Business impact analysis (BIA) - An assessment that identifies the organization's critical business functions and the assets that support them, annotated with each asset's criticality and the impact of losing it over time; its outputs (MAD, RTO, RPO) drive continuity and recovery planning.
Governance - The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Recovery point objective (RPO) - The maximum amount of data loss the organization can tolerate, expressed as the age of the last good copy (an RPO of four hours means backups or replication must run at least every four hours). Recovery point = how much data.
Recovery time objective (RTO) - The target time for restoring a function after an interruption; it sets the maximum time the organization plans to be down and must be shorter than the MAD for that function. Recovery time = how long.
Maximum allowable downtime (MAD) - The longest interruption of a critical function the organization can survive; also called maximum tolerable downtime (MTD). The RTO for a function must be less than its MAD.
Due diligence - The activities (research, vetting, verification, and ongoing monitoring) a provider or vendor performs to demonstrate that due care is being exercised.
Due care - A legal concept: the duty of reasonable care a provider owes to a customer, i.e., what a prudent organization would do in the same circumstances.
Integrity - Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
Standards - the object - Specific mandates explicitly stating expectations of performance or conformance.
Compliance - the action - Adherence to a mandate, covering both the actions that demonstrate adherence and the tools, processes, and documentation used to achieve and evidence it.
Security control framework - A notional construct outlining the organization's approach to security, including a list of specific security processes, procedures, and solutions used by the organization.
Guidelines – Suggested practices and expectations of activity to best accomplish tasks and attain goals.
Security governance - The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.
Risk mitigation – Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.
Residual risk – The risk remaining after security controls have been put in place as a means of risk mitigation.
Business continuity (BC) – Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.
Governance committee - A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.
Deterrent framework - Discourages malicious activity before it occurs (warning banners, visible monitoring, sanctions policies); deterrent controls can be technical, physical, or administrative, not only technology-related.
Preventive framework - Stops an incident from happening; security policies, security awareness training, and access controls are examples.
Detective framework - Finds unauthorized activity in your environment during or after a security incident (logging, monitoring, audits).
Corrective framework - Restores your environment to a known good state after a security incident (patching, restoring from backup).
Qualitative - Rates likelihood and impact on ordinal scales (low/medium/high) and ranks risks with a risk analysis matrix; fast, but subjective.
Quantitative - Expresses risk in money or other measurable metrics (asset value, exposure factor, annualized rate of occurrence) so that a control can be justified by comparing its cost with the expected loss it removes.
Hybrid - A combination of qualitative and quantitative: qualitative screening to prioritize, then quantitative analysis of the highest-ranked risks.
Market approach - An asset valuation method that values an asset by the price comparable assets fetch in the market (alongside the cost and income approaches).
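The quantitative method in the definitions above is normally carried out with the standard annualized loss expectancy formulas (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before minus ALE after minus annual control cost), which the notes do not spell out. The following Python is an added worked example, not from the original page; the ransomware scenario, its asset value, exposure factor, rate of occurrence and the candidate controls are constructed illustrative figures. It also shows the residual risk left by each control and the decision to accept the risk when no control pays for itself.

```python
"""Quantitative risk analysis: ALE, residual risk and control cost-benefit.

Standard formulas (not from the glossary page, but the usual quantitative ones):
  SLE = AV * EF       single loss expectancy
  ALE = SLE * ARO     annualized loss expectancy
  net value of a control = ALE_before - ALE_after - annual cost of the control
All figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # new EF if the control reduces impact
    aro_after: Optional[float] = None  # new ARO if the control reduces likelihood


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains once the control is in place (residual risk)."""
    return replace(
        risk,
        exposure_factor=risk.exposure_factor if control.ef_after is None else control.ef_after,
        aro=risk.aro if control.aro_after is None else control.aro_after,
    )


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control, net of its cost; negative means it costs more than it saves."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def choose_control(risk: Risk, controls: Sequence[Control]) -> Optional[Control]:
    """Pick the control with the greatest positive net value; None means accept the risk as-is."""
    best = max(controls, key=lambda c: safeguard_value(risk, c), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return None
    return best


# Constructed scenario: ransomware against a file server (hypothetical figures).
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5)
CANDIDATES = [
    Control("offline backups", annual_cost=20_000, ef_after=0.1),                          # cuts impact
    Control("EDR rollout", annual_cost=60_000, aro_after=0.1),                             # cuts likelihood
    Control("hot DR site", annual_cost=200_000, ef_after=0.05, aro_after=0.1),              # costs more than it saves
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for c in CANDIDATES:
        r = residual_risk(RANSOMWARE, c)
        print(f"{c.name:18s} residual ALE={r.ale():>9,.0f}  net value={safeguard_value(RANSOMWARE, c):>9,.0f}")
    chosen = choose_control(RANSOMWARE, CANDIDATES)
    print("decision:", chosen.name if chosen else "accept the risk")
```

With these figures the base ALE is 150,000 per year; offline backups leave a residual ALE of 25,000 for a net value of 105,000, EDR leaves 30,000 for a net value of 60,000, and the DR site has a negative net value, so backups are chosen. Feeding `choose_control` only controls with negative net value returns None, which is the quantitative basis for risk acceptance.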
Reduction analysis - Decomposing a system into its components (trust boundaries, data flows, entry points, privileged code, and the details of each) so that every part is analyzed once and duplicate analysis is eliminated; it is a step within threat modeling.
STRIDE - A threat modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege, applied to each component identified by reduction analysis.