Security Glossary - R

This glossary has been created to assist security professionals in defining security terms commonly used by the profession and the industry, worldwide. It is a developing list that will be maintained, and where appropriate, modified, and changed over time. Terms borrowed from related fields, such as engineering, investigations, safety, etc. will be included when deemed necessary for the security professional.

REFERENCE NOTE

The definition's source is cited in brackets [ ] following the definition. View the key to all cited reference sources.

It is NOT our goal to publish this glossary in print since it is intended to be a current online reference (on the ASIS website) to serve the security professional on an ongoing basis.

 
readiness

The first step of a business continuity plan that addresses assigning accountability for the plan, conducting a risk assessment and a business impact analysis, agreeing on strategies to meet the needs identified in the risk assessment and business impact analysis, and forming Crisis Management and any other appropriate response teams.
[ASIS GDL BC 01 2005]

record

(1) A document stating results achieved or providing evidence of activities performed.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]
Note: Records can be used, for example, to document traceability and to provide evidence of verification, preventive action, and corrective action.
[ANSI/ASIS PSC.1-2012]

(2) A document set down in writing or some other permanent form for later reference.
[ANSI/ASIS/RIMS RA.1-2015]

recovery point objective

Point in time from which data, or the capacity of a process, can be restored in a known and valid or integral state. This should be less than the maximum amount of loss tolerance and may be defined in hours or days.
[ASIS/BSI BCM.01-2010]

recovery time objective

(1) Period of time after which it is planned to recover each activity and resource to an acceptable capability after a disruptive event. This may be a simple resumption of full service or a phased return over a period.
[ASIS/BSI BCM.01-2010]

(2) Time goal for the restoration and recovery of functions or resources based on the acceptable down time and acceptable level of performance in case of a disruption of operations.
[ASIS SPC.1-2009]

recovery/resumption

Plans and processes to bring an organization out of a crisis that resulted in an interruption. Recovery/resumption steps should include damage and impact assessments, prioritization of critical processes to be resumed, and the return to normal operations or to reconstitute operations to a new condition. Also called business resumption or business recovery.
[ASIS GDL BC 01 2005]

regular employee

(ITAR Definition) “(a) A regular employee means for purposes of this subchapter: (1) An individual permanently and directly employed by the company, or (2) An individual in a long term contractual relationship with the company where the individual works at the company’s facilities, works under the company’s direction and control, works full time and exclusively for the company, and executes nondisclosure certifications for the company, and where the staffing agency that has seconded the individual has no role in the work the individual performs (other than providing that individual for that work) and the staffing agency would not have access to any controlled technology (other than where specifically authorized by a license).”
[ASIS GDL PBSS-2015]

regulatory body

Any state board, commission, department, or office -- except those in the legislative or judicial branches -- authorized by law to conduct adjudicative proceedings, issue permits, registrations, licenses, or other forms of authorization to offer or perform private security officer services, or to control or affect the interests of identified persons.
[ASIS GDL PSO-2010]

residual risk

(1) Risk remaining after risk treatment.
[ASIS SPC.1-2009]
Note 1: Residual risk can contain unidentified risk.
Note 2: Residual risk can also be known as retained risk.
[ANSI/ASIS PAP.1-2012]  [ANSI/ASIS PSC.1-2012]
[ANSI/ASIS SCRM.1-2014]

(2) Remaining risk after risk treatment.
Note: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.
[ANSI/ASIS/RIMS RA.1-2015]

resilience

The adaptive capacity of an organization in a complex and changing environment.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS/RIMS RA.1-2015]
Note 1: Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event.
Note 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]  [ANSI/ASIS SPC.4-2012] [ANSI/ASIS SCRM.1-2014]

resources

Any asset (human, physical, information or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used.
[ASIS SPC.1-2009] [ANSI/ASIS PAP.1-2012] [ANSI/ASIS PSC.1-2012] [ANSI/ASIS/RIMS RA.1-2015]

response

Executing the plan and resources identified to perform those duties and services to preserve and protect life and property as well as provide services to the surviving population. Response steps should include potential crisis recognition, notification, situation assessment, crisis declaration, plan execution, communications, and resource management.
[ASIS GDL BC 01 2005]

response and recovery plan

Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.
[ANSI/ASIS PAP.1-2012]

response and recovery program

Plan, processes, and resources to perform the activities and services necessary to preserve and protect life, property, operations, and critical assets.
Note: Response steps generally include incident recognition, notification, assessment, declaration, plan execution, communications, and resources management.
[ANSI/ASIS PAP.1-2012]

response plan

A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.
[ASIS SPC.1-2009]

response program

Plan, processes, and resources to perform the activities and services necessary to preserve and protect life, property, operations, and critical assets.
Note: Response steps generally include incident recognition, notification, assessment, declaration, plan execution, communications, and resources management.
[ASIS SPC.1-2009]

response team

A group of individuals responsible for developing, executing, rehearsing, and maintaining the response plan, including the processes and procedures.
[ASIS SPC.1-2009]

restitution

Returning to the proper owner property or the monetary value of loss.
[ANSI/ASIS INV.1-2015]

return on investment (ROI)

The return enjoyed on any particular investment. The return may be monetary or otherwise.
[ANSI/ASIS INV.1-2015]

review

Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS/RIMS RA.1-2015]

risk

(1) Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.
Note 1: Risk is considered as potentially having positive and/or negative outcomes.
Note 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.
Note 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.
Note 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.
Note 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.
Note 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.
[ANSI/ASIS/RIMS RA.1-2015]

(2) An effect of uncertainty on objectives. [ISO Guide 73:2009]

  • Note 1: An effect is a deviation from the expected – positive and/or negative.
  • Note 2: Objectives can have different aspects such as financial, health and safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process.
  • Note 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.
  • Note 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence.

[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012] [ANSI/ASIS SPC.4-2012] [ANSI/ASIS PSC.3-2013] [ANSI/ASIS PSC.4-2013]
[ANSI/ASIS SCRM.1-2014]

  • Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

[ANSI/ASIS PSC.1-2012]

(3) The possibility of loss resulting from a threat, security incident, or event.
[ASIS GDL GLCO 01 012003]

risk acceptance

(1) Informed action of consenting to retain, receive, or undertake a particular risk.
[ANSI/ASIS/RIMS RA.1-2015]

(2) Informed decision to take a particular risk.
Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2: Accepted risks are subject to monitoring and review.
[ANSI/ASIS PSC.1-2012]

(3) An informed decision to take a particular risk.
Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2: Risk acceptance can also be a process.
Note 3: Risks accepted are subject to monitoring and review.
[ASIS SPC.1-2009] [ANSI/ASIS PAP.1-2012]

(4) The process of identifying internal and external threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining the critical functions necessary to continue an organization’s operations, defining the controls in place or necessary to reduce exposure, and evaluating the cost for such controls.
[ASIS GDL BC 01 2005]

risk analysis

(1) Process to characterize and understand the nature of risk and to define the level of risk.
Note: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision-making.
[ANSI/ASIS/RIMS RA.1-2015]

(2) A process to comprehend the nature of risk and to determine the level of risk.
Note 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]
[ANSI/ASIS SCRM.1-2014]
Note 2: Risk analysis includes risk estimation.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]

(3) A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks.
[ASIS GDL GLCO 01 012003]

risk appetite

(1) The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. [RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
[ANSI/ASIS/RIMS RA.1-2015]

(2) Amount and type of risk that an organization is prepared to pursue, retain, or take.
[ASIS/BSI BCM.01-2010] [ANSI/ASIS PAP.1-2012] [ANSI/ASIS PSC.1-2012]
Note: The risk appetite of an organization reflects its philosophy towards managing risk.
[ANSI/ASIS SCRM.1-2014]

risk assessment

(1) Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.
Note: Risk assessment includes risk identification, risk analysis, and risk evaluation.
[ANSI/ASIS/RIMS RA.1-2015]

(2) Overall process of risk identification, risk analysis, and risk evaluation.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]
Note: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

(3) The process of assessing security-related risks from internal and external threats to an entity, its assets, or personnel.
[ASIS GDL FPSM-2009]

(4) The process of identifying internal and external threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining the critical functions necessary to continue an organization’s operations, defining the controls in place or necessary to reduce exposure, and evaluating the cost for such controls.
[ASIS GDL BC 01 2005]

risk attitude

Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. [RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

risk communication

The exchange or sharing of information about risk between the decision-maker and other stakeholders.
Note: The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, or other aspects of risk.
[ASIS SPC.1-2009]

risk criteria

(1) Terms of reference used to measure and evaluate the significance and effects of risk.
Note 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.
Note 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.
[ANSI/ASIS/RIMS RA.1-2015]

(2) Terms of reference by which the significance of risk is assessed.
Note: Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities, and other inputs to the assessment.
[ASIS SPC.1-2009] [ANSI/ASIS PAP.1-2012]

(3) Terms of reference against which the significance of a risk is evaluated.
Note 1: Risk criteria are based on organizational objectives, and external and internal context.
Note 2: Risk criteria can be derived from standards, laws, policies, and other requirements.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]

risk driver

Event, individual(s), process, or trends having impact on the objectives of the organization.
[ANSI/ASIS/RIMS RA.1-2015]

risk evaluation

(1) Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.
Note: Risk evaluation provides the basis for decision about risk treatment methods.
[ANSI/ASIS/RIMS RA.1-2015]

(2) Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Note: Risk evaluation assists in the decision about risk treatment.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]

risk identification

(1) Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes.
Note: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.
[ANSI/ASIS/RIMS RA.1-2015]

(2) Process of finding, recognizing, and describing risks.
Note 1: Risk identification involves the identification of risk sources, events, their causes, and their potential consequences.
Note 2: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]

risk maker

Individual that creates uncertainty.
[ANSI/ASIS SPC.4-2012]

risk management

(1) A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. [RIMS Resources]
[ANSI/ASIS/RIMS RA.1-2015]

(2) Coordinated activities to direct and control an organization with regard to risk.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS SCRM.1-2014]
Note: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

(3) A business discipline consisting of three major functions: loss prevention, loss control, and loss indemnification.
[ASIS GDL FPSM-2009]

risk reduction

Actions taken to lessen the probability, negative consequences, or both, associated with a risk.
[ASIS SPC.1-2009] [ANSI/ASIS PAP.1-2012]

risk register

A compilation of all risks identified, analyzed, and evaluated in the risk assessment process.
Note: The risk register includes information on likelihood, consequences, treatments, and risk owners.
[ANSI/ASIS PSC.1-2012] [ANSI/ASIS/RIMS RA.1-2015]

risk source

A factor with the potential to create uncertainty in achieving objectives.
Note: A risk source may include tangible or intangible factors alone or in combination.
[ANSI/ASIS/RIMS RA.1-2015]

risk taker

Individual that accepts uncertainty.
[ANSI/ASIS SPC.4-2012]

risk tolerance

(1) An organization’s readiness to bear the risk after risk treatments in order to achieve its objectives.
Note: Risk tolerance can be limited by legal or regulatory requirements.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

(2) Organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.
Note: Risk tolerance can be influenced by client, stakeholder, legal, or regulatory requirements.
[ANSI/ASIS PSC.1-2012]

(3) The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.
Note: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdiction law and stakeholder requirements.
[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
[ANSI/ASIS/RIMS RA.1-2015]

risk transfer

Sharing with another party the burden of loss or benefit or gain, for a risk.
Note 1: Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk.
Note 2: Risk transfer can be carried out through insurance or other agreements.
Note 3: Risk transfer can create new risks or modify existing risks.
Note 4: Relocation of the source is not risk transfer.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

risk treatment

(1) Process of selecting and implementing measures to modify risk to achieve objectives.
Note 1: Measures to modify risk may include:
   • Avoiding the risk;
   • Adapting internal or external parameters to change the nature of the risk;
   • Exploiting a risk to pursue an opportunity;
   • Eliminating or influencing the risk source;
   • Modifying the likelihood;
   • Modifying the consequences;
   • Sharing the risk (e.g., insurance, contracts, outsourcing, etc.); and
   • Accepting the risk by informed decision.
Note 2: Risk treatment can change the characteristics of existing risks or generate new risks.
Note 3: Risk treatment may require a reallocation of resources or modification of plans and priorities.
[ANSI/ASIS/RIMS RA.1-2015]

(2) The process of selection and implementation of measures to modify risk.

  • Note 1: The term “risk treatment” is sometimes used for the measures themselves.
  • Note 2: Risk treatment measures can include avoiding, optimizing, transferring, or retaining risk.

[ASIS SPC.1-2009]

(3) Process to modify risk.

  • Note 1: Risk treatment can involve:
    — Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
    — Taking or increasing risk in order to pursue an opportunity;
    — Removing the risk source;
    — Changing the likelihood;
    — Changing the consequences;
    — Sharing the risk with another party or parties [including contracts and risk financing]; and
    — Retaining the risk by informed choice.
  • Note 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, and risk reduction.
  • Note 3: Risk treatment can create new risks or modify existing risks.

[ANSI/ASIS PAP.1-2012]  [ANSI/ASIS PSC.1-2012] [ANSI/ASIS PSC.3-2013] [ANSI/ASIS PSC.4-2013] [ANSI/ASIS SCRM.1-2014]

root cause analysis

A technique used to identify the conditions that initiate the occurrence of an undesired activity or state.
[ASIS GDL IAP 05 2007]