Glossary Terms
accountability
authentication
availability
C.I.A. triangle
    A long-standing industry standard for computer security that focuses on three
    critical characteristics of information: confidentiality, integrity, and availability.
controlling
controls
    Those means undertaken to reduce the risk that information assets face from attacks
    by threats. Also known as safeguards.
critical path
Critical Path Method (CPM)
decisional role
    A managerial role in which the manager must select from among alternative approaches
    and resolve conflicts, dilemmas, or challenges.
general business community
    The community of interest within an organization that primarily seeks to articulate
    and communicate organizational policy and objectives and allocates resources to the
    other groups.
identification
information security (InfoSec)
information security community
    protect the organization's information assets from the many threats they face.
information technology community
informational role
integrity
interpersonal role
leadership
management
network security
    A specialized area of security that encompasses protecting the organization's data
    networking devices, connections, and contents as well as protecting the ability to
    use that network to accomplish the organization's data communication functions.
operations security
organizing
physical security
planning
privacy
    A state in which information is used only in ways approved by the person who
    provided it.
Program Evaluation and Review Technique (PERT)
    A project task-scheduling approach that was developed in the late 1950s to meet the
    needs of the rapidly expanding engineering projects associated with government
    acquisitions such as weapons systems. A PERT diagram depicts a number of events
    followed by key activities and their durations.
project management
    A process for identifying and controlling the resources applied to the project as
    well as measuring progress and adjusting the process as progress is made.
slack time
    The difference between the time needed to complete the critical path and the time
    needed to arrive at completion using any other path. Also, the amount of time allowed
    for a task to be completed minus the time it would take to do the task.
work breakdown structure (WBS)
    A straightforward planning process to develop a project plan in which larger and
    more complex tasks are decomposed into sequences of simpler tasks.
Chapter 2
attack
bottom-up approach
champion
chief information officer (CIO)
    The most senior manager or executive responsible for information technology and
    information systems in an organization.
chief information security officer (CISO)
chief security officer (CSO)
    The most senior manager or executive responsible for physical and information
    security in an organization; sometimes misapplied to a functional CISO to follow
    industry trend.
controls
    Those means undertaken to reduce the risk that information assets face from attacks
    by threats. Also known as safeguards.
data custodians
    Individuals who work directly with data owners and are responsible for the storage,
    maintenance, and protection of the information.
data owners
    Individuals who control (and are therefore responsible for) the security and use of
    a particular set of information. Data owners may rely on custodians for the practical
    aspects of protecting their information, specifying which users are authorized to
    access it, but they are ultimately responsible for it.
data users
    Systems users who work with the information to perform their daily jobs.
event-driven
    Refers to a corrective action that is in response to some event in the business
    community, inside the organization, or within the ranks of employees, customers, or
    other stakeholders.
governance, risk management, and compliance (GRC)
    A process seeking to integrate the three previously separate responsibilities into
    one holistic approach that can provide sound executive-level strategic planning and
    management of the InfoSec function.
joint application design (JAD)
    A process in which designers, developers, and planners work with key end-users to
    formulate and/or assess design specifications for system implementation or
    improvement.
managerial controls
    Processes or tools that define, communicate, and enforce management's intent for the
    management of the security processes for information assets.
Processes or tools that deal with the operational functionality of security in the
organization. They cover management functions and lower-level planning, such as
disaster recovery and incident response planning.
penetration testing
plan-driven
red teams
risk assessment
risk management
    A process that identifies vulnerabilities in an organization's information system
    and takes carefully reasoned steps to assure the confidentiality, integrity, and
    availability of all components in the organization's information system.
safeguards
    See controls.
security manager
security technician
stakeholder
strategic planning
structured review
    A process during which a project design team and its management-level reviewers
    decide whether a project should be continued, discontinued, outsourced, or postponed
    until additional expertise or organizational knowledge is acquired.
technical controls
threat
threat agent
tiger teams
top-down approach
after-action review (AAR)
alert message
alert roster
business continuity plan (BC plan)
    A detailed set of processes and procedures that ensure that critical business
    functions can continue if a disaster occurs, usually by establishing operations at an
    alternate site.
business continuity planning (BCP)
    The actions taken to ensure that critical business functions can continue if a
    disaster occurs, usually by establishing operations at an alternate site.
business continuity team
    The team that manages and executes the BC plan by setting up and starting off-site
    operations in the event of an incident or disaster.
business impact analysis (BIA)
    The first phase of the CP process and a crucial component of the initial planning
    stages, the BIA serves as an investigation and assessment of the impact that various
    adverse events can have on the organization.
business process
business resumption plan (BR plan)
cold site
    A facility used for BC operations that provides only rudimentary services and
    facilities, with no computer hardware or peripherals.
computer security incident response team (CSIRT)
contingency planning (CP)
contingency planning management team (CPMT)
crisis
    The steps taken during and after a disaster that affect the people inside and outside
desk check
    The CP testing strategy in which copies of the appropriate plans are distributed to
    all individuals who will be assigned roles during an actual incident or disaster,
    with each individual reviewing the plan and creating a list of correct and incorrect
    components.
disaster recovery plan (DR plan)
    A detailed set of processes and procedures that prepare for and help recover from the
    effects of disasters.
disaster recovery planning (DRP)
    The preparation for and recovery from a disaster, whether natural or human-made.
disaster recovery team
    The team that manages and executes the DR plan by detecting, evaluating, and
    responding to disasters and by reestablishing operations at the primary business site.
electronic vaulting
    The bulk batch transfer of data to an off-site facility, usually conducted via leased
    lines or secure Internet connections.
full-interruption testing
    The CP testing strategy in which the individuals follow each and every IR/DR/BC
    procedure, including the interruption of service, restoration of data from backups,
    and notification of appropriate individuals.
hot site
    A fully configured computer facility used for BC operations, with all services,
    communications links, and physical plant operations.
incident candidate
incident classification
    The process of examining a possible incident or incident candidate and determining
    if it constitutes an actual incident.
incident response (IR)
incident response plan (IR plan)
    A detailed set of processes and procedures that anticipate, detect, and mitigate the
    effects of an unexpected event that might compromise information resources and assets.
incident response planning (IRP)
incident response team
    The team that manages and executes the IR plan by detecting, evaluating, and
    responding to incidents.
Maximum Tolerable Downtime (MTD)
    The total amount of time the system owner/authorizing official is willing to accept
    for a mission/business process outage or disruption; it includes all impact
    considerations.
mutual agreement
    A contract between two organizations in which each party agrees to assist the other
    in the event of a disaster by providing the necessary BC facilities, resources, and
    services until the receiving organization is able to recover from the disaster.
parallel testing
rapid-onset disasters
    Disasters that occur suddenly, with little warning, taking the lives of people and
    destroying the means of production. Examples include earthquakes, floods, storm winds,
    tornadoes, or mud flows.
recovery point objective (RPO)
recovery time objective (RTO)
    The maximum amount of time that a system resource can remain unavailable before there
    is an unacceptable impact on other system resources, supported mission/business
    processes, and the MTD.
remote journaling
    The transfer of live transactions to an off-site facility in which only transactions
    are transferred and the transfer takes place online and in real time or near real time.
rolling mobile site
service bureau
simulation
slow-onset disasters
    Disasters that occur over time and gradually degrade the capacity of an organization
    to withstand their effects. Examples include droughts, famines, environmental
    degradation, desertification, deforestation, and pest infestation.
structured walkthrough
    The CP testing strategy in which all involved individuals walk through and discuss
    the steps they would take during an actual CP event, either as an actual on-site
    walk-through or as more of a conference-room talk-through or chalk talk.
timeshare
    A facility that operates like a hot, warm, or cold site but is leased in conjunction
    with a business partner or sister organization, designed to allow the organization to
    provide a BC option while reducing its overall costs.
warm site
    A facility used for BC operations that provides many of the same services and options
    as a hot site, but typically without installed and configured software applications.
Work Recovery Time (WRT)
    The amount of effort (expressed as elapsed time) that is necessary to get the business
    function operational after the technology element is recovered (as identified with
    RTO).
Chapter 4
access control lists (ACLs)
    Specifications of authorization that govern the rights and privileges of users to a
    particular information asset. Includes user access lists, matrices, and capability
    tables.
enterprise information security policy (EISP)
    The high-level information security policy (also known as a security program policy,
    general security policy, IT security policy, high-level InfoSec policy, or simply
    InfoSec policy) that sets the strategic direction, scope, and tone for all of an
    organization's security efforts.
guidelines
    Non-mandatory recommendations that the employee may use as a reference in complying
    with a policy. If the policy states "Use strong passwords, frequently changed," the
    guidelines should advise "We recommend you don't use family or pet names, parts of
    your Social Security number, your employee number, or your phone number in your
    password."
standard
system-specific security policies (SysSPs)
Chapter 5
due care
information security program
security education, training, and awareness (SETA)
    A program under the responsibility of the CISO that is designed to reduce the
    incidence of security breaches by communicating policy to employees, contractors,
    consultants, vendors, and business partners who come into contact with its
    information assets and keeping them continually alert to these policy requirements.
Chapter 6
Bell-LaPadula (BLP) confidentiality model
blueprint
capabilities table
Common Criteria (CC)
compartmentalization
    The use of specialty classification schemes, such as Need-to-Know and Named
    Projects, to allow access to information only by individuals who need the information
    to perform their work; commonly used in federal agencies.
covert channels
discretionary access controls (DACs)
dumpster diving
framework
Information Technology Security Evaluation Criteria (ITSEC)
lattice-based access control
least privilege
mandatory access control (MAC)
need-to-know
nondiscretionary controls
reference monitor
role-based access controls (RBACs)
security clearance
security model
separation of duties
storage channels
timing channels
Trusted Computer System Evaluation Criteria (TCSEC)
trusted computing base (TCB)
accreditation
baseline
baselining
Those security efforts that are considered among the best in the industry.
certification
due care
due diligence
InfoSec performance management
metrics
performance measurements
    Data or the trends in data that may indicate the effectiveness of security
    countermeasures or controls, technical and managerial, as implemented in the
    organization.
recommended business practices
    Those security efforts that seek to provide a superior level of performance in the
    protection of information.
standard of due care
standard of due diligence
likelihood
    The overall rating, a numerical value on a defined scale, of the probability that a
    specific vulnerability will be exploited.
programs
qualitative risk assessment
residual risk
    The risk that remains even after the existing control has been applied.
risk analysis
risk assessment
    The determination of a relative risk rating or score for each vulnerability in the
    organization; a major component of risk management.
risk identification
    The process of discovering the risks to an organization's operations; a major
    component of risk management.
risk management
    The process of discovering and assessing the risks to an organization's operations
    and determining how those risks can be controlled or mitigated.
Chapter 9
acceptance risk control strategy
Annualized Loss Expectancy (ALE)
    A comparative estimate of the losses from successful attacks on an asset over one
    year.
asset valuation
avoidance
benefit
    The value to the organization of using controls to prevent losses associated with a
    specific vulnerability.
competitive disadvantage
    A state of falling behind the competition.
cost
    The resources needed to implement a control, whether money, time, fixed assets, or
    organizational focus.
Cost Benefit Analysis (CBA)
    A form of feasibility study that compares the life-cycle cost of implementing a
    control mechanism against the estimated economic benefit that would accrue from the
    implementation of the control.
defense risk control strategy
mitigation risk control strategy
    An approach to control risk by attempting to reduce the impact of the loss caused by
    a realized incident, disaster, or attack by means of planning and preparation.
residual risk
    The risk that remains even after the existing control has been applied.
risk appetite
    The quantity and nature of risk that organizations are willing to accept as they
    evaluate the trade-offs between perfect security and unlimited accessibility.
risk tolerance
single loss expectancy (SLE)
    The calculated value associated with the most likely loss from a single occurrence
    of a specific attack.
termination risk control strategy
    A choice not to protect an asset and the removal of it from the environment that
    represents risk.
transferal risk control strategy
    A mechanism to control risk by attempting to shift the risk to other assets, other
    processes, or other organizations.
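A worked example tying the Chapter 9 terms together (SLE, ALE, CBA, residual risk). This is an added example, not material from the textbook this glossary accompanies. It uses the standard formulas SLE = AV x EF, ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS; the inputs AV (asset value), EF (exposure factor), ARO (annualized rate of occurrence) and ACS (annual cost of the safeguard) are not spelled out on this page, and every dollar figure below is constructed.

```python
"""Worked quantitative risk figures: SLE, ALE and a cost-benefit analysis (CBA).

Added example; formulas are the standard ones (not spelled out on this page):
    SLE = AV x EF        ALE = SLE x ARO        CBA = ALE(prior) - ALE(post) - ACS
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair.  All three inputs are assumptions for the example."""
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: most likely loss from a single occurrence of the attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, annual_rate):
    """ALE: expected loss from this attack over one year."""
    if annual_rate < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * annual_rate


def ale_for(exposure):
    return annualized_loss_expectancy(
        single_loss_expectancy(exposure.asset_value, exposure.exposure_factor),
        exposure.annual_rate,
    )


def cost_benefit(before, after, annual_control_cost):
    """Compare the asset with and without the control.

    `before` is the uncontrolled exposure; `after` is the exposure once the control is in
    place (a control usually lowers EF, ARO or both).  ALE(post) is the residual risk the
    organization still carries.  A positive CBA means the control saves more than it costs
    per year; a negative one points toward acceptance or a cheaper control."""
    ale_prior = ale_for(before)
    ale_post = ale_for(after)
    return {
        "ale_prior": ale_prior,
        "ale_post": ale_post,          # residual risk, in dollars per year
        "control_cost": annual_control_cost,
        "cba": ale_prior - ale_post - annual_control_cost,
    }


# Constructed scenario: a $100,000 web server that a successful attack halves in value,
# expected twice a year without a control; a filtering control cuts the rate to once in
# four years.
UNCONTROLLED = Exposure(asset_value=100_000, exposure_factor=0.5, annual_rate=2.0)
WITH_CONTROL = Exposure(asset_value=100_000, exposure_factor=0.5, annual_rate=0.25)


def example():
    """Run the scenario twice: once with an affordable control, once with an overpriced one."""
    affordable = cost_benefit(UNCONTROLLED, WITH_CONTROL, annual_control_cost=20_000)
    overpriced = cost_benefit(UNCONTROLLED, WITH_CONTROL, annual_control_cost=95_000)
    return affordable, overpriced


if __name__ == "__main__":
    for label, result in zip(("affordable", "overpriced"), example()):
        print(f"{label}: ALE prior ${result['ale_prior']:,.0f}, "
              f"ALE post ${result['ale_post']:,.0f}, CBA ${result['cba']:,.0f}")
```

The overpriced run is the case the glossary's acceptance and transferal strategies exist for: when the control's annual cost exceeds the loss it prevents, the CBA goes negative and accepting the residual risk or transferring it (insurance, outsourcing) is the defensible choice.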
Chapter 10
access control policy
    A security policy that specifies how access rights are granted to entities and groups.
access controls
    System components that regulate the admission of users into trusted areas of the
    organization, both logical access to information systems and physical access to the
    organization's facilities. Access control is maintained by means of a collection of
    policies, programs to carry out those policies, and technologies that enforce policies.
accountability
agent
anomaly-based IDPS
    An IDPS method that first collects data from normal traffic and establishes a
    baseline, then periodically samples network activity, using statistical methods,
    compares the samples to the baseline, and notifies the administrator when the
    activity falls outside the clipping level.
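The baseline-and-clipping-level method described above, as an added example (not code from the textbook). The traffic counts are constructed; the choice of mean plus three standard deviations as the clipping level is an assumption, and the `refresh_baseline` step guards against the failure mode the definition does not mention: feeding flagged samples back into the baseline lets an attacker ramp traffic slowly until the flood looks normal.

```python
"""Statistical anomaly-based detection against a clipping level (added example)."""

import statistics

# Constructed sample: new connections per minute during a quiet baseline window.
BASELINE_WINDOW = [42, 39, 45, 41, 38, 44, 40, 43, 41, 39, 42, 40]

# Constructed sample: later one-minute samples; the last two reflect a flood.
LIVE_SAMPLES = {
    "09:00": 41, "09:01": 44, "09:02": 46, "09:03": 43,
    "09:04": 310, "09:05": 655,
}


def build_baseline(normal_counts, k=3.0):
    """Return (mean, stdev, clipping_level) from a window of normal traffic.

    The clipping level is mean + k * stdev (k = 3 is an assumption); anything above
    it is reported."""
    counts = list(normal_counts)
    if len(counts) < 2:
        raise ValueError("need at least two baseline samples")
    mean = statistics.fmean(counts)
    stdev = statistics.stdev(counts)
    return mean, stdev, mean + k * stdev


def detect_anomalies(samples, clipping_level):
    """Return [(timestamp, count), ...] for every sample above the clipping level."""
    return [(ts, n) for ts, n in samples.items() if n > clipping_level]


def refresh_baseline(old_window, samples, clipping_level, window_size=12):
    """Slide the baseline forward using only samples that were NOT flagged.

    Feeding flagged samples back into the baseline would let an attacker raise the
    clipping level over time by ramping traffic slowly (training the detector)."""
    clean = [n for n in samples.values() if n <= clipping_level]
    return (list(old_window) + clean)[-window_size:]


if __name__ == "__main__":
    mean, stdev, clip = build_baseline(BASELINE_WINDOW)
    print(f"baseline mean={mean:.1f} stdev={stdev:.2f} clipping level={clip:.1f}")
    for ts, n in detect_anomalies(LIVE_SAMPLES, clip):
        print(f"ALERT {ts}: {n} connections/min exceeds clipping level")
```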
application-level firewalls
    Firewalls that often consist of dedicated computers kept separate from the first
    filtering router (called an edge router); commonly used in conjunction with proxy
    servers.
asymmetric encryption
    An encryption method that uses two different keys, either of which can be used to
    encrypt or decrypt a message, but not both. Thus, if a private (secret) key is used to
    encrypt a message, only the public key can be used to decrypt it, and vice versa.
asynchronous tokens
auditing
authentication
authorization
bastion host
IDPS
book cipher
    An encryption method in which the words (or, in some cases, characters) found in a
    book act as the algorithm to decrypt a message. The key relies on two components:
    (1) knowing which book to refer to and (2) having a list of codes representing the
    page number, line number, and word number of the plaintext word.
cache server
    A proxy server or application-level firewall that exists to store the most recently
    accessed Web content in its internal caches, minimizing the demand on proxy and
    internal servers.
certificate authority (CA)
    An agency that manages the issuance of certificates and serves as the electronic
    notary public to verify their origin and integrity.
chief information officer (CIO)
chief information security officer (CISO)
chief security officer (CSO)
    The most senior manager or executive responsible for physical and information
    security in an organization; sometimes misapplied to a functional CISO to follow
    industry trend.
ciphertext
content filter
Crossover Error Rate (CER)
    Also called the equal error rate, this is the point at which the rate of false
    rejections equals the rate of false acceptances.
cryptanalysis
cryptography
cryptology
demilitarized zone (DMZ)
Diffie-Hellman key exchange method
    A method that lets two parties agree on a shared secret key over a nonsecure channel
    without exposing it to any third party, using public-key (asymmetric) techniques.
    Each party's private value is never transmitted; the shared secret that both derive
    is typically used as a symmetric session key.
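The exchange described above with both parties' messages, as an added example (not code from the textbook). It also shows the key-agreement step of the hybrid encryption system defined later in this chapter: the derived key is what the symmetric cipher would then use. The group parameters are toy values chosen for illustration (the Mersenne prime 2^127 - 1 and generator 3); real deployments use a standardized safe-prime group of at least 2048 bits or an elliptic-curve group.

```python
"""Diffie-Hellman key agreement with both parties' messages (added example)."""

import hashlib
import secrets

# TOY group parameters, assumed for illustration only: p is the Mersenne prime 2^127 - 1
# and g = 3.  Real deployments use a standardized safe-prime group of 2048 bits or more
# (for example RFC 3526 group 14) or an elliptic-curve group.
P = (1 << 127) - 1
G = 3


class Party:
    """One endpoint.  The private exponent is generated locally and never transmitted."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1     # x in [1, p-2]
        self.public = pow(G, self.private, P)            # g^x mod p: sent in the clear

    def shared_key(self, peer_public):
        """Derive the symmetric session key from the peer's public value."""
        # Reject degenerate values that would force the shared secret to 1 or p-1.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        shared_secret = pow(peer_public, self.private, P)   # (g^y)^x == (g^x)^y mod p
        # Hash the secret into a fixed-length key rather than using the raw integer.
        return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def run_exchange():
    """Run the protocol and return what each side derived plus what an eavesdropper saw."""
    alice, bob = Party("alice"), Party("bob")
    transcript = [
        ("alice -> bob", alice.public),   # message 1: A = g^a mod p
        ("bob -> alice", bob.public),     # message 2: B = g^b mod p
    ]
    return {
        "alice_key": alice.shared_key(bob.public),
        "bob_key": bob.shared_key(alice.public),
        "transcript": transcript,
        # Everything a passive observer gets: no private exponent, no derived key.
        "eve_view": {"p": P, "g": G, "A": alice.public, "B": bob.public},
    }


if __name__ == "__main__":
    result = run_exchange()
    for direction, value in result["transcript"]:
        print(f"{direction}: {value}")
    print("keys match:", result["alice_key"] == result["bob_key"])
```

The exchange as written resists a passive eavesdropper only. An active attacker who can replace A and B in transit ends up sharing a key with each side separately, so in practice the public values are authenticated (signed, or carried in certificates issued by a CA as in TLS) before the derived key is trusted.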
digital certificate
dumb card
    A category of access control token that includes ID and ATM cards with magnetic
    stripes that contain the digital (and often encrypted) PIN against which user input
    is compared.
dynamic packet filtering firewalls
    A class of firewalls that allow only a particular packet with a specific source,
    destination, and port address to pass through the firewall by understanding how the
    protocol functions and by opening and closing doors in the firewall based on the
    information contained in the packet header.
encryption
    The process of converting an original message into a form that cannot be used by
    unauthorized individuals.
false accept rate
    The rate at which fraudulent users or nonusers are allowed access to systems or areas
    as a result of a failure in the biometric device. This failure is also known as a
    Type II error or a false positive.
false reject rate
    The rate at which authentic users are denied or prevented access to authorized areas
    as a result of a failure in the biometric device. This failure is also known as a
    Type I error or a false negative.
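How the false accept rate, false reject rate and Crossover Error Rate defined in this chapter relate to the decision threshold of a biometric matcher, as an added example (not code from the textbook). The matcher scores are constructed; a real device would supply thousands of genuine and impostor comparisons rather than ten of each.

```python
"""False accept rate, false reject rate and the crossover point (added example)."""

# Constructed matcher scores on a 0..100 similarity scale.
GENUINE = [88, 91, 79, 85, 93, 72, 90, 84, 77, 89]    # enrolled user against own template
IMPOSTOR = [40, 55, 62, 71, 48, 66, 75, 58, 81, 52]   # other people against that template


def false_accept_rate(impostor_scores, threshold):
    """FAR (Type II error): fraction of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """FRR (Type I error): fraction of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate decision threshold."""
    return [
        (t, false_accept_rate(impostor_scores, t), false_reject_rate(genuine_scores, t))
        for t in thresholds
    ]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Threshold at which FAR and FRR are closest (lowest threshold wins ties).

    Returns (threshold, FAR, FRR).  Raising the threshold above this point trades false
    accepts for false rejects; lowering it does the reverse."""
    curve = error_curve(genuine_scores, impostor_scores)
    return min(curve, key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    for t in (60, 90):
        print(f"threshold {t}: FAR={false_accept_rate(IMPOSTOR, t):.2f} "
              f"FRR={false_reject_rate(GENUINE, t):.2f}")
```

The CER is a single number for comparing devices, not necessarily the threshold to deploy: a data-center door would be tuned well above the crossover (accept more false rejects to drive FAR toward zero), while a low-risk convenience login might sit below it.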
fingerprinting
    The next phase of the preattack data-gathering process that entails the systematic
    examination of all the organization's Internet addresses collected during the
    footprinting phase.
first-generation firewall
    See packet filtering firewalls.
footprint
footprinting
fourth-generation firewall
honey pot
host-based IDPS (HIDPS)
hybrid encryption system
    The use of asymmetric encryption to exchange symmetric keys so that two (or more)
    organizations can conduct quick, efficient, secure communications based on symmetric
    encryption.
identification
intrusion detection and prevention system (IDPS)
IP Security (IPSec)
Kerberos
knowledge-based IDPS
monoalphabetic substitution
    A substitution cipher that uses only one alphabet.
network address translation (NAT)
network-based IDPS (NIDPS)
    An IDPS that monitors network traffic, looking for patterns of network traffic, such
    as large collections of related traffic that can indicate a DoS attack or a series of
    related packets that could indicate a port scan in progress.
nonrepudiation
    The use of cryptographic tools to assure that parties to the transaction are
    authentic, so that they cannot later deny having participated in a transaction.
packet filtering firewalls
packet filtering routers
    A router that can be configured to block packets that the organization does not allow
    into the network, thus acting as a packet filtering firewall.
packet sniffer
    A network tool that collects and analyzes copies of packets from the network.
passphrase
password
    A secret word or combination of characters that only the user should know; used to
    authenticate the user.
permutation cipher
plaintext
polyalphabetic substitution
port scanners
port-address translation (PAT)
private key encryption
proxy server
public key encryption
public key infrastructure (PKI)
Remote Authentication Dial-In User Service (RADIUS)
running key cipher
sacrificial host
screened-host firewall
    A firewall architectural model that combines the packet filtering router with a
    separate, dedicated firewall such as an application proxy server.
screened-subnet firewall
    A firewall architectural model that consists of one or more internal bastion hosts
    located behind a packet filtering router, with each host protecting the trusted
    network.
second-generation firewall
secret key
Secure Electronic Transactions (SET)
Secure Hypertext Transfer Protocol (SHTTP)
Secure Shell (SSH)
Secure Sockets Layer (SSL)
security event information management (SEIM) systems
    Log management systems specifically tasked to collect log data from a number of
    servers or other network devices for the purpose of interpreting, filtering,
    correlating, analyzing, storing, and reporting the data. (More commonly known as
    security information and event management, or SIEM, systems.)
security manager
security technician
sensor
    See agent.
signature-based IDPS
    An IDPS method that examines data traffic for something that matches the signatures,
    which comprise preconfigured, predetermined attack patterns.
smart card
    A category of access control tokens containing a computer chip that can verify and
    validate information in addition to PINs.
socket
In third-generation firewalls, a table or function that tracks the state and context of
each exchanged packet by recording which station sent which packet and when.
stateful inspection firewalls
    A type of firewall that keeps track of each network connection established between
    internal and external systems using a state table.
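The state table behaviour described above next to the first-generation behaviour it replaced, as an added example (not code from the textbook). The addresses, the trusted-network prefix and the idle timeout are constructed; the packets are a minimal header model rather than real frames. The point it makes is the one the definitions imply but do not spell out: a stateless filter that admits "established" (ACK-flagged) inbound packets also admits spoofed ones, while a state table admits replies only to connections the inside actually opened, and only until the entry expires.

```python
"""Stateless vs stateful packet filtering with a state table (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False    # TCP SYN: connection attempt
    ack: bool = False    # TCP ACK: claims to belong to an existing connection


TRUSTED_PREFIX = "10.0.0."   # constructed: the trusted (inside) network


def is_inside(addr):
    return addr.startswith(TRUSTED_PREFIX)


def stateless_filter(p):
    """First-generation rule set: inbound packets are judged on their headers alone.

    Admitting every ACK-flagged packet is the classic way a packet filter lets replies
    in, and it is also why spoofed ACK packets pass."""
    if is_inside(p.src):
        return "allow"
    return "allow" if p.ack else "drop"


class StatefulFirewall:
    """Third-generation behaviour: inbound traffic must match a tracked connection."""

    def __init__(self, clock, idle_timeout=300.0):
        self.table = {}   # (proto, src, sport, dst, dport) -> last seen time
        self.idle_timeout = idle_timeout
        self.clock = clock

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.table[key]

    def filter(self, p):
        now = self.clock()
        self._expire(now)
        if is_inside(p.src) and not is_inside(p.dst):
            self.table[self._key(p)] = now        # record the outbound connection
            return "allow"
        rev = self._reverse(p)
        if rev in self.table:                     # reply to something the inside opened
            self.table[rev] = now
            return "allow"
        return "drop"                             # unsolicited, whatever the flags say


class FakeClock:
    """Deterministic clock so the idle timeout can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def scenario():
    """Decisions for: outbound request, legitimate reply, spoofed ACK, stale reply."""
    clock = FakeClock()
    fw = StatefulFirewall(clock, idle_timeout=300.0)
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, ack=True)
    spoofed = Packet("198.51.100.7", 443, "10.0.0.5", 51000, ack=True)
    decisions = {
        "request": (stateless_filter(request), fw.filter(request)),
        "reply": (stateless_filter(reply), fw.filter(reply)),
        "spoofed_ack": (stateless_filter(spoofed), fw.filter(spoofed)),
    }
    clock.now += 1000.0                           # connection idle past the timeout
    decisions["stale_reply"] = (stateless_filter(reply), fw.filter(reply))
    return decisions


if __name__ == "__main__":
    for name, (stateless, stateful) in scenario().items():
        print(f"{name:12s} stateless={stateless:5s} stateful={stateful}")
```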
statistical anomaly-based IDPS
    See anomaly-based IDPS.
strong authentication
substitution cipher
supplicant
symmetric encryption
    An encryption method in which the same algorithm and secret key are used to both
    encipher and decipher the message.
synchronous tokens
systems logs
Terminal Access Controller Access Control System (TACACS)
    Commonly used in UNIX systems, a remote access authorization system based on a
    client/server configuration that makes use of a centralized data service in order
    to validate the user's credentials at the TACACS server.
third-generation firewalls
    See stateful inspection firewalls.
transport mode
transposition cipher
Applications that entice individuals who are illegally perusing the internal areas of a
network by providing simulated rich content areas but distract the attacker while the
software notifies the administrator of the intrusion. Some are capable of tracking the
attacker back through the network.
trusted network
    In networking, the network on the inside or internal connection of a firewall, for
    example, the organization's network.
tunnel mode
Unified Threat Management (UTM)
untrusted network
Vernam cipher
    Developed at AT&T and also known as the one-time pad, this cipher uses a set of
    characters for encryption operations only one time and then discards it.
virtual password
virtual private network (VPN)
    A private, secure network operated over a public and insecure network, which keeps
    the contents of the network messages hidden from observers who may have access to
    public traffic.
vulnerability scanners
war driving
war-dialer
Wi-Fi Protected Access (WPA)
    A set of protocols used to secure wireless networks; created by the Wi-Fi Alliance.
    Includes WPA and WPA2.
Wired Equivalent Privacy (WEP)
wireless access point (WAP)
    A device used to connect wireless networking users and their devices to the rest of
    the organization's network(s).
XOR cipher conversion
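The Vernam cipher and XOR cipher conversion entries above, worked as one added example (not code from the textbook): XOR is the conversion, the pad supplies the one-time key material, and the "only one time" rule is enforced rather than assumed. The second half shows why that rule matters: reusing pad bytes for two messages cancels the key out and leaks the XOR of the two plaintexts. The messages are constructed; pad material comes from the operating system's cryptographic random source.

```python
"""Vernam cipher (one-time pad) via XOR, and what goes wrong when pad bytes are reused.

Added example: `OneTimePad` enforces the one-time rule; `two_time_pad_leak` shows the
classic failure.  Sample messages are constructed."""

import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings; encryption and decryption are the same step."""
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(n_bytes):
    """Pad material must come from a cryptographic RNG and be as long as all traffic."""
    return secrets.token_bytes(n_bytes)


class OneTimePad:
    """Consumes pad material strictly once; each side holds its own identical copy."""

    def __init__(self, pad):
        self._pad = bytearray(pad)
        self._used = 0

    def remaining(self):
        return len(self._pad) - self._used

    def _take(self, n):
        if n > self.remaining():
            raise ValueError("pad exhausted: issue a new pad, never wrap around or reuse")
        start = self._used
        chunk = bytes(self._pad[start:start + n])
        self._pad[start:start + n] = bytes(n)       # wipe consumed material
        self._used += n
        return chunk

    def encrypt(self, plaintext):
        """Return (offset, ciphertext); the offset tells the receiver which pad bytes apply."""
        offset = self._used
        return offset, xor_bytes(plaintext, self._take(len(plaintext)))

    def decrypt(self, offset, ciphertext):
        if offset != self._used:
            raise ValueError("pad offset mismatch: messages lost or reordered")
        return xor_bytes(ciphertext, self._take(len(ciphertext)))


def two_time_pad_leak(c1, c2):
    """With one key K used twice, c1 XOR c2 == (p1 XOR K) XOR (p2 XOR K) == p1 XOR p2.

    The key cancels out, so knowing (or guessing) one plaintext reveals the other."""
    return xor_bytes(c1, c2)


def demo_key_reuse():
    """Encrypt two constructed messages under one key and recover the second from the first."""
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT 9PM"       # same length, constructed
    key = new_pad(len(p1))
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)      # the mistake: key reused
    return xor_bytes(two_time_pad_leak(c1, c2), p1)      # == p2, without ever seeing key


if __name__ == "__main__":
    pad = new_pad(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    off, ct = sender.encrypt(b"ATTACK AT DAWN")
    print("ciphertext:", ct.hex(), "->", receiver.decrypt(off, ct))
    print("recovered from key reuse:", demo_key_reuse())
```

Note that the pad gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit, so a one-time pad without a separate integrity check is malleable.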
Chapter 11
mandatory vacation policy
Chapter 12
affidavit
    Sworn testimony that certain facts are in the possession of the investigating officer
    that the officer believes warrant the examination of specific items located at a
    specific place. The facts, the items, and the place must be specified in this document.
civil law
Computer Fraud and Abuse (CFA) Act
    The cornerstone of many computer-related federal laws and enforcement efforts, the
    CFA formally criminalizes accessing a computer without authorization or exceeding
    authorized access for systems containing information of national interest as
    determined by the U.S. federal government.
Computer Security Act (CSA)
criminal law
digital forensics
digital malfeasance
E-discovery
Electronic Communications Privacy Act (ECPA)
    A collection of statutes that regulate the interception of wire, electronic, and oral
    communications. These statutes are frequently referred to as the federal wiretapping
    acts.
evidentiary material (EM)
forensics
Health Insurance Portability and Accountability Act (HIPAA)
    Also known as the Kennedy-Kassebaum Act, this law attempts to protect the
    confidentiality and security of health care data by establishing and enforcing
    standards and by standardizing electronic data interchange.
InfraGard
jurisdiction
    A court's right to hear a case. Under the U.S. legal system, any court can impose its
    authority if the act was committed in its territory or involves its citizenry.
laws
    Rules that have been adopted and are enforced by a sovereign authority to codify
    expected behavior in modern society.
liability
long-arm jurisdiction
    Jurisdiction that enables the long arm of the law to reach across the country or
    around the world to bring the accused into its court systems.
private law
    Laws that regulate the relationships among individuals and between individuals and
    organizations; it encompasses family law, commercial law, and labor law.
public law
restitution
search warrant
tort law
    A subset of civil law that allows individuals to seek redress in the event of
    personal, physical, or financial injury. Tort law is pursued in civil court and is
    not prosecuted by the state.