Glossary


The glossary comes from several international sources. It includes terms used in the United States and terms used in other economies, nations, and industries.

access Opportunity to make use of an information system resource.

access control Limiting access to information system resources only to authorized users, programs, processes, or other systems.

access control list (ACL) Mechanism implementing discretionary and/or mandatory access control between subjects and objects. It specifies which subjects are authorized to access a specific object and defines the level of authorization.

access control matrix A representation of subject and object in a tabulated form whereby privileges (of subjects upon objects) are defined at the cell where the intersection of subject and object happens.

Advanced Audio Coding (AAC) A technique for compressing digital audio files. Officially part of the MPEG-4 standard, it is most widely used to create small digital audio files. AAC usually achieves better sound quality than the more popular MP3 format when compared at the same bit rate.

Advanced Encryption Standard (AES) FIPS-approved cryptographic algorithm that is a symmetric block cipher using cryptographic key sizes of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. (See NIST FIPS 197)

annualized loss expectancy (ALE) The estimated amount of loss in a year.

annualized rate of occurrence (ARO) Frequency of a particular threat in a year.

application Software program that performs a specific function directly for a user and executes without access to system control, monitoring, or administrative privileges.

asset Any tangible or intangible thing that has value to an organization.

assurance Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.

asymmetric cryptography A class of algorithm that uses a different key for encryption than for decryption.

audit Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

authenticate To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an information system, or to establish the validity of a transmission.

authentication The process of validating the identity provided by a user.

availability A condition in which information or processes are reasonably accessible and usable by an authorized party in a timely manner.

back door Hidden software or hardware mechanism used to circumvent security controls. This is synonymous with trap door.

backup Creation of a copy of data or software or hardware devices for the purpose of restoration if the masters were to become lost, damaged, or otherwise unavailable for use.

biometrics Automated methods of authenticating or verifying an individual based upon a physical or behavioral characteristic.

capability table An authorization table identifying subjects and specifying the access rights allowed to those subjects. The rows of the table list the capabilities that subjects can have with respect to all objects.

certificate Digitally signed document that binds a public key with an identity. The certificate contains, at a minimum, the identity of the issuing certification authority, the user identification information, and the user’s public key.

certificate management Process whereby certificates are generated, stored, protected, transferred, loaded, used, and destroyed.

certification authority (CA) C&A: Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements. PKI: Trusted entity authorized to create, sign, and issue public key certificates. By digitally signing each certificate it issues, the CA certifies the user’s identity and validates the association of the certified identity with a public key.

change management A process that ensures all changes to IT infrastructure are assessed, approved, implemented, and reviewed in a controlled manner to reduce or eliminate disruptions to business activities.

checksum (1) A form of redundancy check to ensure the integrity of information. (2) A value computed on data to detect error or manipulation during transmission. (See hash.)

cipher Any cryptographic system in which arbitrary symbols or groups of symbols represent units of plain text or in which units of plain text are rearranged, or both.

cipher text Enciphered information.

common criteria Provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems (per International Standard ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation).

computer security Protection given to an IT system to achieve the purposes of retaining confidentiality, integrity, and availability of information system resources.

confidentiality Assurance that information is not disclosed to unauthorized individuals, processes, or devices. This is the condition in which sensitive data is protected and disclosed to authorized parties only, such as by using encryption or other methods.

configuration control Process of controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications prior to, during, and after system implementation.

configuration management (1) A process of controlling changes to device configurations in an IT environment under the control of change management. It involves identifying, recording, and tracking all IT components, including their versions, constituent components, and relationships. (2) Management of security features and assurances through control of changes made to hardware, software, firmware, test, test fixtures, and documentation throughout the life cycle of an information system.

constrained user interface A way to limit access of subjects to resources or information by presenting them with only the information, function, or access to resources for which they have privileges.

content-dependent access control A technique to control access to objects based on the content of objects themselves.

continuity of operations plan Plan for continuing an organization’s essential functions at an alternate site and performing those functions for the duration of an event with little or no loss of continuity before returning to normal operations.

control Measures or safeguards that, when correctly employed, will prevent or reduce the risk of exploitation of vulnerabilities.

copyright The exclusive legal rights to reproduce, publish, sell, or distribute the matter and form of something (as a literary, musical, or artistic work).

Data Encryption Standard (DES) Cryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46.

decree An authoritative order having the force of law.

defense-in-depth, security-in-depth Information assurance (IA) strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.

degauss A process that demagnetizes magnetic media so that a low residue of magnetic induction is left on the media. It is used to effectively erase data from media.

demilitarized zone (DMZ) Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s information assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. A DMZ is also called a screened subnet.

denial of service (DoS) An incident in which a user or organization is deprived of the services of a resource that it would normally expect to have. This could be any action or series of actions that prevents any part of an information system from functioning.

detective controls Used to identify undesirable events that have occurred.

disaster recovery plan Provides for the continuity of system operations after a disaster.

discretionary access control (DAC) (1) An access control model whereby the owner of an object (resource) decides the subject and what privileges that subject can have over the object. (2) Means of restricting access to objects based on the identity and need-to-know of users and/or groups to which the object belongs. Controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (directly or indirectly) to any other subject. (See mandatory access control.)

dual control Control whereby two or more individuals are required to perform a task at any one time.

e-mail A message sent or retrieved electronically.

firewall A hardware or software system used to enforce an access control policy between network segments or zones.

guidelines General statements of objectives designed to achieve the policy’s objective.

hash A one-way algorithm that maps or translates one set of bits into another (generally smaller) in such a way that the algorithm yields the same hash result every time for the same message, and it is computationally infeasible for a message to be reconstituted from the hash result. It is likewise computationally infeasible to find two different messages that produce the same hash result.

host Any computer on a network that is a repository for services available to other computers on the network.

impact Outcome or consequences of an event.

incident Assessed occurrence having actual or potentially adverse effects on an information system.

information assurance (IA) (1) Technical and managerial controls designed to ensure the confidentiality, possession of control, integrity, authenticity, availability, and utility of information and information systems. (2) Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

information owner Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

information system (IS) Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.

integrity (1) A condition in which data has not been changed or destroyed in an unauthorized way, such that the current state is identical to the original state. (2) Condition existing when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. (3) Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.

Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.

Internet The world’s largest collection of networks ranging from those of small organizations to those of large corporations, universities, or governments.

Internet Protocol (IP) Standard protocol for the transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.

intrusion Unauthorized act of bypassing the security mechanisms of a system.

intrusion detection A method or process to detect break-ins or attempts to attack via the use of software systems operating on the system or network. Intrusion detection systems often combine network monitoring with real-time capture and analysis to identify attacks.

Kerberos A secret key-based service for providing network authentication. Uses tickets and requires time synchronization.

least privilege Grants users only that access they need to perform their official duties.

likelihood Probability or frequency.

magnetic remanence Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared.

malicious applets Small application programs automatically downloaded and executed that perform an unauthorized function on an information system.

malicious code Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. (See Trojan horse.)

malicious logic Hardware, software, or firmware capable of performing an unauthorized function on an information system.

mandatory access control (MAC) (1) An access control model whereby the access policy is controlled by the system, not the owner of the object. (2) Means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (in other words, clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. (See discretionary access control.) (3) Media Access Control (MAC) address: a unique identifier associated with a piece of network hardware.

message authentication code A short piece of information used to authenticate a message.

mobile code Software modules obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient.

MSR Refers to a security model adopted by ACM based on an article by Maconachy, Schou, Ragsdale, and Welch.

network intrusion prevention A device (hardware or software) that manages network packets to prevent and defend computers in a network from exploitation.

nonrepudiation A security service that provides proof of an entity’s actions (such as sending or receiving a message) so that the entity cannot later deny having performed them.

object Passive entity containing or receiving information. Access to an object implies access to the information it contains.

OODA loop (Observation-Orientation-Decision-Action loop) A model whereby every person involved in a challenge (business or military) must go through a loop: first observe the conditions of the situation, then become oriented to a position for an action, decide on how to act (some theorists combine the orient and decide steps), and finally, act in response to the situation.

password Protected/private string of letters, numbers, and special characters used to authenticate an identity or to authorize access to data.

patch Software code inserted into a system to temporarily fix a defect. Patches are developed and released by software vendors when vulnerabilities are discovered.

patent A set of exclusive rights granted by the government to secure the exclusive right to make, use, or sell an invention for a set term.

perimeter subnet An isolated network segment between two routers where publicly accessible computers can be placed.

personal digital assistant (PDA) A handheld device that combines computing, telephone/fax, Internet, and networking features.

physical information security controls Procedures put into place to prevent intruders from physically accessing a system or facility.

Plan-Do-Check-Act model An approach to improvement that emphasizes planning a set of actions, implementing the actions, checking data to assess both the results and the plan, and acting on the data.

policy A high-level statement of an organization’s beliefs, goals, objectives, and the general means for their attainment for a specified subject area.

procedure Step-by-step guidance or methods for attaining policy objectives.

process A series of linked steps necessary to accomplish work. A process turns input such as information or raw materials into output such as products, services, and reports.

product accreditation Formal acceptance of the adequacy of a system’s IT security to meet operational requirements within an acceptable risk level. This is an acceptance of risk.

product certification Evaluation of controls present within a system to ensure compliance with predefined functional and IT security requirements.

proxy server A mechanism used to offer a computer network service to allow clients to make indirect network connections to other network services through it, thus making the clients invisible to connections from the net.

public key infrastructure (PKI) A system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

residual risk The remaining level of risk after risk treatment has been taken.

risk (1) The chance of something happening that will have impact upon objectives. (2) Possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.

risk assessment Process of analyzing threats to and vulnerabilities of an information system, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is a basis for identifying appropriate and cost-effective security countermeasures.

risk management (1) The process by which resources are planned, organized, directed, and controlled to ensure risk remains within acceptable bounds at optimal cost. (2) Process of managing risks to an organization’s operations (including mission, functions, image, or reputation), assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints because of laws, directives, policies, or regulations.

role-based access control An access control model that uses a centrally managed set of rules that grants access to objects based on the roles of the subject.

rule-based access control An access control model that uses simple rules to determine the result of privileges that a subject can have over an object.

screening router A rule-based packet-filtering system, controlled by the administrator, used to protect the network.

separation of duties Division of roles and responsibilities so that a single individual cannot sabotage a critical process.

service-oriented architecture Architecture whose style of investment looks at the overall current information status of organizations and the immediate controls required.

single loss expectancy (SLE) The amount of loss incurred in a single threat event.

social engineering Talking, lying, or play-acting to trick legitimate users into revealing system secrets such as user lists, user passwords, and network architecture.

spoofing Unauthorized use of legitimate identification and authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker. Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.

standard Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.

subject Generally, an individual, process, or device causing information to flow among objects or change to the system state.

symmetric cryptography A class of algorithm that uses the same key for both encryption and decryption.

system development life cycle The overall process of creating, implementing, and retiring information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.

Telnet A protocol for connecting to a remote system as a terminal. A potential vulnerability

threat (1) An event or occurrence that has the potential to compromise the information security of an asset. (2) Any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

trade secret Proprietary information that is important to an organization’s survival and profitability.

trademark Any distinguishing name, symbol, sound, character, or logo that establishes identity for a product, service, or organization.

Triple DES Product cipher that, like DES, operates on 64-bit data blocks. There are several forms, each of which uses the DES cipher three times. Some forms use two 56-bit keys; some use three. (See NIST FIPS 46-3.)

Trojan horse Program containing hidden code allowing the unauthorized collection, falsification, or destruction of information.

uninterruptible power supply A device that maintains a continuous supply of electric power to connected equipment by supplying power from a separate source when utility power is not available.

USB flash drive A small, portable flash memory card that plugs into a computer’s USB port and functions as a portable hard drive.

validation Process of applying specialized security test and evaluation procedures, tools, and equipment needed to establish acceptance for the joint usage of an information system by one or more departments or organizations and their contractors.

verification Process of comparing two levels of an information system specification for proper correspondence (such as a security policy model with top-level specification, top-level specification with source code, or source code with object code).

virtual private network (VPN) (1) A secure network that uses a public network to connect users to their offices, homes, or organizational networks. (2) Protected information system link utilizing tunneling, security controls (see information assurance), and endpoint address translation giving the impression of a dedicated line.

virus (1) A code written with malicious intent to modify the way a computer operates, without approval of the user. (2) Self-replicating, malicious code that attaches itself to an application program or other executable system component and leaves no obvious signs of its presence.

vulnerability (1) A flaw or weakness in procedure, design, implementation, or internal controls that can be exploited and can result in an information security breach or a violation of information security policy. (2) Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.

web filter A tool used to control access of end users to the Internet.

zero-day This term describes a newly discovered vulnerability with no known patch or mitigation.
