Term
| Integrity |
|
Definition
| Prevent unauthorized modification of data |
|
|
Term
| Confidentiality |
|
Definition
| Prevent unauthorized disclosure of data |
|
|
Term
| Availability |
|
Definition
| Ensure reliable and timely access to data |
|
|
Term
|
Definition
| Means by which a user claims an identity |
|
|
Term
|
Definition
| Establishes (verifies) the user's claimed identity |
|
|
Term
|
Definition
| System's ability to attribute actions to individual users |
|
|
Term
|
Definition
| Rights and permissions granted to an individual |
|
|
Term
|
Definition
| Level of confidentiality (classification) that a user is authorized to access |
|
|
Term
|
Definition
- Has high-level, enterprise-wide benefit - Demonstrates the organization's commitment to security - Helps identify sensitive and vital information - Supports C.I.A. - May be required for legal or regulatory reasons |
|
|
Term
|
Definition
| Assess the impact of a threat and the likelihood of the threat occurring |
|
|
Term
|
Definition
| Neither sensitive nor classified, public release is acceptable |
|
|
Term
| Sensitive But Unclassified (SBU) |
|
Definition
| Low-sensitivity information; no serious damage if disclosed |
|
|
Term
|
Definition
| Disclosure could cause damage to National Security |
|
|
Term
|
Definition
| Disclosure could cause serious damage to National Security |
|
|
Term
|
Definition
| Disclosure could cause exceptionally grave damage to National Security |
|
|
Term
|
Definition
| Similar to unclassified: should not be disclosed, but causes no problem if it is |
|
|
Term
|
Definition
| Data protected from loss of confidentiality and integrity |
|
|
Term
|
Definition
| Data that is personal in nature and for company use only |
|
|
Term
|
Definition
| Very sensitive, for internal use only; disclosure could seriously and negatively impact the company |
|
|
Term
|
Definition
| Number one classification criterion: if the data is valuable it should be protected |
|
|
Term
|
Definition
| Value of data declines over time, allowing automatic declassification. Number two classification criterion |
|
|
Term
|
Definition
| If the information has become obsolete it can often be declassified. Number three classification criterion |
|
|
Term
|
Definition
| If the data contains personal information it should remain classified. Number four classification criterion |
|
|
Term
|
Definition
- May be an executive or manager - Has final corporate responsibility for protection of the data - Determines the classification level - Reviews the classification level regularly for appropriateness - Delegates day-to-day protection of the data to the Custodian |
|
|
Term
|
Definition
- Generally IT systems personnel - Runs regular backups and tests recovery - Performs restoration when required - Maintains records in accordance with the classification policy |
|
|
Term
|
Definition
- Anyone who routinely uses the data - Must follow operating procedures - Must take due care to protect the data - Must use the company's computing resources for company purposes only |
|
|
Term
|
Definition
| A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. |
|
|
Term
|
Definition
| The company is required to implement it due to legal or regulatory requirements. Usually very detailed and specific to the organization's industry. Ensures the company follows industry-standard procedures and gives it confidence that it does so. |
|
|
Term
|
Definition
| Not mandated but strongly suggested; the company wants employees to treat it as mandatory. Can have exclusions for certain employees or job functions. |
|
|
Term
|
Definition
| Exist simply to inform the reader. No implied or specified requirements. |
|
|
Term
|
Definition
| A specific product or mechanism that is selected for universal use throughout the organization in order to support policy. |
|
|
Term
|
Definition
| General statements designed to achieve the policy's objectives by providing a framework within which to implement controls not covered by procedures. |
|
|
Term
|
Definition
| Mandatory descriptions of how to implement security packages to ensure that implementations result in a consistent level of security throughout the organization. |
|
|
Term
|
Definition
| Spell out step-by-step specifics of how the policy and supporting standards and guidelines will actually be implemented in an operating environment. |
|
|
Term
| Exposure Factor (EF) |
|
Definition
| Percentage of the asset's value lost when the threat occurs |
|
|
Term
| Single Loss Expectancy (SLE) |
|
Definition
| Expected financial loss for a single event = Asset Value x Exposure Factor |
|
|
Term
| Annualized Rate of Occurrence (ARO) |
|
Definition
| Estimated frequency with which the threat will occur within one year; may be fractional (a threat expected once per decade has ARO 0.1) |
|
|
Term
| Annualized Loss Expectancy (ALE) |
|
Definition
| Annual expected financial loss = SLE x ARO |
|
|
Term
|
Definition
| Assigns objective numerical values (dollars) to assets, losses and likelihoods |
|
|
Term
|
Definition
| An analysis based on more intangible, non-monetary values (ratings); scenario oriented. |
|
|
Term
| Preliminary Security Examination (PSE) |
|
Definition
| Conducted prior to the quantitative analysis; helps gather the elements needed for the actual risk analysis |
|
|
Term
|
Definition
| 1) Estimate potential loss 2) Analyze potential threats 3) Define the Annualized Loss Expectancy (ALE) |
|
|
Term
|
Definition
| Implementation of controls to alter risk position |
|
|
Term
|
Definition
| Get insurance; transfer the cost of a loss to the insurer |
|
|
Term
|
Definition
| Accept the risk, absorb loss |
|
|
Term
| Qualitative Scenario Procedure |
|
Definition
- Scenario oriented - List the threats and their frequency - Create an exposure rating scale for each scenario - Write a scenario that addresses each major threat - Have business users review the scenarios as a reality check - Risk analysis team evaluates and recommends safeguards - Work through each finalized scenario - Submit findings to management |
|
|
Term
|
Definition
| ALE (pre-control) – ALE (post-control) = annualized value of the control. Subtract the control's own annual cost from this figure to get its net benefit; a control whose annual cost exceeds the loss it avoids is not worth implementing. |
|
|
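The SLE, ARO, ALE and control-value formulas on the cards above, carried through as a small risk-register calculator. This is an added example and not part of the original flashcards; the asset value, exposure factors, occurrence rates, safeguard names and costs are all constructed for illustration. It evaluates several candidate safeguards against one threat, computes the annualized value of each, subtracts its annual cost, and ranks only those with a positive net benefit.

```python
"""Quantitative risk analysis (SLE, ALE, annualized control value) worked in code.

Added example, not part of the original flashcards. Every asset value, exposure
factor, rate of occurrence and safeguard cost below is constructed for
illustration, not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of the asset lost per event, 0.0 to 1.0
    aro: float              # ARO: expected events per year (0.1 == once per decade)

    def __post_init__(self) -> None:
        # EF is a percentage of the asset, so it cannot exceed 100%;
        # ARO is a frequency, so it is non-negative but may be fractional.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # A control changes the risk by lowering EF (how much is lost per event,
    # typical of recovery controls) and/or ARO (how often events happen,
    # typical of preventive controls). None means "unchanged".
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None

    def apply(self, t: Threat) -> Threat:
        ef = t.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = t.aro if self.new_aro is None else self.new_aro
        return Threat(t.name, t.asset_value, ef, aro)


def control_value(pre: Threat, safeguard: Safeguard) -> dict:
    """ALE(pre-control) - ALE(post-control) is the annualized value of the control
    (the flashcard formula). Subtracting the control's own annual cost gives the
    net benefit, which is what actually decides whether to buy it."""
    post = safeguard.apply(pre)
    value = pre.ale - post.ale
    return {
        "threat": pre.name,
        "safeguard": safeguard.name,
        "ale_pre": pre.ale,
        "ale_post": post.ale,
        "annualized_value": value,
        "net_benefit": value - safeguard.annual_cost,
    }


def recommend(threat: Threat, candidates: List[Safeguard]) -> List[dict]:
    """Rank candidate safeguards for one threat by net benefit. Controls whose
    net benefit is not positive cost more per year than the loss they avoid, so
    they are dropped: for them, accepting the risk is the cheaper choice."""
    results = [control_value(threat, s) for s in candidates]
    worthwhile = [r for r in results if r["net_benefit"] > 0]
    return sorted(worthwhile, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: a customer database valued at $2,000,000. A ransomware
# event is estimated to destroy 40% of that value and to occur once every 4 years.
RANSOMWARE = Threat("ransomware on customer DB", asset_value=2_000_000,
                    exposure_factor=0.40, aro=0.25)

# Constructed candidate controls with hypothetical costs and effects.
CANDIDATES = [
    # Offline, tested backups: loss per event falls to 5%, frequency unchanged.
    Safeguard("offline backups + tested restore", annual_cost=30_000,
              new_exposure_factor=0.05),
    # EDR plus phishing training: events fall to once per decade, loss per event unchanged.
    Safeguard("EDR + phishing training", annual_cost=90_000, new_aro=0.10),
    # A managed service that cuts events to once per 20 years but is priced above
    # what it would save, so it should be rejected.
    Safeguard("premium managed security service", annual_cost=250_000, new_aro=0.05),
]

if __name__ == "__main__":
    print(f"SLE = ${RANSOMWARE.sle:,.0f}, ALE = ${RANSOMWARE.ale:,.0f}")
    for r in recommend(RANSOMWARE, CANDIDATES):
        print(f"{r['safeguard']}: value ${r['annualized_value']:,.0f}/yr, "
              f"net ${r['net_benefit']:,.0f}/yr")
```

For the constructed numbers, SLE is $800,000 and ALE is $200,000 per year. Backups win (value $175,000, net $145,000 after cost), EDR is still worth it (net $30,000), and the $250,000 service is dropped because it avoids only $160,000 of annual loss. The input checks matter in practice: an EF above 1.0 or a negative ARO in a spreadsheet silently produces a control "value" that no budget discussion should rely on.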
Term
|
Definition
| The identification, measurement, control, and minimization of loss associated with uncertain events or risks. |
|
|
Term
|
Definition
| An event whose occurrence could have an undesirable impact on the well-being of an asset. |
|
|
Term
|
Definition
| The absence or weakness of a risk-reducing safeguard. |
|
|
Term
| Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) |
|
Definition
| Self-guided assessment developed by Carnegie Mellon; has three phases. |
|
|
Term
|
Definition
| Identify critical assets and corresponding threats |
|
|
Term
|
Definition
| Identify the vulnerabilities that expose the assets to those threats |
|
|
Term
|
Definition
| Develop a protection strategy |
|
|
Term
| Security Posture Assessment Methodologies |
|
Definition
|
|
Term
| INFOSEC Assessment Methodology |
|
Definition
| Developed by the NSA; a detailed process for examining information-system vulnerabilities and recommending appropriate countermeasures |
|
|
Term
|
Definition
| Nonintrusive baseline analysis |
|
|
Term
|
Definition
|
|
Term
|
Definition
| "Red Team" activities, penetration testing |
|
|
Term
|
Definition
| 1) Pre-assessment 2) On-site 3) Post-assessment |
|
|
Term
| Federal Information Technology Security Assessment Framework (FITSAF) |
|
Definition
| Created by NIST; provides a methodology to determine the current security posture and sets targets for improvement |
|
|
Term
|
Definition
| 1) Documented 2) Complete 3) Implemented 4) Measured 5) Pervasive |
|
|
Term
|
Definition
| 1) Initiation 2) Development and Acquisition 3) Implementation 4) Operation and Maintenance 5) Disposal |
|
|
Term
|
Definition
| 1) Processing 2) Storage 3) Transmission |
|
|
Term
|
Definition
| 1) Policy and Procedures 2) Technology 3) Education, Training, and Awareness |
|
|
Term
|
Definition
| Considering the pros and cons and the benefit/cost of a decision |
|
|
Term
|
Definition
- Define the objective - Identify alternatives - Compare alternatives |
|
|
Term
|
Definition
| Engineering Principles for IT Security (NIST SP 800-27); contains 33 security principles covering the life cycle of an IS. |
|
|
Term
| Types of Security Controls |
|
Definition
| 1) Deterrent 2) Preventive 3) Corrective 4) Detective |
|
|
Term
| Security Controls - Change control |
|
Definition
| Documentation detailing changes made to the system architecture or infrastructure |
|
|
Term
| Security Controls - Management |
|
Definition
| 1) Hardware - disks, peripherals, drivers 2) Network - rules, architecture 3) Application and O/S - service packs, patches, upgrades 4) Policies and Procedures 5) Tools - checksums, signatures, integrity software |
|
|
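The "checksums, signatures, integrity software" tooling named on the change-control card above, shown as a minimal file-integrity baseline. This is an added example, not code from the original flashcards or any particular product; the directory tree, file names and contents are constructed in a temporary directory for the demonstration. It records a SHA-256 digest per file, rescans, and reports what was added, removed or modified, including a same-size edit whose timestamps were restored, which a size- or mtime-based check would miss.

```python
"""Integrity checking with checksums as a change-control tool.

Added example, not from the original flashcards. It builds a SHA-256 baseline of
a directory tree, rescans later and reports files that were added, removed or
modified. The sample tree and every file in it are constructed in a temporary
directory purely for the demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every entry under root (path relative to root, '/'-separated) to a digest.
    Symlinks are recorded by their target instead of being followed: a link
    repointed at a different file is then reported as a change, and the scan
    never hashes files outside the tree."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                baseline[rel] = "symlink:" + os.readlink(full)
            else:
                baseline[rel] = sha256_file(full)
    return baseline


def compare(old: Dict[str, str], new: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) between two baselines."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    return added, removed, modified


def _write(root: str, rel: str, data: bytes) -> str:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Build a constructed tree, baseline it, make three kinds of change, rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/motd", b"welcome\n")
        app = _write(root, "bin/app", b"version=1.0\n")
        baseline = build_baseline(root)

        # 1) An edit that changes content and size.
        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")
        # 2) A same-size edit with the original timestamps put back afterwards.
        #    A size- or mtime-based check misses this; the content digest does not.
        st = os.stat(app)
        _write(root, "bin/app", b"version=1.1\n")
        os.utime(app, (st.st_atime, st.st_mtime))
        # 3) One file removed and one added.
        os.remove(os.path.join(root, "etc", "motd"))
        _write(root, "etc/cron.d/nightly", b"0 2 * * * root /usr/local/bin/rotate\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("modified:", sorted(modified))
```

The baseline is only as trustworthy as where it lives: keep it off the monitored host or sign it, since an attacker who can edit a file can otherwise edit its recorded digest too. Comparing digests rather than sizes or timestamps is what makes the same-size, timestamp-restored change in step 2 visible.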