From 4fec676b8cb3411f8632a9e9b88cc0c1d9e5a3fb Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 5 Mar 2024 10:20:23 -0500 Subject: [PATCH 1/3] update references in risk tolerance also adjust format/spacing --- docs/topics/risk_tolerance_and_priority.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index aa0e484d..edcdce3a 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md @@ -1,14 +1,15 @@ # Risk Tolerance and Response Priority SSVC enables stakeholders to balance and manage their risks themselves. -We follow the risk management vocabulary from [@ISO73] and define risk as “effect of uncertainty on objectives;” -see [@ISO73] for notes on the terms in the definition. +We follow the risk management vocabulary from the [ISO 31073:2022(en) +Risk management — Vocabulary](https://www.iso.org/obp/ui/#iso:std:iso:31073:ed-1:v1:en) and define risk as “effect of uncertainty on objectives;” +see the original document for notes on the terms in the definition. A successful vulnerability management practice must balance at least two risks: !!! tip inline end "Contexualizing Risk" - To place these risks in context, we follow the SEI's Taxonomy of Operational Cyber Security Risks [@cebula2010taxonomy]. - + To place these risks in context, we follow the SEI's + [Taxonomy of Operational Cyber Security Risks](https://insights.sei.cmu.edu/library/a-taxonomy-of-operational-cyber-security-risks/). **Change risk** can be characterized as a combination of Class 2 and/or Class 3 risks. - Class 2: Systems and Technology Failures includes hardware, software, and systems risks. 
@@ -26,6 +27,9 @@ In developing the decision trees in this document, we had in mind stakeholders w We therefore remind our readers that the labels on the trees (defer, immediate, etc.) can and should be customized to suit the needs of individual stakeholders wherever necessary and appropriate. + +--- + !!! example "Risk Tolerance Influences Response Priority" - An organization with a high aversion to change risk might choose to accept more vulnerability risk by From d8cbaf2db74984bb1a86a9ccd414bddbc6b89d91 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 5 Mar 2024 10:25:13 -0500 Subject: [PATCH 2/3] typo fix --- docs/topics/risk_tolerance_and_priority.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index edcdce3a..26f01d86 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md @@ -6,7 +6,7 @@ Risk management — Vocabulary](https://www.iso.org/obp/ui/#iso:std:iso:31073:ed see the original document for notes on the terms in the definition. A successful vulnerability management practice must balance at least two risks: -!!! tip inline end "Contexualizing Risk" +!!! tip inline end "Contextualizing Risk" To place these risks in context, we follow the SEI's [Taxonomy of Operational Cyber Security Risks](https://insights.sei.cmu.edu/library/a-taxonomy-of-operational-cyber-security-risks/). From 792b873a4b01df3b6f51844111e3d5d705dd1fc8 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 5 Mar 2024 10:26:00 -0500 Subject: [PATCH 3/3] typo fix --- docs/topics/risk_tolerance_and_priority.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index 26f01d86..631be2dc 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md 
@@ -1,7 +1,7 @@ # Risk Tolerance and Response Priority SSVC enables stakeholders to balance and manage their risks themselves. -We follow the risk management vocabulary from the [ISO 31073:2022(en) +We follow the risk management vocabulary from [ISO 31073:2022(en) Risk management — Vocabulary](https://www.iso.org/obp/ui/#iso:std:iso:31073:ed-1:v1:en) and define risk as “effect of uncertainty on objectives;” see the original document for notes on the terms in the definition. A successful vulnerability management practice must balance at least two risks:
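Review bot: In PATCH 1/3, hunk `@@ -1,14 +1,15 @@`, replacing the citation keys `[@ISO73]` and `[@cebula2010taxonomy]` with inline links means a generated bibliography (if one is built from these keys) will no longer list either source from this page; please verify that no other page still depends on those keys, or that the reference list is updated in the same change. The new wording "see the original document for notes on the terms in the definition" is also vaguer than the citation it replaces; "see ISO 31073 for notes on the terms in the definition" would keep the pointer explicit. Finally, this hunk removes the blank line between the indented body of the `!!! tip inline end` admonition and the unindented `**Change risk**` paragraph; keeping that blank line makes the admonition boundary explicit rather than relying on the admonition extension's indentation handling, and the admonition title it introduces, "Contexualizing Risk", carries a typo that is only corrected in PATCH 2/3, so consider squashing that fix into this commit.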
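Review bot: In PATCH 1/3, hunk `@@ -26,6 +27,9 @@`, the added `---` thematic break is correctly surrounded by blank `+` lines on both sides, so it will render as a rule rather than as a setext heading underline for the preceding sentence; however, nothing in the surrounding context uses a horizontal rule before an `!!! example` admonition, so please state in the commit message why the separator is needed here (for example, to visually end the `inline end` float above) so later editors do not remove it as stray spacing. This formatting change is unrelated to the reference update the commit subject describes; splitting "update references" and "adjust format/spacing" into two commits would keep the history easier to bisect.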
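Review bot: In PATCH 2/3, hunk `@@ -6,7 +6,7 @@`, the correction of `"Contexualizing Risk"` to `"Contextualizing Risk"` fixes a typo introduced by PATCH 1/3 of this same series, so it should be squashed into that commit rather than land as a separate "typo fix" commit; as a standalone change the hunk itself is correct.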
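Review bot: In PATCH 3/3, hunk `@@ -1,7 +1,7 @@`, dropping "the" before the `[ISO 31073:2022(en) Risk management — Vocabulary](...)` link is a wording adjustment to text added in PATCH 1/3, not a typo fix as the subject line says; squash it into PATCH 1/3, or give the commit a subject that describes the change (for example, "drop article before ISO 31073 link"). Since the link text itself spans a line break inside the square brackets, please also confirm in the rendered page that the whole phrase "ISO 31073:2022(en) Risk management — Vocabulary" is linked.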