Information Security Terminologies

Cards (15)

  • Vulnerability
    Weakness of a system that allows a threat source to compromise its security, e.g. lack of VAPT, absence of policies and procedures, etc.
  • Threat
    Any potential danger associated with the exploitation of a vulnerability; a potential event that could result in an impact when a vulnerability is exploited, e.g. information disclosure, service disruption, etc.
  • Threat Agent
    An entity that takes advantage of a vulnerability.
  • Risk
    Likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
    >>> Risk is an uncertain event which leads to monetary and other losses.
    >>> Risk is not uncertainty; we know the possible outcomes but not which one will take place.
  • Exposure
    An instance of being exposed to losses.
  • Control/Countermeasure
    Is put into place to mitigate/reduce the potential risk.
  • Risk Management
    The process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization's capital and earnings.
  • Likelihood
    How often a threat tries / attempts to exploit a vulnerability, e.g. daily, once a week, once a month, etc.
  • Impact
    The outcome of a particular threat exploiting a vulnerability, e.g. a financial loss of a million dollars, a penalty, etc.
  • Asset Valuation
    Process of defining the value of an asset, e.g. monetary value, or value based on confidentiality, integrity and availability, etc.
  • Inherent Risk
    Risk which is naturally associated with an asset / process.
  • Residual Risk
    The risk left behind after a control has been applied to a particular risk. As a rule of thumb: residual risk = inherent risk - control value.
  • Asset Owner
    Usually a person from the business side, i.e. the business user of the asset. The Asset Owner owns the risk pertaining to the asset, and all approvals are sought from them.
  • Asset Custodian
    Usually a person from the IT department, i.e. the person who manages the asset. The Asset Custodian is responsible for managing the asset and implementing all controls where required. To make any significant change or decision pertaining to the asset, the custodian always takes permission from the Asset Owner.
  • Risk Owner
    The person accountable for a risk. Usually the Asset Owner or a person designated by management.