Overall process comprising risk identification, risk analysis and risk evaluation. [UNE-ISO GUÍA 73:2010] [UNE-ISO/IEC 27000:2014]
Overall process comprising risk identification, risk analysis and risk evaluation [UNE Guía 73:2010]
Process that identifies a system's valuable resources and their threats; quantifies loss exposure (that is, loss potential) according to estimated frequencies and the costs arising from incidents; and, optionally, recommends how to allocate resources to preventive measures that minimise the total exposure index. http://es.pcisecuritystandards.org
The initial steps of Risk Management: analysing the value of the business's Assets, identifying Threats to those Assets, and evaluating how Vulnerable each Asset is to those Threats. Risk Assessment can be quantitative (based on numerical data) or qualitative. [ITIL:2007]
overall process of risk identification, risk analysis and risk evaluation [ISO Guide 73:2009] [ISO/IEC 27000:2014]
overall process of risk identification, risk analysis and risk evaluation [ISO Guide 73:2009]
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. [NIST-SP800-53:2013]
The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).
NIST SP 800-53: The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. [CNSSI_4009:2010]
product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making
Extended Definition: appraisal of the risks facing an entity, asset, system, network, geographic area or other grouping
Annotation: A risk assessment can be the resulting product created through analysis of the component parts of risk.
DHS Risk Lexicon, September 2008
set of methods, principles, or rules for assessing risk based on non-numerical categories or levels
DHS Risk Lexicon, September 2008
set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment
Annotation: While a semi-quantitative methodology also involves the use of numbers, only a purely quantitative methodology uses numbers in a way that allows for the consistent use of values outside the context of the assessment.
DHS Risk Lexicon, September 2008
Definition: set of methods, principles, or rules to assess risk that uses bins, scales, or representative numbers whose values and meanings are not maintained in other contexts
Example: By giving the "low risk," "medium risk," and "high risk" categories corresponding numerical values, the assessor used a semi-quantitative risk assessment methodology.
Annotation: While numbers may be used in a semi-quantitative methodology, the values are not applicable outside of the methodology, and numerical results from one methodology cannot be compared with those from other methodologies.
DHS Risk Lexicon, September 2008
The initial steps of Risk Management. Analysing the value of Assets to the business, identifying Threats to those Assets, and evaluating how Vulnerable each Asset is to those Threats. Risk Assessment can be quantitative (based on numerical data) or qualitative. [ITIL:2007]
A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations. [TDIR:2003]
Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure. https://www.pcisecuritystandards.org/security_standards/glossary.php
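Added example, not part of the glossary or of any cited standard: a small Python implementation of the process the PCI definition describes (valuable resources and threats, exposure as estimated frequency times cost of occurrence, and an optional allocation of a budget to countermeasures that minimises total exposure), alongside the semi-quantitative binning of the DHS Risk Lexicon entries above. The assets, threats, frequency and cost estimates, controls, budget and bin thresholds are all constructed sample values, and the greedy allocation is one simple strategy chosen for illustration, not a method any of the cited sources prescribes.

```python
# Added example, not from the PCI glossary or any cited standard: a minimal
# quantitative risk assessment in the sense of the PCI definition, plus the
# semi-quantitative binning described in the DHS Risk Lexicon. All data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    frequency: float  # estimated occurrences per year
    cost: float       # estimated loss per occurrence

    @property
    def exposure(self) -> float:
        """Annualised loss exposure: estimated frequency x cost per occurrence."""
        return self.frequency * self.cost

@dataclass
class Countermeasure:
    name: str
    cost: float                            # annual cost of running the control
    reduces: Dict[Tuple[str, str], float]  # (asset, threat) -> fraction of frequency removed

# Constructed sample data: hypothetical assets, threats, estimates and controls.
SCENARIOS = [
    Scenario("card database", "SQL injection", frequency=0.2, cost=500_000),
    Scenario("POS terminal", "skimmer", frequency=2.0, cost=20_000),
    Scenario("backup tapes", "loss in transit", frequency=0.05, cost=50_000),
    Scenario("web portal", "DDoS", frequency=12.0, cost=5_000),
]
COUNTERMEASURES = [
    Countermeasure("parameterised queries + WAF", 30_000, {("card database", "SQL injection"): 0.9}),
    Countermeasure("tamper-evident terminals", 15_000, {("POS terminal", "skimmer"): 0.75}),
    Countermeasure("DDoS scrubbing service", 50_000, {("web portal", "DDoS"): 0.8}),
    Countermeasure("encrypted tape courier", 5_000, {("backup tapes", "loss in transit"): 0.9}),
]

def total_exposure(scenarios: Sequence[Scenario], applied: Sequence[Countermeasure]) -> float:
    """Residual annual exposure after the applied controls cut each scenario's
    frequency; several controls on one scenario compound multiplicatively."""
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in applied:
            remaining *= 1.0 - c.reduces.get((s.asset, s.threat), 0.0)
        total += s.exposure * remaining
    return total

def allocate(scenarios: Sequence[Scenario], candidates: Sequence[Countermeasure],
             budget: float) -> List[Countermeasure]:
    """Greedy budget allocation (illustrative strategy): each step takes the
    affordable control that removes the most exposure per unit of cost, and
    skips any control whose annual cost is not covered by the exposure it removes."""
    chosen: List[Countermeasure] = []
    pool = list(candidates)
    while True:
        base = total_exposure(scenarios, chosen)
        best, best_ratio = None, 0.0
        for c in pool:
            if c.cost > budget:
                continue
            gain = base - total_exposure(scenarios, chosen + [c])
            if gain > c.cost and gain / c.cost > best_ratio:
                best, best_ratio = c, gain / c.cost
        if best is None:
            return chosen
        chosen.append(best)
        pool.remove(best)
        budget -= best.cost

# Semi-quantitative scoring: bins whose numbers carry no meaning outside this
# methodology, so a score of 6 here is not comparable with another scale's 6.
LIKELIHOOD_BINS = [(0.1, 1), (1.0, 2), (10.0, 3)]             # upper bound per year -> score
IMPACT_BINS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]  # upper bound per event -> score

def bin_score(value: float, bins: Sequence[Tuple[float, int]]) -> int:
    for upper, score in bins:
        if value <= upper:
            return score
    return bins[-1][1]  # above the last finite bound: top bin

def semi_quantitative(s: Scenario) -> int:
    return bin_score(s.frequency, LIKELIHOOD_BINS) * bin_score(s.cost, IMPACT_BINS)

def rank_quantitative(scenarios: Sequence[Scenario]) -> List[str]:
    return [s.threat for s in sorted(scenarios, key=lambda s: -s.exposure)]

def rank_semi_quantitative(scenarios: Sequence[Scenario]) -> List[str]:
    return [s.threat for s in sorted(scenarios, key=lambda s: -semi_quantitative(s))]
```

With these constructed figures, `rank_quantitative(SCENARIOS)` puts the DDoS scenario (12 events a year at 5,000 each) ahead of the skimmer, while the 3x3 bins of `rank_semi_quantitative(SCENARIOS)` rank the skimmer higher and tie it with the SQL injection scenario: the same estimates produce a different priority order once they are binned, which is the point of the DHS annotation that semi-quantitative scores do not travel between methodologies. `allocate(SCENARIOS, COUNTERMEASURES, 60_000)` selects the WAF and the tamper-evident terminals; the scrubbing service is rejected because its 50,000 annual cost exceeds the 48,000 of exposure it removes, and the tape courier for the same reason.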
Process of evaluating the risks of information loss based on an analysis of threats to, and vulnerabilities of, a system, operation or activity. http://www.ioss.gov/docs/definitions.html
For the purpose of this handbook, risk analysis is defined as the probabilistic assessment of performance such that the probability of not meeting a particular performance commitment can be quantified. NASA Risk Management Handbook, NASA/SP-2011-3422, Version 1.0, November 2011
overall process of risk identification, risk analysis and risk evaluation [ISO Guide 73:2009]
Process that systematically identifies valuable system resources and the threats associated with them. This process quantifies loss exposure (potential losses) according to estimated frequencies and costs of occurrence, and (optionally) recommends how to allocate resources to countermeasures with the aim of reducing total exposure. http://fr.pcisecuritystandards.org/