Familiarity with the following terms will help users of information technology to better understand their responsibilities for IT security.
Impact:
The degree to which a security failure has the potential to result in harm or loss. The impact of a potential risk may be identified by the responses to the following questions:
- What are the ramifications of the loss of confidentiality, integrity, availability, or authorized use of systems?
- Will physical harm to any individual result?
- Will the strategic mission of the Organization be affected?
- Will personal information be compromised?
- Will large segments of the community be inconvenienced?
- Will the reputation of the Organization suffer?
- Who will need to resolve the security incident?
- What is the magnitude of resources required to resolve the security incident?
Incidents that cause limited damage to operations or assets and that do not involve risk to individuals. These incidents require minor corrective actions or repairs within the designated custodial structure, and communication is frequently required only within the affected unit.
Incidents that cause short-term degradation or partial loss of the Organization's mission capability; that affect or disadvantage only subsets of the Organization community; or that result in limited loss of or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure, usually involve only internal communications, and normally will not require the involvement of high-level administration.
Incidents that cause an extensive loss of the Organization's mission capability; result in a loss of major assets; pose a significant threat to the well-being of large numbers of individuals or to human life; or damage the reputation of the Organization. These incidents require a substantial allocation of human resources to correct; may require communication to external agencies, law enforcement, and the public; and often require the involvement of high-level administration within the Organization.
Risk:
A source of danger; a possibility of incurring loss or damage. In general, risk is a composite of three factors: threats, vulnerabilities, and impact (see the definitions of these terms in this section).
Risk assessment:
In information technology security, a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. Risk assessment involves determining the potential for and impact of a negative event by evaluating the nature of the information and information systems.
Factors used to determine the level of risk include the effect of the loss on the Organization's strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the Organization community; the potential for damage to the Organization's reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.
Action taken to reduce risk to an acceptable level. An analysis evaluating costs, benefits, and impacts to the Organization will be critical in determining what, if any, action should be taken. Some options to reduce risk include:
- Accepting the potential risk and continuing operation of the IT system.
- Risk mitigation by eliminating a risk cause and/or consequence.
- Risk mitigation by implementing controls that reduce the negative impact of a threat exercising a vulnerability.
- Risk mitigation by using other options to compensate for a loss due to a security incident.
Security:
The state of being free from unacceptable risk. IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, or modified, or of information being disclosed inappropriately, whether by intent or by accident.
Security incident:
An accidental or malicious act that exercises a vulnerability resulting in the potential of a negative impact.
Threat:
Actions or events that potentially compromise the confidentiality, integrity, availability, or authorized use of information or information systems. Threats may be human or non-human; natural, accidental, or deliberate. Examples:
- Acts of malice by individuals or groups; purposeful or malicious misuse of information or information systems.
- Natural or physical disasters such as fire, flood, or hardware failure.
- Unintentional oversight, action, or inaction: data left open to unauthorized access; accidental deletion of data files; inadequate data backup procedures.
Vulnerability:
Security exposures that increase the potential for a failure of security. A narrow technical definition includes only those exposures created by software or hardware design. A broader definition, however, also includes exposures inherent to an activity or practice. Examples:
- Software or hardware that allows unauthorized access to information or information systems.
- Business practices, such as collecting and storing personal information that could, if revealed, be damaging to individuals.
- Personal practices or procedures, such as improperly protecting one's password or providing inadequate physical environments for IT systems.