Acceptable Risk The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system. [NIST Glossary]
Adequate Security [Protection] Security [protection] commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [NIST Glossary]
Adversary Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. [NIST Glossary]
Analysis Approach The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated. [NIST Glossary]
Assessment See Security Control Assessment or Risk Assessment.
Assessment Scope The information systems and technology, infrastructure, and organizational elements that are the target of assessment. [HITRUST]
Asset(s) Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). [NIST Glossary]
Assurance Grounds for justified confidence that a claim has been or will be achieved.
Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims. [NIST Glossary]
Attack Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. [NIST Glossary]
Attack Surface The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment. [NIST Glossary]
Audit Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. [NIST Glossary]
Availability Ensuring timely and reliable access to and use of information. [NIST Glossary]
Avoidance Control A general class of control that helps minimize a target’s attack surface or otherwise reduce the frequency with which a threat actor comes into contact with an asset. [HITRUST]
Capability (Threat Actor) The ability of a threat actor to successfully exploit one or more vulnerabilities to achieve an objective and generally consists of a threat actor’s knowledge, skills, and tools (and other resources). [HITRUST]
Care The process of protecting someone or something and providing what that person or thing needs. [Cambridge Dictionary]
Compensating Security Control(s) A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. [NIST Glossary]
Compliance An adherence to the laws, regulations, standards, guidelines, and other specifications [such as contractual obligations] relevant to an organization’s business. [Adapted from the HITRUST Risk vs. Compliance Whitepaper, p. 3]
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [NIST Glossary]
Control Category(ies) The highest topical level in the HITRUST CSF control framework. [HITRUST]
Control Function The manner in which a control addresses a threat to manage associated risk. [HITRUST]
Control Implementation Requirement A granular, often prescriptive requirement or activity within a HITRUST CSF control intended to help an organization achieve the outcome indicated by its Control Specification. [HITRUST]
Control Maturity The extent to which a control is defined, implemented, measured, managed/controlled, and effective. [HITRUST] Also, ‘Control Implementation Maturity.’
Control Purpose Synonymous with Control Function.
Control Requirement See Control Implementation Requirement.
Control(s) The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. [NIST Glossary] Synonymous with ‘Countermeasures’ and ‘Safeguards.’
A [HITRUST CSF] control is a collection of implementation requirements intended to satisfy the objective or outcome [identified] by a control specification; includes a control reference, i.e., a control number and name, risk factors, topical area tags, and supporting authoritative sources. [HITRUST]
Corrective Action Activities intended to remediate control deficiencies; actions taken to address causes of non-conformity, preclude hazards, or prevent the recurrence of a problem. [HITRUST]
Corrective Action Plan (CAP) Corrective actions for an issuer for removing or reducing deficiencies or risks identified by the Assessor during the assessment of issuer operations. The plan identifies actions that need to be performed in order to obtain or sustain authorization. [NIST Glossary]
Countermeasure(s) Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [NIST Glossary] Synonymous with ‘Controls’ or ‘Safeguards.’
Course of Action A time-phased or situation-dependent combination of risk response measures. [NIST Glossary]
Criticality A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. An attribute assigned to an asset that reflects its relative importance or necessity in achieving or contributing to the achievement of stated goals. [NIST Glossary] Note: criticality is often determined by the impact to the organization due to a loss of integrity or availability.
Cyber Attack An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. [NIST Glossary]
Cyber Incident Actions through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident. [NIST Glossary]
Cyber Risk Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system. [NIST Glossary]
Cybersecurity Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. [NIST Glossary]
Cyberspace The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. [NIST Glossary]
Data Information in a specific representation, usually as a sequence of symbols that have meaning [or] pieces of information from which ‘understandable information’ is derived. [NIST Glossary]
Data Processing The collective set of data actions (i.e., the complete data life cycle, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal). [NIST Glossary]
Decision Analysis Logical methods for improving decision-making … [including] models for decision-making under conditions of uncertainty or multiple objectives; techniques of risk analysis and risk assessment; experimental and descriptive studies of decision-making behavior; economic analysis of competitive and strategic decisions; techniques for facilitating decision-making by groups; and computer modeling software and expert systems for decision support. [Decision Analysis Society]
Decision Support Control A general class of control that involves actions taken to facilitate the decision analysis process and improve decision-making. [HITRUST]
Descriptive Metadata Information that describes other information. [HITRUST]
Detective Control A general class of control that involves the monitoring and identification of potential threat events. [HITRUST]
Deterrent Control A general class of control that helps discourage a threat actor from initiating or taking advantage of (exploit) a contact. [HITRUST]
Diligence [The] earnest and persistent application of effort, especially as required by law. [FindLaw Dictionary]
Due Care The care that an ordinarily reasonable and prudent person would use under the same or similar circumstances; also called ‘ordinary care’ or ‘reasonable care.’ [FindLaw Dictionary]
The level of care expected from a reasonable person of similar competency under similar conditions. [ISACA Glossary]
Due Diligence Such diligence as a reasonable person under the same circumstances would use; use of reasonable but not necessarily exhaustive efforts; also called ‘reasonable diligence.’ [FindLaw Dictionary]
The performance of those actions that are generally regarded as prudent, responsible, and necessary to conduct a thorough and objective investigation, review, and/or analysis. [ISACA Glossary]
Enhanced Overlay An overlay that adds controls, enhancements, or additional guidance to security control baselines in order to highlight or address needs specific to the purpose of the overlay. See Overlay. Synonymous with Tailored Overlay. [NIST Glossary]
Event Any observable occurrence in an information system. [NIST Glossary]
Factor Analysis of Information Risk An international standard quantitative model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms. [FAIR]
Frequency The rate of a repetitive event. If T is the period of a repetitive event, then the frequency f is its reciprocal, 1/T. Conversely, the period is the reciprocal of the frequency, T = 1 / f. [NIST Glossary]
High-Value Asset(s) Those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States’ national security interests, foreign relations, economy – or to the public confidence, civil liberties, or public health and safety of the American people. [NIST Glossary]
High-Value Service(s) Services built upon high-value assets, for which the success of the organization’s mission depends. [CMMC Glossary, adapted]
Impact The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. [NIST Glossary]
Impact Level The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high. [NIST Glossary] Synonymous with Impact Value.
Impact Value The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high. [NIST Glossary] Synonymous with Impact Level.
Incident An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. [NIST Glossary]
Information Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. [NIST Glossary] Not to be confused with the term ‘Data.’
Information Processing The acquisition, recording, organization, retrieval, display, and dissemination of information. [Britannica]
Information Security Risk The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk. [NIST Glossary]
Information System A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information…. to achieve one or more stated purposes…. Interacting elements … include hardware, software, data, humans, processes, facilities, materials, and naturally occurring physical entities…. Systems of systems is included [in this definition]. [NIST Glossary], adapted
Information System-Related Security Risk Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation. A subset of Information Security Risk. See Risk. [NIST Glossary]
Informative Metadata Information that informs one’s use of other information. [HITRUST]
Inherent Risk Risk that exists when the status of key controls is not taken into consideration or is otherwise unknown. [HITRUST]
Integrity Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. [NIST Glossary]
Likelihood A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. [NIST Glossary]
Likelihood of Occurrence See Likelihood.
Maturity Model A set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level.
A tool that helps assess the current effectiveness of an organization and supports determining what capabilities they need in order to obtain the next level of maturity in order to continue progression up the levels of the model. [CERT RMM v1.2]
Measure(s) The results of data collection, analysis, and reporting. [NIST Glossary]
A standard used to evaluate and communicate performance against expected results (measures are normally quantitative in nature capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction; reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy). [ISACA Glossary]
Measurement The process of data collection, analysis, and reporting. [NIST Glossary]
Measurements are “observations that quantitatively reduce uncertainty.” [Hubbard, D., Seiersen, R., Geer Jr., D., and McClure, S. (2016)]
Metadata Data that provides information about other data. [Merriam-Webster]
Metric(s) Tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. [NIST Glossary]
A quantifiable entity that allows the measurement of the achievement of a process goal (metrics should be SMART—specific, measurable, actionable, relevant, and timely; complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate), and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment). [ISACA Glossary]
Motivation (Threat Actor) The drivers—be it emotional or the pursuit of supremacy or material gain—that cause a threat actor to commit harmful acts. [Derived from Intel]
Ontology In the context of computer and information sciences, an ontology defines a set of representational primitives with which to model a domain of knowledge or discourse. The representational primitives are typically classes (or sets), attributes (or properties), and relationships (or relations among class members). The definitions of the representational primitives include information about their meaning and constraints on their logically consistent application. [Gruber]
Operational Risk Risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Includes legal risk, but excludes strategic and reputational risk. [Basel Committee]
Overlay A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines [to fit the user’s specific environment and mission]. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. [NIST Glossary]
Plan of Action and Milestones A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. Synonymous with Corrective Action Plan. [NIST Glossary]
Policy Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or course of actions; the intended purpose is to influence and guide both present and future decision-making to be in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams. [Adapted from the ISACA Glossary]
Possible Able to be done or achieved, or able to exist. [Cambridge Dictionary]
Preventive Control A general class of controls that help reduce the likelihood that a threat event will occur (or decrease its frequency of occurrence). [HITRUST]
Probable Likely to be true or likely to happen. [Cambridge Dictionary]
Procedure A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. [Adapted from the ISACA Glossary]
Processing See Data Processing and/or Information Processing.
Qualitative Assessment A set of methods, principles, or rules for assessing risk based on non-numerical categories or levels. [NIST Glossary]
Quantitative Assessment A set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment. [NIST Glossary]
Quasi-Quantitative Assessment See Semi-Quantitative Assessment.
Quasi-Quantitative Residual Risk Analysis (QQRRA) HITRUST’s patent-pending quasi-quantitative approach to the analysis of excessive residual risk an organization may incur from its use of sensitive information in the conduct of its business/operations.
Recovery Control A general class of control that involves actions taken to restore an organization to a pre-threat event state. [HITRUST]
Rely-ability The ability of a stakeholder to rely upon [i.e., trust or have confidence in] the assurances provided by an entity. [HITRUST]
Rely-able Assurances that provide a high degree of rely-ability. [HITRUST]
Relying Party An internal or external stakeholder that is the intended recipient of an attestation, assessment, or other form of assurance. [HITRUST]
Repeatable The ability to repeat an assessment in the future, in a manner that is consistent with, and hence comparable to, prior assessments. [NIST Glossary]
Reproducible The ability of different experts to produce the same results from the same data. [NIST Glossary]
Residual Risk Portion of risk remaining after security measures have been applied. [NIST Glossary]
Responsive Control A general class of control that involves actions taken to mitigate the potential impact of a threat event. [HITRUST]
Risk The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [NIST Glossary]
Risk Acceptance The formal acceptance of a specific amount of risk by an individual or organization. [HITRUST]
Risk Analysis The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. [NIST Glossary]
Risk Appetite The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value. [NIST Glossary]
Risk Assessment The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations, resulting from the operation of an information system. Part of risk management, risk assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. [NIST Glossary]
Risk Assessment Methodology A risk assessment process, together with a risk model, assessment approach, and analysis approach. [NIST Glossary]
Risk Avoidance The elimination of risk by not engaging in a specific activity. [HITRUST]
Risk Capacity The maximum amount of risk that an organization can absorb without disrupting achievement of its objectives. [HITRUST]
Risk Evaluation The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISACA Glossary]
Risk Factor A characteristic in a risk model as an input to determining the level of risk in a risk assessment. [NIST Glossary]
Risk Management The total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. [NIST Glossary]
Risk Management Framework A structured approach used to oversee and manage risk. [NIST Glossary]
Risk Mitigation Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. [A subset of Risk Response.] [NIST Glossary]
Risk Model A key component of a risk assessment methodology—in addition to the assessment approach and analysis approach—that defines key terms and assessable risk factors. [NIST Glossary]
Risk Monitoring Maintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions. [NIST Glossary]
Risk Response Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations. See Course of Action. Synonymous with Risk Treatment. [NIST Glossary]
Risk Target The desired level of risk that optimizes an organization’s business objectives. [HITRUST]
Risk Tolerance The level of risk an entity is willing to assume in order to achieve a potential desired result for a specific activity. [NIST Glossary], adapted
Risk Transference The redirecting or sharing of risk with another party, e.g., through insurance or indemnification. [HITRUST]
Risk Treatment Selecting and implementing mechanisms to modify risk. Risk treatment options can include avoiding, optimizing, transferring, or retaining [accepting] risk. [ENISA]
Safeguard(s) Protective measures prescribed to meet the privacy (e.g., data quality, transparency of use of personal data) and security (e.g., confidentiality, integrity, and availability) requirements specified for an information system. Safeguards may include privacy and security features, management constraints, personal data minimization, use limitations for personal data, personnel security, and security of physical structures, areas, and devices. Synonymous with ‘Security Controls’ and ‘Countermeasures.’ [NIST Glossary], adapted
Scoping The act of applying scoping guidance, which consists of specific technology-related, infrastructure-related, public access-related, scalability-related, common security control-related, and risk-related considerations on the applicability and implementation of individual security and privacy controls in the control baseline. [NIST Glossary, adapted from Scoping Guidance]
Scoping Considerations A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of security controls in the security control baseline. Areas of consideration include policy/regulatory, technology, physical infrastructure, system component allocation, operational/environmental, public access, scalability, common control, and security objective. [NIST Glossary]
Security Assessment See Security Control Assessment.
Security Control Baseline A set of information security controls that has been established through information security strategic planning activities intended to be the initial security control set selected for a specific organization and/or system(s) that provides a starting point for the tailoring process. [NIST Glossary]
Security Control(s) The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an organization and/or information system(s) to protect information confidentiality, integrity, and availability. [NIST Glossary], adapted
Security Control(s) Assessment The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. [NIST Glossary]
Semi-Quantitative Assessment Use of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts. Synonymous with Quasi-Quantitative Assessment. [NIST Glossary]
Sensitive Information Information where the loss, misuse, or unauthorized access or modification could adversely affect the [organization] or the conduct of [organizational] programs [or services], or the privacy to which individuals are entitled [by law]. [NIST Glossary], adapted
Sensitivity A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. [NIST Glossary]
Service An act or activity performed on behalf of another party. [HITRUST]
Standard of Care The degree of care or competence that one is expected to exercise in a particular circumstance or role. [FindLaw Dictionary]
Tailored Overlay See Enhanced Overlay.
Tailored Security Control Baseline A set of security controls resulting from the application of tailoring guidance to the security control baseline. See Tailoring. [NIST Glossary]
Tailoring The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements. [NIST Glossary]
Taxonomy A system for classifying multifaceted, complex phenomena according to common conceptual domains and dimensions. [Bradley]
Third Party An individual or organization that is recognized as being independent with respect to an issue, such as a service, or a function, such as a risk assessment or IT service delivery. [HITRUST]
Threat Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. [NIST Glossary, adapted]
Threat Actor An individual or group posing a threat. [NIST Glossary]
Threat Assessment/Analysis Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [NIST Glossary]
Threat Event An event or situation that has the potential for causing undesirable consequences or impact. [NIST Glossary]
Threat Scenario A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time. [NIST Glossary]
Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. [NIST Glossary]
Total Risk The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). [NIST Glossary]
Variance The state of being variable, different, divergent, or deviate; a degree of deviation. [English Encyclopedia]
Variance Reduction Control A general class of control that involves actions taken to reduce the variability in the output of a process without affecting its intended purpose. [HITRUST]
Variation A change in data, characteristic or function caused by one of four factors: special causes, common causes, tampering or structural variation. [ASQ Glossary]
Vulnerability Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. [NIST Glossary]
Vulnerability Assessment/Analysis Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. [NIST Glossary]
Weakness A particular part or quality of someone or something that is not good or effective (e.g., an error or defect). [Cambridge Dictionary, adapted]