Measurement Function

Definition(s)

Algorithm or calculation performed to combine two or more base measures. [SOURCE: ISO/IEC 15939:2007]
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Measurement

Definition(s)

Process to determine a value.
  • Note 1 to entry: In the context of information security, the process of determining a value requires information about the effectiveness of an information security management system and its associated controls, using a measurement method, a measurement function, an analytical model, and decision criteria.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

ISMS Project

Definition(s)

Structured activities undertaken by an organization to implement an ISMS.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information System

Definition(s)

Applications, services, information technology assets, or other information handling components.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Sharing Community

Definition(s)

Group of organizations that agree to share information.
  • Note 1 to entry: An organization can be an individual.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Security Incident Management

Definition(s)

Processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Security Incident

Definition(s)

Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Security Event

Definition(s)

Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Security Continuity

Definition(s)

Processes and procedures for ensuring continued information security operations.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Security

Definition(s)

Preservation of confidentiality, integrity and availability of information.
  • Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Processing Facilities

Definition(s)

Any information processing system, service or infrastructure, or the physical location housing it.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Information Need

Definition(s)

Insight necessary to manage objectives, goals, risks and problems. [SOURCE: ISO/IEC 15939:2007]
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Governing Body

Definition(s)

Person or group of people who are accountable for the performance and conformance of the organization.
  • Note 1 to entry: In some jurisdictions the governing body can be a board of directors.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Governance of Information Security

Definition(s)

System by which an organization’s information security activities are directed and controlled.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Executive Management

Definition(s)

Person or group of people who have delegated responsibility from the governing body for implementation of strategies and policies to accomplish the purpose of the organization.
  • Note 1 to entry: Executive management is sometimes called top management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Documented Information

Definition(s)

Information required to be controlled and maintained by an organization and the medium on which it is contained.
  • Note 1 to entry: Documented information can be in any format and media and from any source.
  • Note 2 to entry: Documented information can refer to
    • the management system, including related processes;
    • information created in order for the organization to operate (documentation);
    • evidence of results achieved (records).
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Derived Measure

Definition(s)

Measure that is defined as a function of two or more values of base measures. [SOURCE: ISO/IEC 15939:2007]
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Decision Criteria

Definition(s)

Thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result. [SOURCE: ISO/IEC 15939:2007]
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Control Objective

Definition(s)

Statement describing what is to be achieved as a result of implementing controls.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Continual Improvement

Definition(s)

Recurring activity to enhance performance.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Base Measure

Definition(s)

Measure defined in terms of an attribute and the method for quantifying it. [SOURCE: ISO/IEC 15939:2007]
  • Note 1 to entry: A base measure is functionally independent of other measures.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Analytical Model

Definition(s)

Algorithm or calculation combining one or more base measures and/or derived measures with associated decision criteria.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Vulnerability Assessment

Definition(s)

Vulnerability Assessment

A product or process of identifying physical features or operational attributes that renders an entity, asset, system, network, or geographic area susceptible or exposed to hazards.
Source: API RP 781, Security Plan Methodology for the Oil and Natural Gas Industries, 1st Ed., September 2016. Global Standards

Vulnerability Assessment

Product or process of identifying physical features or operational attributes that renders an entity, asset, system, network, or geographic area susceptible or exposed to hazards.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Vulnerability Assessment

Product or process of identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area susceptible or exposed to hazards.
Sample Usage: The team conducted a vulnerability assessment on the ship to determine how it might be exploited or attacked by an adversary.
Annotation: Vulnerability assessments can produce comparable estimates of vulnerabilities across a variety of hazards or assets, systems, or networks.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Uncertainty

Definition(s)

Uncertainty

Degree to which a calculated, estimated, or observed value may deviate from the true value.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Uncertainty

Degree to which a calculated, estimated, or observed value may deviate from the true value.
Sample Usage: The uncertainty in the estimate was due to a lack of information for the particular environment and situation.
Annotation:
  1. Uncertainty may stem from many causes, including the lack of information.
  2. The concept of uncertainty is useful in understanding that likelihoods and consequences can oftentimes not be predicted with a high degree of precision or accuracy.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Unacceptable Risk

Definition(s)

Unacceptable Risk

Level of risk at which, given costs and benefits associated with further risk reduction measures, action is deemed to be warranted at a given point in time.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Unacceptable Risk

Level of risk at which, given costs and benefits associated with further risk reduction measures, action is deemed to be warranted at a given point in time.
Sample Usage: The presence of contaminants in excess of a certain level represents an unacceptable risk to public health.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Risk Assessment Methodology

Definition(s)

Risk Assessment Methodology

Set of methods, principles, or rules used to identify and assess risks and to form priorities, develop courses of action, and inform decision making.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Risk Assessment Methodology

Set of methods, principles, or rules used to identify and assess risks and to form priorities, develop courses of action, and inform decision making.
Sample Usage: The Maritime Security Risk Analysis Model (MSRAM) is a risk assessment methodology used to assess risk at our Nation's ports.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Direct Consequence

Definition(s)

Direct Consequence

Effect that is an immediate result of an event, incident, or occurrence.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Direct Consequence

Effect that is an immediate result of an event, incident, or occurrence.
Sample Usage: Property damage and loss of life were among the direct consequences resulting from the hurricane.
Annotation:
  1. Direct consequences can include injuries, loss of life, on-site business interruption, immediate remediation costs, and damage to property and infrastructure as well as to the environment.
  2. The distinction between direct and indirect consequences is not always clear, but what matters in risk analysis is a) capturing the likely effects – be they designated as direct or indirect – that should be part of the analysis, b) clearly defining what is contained as part of direct consequences and what is part of indirect consequences, and c) being consistent across the entire analysis. Such consistency and clarity are important for comparability across scenarios and risk analyses.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Criticality Assessment

Definition(s)

Criticality Assessment

Product or process of systematically identifying, evaluating, and prioritizing based on the importance of an impact to mission(s), function(s), or continuity of operations.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Criticality Assessment

Product or process of systematically identifying, evaluating, and prioritizing based on the importance of an impact to mission(s), function(s), or continuity of operations.
Sample Usage: A criticality assessment determined that the county's chemical plants required greater attention than previously determined.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Criticality

Definition(s)

Criticality

Importance to a mission, function, or continuity of operations.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Criticality

Importance to a mission or function, or continuity of operations.
Sample Usage: The criticality of the asset was determined based upon the number of people to whom it provided service.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Countermeasure

Definition(s)

Countermeasure

An action, measure, or device intended to reduce an identified risk.
Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Countermeasure

Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management, or legal in nature. [ISO/IEC 27000:2009]
  • NOTE: ISO Guide 73:2009 defines control as simply a measure that is modifying risk.
Source: ISO/IEC 27032:2015, Information technology — Security techniques — Guidelines for cybersecurity, First Edition, July 2012. Global Standards

Countermeasure

Action, measure, or device intended to reduce an identified risk.
Sample Usage: Some facilities employ surveillance cameras as a countermeasure.
Annotation: A countermeasure can reduce any component of risk: threat, vulnerability, or consequence.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition, September 2010. Regulatory Guidance

Countermeasure

Action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken [11].
  • NOTE: The term “control” is also used to describe this concept in some contexts. The term countermeasure has been chosen for this standard to avoid confusion with the word control in the context of “process control.”
Source: ANSI/ISA–99.00.01–2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, 29 October 2007. National Standard