VAHTI glossary on risk management in the digital operating environment

Terminological vocabulary ·Valid

Name

VAHTI-riskienhallintasanasto digitaaliseen toimintaympäristöön
VAHTI-ordlista om risk-hantering i digital verk-samhetsmiljö
VAHTI glossary on risk management in the digital operating environment

Description

Tässä sanastossa määritellään digitaalisen turvallisuuden ja riskienhallinnan keskeistä käsitteistöä. Sanastoa voidaan soveltaa kaikissa eri digitaalisen toimintaympäristön turvallisuuden näkökulmissa sekä useimmissa muissa riskienhallinnan kanssa risteävissä käyttötarkoituksissa. Sanasto pyrkii olemaan neutraali muun muassa näkökulman, teknologian, työkalujen ja käyttäjien suhteen, sillä se on tarkoitettu kaikkien käyttöön, ei vain julkiselle hallinnolle.

Sanasto ja aihetta avaavat materiaalit on tuotettu Digi- ja väestötietoviraston JUDO-hankkeessa osaksi VAHTI Hyvät Käytännöt -tukimateriaaleja.

Käsitteiden termejä ja määritelmiä on arvioitu asiantuntijaryhmän kanssa työpajoissa eri näkökulmista, minkä lisäksi useilta tahoilta on kerätty kirjallista palautetta, jotta sanasto vastaisi mahdollisimman hyvin eri sidosryhmien näkemyksiä ja tarpeita. Määrittelyssä huolehdittiin erityisesti yhteensopivuudesta ISO 31000-sarjan riskienhallinnan prosessin standardin kanssa, jolloin yhteentoimivuus toteutuu myös esimerkiksi ISO 27000-sarjan tietoturvallisuuden hallinnan standardin kanssa.

Tässä sanastossa huomautus sisältää useimmiten tietoa, jonka tarkoituksena on helpottaa määritelmän tulkitsemista ja käsitteen kontekstin hahmottamista. Lisäksi tässä sanastossa on huomautuksilla tuotu esiin eroja ja yhtäläisyyksiä muiden lähteiden määritelmiin. Etenkin monialaiset ja merkitykseltään abstraktit käsitteet ovat usein haastavia sanaston käyttäjälle, joten huomautuksilla on pyritty varmistamaan tiedon välittyminen tarkoitetulla tavalla. Sanaston syvällinen ymmärrys vaatii kuitenkin myös aihepiirin tuntemusta tai lisäkoulutusta.

Osana VAHTI Hyvät Käytännöt -tukimateriaaleja julkaistiin tämän sanaston sisällöstä esittelydokumentti "VAHTI-riskienhallintasanasto digitaaliseen toimintaympäristöön – esittely ja johdatusta riskiviestintään". Dokumentissa esitetään ohjaavaa ja täydentävää tietoa sanaston soveltamiseen käytännössä sekä prosesseissa, että viestinnässä. Tukimateriaalin on tarkoitus auttaa ymmärtämään, miten termit liittyvät toisiinsa ja mihin ne vaikuttavat. Ensimmäinen versio julkaistiin 9.6.2022. Korjattu versio 15.11.2022 suomeksi (https://www.dvv.fi/digiturvajulkaisut) ja ruotsiksi (https://dvv.fi/sv/publikationer-om-digital-sakerhet).
I denna ordlista definieras de centrala begreppen kring digital säkerhet och riskhantering. Ordlistan kan tillämpas i alla aspekter av säkerheten i den digitala verksamhetsmiljön samt för de flesta andra användnings-ändamål som tangerar riskhantering. Ordlistan strävar efter att vara neutral bland annat i fråga om perspektiv, teknik, verktyg och användare, eftersom den är avsedd för alla, inte bara för den offentliga förvaltningen.

Ordlistan och det material som beskriver ämnet har producerats inom ramen för projektet JUDO vid Myndigheten för digitalisering och befolkningsdata som en del av stödmaterialet VAHTI God Praxis.

Begreppens termer och definitioner har utvärderats i workshoppar tillsammans med en expertgrupp ur olika synvinklar. Dessutom har man från flera håll samlat in skriftlig respons för att ordlistan så väl som möjligt ska motsvara olika intressentgruppers synsätt och behov. I definitionen säkerställdes i synnerhet kompatibiliteten med standarden för riskhanteringsprocessen i ISO 31000-serien, varvid interoperabiliteten förverkligas också till exempel med standarden för hantering av informationssäkerhet i ISO 27000-serien.

I denna ordlista innehåller anmärkningen oftast information som gör det lättare att tolka definitionen och uppfatta begreppets kontext. Dessutom har anmärkningarna i denna ordlista lyft fram skillnader och likheter jämfört med definitioner i andra källor. I synnerhet branschövergripande begrepp som är abstrakta till sin betydelse är ofta besvärliga för dem som använder ordlistor. Därför har ett syfte med anmärkningarna varit att säkerställa att informationen förmedlas på avsett sätt. En djup förståelse av terminologin kräver dock också kännedom om ämnesområdet eller tilläggsutbildning.

Som en del av stödmaterialet Vahti God Praxis publiceras presentationsdokumenten ”VAHTI-ordlista om risk-hantering i digital verk-samhetsmiljö – presentation och introduktion till riskkommunikation”. I dokumentet ges vägledande och kompletterande information om hur ordlistan tillämpas i praktiken, både i processer och inom kommunikation. Syftet med stödmaterialet är att hjälpa till att förstå hur termerna anknyter till varandra och vad de påverkar. Första version publicerades 9.6.2022. Fixad version 15.11.2022 på finska (https://dvv.fi/digiturvajulkaisut) och på svenska (https://dvv.fi/sv/publikationer-om-digital-sakerhet).
This glossary defines the key concepts of digital security and risk management. The terminology can be applied in all different security aspects of the digital operating environment, as well as in most other uses that intersect with risk management. The vocabulary aims to be neutral regarding perspective, technology, tools and users, among other things, as it is intended for use by everyone, not just public administration.

The vocabulary and the materials that expand on the topic have been produced by Digital and Population Data Services Agency in the JUDO-project as part of the VAHTI Good Practice support materials.

The terms and definitions of the concepts have been evaluated with a group of experts in workshops from different perspectives, in addition to which written feedback has been collected from several parties, so that the vocabulary corresponds as well as possible to the views and needs of different stakeholders. In the definitions, special care was taken to ensure compatibility with the ISO 31000 series risk management process standard, in which case interoperability is also realized with, for example, the ISO 27000 series information security management standard.

In this glossary, a note often contains information intended to facilitate the interpretation of the definition and the understanding of the context of the concept. In addition, in this glossary, differences and similarities with definitions from other sources have been highlighted. In particular, concepts that are multidisciplinary and abstract in meaning are often challenging for the glossary user, so the notes have been used to ensure that meaning is conveyed in the intended way. However, a deep understanding of the terminology also requires knowledge of the subject area or additional training.

As part of VAHTI Good Practice support materials a document was made to expand on the concepts of this glossary, "VAHTI-riskienhallintasanasto digitaaliseen toimintaympäristöön – esittely ja johdatusta riskiviestintään" [available in Finnish and Swedish]. The document presents guiding and supplementary information for applying the vocabulary in practice, both in processes and in communication. The purpose of the support material is to help you understand how the terms are related to each other and what they affect. First version was published 9.6.2022. Revised version 15.11.2022 in Finnish (https://www.dvv.fi/digiturvajulkaisut) and Swedish (https://dvv.fi/sv/publikationer-om-digital-sakerhet).

URI

https://iri.suomi.fi/terminology/digiriski/

Information domain

Legal protection, General information and administrative services, Safety and security

Language

Finnish FI, Swedish SV, English EN

Vocabulary type

Terminological vocabulary

Contact

digiturva@dvv.fi

Organization

Digital and Population Data Services Agency

Created at

Modified at

Go directly to search results.

Terminology concepts

No filters

preliminary assessmentNo contributors

ConceptValid

an assessment made at the beginning of the assessment process to get a rough overview

digital operating environmentNo contributors

ConceptValid

an operating environment consisting of one or more digital information systems

digital securityNo contributors

ConceptValid

a target state where a digital operating environment can be trusted and operations both there and related to it are secure and managed, even in the event of disruptions

digital activity/operation riskNo contributors

ConceptValid

a risk active in the digital operating environment, applicable to or resulting from the digital operating environment

foresightNo contributors

ConceptValid

assessment of the direction of changes in an organisation’s operation and operating environment, and determining the prerequisites for potential developments

uncertaintyNo contributors

ConceptValid

lack of information about the nature or timing of a future event

vulnerabilityNo contributors

ConceptValid

a shortcoming, defect or way of operation that exposes one to security threats

weaknessNo contributors

ConceptValid

from the perspective of an organisation’s objectives, an undesired or harmful feature within the organisation’s operations or assets

intended attack targetNo contributors

ConceptValid

the target that the attack aims to influence

attackNo contributors

ConceptValid

an act or action aimed at damaging or unauthorised use of the target or preventing the target’s objective from being realised

disruptionNo contributors

ConceptValid

an unexpected or undesired event that disrupts the operation of a system, a user of a system or parties dependent on them

continuity managementNo contributors

ConceptValid

the process of an organisation for identifying the risks that are key to operations, assessing their effects within the organisation and its network of actors, and creating an operating method for the management of disruptive events and the continuity of operations in all conditions

residual riskNo contributors

ConceptValid

the risk remaining after risk processing

review levelNo contributors

ConceptValid

the level from which a risk is viewed

concatenated riskNo contributors

ConceptValid

a consequential risk, which may have been transferred from another target

control [method]No contributors

ConceptValid

an action aimed at changing or maintaining a risk

coordination levelNo contributors

ConceptValid

a decision-making level within an organisation at which decisions are made regarding the organisation of the operations of individual operational areas and units, taking strategic-level decisions into account

criticalityNo contributors

ConceptValid

the necessity to achieve objectives or to avoid particularly harmful consequences

cumulative riskNo contributors

ConceptValid

a risk whose magnitude is formed by the combined effects of several risk factors

cybersecurityNo contributors

ConceptValid

a target state in which threats and risks arising from the cyber operating environment to society’s vital functions or other functions dependent on the cyber operating environment are under control, even in the event of disruptions

processing levelNo contributors

ConceptValid

the level at which a risk is addressed

transparency in risk managementNo contributors

ConceptValid

enabling the assessment of risk management for stakeholders and internal actors in such a way that related information is passed on to the extent that this does not in itself produce significant risks

opportunityNo contributors

ConceptValid

an event or course of development that may be caused by the effects of a risk, which can be used to promote objectives

organisational contextNo contributors

ConceptValid

an organisation or part of it from whose point of view an inspection is carried out

inclusivity in risk managementNo contributors

ConceptValid

enabling and encouraging stakeholders to participate in an organisation’s risk management

deviationNo contributors

ConceptValid

the difference between the item examined and the desired or usual one

risk-related communications and information exchangesNo contributors

ConceptValid

continuous and recurring processes by which an organisation provides, shares or acquires information and engages in dialogue within the organisation and with its stakeholders about risk management and risks

riskNo contributors

ConceptValid

effect of uncertainty on objectives

risk analysis [result]No contributors

ConceptValid

the result of risk analysis

risk assessment [result]No contributors

ConceptValid

the result of risk assessment

risk analysis [activity]No contributors

ConceptValid

finding out the information needed for risk assessment or processing about the nature of risks

risk assessment [activity]No contributors

ConceptValid

determining the probability of risks becoming realised and their possible effects

risk assessment processNo contributors

ConceptValid

a process that covers risk identification, risk analysis and risk assessment

risk assessment process toolNo contributors

ConceptValid

a risk management tool that guides one to implement parts of the risk assessment process in a consistent manner, following certain models or methods

risk classificationNo contributors

ConceptValid

groupings done for the efficient assessment and handling of risks, owing to which similar risks or risks belonging to a single area of responsibility, or parts of these risks, can be viewed as a single entity

risk monitoringNo contributors

ConceptValid

determining the state of risks and their directions of change

risk situation pictureNo contributors

ConceptValid

a compiled description of the results of risk monitoring

risk management frameworkNo contributors

ConceptValid

organisation of risk management, division of responsibilities and a detailed operating model, which as part of the management system enable the implementation of risk management principles in an organisation’s processes

risk management monitoringNo contributors

ConceptValid

observing the state of the risk management process and the related activities

risk management situation pictureNo contributors

ConceptValid

a compiled description of the results of risk management monitoring

risk management systemNo contributors

ConceptValid

a management system that covers risk management policies and objectives as well as the processes and possible risk management tools with which these objectives are reached

risk management system monitoringNo contributors

ConceptValid

observation of the methods and scope of application of a risk management system and its change history

risk management system situation pictureNo contributors

ConceptValid

a compiled description of the results of the monitoring of the risk management system

risk management principlesNo contributors

ConceptValid

risk management objectives and a general operating model, which as part of a management system support the creation and preservation of an organisation’s value

risk management policyNo contributors

ConceptValid

an organisation-specific description of risk management principles and risk management frameworks considered key

risk management toolNo contributors

ConceptValid

software, form or other aid that guides one to implement some part of risk management consistently, following certain models or methods

risk criteriaNo contributors

ConceptValid

the grounds for assessing the significance of risks in a uniform manner

risk conceptionNo contributors

ConceptValid

a person’s or an organisation’s perception of what a particular risk is like

risk life cycleNo contributors

ConceptValid

the stages of the existence of a risk, from the formation of the threat to the identification of the risk and further until the potential removal of the risk

threat that evades the limit value of a riskNo contributors

ConceptValid

an attack or other threat that seeks to avoid countermeasures by remaining below the threshold values used in risk assessment

VAHTI glossary on risk management in the digital operating environment

Terminology information and actions

Filter list

Terminology concepts

preliminary assessmentNo contributors

digital operating environmentNo contributors

digital securityNo contributors

digital activity/operation riskNo contributors

foresightNo contributors

uncertaintyNo contributors

vulnerabilityNo contributors

weaknessNo contributors

intended attack targetNo contributors

attackNo contributors

disruptionNo contributors

continuity managementNo contributors

residual riskNo contributors

review levelNo contributors

concatenated riskNo contributors

control [method]No contributors

coordination levelNo contributors

criticalityNo contributors

cumulative riskNo contributors

cybersecurityNo contributors

processing levelNo contributors

transparency in risk managementNo contributors

opportunityNo contributors

organisational contextNo contributors

inclusivity in risk managementNo contributors

deviationNo contributors

risk-related communications and information exchangesNo contributors

riskNo contributors

risk analysis [result]No contributors

risk assessment [result]No contributors

risk analysis [activity]No contributors

risk assessment [activity]No contributors

risk assessment processNo contributors

risk assessment process toolNo contributors

risk classificationNo contributors

risk monitoringNo contributors

risk situation pictureNo contributors

risk management frameworkNo contributors

risk management monitoringNo contributors

risk management situation pictureNo contributors

risk management systemNo contributors

risk management system monitoringNo contributors

risk management system situation pictureNo contributors

risk management principlesNo contributors

risk management policyNo contributors

risk management toolNo contributors

risk criteriaNo contributors

risk conceptionNo contributors

risk life cycleNo contributors

threat that evades the limit value of a riskNo contributors