Created by Fred Jones
over 8 years ago
Question | Answer |
Acceptable interruption window | The maximum period of time that a system can be unavailable before compromising the achievement of the business objectives |
Acceptable use policy | A policy that establishes an agreement between the user and the organization and defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet |
Access Controls | The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises |
Access path | The logical route that an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system |
Accountability | The ability to map a given activity or event back to the responsible party |
Action plan | A plan for the steps necessary to navigate the roadmap to achieve objectives |
Ad hoc | Arbitrary approach, no formal plan or process |
Administrative controls | The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies |
Adware | Any software that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service. |
Advanced Encryption Standard (AES) | The international encryption standard that replaced 3DES |
Algorithm | A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer |
Anomaly-based detection | The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. This approach is used on some intrusion detection systems |
Annual Loss Expectation (ALE) | The total expected loss divided by the number of years in the forecast period yielding the average annual loss |
Alert situation | The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The organization entering into an alert situation initiates a series of escalation steps. |
Alternate facilities | Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed. This includes other buildings, offices or data processing centers. |
Alternate process | Automatic or manual processes designed and established to continue critical business processes from point-of-failure to return-to-normal |
Anonymous File Transfer Protocol (AFTP) | A method of downloading public files using the File Transfer Protocol (FTP). AFTP does not require users to identify themselves before accessing files from a particular server. In general, users enter the word “anonymous” when the host prompts for a username. Anything can be entered for the password, such as the user’s e-mail address or simply the word “guest.” In many cases, an AFTP site will not prompt a user for a name and password. |
Antivirus software | An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done, and repair or quarantine files that have already been infected |
Application Programming Interface (API) | An application programming interface (API) is a source code-based specification intended to be used as an interface by software components to communicate with each other. |
Application controls | The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved |
Application layer | In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. The application layer is not the application that is doing the communication; it is a service layer that provides these services. |
Application service provider (ASP) | Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility. The applications are delivered over networks on a subscription basis. |
Architecture | Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization's objectives |
ARP (see also RARP) | ARP defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer address on demand. |
Assurance | The grounds for confidence that the set of intended security controls in an information system are effective in their application. |
Asymmetric encryption | A cryptographic key that may be widely published and is used to enable the operation of an asymmetric cryptography scheme. This key is mathematically linked with a corresponding private key. Typically, a public key can be used to encrypt, but not decrypt, or to validate a signature, but not to sign. |
Attack Signature | A specific sequence of events indicative of an unauthorized access attempt. Typically a characteristic byte pattern used in malicious code or an indicator, or set of indicators that allows the identification of malicious network activities. |
Attributes | The fundamental characteristics of something |
Audit | Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures |
Audit Review | The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system. |
Audit trail | A series of records either in hard copy or in electronic format that provide a chronological record of user activity and other events that show the details of user and system activity. Audit trails can be used to document when users log in, how long they are engaged in various activities, what they were doing, and whether any actual or attempted security violations occurred. |
Authentication | The act of verifying the identity of an entity (e.g., a user, a system, a network node) |
Authorization | Access privileges granted to a user, program, or process or the act of granting those privileges |
Automated Clearing House (ACH) | ACH is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches. Credit transfers include direct deposit payroll and vendor payments and ACH direct debit transfers include consumer payments on insurance premiums, mortgage loans, and other kinds of bills |
Availability | Information that is accessible when required by the business process now and in the future |
Awareness (Information Security) | Activities which seek to focus an individual’s attention on an (information security) issue or set of issues. |
Backup center | An alternate facility to continue IT/IS operations when the primary DP center is unavailable |
Biometrics | To recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics. |
Business intelligence (BI) | Business intelligence (BI) mainly refers to computer-based techniques used in identifying, extracting and analyzing business data, such as sales revenue by products and/or departments, or by associated costs and incomes. BI technologies provide historical, current and predictive views of business operations. Common functions of business intelligence technologies are reporting, online analytical processing, analytics, data mining, process mining, complex event processing, business performance management, benchmarking, text mining and predictive analytics. Business intelligence aims to support better business decision-making. Thus a BI system can be called a decision support system (DSS) |
Business impact assessment (BIA) | An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. |
Baseline Security | The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection. |
Bastion Host | A special-purpose computer on a network specifically designed and configured to withstand attacks. |
Business continuity management (BCM) | Business Continuity Management (BCM) planning focuses on assuring continuous business processes and is a major factor in an organization's survival during and after a disruption. BCM is a key component of Comprehensive Emergency Management |
Business continuity planning (BCP) | The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business functions will be sustained during and after a significant disruption. |
Benchmarking | A systematic approach to comparing an organization’s performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistical efficiency and various other metrics. |
Biometric | A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics. |
Bit-stream image | Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media. Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas. |
Bit copy | A bit copy provides an exact image of the original and is a requirement for legally justifiable forensics |
Bit | The smallest unit of information storage; a contraction of the term "binary digit"; one of two symbols, "0" (zero) and "1" (one), that are used to represent binary numbers. |
Blacklisting | The process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources. |
Botnet | A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack. |
Boundary | Physical or logical perimeter of a system |
Brute force attack | Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found |
Business case | Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle |
Business dependency assessment | A process of identifying resources critical to the operation of a business process |
Business impact analysis/assessment (BIA) | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting system. This process also includes addressing: income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence. |
Business Model for Information Security (BMIS) | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting system. This process also includes addressing: income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence. |
Byte | A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and usually means eight bits. |
Capability Maturity Model (CMM) | CMM is a qualitative approach typically using a 0 to 5 scale with each value assigned a set of attributes or characteristics to determine a relative level of competency and proficiency. |
Certificate | A digitally signed representation of information that 1) identifies the authority issuing it, 2) identifies the subscriber, 3) identifies its valid operational period (date issued / expiration date). In the information assurance (IA) community, certificate usually implies public key certificate and can have the following types: Cross certificate a certificate issued from a CA that signs the public key of another CA not within its trust hierarchy that establishes a trust relationship between the two CAs. Encryption certificate a certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate. Identity certificate a certificate that provides authentication of the identity claimed. Within the National Security Systems (NSS) PKI, identity certificates may be used only for authentication or may b |
Certificate (Certification) Authority (CA) | In cryptography, a CA is a trusted third party that issues digital certificates. A CA attests, as the trusted provider of the public/private key pairs, to the authenticity of the owner (entity or individual) to whom a public/private key pair has been given. The process involves a CA who makes a decision to issue a certificate based on evidence or knowledge obtained in verifying the identity of the recipient. Upon verifying the identity of the recipient, the CA signs the certificate with its private key for distribution to the user, where, upon receipt, the user will decrypt the certificate with the CA's public key (e.g., commercial CAs, such as VeriSign, provide public keys on web browsers). The ideal CA is authoritative (someone the user trusts) for the name or key space it represents. CAs are characteristic of many public key infrastructure (PKI) schemes. Many commercial CAs charge for their services. Institutions and governments may have their own CAs, and there are free CAs. |
Certificate policy (CP) | A specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications. |
Certification Practice Statement | A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services). |
Certificate revocation list (CRL) | A list of revoked public key certificates created and digitally signed by a Certification Authority. |
Chain of custody | The chain of custody is a legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding, to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. This includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering. |
Chain of Evidence | A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner. |
Challenge and Reply Authentication | Prearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply. |
Challenge-Response Protocol | An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a shared secret (often by hashing the challenge and secret together) to generate a response that is sent to the verifier. The verifier knows the shared secret and can independently compute the response and compare it with the response generated by the claimant. If the two are the same, the claimant is considered to have successfully authenticated himself. When the shared secret is a cryptographic key, such protocols are generally secure against eavesdroppers. When the shared secret is a password, an eavesdropper does not directly intercept the password itself, but the eavesdropper may be able to find the password with an off-line password guessing attack. |
Change management | A controlled approach to managing the transition from a current to a desired organizational state while ensuring that critical success factors and potential risks are determined and addressed. |
Checksum | A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data. |
Cipher | A cryptographic algorithm for encryption and decryption. |
Cipher-text | A cryptographic algorithm for encryption and decryption. |
Chief executive officer (CEO) | The highest ranking individual in an organization |
Chief financial officer (CFO) | The CFO is a fiduciary responsible for an organization's finance and accounting as well as compliance with various financial regulatory requirements. |
Chief information officer (CIO) | The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer. |
Chief information security officer (CISO) | The CISO is responsible for managing information risk, the information security program, and ensuring appropriate confidentiality, integrity and availability of information assets. |
Chief Operating Officer (COO) | The COO is typically responsible for oversight and management of operations at the direction of the Chief Executive. |
Chief security officer (CSO) | The CSO is typically responsible for physical security in the organization although increasingly the CISO and CSO roles are merged. |
Chief technology officer (CTO) | The individual (typically a corporate officer) who focuses on technology issues in an organization. |
Acceptable interruption window | The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives |
Acceptable use policy | A policy that establishes an agreement between users and the enterprise and defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet |
Access path | The logical route that an end user takes to access computerized information. Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system |
Access rights | The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy |
Accountability | The ability to map a given activity or event back to the responsible party |
Administrative control | The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies |
Adware | A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. Scope Note: In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service. |
Alert situation | The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps. |
Alternate facilities | Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed. Scope Note: Includes other buildings, offices or data processing centers |
Alternate process | Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal |
Antivirus software | An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected |
Application controls | The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved |
Application layer | In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services. |
Application service provider (ASP) | Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility. Scope Note: The applications are delivered over networks on a subscription basis. |
Architecture | Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives |
Benchmarking | A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business. Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics. |
Bit-stream image | Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media. Scope Note: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas. |
Brute force attack | Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found |
Business case | Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle |
Business dependency assessment | A process of identifying resources critical to the operation of a business process |
Business impact analysis/assessment (BIA) | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. Scope Note: This process also includes addressing: income loss; unexpected expense; legal issues (regulatory compliance or contractual); interdependent processes; loss of public reputation or public confidence |
Chain of custody | A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering. |
Change management | A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change. Scope Note: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution |
Chief executive officer (CEO) | The highest ranking individual in an enterprise |
Chief financial officer (CFO) | The individual primarily responsible for managing the financial risk of an enterprise |
Chief information officer (CIO) | The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. Scope Note: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer (CTO). |
Chief technology officer (CTO) | The individual who focuses on technical issues in an enterprise. Scope Note: Often viewed as synonymous with chief information officer (CIO) |
Cloud computing | Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction |
Computer emergency response team (CERT) | A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems. |
Confidentiality | Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information |
Control | The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Scope Note: Also used as a synonym for safeguard or countermeasure. See also Internal control. |
Countermeasure | Any process that directly reduces a threat or vulnerability |
Criticality analysis | An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available |
Cybercop | An investigator of activities related to computer crime |
Damage evaluation | The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the enterprise |
Data classification | The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise. |
Data Encryption Standard (DES) | An algorithm for encoding binary data. Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES) |
Data leakage | An algorithm for encoding binary data. Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES) |
Data normalization | A structured process for organizing data into tables in such a way that it preserves the relationships among the data |
Data warehouse | A generic term for a system that stores, retrieves and manages large volumes of data. Scope Note: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches as well as for advanced filtering. |
Decentralization | The process of distributing computer processing to different locations within an enterprise |
Decryption key | A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption |
Defense in depth | The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources. |
Degauss | The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase. |
Denial-of-service attack (DoS) | An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate |
Digital certificate | A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender’s private key or applying a one-way hash function. |
Digital code signing | The process of digitally signing computer code to ensure its integrity |
Disaster recovery plan (DRP) desk checking | Typically a read-through of a disaster recovery plan (DRP) without any real actions taking place. Scope Note: Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified |
Disaster recovery plan (DRP) | A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster |
Disaster recovery plan (DRP) walk-through | Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps that they would need to take to recover. As many aspects of the plan as possible should be tested. |