13. Glossary

Access control
Access control includes both access authorization and review of access to both logical and physical assets. It refers to all the steps that are taken to selectively authorize and restrict entry, contact, or use of assets. Access authorizations and restrictions are established in accordance with business and security requirements and should reflect the value of the assets in question for the company.

Accountability
To make an entity accountable is to assign actions and decisions to an identifiable entity and to expect that entity to be answerable for those actions and decisions. Therefore, accountability is the state of being answerable for the actions and decisions that have been assigned to it.

Analytical model
An analytical model is a mathematical, logical or mechanical representation of a relationship, theory, process, system, or sequence of events, so designed that a study of the model functions as a means of summarizing the complex relations of the real world or as a way of illustrating a theory. Analytical models are used to facilitate and support decision making.

Assessment
An assessment is the act of evaluating something. Here it means that the organization is evaluated in comparison to the threats that are aimed at its assets, i.e. risk.

Asset
An asset is any tangible or intangible thing or characteristic that has value to an organization. Obvious types of assets include facilities, machines, patents, and software; less obvious types are information, people, and services, as well as characteristics such as brand, culture, reputation, skill and knowledge.

Attack
An attack is any deliberate unauthorized attempt to access, use, alter, expose, steal, disable, or destroy an asset.

Attribute
An attribute is any distinctive feature, characteristic or property of an object that can be identified or isolated, either quantitatively or qualitatively, by human or automated means.

Audit
An audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Audit Types

Audit scope
The scope of an audit is a statement that specifies the focus, extent, and boundary of a particular audit. The scope could be specified by defining the physical location of the audit, the business entities that will be examined, the processes and activities that will be included, and the time period that will be covered.

Authentication
Authentication is the act of confirming the truth of an attribute of a single piece of data (datum) or entity. To authenticate is to verify that a characteristic or attribute that appears to be true is in fact true.

Authenticity
Authenticity is a property or characteristic of an entity. An entity is authentic if it is what it claims to be.

Availability
Availability is a property or characteristic of an asset: if an asset is accessible and usable when an authorized entity requires access, it is available.

Base measure
A base measure is both an attribute or property of an entity and the method used to quantify it.

Business continuity management
Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan
A business continuity plan (BCP) outlines the procedures and instructions an organization must follow in the event of a disruption or disaster; a BCP covers business processes, assets, human resources, business partners and more.

Business Entity
A business entity is an entity that is formed and administered under commercial law in order to engage in business activities, charitable work, or other allowable activities. The distinct business entity has complete control over how it utilizes its assets, organizes its management and, if required, chooses the most appropriate financing structure.

Categories
Categories are any general or comprehensive division. In RM Studio, Categories are the division of Assets according to the applicable Standard.

Code of Practice
A code of practice is a guide of best practices used to implement a Standard.

Competence
A competence is a cluster of related abilities, commitments, knowledge, and skills that enable a person or a business entity to act effectively and as expected in a job or situation.

Confidentiality
Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.

Conformity
Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements. There are many types of requirements, such as information security requirements and customer, contractual, regulatory, and statutory requirements, to name a few.

Consequence
A consequence is the effect, result, or outcome of something occurring. A single event can have a range of certain or uncertain consequences, and these consequences can influence how well an organization achieves its objectives. In addition, initial consequences can escalate through knock-on effects.

Context
An organization's context includes all of the internal and external issues that are deemed relevant and the influence these issues could have on its ability to achieve the objectives and outcomes that the ISMS intends to achieve. See internal context and external context.

Continual improvement
Continual improvement is a set of recurring activities designed and executed to upgrade the performance of processes, products, services, systems, and organizations.

Control
In the context of information security management, a control is any administrative, managerial, technical, or legal method that is used to mitigate or manage information security risk. Controls are also referred to as safeguards or countermeasures. Controls can include:

Control objective
An information security control objective provides a specific target against which to evaluate the effectiveness of controls.

Correction
A correction is any activity that is taken to eliminate an identified nonconformity; however, corrections do not address causes. Corrective actions address causes.

Corrective action
Corrective actions are improvements to an organization's processes taken to eliminate the causes of nonconformities or other undesirable situations.

Data
The term data is defined as a collection or set of values assigned to measures or indicators. A measure is a variable made up of values, and an indicator is a measure or variable used to evaluate or estimate an attribute or property of an object.

Decision criteria
Decision criteria are factors like thresholds, targets, or patterns. Decision criteria are used to determine whether action should be taken or whether further investigation is required before decisions can be made. Decision criteria are also used to evaluate results and to describe confidence levels.

Derived measure
A derived measure is a measure that is defined as a mathematical function of two or more values of base measures (a base measure is both an attribute of an entity and the method used to quantify it).

Documented information
The term documented information refers to the information required to be controlled and maintained by an organization and the medium on which it is contained. Documented information can be in any format, on any media and from any source. Documented information includes information about the management system and related processes, as well as all the information that organizations need to operate and all the information that they use to document the results they achieve (records). In short, the term documented information is just a new name for what used to be called documents and records; however, this change is significant. In the past, documents and records were to be managed differently, but now they are subject to the same set of requirements.

Effectiveness
Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if they are executed properly, and planned results are effective if they are achieved.

Efficiency
Efficiency is the relationship between results achieved (outputs) and resources used (inputs). The efficiency of a process or system can be enhanced by achieving more or getting better results (outputs) with the same or fewer resources (inputs).

Event
An event could be one occurrence, several occurrences, or even a non-occurrence (when something doesn't happen that was supposed to happen). It can also be a change in circumstances. Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences.

Executive management
The term executive management (or top management) refers to the people who are responsible for implementing the strategies and policies needed to achieve an organization's purpose. It includes chief executive officers, chief financial officers, chief information officers, and other similar roles. Executive managers are given this responsibility by a governing body (sometimes referred to as a board of directors).

External context
The external context is the external environment in which the organization seeks to achieve its objectives, including the key drivers and trends having an impact on the objectives of the organization, as well as the relationships with, and the perceptions and values of, external stakeholders. An organization's external context may include:

Gap Analysis
A gap analysis is a formal study of the steps necessary to improve from the current performance level to the desired level of performance in areas such as: In business and economics, a gap analysis is a tool that helps an organization identify its actual performance in order to determine how to attain its expected performance. At the core, two questions present themselves: Gap analysis provides a foundation for measuring the investment of time, money and human resources required to achieve a particular outcome (e.g. to turn the salary payment process from paper-based to paperless with the use of a system).

Governance: Information Security and Information Technology
The governance of information security refers to the system of concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization. These concepts and principles are applicable to all types and sizes of organizations.

Governing body
The term governing body refers to the people who are responsible for the overall performance and conformance of an organization.

Guideline
In the context of this standard, guidelines are the steps that are taken to achieve objectives and implement policies. Guidelines clarify what should be done and how.

Impact
The impact is the effect a realized incident or event will have on the organization.

Indicator
An indicator is a measure or variable that is used to evaluate or estimate an attribute or property of an object. Indicators are often derived from analytical models and are used to address information needs.

Information need
An information need is an insight that is necessary or required in order to solve problems, to manage risks, and to achieve goals and objectives.

Information processing facilities
An information processing facility is any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place, and it can be either tangible or intangible.

Information security
The purpose of information security is to protect and preserve the confidentiality, integrity, and availability of information. It may also involve protecting and preserving the authenticity and reliability of information and ensuring that entities can be held accountable.

Information security continuity
Information security continuity refers to an integrated set of policies, procedures, and processes that are used to ensure that a predefined level of security continues during a disaster or crisis (when disruptive incidents occur or adverse situations exist). Continuity is achieved by identifying potential threats and vulnerabilities, by analyzing possible impacts, and by taking steps to build organizational resilience.

Information security event
An information security event is a system, service, or network state, condition, or occurrence that indicates that information security may have been breached or compromised, that a security policy may have been violated, or that a control may have failed.

Information security incident
An information security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.

Information security incident management
Information security incident management is the set of processes that organizations use to deal with information security incidents. It includes a detection process, a reporting process, an assessment process, a response process, and a learning process.

Information Security Management System
An information security management system (ISMS) includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources, and structures that organizations use to protect and preserve information, to manage and control information security risks, and to achieve business objectives. An ISMS is part of an organization's larger management system.

Information sharing community
An information sharing community is a group of people or a group of organizations that agree to share information.

Information system
An information system is any set of components that is used to handle information. Information systems include applications, services, or any other assets that handle information.

Integrity
Within the narrow context of information security, the term integrity means protecting the accuracy and completeness of information.

Internal context
An organization's internal context includes all of the factors and forces within its boundaries that influence how it tries to achieve its objectives. An organization's internal context includes:

ISMS project
ISMS projects include all of the work that organizations do to implement information security management systems (ISMS).

ISO
The International Organization for Standardization (Organisation internationale de normalisation) is an international standard-setting body composed of representatives from various national standards organizations.

Level of risk
The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks.

Likelihood
Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Management
The term management refers to all the activities that are used to coordinate, direct, and control organizations. In this context, the term management does not refer to people. It refers to what managers do.

Management system
A management system is a set of interrelated or interacting elements that organizations use to establish policies and objectives, together with all the processes they need to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, plans, documents, records, methods, tools, techniques, technologies, roles, responsibilities, relationships, agreements, and resources. There are many types of management systems. Some of these include information security management systems, quality management systems, environmental management systems, business continuity management systems, food safety management systems, risk management systems, disaster management systems, emergency management systems, and occupational health and safety management systems. The scope or focus of a management system could be restricted to a specific function or section of an organization, or it could include the entire organization. It could even include a function that cuts across several organizations.

Measurement
Measurement is a process that is used to determine a value. In the context of information security management, measurement is a process that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses. Measurement functions, analytical models, and decision criteria are used to evaluate measurement results and to decide whether action should be taken or whether further investigation is required before decisions can be made.

Measurement function
A measurement function is an algorithm or a calculation that combines two or more base measures. (A base measure is both an attribute or property of an entity and the method used to quantify it.)

Measurement method
A measurement method is a logical sequence of generic operations that uses measurement scales to quantify attributes. Measurement methods use either objective or subjective techniques to quantify attributes.

Measurement results
A measurement result addresses an information need and consists of one or more indicators together with details that explain how these indicators are to be interpreted.

Menu Bar
Also known as the Ribbon. It is the topmost part of the application, where the most common functions are placed for your convenience.

Mitigating control
A mitigating control is a type of control used in auditing to discover and prevent mistakes that may lead to uncorrected and/or unrecorded misstatements, which would generally be related to control deficiencies. The mitigating controls found in ISO/IEC 27002 (also known as Annex A) are suggested measures to implement for risk mitigation, which reduces the probability or impact of a threat to an asset.

Navigation tree
A navigational tool that allows the user to expand and collapse items representing parts of the software that have been divided into nodes, simulating a tree with branches. This allows users to access nested nodes with ease.

Nonconformity
Nonconformity is a non-fulfillment of, or failure to meet, a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.

Non-repudiation
Non-repudiation techniques and services are used to provide undeniable proof that an alleged event actually happened or an alleged action was actually carried out, and that these events and actions were actually carried out by a particular entity and actually had a particular origin. Non-repudiation is a way of guaranteeing that people cannot later deny that an event happened or that an action was carried out by an entity.

Object
In this context, an object is any item that has attributes which can be characterized through measurement. Measurement is a process or method that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses.

Objective
An objective is a result you wish to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. A variety of words can be used to express objectives. These include words like target, aim, goal, purpose, or intended outcome.

Organization
An organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. It can be a company, corporation, enterprise, firm, partnership, charity, or institution; it can be either incorporated or unincorporated, and either privately or publicly owned. It can also be a single operating unit that is part of a larger entity.

Outsource
When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process usually done in-house.

Performance
Performance is a measurable result that is achieved by an activity, process, product, service, system, or organization. This definition allows us to consider performance measurements: the measurement of organizational performance, process performance, product performance, service performance, systemic performance, and so on. Such measurements can be either quantitative or qualitative.

Policy
A policy statement defines a general commitment, direction, or intention. An information security policy statement should express management's formal commitment to the implementation and improvement of its information security management system (ISMS) and should include information security objectives or facilitate their development.

Procedure
A procedure is a way of carrying out a process or activity. Procedures may or may not be documented. ISO/IEC 27001 and 27002 sometimes ask you to document a procedure and sometimes leave it up to you to decide.

Process
A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs.

Probability
Probability is the likelihood that a threat occurs. Probability (the same as likelihood) can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Record
Records provide evidence that activities have been performed or results have been achieved. Records always document the past.

Reliability
Reliability is a property of something and means consistency. Something is reliable if it behaves consistently or produces consistent results.

Report
An account or statement describing in detail an event, situation or similar, usually as a result of observation or inquiry. Also: a document or record of accumulated data containing information organized in narrative, graphic or tabular form, prepared on an ad hoc, periodic, recurring, regular or as-required basis. Reports may refer to specific periods, events, occurrences or subjects and may be presented in digital or written form.

Requirement
A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.

Residual risk
Residual risk is the risk left over after you have implemented all reasonable risk treatment options.

Review
A review is an activity. Its purpose is to determine how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject of the review a suitable, adequate, effective, and efficient way of achieving objectives?

Review objective
A review objective is a statement that describes what a review is intended or expected to achieve.

Risk
According to ISO 31000, risk is the "effect of uncertainty on objectives", and an effect is a positive or negative deviation from what is expected. The following paragraph explains what this means. ISO 31000 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there is always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed, and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both. Because of this, ISO 31000 wants us to reduce uncertainty as much as possible. Information security risk is often expressed as a combination of two factors: probability and consequences. It asks two basic questions: Information security risks often emerge because potential security threats are identified that could exploit vulnerabilities in an information asset or group of assets and therefore cause harm to an organization.

Risk acceptance
Risk acceptance occurs when a certain type of risk is accepted rather than managed, because the risk involved is not significant enough to warrant the added cost it would take to avoid that risk.

Risk analysis
Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate the level of risk. Risk analysis results are used to carry out risk evaluations and to make risk treatment decisions. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.

Risk Assessment
Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk communication and consultation
Risk communication and consultation is a dialogue between an organization and its stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organization, not by stakeholders.

Risk criteria
Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization's risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization's values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.

Risk evaluation
Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a risk or a specified level of risk is acceptable or tolerable. Risk evaluation results are used to help select risk treatment options.

Risk identification
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization's objectives. It involves discovering possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives; it also includes the identification of possible causes and potential consequences. You may use historical data, theoretical analysis, informed opinion, expert advice, and stakeholder input to identify your risks.

Risk management
Risk management refers to a coordinated set of activities, methods, and techniques that organizations use to deal with the risk and uncertainty that influences how well they achieve their objectives.

Risk management process
A risk management process is one that systematically uses management policies, procedures, and practices to establish context, to communicate and consult with stakeholders, and to identify, analyze, evaluate, treat, monitor, and review risk.

Risk mitigation
Risk mitigation is a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence (also referred to as risk reduction).

Risk Owner
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

Risk Treatment
Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. The options available for the treatment of risks include:
- Retain/accept the risk: if, after controls are put in place, the remaining risk is deemed acceptable to the organization, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur.
- Reduce the likelihood of the risk occurring: by preventative maintenance, audit and compliance programs, supervision, contract conditions, policies and procedures, testing, investment and portfolio management, training of staff, technical controls, quality assurance programs, etc.
- Reduce the consequences of the risk occurring: through contingency planning, contract conditions, disaster recovery and business continuity plans, off-site backup, public relations, emergency procedures, staff training, etc.
- Transfer the risk: this involves another party bearing or sharing some part of the risk through contracts, insurance, outsourcing, joint ventures, partnerships, etc.
- Avoid the risk: decide not to proceed with the activity likely to generate the risk, where this is practicable.

Scale
A scale is an ordered set of values. Scales can be distinguished from one another based on how values on the same scale are interrelated. There are at least four types of scales: nominal, ordinal, interval, and ratio. Nominal scales use categories as values (e.g. female vs. male), ordinal scales rank values (1st, 2nd, 3rd, 4th, etc.), interval scales use equal quantities as values (e.g. dates and temperatures), and ratio scales use values that specify how much or how many (e.g. duration and length). Ratio scales are possible because they exploit the fact that sometimes it makes sense to use zero as a value. Being able to use a zero value allows you to do calculations and to say, for example, that something is twice as far as something else or takes three times as long as something else.

Security implementation standard
A security implementation standard is a document that describes the officially or formally authorized ways in which security can be achieved or realized.

Statement of Applicability (SoA)
The Statement of Applicability is the primary document that identifies an organization's information security implementation and is the connection between the risk assessment and risk treatment. The Statement of Applicability also includes an explanation (justification) of how and why such controls are appropriate and at what stage of implementation each control exists. The SoA justification should reference the policies, procedures, other documentation and implemented systems through which the controls will manifest. A clear justification for the controls deemed not applicable to the organization must also be included. The SoA is a vital document in the certification process, as it is a single document providing the information required for certification that can be easily presented to management with regular status updates.

Third party
A third party is any person or body that is recognized as independent of the people directly involved with an issue.

Threat
A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.

Top management
The term top management normally refers to the people at the top of an organization: the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers instead to the people who direct and control that part of the organization.

Trusted information communication entity
A trusted information communication entity is an autonomous organization that supports the exchange of information between members of an information sharing community.

Unit of measurement
A unit of measurement is a particular quantity or magnitude that is used as a standard for comparing measurements of the same kind. A standard unit of measurement is one that has been defined and adopted by convention, by agreement, or officially established by law.

Validation
Validation is a process. It uses objective evidence to confirm that the requirements which define an intended use or application have been met. Whenever all requirements have been met, a validated status is achieved. The process of validation can be carried out under realistic use conditions or within a simulated use environment.

Verification
Verification is a process that uses objective evidence to confirm that specified requirements have actually been met. Verification is sometimes referred to as compliance testing.

Vulnerability
A vulnerability is a weakness of an asset or control that could potentially be exploited by one or more threats.