As the cybersecurity industry grows, so do the concepts and terms to help us manage security policies and business objectives. This edition of ‘What is the Meaning of This?’ focuses on duty of care, reasonableness, and CIS RAM.
Appropriate A condition in which risks to information assets will not foreseeably create harm that is greater than what the organization or interested parties can tolerate.
Appropriate risk Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.
The likelihood of an impact must be acceptable to all foreseeably affected parties.
Asset Class A group of information assets that are evaluated as one set based on their similarity. “Servers,” “end-user computers,” “network devices” are examples, as are “email servers,” “web servers” and “authentication servers.”
Authorities Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.
Attack Path Model A description of how a specific attack path may occur within an environment.
Burden The negative impact that a safeguard may pose to the organization, or to others.
Business Owners Personnel who own business processes, goods, or services that information technologies support. i.e. customer service managers, product managers, sales management.
CIS RAM An information security risk assessment method based on DoCRA that helps organizations design and evaluate their implementation of the CIS Controls. It helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each organization’s specific environment.
Constituents Individuals or organizations that may be benefit from effective security over information assets, or may be harmed if security fails.
Control A documented method for protecting information assets using technical, physical, or procedural safeguards.
Control Objective The intended outcome of a control.
Due Care The amount of care that a reasonable person would take to prevent foreseeable harm to others.
Duty of care The responsibility of one party to prevent harm to others.
Duty of Care Risk Analysis Standard (DoCRA) Principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. DoCRA describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks. It provides a foundation to develop reasonable security and safeguards based on an organization’s mission, objective, and social responsibility.
Principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. DoCRA describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks. It provides a foundation to develop reasonable security and safeguards based on an organization’s mission, objective, and social responsibility.
Impact The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.
Interested parties Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.
Inherent Risk The likelihood of an impact occurring when a threat compromises an unprotected asset.
Key Risk Indicator Aggregations and trending analysis of measures that management may use to understand their risk status.
Likelihood The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.
Reasonable Risk The risk posed by a safeguard must be less than or equal to the risk it protects against.
Reasonable safeguards Protections against the foreseeability or magnitude of risks that do not pose a burden that is greater than the risk it protects against.
Residual Risk The risk that remains after a safeguard is applied. This concept is not directly used by CIS RAM, but implies that risk is lowered when a safeguard is applied. Residual risk does not take into account potential negative impacts to the organization when safeguards are applied.
Risk An estimation of the likelihood that a threat will create an undesirable impact. In terms of this method, risk may be expressed as the product of a likelihood and an impact.
Risk Acceptance Criteria The likelihood of an impact that the organization equates with appropriate risk.
Risk Analysis The process of estimating the likelihood that an event will create an impact. The foreseeability of a threat, the expected effectiveness of safeguards, and an evaluated result are necessary components of risk analysis. Risk analysis may occur during a comprehensive risk assessment, or as part of other activities such as change management, vulnerability assessments, system development and acquisition, and policies exceptions.
Risk Assessment A comprehensive project that evaluates the potential for harm to occur within a scope of information assets, controls, and threats.
Risk Evaluation The mathematical component of risk analysis that estimates the likelihood and impact of a risk, and compares it to acceptable risk.
Risk Management A process for analyzing, mitigating, overseeing, and reducing risk.
Risk Treatment Option The selection of a method for addressing risks. Organizations may choose to Accept, Reduce, Transfer, or Avoid risks.
Risk Treatment Plan A comprehensive project plan for implementing risk treatment recommendations.
Risk Treatment Recommendations A listing of safeguards or processes that may be implemented and operated to reduce the likelihood and/or impact of a risk.
Safeguard Technologies, processes, and physical protections that prevent or detect threats against information assets. Safeguards are implementations of controls.
Safeguard Risk The risk posed by recommended safeguards. An organization’s mission or objectives may be negatively impacted by a new security control. These impacts must be evaluated to understand their burden on the organization, and to determine whether the burden is reasonable.
Security An assurance that characteristics of information assets are protected. Confidentiality, Integrity, and Availability are common security characteristics. Other characteristics of information assets such as velocity, authenticity, and reliability may also be considered if these are valuable to the organization and its constituents.
Threat An act or an omission that may create harm.
Threat Model A description of how a threat could compromise an information asset, given the current safeguards and vulnerabilities around the asset.
Vulnerability A weakness that could permit a threat to compromise the security of information assets.