Controls are risk reduction measures. They may be communicated directly by management, or documented at one of the hierarchical levels of method: policy, process, standard, procedure, or guideline.
Events are incidents of interest to risk management. Cybersecurity events of interest may happen within an organization, or within an external organization similar to it. External events may foreshadow an increase in the probability of similar events happening internally. Events may also be hypothetical exercises in risk awareness; these are called Scenarios.
Issues are indications of vulnerability to risk. Cybersecurity issues are typically software vulnerabilities or other control weaknesses, but may be any circumstance that indicates potential for an increase in the risk of a successful cyber attack.
Risks are categories of events that present potential negative impact to the Enterprise. Risks are measured by the probability of event occurrence and are associated with a qualitative risk appetite and quantitative tolerance measures.
Threats embolden adversaries to exploit vulnerabilities that expose assets, enabling an adversary to achieve objectives such as financial gain, terror, or damage to data confidentiality, integrity, or availability. The adversary is a threat actor. The threat itself is a circumstance or event that the adversary believes will enable those objectives to be achieved.
Any assessment guide that is public may be uploaded into FrameCyber, and Decision Framework Systems will format publicly available guides that are requested by our subscribers and make them available for upload via our knowledge base. Some publicly available guides are:
CSA-CAIQ
CSSF
FFIEC-CAT
GDPR
HIPAA
NIST-800-53
NIST-800-207
NIST-CSF
NY-DFS-500
SWIFT-CSCF
Where guide material is licensed, subscribers must use their own licensed material to create the uploadable version, or contract with Decision Framework Systems for assistance in formatting their licensed material. We also provide Excel templates that allow customers to upload any guide to which they have authorized access.
Analysis is a FrameCyber tool that allows Framework Elements to be cross-linked and filtered in a customizable manner. Studies are data-gathering efforts in which new data is combined into Framework Element records to shed light on a topic of interest. When complete, a study may become the basis for a standard report. Reports are predefined sets of formats for reviewing data input into FrameCyber, and for reviewing metrics on FrameCyber user activity.
Specifically in the context of FrameCyber, a study is defined as an assessment, a control document, an event catalog, an issue catalog, a metric catalog, a risk document, a threat catalog, or a custom risk analysis report template that is created, modified, or stored in FrameCyber.