Energy Credit Best Practices – Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved. 38

Risk Management - The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. It includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.

Risk Tolerance/Appetite — An organization’s willingness to absorb declines in the value of an asset while pursuing its objectives, before any action is determined to be necessary in order to reduce the risk.

Security - A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of Systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction, and should form part of the organization’s Risk Management approach.

Security Architecture - An embedded, integral part of the enterprise architecture that describes the structure and behavior of an enterprise’s security processes, Information Security Systems, personnel, and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

Security Control - The safeguards or countermeasures prescribed for an Information System or an organization to protect the confidentiality, Integrity, and availability of the System and its information.
Security Requirement - A requirement levied on an Information System or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, Integrity, and availability of information that is being processed, stored, or transmitted. [1]

Security Governance - A process for overseeing the Cybersecurity teams who are responsible for mitigating IT business risks. Security governance leaders make the decisions that allow risks to be prioritized, so that security efforts are focused on business priorities rather than on the security teams’ own. They also govern the interplay between mitigating identified IT business risks, addressing internal and external threats, and dealing with compliance.

Security Patching – An update pushed by a software developer to all devices running the software that needs it. Such patches arrive after release because the hole or vulnerability was not discovered before the major update or initial software shipped. The purpose of a security patch is to close the security holes that the major software update or initial software download did not.

Shared Ledger - (see Blockchain)

Standard Operating Procedure (SOP) - A set of instructions used to describe a process or procedure that performs an explicit operation or an explicit reaction to a given event.

[1] Note: Security requirements can be used in a variety of contexts, from high-level policy activities to low-level implementation activities in System development and engineering disciplines.