See:
· Risk identification
· Control
Effect of uncertainty on the achievement of objectives. [UNE-ISO GUÍA 73:2010]
NOTE 1 An effect is a deviation, positive and/or negative, from what was expected.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to the understanding or knowledge of an event, its consequences, or its likelihood.
NOTE 3 Risk is often characterized by reference to potential events and their consequences, or a combination of both.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood.
NOTE 5: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the possibility that threats will exploit vulnerabilities of an information asset or group of information assets and cause harm to an organization.
[UNE-ISO/IEC 27000:2014]
Effect of uncertainty on the achievement of objectives.
NOTE 4. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood.
[ISO Guía 73:2010]
Estimate of the degree of exposure to a threat materializing on one or more assets, causing damage or harm to the organization. [UNE-71504:2008]
The risks of the information system under the hypothesis that no safeguards were present. [UNE-71504:2008]
A possible Event that could cause harm or loss, or affect the ability to achieve Objectives. A Risk is measured by the probability of a Threat, the Vulnerability of the Asset to that Threat, and the Impact it would have if it occurred. [ITIL:2007]
Estimate of the degree of exposure to a threat materializing on one or more assets, causing damage or harm to the Organization. [Magerit:2012]
Probability that a threat materializes by exploiting a vulnerability, causing damage (impact) to a process or system. [CCN-STIC-401:2007]
The potential that a specific threat will exploit the weaknesses of an asset or group of assets to cause loss and/or damage to the assets. It is generally measured by a combination of impact and probability of occurrence. [COBIT:2006]
Said of the risk calculated taking into account the asset's own value and the value of the assets that depend on it. This value is combined with the degradation caused by a threat and its estimated frequency. [Magerit:2012]
Said of the risk calculated taking into account only the asset's own value. This value is combined with the degradation caused by a threat and its estimated frequency, both measured on the assets it depends on. [Magerit:2012]
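A worked illustration of the two Magerit notions above (accumulated risk and repercussed risk) on a small asset dependency chain, written for this page rather than taken from Magerit or its tools; the asset names, the 0-10 value scale, the degradation fractions and the yearly frequencies are constructed sample data:

```python
# Added example: Magerit-style accumulated vs. repercussed risk on a dependency
# graph. Asset names, the 0-10 value scale, degradation fractions and yearly
# frequencies are constructed sample data, not figures from Magerit itself.

# The business process depends on the application, which depends on the server.
OWN_VALUE = {"order_process": 9, "erp_app": 6, "db_server": 4}
DEPENDS_ON = {"order_process": ["erp_app"], "erp_app": ["db_server"], "db_server": []}

# Threats recorded on each asset: name -> (degradation fraction, frequency/year).
THREATS = {"db_server": {"disk_failure": (0.8, 0.5)},
           "erp_app": {"sw_defect": (0.3, 2.0)}}


def dependents(asset):
    """Assets that rely on `asset`, transitively (the assets it supports)."""
    found = set()
    for upper, lower in DEPENDS_ON.items():
        if asset in lower:
            found |= {upper} | dependents(upper)
    return found


def supports(asset):
    """Assets that `asset` relies on, transitively."""
    found = set()
    for lower in DEPENDS_ON[asset]:
        found |= {lower} | supports(lower)
    return found


def accumulated_value(asset):
    """Own value plus the value of every asset that depends on it."""
    return OWN_VALUE[asset] + sum(OWN_VALUE[d] for d in dependents(asset))


def accumulated_risk(asset, threat):
    """Accumulated risk: accumulated value x degradation x frequency, all taken
    on the lower asset where the threat actually materializes."""
    degradation, frequency = THREATS[asset][threat]
    return accumulated_value(asset) * degradation * frequency


def repercussed_risk(asset):
    """Repercussed risk on `asset`: its own value combined with the degradation
    and frequency of each threat on the assets it depends on."""
    return {(lower, name): OWN_VALUE[asset] * deg * freq
            for lower in supports(asset)
            for name, (deg, freq) in THREATS.get(lower, {}).items()}


if __name__ == "__main__":
    print("accumulated risk on db_server:", accumulated_risk("db_server", "disk_failure"))
    print("repercussed risk on order_process:", repercussed_risk("order_process"))
```

The server's accumulated value (19) carries the whole chain, so a threat on it is weighed with everything above it, while the process's repercussed risk shows how much of its own value each lower-level threat puts at stake.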
Probability that a vulnerability inherent to an information system will be exploited by the threats to that system, with the aim of penetrating it. [CESID:1997]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014
effect of uncertainty on objectives [ISO Guide 73:2009]
NOTE 1: An effect is a deviation from the expected, positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
NOTE 5: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
[ISO/IEC 27000:2014]
effect of uncertainty on objectives
NOTE 4. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
[ISO Guide 73:2009]
A probable situation with uncertain frequency and magnitude of loss (or gain) [RiskIT-PG:2009]
The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls) [RiskIT-PG:2009]
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise [RiskIT-PG:2009]
1: An instance of an IT risk
2: A combination of control, value and threat conditions that impose a noteworthy level of IT risk
[RiskIT-PG:2009]
potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences
Extended Definition: potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence
Annotation:
1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used to compare different future situations.
2) Risk may manifest at the strategic, operational, and tactical levels.
DHS Risk Lexicon, September 2008
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
(i) the adverse impacts that would arise if the circumstance or event occurs; and
(ii) the likelihood of occurrence.
Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. [FIPS 200, Adapted]
[NIST-SP800-53:2013]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
[CNSSI_4009:2010]
1. (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (See: residual risk.)
2. (O) /SET/ "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]
[RFC4949:2007]
A possible Event that could cause harm or loss, or affect the ability to achieve Objectives. A Risk is measured by the probability of a Threat, the Vulnerability of the Asset to that Threat, and the Impact it would have if it occurred. [ITIL:2007]
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss and/or damage to the assets. It usually is measured by a combination of impact and probability of occurrence. [COBIT:2006]
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. [FIPS-200:2006]
As used in this guideline, the term 'risk' means a combination of:
· the likelihood that a particular vulnerability in an agency information system will be either intentionally or unintentionally exploited by a particular threat resulting in a loss of confidentiality, integrity, or availability, and
· the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability will have on agency operations (including mission, functions, and public confidence in the agency), an agency's assets, or individuals (including privacy) should there be a threat exploitation of information system vulnerabilities.
[NIST-SP800-60V2:2004]
A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact. Reducing either the threat or the vulnerability reduces the risk. [TDIR:2003]
A measure of the exposure to which a system or potential system may be subjected. [CRAMM:2003]
The net mission/business impact (probability of occurrence combined with impact) from a particular threat source exploiting, or triggering, a particular information technology vulnerability. IT related-risks arise from legal liability or mission/business loss due to:
· Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information.
· Non-malicious errors and omissions.
· IT disruptions due to natural or man-made disasters.
· Failure to exercise due care and diligence in the implementation and operation of the IT.
[NIST-SP800-33:2001]
Flaws and bugs lead to risk. Risks are not failures. Risks capture the probability that a flaw or a bug will impact the purpose of the software. Risk measures also take into account the potential damage that can occur. A very high risk is not only likely to happen but also likely to cause great harm. Risks can be managed by technical and non-technical means.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Risks capture the likelihood that a vulnerability will be exploited, as well as the potential damage (impact) that will occur if it is. It is important to note that risks, threats, and exploits are all separate things. Risks may be present in the target software, on the target host, or in the broader operational environment of the software.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
A measure of the potential degree to which protected information is subject to loss through adversary exploitation.
http://www.ioss.gov/docs/definitions.html
The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). [TDIR:2003]
The uncertainty that can create exposure to undesired future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to impede the achievement of an organization's objectives.
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
In the context of RIDM, risk is the potential for shortfalls, which may be realized in the future, with respect to achieving explicitly-stated performance commitments. The performance shortfalls may be related to institutional support for mission execution, or related to any one or more of the following mission execution domains: safety, technical, cost, schedule.
As applied to CRM, risk is characterized as a set of triplets:
a. The scenario(s) leading to degraded performance in one or more performance measures,
b. The likelihood(s) of those scenarios,
c. The consequence(s), impact, or severity of the impact on performance that would result if those scenarios were to occur.
Uncertainties are included in the evaluation of likelihoods and consequences.
NASA Risk Management Handbook, NASA/SP-2011-3422, Version 1.0, November 2011
effect of uncertainty on the achievement of objectives [ISO Guide 73:2009]
A possible event that could cause a deficiency or a loss, or affect the possibility of achieving objectives. A risk is measured by the probability of a threat, the vulnerability of an asset to that threat, and the impact it would have if it occurred. [ITIL:2007]
The uncertainty that exposure to undesired events or outcomes can create. It is the expression of the likelihood and impact of an event liable to hinder the achievement of an organization's objectives.
http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578