Security and Risk Management

CIA as Security Objectives
- Control

1. verification that acceptance criteria are met

Source: ISO 22716:2007 (Cosmetics — Good Manufacturing Practices (GMP) — Guidelines on Good Manufacturing Practices)

2. regulation of variables within specified limits

Source: ISO 11607-1:2019 (Packaging for terminally sterilized medical devices — Part 1: Requirements for materials, sterile barrier systems and packaging systems)

3. condition or set of conditions required for a function to produce correct output

Source: ISO 20534:2018 (Industrial automation systems and integration — Formal semantic models for the configuration of global production networks)

- Internal Control

1. process(es) used by an organization's managers to help it achieve its objectives

Note 1 to entry: Internal control helps an organization run its operations efficiently and effectively, report reliable information about its operations and comply with applicable laws and regulations.

Note 2 to entry: Internal control applies to all activities, irrespective of whether they are financial or non-financial.

Note 3 to entry: Internal control supports sound decision-making, taking into account risks to the achievement of objectives and reducing them to acceptable levels through cost-effective controls.

Note 4 to entry: This definition of internal control is derived from the definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[9], which also provides further useful information on this topic.

Source: ISO/TS 55010:2019 (Asset management — Guidance on the alignment of financial and non-financial functions in asset management)

2. An overarching mechanism that an enterprise uses to achieve and monitor enterprise objectives.

Source: NISTIR 8286

- Security Controls

1. management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information

[SOURCE: NIST SP 800-53]

Note 1 to entry: This definition is intended to include controls that provide accountability, authenticity, non-repudiation, privacy and reliability, which are sometimes considered as distinct from confidentiality, integrity and availability.

Source: ISO/IEC TR 19791:2010 (Information technology — Security techniques — Security assessment of operational systems)

2. The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Source: FIPS 199

3. The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

Source: NIST SP 800-160 Vol. 2 Rev. 1

4. COUNTERMEASURES: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.

Source: FIPS 200

- Security Control Baseline

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

Source: FIPS 200

- Security Assessment (Security Control Assessment)

1. The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

Source: OMB Circular A-130 (2016)

2. The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Source: NIST SP 800-137

- Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: FIPS 200

- Weakness

defect or characteristic that can lead to undesirable behaviour

EXAMPLE 1: Missing requirement or specification.

EXAMPLE 2: Architectural or design flaw, including incorrect design of a security protocol.

EXAMPLE 3: Implementation weakness, including hardware and software defect, incorrect implementation of a security protocol.

EXAMPLE 4: Flaw in the operational process or procedure, including misuse and inadequate user training.

EXAMPLE 5: Use of an outdated or deprecated function, including cryptographic algorithms.

Source: ISO/SAE 21434:2021
