Adequate Security |
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [NIST Glossary]
|
Adversary |
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. [NIST Glossary] |
Analysis Approach
|
The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated. [NIST Glossary] |
Assessment |
See Security Control Assessment or Risk Assessment. |
Asset |
Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). [NISTIR 7693] |
Attack |
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. [NIST Glossary] |
Availability |
Ensuring timely and reliable access to and use of information. [NIST Glossary] |
Compensating Security Control
|
A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. [NIST Glossary] |
Confidentiality |
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [NIST Glossary] |
Corrective Action Plan [CAP] |
Corrective actions for an issuer for removing or reducing deficiencies or risks identified by the Assessor during the assessment of issuer operations. The plan identifies actions that need to be performed in order to obtain or sustain authorization. [NIST Glossary] |
Criticality |
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. Note criticality is often determined by the impact to the organization due to a loss of integrity or availability. [NIST Glossary] |
Cyber Attack |
An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. [NIST Glossary] |
Cyber Incident |
Actions through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See incident. [NIST Glossary] |
Cybersecurity |
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. [NIST Glossary] |
Cyberspace |
The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. [NIST Glossary] |
Cyber Physical System |
A system that includes engineered, interacting networks of physical and computational components. [NIST Glossary] |
Defense-in-Breadth |
A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or subcomponent life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). [NIST Glossary] |
Defense-in-Depth |
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. [NIST Glossary] |
Enhanced Overlay |
An overlay that adds controls, enhancements, or additional guidance to security control baselines in order to highlight or address needs specific to the purpose of the overlay. See Overlay. Synonymous with Tailored Overlay. [NIST Glossary] |
Enterprise |
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information, and mission management. [NIST Glossary] |
Enterprise Risk Management [ERM] |
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures, as necessary. [NIST Glossary] |
Enterprise Risk Register |
A risk register at the enterprise level that contains normalized and aggregated inputs from subordinate organizations’ risk registers and profiles. [NISTIR 8286] |
Impact Level |
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. [NIST Glossary] |
Impact Value |
The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high. [NIST Glossary] |
Incident |
An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. [NIST Glossary] |
Information Security Risk |
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk. [NIST Glossary] |
Information System |
A discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [NIST Glossary] Information systems also include specialized systems, for example: industrial/process control systems, cyber-physical systems, embedded systems, and devices.[NIST SP 800-171, Rev 2] |
Information System-Related Security Risk |
Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation. A subset of Information Security Risk. See Risk. [NIST Glossary] |
Integrity |
Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. [NIST Glossary] |
Likelihood of Occurrence |
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. [NIST Glossary] |
Organization |
An entity of any size, complexity, or positioning within an organizational structure. See Enterprise. [NIST Glossary] |
Overlay |
A fully specified set of security controls, control enhancements, and supplemental guidance derived from tailoring a security baseline to fit the user’s specific environment and mission. [NIST Glossary] |
Plan of Action and Milestones [POAM] |
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. Synonymous with Corrective Action Plan. [NIST Glossary] |
Processing |
Operation or set of operations performed upon [ePHI] that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of [ePHI]. [NIST Glossary] |
Quantitative Assessment |
A set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment. [NIST Glossary] |
Qualitative Assessment |
A set of methods, principles, or rules for assessing risk based on non-numerical categories or levels. [NIST Glossary] |
Quasi-quantitative Assessment |
See Semi-Quantitative Assessment. |
Repeatability |
The ability to repeat an assessment in the future, in a manner that is consistent with, and hence comparable to, prior assessments. [NIST Glossary] |
Reproducibility
|
The ability of different experts to produce the same results from the same data. [NIST Glossary] |
Residual Risk |
Portion of risk remaining after security measures have been applied. [NIST Glossary] |
Risk Analysis |
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. [NIST Glossary] |
Risk Appetite
|
The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value. [NIST Glossary] |
Risk Assessment |
The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations, resulting from the operation of an information system. Part of risk management, risk assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. [NIST Glossary] |
Risk Assessment Methodology |
A risk assessment process, together with a risk model, assessment approach, and analysis approach. [NIST Glossary] |
Risk Factor |
A characteristic in a risk model as an input to determining the level of risk in a risk assessment. [NIST Glossary] |
Risk Management |
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time. [NIST Glossary] |
Risk Management Framework [RMF] |
A structured approach used to oversee and manage risk. [NIST Glossary] |
Risk Mitigation |
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. [A subset of Risk Response.] [NIST Glossary] |
Risk Model |
A key component of a risk assessment methodology—in addition to the assessment approach and analysis approach—that defines key terms and assessable risk factors. [NIST Glossary] |
Risk Monitoring |
Maintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions. [NIST Glossary] |
Risk Profile |
A prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks. [NISTIR 8286] |
Risk Register |
A central record of current risks, and related information, for a given scope or organization. Current risks are comprised of both accepted risks and risks that have a planned mitigation path. [NIST Glossary] |
Risk Response |
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations. See Course of Action. Synonymous with Risk Treatment. [NIST Glossary] |
Risk Tolerance |
The level of risk an entity is willing to assume in order to achieve a potential desired result. [NIST Glossary] |
Scoping |
The act of applying scoping guidance, which consists of specific technology-related, infrastructure-related, public access-related, scalability-related, common security control-related, and risk-related considerations on the applicability and implementation of individual security and privacy controls in the control baseline. [NIST Glossary, adapted from Scoping Guidance] |
Scoping Considerations |
A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of security controls in the security control baseline. Areas of consideration include policy/regulatory, technology, physical infrastructure, system component allocation, operational/environmental, public access, scalability, common control, and security objective. [NIST Glossary] |
Security Control(s) |
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an organization and/or information system(s) to protect information confidentiality, integrity, and availability. [NIST Glossary, adapted] |
Security Control Assessment |
The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. [NIST Glossary] |
Security Control Baseline |
A set of information security controls that has been established through information security strategic planning activities intended to be the initial security control set selected for a specific organization and/or system(s) that provides a starting point for the tailoring process. [NIST Glossary] |
Semi-Quantitative Assessment |
Use of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts. Synonymous with Quasi-Quantitative Assessment. [NIST Glossary] |
Tailored Overlay
|
See Enhanced Overlay. |
Tailored Security Control Baseline |
A set of security controls resulting from the application of tailoring guidance to the security control baseline. See Tailoring. [NIST Glossary] |
Tailoring
|
The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements. Tailoring [NIST Glossary] |
Threat |
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. [NIST Glossary, adapted] |
Threat Assessment/Analysis |
Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [NIST Glossary] |
Threat Event |
An event or situation that has the potential for causing undesirable consequences or impact. [NIST Glossary] |
Threat Intelligence
|
An event or situation that has the potential for causing undesirable consequences or impact. [NIST Glossary] |
Threat Scenario |
A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time. [NIST Glossary] |
Threat Source |
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. [NIST Glossary] |
Vulnerability |
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. [NIST Glossary] |
Vulnerability Assessment/ Analysis |
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. [NIST Glossary] |