NIST Managing Information Security Risk 2011 (†484): Managing Information Security Risk: Organization, Mission, and Information System View (NIST, 2011).
- acceptable risk (p. 6): Levels of risk, types of risk, and degree of risk uncertainty that are acceptable. (†734)
- risk management (p. 9): To integrate the risk management process throughout the organization, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level. The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization. (†735)
- risk mitigation (p. 42): Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. The alternatives to mitigate risk depend on: (i) the risk management tier and the scope of risk response decisions assigned or delegated to organizational officials at that tier (defined by the organizational governance structures); and (ii) the organizational risk management strategy and associated risk response strategies. The means used by organizations to mitigate risk can involve a combination of risk response measures across the three tiers. (†739)
- risk mitigation (p. B-8): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. (†740)
- risk tolerance (p. 6): Levels of risk, types of risk, and degree of risk uncertainty that are acceptable. (†732)
- risk tolerance (p. 14): Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. Risk tolerance affects all components of the risk management process – having a direct impact on the risk management decisions made by senior leaders/executives throughout the organization and providing important constraints on those decisions. For example, risk tolerance affects the nature and extent of risk management oversight implemented in organizations, the extent and rigor of risk assessments performed, and the content of organizational strategies for responding to risk. With regard to risk assessments, more risk-tolerant organizations may be concerned only with those threats that peer organizations have experienced, while less risk-tolerant organizations may expand the list to include those threats that are theoretically possible but which have not been observed in operational environments. (†733)