CSC-303 Chapter 5

Benchmarking

An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.

Threat Assessment

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization.

Operational/behavioral Feasibility

An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution. Also known as behavioral feasibility.

Political Feasibility

An examination of how well a particular solution fits within the organization's political environment—for example, the working relationship within the organization's communities of interest or between the organization and its external environment.

Organizational Feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

Technical Feasibility

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel.

Baseline

An assessment of the performance of some action or process against which future performance is assessed; the first measurement (benchmark) in benchmarking.

Quantitative Assessment

An asset valuation approach that attempts to assign absolute numerical measures.

Qualitative Assessment

An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.

Defense Risk Control Strategy

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.

Mitigation Risk Control Strategy

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

Transference Risk Control Strategy

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.

Termination Risk Control Strategy

The risk control strategy that eliminates all risk associated with an information asset by removing it from service.

Acceptance Risk Control Strategy

The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

Residual Risk

The risk to information assets that remains even after current controls have been applied.

Single Loss Expectancy (SLE)

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The _____ is the product of the asset's value and the exposure factor.

Annualized Rate of Occurrence (ARO)

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.

Exposure Factor (EF)

In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack.

Annualized Lost Expectancy (ALE)

In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.

Annualized Cost of a Safeguard (ACS)

In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.

Risk Assessment

A determination of the extent to which an organization's information assets are exposed to risk.

Threats-Vulnerabilities-Assets (TVA) Worksheet

A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.

Data Classification Scheme

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

Threats-Vulnerabilities-Assets (TVA) Triplets

A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TxVyAz, where there may be one or more vulnerabilities between Threat X and Asset Z. For example, T1V1A2 would represent Threat 1 to Vulnerability 1 on Asset 2.

Security Clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

Cost-benefit Analysis (CBA)

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

Loss magnitude

Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack.

Dumpster Diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

Clean Desk Policy

An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day.

Process-based Measures

Performance measures or metrics based on intangible activities.

Metrics-based Measures

Performance measures or metrics based on observed numerical data.

Best Business Practices

Security efforts that are considered among the best in the industry.

Avoidance of Competitive Disadvantage

The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.

Competitive Advantage

The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition.

Risk Control

The application of controls that reduce the risks to an organization's information assets to an acceptable level.

Loss frequency

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.

Performance Gaps

The difference between an organization's observed and desired performance.

Cost Avoidance

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.

Attack Success Probability

The number of successful attacks that are expected to occur within a specified time period.

Likelihood

The probability that a specific vulnerability within an organization will be the target of an attack.

Asset Valuation

The process of assigning financial value or worth to each information asset.

Baselining

The process of conducting a baseline. See also baseline.

Risk Management

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

Risk Appetite

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Risk Identification

The recognition, enumeration, and documentation of risks to an organization's information assets.