Glossary

This section provides brief descriptions of the various items and terms used to describe risk, security, networking and technology issues. 

Control: A safeguard, response or countermeasure to manage (i.e. mitigate or reduce) risk, including policies, guidelines, standards, practices or organizational structures.

ISO/IEC: The International Organization for Standardization/International Electrotechnical Commission.

ISO/IEC 27002: Part of the ISO 27000 series of standards on information security, prepared by the ISO/IEC Joint Technical Committee's Information Technology subcommittee. The current version of the standard was published June 15, 2005 and replaced the previous version, ISO 17799:2000.

ISMS: Information Security Management System. The over-arching policy framework and administrative program for guiding IT security within an organization.

Risk: The combination of the probability of a threat materializing (i.e. an event occurring) and its consequence or impact. Risk management is the set of coordinated activities used to direct and control risk; it typically includes risk assessment, risk treatment or mitigation, risk acceptance, and risk communication.

Risk Assessment: The systematic and methodical consideration of: 1) the harm (i.e. impact) likely to result from a range of business process failures; and 2) the realistic likelihood of such failures occurring.

The risk assessment and risk management process includes estimating the magnitude of inherent risk (i.e. the product of impact and likelihood, before any controls are applied), comparing those risk estimates against the organization's risk criteria (i.e. risk evaluation), and determining the appropriate controls for reducing the risk to an acceptable level; the risk that remains after controls are applied is the residual risk.

Threat: A potential cause of an unwanted incident, which may result in harm (i.e. impact) to a system or organization.

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.