Term
Cybersecurity General Goals (1st Level)

Definition
Prevention: You should try to prevent bad things from happening.
Detection: If you can't prevent, can you at least detect?
Recovery: If you can't prevent or detect, you better be able to recover.

Term
Common Cyber Security Objectives (2nd Level)

Definition
Confidentiality
Integrity
Availability

Term

Definition
Privacy/confidentiality
Authentication
Authorization
Possession

Term

Definition

Term

Definition
Is this remote request really coming from who it says it is?

Term

Definition
Does an access request come from a source allowed to do it?

Term

Definition
Do I (or my enterprise) have control over the content of data I create?

Term

Definition
Authenticity
Unmarred
Non-repudiation
Auditing

Term

Definition
Did this data come from the expected correspondent?

Term

Definition
Is the data/process/system corrupted?

Term

Definition
Can a counterparty deny their system activities?

Term

Definition
What happened, when, and how?

Term

Definition

Term

Definition
Are systems present and ready for immediate use?

Term

Definition
Is access minimized as per business purpose? (similar to Least Privilege)

Term
Security Standards (systemigram path)

Definition
Security Standards dictate the processes that recommend controls to reduce vulnerability.

Term
Security Program Composition

Definition
Strategy -> Policy -> Awareness -> Implementation
-> Monitoring -> Compliance -> Strategy
(Prevention -> Detection -> Correction -> Prevention)

Term
Triad and True (Five triads)

Definition
1. Prevent, Detect, Respond/Correct/Recover
2. Confidentiality, Integrity, Availability
3. People, Process, Technology
4. Audit, Review, Assess
5. Monitor, Measure, Manage

Term
Roles of the Security Organization: Strategy

Definition
Strategic alignment with business/organization objectives.

Term
Roles of the Security Organization: Policy

Definition
Information Security Management (ISM) writes and publishes policy.

Term
Roles of the Security Organization: Awareness

Definition
Information Security Management (ISM) conducts classes and publishes announcements.

Term
Role of the Security Organization: Implementation

Definition
Via the security review process, as well as occasional security-specific projects, ISM contributes secure architecture, design, and engineering strategy.

Term
Role of the Security Organization: Monitoring

Definition
ISM reviews critical configuration on a periodic basis, and maintains metrics on security configuration and logs of user activity.

Term
Role of the Security Organization: Compliance

Definition
ISM is the point of escalation for security issues that may require investigation.

Term
Program Organization: Strategy

Definition
Technology Steering Committee, Outsource Management, Legal, Physical Security, and other executive management.

Term
Program Organization: Policy

Definition
All stakeholders contribute.

Term
Program Organization: Awareness

Definition
Legal and Human Resources take the lead on many issues; Business Application and Data Owners, Operations and Product Managers reinforce.

Term
Program Organization: Implementation

Definition
Subject Matter Experts, Technology Architects, Product Owners, Managers of Platform Maintenance, Systems Administrators, Operations Managers, Executive Assistants.

Term
Program Organization: Monitoring

Definition
Operations Managers and Internal Auditors have primary responsibility; Managers of Platform Maintenance contribute.

Term
Program Organization: Compliance

Definition
Human Resources and Legal take the lead on many issues; Product Owners and Operations Managers contribute.

Term
Program Execution Process Hierarchy

Definition
Policy
Standards
Procedures
Guidelines
Technologies

Term

Definition
Workflow designed to support a given outcome.
Information Security Governance requires process commensurate with the size and nature of the organization, as well as the diversity in roles and responsibilities.

Term

Definition
Forms the basis for a methodology for complying with management and regulatory objectives for data confidentiality, integrity, and availability. They are documents that contain management mandates for the security program.

Term

Definition
Organizational directives for technical configurations that comply with policy. Domain may be organization-wide or within a single department.

Term

Definition
Step-by-step process descriptions, or even more detailed procedures, to provide staff with instruction on things like technology configuration. Used for ensuring that standards are followed and for training new personnel.

Term

Definition
Suggestions for following security policy, sometimes including several alternatives for activity that will result in compliance. Not mandatory, even within a department.

Term

Definition
Lowest level of the management process; highest degree of reliability in controls.