“AAA of access control”
Acceptable usage policy (AUP)
authorized security controls
change regulations
consequences of violations
copyright infringement
data
goals
machines
misuse
organization’s IT equipment and data
overview
personal usage
privacy
privacy disclaimers
protect confidential data
rollout
sanctions
scope
security
social media
use of IT resources
Access control
defining
effectiveness
tools
Accountability
Account reset mechanism
Address Resolution Protocol (ARP)
Adjacent systems
Administrative access
Administrative controls
application security
asset management
change control
CMM
documented processes
machines
policies
record and media management
security policy document
verbal work culture
Adversarial risk
advanced threats
bare-minimum threat
cyber-criminals
cyber-militants
FAIR
FBI cyber-crime
hacktivist
malicious insiders
Microsoft Windows vulnerabilities
NSA
power-ups
proximity of attacker
sample qualitative risk
sample quantitative risk
technical capability
techniques
time
ALE
American Institute of Certified Public Accountants (AICPA)
Annualized loss expectancy (ALE)
Anti-business complaints
Anti-counterfeiting tool
Anti-theft software agents, laptop
Antivirus software
Antivirus solutions
Application attacks
Application barriers
Application whitelisting
Approved scanning vendor (ASV)
Assassin, open source spam
Asset management
Asset value assessment
examples of
information classification
internal and valuing information
Association for Certified Fraud Examiners
Assume breach mindset
attackers
failure of security
over—residual risk
rigid security policies
security professionals
Assumptions examples
Attachment filtering, e-mail
Attacker incentives
monetization schemes
personal
political
Attackers
Attacking techniques
exfiltration
kill chain
stealing authentication
Audited organization’s role
Auditor
auditing
external
internal
competence
independence
training classes
role
Audits
antivirus software
audited organization’s role
and auditors
auditor’s role
background checks
bolted-on security controls
business-to-business
business transactions
change control
control objectives
customer intellectual property
definition
disagree with auditor’s findings
document review
evidence
explicit
as forcing function
guide for
industry audit certifications
IT organizations
IT security controls
IT security program
lawsuit
misconceptions
onsite review
PCI DSS
period of
pre-assessment
regulated industries
scope
scope control barriers
security program, checklist
SOC 1
SOC 2/3
SSAE 16 audits
SSAE 16 reports
standards types
ISO 27001
PCI DSS
The SSAE 16
surveillance audits
third-party roles
Type 1
Type 2
URLs
workflow
Authentication
electronic
firewall
multi-factor
problem
sample standards and procedures
standards
tokens
Authenticator
tokens
types of
Authorization
limit administrative access
privileges
problems
role-based access control
service accounts
sample authorization standards
system authorization
Availability service principle
Backup policy
Badges, visitor
Biometrics
Botnet
BYOD
Bridge letters
Bring your own device (BYOD)
Business continuity policy
Business impact analysis (BIA)
business continuity plan
disaster impact scenarios
facilities
normal business operations
sample scenario overview
threat mapping with FMEA to generalized threats
Business model
agility/ability of organization
BYOD
challenges
communication problems
communication with customers and entities
consumer trust
course of action
expertises
goods and services
intellectual property
organization’s secrets
problems
research
risk explanation
Business-to-business (B2B)
Capability Maturity Model (CMM)
Cardholder data (CHD)
Cardholder data environment (CDE)
Challenge-response fashion
Change control standards
Change control tracking
CHD
Chemical Facility Anti-Terrorism Standards (CFATS)
Chesterton’s fence
Chief Technology Officer (CTO)
Child pornography
Children’s Online Privacy Protection Act (COPPA)
Cisco Security report
City of Gotham Department of Accounting Services and Computer Services
Clean desk policies, office
Cobra effect
Combined technical barriers
Commercial Off The Shelf software (COTS)
Common Vulnerability Scoring System (CVSS)
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Compliance impacts
NERC and FTC
PCI and HIPAA
Computing technology
Confidentiality service principle
Control design
best practices
compensating controls
control failure modes
cost of controls
documentation
financial information
firewall filters
flexibility
functionality
functions and failures
GAIT principles
hard dollar costs
IRS
key controls
legacy systems
minimum standard of care
reasonable standard of care
risk
standardization and measurement
standards bodies and organizations
technical controls
technical professionals
workstation antivirus blocks
Control effectiveness
Control Objectives for Information and Related Technology (COBIT)
Critical internal IT services
Cryptography
failures
infrastructure
Cryptosystem
Custom controls, Internet services security
Customer-facing IT services
Cyber-criminals
Cyber-militants
Cybernetic memory
Database administrative access standards
Data breaches
ALE
Privacy Rights Clearinghouse
Verizon Data Breach Investigations Report
Data/digital loss/leak prevention (DLP)
Data encryption, Internet services security
hard
storage crypto policy and standards
tokenization
viability against threats
Data-erasure software applications
Defense in depth
Defensive tools, specialized
Demilitarized zone (DMZ)
Deming Cycle
Denial-of-service (DoS)
Diffie-Hellman’s Iron Box
Diffusion of responsibility
Disaster recovery planning
DNS Security Extensions (DNSSEC)
DNS security, Internet services security
DomainKeys Identified Mail (DKIM) signatures
Domain Name System (DNS)
Eidetic memory
Electronic authentication
Electronic personal health information (EPHI)
Elevated system access
E-mail security, Internet services security
attachment filtering
mail verification
sample policy
spam prevention
Empathy
Encryption, laptop
Enhanced Mitigation Experience Toolkit (EMET)
ENISA Cloud Computing Security Risk Assessment guide
Executive management, audit
Exfiltration
External auditors
External DNS server
External feedback mechanism
External vulnerability scans
Factor analysis of information risk (FAIR)
defined
risk modeling
Failover systems
Failure mode and effects analysis (FMEA)
breakdown of personnel
essence of
example of facilities
International Standard IEC 60812
Internet banking system
Failure modeling
analysis
description
internet banking system
FAIR
Fair and Accurate Credit Transaction Act (FACTA)
Fear Uncertainty and Doubt (FUD)
Federal Financial Institutions Examination Council (FFIEC)
Federal Information Security Management Act (FISMA)
Federal Rules of Civil Procedure (FRCP)
Federal Trade Commission (FTC)
Federated identity systems
FEMA
File Transfer Protocol sites (FTP)
Firewall access rules, standard
Firewall authentication
Flood Hazard map (FEMA)
FMEA
Formal disaster declaration
For-profit business
Fort Pulaski
exploit technology
Gillmore’s shore cannons
gun ranges
ownership changes hand
Savannah River
US Army Corps of Engineers
FTC
Function analysis
description
factors
Global services for customer service centers
Governance
asset custodian
asset owner
asset user
auditor
audit role
control objectives
CSO
departmental heads and roles
effectiveness and appropriateness
executive sponsorship
formal CSO role
frameworks
internal policy statements
ISMS charter
ISMS committee
ISMS Governance Strategy
ISMS Steering Committee
IT personnel
IT security
leadership
management
Puget Regional Bank ISMS charter
risk acceptance
risk and controls
risk elimination
risk reduction with controls
risk transfer
risk treatment
roles and responsibilities diagram
security departments
statement of applicability
tactics vs. strategy
Gramm-Leach-Bliley Act (GLBA)
Hackers
amateur
cyber-crimes
disgruntled sysadmin
ideology
motivations
Hacktivist
Harvesting attacks
Hash
password
Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Information Trust Alliance (HITRUST)
Health Insurance Portability and Accountability Act (HIPAA)
Heating ventilation and air conditioning (HVAC) systems
Heat maps
risk
simple two-dimensional qualitative risk map
Host-based IDS (HIDS)
transmission encryption
Hosted systems
Human Resource Security Policy
agreements
background screening
confidential information and systems
credit checks
disciplinary process
educational and professional certification
employee onboarding and offboarding
modern building management companies
passport verification
person’s past actions
pre-employment screen
security and compliance requirements
security and sanity’s sake
security vulnerability
serious background checks
showstoppers
SLA
training
urgent terminations
user management
vendor support
ICMP Redirect
Identification
Impact calculation
See also Indirect impacts
assessment
assets
compliance
customer confidential records
IT asset inventory
legal/compliance department
SLAs
Incident response policy
Indicator of compromise (IOC)
Indirect impacts
IT resources
law enforcement, management and regulation bodies
loss of user productivity
public leakage attacks
Information classification
Information security management system (ISMS)
Information Security Risk Management
Initial Report on Compliance (IROC)
Insiders
Internal audit
plan
process
ISO standard for measurement
measuring control
publish to management
records
role of
auditor competence
auditor independence
external audit findings
organization’s security
sample organization chart
Internal feedback mechanisms
International Organization for Standardization/International Electrotechnical Commission standard (ISO 27001)
Internet banking system
Internet services security
building custom controls
data encryption
hard
storage crypto policy and standards
tokenization
DNS security
e-mail security
attachment filtering
mail verification
sample policy
spam prevention
malware controls
anti-malware policy and standards
defense
Web services
Web application attacks
Web stack
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
IP address
IPsec virtual private networks
ISMS
ISMS charter
ISMS steering committee
ISO 27001 audit
ISO training institutions, internal auditor
IT department
access control
authentication standards
challenges
controls
dragging projects
high-value targets
IKEA effect
infinitely long IT work queue
vs. IT security
perpetual design
poor hygiene
risk analysis
security champions
security roles
builder
hiring for
responder
testers
security-savvy developer
technical expertise
IT systems, complexity
attackers
DNS
fallacy of composition
internet calls
IP address
ISPs sending
ports and protocols
standards, web transaction
TCP handshake
vulnerability
web of code
Key management, data encryption
Kill chain
command and control
delivery
description
exploitation
install
reconnaissance
weaponization
Laptop security
Legacy, encryption
Likelihood
common IT security threats
description
examples of threats
vulnerability factors
Logical access barriers
Logical access control
accountability
authentication
authorization
components
organization
Logical access controls
Log repository
Mail verification
Malware controls, Internet services security
anti-malware policy and standards
defense
Malware-infected hosts
Mandiant Intelligence Center Report
Man-in-the-middle attack
Media Access Control (MAC)
Media and portable media controls
laptop controls
media destruction
Media files, e-mail attached
Media-shredding companies
Memorandums of Understanding (MOU)
Microsoft Security Intelligence Report
Mobile banking project
Modern operating systems
Morris worm
Multifactor authentication
National Hurricane Center Storm Surge map
National Institute of Standards
National Security Agency (NSA)
Natural disasters
Natural hazards
determination
gravitational constant
for North America, research
quantitative risk analysis
Seattle Hazard Explorer
types
Natural vs. man-made risks
Negative error cultures
NERC
Network Access Control (NAC) system
Network address translation (NAT)
Network barriers
Network File System (NFS)
Network Security
acceptable encryption methods
commercial Internet usage
console encryption
cryptographic modules
drive-by-download attacks
exfiltration of data
firewall
designs
management
hardening standards
HIDS
IDS deployment
impersonation
IT security attacks
jump hosts and firewalls
man-in-the-middle
Morris worm
network attacks and impacts
network controls
network denial of service
networking technology
network worm
organization
procedures
remote exploits
remote password guessing
self-replicating malware
sniffing attacks
virtual private networks
web encryption
wireless encryption
Network Time Protocol (NTP)
Network worms
Neutron stars
Nmap
NOAA Severe Storm Labs
Non-company standard browsers
Non-repudiation
North American Electric Reliability Corporation (NERC)
OCTAVE Cyber Risk and Resilience Management
Offices, security in
clean desk policies
locked doors
NAC
screen saver lockouts
Operational failure mode
Order takers and refunds
Organization
logical access control
passwords for authentication
physical security policy
two-factor authentication
Packet filter firewalls
PAN
“Paperless office”
Passwords
hash
policy
rotation scheme for
standards
Payment Application Data Security Standard (PA-DSS)
Payment Card Industry Data Security Standard (PCI DSS)
People
administrative rights
customer
DLP
employment agreements
Human Resource Security Policy
ISMS committee
monitoring
policy violations
security policy
security professionals
security training
segregation of duties
threat of malicious insiders
user management
Personal identification numbers (PINs)
Personal incentives
Personally identifiable information (PII)
Personnel security
training
visitor security
Phishing/social engineering
Physical barriers
Physical security
and IT security controls
in offices
clean desk policies
locked doors
NAC
screen saver lockouts
media controls
laptop controls
media destruction
personnel security
training
visitor security
physical controls and their defeat
physical risk assessments
policy
problems
risk assessments
secured facilities controls
access to
alarms
cameras
environmental controls
guards
racks and cages
PII
PIN Transaction Security (PTS) Standard
Plan-Do-Check-Act (PDCA)
Point-of-Sale (POS) terminals
Poisoning attacks
Policy
amendment process
AUP
encryption methods
ISMS charter
and the Law
non-technical people
organizational security
potty
procedures and standards
records
security policy
authority
components of
goals
governance
ISMS
objectives
risk management
scope and limitations
user behavior
WISP
standards
Political incentives
POS
Post audit improvement
audit report
bridge letters
controls improvement
deliberate actions
direct and indirect costs
expectations
ideas and examples
implementation/operation
Internet age
plans
policy constraints
quality of controls
risk analysis framework
root cause analysis
sample security incident register
security awareness training
security policy violation
security program
shearing layers
temporary solutions and work-arounds
Power Outage Data Explorer
Primary account number (PAN)
Privacy disclaimer
Privacy principle
Process barriers
Processing integrity principle
Promiscuous mode
Proxy firewalls
Qualified security assessors (QSA)
Qualitative analysis
clarifying impact, example of
clarifying likelihood, example of
heat maps
high impact and low likelihood
low impact and high likelihood
medium impact/likelihood
simple risk list
subject matter experts
vague/misleading
Quantitative analysis
data breaches
example of analysis
RACI diagram
Real-time Blackhole Lists (RBL)
Recovery time objective (RTO)
Redesigned processes
Reflection denial-of-service attack
Remote Desktop Protocol (RDP)
Report on Compliance (ROC)
Reputation blacklisting
Request for proposal (RFP) process
Response controls
after action analysis
backup and failover
business continuity planning
incident response plan
incidents
logging
Risk analysis
fuzziness of
GAIT principles
gap analysis
impact calculation
IT security information
likelihood and impact
likelihood, calculation of
qualitative
quantitative
realistic, actionable and reproducible
Robert Courtney Jr., first law
security decisions
Risk modeling
cyber-criminals/malicious insiders
likelihood and impact
likelihood and potential damaging events
list of risks
natural vs. man-made
Role-based access control
Root cause analysis
SaaS
SAD
Safety, culture of
Sample security incident register
Sarbanes-Oxley Act of 2002 (SOX)
Schneier’s Law
Scope
adjacent systems
barriers
application
combined technical
logical access
network
physical
process
technical
controls
double check
effectiveness and efficiency, controls
examples of
hints
but not too small
simplification
start small and expand
IT security program
logical, physical, operational and human factors
non-IT departments
overlapping
PCI DSS
PII
public sources
SaaS company
SSAE 16 SOC 1
third-party process dependencies
Scope containment
Screen saver lockouts
Seattle Hazard Explorer
Secondary authentication systems
Secured facilities
access to
alarms
cameras
environmental controls
guards
racks and cages
Secure Shell (SSH) sites
Security department
access control
authentication standards
two-factor authentication
Security incident
Security policy
Internet
violation
Security professionals
Security service principle
Security solutions
Self-Assessment Questionnaire (SAQ)
Self-enrollment system
Semi-critical internal IT services
Sender Policy Framework (SPF)
Sensitive authentication data (SAD)
Servers, DNS
Service level agreements (SLA)
Service Organization Controls (SOC)
Session hijacking
Shorter rotation cycles
Simple Network Management Protocol (SNMP)
Really Simple Syndication (RSS)
Single sign-on (SSO) tools
SLA
Sniffing attacks
Social engineering
incentive
ring of familiarity
story
urgency
Software-as-a-Service (SaaS)
Software objects
Software service accounts
Someone else’s problem
Spam-filtering solutions
Spamhaus Project
Spam prevention, e-mail
Spam-relaying malware
Span ports
Standards for Attestation Engagements 16 (SSAE 16)
Stateful inspection firewalls
Statement of applicability (SoA)
Static web sites
Stuxnet malware
Surf pornography
Symantec Security Threat Report
System administrative access standards
System administrators
System authorization
TCP/IP protocol
Technical barriers
Third-party process dependencies
Third-party roles
Third-party security
agreement
audit reports
authentication and authorization
control gap analysis approach
controls
critical systems
e-commerce
getting answers
IT and security department
IT security programs
management process
maturity and effectiveness
network controls
organization
problems
responsibility
risk analysis
security service agreements
software procurement
technical controls
vulnerability and risk monitoring
Tokens, authentication
Tools, access control
Top-down approach
Trivial File Transfer Protocol (TFTP)
Two-factor authentication
UDP protocol
Unix operating systems
Unsolicited e-mail
Untrained internal audit team
Users
antivirus software works
automated process
complexity
confidential data leakage
contextual shift
culture clashes
empathy
intention and vision of controls
manual process
organizations
paradigm and goals
powerful techniques
problems faced by
security awareness training
security system
standards
access control
authentication
with work
work flow
User self-help tool
USGS Earthquakes maps
USGS Natural Hazards map
VERIS Community Database
Verizon Data Breach Investigations Report
Virtual LANs (VLANs)
Virtual Private Network (VPN)
Visitor security
VPN tunnel
Vulnerability management
activities
application security testing
automatic patching routines
breakdown of responsibilities
description
exploitable security vulnerabilities
hardening standards
higher priority
lower priority
network port scanner software
notification
patching
PCI DSS requirements
penetration testing
physical and virtual machines
prioritization and risk
scanning
unpatched hole
VulnPryer engine
Watering hole attack
Web application firewalls
Web server
Web services, Internet services security
Web application attacks
Web stack
Web sites
static
three-tier architecture for
Wi-Fi Protected Access (WPA)
Written Information Security Program (WISP)