Appendix B

Glossary

In studying the Imperium, Arrakis, and the whole culture which produced Muad’Dib, many unfamiliar terms occur. To increase understanding is a laudable goal, hence the definitions and explanations given below.

Dune, Frank Herbert

acceptable use policy (AUP): A policy that defines, for all parties, the approved uses of information, systems, and services within an organization.

access control: The process of granting or denying specific requests (1) for accessing and using information and related information processing services and (2) to enter specific physical facilities. Access control ensures that access to assets is authorized and restricted based on business and security requirements.

accidental behavior: Actions that do not involve a motive to harm or a conscious decision to act inappropriately (for example, emailing sensitive information to unauthorized recipients, opening malicious email attachments, publishing personal information on publicly available servers).

accountability: The property of a system or system resource which ensures that the actions of a system entity may be traced uniquely to that entity, which can then be held responsible for its actions.

advanced persistent threat (APT): A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. APTs differ from other types of attack in their careful target selection and persistent, often stealthy, intrusion efforts over extended periods.

application life cycle management: The administration and control of an application from inception to demise. It embraces requirements management, system design, software development, and configuration management and implies an integrated set of tools for developing and controlling the project.

application management: The process of managing the operation, maintenance, versioning and upgrading of an application throughout its life cycle. It includes best practices, techniques, and procedures essential to a deployed application’s optimal operation, performance, and efficiency throughout the enterprise and back-end IT infrastructure.

application performance management: The practice in systems management that targets managing and tracking the availability and efficiency of software applications. It involves translating IT metrics into business meaning. It examines the workflow and the associated IT tools that are deployed to analyze, identify, and report application performance concerns to make sure the expectations of businesses and end users are met. Application performance signifies how quickly transactions are accomplished or details are sent to end users of a particular application.

application portfolio management: An IT management technique that involves applying cost/benefit analysis and other business analytics to IT decision making. Application portfolio management looks at each program and piece of equipment as an asset in a company’s overall portfolio and gives it a score based on factors such as age, importance, and number of users. Further investment in upgrades or changes in the portfolio mix must be justified by projected returns and other measurable factors.

application security: The use of software, hardware, and procedural methods to protect applications from external threats. Application security includes adding features or functionality to the application software to prevent a range of different threats. It also includes security features outside the application, such as firewalls, antivirus, and access control methods.

application whitelisting: The practice of specifying an index of approved software applications that are permitted to be present and active on a computer system, and preventing execution of all other software on the system.

architecture: The way the component parts of an entity are arranged, organized, and managed.

asset: Data contained in an information system; or a service provided by a system; or a system capability, such as processing power or communication bandwidth; or an item of system equipment (that is, a system component—hardware, firmware, software, or documentation); or a facility that houses system operations and equipment.

attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or information itself.

attack surface: The reachable and exploitable vulnerabilities in a system.

attribute-based access control (ABAC): Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.

authentication: Verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

authentication factor: A method of authentication, based on either something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints or other forms of biometrics).

authenticator: The means used to confirm the identity of a user, process, or device (for example, user password, token). An authentication factor is based on the use of a particular type of authenticator.

authenticity: The property of being genuine and being able to be verified and trusted. This involves verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

authorization: In the context of system access, the granting of access or other rights to a user, program, or process to access system resources. Authorization defines what an individual or program can do after successful authentication.

availability: The property of a system or a system resource being accessible or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system; a system is available if it provides services according to the system design whenever users request them.

bring your own device (BYOD): An IT strategy in which employees, business partners, and other users can utilize a personally selected and purchased client device to execute enterprise applications and access data and the corporate network. Typically, it spans smartphones and tablets, but the strategy may also be used for laptops. It may include a subsidy.

business continuity: Capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity embraces all the operations in a company, including how employees function in compromised situations.

business continuity management: A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and that provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

business continuity management system: Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.

business continuity manager: An individual who manages, designs, oversees, and/or assesses an enterprise’s business continuity capability to ensure that the enterprise’s critical functions continue to operate following disruptive events.

business continuity plan: Documented procedures that guide organizations to respond, recover, resume, and restore to a predefined level of operation following disruption.

business continuity program: An ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.

business impact analysis (BIA): The analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

business resilience: The ability of an organization to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and overall brand equity. Business resilience goes a step beyond disaster recovery, by offering post-disaster strategies to avoid costly downtime, shore up vulnerabilities, and maintain business operations in the face of additional, unexpected breaches.

C-level: Chief level. Refers to high-ranking executive titles within an organization. Officers who hold C-level positions set the company’s strategy, make higher-stakes decisions, and ensure that the day-to-day operations align with fulfilling the company’s strategic goals.

capital planning: A decision-making process for ensuring that IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of an organization’s missions and business needs.

certification: The provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements. Also known as third-party conformity assessment.

certification and accreditation: A comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

change control: A systematic approach to managing all changes made to a product or system. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted, and that resources are used efficiently.

change control board: A committee that makes decisions regarding whether proposed changes to a system should be implemented.

change management: The process of minimizing resistance to organizational change through involvement of key players and stakeholders.

chief executive officer (CEO): The person who is ultimately responsible for the success or failure of the organization, overseeing the entire operation at a high level. The CEO is the boss of all other executives.

chief information officer (CIO): The person who is in charge of information technology (IT) strategy and the computer, network, and third-party (for example, cloud) systems required to support an enterprise’s objectives and goals.

chief operating officer (COO): Generally the person who is second in command to the CEO. The COO oversees the organization’s day-to-day operations on behalf of the CEO, creating the policies and strategies that govern operations.

chief privacy officer (CPO): The person who is charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.

chief risk officer (CRO): The person who is charged with assessing and mitigating significant competitive, regulatory, and technological threats to an enterprise’s capital and earnings.

chief security officer (CSO) or chief information security officer (CISO): The person who is tasked with ensuring data and systems security. In some larger enterprises, the two roles are separate, with a CSO responsible for physical security and a CISO in charge of digital security.

commercial off the shelf (COTS): An item that is commercially available, leased, licensed, or sold to the general public and that requires no special modification or maintenance over the life cycle of the product to meet the needs of the procuring agency.

Computer Security Incident Response Team (CSIRT): An organization that receives reports of security breaches, conducts analyses of the reports, and responds to the senders.

confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data.

configuration management: The process of controlling modifications to a system’s hardware, software, and documentation, which provides sufficient assurance that the system is protected against the introduction of improper modification before, during, and after system implementation.

configuration management database (CMDB): A database that contains all relevant information about the components of the information system (including software, hardware, and documentation) used in an organization’s IT services and the relationships between those components. A CMDB provides an organized view of data and a means of examining that data from any desired perspective.

countermeasure: An action, a device, a procedure, or a technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

critical information: Information that needs to be available and have integrity (for example, product prices/exchange rates, manufacturing information, medical records).

cryptographic algorithm: An algorithm that uses the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key-agreement algorithms.

cryptographic erasure: The process of encrypting all the data on a medium and then destroying the key, making recovery impossible.

cryptosystem (cryptographic system): A set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context.

cybersecurity: The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and user assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives are availability; integrity, which may include authenticity and non-repudiation; and confidentiality.

cyberspace: Artifacts based on or dependent on computer and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements.

data loss prevention (DLP): A set of technologies and inspection techniques used to classify information content contained within an object—such as a file, an email, a packet, an application or a data store—while at rest (in storage), in use (during an operation), or in transit (across a network). DLP tools also have the ability to dynamically apply a policy—such as log, report, classify, relocate, tag, and encrypt—and/or apply enterprise data rights management protections.

defense in depth: A process that involves constructing a system’s security architecture with layered and complementary security mechanisms and countermeasures so that if one security mechanism is defeated, one or more other mechanisms (which are “behind” or “beneath” the first mechanism) still provide protection.

demilitarized zone (DMZ): A perimeter network segment that is physically or logically between internal and external networks. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct connections to devices in the DMZ rather than to the entire internal network. It provides external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.

denial of service (DoS): The prevention of authorized access to resources or the delaying of time-critical operations.

DevOps (development operations): The tighter integration between the developers of applications and the IT department that tests and deploys them. DevOps is said to be the intersection of software engineering, quality assurance, and operations.

directory server: A server that manages user identity and authorization data in a directory format.

disaster recovery (DR): An area of security planning that aims to protect an organization from the effects of significant negative events. DR allows an organization to maintain or quickly resume mission-critical functions following a disaster.

discretionary access control (DAC): Access control based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

distributed denial of service (DDoS): A DoS attack in which multiple systems are used to flood servers with traffic in an attempt to overwhelm available resources (transmission capacity, memory, processing power, and so on), making them unavailable to respond to legitimate users.

document management: The capture and management of documents in an organization. The term originally implied only the management of documents after they were scanned into the computer. Subsequently, it became an umbrella term embracing document imaging, workflow, text retrieval, and multimedia.

document management system: Software that manages documents for electronic publishing. It generally supports a large variety of document formats and provides extensive access control and searching capabilities across networks. A document management system may support multiple versions of a document and may be able to combine text fragments written by different authors. It often includes a workflow component that routes documents to the appropriate users.

enterprise architecture: The systems, infrastructure, operations, and management of all information technology throughout an enterprise. The architecture is typically organized as high-level internally compatible representations of organizational business models, data, applications, and information technology infrastructure.

enterprise strategic planning: The definition of long-term goals and objectives for an organization (for example, business enterprise, government agency, nonprofit organization) and the development of plans to achieve these goals and objectives.

environment: A particular configuration of hardware or software. The environment refers to a hardware platform and the operating system that is used in it. A programming environment would include the compiler and associated development tools. Environment is also used to express a type of configuration, such as a networking environment, database environment, transaction processing environment, batch environment, interactive environment, and so on.

event: An occurrence or a change in a particular set of circumstances.

exfiltration: A malware feature that automates the sending of harvested victim data, such as login credentials and cardholder information, back to an attacker-controlled server.

exploit: An attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders.

external security audit: An audit conducted by an organization independent of the one being audited.

fault: An abnormal condition that causes a device or system component to fail to perform in a required manner and that requires management attention (or action) to repair.

forward proxy: A server that requests resources from the Internet or a remote server on behalf of one or more users on client systems. The proxy may perform protocol translations or other transformations needed between the client’s software and the server application.

functional testing: Security testing in which advertised security mechanisms of an information system are tested under operational conditions to determine if a given function works according to its requirements.

golden record: A single, well-defined version of all the data entities in an organizational ecosystem. In this context, a golden record is sometimes called the “single version of the truth,” where “truth” is understood to mean the reference to which data users can turn when they want to ensure that they have the correct version of a piece of information.

group key: A symmetric cryptographic key shared among multiple participants. A block of data encrypted by any one participant using the group key can be decrypted by any other participant who shares the group key.

hardware: Any physical asset that is used to support corporate information or systems (for example, a server, network device, mobile device, printer, or specialized equipment, such as that used by manufacturing, transport, or utility companies), including the software embedded within them and the operating systems supporting them.

hardware life cycle management: A subset discipline of IT asset management that deals specifically with the hardware portion of IT assets. It is the process of managing the physical components of computers, computer networks, and systems. It begins with acquisition and continues through maintenance until the hardware’s ultimate disposal. Also known as hardware asset management.

hash value: A numerical value produced by a mathematical function, which generates a fixed-length value typically much smaller than the input to the function. The function is many-to-one, but generally, for all practical purposes, each file or other data block input to a hash function yields a unique hash value.

impact: An adverse change to the level of business objectives achieved. Also called impact level or impact value.

industrial control system (ICS): A system that is used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes. An ICS consists of combinations of control components (for example, electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (for example, manufacturing, transportation of matter or energy).

information and communications technology (ICT): The collection of devices, networking components, applications, and systems that together allow people and organizations to interact in the digital world. ICT is sometimes used synonymously with IT; however, ICT is generally used to represent a broader, more comprehensive list of all components related to computer and digital technologies than IT.

information security architecture: An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel, and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

information security governance: The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

information security implementation/operations: The management of information risk through the implementation, deployment, and ongoing operation of security controls defined within a cybersecurity framework.

information security management: The supervision and making of decisions necessary to achieve business objectives through the protection of the organization’s information assets. Management of information security is expressed through the formulation and use of information security policies, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.

information security management system (ISMS): The policies, procedures, guidelines, and associated resources and activities collectively managed by an organization in the pursuit of protecting its information assets.

information security strategic planning: The process of aligning information security management and operation with enterprise and IT strategic planning.

information system boundaries: Boundaries that establish the scope of protection for organizational information systems (that is, what the organization agrees to protect under its direct management control or within the scope of its responsibilities) and include the people, processes, and information technologies that are part of the systems supporting the organization’s missions and business processes. Also referred to as authorization boundaries.

information system contingency planning: Management policies and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.

information system resilience: The ability of an information system to continue to (1) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (2) recover to an effective operational posture in a time frame consistent with mission needs.

information technology (IT): Applied computer systems, both hardware and software, and often including networking and telecommunications, usually in the context of a business or other enterprise. IT is often the name of the part of an enterprise that deals with all things electronic.

information type: A specific category of information (for example, privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, directive, policy, or regulation.

inherent risk: The probability of loss arising out of circumstances or existing in an environment in the absence of any action to control or modify the circumstances.

integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

intellectual property rights (IPR): Rights to a body of knowledge, ideas, or concepts produced by an entity that is claimed by that entity to be original and of copyright-type quality.

internal security audit: An audit conducted by personnel responsible to the management of the organization being audited.

IT service management: A general term that describes a strategic approach for designing, delivering, managing, and improving the way IT is used within an organization. The goal of every IT service management framework is to ensure that the right processes, people, and technologies are in place for the organization to meet its business goals.

IT strategic planning: The alignment of IT management and operation with enterprise strategic planning.

key performance indicators (KPIs): Quantifiable measurements, agreed to beforehand, that reflect the critical success factors of an organization.

kill chain: A systematic process to target and engage an adversary to create desired effects. In the context of cybersecurity, it consists of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action.

least privilege: The principle that access control should be implemented so that each system entity is granted the minimum system resources and authorizations that the entity needs to do its work. This principle tends to limit damage that can be caused by an accident, an error, or a fraudulent or unauthorized act.

level of risk: The magnitude of a risk, expressed in terms of the combination of consequences and their likelihood.

log: A record of the events occurring within an organization’s systems and networks.

log management: The process for generating, transmitting, storing, analyzing, and disposing of log data.

malicious behavior: A combination of motive to cause harm and a conscious decision to act inappropriately (for example, copying business files before taking employment with a competitor, leaking sensitive information, misusing information for personal gain).

malicious software: Software that exploits vulnerabilities in a computing system to create an attack. Also called malware.

managed service provider (MSP): A company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.

maximum tolerable downtime (MTD): The duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

media sanitization: A process that renders access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort.

mission and business processes: What an organization does, what its perceived mission or missions are, and what business processes are involved in fulfilling the mission(s).

multifactor authentication: A process that involves using two or more factors to achieve authentication. Factors include something you know (for example, password, PIN), something you have (for example, cryptographic identification device, token), or something you are (for example, biometric).

multifunction device: A network-attached document-production device that combines two or more of the functions copy, print, scan, and fax.

negligent behavior: Action that does not involve a motive to cause harm but does involve a conscious decision to act inappropriately (for example, using unauthorized services or devices to save time, increase productivity, or enable remote working).

Network Time Protocol (NTP): A protocol that ensures accurate local timekeeping on computer systems, network devices, and other system components, with reference to radio and atomic clocks on the Internet. This protocol is capable of synchronizing distributed clocks within milliseconds over long time periods.

non-repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.

office equipment: Equipment including printers, photocopiers, facsimile machines, scanners, and multifunction devices (MFDs). Office equipment often contains the same components as a server (for example, operating system, hard disk drives, network interface cards) and runs services such as web, mail, and FTP services.

operational readiness: The capability of a process or equipment to perform the missions or functions for which it is organized and designed. This term may be used in a general sense or to express a level or degree of readiness.

patch management: The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. Patch management tasks include maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.

penetration testing: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, a system, or a network.

personally identifiable information (PII): Information that can be used to distinguish or trace an individual’s identity, such as name, social security number, or biometric records, either alone or when combined with other information that is linked or linkable to a specific individual, such as date and place of birth or mother’s maiden name.

phishing: A digital form of social engineering that involves attempting to acquire sensitive data, such as bank account numbers or passwords, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.

port mirror: A cross-connection of two or more ports on a network switch so that traffic can be simultaneously sent to a network analyzer or monitor connected to another port.

privacy: The right of individuals to control or influence what information related to them may be collected and stored and by whom, as well as to whom that information may be disclosed.

pseudorandom number generator: A function that deterministically produces a sequence of numbers that are apparently statistically random.

radio-frequency identification (RFID): A data collection technology that uses electronic tags attached to items to allow the items to be identified and tracked by a remote system. The tag consists of an RFID chip attached to an antenna.

records management: The creation, retention, and scheduled destruction of an organization’s sensitive or important paper and electronic records. Computer-generated reports fall into the records management domain, but traditional data processing files do not.

records management system: Software that provides tools for and aids in records management.

recovery point objective (RPO): The amount of data that can be lost without severely impacting the recovery of operations, or the point in time to which systems and data must be recovered (for example, the date and time of a business disruption).

recovery time objective (RTO): The target time set for resumption of product, service, or activity delivery after an incident. It is the maximum allowable downtime that can occur without severely impacting the recovery of operations, or the time within which systems, applications, or business functions must be recovered after an outage (for example, the point in time at which a process can no longer remain inoperable).

reengineering: Using information technology to improve performance and cut costs. Its main premise is to examine the goals of an organization and to redesign work and business processes from the ground up rather than simply automate existing tasks and functions.

residual risk: Risk that remains after risk treatment.

reverse proxy: A server that services requests from the Internet and makes requests to a server or application sitting behind it. Unlike with a forward proxy, with a reverse proxy, the client may not be aware that it is communicating with a reverse proxy; a reverse proxy receives requests as if it were the origin server for the target resource.

risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.

risk aggregation: The process of assessing the overall risk to organizational operations, assets, and individuals, given the set of discrete risks.

risk analysis: A process undertaken to comprehend the nature of risk and to determine the level of risk.

risk assessment: The overall process of risk identification, risk analysis, and risk evaluation.

risk criteria: Terms of reference against which the significance of a risk is evaluated.

risk evaluation: The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

risk identification: The process of finding, recognizing, and describing risks.

risk management: Coordinated activities to direct and control an organization with regard to risk.

risk of exposure: The likelihood of a security incident occurring.

risk treatment: A process to modify risk. Also known as risk response.

role-based access control (RBAC): Access control based on user roles (that is, a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions in an organization. A given role may apply to a single individual or to several individuals.

rooting: The process of removing a restricted mode of operation. For example, rooting may enable content with digital rights to be used on any computer, or it may allow enhanced third-party operating systems or applications to be used on a mobile device. While rooting is the term used for Android devices, jailbreaking is the equivalent term used for Apple devices.

screen lock: A computer–user interface element in various operating systems that regulates immediate access to a device by requiring the user to perform a certain action in order to receive access, such as entering a password, using a certain button combination, or performing a certain gesture using a device’s touchscreen.

security awareness: The extent to which staff understand the importance of information security, the level of security required by the organization, and their individual security responsibilities.

security classification: The grouping of information into classes that reflect the value of the information and the level of protection required. Also called security categorization.

security controls: The management, operational, and technical controls (that is, countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

security culture: The extent to which staff demonstrate expected security behavior in line with their individual security responsibilities and the level of security required by the organization.

security event: An occurrence considered by an organization to have potential security implications to a system or its environment. Security events identify suspicious or anomalous activity. Events sometimes provide indications that incidents are occurring.

security incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

security objective: The characteristic of security to be achieved, typically consisting of confidentiality, integrity, and availability.

security operations center (SOC): A facility that tracks and integrates multiple security inputs, ascertains risk, determines the targets of an attack, contains the impact of an attack, and recommends and/or executes responses appropriate to a given attack. In some cases, an organization establishes a SOC for itself. In other cases, SOC services are outsourced to a private company that specializes in providing such services.

security performance: The measurable result of security controls applied to information systems and supporting information security programs.

security policy: A set of rules and practices that specify or regulate how a system or an organization provides security services to protect sensitive and critical system resources.

security program: The management, operational, and technical aspects of protecting information and information systems. It encompasses policies, procedures, and management structure and mechanisms for coordinating security activity.

self-encrypting drive: A hard drive with a circuit built into the disk drive controller chip that encrypts all data to the magnetic media and decrypts all the data from the media automatically. All self-encrypting drives encrypt all the time from the factory onward, performing like any other hard drive, with the encryption being completely transparent or invisible to the user. To protect the data from theft, the user must provide a password to read from or write data to the disk.

sensitive information: Information that can only be disclosed to authorized individuals (for example, product designs, merger and acquisition plans, medical records, business strategy information).

side-channel attack: An attack enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions.

single sign-on (SSO): A security subsystem that enables a user’s identity to be authenticated at an identity provider—that is, at a service that authenticates and asserts the user’s identity—and then to have that authentication honored by other service providers.

social engineering: The process of attempting to trick someone into revealing information (for example, a password) that can be used to attack an enterprise or into performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.

source code repository: A file archive in which a large amount of source code for software is kept, either publicly or privately. Source code repositories are often used by open source software projects and other multiple-developer projects to handle various versions. They help developers submit code patches in an organized fashion. Often these archives support version control, bug tracking, release management, mailing lists, and wiki-based documentation.

spear phishing: Phishing that is targeted against a group, a company, or individuals within a company.

stakeholder: A person, a group, or an organization that has interest or concern in an organization. Stakeholders can affect or be affected by an organization’s actions, objectives, and policies. Some examples of key stakeholders are creditors, directors, employees, government (and its agencies), owners (shareholders), suppliers, unions, and the community from which the business draws its resources.

strategic plan: A document used to communicate with the organization the organization’s goals, the actions needed to achieve those goals, and all the other critical elements developed during the planning exercise.

system owner: The person or organization responsible for the development, procurement, integration, modification, operation, maintenance, and final disposition of an information system.

system security plan: A formal document that provides an overview of the security requirements for the information system and describes the security controls that are in place or planned for meeting those requirements.

technical security controls: Security controls (that is, safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

technical vulnerability: A hardware, firmware, communication, or software flaw that leaves an information processing system open for potential exploitation either externally or internally, thereby resulting in risk for the system.

threat: A potential for violation of security that exists when there is a circumstance, a capability, an action, or an event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

threat intelligence: The knowledge established as a result of analyzing information about potential or current attacks that threaten an organization. The information is taken from a number of internal and external sources, including application, system, and network logs; security products such as firewalls and intrusion detection systems; and dedicated threat feeds. Also known as cyber threat intelligence (CTI).

total cost of ownership (TCO): A comprehensive assessment of IT or other costs across enterprise boundaries over time. For IT, TCO includes hardware and software acquisition, management and support, communications, end-user expenses, and the opportunity cost of downtime, training, and other productivity losses.

trust relationship: A relationship between two different domains or areas of authority that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.

user testing: A phase of system development in which the software or system is tested in the “real world” by the intended audience. Also called end-user testing.

value proposition: A statement that identifies clear, measurable, and demonstrable benefits consumers get when buying a particular product or service. It should convince consumers that this product or service is better than others on the market.

virtual private network: A restricted-use, logical (that is, artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (that is, real) network (for example, the Internet), often using encryption (located at hosts or gateways) and authentication. The endpoints of the virtual network are said to be tunneled through the larger network.

vulnerability: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Waterfall development: A method of deploying software or systems in which development moves through a series of fairly well-defined stages. With large projects, once each stage is complete, it cannot be easily reversed, much as it is impossible to move up a waterfall. This traditional system engineering flow allows for a requirements-driven process that leads to assured and verified function. Note that although this indicates a linear sequence through the stages, the ability to iterate and propagate changes discovered in one facet to the others is typically observed.

web analytics: The process of analyzing the behavior of visitors to a website. Web analytics involves extracting and categorizing qualitative and quantitative data to identify and analyze onsite and offsite patterns and trends.

whois: An Internet program that allows users to query a database of people and other Internet entities, such as domains, networks, and hosts. The information stored includes a person’s company name, address, phone number, and email address.

zero-day threat: The threat of an unknown security vulnerability in computer software or an application for which either a patch has not been released or the application developers are unaware of the issue or have not had sufficient time to address it. A zero-day attack is also sometimes defined as an attack that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.
