ITEC 3500 (CHAT)
Risk: “The estimated frequency and potential impact of future loss”.
Annual Loss Expectancy (ALE): Expected annual loss, calculated as Single Loss Expectancy (SLE) multiplied by Annualized Rate of Occurrence (ARO).
Single Loss Expectancy (SLE): The dollar amount of loss from a single event (if a specific threat occurs).
Annualized Rate of Occurrence (ARO): The estimated number of times a specific threat is expected to occur within one year.
Enterprise Risk Management (ERM): “A process… applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite…”.
Risk Appetite: “The amount of risk, on a broad level, that an organization is willing to accept in pursuit of its business objectives”.
Information Security Risk: “The expected loss of information confidentiality, integrity, or availability”.
Key Risk Indicator (KRI): Metrics “used by organizations to provide an early signal of increasing risk exposures”.
Risk Assessment vs. Risk Analysis: A risk assessment is a high-level evaluation (e.g. enterprise or business-unit level) of potential risks, while a risk analysis is a detailed examination at a granular level (e.g. system or process level).
Risk Management Process: Typically involves four steps – Identify a risk, Measure/Assess the risk, Respond/Mitigate the risk, and Monitor the risk continuously.
Residual Risk: The remaining risk after controls or mitigations are applied; in other words, the risk that “remains after management has implemented risk response”.
Compensating Control: An alternate safeguard implemented when a primary control is infeasible; it “provides similar protection as the original control”.
Preventive Control: A control that stops an incident from occurring, e.g. requiring access IDs to enter a building or granting read-only database access.
Detective Control: A control that detects or alerts on a security incident in progress, e.g. intrusion-detection alarms or log monitoring.
Corrective Control: A control that fixes or restores systems after an incident, e.g. restoring systems from backup tapes.
Defense in Depth: A security principle using multiple overlapping layers of defense so that if one layer is breached, others remain to protect assets.
Segregation of Duties: A control principle that divides critical tasks among multiple people to prevent fraud or error; for example, one person should not both authorize and process transactions.
Least Privilege (Minimum Privilege): Granting each user or system only the access and permissions needed for its function.
Need to Know: Restricting access so that “information should only be provided to those parties who require it to perform their defined business functions”.
Vulnerability: A weakness in a system, process, or person that can be exploited by a threat, e.g. a software bug or lack of user training.
Zero-Day Vulnerability: A vulnerability that is publicly known but for which no vendor patch exists yet.
CVE (Common Vulnerabilities and Exposures): A dictionary of publicly disclosed cybersecurity vulnerabilities and exposures, each given a unique ID, description, and references.
CVSS (Common Vulnerability Scoring System): A globally recognized standard for rating the severity of technical vulnerabilities (though it measures severity, not business risk).
Business Continuity Planning (BCP): Planning to keep essential business functions operating during and after disasters or disruptive events.
Disaster Recovery (DR): The IT-focused part of BCP that deals with restoring systems and data after a major outage or disaster.
Business Impact Analysis (BIA): A study of business processes and their dependencies to determine the recovery priorities and objectives in a disruption.
Recovery Time Objective (RTO): The maximum acceptable time to restore a process after a disruption; i.e. “how much time we have to get everything up and working again”.
Recovery Point Objective (RPO): The maximum acceptable data loss measured in time; it determines backup frequency.
Maximum Tolerable Downtime (MTD): The total time a business process can be unavailable without causing unacceptable harm.
Full Backup: A complete copy of all chosen data; simple to restore but time-consuming to create.
Incremental Backup: Backs up only data changed since the last backup; saves storage but requires multiple backup sets to restore.
Differential Backup: Backs up all data changed since the last full backup; requires only the full plus latest differential to restore.
Hot Site: A fully equipped standby data center where systems and equipment are already running; can take over almost immediately, but is expensive to maintain.
Warm Site: A recovery facility partially equipped with hardware and infrastructure; requires installation and configuration of systems before becoming operational.
Cold Site: A basic space with power and connectivity but no hardware; very cheap, but requires full system setup after a disaster.
Single Sign-On (SSO): An authentication system that allows a user to log in once and then access multiple systems or services without re-entering credentials.
Kerberos: An authentication protocol (developed at MIT) that uses tickets and symmetric keys to provide single sign-on within a trusted domain.
SAML (Security Assertion Markup Language): An XML-based protocol that enables identity federation and single sign-on across different organizations on the Internet.
Role-Based Access Control (RBAC): An IAM model where users are assigned to roles (reflecting job functions) and inherit the permissions of those roles, simplifying access management.
Threat Modeling: A structured process for identifying potential threats, attackers, vulnerabilities, and attack scenarios against an organization or system.
OCTAVE: “Operationally Critical Threat, Asset, and Vulnerability Evaluation” – a risk assessment methodology focused on evaluating an organization’s critical assets, threats, and vulnerabilities.
TARA (Threat Agent Risk Assessment): An approach that focuses on profiling threat agents (attackers) by their motivations and capabilities, to assess how they might exploit vulnerabilities.
NIST Cybersecurity Framework (NIST CSF): A voluntary, risk-based framework by NIST that helps organizations manage cybersecurity by organizing practices into five core functions: Identify, Protect, Detect, Respond, Recover.
COBIT 5: A comprehensive governance and management framework by ISACA that helps enterprises derive value from IT by balancing benefits, risk, and resource use.
ISO/IEC 27001: An international standard specifying requirements for establishing, implementing, and maintaining an Information Security Management System (ISMS) to achieve information confidentiality, integrity, and availability.
ISO/IEC 27002: A complementary code of practice containing guidelines and controls for implementing information security, providing best-practice guidance for ISO 27001 implementations.
CIS Critical Security Controls: A prioritized set of cybersecurity best practices (“a short list of high-priority, highly effective defensive actions”) that organizations can implement to thwart common attacks.
Internal Control (COSO): A process designed to provide reasonable assurance regarding achievement of objectives, including operational effectiveness and legal compliance.
Audit (ISO definition): “A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.
Risk Management
Risk: The estimated frequency and potential impact of a future loss.
Single Loss Expectancy (SLE): Loss from a single event.
Annualized Rate of Occurrence (ARO): Frequency of that event per year.
Annual Loss Expectancy (ALE): Expected yearly loss (SLE × ARO).
Enterprise Risk Management (ERM): A holistic process for identifying events that may affect an organization and managing risk within risk appetite to achieve objectives.
Risk Appetite: The level of risk an organization is willing to accept in pursuit of its objectives.
Information Security Risk: Expected loss to confidentiality, integrity, or availability.
Key Risk Indicator (KRI): Metrics providing early warning of rising risk.
Risk Assessment vs Analysis: Assessment is a high-level scan of risks; Analysis is detailed evaluation of specific systems.
Risk Management Cycle: Identify risks, measure (assess) them, respond/mitigate them, and continuously monitor.
Residual Risk: Remaining risk after controls are applied.
Compensating Control: Alternate control providing equivalent protection when primary control isn’t feasible.
Business Continuity
Business Continuity Planning (BCP): Preparing to keep critical business functions running during disruptions.
Disaster Recovery (DR): The IT-focused effort to restore systems and data after a disruption.
Business Impact Analysis (BIA): Evaluates business processes and their dependencies to set recovery priorities.
Recovery Time Objective (RTO): Maximum tolerable downtime for a process (time to restore it).
Recovery Point Objective (RPO): Maximum tolerable data loss (time between backups).
Maximum Tolerable Downtime (MTD): Total time a process can be down before severe impact.
Full Backup: Complete data copy (longer to make, easy to restore).
Incremental Backup: Only changes since last backup (space-efficient, complex restore).
Differential Backup: Changes since last full backup (moderate space, easier restore).
Hot Site / Warm Site / Cold Site: Types of alternate data centers – Hot: fully equipped (fast failover, costly); Warm: partially equipped (moderate readiness); Cold: empty shell (slowest recovery, cheapest).
Cybersecurity Controls
Preventive Control: Stops incidents from occurring (e.g. locks, access restrictions).
Detective Control: Identifies or alerts on incidents in progress (e.g. intrusion detection).
Corrective Control: Restores systems after incidents (e.g. backups).
Defense in Depth: Layered security so breaching one control doesn’t expose all assets.
Segregation of Duties: Splitting critical tasks among multiple people to reduce risk.
Least Privilege: Granting only the minimum access needed for each user or process.
Need to Know: Providing sensitive information only to those who must have it for their roles.
Vulnerability: A system or process weakness that can be exploited.
Zero-Day Vulnerability: A known vulnerability without an available patch.
CVE: A catalog of publicly disclosed vulnerabilities.
CVSS: A standard scoring system for rating the severity of vulnerabilities.
Compensating Control: An alternative measure when a preferred control cannot be implemented.
OWASP Top 10 (web application security): A list of the most critical web application security risks, maintained annually by OWASP (included for context).
Identity & Access Management (IAM)
Single Sign-On (SSO): Lets a user authenticate once and access multiple systems without re-entering credentials.
Kerberos: An authentication protocol that uses tickets (via a Key Distribution Center) to provide SSO within a domain.
SAML: An XML-based protocol for exchanging authentication/authorization data, enabling cross-organization SSO (identity federation).
Role-Based Access Control (RBAC): Assigning users to roles (reflecting job functions) with specific permissions, simplifying management.
Principle of Least Privilege (also listed under controls): Limiting user access to only what is necessary for their role.
Identity Federation (concept): Linking identity management across organizations (often via SAML) so users can access external services with their internal credentials.
Threat Modeling
Threat Modeling: Identifying and evaluating potential threats, attack vectors, and vulnerabilities against assets.
Threat Agent: Any person or entity (internal or external, deliberate or accidental) that could exploit a vulnerability.
Attack Scenario: A hypothetical sequence of steps an attacker might use to exploit a vulnerability.
Risk Assessment vs Analysis: See above.
OCTAVE: A structured methodology (“Operationally Critical Threat, Asset, and Vulnerability Evaluation”) for organizational risk assessment.
TARA: “Threat Agent Risk Assessment” – focuses on profiling threat agents (their skills and motives) and mapping them to vulnerabilities.
Industry Frameworks
NIST Cybersecurity Framework (CSF): A voluntary framework by the U.S. NIST, comprising five core functions (Identify, Protect, Detect, Respond, Recover) to guide cybersecurity risk management.
COBIT 5: An ISACA framework for IT governance and management, designed to help enterprises derive maximum business value from IT by balancing benefits, risks, and resource use.
ISO/IEC 27001: An international standard that specifies requirements for an ISMS (Information Security Management System) to achieve secure information handling.
ISO/IEC 27002: A code of practice providing guidelines and controls (best practices) to implement ISO 27001 objectives.
CIS Critical Security Controls: A set of prioritized, actionable controls (“must-do, do-first”) to defend against common cyber attacks.
COSO (Internal Control Framework): A widely used enterprise risk and control framework (for example, the “Three Lines of Defense” model).
Audit: A formal evaluation process; per ISO, “systematic, independent and documented” review of evidence against criteria.