This activity, applied to requirements, makes a one-to-one comparison between one requirement and another (typically across two programs or standards) to determine whether they are related or equivalent.
What is a Crosswalk
This is a set of related requirements, guidelines, or standards intended to influence the governance of an organization.
What is a Program
This is a security principle that data or systems should only be accessed by those who are authorized.
What is Confidentiality
This is a collection of activities intended to identify risks, including their likelihood and their impact on the organization if realized.
What is a Risk Assessment
This is documentation owned by the auditor that records how an audit was performed and the evidence on which the evaluation is based; it comprises both the current audit file and the permanent audit file.
What are Working Papers
This is an independent test of our compliance against specific requirements, demonstrated through our controls and the evidence we present in support of them.
What is an Audit
This is a security principle that data or systems can be accessed when needed.
What is Availability
This is a documented inventory of an organization's known risks.
What is a Risk Register
This is the investigation and evaluation a reasonable person performs before acting, in order to ensure a successful outcome.
What is Due Diligence
This is substantiation provided to an auditor that demonstrates our compliance with requirements. It can take many forms (observation, testing, walkthroughs) but is more often than not some type of file (screenshot, video, PDF, log file, etc.).
What is Evidence
This is a security principle that data or systems exist in an unaltered, trustworthy state.
What is Integrity
Avoid, Accept, Transfer, and Mitigate are all examples of...
What is (Risk) Response or Treatment
These are activities intended to compare a current state against a desired future state and identify the difference between the two. They can be applied to a number of use cases.
What is Gap Analysis
These are activities, processes, procedures, or technologies, written and implemented to 1) satisfy program requirements and 2) mitigate risk.
What is a Control
This defeats the security principle of Availability: the absence of data, resources, or systems at the time they are needed.
What is Destruction
This is the maximum variance from the risk appetite that management is willing to accept on behalf of an organization.
What is Risk Tolerance
This is the practice of acting on and implementing what was determined as part of the due diligence effort.
What is Due Care
These are guidelines, standards, or criteria, sometimes called controls, that can be either normative or prescriptive; essentially, a collection of obligations or expectations set forth by a program.
What is a Requirement
This defeats the security principle of Confidentiality: the unauthorized distribution of otherwise protected data.
What is Disclosure
This is the amount of risk that management is willing to accept on behalf of an organization in pursuit of its objectives.
What is a Risk Appetite