Confidentiality

Necessary level of security is enforced and unauthorized disclosure is prevented.

 Integrity

Accuracy and reliability fo the information and systems are provided and any unauthorized notification is presented.

Availability 

Reliable and timely access to data and resources is provided to authorized individuals.

Shoulder Surfing

Viewing infomration in an unauthorized manner by looking over the shoulder of someone else.

 Social Engineering

Gaining unauthorized access by tricking someone into divulging sensitive information.

 Vulnerability

Weaknesses or a lack of a countermeasure.

 Threat Agent

Entity that can exploit a vulernability.

 Threat

The danger of a threat agent exploiting a vulnerability.

 Risk  

The probability of a threat agent exploiting a vulnerability and the associated impact.

 Control

Safeguard that is put in place to reduce a risk, also called a countermeasure.

 Exposure

Presence of a vulnerability, which exposes the organization to a threat.

 Control types

Administrative, technical and physical.

Corrective

Fix items after an incident has occurred.

Preventive

Stop an incident from occurring.

Recovery

Restore necessary components to return to normal operations.

Deterrent

Discourage a potential attacker.

Detective

Identify an incident's activities after it took place.

Compensating

Alternative control that provides similiar protection as the original control.

Defense-in-depth

Implementation of multiple controls so that successful penetration and compromise is more difficult to obtain.

ISO/IEC 27000 Series 

Industry-recognized best practices for the development and management of an information security management system. 

Zachman Framework

Enterprise architecture framework used to define and understand a business environment developed by John Zachman. 

TOGAF

Enterprise architecture framework used to define and understand a business environment developed by The Open Group. 

DoDAF

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals. 

MODAF

Architecture framework used mainly in military support missions developed by the British Ministry of Defense. 

SABSA Framework

Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman Framework.

CobiT

Set of control objectives used as a framework for IT governance developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

SP 800-53

Set of controls to protect the U.S. federal systems developed by the National Institute of Standards and Technology (NIST).

COSO

Internal control model used for corporate governance to help prevent fraud developed by the Committee of Sponsoring Orgnaizations (COSO) of the Treadway Commission. 

ITIL

Best practices for information technology services management processes developed by the United Kingdom's Office of Government COmmerce. 

Six Sigma

Business management strategy developed by Motorola with the goal of improving business processes. 

Capability Maturity Model Integration (CMMI)

Process improvement model developed by Carnegie Mellon. 

Security through Obscurity

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices. 

NIST 800-30 Risk Management Guide for Information Technlogy Systems

A U.S. federal standard that is focused on  IT risks. 

Facilitated Risk Analysis Process (FRAP)

A focused, qualitative approach that carries out prescreening to save time and money. 

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Team-oriented approach that assesses organizational and IT risks through facilitated wokrshops. 

AS/NZS 4360

Australia and New Zewland business risk management assessment approach. 

ISO/IEC 27005

International standard for the implemenation of a risk managment program that integrates into an information security management system (ISMS).

Failure Modes and Effect Analysis

Approach that dissects a component into its basic functions to identify flaws and those flaws' effects. 

Fault Tree Analysis

Approach to map specific flaws to root causes in complex systems. 

CRAMM

Central Computing and Telecommunications Agency Risk Analysis and Management Method.

Quantitative Risk Analysis

Assigning monetary and numeric values to all the data elements of a risk assessment.

Qualitative Risk Analysis

Opinion-based method of analyzing risk with the use of scenarios and ratings. 

Single Loss Expectancy

One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset.  Asset Vlaue x Exposure Factor = SLE

Annualized Loss Expectancy

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.  SLE x ARO =ALE

Uncertainty Analysis

Assigning confidence level value to data elements.

Delphi Method

Data collection method that happens in an anonymous fashion. 

Cost/Benefit Analysis

Calculating the value of a control.  (ALE before implementing a control) - (ALE after implementing a control) - (annual cost of control) = value of a control.

Functionality versus Effectiveness of Control

Functionality is what a control does, and its effectiveness is how well the control does it. 

Total Risk

Full risks amount before a control is put into place.  Threats x vlunerabilities x assets = total risk. 

Residual Risk

Risk that remains after implementing a control.  Threats x vulnerabilties x assets x (control gap) = residual risk. 

Handling Risk

Accept, transfer, mitigate, avoid.