Term
Definition
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Term
Definition
The logical route that an end user takes to access computerized information. Typically it includes a route through the operating system, telecommunications software, selected application software and the access control system.

Term
Definition
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Term
Definition
The ability to map a given activity or event back to the responsible party

Term
Address Resolution Protocol (ARP)
Definition
Defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer address on demand

Term
Definition
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Term
Advanced Encryption Standard (AES)
Definition
The international encryption standard that replaced 3DES

Term
Definition
The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The organization entering into an alert situation initiates a series of escalation steps.

Term
Definition
A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer

Term
Definition
Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed. This includes other buildings, offices or data processing centers.

Term
Definition
Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal

Term
Annual loss expectancy (ALE)
Definition
The total expected loss divided by the number of years in the forecast period yielding the average annual loss

Term
Definition
Detection on the basis of whether the system activity matches that defined as abnormal

Term
Anonymous File Transfer Protocol (AFTP)
Definition
A method of downloading public files using the File Transfer Protocol (FTP). AFTP does not require users to identify themselves before accessing files from a particular server. In general, users enter the word "anonymous" when the host prompts for a username. Anything can be entered for the password, such as the user's e-mail address or simply the word "guest." In many cases, an AFTP site will not prompt a user for a name and password.

Term
Definition
Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done, and repair or quarantine files that have already been infected

Term
Definition
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Term
Definition
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. The application layer is not the application that is doing the communication; it is a service layer that provides these services.

Term
Application programming interface (API)
Definition
A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Term
Application service provider (ASP)
Definition
Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility. The applications are delivered over networks on a subscription basis.

Term
Definition
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization's objectives

Term
Definition
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Term
Definition
A specific sequence of events indicative of an unauthorized access attempt. Typically a characteristic byte pattern used in malicious code or an indicator, or set of indicators, that allows the identification of malicious network activities.

Term
Definition
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Term
Definition
The act of verifying the identity (i.e., user, system)

Term
Definition
Access privileges granted to a user, program, or process or the act of granting those privileges

Term
Definition
Information that is accessible when required by the business process now and in the future

Term
Definition
An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable

Term
Definition
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection

Term
Definition
A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistic efficiency and various other metrics.

Term
Definition
The smallest unit of information storage; a contraction of the term "binary digit;" one of two symbols "0" (zero) and "1" (one) that are used to represent binary numbers

Term
Definition
Provides an exact image of the original and is a requirement for legally justifiable forensics

Term
Definition
Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media. Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.

Term
Definition
A large number of compromised computers that are used to create and send spam or viruses or flood a network with messages such as a denial-of-service attack

Term
Definition
Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found

Term
Definition
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Term
Business continuity plan (BCP)
Definition
A plan used by an organization to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

Term
Business dependency assessment
Definition
A process of identifying resources critical to the operation of a business process

Term
Definition
The net effect, positive or negative, on the achievement of business objectives

Term
Business impact analysis/assessment (BIA)
Definition
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. This process also includes addressing: income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence.

Term
Business Model for Information Security (BMIS)
Definition
A holistic and business-oriented model that supports enterprise governance and management of information security, and provides a common language for information security professionals and business management

Term
Capability Maturity Model (CMM)
Definition
Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes, to disciplined, mature processes, with improved quality and effectiveness.

Term
Certificate (certification) authority (CA)
Definition
A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates

Term
Certificate revocation list (CRL)
Definition
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.

Term
Certification practice statement (1 of 2)
Definition
A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA).

Term
Certification practice statement (2 of 2)
Definition
Stated in terms of the controls that an organization observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used

Term
Definition
A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. This includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering.

Term
Definition
A process and record that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence and who had control or possession of the evidence. The "sequencing" of the chain of evidence follows this order: collection and identification, analysis, storage, preservation, presentation in court, return to owner.

Term
Definition
A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). When a user tries to log onto the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.

Term
Definition
A holistic and proactive approach to managing the transition from a current to a desired organizational state

Term
Definition
A mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file have not been maliciously changed.

Term
Definition
A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check values, modification detection codes or message integrity codes.

Term
Chief information officer (CIO)
Definition
The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer.

Term
Chief information security officer (CISO)
Definition
Responsible for managing information risk, the information security program, and ensuring appropriate confidentiality, integrity and availability of information assets

Term
Chief security officer (CSO)
Definition
Typically responsible for physical security in the organization although increasingly the CISO and CSO roles are merged

Term
Chief technology officer (CTO)
Definition
The individual who focuses on technical issues in an organization

Term
Definition
An approach using external services for convenient on-demand IT operations using a shared pool of configurable computing capability. Typical capabilities include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS), e.g., networks, servers, storage, applications and services, that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics (on-demand self service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service). It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over, the technology infrastructure that supports them and provides four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud).

Term
Definition
Formerly known as Control Objectives for Information and related Technology (COBIT); now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices.

Term
Definition
Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products. (See www.isaca.org/cobit for more information.)

Term
Definition
Formerly known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.

Term
Common vulnerabilities and exposures (CVE)
Definition
A system that provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.

Term
Definition
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Term
Definition
The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

Term
Definition
The protection of sensitive or private information from unauthorized disclosure

Term
Definition
The control of changes to a set of configuration items over a system life cycle

Term
Definition
Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags)

Term
Definition
A plan used by an organization or business unit to respond to a specific systems failure or disruption

Term
Definition
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) the development of a strategy to regularly evaluate selected IS controls/metrics, 2) recording and evaluating IS-relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IS controls, or changes that affect IS risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise.

Term
Definition
Hosts the recovery meetings where disaster recovery operations are managed

Term
Definition
A policy defining control operational and failure modes, e.g., fail secure, fail open, allowed unless specifically denied, denied unless specifically permitted

Term
Definition
The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.

Term
Definition
Committee of Sponsoring Organizations of the Treadway Commission. Its 1992 report "Internal Control—Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.

Term
Definition
A systematic process for calculating and comparing benefits and costs of a project, control or decision

Term
Definition
Any process that directly reduces a threat or vulnerability

Term
Definition
A measure of the impact that the failure of a system to function as required will have on the organization.

Term
Definition
An analysis to evaluate resources or business functions to identify their importance to the organization, and the impact if a function cannot be completed or a resource is not available

Term
Definition
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output

Term
Definition
A measure of the expected number of operations required to defeat a cryptographic mechanism

Term
Definition
The art of designing, analyzing and attacking cryptographic schemes

Term
Cyclical redundancy check (CRC)
Definition
A method to ensure that data have not been altered after being sent through a communication channel

Term
Definition
The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the organization

Term
Definition
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

Term
Definition
The individual(s) and/or department(s) responsible for the storage and safeguarding of computerized data

Term
Data Encryption Standard (DES)
Definition
An algorithm for encoding binary data. It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES).

Term
Definition
The property that data meet with a priority expectation of quality and that the data can be relied on

Term
Definition
Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes

Term
Data leak protection (DLP)
Definition
A suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure

Term
Definition
A technique used to analyze existing information, usually with the intention of pursuing new avenues to pursue business

Term
Definition
A structured process for organizing data into tables in such a way that it preserves the relationships among the data

Term
Definition
The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Term
Definition
A generic term for a system that stores, retrieves and manages large volumes of data. Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches, as well as advanced filtering.

Term
Definition
The process of distributing computer processing to different locations within an organization

Term
Definition
A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption

Term
Definition
The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an organization's computing and information resources.

Term
Definition
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means: to erase.

Term
Definition
A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network. A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.

Term
Denial-of-service (DoS) attack
Definition
An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate

Term
Definition
A process to authenticate (or certify) a party's digital signature; carried out by trusted third parties

Term
Definition
The process of digitally signing computer code to ensure its integrity

Term
Definition
The communication to appropriate internal and external parties that the disaster recovery plan is being put into operation

Term
Disaster notification fee
Definition
The fee the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required. The fee is implemented to discourage false disaster notifications.

Term
Disaster recovery plan (DRP)
Definition
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

Term
Disaster recovery plan desk checking
Definition
Typically a read-through of a disaster recovery plan without any real actions taking place. Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified

Term
Disaster recovery plan walk-through
Definition
Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps they would need to take to recover. As many aspects of the plan should be tested as possible.

Term
Discretionary access control (DAC)
Definition
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

Term
Definition
The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.

Term
Distributed denial-of-service (DDoS) attack
Definition
A denial-of-service (DoS) assault from multiple sources

Term
Definition
A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers

Term
Definition
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource so that no single entity acting alone can access that resource

Term
Definition
The level of care expected from a reasonable person of similar competency under similar conditions

Term
Definition
The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis

Term
Dynamic Host Configuration Protocol (DHCP)
Definition
A protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask and IP addresses of domain name system (DNS) servers from a DHCP server. The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client's assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator.

Term
Electronic data interchange (EDI)
Definition
The electronic transmission of transactions (information) between two enterprises. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

Term
Electronic funds transfer (EFT)
Definition
The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.

Term
Definition
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Term
Definition
A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Term
Definition
The potential loss to an area due to the occurrence of an adverse event

Term
Definition
The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster

Term
Definition
The transfer of service from an incapacitated primary component to its backup component

Term
Definition
Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it

Term
Definition
An optimized code based on a branch prediction that predicts which way a program will branch when an application is presented

Term
Definition
A system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment such as the Internet

Term
|
Definition
An attack that attempts to cause a failure in a system by providing more input than the system can process properly |
|
|
Term
|
Definition
An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm |
|
|
Term
|
Definition
The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise |
|
|
Term
|
Definition
A description of a particular way of accomplishing something that is less prescriptive than a procedure |
|
|
Term
|
Definition
To configure a computer or other network device to resist attacks |
|
|
Term
|
Definition
An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm. |
|
|
Term
|
Definition
A service offered via telephone/Internet by an organization to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks. A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved. |
|
|
Term
|
Definition
A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems |
|
|
Term
|
Definition
A fully operational offsite data processing facility equipped with hardware and system software to be used in the event of a disaster |
|
|
Term
Hypertext Transfer Protocol (HTTP) |
|
Definition
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to the client browsers. |
|
|
Term
|
Definition
The process of verifying the identity of a user, process or device, usually as a prerequisite for granting access to resources in an information system |
|
|
Term
|
Definition
A study to prioritize the criticality of information resources for the organization based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy. |
|
|
Term
|
Definition
Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service |
|
|
Term
|
Definition
An action plan for dealing with intrusions, cybertheft, denial-of-service attacks, fires, floods, and other security-related events. It comprises a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. |
|
|
Term
|
Definition
Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability) |
|
|
Term
Information security governance |
|
Definition
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly |
|
|
Term
Information security program |
|
Definition
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis |
|
|
Term
|
Definition
The accuracy, completeness and validity of information |
|
|
Term
|
Definition
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected |
|
|
Term
Internet service provider (ISP) |
|
Definition
A third party that provides individuals and organizations access to the Internet and a variety of other Internet-related services |
|
|
Term
|
Definition
The time the company can wait from the point of failure to the restoration of the minimum and critical services or applications. After this time, the progressive losses caused by the interruption are excessive for the organization. |
|
|
Term
|
Definition
The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack |
|
|
Term
Intrusion detection system (IDS) |
|
Definition
Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack. |
|
|
Term
Intrusion prevention system (IPS) |
|
Definition
Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack and then blocks it at the firewall to prevent damage to information resources |
|
|
Term
|
Definition
A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets |
|
|
Term
|
Definition
ISO/IEC 15504 Information technology—Process assessment. ISO/IEC 15504 provides a framework for the assessment of processes. The framework can be used by organizations involved in planning, managing, monitoring, controlling and improving the acquisition, supply, development, operation, evolution and support of products and services. |
|
|
Term
|
Definition
Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. This standard defines information's confidentiality, integrity and availability controls in a comprehensive information security management system. The latest version is ISO/IEC 17799:2005. |
|
|
Term
|
Definition
An international standard, released in 2005 and revised in 2006, that defines a set of requirements for an information security management system. Prior to its adoption by the ISO, this standard was known as BS 7799 Part 2, which was originally published in 1999. |
|
|
Term
|
Definition
A code of practice that contains a structured list of suggested information security controls for organizations implementing an information security management system. Prior to its adoption by ISO/IEC, this standard existed as BS 7799. |
|
|
Term
|
Definition
ISO 31000:2009 Risk management—Principles and guidelines. Provides principles and generic guidelines on risk management. It is industry- and sector-agnostic and can be used by any public, private or community enterprise, association, group or individual. |
|
|
Term
|
Definition
The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives |
|
|
Term
|
Definition
An executive management-level committee that assists the executive in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects and focuses on implementation aspects |
|
|
Term
|
Definition
A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals) |
|
|
Term
|
Definition
A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions. The committee is primarily accountable for managing the portfolios of IT enabled investments, IT services and other IT resources. The committee is the owner of the portfolio. |
|
|
Term
|
Definition
A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria |
|
|
Term
Key performance indicator (KPI) |
|
Definition
A measure that determines how well the process is performing in enabling the goal to be reached. A KPI is a lead indicator of whether a goal will likely be reached, and a good indicator of capability, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance. |
|
|
Term
|
Definition
A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk |
|
|
Term
|
Definition
The principle of allowing users or applications the least amount of permissions necessary to perform their intended function |
|
|
Term
|
Definition
An electronic mail (email) server that relays messages so that neither the sender nor the recipient is a local user |
|
|
Term
|
Definition
Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic |
|
|
Term
|
Definition
Software designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes. |
|
|
Term
Mandatory access control (MAC) |
|
Definition
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf. |
|
|
Term
Man-in-the-middle attack (MitM) |
|
Definition
An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own system, eventually assuming control of the communication. |
|
|
Term
|
Definition
Attackers that penetrate systems by using the identity of legitimate users and their login credentials |
|
|
Term
Maximum tolerable outages (MTO) |
|
Definition
Maximum time the organization can support processing in alternate mode |
|
|
Term
Media access control (MAC) |
|
Definition
A unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or wireless network card; the MAC address is applied to the hardware at the factory and cannot be modified. |
|
|
Term
Message authentication code |
|
Definition
An American National Standards Institute (ANSI) standard checksum that is computed using the Data Encryption Standard (DES) |
|
|
Term
|
Definition
A cryptographic checksum, typically generated for a file that can be used to detect changes to the file; Secure Hash Algorithm-1 (SHA-1) is an example of a message digest algorithm. |
|
|
Term
|
Definition
An alternate site that contains the same information as the original. Mirror sites are set up for backup and disaster recovery as well as to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet. |
|
|
Term
|
Definition
The use of a mobile/temporary facility to serve as a business resumption location. Such facilities can usually be delivered to any site and can house information technology and staff. |
|
|
Term
|
Definition
Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted. |
|
|
Term
Multipurpose Internet mail extension (MIME) |
|
Definition
A specification for formatting non-ASCII messages so that they can be sent over the Internet. Many email clients now support MIME, which enables them to send and receive graphics, audio and video files via the Internet mail system. In addition, MIME supports messages in character sets other than ASCII. |
|
|
Term
|
Definition
Calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment. To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment also should be taken into account. |
|
|
Term
Network address translation (NAT) |
|
Definition
Basic NATs are used when there is a requirement to interconnect two IP networks with incompatible addressing. However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. |
|
|
Term
Network-based intrusion detection (NID) |
|
Definition
Provides broader coverage than host-based approaches but functions in the same manner, detecting attacks using either an anomaly-based or signature-based approach, or both |
|
|
Term
|
Definition
The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities |
|
|
Term
|
Definition
The assurance that a party cannot later deny originating data; that is, it is the provision of proof of the integrity and origin of the data and can be verified by a third party. A digital signature can provide nonrepudiation. |
|
|
Term
|
Definition
Computer file storage media not physically connected to the computer; typically tapes or tape cartridges used for backup purposes |
|
|
Term
Open Shortest Path First (OSPF) |
|
Definition
A routing protocol developed for IP networks. It is based on the shortest path first or link state algorithm. |
|
|
Term
Open Source Security Testing Methodology |
|
Definition
An open and freely available methodology and manual for security testing |
|
|
Term
|
Definition
Represents the consequences of actions previously taken; often referred to as a lag indicator. An outcome measure frequently focuses on results at the end of a time period and characterizes historical performance. It is also referred to as a key goal indicator (KGI) and is used to indicate whether goals have been met. Can be measured only after the fact and, therefore, is called a lag indicator. |
|
|
Term
|
Definition
Data unit that is routed from source to destination in a packet-switched network. A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network. |
|
|
Term
|
Definition
Controlling access to a network by analyzing the attributes of the incoming and outgoing packets, and either letting them pass or denying them based on a list of rules |
|
|
Term
|
Definition
Software that observes and records network traffic |
|
|
Term
|
Definition
Individual packets follow their own paths through the network from one endpoint to another and reassemble at the destination. |
|
|
Term
|
Definition
Major divisions of the total physical hard disk space |
|
|
Term
|
Definition
A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action |
|
|
Term
|
Definition
A tool that tests the strength of user passwords by searching for passwords that are easy to guess. It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols. |
|
|
Term
|
Definition
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers |
|
|
Term
Personally Identifiable Information (PII) |
|
Definition
Information that can be used alone or with other sources to uniquely identify, contact or locate a single individual |
|
|
Term
|
Definition
This is a more sophisticated form of a man-in-the-middle (MITM) attack. A user's session is redirected to a masquerading website. This can be achieved by corrupting a domain name system (DNS) server on the Internet and pointing a URL to the masquerading web site's IP address. |
|
|
Term
|
Definition
This is a type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. Phishing attacks may take the form of masquerading as a lottery organization advising the recipient or the user's bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack. |
|
|
Term
|
Definition
Overall intention and direction as formally expressed by management |
|
|
Term
|
Definition
A hardware interface between a CPU and a peripheral device. It can also refer to a software (virtual) convention that allows remote services to connect to a host operating system in a structured manner. |
|
|
Term
|
Definition
Freedom from unauthorized intrusion or disclosure of information about an individual |
|
|
Term
|
Definition
A mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key |
|
|
Term
|
Definition
A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. |
|
|
Term
|
Definition
A server that acts on behalf of a user. Typically proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection to a remote destination on behalf of the user. |
|
|
Term
|
Definition
In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme |
|
|
Term
|
Definition
Emergency processing agreements among two or more organizations with similar equipment or applications. Typically, participants promise to provide processing time to each other when an emergency arises. |
|
|
Term
|
Definition
Execution of a response or task according to a written procedure |
|
|
Term
Recovery point objective (RPO) |
|
Definition
Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recover data. It effectively quantifies the permissible amount of data loss in case of interruption. |
|
|
Term
Recovery time objective (RTO) |
|
Definition
The amount of time allowed for the recovery of a business function or resource after a disaster occurs |
|
|
Term
Redundant Array of Inexpensive Disks (RAID) |
|
Definition
Provides performance improvements and fault-tolerant capabilities, via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously |
|
|
Term
|
Definition
A recovery strategy involving the duplication of key information technology components, including data or other key business processes, whereby fast recovery can take place |
|
|
Term
Request for proposal (RFP) |
|
Definition
A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product |
|
|
Term
|
Definition
The remaining risk after management has implemented risk response |
|
|
Term
|
Definition
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect |
|
|
Term
Return on investment (ROI) |
|
Definition
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered |
|
|
Term
Return on security investment (ROSI) |
|
Definition
An estimate of return on security investment based on how much will be saved by reduced losses divided by the investment |
|
|
Term
|
Definition
The combination of the probability of an event and its consequence. (ISO/IEC 73). Risk has traditionally been expressed as Threats x Vulnerabilities = Risk. |
|
|
Term
|
Definition
A process used to identify and evaluate risk and potential effects. Risk assessment includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event. |
|
|
Term
|
Definition
The process for systematically avoiding risk, constituting one approach to managing risk |
|
|
Term
|
Definition
The management and reduction of risk through the use of countermeasures and controls |
|
|
Term
|
Definition
The acceptable level of variation that management is willing to allow for any particular risk while pursuing its objectives |
|
|
Term
|
Definition
The process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service |
|
|
Term
|
Definition
The ability of systems to withstand attack, operate reliably across a wide range of operational conditions and to fail gracefully outside of the operational range |
|
|
Term
Role-based access control |
|
Definition
Assigns users to job functions or titles. Each job function or title defines a specific authorization level. |
|
|
Term
|
Definition
A process of diagnosis to establish origins of events, which can be used for learning from consequences, typically of errors and problems |
|
|
Term
|
Definition
A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system |
|
|
Term
|
Definition
A cryptographic key that is used with a secret key (symmetric) cryptographic algorithm, that is uniquely associated with one or more entities, and that is not made public. The same key is used to both encrypt and decrypt data. The use of the term "secret" in this context does not imply a classification level, but rather implies the need to protect the key from disclosure. |
|
|
Term
Secure hash algorithm (SHA) |
|
Definition
A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest |
|
|
Term
Security information and event management (SIEM) |
|
Definition
SIEM solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes. Capabilities include:
Data aggregation: SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases and applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
Correlation: Looks for common attributes and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.
Alerting: The automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.
Dashboards: SIEM/LM tools take event data and turn them into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. |
|
|
Term
|
Definition
A standard of measurement used in management of security-related activities |
|
|
Term
Segregation/separation of duties (SoD) |
|
Definition
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection. |
|
|
Term
|
Definition
A measure of the impact that improper disclosure of information may have on an organization |
|
|
Term
Service delivery objective (SDO) |
|
Definition
Directly related to business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored |
|
|
Term
Service level agreement (SLA) |
|
Definition
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured |
|
|
Term
|
Definition
A single-use symmetric key used for a defined period of communication between two computers, such as for the duration of a single communication session or transaction set |
|
|
Term
|
Definition
A script written for the shell, or command line interpreter, of an operating system; it is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a UNIX shell, while COMMAND.COM (DOS) and cmd.exe (Windows) command line scripts are usually called batch files. Others, such as AppleScript, add scripting capability to computing environments lacking a command line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL). |
|
|
Term
|
Definition
The process by which data traversing a network are captured or monitored |
|
|
Term
|
Definition
An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information |
|
|
Term
Split knowledge/split key |
|
Definition
A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items; a condition under which two or more entities separately have key components that individually convey no knowledge of the plaintext key that will be produced when the key components are combined in the cryptographic module |
|
|
Term
|
Definition
Faking the sending address of a transmission in order to gain illegal entry into a secure system |
|
|
Term
|
Definition
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO) |
|
|
Term
Symmetric key encryption |
|
Definition
System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. The same key is used for encryption and decryption. |
|
|
Term
|
Definition
Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system |
|
|
Term
|
Definition
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A potential cause of an unwanted incident. (ISO/IEC 13335) |
|
|
Term
|
Definition
Methods and things used to exploit a vulnerability. Examples include determination, capability, motive and resources. |
|
|
Term
|
Definition
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against information assets. The threat analysis usually also defines the level of threat and the likelihood of it materializing. |
|
|
Term
|
Definition
The identification of types of threats to which an organization might be exposed |
|
|
Term
|
Definition
Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm |
|
|
Term
|
Definition
Used to describe a given threat and the harm it could do to a system if it has a vulnerability |
|
|
Term
|
Definition
The method a threat uses to exploit the target |
|
|
Term
|
Definition
A device that is used to authenticate a user, typically in addition to a user name and password. A token is usually a device the size of a credit card that displays a pseudo random number that changes every few minutes. |
|
|
Term
Total cost of ownership (TCO) |
|
Definition
Includes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users |
|
|
Term
|
Definition
A system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information |
|
|
Term
|
Definition
Commonly used to bridge between incompatible hosts/routers or to provide encryption; a method by which one network protocol encapsulates another protocol within itself |
|
|
Term
Two-factor authentication |
|
Definition
The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password); typically the combination of something you know, are or have |
|
|
Term
Uniform resource locator (URL) |
|
Definition
The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use; the second part specifies the IP address or the domain name where the resource is located (e.g., http://www.isaca.org). |
|
|
Term
Virtual private network (VPN) |
|
Definition
A secure private network that uses the public telecommunications infrastructure to transmit data. In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security. |
|
|
Term
|
Definition
The file of virus patterns that are compared with existing files to determine if they are infected with a virus or worm |
|
|
Term
|
Definition
Similar to a hot site, but not fully equipped with all of the necessary hardware needed for recovery |
|
|
Term
|
Definition
The business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites. Most hosting is "shared," which means that web sites of multiple companies are on the same server to share/reduce costs. |
|
|
Term
|
Definition
Using the client-server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), a web server is a software program that serves web pages to users. |
|
|
Term
|
Definition
A computer network connecting different remote locations that may range from short distances, such as a floor or building, to long transmissions that encompass a large region or several countries |
|
|
Term
|
Definition
Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines |
|
|
Term
|
Definition
A weakness in the design, implementation, operation or internal controls in a process that could be exploited to violate system security |
|
|
Term
|
Definition
A process of identifying and classifying vulnerabilities |
|
|
Term
|
Definition
A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' action |
|
|
Term
Wi-Fi protected access 2 (WPA2) |
|
Definition
The replacement security method for WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. Based on the ratified IEEE 802.11i standard, WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant advanced encryption standard (AES) encryption algorithm and 802.1X-based authentication. |
|
|
Term
|
Definition
Protect, Act, Provide, Advance. |
|
|
Term
|
Definition
Confidentiality, Integrity, Availability |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
U Should Count Six Tauntauns |
|
Definition
Unclassified, Sensitive But Unclassified, Classified, Secret, Top Secret. |
|
|
Term
|
Definition
Layering, or Onion defense. |
|
|
Term
Security through obscurity |
|
Definition
|
|
Term
RMF: “Crime Scene Investigators Always Act Modestly” |
|
Definition
Categorize, Select, Implement, Assess, Authorize, Maintain |
|
|
Term
|
Definition
Has IT in it; IT governance |
|
|
Term
|
Definition
Annualized Rate of Occurrence |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
International Organization for Standardization |
|
|
Term
ISO Raging Crackheads Risk Health |
|
Definition
Requirements (ISO 27001), Code of practice, Risk Management (ISO 27002), Health (ISO 27799). |
|
|
Term
|
Definition
Bell-LaPadula legend: Simple/R = read; */W = write; U = up; D = down. |
|
|
Term
|
Definition
Confidentiality – Simple N R U || * N W D || Strong * N R/W U/D. |
|
|
Term
|
Definition
Integrity – Simple N R D || * N W U || Invocation N R/W U. |
|
|
Term
Access Control types: 2C - 3D - PR |
|
Definition
Corrective, Compensating; Detective, Deterrent, Directive; Preventative, Recovering. |
|
|
Term
|
Definition
|
|
Term
|
Definition
Diffie-Hellman, ElGamal, RSA, ECC, Knapsack, Quantum |
|
|
Term
|
Definition
Twofish, 3DES, Blowfish, RC5, AES, IDEA, DES, Skipjack |
|
|
Term
|
Definition
Stream = RC4; Block = everything else. |
|
|
Term
Fire Extinguisher Classes: |
|
Definition
A (Ash) Combustible, B (Boil) Liquid, C (Current) Electrical, D (Dent) Metal, K (Kitchen) Oil/Fat. |
|
|
Term
CPU Pipelining order: FDEW |
|
Definition
Fetch, Decode, Execute, Write |
|
|
Term
|
Definition
Physical, Datalink, Network, Transport, Session, Presentation, Application |
|
|
Term
|
Definition
Please Do Not Throw Sausage Pizza Away |
|
|
Term
|
Definition
All People Seem To Need Data Processing. |
|
|
Term
|
Definition
Network access, Internet, Transport, Application. |
|
|
Term
|
Definition
Spoofing, Tampering, Repudiation, Information disclosure, DoS, Escalation of privilege |
|
|
Term
|
Definition
Damage, Reproducibility, Exploitability, Affected users, Discoverability |
|
|
Term
4 Ds of Physical Security |
|
Definition
Deter → Deny → Detect → Delay |
|
|
Term
|
Definition
Evaluation Assurance Level |
|
|
Term
|
Definition
For Sure My Mother-So Sweet Forever. |
|
|
Term
|
Definition
Fun Stress Method Medical-Doctors Seem Somewhat Verifiably Foolish (Functionally, Structurally, Methodically, Methodically Designed, Semi-formally, Semi-formally Designed, Verified, Formally Verified) |
|
|
Term
Multi-Factor Authentication |
|
Definition
Something you know, something you have, something you are. |
|
|
Term
Incident Response Forensics: PDRMR3L |
|
Definition
Prepare, Detect, Response, Mitigate, Reporting, Recovery, Remediation, Lessons Learned. |
|
|
Term
|
Definition
Initiating, Diagnosing, Establishing, Acting, Learning |
|
|
Term
|
Definition
DHCP: DORA - Discover, Offer, Request, ACK. |
|
|
Term
|
Definition
Ring -1 VM hosts (hypervisor), 0 Kernel, 1 Operating System, 2 Drivers, 3 User |
|
|
Term
TCP Header Flags Unskilled Attackers Pester Real Security Folks |
|
Definition
|
|
Term
Digital forensics model: I Prefer Coffee Every time Anyone Provides Donuts |
|
Definition
Identification, Preservation, Collection, Examination, Analysis, Presentation, Decision |
|
|
Term
|
Definition
RRA/RTID: Request, Review, Approve or Reject, Test, Implement, Document. |
|
|
Term
The 7 steps of a cyber-attack: RSA ESA O |
|
Definition
Reconnaissance, Scanning, Access and Escalation, Exfiltration, Sustainment, Assault, Obfuscation |
|
|
Term
|
Definition
BCP policy → BIA → Identify preventive controls → Develop recovery strategies → Develop DRP → DRP training/testing → BCP/DRP maintenance |
|
|
Term
SDLC2: “I Reckon All Dem Dere Taters’ Really Delicious” |
|
Definition
Initiation, Requirements, Architecture, Design, Develop, Testing, Release, Disposal. |
|
|
Term
|
Definition
Atomic, Consistency, Isolation, Durability |
|
|
Term
SW-CMM: I Ran Down My Ostrich |
|
Definition
Initial, Repeatable, Defined, Managed, Optimized. |
|
|
Term
SDLC1: IDIOD Don’t be an IDIOD |
|
Definition
Initiation, Design, Implement, Operations, Disposal |
|
|
Term
|
Definition
|
|
Term
|
Definition
CTO: Chief Technology Officer. |
|
|
Term
|
Definition
|
|
Term
|
Definition
Chief Information Security Officer. |
|
|
Term
|
Definition
|
|
Term
|
Definition
Chief Information Officer. |
|
|
Term
|
Definition
Payment Card Industry Data Security Standard |
|
|
Term
OCTAVE Self-Directed Risk Management |
|
Definition
Operationally Critical Threat, Asset, and Vulnerability Evaluation |
|
|
Term
|
Definition
Control Objectives for Information and related Technology |
|
|
Term
COSO Goals for the entire organization |
|
Definition
Committee of Sponsoring Organizations. |
|
|
Term
|
Definition
Facilitated Risk Analysis Process |
|
|
Term
Security Governance Principles: Values |
|
Definition
What are our values? Ethics, Principles, Beliefs. |
|
|
Term
Security Governance Principles: Vision |
|
Definition
What do we aspire to be? Hope and Ambition. |
|
|
Term
Security Governance Principles: Mission |
|
Definition
Who do we do it for? Motivation and Purpose. |
|
|
Term
Security Governance Principles: Strategic Objectives |
|
Definition
How are we going to progress? Plans, goals, and sequencing. |
|
|
Term
Security Governance Principles: Actions & KPIs |
|
Definition
What do we need to do, and how do we know when we have achieved it? Actions, Resources, Outcomes, Owners, and Timeframes |
|
|
Term
|
Definition
Operating Expense: the ongoing cost of running a product, business, or system (keeping the lights on) |
|
|
Term
|
Definition
Capital Expenditure: the money a company spends to buy, maintain, or improve its fixed assets, such as buildings, vehicles, equipment, or land |
|
|
Term
|
Definition
Key Goal Indicators: measures that tell management, after the fact, whether an IT process has achieved its business requirements |
|
|
Term
|
Definition
Key Performance Indicators: measures that determine how well the IT process is performing in enabling the goal to be reached |
|
|
Term
|
Definition
Key Risk Indicators: metrics that demonstrate the risks an organization is facing or how risky an activity is. They are the mainstay of measuring adherence to, and establishing, enterprise risk appetite. Organizations use key risk indicators to provide an early signal of increasing risk exposure in various areas of the enterprise; a KRI gives early warning of a potential event that may harm the continuity of an activity or project. |
|
|
Term
|
Definition
Responsible, Accountable, Consulted, Informed |
|
|