Concept | Documentation
--- | ---
Asset | Asset definition in ISO 27005, chapter "Identifying and describing information security risks" [§7.2.1] (page 17): "An asset is anything that has value to the organization and therefore requires protection." Asset definition in NIST SP 800-160v1r1, "The Concept of Assets" [§3.4] (page 16): "An asset is an item of value. There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation."
Security Objective | The Security Objectives are defined as the CIA triad (Confidentiality, Integrity, Availability). Synonyms: Security Attribute, Security Property. FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: "The FISMA defines three security objectives for information and information systems: CONFIDENTIALITY 'Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...' [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information. INTEGRITY 'Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...' [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information. AVAILABILITY 'Ensuring timely and reliable access to and use of information...' [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to or use of information or an information system."
Severity Level |
Consequence | The violation of a Security Objective has a Consequence. NIST SP 800-160v1r1 and ISO/IEC 15026-1:2019 describe Consequence as follows: "Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system."
Effect |
Confidentiality | Confidentiality is a Security Objective. Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information." [44 U.S.C., Sec. 3542]
Integrity | Integrity is a Security Objective. Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity." [44 U.S.C., Sec. 3542]
Availability | Availability is a Security Objective. Availability: "Ensuring timely and reliable access to and use of information." [44 U.S.C., Sec. 3542]
Severity Level | Effect on System | Effect on Operator | Effect on People | Effect on Environment | Description
--- | --- | --- | --- | --- | ---
S0 - No Effect | | | | |
S1 - Minor | | | | |
S2 - Major | | | | |
S3 - Hazardous | | | | |
S4 - Catastrophic | | | | |