
Glossary of Key Terms

A

acceptable use policy (AUP) A policy that informs employees what is considered acceptable use for IT systems and data. Sometimes, banners and login screens are used to remind personnel of the policy.

accepting One of the techniques used to manage risk. When the cost to reduce the risk is greater than the potential loss, the risk is accepted. A risk is also accepted if management considers the risk necessary and tolerable for business.

account management policy A written policy created to ensure that user and computer accounts are managed securely. It identifies details for creating accounts, such as using a firstname.lastname format, and specifies what to do with unused accounts. It can also include requirements for account lockout and password policies. This written policy is usually enforced with a technical policy.

Advanced Encryption Standard (AES) The standard defined by NIST for symmetric encryption. It is fast, efficient, and commonly used to encrypt data on drives, including universal serial bus (USB) flash drives.

affinity diagram A method used to create lists of threats, vulnerabilities, or response plans. It starts with a large topic, such as a problem statement, and then narrows down the problem to individual sources.

annual loss expectancy (ALE) Total expected loss from a given risk for a year. ALE is calculated by multiplying SLE × ARO. ALE is part of a quantitative risk assessment.

annual rate of occurrence (ARO) Number of times loss from a given threat is expected to occur in a year. It is used with the SLE to calculate the ALE. ARO is part of a quantitative risk assessment.

anonymizer A website used to hide a user’s activity on the Internet. The user visits the anonymizer site and then requests pages from other sites. The anonymizer retrieves the webpages and serves them as if they are served from the anonymizer site.

asset Data, a device, or infrastructure of value to an organization.

asset management Used to manage all types of assets and includes more detailed information than an inventory management system. For example, it would include installed components, hardware peripherals, installed software, update versions, and more.

asset valuation The process of determining the fair market value of an asset. The value of the asset can be determined from the actual cost or based on what the asset provides to the organization.

attack surface How much can be attacked on a server. Every additional service or protocol running or enabled increases the attack surface. By disabling services or protocols that are not needed, the attack surface can be reduced.

attorney general (AG) A state or federal position. A state AG represents the state in all legal matters. The U.S. AG is the head of the U.S. Department of Justice.

audit A check to see if an organization is following rules and guidelines. A vulnerability assessment audit checks to see if internal policies are followed.

audit trail A series of events recorded in one or more logs. Audit trail events record who, what, where, and when. They can be in operating system logs like the Microsoft Security log, or application logs like a firewall log.

availability Ensuring that data or a service is available when needed. Data and services are protected using fault tolerance and redundancy techniques.

avoiding One of the techniques used to manage risk. A risk can be avoided by eliminating the source of the risk or the exposure of assets to the risk. A company can either stop the risk activity or move the asset.

B

big data Data sets that are so large and complex that they are difficult to process with existing database tools. Instead, specialists build new applications to meet the needs of these large data sets.

blacklist A list of addresses or domains used in a spam filter to block email. They are added to the blacklist to ensure that email from these sources is always marked as spam.

brainstorming A creative method used to generate a large number of ideas on a topic. Participants are encouraged to mention any idea that comes to mind. Ideas are recorded without judgments.

buffer overflow A common exploit used against public-facing servers. Attackers in a buffer overflow attack send more or different data than is expected. They can use it to gain additional privileges on the system.

business continuity plan (BCP) A comprehensive plan that helps a company prepare for different types of emergencies. Its goal is to ensure that mission-critical functions continue to operate even after a disaster strikes.

business function An activity carried out by an organization, including core and support functions.

business impact analysis (BIA) Part of a business continuity plan. It identifies the impact to the business if one or more IT functions fail.

C

Capability Maturity Model Integration (CMMI) A process improvement approach to management. It includes six levels from 0 to 5. Level 0 indicates a process doesn’t exist. Level 5 indicates the process is very mature and effective.

cause and effect diagram Also known as an Ishikawa diagram or fishbone diagram. It shows the relationships between causes and problems.

certificate A file that is used for security, which includes identification and encryption. Certificates can be issued to users or systems, which are then presented to other entities. A certificate includes a public key that is shared with others. The public key is matched with a private key, which is always kept private.

certificate authority (CA) An entity that issues and manages certificates. A CA can be public or private. Public CAs are accessible on the Internet, whereas private CAs are internal to an organization. Certificates are used by users and systems for security purposes, such as identification and encryption.

change management A formal process that requires that proposed changes go through a review process. Changes are implemented only after approval, which helps reduce outages caused by unauthorized changes.

Children’s Internet Protection Act (CIPA) A U.S. law passed in 2000. It requires schools and libraries receiving E-Rate funds to filter Internet content. The primary purpose is to protect minors from obscene or harmful images.

CIRT plan A formal plan created by an organization to respond to computer incidents. It includes a definition of a computer incident and formally designates the computer incident response team (CIRT).

cloud computing A technology that allows an organization to access required services over a public network, such as the Internet. Organizations often contract with third-party vendors to provide services using cloud computing.

COBIT See Control Objectives for Information and Related Technology.

cold site An alternate location used for disaster recovery. This site is an available building that has electricity, running water, and restrooms, but none of the equipment or data is staged at the site. A cold site is inexpensive to maintain, but much effort is needed to make it functional, and it is very difficult to test. Other alternate locations are warm sites and hot sites.

Common Vulnerabilities and Exposures (CVE) Database of vulnerabilities maintained by the MITRE Corporation. MITRE works in conjunction with the U.S. Department of Homeland Security to maintain the CVE. The list includes over 40,000 items.

compliance When an organization is complying with relevant laws and regulations, it is said to be in compliance. Many organizations have programs in place to ensure that they remain in compliance.

computer incident Also known as a computer security incident. Any activity that threatens the security of the computer systems. It affects the organization’s security and may result in loss of confidentiality, integrity, or availability.

computer incident response team (CIRT) A group of people who will respond to incidents. The CIRT can be a formal team designated in advance or an informal team created after an incident occurs.

confidentiality Protecting data from unauthorized disclosure. Data is protected using access controls and encryption technologies.

configuration management Standards used to ensure that systems are configured similarly. Additionally, compliance auditing can be performed regularly to ensure that systems have not been improperly modified.

continuous monitoring A philosophy centered on the principle that security requires continuous effort. Controls are put into place, and, later, checks and audits are performed to ensure they are still working as expected.

control Action or change put in place to reduce weaknesses or potential losses. A control is also referred to as a countermeasure.

Control Objectives for Information and Related Technology (COBIT) A framework of good practices for IT management. COBIT is well respected and frequently used. It includes five principles and seven enablers. COBIT was originally an acronym for Control Objectives for Information and Related Technology. ISACA now uses only the short form of COBIT.

corrective control A class of controls identified by their function. A corrective control attempts to reverse the effect of an exploited vulnerability. For example, antivirus software can work as a corrective control by cleaning an infected file, which corrects the problem.

cost-benefit analysis (CBA) A process used to determine how to manage a risk. If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.

countermeasure A security control or safeguard. It is put into place to reduce a risk, which it does by reducing the vulnerability or threat impact.

critical business function (CBF) A function considered vital to an organization. If a CBF fails, the organization will lose the ability to perform a critical operation necessary for its mission.

critical path chart A chart of critical tasks in a project. If any task in the critical path is delayed, the entire project will be delayed.

critical success factor (CSF) An element necessary for the success of an organization. CSFs often contribute to critical business functions (CBFs).

D

damage assessment team (DAT) A team that collects data after a disruption to determine the extent of the damage. The DAT collects data on damage to systems and facilities and reports the data to the emergency management team (EMT). The EMT, DAT, and technical recovery team (TRT) are designated by the BCP.

dark web A part of the Internet with encrypted online content that is not visible to traditional search engines.

data leakage Loss of data outside an organization. Many peer-to-peer (P2P) programs cause data leakage. P2P programs are commonly used to download pirated music, movies, and applications. Users are often unaware that the P2P programs also share data on their systems. Data leakage occurs when data on a user’s system is shared without the user’s knowledge.

data mining The process of retrieving data from a data warehouse. Data mining allows decision makers to view the data from different perspectives and to make predictions about future behavior or outcomes.

data warehousing The process of gathering data from different databases and storing it centrally. An extract, transform, load (ETL) process is used. Data is extracted from the original database and then transformed to match the target database. Finally, it is loaded into the target database.

deep web Also known as the invisible web, this concept represents parts of the Internet where the contents are not indexed by typical search engines.

defense in depth A security principle used to provide multiple layers of controls. Even though one control may provide protection, additional controls are added to provide stronger protection. A defense-in-depth strategy ensures a risk is mitigated even if one control fails.

demilitarized zone (DMZ) A buffer zone separating the Internet from the internal network. A DMZ is often created with two separate firewalls. Public-facing servers, such as web or email servers, are then placed in the DMZ.

denial of service (DoS) attack An attack designed to prevent a system from providing a service. A DoS attack is launched from a single client.

Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) A risk management process applied to U.S. Department of Defense (DoD) systems. It is fully documented in DoD instruction 8510.1. Systems must go through a formal certification and accreditation process before being authorized for operation.

Department of Homeland Security (DHS) A major department in the U.S. government charged with protecting the United States from threats and emergencies.

detective control A class of controls identified by their function. A detective control detects when a vulnerability is being exploited. An intrusion detection system (IDS) is an example of a detective control.

digital signature A method used for identification. Digital signatures use certificates issued by a certificate authority. A hash of a message is created, and the hash is encrypted with the sender’s private key. If the receiver can decrypt the encrypted hash with the sender’s public key, this verifies that the hash was encrypted and sent with the sender’s private key. Only the sender has the private key.

disaster recovery The procedures to bring a system back into service after it has failed. Disaster recovery occurs after a disaster. Disaster recovery steps are documented in a disaster recovery plan that is a part of a business continuity plan.

disaster recovery plan (DRP) A plan used to recover a system or systems after a disaster. A DRP is part of a business continuity plan.

distributed denial of service (DDoS) attack A DoS attack launched from multiple clients at the same time. A DDoS attack often includes zombies controlled in a botnet.

due care Taking reasonable steps to protect against risks.

due diligence Taking a reasonable amount of time and effort to identify risks. The person or organization conducting due diligence investigates risks in order to understand them.

E

emergency management team (EMT) A team composed of senior management personnel who have overall authority during a disruption or disaster. The EMT, damage assessment team (DAT), and technical recovery team (TRT) are designated by the BCP.

E-Rate funding A program that provides discounts to schools and libraries for Internet access. Any school or library that requests discounts under the E-Rate program must comply with the Children’s Internet Protection Act (CIPA) rules. CIPA mandates the filtering of Internet content for children under 17 years of age.

exploit The act of taking advantage of a vulnerability. It occurs when a command or program is executed to take advantage of a weakness. Examples include buffer overflows, DoS attacks, and DDoS attacks.

exploit assessment An attempt to discover what vulnerabilities an attacker can exploit. Exploit assessments are also called penetration tests.

exploit testing Testing that tries to exploit vulnerabilities. Vulnerability testing identifies potential vulnerabilities, and exploit testing determines if the vulnerabilities can actually be exploited. Exploit testing can take down systems.

Exploit Wednesday The day after Patch Tuesday. After patches have been released, attackers attempt to reverse engineer the patches to learn the vulnerabilities. They then create attacks to exploit the vulnerabilities before the patches have been widely applied. Compare to Patch Tuesday.

exposure factor (EF) The percentage loss to an asset if a threat is realized. EF is often subjective.

F

failover cluster A technology used to ensure a service can continue to run even if a server fails. A failover cluster has at least two servers. One server is active, and the second server is inactive but available to take over if the active server fails.

Family Educational Rights and Privacy Act (FERPA) A U.S. law passed in 1974 that mandates the protection of student records. Student records include all records with education or health data. All institutions receiving federal funds for education are covered by this law.

Federal Deposit Insurance Corporation (FDIC) A federal agency created in 1933 that provides insurance for depositor funds in FDIC-insured banks. The goal is to promote confidence in U.S. banks.

Federal Information Security Management Act (FISMA) A U.S. law passed in 2002 that requires federal agencies to protect IT systems and data. Additionally, agencies must have annual inspections, which provide independent evaluations of security programs.

Federal Trade Commission (FTC) A federal agency created in 1914 whose primary goal is to promote consumer protection. It also works to prevent unfair methods of competition.

fiduciary responsibility A relationship of trust between two entities. A fiduciary could be a person who is trusted and who has a responsibility to uphold this trust.

firewall Hardware or software that filters network traffic. Rules are configured on the firewall to define what traffic is allowed and what traffic is blocked. A network firewall is a combination of hardware and software. Individual systems can include a single software-based firewall.

firewall appliance A self-contained firewall solution. It includes hardware and software to provide security protection for a network.

firewall policy A document that identifies what traffic to allow or block. A firewall policy is often used to implement rules on the firewall.

G

Gantt chart A bar chart used to show a project schedule. Gantt charts are commonly used in project management and can be used in risk management plans.

gap analysis A report created by comparing exploits that should be controlled with the exploits that are controlled. Any uncontrolled exploits represent a gap in the security. A gap analysis is often performed when an organization is trying to comply with legal requirements such as HIPAA.

General Data Protection Regulation (GDPR) A legal framework that sets guidelines for collecting and processing the personal information of individuals who live in the EU and the European Economic Area (EEA).

goodwill A helpful and collaborative attitude.

Gramm-Leach-Bliley Act (GLBA) A law passed in 1999 that applies to financial institutions. The financial privacy rule and the safeguards rule apply to IT security. Companies need to tell customers how customer data is used and take steps to protect financial data.

Group Policy An automated management tool that makes it possible to configure a setting once and apply it to all users or computers equally, which is much more efficient than configuring the setting on individual computers.

guideline A principle, instruction, or direction to help achieve an action.

H

hardening a server The act of making a server more secure than the default. Defaults are changed, the attack surface is reduced, and the system is kept up to date.

Health Insurance Portability and Accountability Act (HIPAA) A U.S. law passed in 1999 that mandates the protection of health information. Any organization handling any type of health information, which includes health care providers and employers offering health plans, must comply with this law.

host-based intrusion detection system (HIDS) An intrusion detection system that is installed on a single host, such as a workstation or server. Any intrusion detection system detects intrusions and attacks.

hot site An alternate location used for disaster recovery. This site includes all the equipment and data necessary to take over business functions in a short period of time and is able to assume operations within hours and sometimes minutes. Hot sites are very expensive to maintain. Other alternate locations are cold sites and warm sites.

I

impact The amount of a loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or as a relative value. The impact identifies the severity of the loss. Impact is derived from the opinions of experts.

implicit deny A philosophy applied to routers and firewalls. All traffic is blocked unless it is explicitly allowed. For example, port 80 can be opened to allow HTTP traffic with a firewall rule. If there are no other rules, no other traffic is allowed. Even though the firewall doesn’t have a rule explicitly denying traffic on port 77 (or any port other than 80), it is still denied.

information technology governance (ITG) The processes that ensure IT resources are enabling the organization to achieve its goals.

Information Technology Infrastructure Library (ITIL) A group of books developed by the United Kingdom’s Office of Government Commerce. These books document good practices that can be used in IT networks.

in-place control A control that is currently installed. Controls can be in place or planned.

intangible value Value that isn’t directly related to the actual cost of a physical asset. Intangibles can include future lost revenue, client confidence, and customer influence. Compare to tangible value.

integrity Ensuring data or IT systems are not modified or destroyed. Hashing is often used to ensure integrity.

intellectual property (IP) Data created by a person or an organization. It can include creative works, such as literary, musical, or artistic works. It can also include industrial designs, trademarks, inventions, and patents.

intentional threat An act that is hostile to the organization. Intentional threats come from criminals, vandals, disgruntled employees, hackers, and others.

International Electrotechnical Commission (IEC) An international standards organization that focuses on electrical, electronic, and related technologies. The IEC works with the ISO on some standards. The IEC published IEC 31010 Risk Management—Risk Assessment Techniques.

International Organization for Standardization (ISO) An international standards organization. Three risk-related documents that ISO published are ISO 27002, ISO 31000, and ISO 73.

intrusion detection system (IDS) A system that can monitor a network and send an alert if an intrusion is detected. Both host-based IDS (HIDS) and network-based IDS (NIDS) systems are commonly used. A passive IDS logs and alerts on events. An active IDS can block a detected attack.

intrusion prevention system (IPS) A system placed in-line with traffic to monitor for intrusions. It can prevent malicious traffic from reaching internal networks.

inventory management Used to manage hardware inventories. Basic information is included, such as model numbers, serial numbers, and locations.

IT governance (ITG) Processes that help ensure IT resources are enabling an organization to achieve its goals. ITG also helps ensure these resources are effective and efficient.

J

job rotation Rotating employees through different jobs, which results in additional oversight for past transactions. It can help prevent or reduce fraudulent activity, such as collusion, and increase technical expertise on specific systems.

M

malware Malicious software, which includes viruses, worms, Trojan horses, or any other type of malicious code.

mandatory vacation Requiring employees to take an annual vacation of at least five consecutive days. While the employee is on vacation, someone else must perform the job, which increases the likelihood that illegal activities will be discovered.

maximum acceptable outage (MAO) The maximum amount of time a system or service can be down before affecting a company’s mission. The MAO directly affects the required recovery time, which means that a system must be recoverable before the MAO time has been reached.

maximum tolerable period of disruption (MTPD) A measure that helps to determine which critical business functions (CBFs) need to be recovered and restarted as soon as possible after a disaster, identifies the specific resources needed to restart each CBF, and helps to determine how soon these systems need to be recovered.

milestone A scheduled event for a project that indicates the completion of a major task or group of tasks. Milestones are used to track a project’s progress.

milestone plan chart A graphic representation of major milestones showing the time relationship of milestones to each other and dependencies.

minimum business continuity objective (MBCO) The minimum level of services that is acceptable to an organization to meet its business needs and objectives during a disaster.

mission critical Any system, function, or process identified as critical to the mission of the organization. Mission-critical systems and activities are necessary to keep the organization functioning.

mitigating One of the techniques used to manage risk. Mitigation is also known as risk reduction. Vulnerabilities are reduced by implementing controls, or countermeasures.

mobile site A site that can be easily set up in 36 to 72 hours in an outside space close to an impacted site. It is in between a hot site and a cold site.

N

National Cybersecurity and Communications Integration Center (NCCIC) An element within the Department of Homeland Security (DHS). It works together with private, public, and international parties to secure cyberspace and America’s cyberassets.

National Institute of Standards and Technology (NIST) A division of the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness. The Information Technology Laboratory (ITL) is within NIST. ITL publishes special publications that are widely used in IT risk management.

network load balancing A technology that allows a load to be shared among several servers. As new clients connect, they are directed to the server that has the least load. Load balancing is used in web farms.

NIST Risk Management Framework A set of information security policies and standards the federal government developed through the National Institute of Standards and Technology (NIST).

nonrepudiation Used to prevent someone from denying that he or she took an action. Audit logs record details of who, what, where, and when on events. If an audit log records an action by a user after the user logs on, the user cannot believably deny the action. Digital signatures are also used for nonrepudiation.

O

operational impact The impact of a security control on operations. Controls frequently consume resources, which can impact normal operations if they are not controlled.

P

password policy A written or technical policy that specifies security requirements for passwords. Requirements include length, age, and complexity. For example, a password policy may specify that passwords must be at least eight characters and changed every 90 days. Complexity requirements specify the use of uppercase letters, lowercase letters, symbols, and numbers.

patch management Ensuring that patches are deployed when needed. Because bugs are regularly discovered in software, vendors release patches to correct the problems. Patch management ensures that appropriate patches are deployed. Many bugs present serious security risks, so if the patches aren’t deployed, the systems are vulnerable to attacks.

Patch Tuesday The day that Microsoft releases patches for Microsoft products. Patch Tuesday is the second Tuesday of every month. Compare to Exploit Wednesday.

Payment Card Industry Data Security Standard (PCI DSS) An international standard used to protect credit card data whose requirements are set by the PCI Security Council. Merchants are required to comply with the standards.

penetration testing Testing performed to see if a vulnerability can be exploited. Penetration testing is done after a vulnerability assessment. It can be invasive and can take systems down.

physical control A control that restricts physical access to areas or systems or protects the physical environment. Examples include locked rooms, guards, cameras, and heating and cooling systems to control the environment.

plan of action and milestones (POAM) A document used to track activities in a risk management plan. A POAM assigns responsibility for specific tasks and makes it easier for management to follow up on the tasks.

planned control A control that is planned to be added sometime in the future. Controls can be in place or planned.

policy A formal statement that is issued directly by an organization’s leaders, such as an acceptable use policy, which describes both acceptable and unacceptable behavior when using company-owned computers and network resources.

preventive control A class of controls identified by their function. A preventive control attempts to prevent the risk from occurring. For example, an unneeded protocol is removed from a server to harden it so that any attacks on this protocol are now prevented on the server.

principle of least privilege A security principle that grants users only the minimum rights and permissions needed to perform their job. This principle is similar to the principle of need to know. However, the principle of need to know focuses only on permissions for data, not rights.

principle of need to know A security principle that grants users access only to the data they need to perform their job. This is similar to the principle of least privilege. However, the principle of least privilege includes rights and permissions, whereas the principle of need to know focuses only on permissions for data.

principle of proportionality This principle simply states that the amount spent on controls should be proportional to the risk.

probability Refers to the likelihood that a risk will occur, which is derived from the opinions of experts and is used in a qualitative risk assessment. A risk occurs when a threat exploits a vulnerability.

procedural control A control in place based on the rules and guidelines directed by upper-level management. It is also called an administrative control.

procedure A formal, established way of doing things.

profitability The ability of a company to make a profit. It is calculated as revenues minus costs. Risk management considers both profitability and survivability.

proxy server A server used to accept requests from clients for webpages, retrieve the webpages, and then serve the webpages to the clients. Proxy servers can filter requests so that clients cannot access certain webpages and can be used as a technology protection measure for the Children’s Internet Protection Act (CIPA).

Q

qualitative risk assessment A subjective method used for risk assessment that uses relative values based on opinions from experts. A qualitative risk assessment can be completed rather quickly. Qualitative risk assessments do not have predefined formulas.

quantitative risk assessment An objective method used for risk assessments that uses numbers, such as actual dollar values. Quantitative risk assessments require a significant amount of data that sometimes can be difficult to obtain. The data is then entered into a formula.

R

reasonableness A judgment test that a company can apply to determine whether the risk should be managed. If a reasonable person would expect the risk to be managed, it should be managed.

recovery point objective (RPO) The maximum amount of acceptable data loss for a system. The RPO can be as short as less than one minute or up to the moment of failure, and it can be longer, such as a day or a week. The RPO is dependent on the value of the data and the ability to reproduce it.

recovery time objective (RTO) The time in which a system or function must be recovered. The RTO would be equal to or less than the maximum acceptable outage (MAO). For example, if the MAO is 10 minutes, the RTO would be 10 minutes or less.

redundant array of independent disks (RAID) Also called redundant array of inexpensive disks. Multiple disks are used together to provide fault tolerance. A fault can occur with a disk, and the system can tolerate it and continue to operate.

residual risk The risk that remains after controls have been applied. Management accepts the residual risk when it falls within the organization's tolerance, which is why it is also referred to as acceptable risk. Residual risk is expressed in the following formula: Residual risk = Total risk – Controls.

return on investment (ROI) A value that determines the monetary benefits of purchasing or improving a system. If the cost of a control is close to the annual projected benefits, the ROI can be calculated to determine whether the control will be valuable over the lifetime of the control.

risk An uncertainty that may lead to a loss. Losses occur when a threat exploits a vulnerability. Risk is often expressed as Risk = Threat × Vulnerability.

risk assessment A process used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity. These risks are then prioritized.

risk management The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, sharing or transferring, mitigating, and accepting the risk.

risk statement A statement used to summarize risks. Risk statements often use an “if/then” format. The “if” part of the statement identifies the elements of the risk. The “then” portion of the statement identifies the result.

rules of behavior A document users must read before accessing a system that identifies what they can and cannot do on the system. Office of Management and Budget (OMB) Circular A-130, Appendix III, mandates the use of rules of behavior for agencies under OMB jurisdiction. The rules of behavior document is also called an acceptable use policy (AUP) in most private organizations.

S

safeguard Another term for control. Safeguards and controls are used to mitigate risk. They can mitigate the risk by reducing the impact of the threat or reducing the vulnerabilities.

safeguard value The actual cost of the safeguard or control. This data can be used to complete a cost-benefit analysis.

Sarbanes-Oxley Act (SOX) A U.S. law passed in 2002 that applies to any publicly traded company. Senior officers and board members are directly responsible for the accuracy of the company's financial reports. If financial data is misreported, they can be fined and imprisoned.

scale out A method of increasing capability by adding additional servers to a service. Efficient scale-out techniques don't require the modification of the core application. For example, an additional server can be added to a web farm without changing the core web application. The load is then spread across the servers, typically by a load balancer.

scale up A method of increasing capability by adding additional resources to a server. A server can be scaled up by adding additional RAM or upgrading the processor.

scope The boundaries of a risk management plan, which define what the plan should cover. Defining the scope helps prevent scope creep.

scope creep A problem with projects resulting from uncontrolled changes. Scope creep should be avoided because it results in cost overruns and missed deadlines.

script kiddie An attacker without much knowledge about programming or the potential harm he or she might cause. The idea is that some hacking tools are so easy to use that a kid can use them.

Securities and Exchange Commission (SEC) A federal agency that regulates the securities industry. Securities include stocks, bonds, and options. Any publicly traded company, or any company that trades securities, must comply with SEC rules.

security policy A written policy created by senior management that includes identifying resources and implementing security in the organization. It will usually include individual policies, such as a password policy, an acceptable use policy, and a firewall policy.

separation of duties A principle that ensures that a single person does not control all the functions of a critical process. It is designed to prevent fraud, theft, and errors.

service level agreement (SLA) A document that identifies an expected level of performance. It can specify the minimum uptime or the maximum downtime. It is often written as a contract between a service provider and a customer. An SLA can identify monetary penalties if the terms aren’t met.

service pack (SP) A group of updates, patches, and fixes that apply to a specific operating system. Most SPs are cumulative. They include all the updates, patches, and fixes since the operating system was first released.

single loss expectancy (SLE) Total loss resulting from a single incident. The loss is expressed as a dollar value, which includes the value of hardware, software, and data. It is used to help calculate ALE (ALE = SLE × ARO). SLE is part of a quantitative risk assessment.
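The quantitative entries above (SLE, ARO, ALE, safeguard value, ROI, residual risk) fit together into one cost-benefit calculation. The following is an added worked example, not code from the glossary or its publisher; every dollar figure, the control names, and the amortization of a control's purchase price over its lifetime are constructed assumptions.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE, safeguard value, ROI.

Added example, not from the glossary. All dollar figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annual rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    purchase_cost: float   # one-time cost of the control
    lifetime_years: float  # how long the control stays useful
    yearly_upkeep: float   # licences, staff time, maintenance per year
    residual: Risk         # SLE and ARO expected once the control is in place

    def annual_cost(self) -> float:
        """Safeguard value spread over the control's lifetime, plus upkeep."""
        return self.purchase_cost / self.lifetime_years + self.yearly_upkeep


def annual_benefit(risk: Risk, control: Safeguard) -> float:
    """Net yearly benefit: ALE reduction minus what the control costs per year.

    A negative value means the control costs more than the loss it prevents,
    so accepting the risk is the cheaper option.
    """
    return risk.ale() - control.residual.ale() - control.annual_cost()


def roi(risk: Risk, control: Safeguard) -> float:
    """Return on investment as net benefit per dollar spent per year."""
    return annual_benefit(risk, control) / control.annual_cost()


def choose_control(risk: Risk, options: list) -> str:
    """Pick the control with the largest net benefit; 'accept' if none pays off."""
    best = max(options, key=lambda c: annual_benefit(risk, c), default=None)
    if best is None or annual_benefit(risk, best) <= 0:
        return "accept"
    return best.name


# Constructed scenario: a file server whose loss costs $50,000 per incident,
# expected to happen once every two years (ARO 0.5), so ALE = $25,000.
FILE_SERVER = Risk(sle=50_000, aro=0.5)

OPTIONS = [
    Safeguard("offsite backups", purchase_cost=5_000, lifetime_years=5,
              yearly_upkeep=3_000, residual=Risk(sle=5_000, aro=0.5)),
    Safeguard("cyber insurance", purchase_cost=0, lifetime_years=1,
              yearly_upkeep=12_000, residual=Risk(sle=10_000, aro=0.5)),
    Safeguard("hot site", purchase_cost=100_000, lifetime_years=5,
              yearly_upkeep=10_000, residual=Risk(sle=0, aro=0.5)),
]

if __name__ == "__main__":
    for c in OPTIONS:
        print(f"{c.name:16} annual cost {c.annual_cost():>9,.0f} "
              f"net benefit {annual_benefit(FILE_SERVER, c):>9,.0f} "
              f"ROI {roi(FILE_SERVER, c):.2f}")
    print("decision:", choose_control(FILE_SERVER, OPTIONS))
```

With these constructed figures the backups cost $4,000 a year and cut the ALE from $25,000 to $2,500, a net benefit of $18,500; the hot site removes the loss entirely but at $30,000 a year costs more than the $25,000 it saves, so on its own the right decision is to accept the risk rather than buy it.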

single point of failure (SPOF) The failure of any single component that can result in the total loss of a system. An SPOF is typically addressed by adding redundancy. For example, a disk drive can be protected with a RAID configuration, and failover clusters remove servers as a single point of failure.

sniffer A tool used to capture traffic on a network in order to analyze it. Wireshark is a free packet analyzer that can be used as a sniffer. If data is sent in cleartext, the captured traffic can easily be read.

social engineering Tactics used to trick people into revealing sensitive information or taking unsafe actions. Social engineering tactics include conning people over the phone or in person and phishing and other technical tactics.

spear phishing A phishing attempt that targets a specific organization or individual rather than the general public. It often appears to come from someone within the company, such as a coworker or an executive, and is more successful against untrained employees.

SQL injection attack An attack on websites or applications that access a database. The attacker submits input that the application concatenates into a Structured Query Language (SQL) statement, so the input is executed as SQL code and can retrieve, modify, or delete data in the database. Developers prevent SQL injection by using parameterized queries (prepared statements) instead of building statements from user input, and by validating input.
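To show the difference between a concatenated query and a parameterized one, here is an added example written for this glossary entry; it is not code from the book. The users table, the credentials, and the two payloads are constructed for illustration (a real application would store password hashes, never plaintext passwords).

```python
"""SQL injection: a concatenated query beside its parameterized fix.

Added example, not from the glossary. The table contents and payloads are
constructed; sqlite3 from the standard library stands in for the web app's
database so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Returns the user's role on success, None otherwise.

    User input is spliced straight into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL.
    """
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Same check with a parameterized query: the driver sends the values
    separately from the SQL text, so they can only be compared as data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic payloads. In the vulnerable version the first one comments out the
# password check ('--' starts a SQL comment); the second makes the WHERE
# clause true for every row, so the first row (the admin) comes back.
COMMENT_OUT_PASSWORD = ("alice' --", "wrong")
ALWAYS_TRUE = ("x' OR '1'='1", "x' OR '1'='1")


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        "comment_vuln": login_vulnerable(conn, *COMMENT_OUT_PASSWORD),
        "comment_safe": login_safe(conn, *COMMENT_OUT_PASSWORD),
        "or_vuln": login_vulnerable(conn, *ALWAYS_TRUE),
        "or_safe": login_safe(conn, *ALWAYS_TRUE),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name:13} -> {role}")
```

Both payloads log the attacker in as the admin through `login_vulnerable` and fail against `login_safe`, because the placeholders keep the quote characters inside the bound value where they cannot change the statement's structure.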

stakeholder An individual or group that has a stake, or interest, in the success of a project. A stakeholder has some authority over the project and can provide resources for the project.

standard A mandatory rule written to support or at least provide some direction to a policy. For example, a password standard could follow an acceptable use policy.

survivability The ability of a company to survive loss from a risk. Some losses can be so severe that they will cause the business to fail if they are not managed.

SYN flood attack A common DoS attack in which the attacker sends many SYN packets, often from spoofed source addresses, but never sends the final ACK that completes the TCP three-way handshake. Each half-open connection holds server resources until it times out. When the attacker does this repeatedly in a short time period, the server's connection table fills, legitimate clients are refused, and the server can crash. SYN cookies are a common mitigation.
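Half-open connections are visible in the server's own connection table, which makes a SYN flood straightforward to spot from the defender's side. The following is an added detection example, not code from the glossary; the connection lines are constructed in `netstat -tn` style and the two thresholds are assumptions to tune per host.

```python
"""Spot a SYN flood from the server's connection table.

Added example, not from the glossary. Connection lines are constructed in
netstat -tn style (proto recv-q send-q local remote state); the thresholds
are assumptions.
"""
from collections import Counter


def half_open_connections(lines):
    """Yield (remote_ip, remote_port) for every half-open (SYN_RECV) entry."""
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "SYN_RECV":
            continue  # headers, UDP rows and completed connections are skipped
        ip, _, port = parts[4].rpartition(":")
        yield ip, int(port)


def detect_syn_flood(lines, total_threshold=100, per_source_threshold=20):
    """Flag a flood when half-open connections pile up.

    Two checks: the total count (a spoofed flood spreads across many fake
    sources, so no single address stands out) and the per-source count
    (a flood from one unspoofed host).
    """
    per_source = Counter(ip for ip, _ in half_open_connections(lines))
    total = sum(per_source.values())
    noisy = {ip: n for ip, n in per_source.items() if n >= per_source_threshold}
    return {
        "flood": total >= total_threshold or bool(noisy),
        "half_open": total,
        "sources": len(per_source),
        "noisy_sources": noisy,
    }


def build_sample(n_flood: int, spoofed: bool = True) -> list:
    """Constructed connection table: a little normal traffic plus n_flood
    half-open entries. Spoofed floods rotate through 203.0.113.0/24 (a
    documentation range)."""
    lines = [
        "tcp 0 0 10.0.0.5:80 198.51.100.7:50211 ESTABLISHED",
        "tcp 0 0 10.0.0.5:443 198.51.100.8:50212 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 198.51.100.9:50213 TIME_WAIT",
    ]
    for i in range(n_flood):
        src = f"203.0.113.{i % 254 + 1}" if spoofed else "203.0.113.66"
        lines.append(f"tcp 0 0 10.0.0.5:80 {src}:{40000 + i} SYN_RECV")
    return lines


if __name__ == "__main__":
    print(detect_syn_flood(build_sample(3)))                  # quiet server
    print(detect_syn_flood(build_sample(150)))                # spoofed flood
    print(detect_syn_flood(build_sample(30, spoofed=False)))  # single noisy host
```

On a Linux host the input would come from `netstat -tn` or `ss -tn state syn-recv`. Note that the spoofed case trips only the total threshold, since every fake source appears once; a per-source rule alone would miss it. Enabling SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux) lets the server answer SYNs without keeping state for each half-open connection.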

T

tangible value The actual cost of an asset. Compare to intangible value.

technical control A control that uses technology to reduce vulnerabilities. Examples include antivirus software, intrusion detection systems, access controls, and firewalls. Technical controls provide automation.

technical recovery team (TRT) A team responsible for recovering critical systems after a disruption or outage. The BIA identifies the critical systems. The emergency management team (EMT), damage assessment team (DAT), and TRT are designated by the BCP.

technology protection measure (TPM) A requirement of the Children’s Internet Protection Act (CIPA). A TPM will filter offensive content on school and library computers, which ensures that minors are not exposed to the offensive content. A TPM can be disabled if an adult needs to use the computer.

threat Any activity that represents a possible danger, which includes any circumstances or events with the potential to adversely impact confidentiality, integrity, or availability of a business’s assets.

threat assessment A process used to identify and evaluate potential threats. The goal is to identify as many potential threats as possible. These threats are then evaluated to determine the likelihood the threat will exploit a vulnerability.

threat modeling A process used to identify possible threats on a system. Threat modeling attempts to look at a system from the attacker’s perspective.

threat/vulnerability pair A threat exploits a vulnerability, which results in a harmful event or a loss.

total risk The amount of risk when the affected asset value is known. Total risk is often expressed as Total risk = Threat × Vulnerability × Asset value.

transaction A database term for a group of statements executed as a single unit of work. Either every statement in the transaction succeeds and its changes are committed, or, if any single statement fails, the entire transaction is rolled back. Changes from a failed transaction are not applied to the database.
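The all-or-nothing behavior is easiest to see with a transfer between two accounts where the second statement fails. This is an added example, not code from the glossary; the accounts table, the balances, and the CHECK constraint that rejects an overdraft are constructed for illustration.

```python
"""Database transactions: all statements apply or none do.

Added example, not from the glossary. The ledger is constructed; sqlite3
from the standard library provides the database so it runs offline.
"""
import sqlite3


def make_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  name TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn


def balance(conn, name: str) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE name = ?",
                        (name,)).fetchone()[0]


def transfer(conn, src: str, dst: str, amount: int) -> bool:
    """Move amount from src to dst as one transaction.

    The credit is issued first on purpose: if the debit then violates the
    CHECK constraint (overdraft), the 'with conn:' block rolls back both
    statements, so the credit never becomes visible. On success it commits.
    """
    try:
        with conn:
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?",
                         (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> dict:
    conn = make_ledger()
    ok = transfer(conn, "alice", "bob", 50)          # succeeds: alice 50, bob 70
    overdraft = transfer(conn, "alice", "bob", 500)  # fails: alice would go negative
    return {"ok": ok, "overdraft": overdraft,
            "alice": balance(conn, "alice"), "bob": balance(conn, "bob")}


if __name__ == "__main__":
    print(demo())
```

Without the transaction, the failed transfer would leave bob credited with 500 that was never debited from alice; with it, the rollback returns both rows to the state after the first, successful transfer.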

transferring One of the techniques used to manage risk. The risk is transferred by shifting responsibility to another party. Risk can be completely shifted by transferring the risk or shared by partially transferring the risk. This can be done by purchasing insurance or outsourcing the activity.

U

uncertainty level A method of indicating the accuracy of data. Data consistency is evaluated to determine a level of certainty. The uncertainty level can then be calculated as 100 minus the percentage of certainty.

unintentional threat A threat that doesn’t have a perpetrator. These threats include those in the following categories: environmental, human, accidents, and failures.

uninterruptible power supply (UPS) A battery or bank of batteries used to provide immediate power to systems if the main power source fails. UPS units are intended to provide short-term power, which gives a system enough time to shut down gracefully or switch over to a long-term power source.

United States Computer Emergency Readiness Team (US-CERT) Part of the National Cyber Security Division. The US-CERT provides response support and defense against cyberattackers. Its focus is on the protection of federal government resources. It collaborates and shares information with state and local governments and other public and private sectors.

U.S. Attorney General (U.S. AG) The senior federal law enforcement official; head of the U.S. Department of Justice and a member of the president’s cabinet.

V

version control A process that ensures that changes to files are controlled and tracked. Version control is often used with application development. Programmers check out a module or file, make their changes, and then check the file back in.

virtualization A technology that allows a single physical server to host multiple virtual servers, which saves money in hardware and facility costs. Additionally, virtualization can be used for disaster recovery because a virtual server can be copied as a file and easily moved to a different location.

vulnerability A weakness or exposure to a threat. The weakness can be in an asset or the environment. Controls mitigate risks related to vulnerabilities.

vulnerability assessment A process used to discover weaknesses in a system. The assessment prioritizes the vulnerabilities, which identifies the vulnerabilities with the greatest risk to the organization.

W

warm site An alternate location used for disaster recovery. This site is a compromise between a cold site and a hot site. It usually includes most of the equipment needed for operations. However, data will need to be updated. Management is able to match the desired cost with an acceptable amount of time for an outage by using a warm site. Other alternate locations are cold sites and hot sites.

web farm A group of several servers used to host a single website. A web farm allows a service to easily support more clients just by adding an additional server. If a server in the web farm fails, clients will not be directed to that server, which provides a measure of fault tolerance.

web of trust A decentralized trust model used in Pretty Good Privacy (PGP)- and OpenPGP-compatible systems to ensure that the binding between a public key and its owner is authentic. Users sign each other's keys, and a key is trusted when enough trusted users have signed it. It is an alternative to a PKI, which relies on a CA.

whitelist A list used in a spam filter to allow email. It is a list of email addresses or email domains. You add the addresses or domains to the whitelist to ensure that email from these sources is not marked as spam.
