The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:
Audit
A formal examination that follows a specific, recognized methodology, with defined reporting elements and metrics to be examined (for example, a financial audit conducted according to Public Accounting and Auditing Guidelines and Procedures). An audit is typically performed by an accounting or auditing firm.
Assessment
An evaluation or valuation of IT assets against predefined measurement or evaluation criteria. Unlike an audit, an assessment (such as a risk assessment or a vulnerability assessment) does not typically require an accounting or auditing firm to conduct it.
Disclaimer of Warranties
A legal term for a contract clause in which the maker disclaims any warranty on the product, hardware, or software, denying the user a legal claim of warranty.
Exclusion of Incidental, Consequential, and Certain Other Damages
A legal term for a contract clause that excludes the organization's liability for incidental, consequential, and certain other damages that may arise from the use of the organization's hardware or software.
Hot Site
A remote, secure data center that replicates the production IT infrastructure, systems, applications, and backup data, so that operations can resume there if the production environment becomes unavailable.
IT
Information technology.
IT Asset
An information technology asset, such as hardware, software, or data.
IT Asset Criticality
The act of assigning a criticality factor or importance rating (Critical, Major, or Minor) to an IT asset.
IT Asset Valuation
The act of assigning a monetary value to an IT asset.
IT Infrastructure
A general term to encompass all information technology assets (hardware, software, data), components, systems, applications, and resources.
IT Security Architecture and Framework
A document that defines the policies, standards, procedures, and guidelines for information security.
Law
A rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority (U.S. federal government, state government, and so on).
Limitation of Liability and Remedies
A legal term for a contract clause that caps the organization's financial liability and restricts the remedies the organization is legally willing to provide.
Limited Warranty
A legal term for a written guarantee of a product's integrity and of the maker's responsibility for the repair or replacement of defective parts, with explicit limits on the scope or duration of that guarantee.
Mandate
A formal order from a superior court or official to an inferior one, such as a mandate from the U.S. federal government to state government.
Qualitative Analysis
A nonmonetary evaluation and analysis in which risk or importance is expressed through weighting or criticality factors (such as Critical, Major, or Minor) rather than dollar amounts.
Quantitative Analysis
A numerical evaluation and analysis in which risk or loss is expressed as a monetary (dollar) valuation.
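As an added illustration of the difference between qualitative and quantitative analysis (this is not part of the original chapter), the following Python script scores one constructed set of IT assets and threats both ways: once by monetary loss, using IT asset valuation, and once by weighted factors, using IT asset criticality. The asset names, dollar values, and threat figures are constructed for the example. The single loss expectancy and annualized loss expectancy formulas (SLE = asset value x exposure factor; ALE = SLE x annualized rate of occurrence) are the standard quantitative method and are assumed here rather than defined by this glossary, as is the High/Medium/Low likelihood scale.

```python
"""Quantitative vs. qualitative risk analysis over a constructed set of
IT assets and threats. Added example: the SLE/ALE arithmetic and the
High/Medium/Low likelihood scale are assumptions, not glossary content."""
from dataclasses import dataclass

# Qualitative scales, mapped to weights so they can be combined.
# Criticality uses the glossary's Critical/Major/Minor scale; the
# High/Medium/Low likelihood scale is an assumption for this example.
CRITICALITY_WEIGHT = {"Critical": 3, "Major": 2, "Minor": 1}
LIKELIHOOD_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Asset:
    name: str
    value_usd: float   # IT asset valuation (monetary)
    criticality: str   # IT asset criticality (Critical, Major, Minor)


@dataclass
class Threat:
    description: str
    asset: str              # name of the asset this threat acts on
    exposure_factor: float  # fraction of asset value lost per event, 0..1
    aro: float              # annualized rate of occurrence (events/year)
    likelihood: str         # qualitative likelihood (High, Medium, Low)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = asset value x exposure factor (dollars lost per event)."""
    return asset.value_usd * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO (expected dollars lost per year)."""
    return single_loss_expectancy(asset, threat) * threat.aro


def quantitative_analysis(assets, threats):
    """Monetary ranking: {threat description: ALE in dollars}, highest first."""
    by_name = {a.name: a for a in assets}
    ale = {t.description: annualized_loss_expectancy(by_name[t.asset], t)
           for t in threats}
    return dict(sorted(ale.items(), key=lambda kv: kv[1], reverse=True))


def qualitative_analysis(assets, threats):
    """Weighted ranking: {threat description: criticality x likelihood}."""
    by_name = {a.name: a for a in assets}
    score = {t.description: CRITICALITY_WEIGHT[by_name[t.asset].criticality]
             * LIKELIHOOD_WEIGHT[t.likelihood]
             for t in threats}
    return dict(sorted(score.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample data (not real figures).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000.0, "Critical"),
    Asset("public web server", 50_000.0, "Critical"),
    Asset("branch office printer", 2_000.0, "Minor"),
]
SAMPLE_THREATS = [
    Threat("SQL injection against customer database",
           "customer database", 0.4, 0.5, "Medium"),
    Threat("Web server defacement", "public web server", 0.2, 2.0, "High"),
    Threat("Printer theft", "branch office printer", 1.0, 0.1, "Low"),
]


def run_sample():
    """Return (quantitative, qualitative) results for the constructed data."""
    return (quantitative_analysis(SAMPLE_ASSETS, SAMPLE_THREATS),
            qualitative_analysis(SAMPLE_ASSETS, SAMPLE_THREATS))


if __name__ == "__main__":
    quant, qual = run_sample()
    print("Quantitative (ALE, USD per year):")
    for desc, ale in quant.items():
        print(f"  {ale:>12,.2f}  {desc}")
    print("Qualitative (criticality x likelihood):")
    for desc, score in qual.items():
        print(f"  {score:>12}  {desc}")
```

Note that the two rankings do not agree on the sample data: the quantitative analysis puts the database threat first because the asset valuation is large, while the qualitative analysis puts the web server threat first because it weighs only criticality and likelihood and is blind to dollar value. That is the practical reason an assessment states which method it used.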
Regulation
A rule issued by a government agency or other controlling authority that specifies how a law or mandate is implemented and enforced.
Risk
The exposure to, or potential for, loss or damage to IT assets within the IT infrastructure.
Risk Assessment
A process for evaluating the exposure to, or potential for, loss or damage to an organization's IT and data assets.
Risk Management
The overall responsibility for and management of risk within an organization, including the assignment of roles, responsibilities, and accountabilities for risk across the organization.
Threat
Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.
Vulnerability
A weakness in the IT infrastructure or its components that a threat may exploit to destroy, damage, or compromise an IT asset.
Vulnerability Assessment
A methodical evaluation of the weaknesses in an organization's IT infrastructure components and assets, together with recommendations for the security controls that mitigate those weaknesses and remediate exposure to risks, threats, and vulnerabilities.
Vulnerability Management
The overall responsibility for and management of vulnerabilities within an organization, and how that management is achieved through the assignment of duties across the IT organization.