Risk analysis

See:

· Risk

risk analysis

Process to comprehend the nature of risk and to determine the level of risk. [UNE-ISO GUÍA 73:2010]

NOTE 1 Risk analysis provides the basis for risk evaluation and for decisions about risk treatment.

NOTE 2 Risk analysis includes risk estimation.

[UNE-ISO/IEC 27000:2014]

Risk analysis.

Systematic use of the available information to identify hazards and estimate the risks. [ENS:2010]

risk analysis

Process to comprehend the nature of risk and to determine the level of risk. [UNE Guía 73:2010]

risk analysis

Systematic process to estimate the magnitude of the risks to which an Organization is exposed. [Magerit:2012]

risk analysis

Study of the assets, their vulnerabilities and the probabilities that threats will materialize, with the aim of determining the annual risk exposure of each asset to each threat.

It may be quantitative, when this exposure is expressed in monetary units, or qualitative, when it is expressed on a relative severity scale, for example from 1 to 10. Given the difficulty of calculating the cited probabilities precisely, the latter is usually chosen.

[Ribagorda:1997]

(en) risk analysis

process to comprehend the nature of risk and to determine the level of risk [ISO Guide 73:2009]

NOTE 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

NOTE 2: Risk analysis includes risk estimation.

[ISO/IEC 27000:2014]

(en) risk analysis

process to comprehend the nature of risk and to determine the level of risk. [ISO Guide 73:2009]

(en) risk analysis

Examination of information to identify the risk to an information system. [CNSSI_4009:2010]

(en) Risk analysis

A process by which frequency and magnitude of IT risk scenarios are estimated. [RiskIT-PG:2009]

(en) risk analysis

Systematic examination of the components and characteristics of risk.

Annotation: In practice, risk analysis is generally conducted to produce a risk assessment. Risk analysis can also involve aggregation of the results of risk assessments to produce a valuation of risks for the purpose of informing decisions. In addition, risk analysis can be done on proposed alternative risk management strategies to determine the likely impact of the strategies on the overall risk.

DHS Risk Lexicon, September 2008

(en) risk analysis

(I) An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.) [RFC4949:2007]

(en) risk analysis

An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence. [TDIR:2003]

(en) risk analysis

The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. [NIST-SP800-33:2001]

(en) Risk Analysis

A documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and an estimation of the security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. Risk analysis involves determining what requires protection, what it should be protected from, and how to protect it.

http://www.hipaa.yale.edu/overview/glossary.html

(en) risk analysis

Risk analysis involves analyzing target software for vulnerabilities and characterizing their nature and potential impact. Microsoft calls this threat modeling. Risk analysis attempts to identify, prioritize, and plan appropriate mitigation for the risks facing a piece of software.

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html

(fr) analyse du risque

process implemented to comprehend the nature of a risk and to determine the level of risk [ISO Guide 73:2009]
