Risk
The estimated frequency and potential impact of future loss.
Annual Loss Expectancy (ALE)
Expected annual loss, calculated as Single Loss Expectancy (SLE) multiplied by Annualized Rate of Occurrence (ARO).
Single Loss Expectancy (SLE) [GOOD]
The dollar amount of loss from a single event if a specific threat occurs.
Annualized Rate of Occurrence (ARO) [GOOD]
The estimated number of times a specific threat is expected to occur within one year.
Risk Appetite
The amount of risk that an organization is willing to accept in pursuit of its business objectives.
Information Security Risk [GOOD]
The expected loss of information confidentiality, integrity, or availability.
Key Risk Indicator (KRI) [GOOD]
Metrics used by organizations to provide an early signal of increasing risk exposures.
Risk Assessment vs. Risk Analysis [GOOD]
A risk assessment is a high-level evaluation of potential risks, while a risk analysis is a detailed examination at a granular level.
Risk Management Process
Typically four steps: identify, measure/assess, respond/mitigate, and monitor risks continuously.
Residual Risk [GOOD]
The remaining risk after controls or mitigations are applied.
Compensating Control [GOOD]
An alternate safeguard implemented when a primary control is infeasible, providing similar protection.
Preventive Control [GOOD]
A control that stops an incident from occurring.
Detective Control [GOOD]
A control that detects or alerts on a security incident in progress.
Corrective Control [GOOD]
A control that fixes or restores systems after an incident.
Defense in Depth
A security principle using multiple overlapping layers of defense.
Segregation of Duties [GOOD]
A control principle that divides critical tasks among multiple people to prevent fraud or error.
Least Privilege (Minimum Privilege)
Granting each user or system only the access and permissions needed for its function.
Need to Know [GOOD]
Restricting access so that information is provided only to those who require it for business functions.
Vulnerability [GOOD]
A weakness in a system, process, or person that can be exploited by a threat.
Zero-Day Vulnerability [GOOD]
A vulnerability that is publicly known but for which no vendor patch exists.
CVE (Common Vulnerabilities and Exposures)
A dictionary of publicly disclosed cybersecurity vulnerabilities, each given a unique ID.
CVSS (Common Vulnerability Scoring System)
A standard for rating the severity of technical vulnerabilities.
Business Continuity Planning (BCP) [GOOD]
Planning to keep essential business functions operating during and after disruptions.
Disaster Recovery (DR)
The IT-focused part of BCP that deals with restoring systems and data after a major outage.
Business Impact Analysis (BIA) [GOOD]
A study of business processes and their dependencies to determine recovery priorities.
Recovery Time Objective (RTO) [GOOD]
The maximum acceptable time to restore a process after a disruption.
Recovery Point Objective (RPO) [GOOD]
The maximum acceptable data loss measured in time.
Maximum Tolerable Downtime (MTD) [GOOD]
The total time a business process can be unavailable without causing unacceptable harm.
Full Backup [GOOD]
A complete copy of all chosen data.
Incremental Backup [GOOD]
Backs up only data changed since the last backup.
Differential Backup [GOOD]
Backs up all data changed since the last full backup.
Hot Site [GOOD]
A fully equipped standby data center that can take over almost immediately.
Warm Site
A recovery facility partially equipped with hardware that requires installation before becoming operational.
Cold Site
A basic space with power and connectivity but no hardware.
Single Sign-On (SSO)
An authentication system that allows a user to log in once to access multiple systems.
Kerberos
An authentication protocol that uses tickets and keys to provide SSO within a trusted domain.
SAML (Security Assertion Markup Language)
An XML-based protocol that enables identity federation and SSO across organizations.
Role-Based Access Control (RBAC)
An IBM model where users are assigned to roles reflecting job functions.
Threat Modeling
A structured process for identifying potential threats and vulnerabilities.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation – a risk assessment methodology.
TARA (Threat Agent Risk Assessment)
An approach focusing on profiling threat agents by their motivations.
NIST Cybersecurity Framework (NIST CSF)
A voluntary framework that helps organizations manage cybersecurity risks.
COBIT 5
A comprehensive governance and management framework for maximizing IT value.
ISO/IEC 27001
An international standard for establishing and maintaining an Information Security Management System.
ISO/IEC 27002
A code of practice providing guidelines for implementing information security.
CIS Critical Security Controls
A prioritized set of cybersecurity best practices for organizations.
Internal Control (COSO)
A process designed to provide reasonable assurance regarding the achievement of objectives.
Audit (ISO definition)
A systematic, independent process for evaluating compliance with specified criteria.
OWASP Top 10
A list of the most critical web application security risks, maintained annually by OWASP (included for context).
Threat Agent
Any person or entity (internal or external, deliberate or accidental) that could exploit a vulnerability.
Attack Scenario
A hypothetical sequence of steps an attacker might use to exploit a vulnerability.