Term
|
Definition
| Identifying security requirements and designing a system that meets those requirements and business needs |
|
|
Term
|
Definition
| Confidentiality, Integrity and Availability |
|
|
Term
|
Definition
| Continuity, repeatability, efficiency, assurance |
|
|
Term
| Security Engineering Assurance |
|
Definition
| Confidence that things are working as intended with respect to security |
|
|
Term
| Security Engineering process steps |
|
Definition
| 1) Identify needs 2) Define requirements 3) Define architecture 4) Develop detailed design 5) Implement 6) Assess effectiveness |
|
|
Term
| DoD Architecture Framework (DoDAF) |
|
Definition
| - Required by OMB Circular A-11 & A-130 - Required to provide 26 views in 4 sets - Example: OV-1, high-level view of the system |
|
|
Term
|
Definition
| - IT solutions for specific business goals - 2-dimensional model (matrix): 1) who, what, where, when, why, how 2) Planner, Owner, Designer, Builder, Implementer, Worker |
|
|
Term
|
Definition
| Basis for functional and business needs of a system. |
|
|
Term
|
Definition
| Requirements should be Specific, Measurable, Attainable, Realistic, Testable |
|
|
Term
| Requirement Analysis Process |
|
Definition
| Identify; Verify and validate; Document |
|
|
Term
|
Definition
| - Business policies - Legal and regulatory concerns - Risk analysis |
|
|
Term
|
Definition
| Threat x vulnerability x impact / countermeasures |
|
|
Term
|
Definition
| 1) Develop business case 2) Characterize system 3) Identify threats, vulnerabilities, controls 4) Identify impact 5) Develop mitigation strategy 6) Determine risk level 7) Report residual risk |
|
|
Term
| Players in a Risk Analysis |
|
Definition
| 1) Owners 2) Assets 3) Threat Agents 4) Threats 5) Risks 6) Safeguards 7) Vulnerabilities |
|
|
Term
|
Definition
| Individuals, groups, or organizations that can harm an asset |
|
|
Term
|
Definition
| Tools used by threat agents to harm an asset |
|
|
Term
|
Definition
| Weakness in an asset due to technical flaw, lack of control or misconfiguration |
|
|
Term
|
Definition
| Controls or countermeasures to protect an asset. Can be administrative, technical/logical, or physical |
|
|
Term
|
Definition
| Causes an impact if realized |
|
|
Term
|
Definition
| Percentage of the asset that is affected |
|
|
Term
|
Definition
| Manner in which a threat agent accomplishes their goals; method of attack; identified during a risk assessment |
|
|
Term
|
Definition
|
|
Term
|
Definition
| 1) Email 2) Deception - social engineering, hoaxes 3) Web pages - counterfeit sites 4) Worms 5) Documents 6) Instant Messaging 7) IRC 8) P2P |
|
|
Term
|
Definition
| - Defines Common Criteria a. Defines methodologies that reconcile the preceding standards such as TCSEC & ITSEC b. Provides a common frame of reference and language c. Establishes internationally accepted testing standards |
|
|
Term
| Common Criteria Documentation |
|
Definition
| Has three parts: 1) Introduction and general model 2) Security functional requirements 3) Security assurance requirements |
|
|
Term
|
Definition
| 1) Protection Profile (PP) 2) Target of Evaluation (TOE) 3) Security Target (ST) 4) Assurance Level |
|
|
Term
| Evaluation Assurance Levels |
|
Definition
| EAL0 - Not tested; EAL1 - Functionally Tested; EAL2 - Structurally Tested; EAL3 - Methodically Tested & Checked; EAL4 - Methodically Designed, Tested & Reviewed; EAL5 - Semi-formally Designed and Tested; EAL6 - Semi-formally Verified Design and Tested; EAL7 - Formally Verified Design and Tested |
|
|
Term
|
Definition
| Series describes a security framework for an Information Security Management System (ISMS) within the context of business risk. ISO 27000 - glossary; ISO 27001 - requirements for certification; ISO 27002 - guide of best security practices; ISO 27003 - ISMS implementation guidance; ISO 27004 - measure ISMS effectiveness; ISO 27005 - risk management; ISO 27006 - auditor and certifier requirements |
|
|
Term
|
Definition
| System Security Engineering - Capability Maturity Model (SSE-CMM) - provides a framework for the security community |
|
|
Term
|
Definition
| Level 0 - Not performed; Level 1 - Unpredictable; Level 2 - Inconsistent; Level 3 - Consistent; Level 4 - Measured; Level 5 - Continuously improved |
|
|
Term
|
Definition
| 1. PA01 Administer security controls 2. PA02 Assess impact 3. PA03 Assess security risk 4. PA04 Assess threat 5. PA05 Assess vulnerability 6. PA06 Build assurance argument 7. PA07 Coordinate security 8. PA08 Monitor security posture 9. PA09 Provide security input 10. PA10 Specify security needs 11. PA11 Verify and validate security |
|
|
Term
| SSE-CMM Project Process Areas |
|
Definition
| PA12 Ensure quality; PA13 Manage configurations; PA14 Manage program risks; PA15 Monitor and control technical effort; PA16 Plan technical effort |
|
|
Term
| SSE-CMM Organization Process Areas |
|
Definition
| PA17 Define security engineering processes; PA18 Improve security engineering processes; PA19 Manage security product evolution; PA20 Manage supporting environment; PA21 Provide ongoing skills and knowledge; PA22 Coordinate with suppliers |
|
|
Term
|
Definition
| Security Architecture - permit exchange of information among systems that are "open" or compliant with this standard |
|
|
Term
| ISO 7498-2 Security Architecture Security Services |
|
Definition
| 1. Authentication 2. Access Control 3. Data Integrity 4. Data Confidentiality 5. Non-repudiation |
|
|
Term
| ISO 7498-2 Security Architecture Security Mechanisms |
|
Definition
| 1. Digital Signature 2. Encipherment 3. Access Control 4. Data Integrity 5. Routing Control 6. Notarization 7. Authentication Exchanges 8. Traffic Padding |
|
|
Term
| PCI-DSS Payment Card Industry - Data Security Standard |
|
Definition
| Implementation of various security frameworks. Mandates: - secure network - customer information protection - conduct vulnerability management - implement access control - regular monitoring and testing - backed by policy |
|
|
Term
| PCI-DSS Control Objectives |
|
Definition
| 1) Secure network 2) Protect customer information 3) Conduct vulnerability management 4) Implement access control 5) Regular monitoring and testing 6) Backed by policy |
|
|