Glossary of Key Terms

A

Acceptable use policies (AUPs) | Formal written policies that describe proper and unacceptable behavior when using computer and network systems. For example, an acceptable use policy may set rules on what type of Web site browsing is permitted or if personal e-mails over the Internet are allowed.

Access control list (ACL) | An implementation technique to control access to a resource by maintaining a table of authorized user IDs.

Active content | Software or plug-ins that run within a client browser, usually on certain Web sites. Examples include Java applets, JavaScript, and ActiveX controls.

Agent | In the context of distributed infrastructure, a piece of code that sits on a distributed device, such as the laptop or tablet of a mobile sales representative, to manage it. An agent typically reports the state of the device to the central server, reports any malware detected, and receives commands and updates.

Agentless central management tool | In the context of distributed infrastructure, a piece of software housed on the central server that “pushes” changes, such as updates, to remote devices.

Apathy | A state of indifference, or the suppression of emotions such as concern, excitement, motivation, and passion.

Application software | Generally any business software that an end user (including customers) touches is considered an application. This includes e-mail, word processing, and spreadsheet software.

Architecture operating model | A framework for helping an organization understand how security controls are to be implemented. One common issue for the organization is that of centralization or decentralization of security within the business. An architecture operating model discussion can identify areas of disagreement and create a common set of beliefs on the proper placement and implementation of controls.

Architecture review committee | A gateway committee that approves standard technologies and architectures.

Attribute-based access control (ABAC) | An authorization control that relies on dynamic roles rather than the static roles of role-based access control. In ABAC, an access decision is made by evaluating, at run time, an expression built from attributes (of the user, the resource, and the environment) rather than from a fixed role assignment.

Audit | The act of recording relevant security events that occur on a computing or network device (server, workstation, firewall, etc.). Can also refer to a review of business and financial processes and files by an auditor.

Audit committee | A committee that deals with audit issues and non-financial risks.

Auditor | An individual accountable for assessing the design and effectiveness of security policies. Auditors may be internal or external to an organization.

Authentication | The process of determining the identity of an individual or device.

Authorization | The process of granting permission to some people to access systems, applications, and data.

Automated control | A security control that stops behavior immediately and does not rely on human decisions.

Automatic declassification | Automatically removing a classification after a certain period of time, such as 25 years.

Availability | Ensuring accessibility of information to authorized users when required.

B

Best fit access privileges | Refers to an approach to granting systems access. Best fit privilege provides a group or class of users only the access they need to do their job. Compare with least access privileges, an approach that typically customizes access to individual users.

Best practices | Leading techniques, methodologies, or technologies that through experience have proved to be very reliable. Best practices tend to produce consistent and quality results.

Bolt-on | In terms of information security, refers to adding information security as a distinct layer of control. Bolt-on security is the opposite of integrated security, in which information security controls are an integral part of the process design and not a separate distinct layer.

Breach | A confirmed event that compromises the confidentiality, integrity, or availability of information.

Bring Your Own Device (BYOD) | A policy of allowing employees, contractors, and others to sign on to their organization’s network with their own phones, computers, and other devices rather than equipment belonging to the organization.

Business as usual (BAU) | A term used with reference to an organization’s budget, to mean normal spending. Integrating the costs of governance into an organization’s BAU budget makes these costs seem like a normal operating expense rather than something exceptional.

Business continuity plan (BCP) | A plan on how to continue business after a disaster. A BCP includes a disaster recovery plan (DRP) as a component.

Business continuity representative | An individual who understands the organization’s capability to restore the system, application, network, or data. This individual also has access to call lists to contact anyone in the organization during off hours.

Business impact analysis (BIA) | A formal analysis to determine the impact on an organization in the event that key processes and technology are not available.

Business process reengineering (BPR) | A management technique used to improve the efficiency and effectiveness of a process within an organization.

C

Chain of custody | A legal term referring to how evidence is documented and protected. Evidence must be documented and protected from the time it’s obtained to the time it’s presented in court.

Change agent | A person who challenges current thinking.

Change management | The practice of managing upgrades to an IT system, including understanding the impact of change and knowing how to recover if something goes wrong.

Chief information officer (CIO) | The person who determines the overall strategic direction and business contribution of the information systems function in an organization; often the one within the organization designated as accountable for information security.

Chief information security officer (CISO) | The person within an organization responsible for securing anything related to digital information; this person often has a role in ensuring the organization’s compliance with the information security provisions of laws such as the Gramm-Leach-Bliley Act. Sometimes referred to simply as information security officer (ISO).

Chief privacy officer (CPO) | The most senior leader responsible for managing risks related to data privacy.

Committee of Sponsoring Organizations (COSO) | An organization that developed a framework for validating internal controls and managing enterprise risks; focuses on financial operations and risk management.

Communications plan | A document that outlines what information is to be shared and how that information will be disseminated.

Compensating control | A security control that achieves the desired outcome and policy intent, but doesn’t necessarily achieve it the way the policy says to do it. The outcome is the same, however.

Compliance | The ability to reasonably ensure conformity and adherence to organization policies, standards, procedures, laws, and regulations.

Compliance officer | An individual accountable for monitoring adherence to laws and regulations.

Compliance risk | The impact on the business of failing to comply with legal obligations.

Computer-based training (CBT) | Training done partly or fully on computer-based channels of communication, such as the Internet or through training software.

Confidential | A level of government classification that refers to data in which unauthorized disclosure would reasonably be expected to cause some damage to the national security.

Confidentiality agreement (CA) | Legally binding agreements on the handling and disclosure of company material.

Confidentiality | Limiting access to information/data to authorized users only.

Configuration management (CM) | A collection of activities that track system configuration. It starts with a baseline configuration. It continues through a system’s life cycle including changing and monitoring configurations.

Consumer rights | Established rules on how consumers and their information should be handled during an e-commerce transaction.

Contingent accounts | Accounts used to recover a system in case of disaster; such accounts need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data. This elevated level of access makes such accounts prime targets for hackers.

Continuous improvement | An ad hoc, ongoing effort to improve business products, services, or processes.

Contractors | Temporary workers who can be assigned to any role.

Control environment | A term describing the overall way in which an organization’s controls are governed and executed.

Control Objectives for Information and related Technology (COBIT) | A widely accepted framework that brings together business and control requirements with technical issues.

Control partners | People within an organization whose responsibility it is to offer an opinion on the soundness and impact of security policy. Control partners often work in the areas of internal audit or operational risk, or the compliance or legal departments of their organizations.

Coordinated operating model | An operating model in which the technology solution shares data across the enterprise, but there is only minimal sharing and standardization of services.

Corrective control | A security control that restores a system or process.

Critical infrastructure | Assets that are essential for the society and economy to function, such as key elements of the transportation, energy, communications, banking, and other systems.

Cyberterrorism | An attack that attempts to cause fear or major disruptions in a society through attacking government computers, major companies, or key areas of the economy.

D

Data administrator | Implements policies and procedures such as backup, versioning, uploading, downloading, and database administration.

Data at rest | The state of data stored on any type of media.

Data classification | The level of protection assigned to data based on its type.

Data custodian | An individual responsible for the day-to-day maintenance of data and the quality of that data. May perform backups and recover data as needed. A data custodian also grants access based on approval from the data owner.

Data encryption | When data is encrypted, the actual information can be viewed only when the data is decrypted with a key.

Data in transit | The state of data when traveling over or through a network.

Data leakage | Unauthorized sharing of sensitive company information, whether intentional or accidental.

Data leakage protection (DLP) | A formal program that reduces the likelihood of accidental or malicious loss of data. May also stand for “Data Loss Protection.”

Data loss protection (DLP) | A formal program that reduces the likelihood of accidental or malicious loss of data. May also stand for “Data Leakage Protection.”

Data manager | An individual who establishes procedures on how data should be handled.

Data owner | An individual who approves user access rights to information that is needed to perform day-to-day operations.

Data privacy | The laws that set expectations on how your personal information should be protected and the limits placed on how that data may be shared.

Data security administrator | One who grants access rights and assesses information security threats to the organization.

Data steward | Owner of data and approver of access rights; responsible for data quality.

Data user | The end user of an application. A data user is accountable for handling data appropriately by understanding security policies and following approved processes and procedures.

Declassification | The process of changing the status of classified data to unclassified data.

Defense in depth | The approach of using multiple layers of security to protect against a single point of failure.

Demilitarized zone (DMZ) | Taken from the military, a buffer between two opposing forces. With regards to networks, it is the segment that sits between the public Internet and a private local area network (LAN). A DMZ is built to protect private LANs from the Internet. It uses a series of firewalls, routers, IDSs, and/or IPSs. The DMZ is where public Web servers, e-mail servers, and public DNS servers are located.

Detective control | A manual security control that identifies a behavior after it has happened.

Digital assets | Any digital material owned by an organization including text, graphics, audio, video, and animations.

Disaster recovery plan (DRP) | A plan to recover an organization’s IT assets during a disaster, including software, data, and hardware.

Discovery management | In the context of workstation central management systems, refers to processes that determine what is installed on a workstation. It could also refer to knowing what information sits on a workstation.

Distributed infrastructure | A term for an organization’s collection of computers, including laptops, tablets, and smartphones, networked together and equipped with distributed system software, so that they work together as one, even though from various locations.

Diversified operating model | An operating model in which the technology solution has a low level of integration and standardization within the enterprise. Typically, the exchange of data and use of services outside the business unit itself is minimal.

Division of labor | How various tasks are grouped into specialties to enhance the depth and quality of work product.

Domain | A logical piece of an organization’s technology infrastructure with similar risks and business requirements.

Dormant account | An account that hasn’t been used for an extended period of time.

Due care | A legal term that refers to the effort made to avoid harm to another party. It essentially refers to the care that a person would reasonably be expected to exercise under particular circumstances.

E

Early adopter | One who adopts a security policy early on as a type of pilot. Early adopters provide useful feedback to the IT team, and can serve as role models of good practice for other users within the organization.

E-mail policy | A policy that discusses what’s acceptable when using the company e-mail system.

Enterprise data management (EDM) | The discipline of creating, integrating, securing, disseminating, and managing data across the enterprise. Larger organizations may have a dedicated EDM team.

Enterprise risk management (ERM) | A framework that aligns strategic goals, operations effectiveness, reporting, and compliance objectives; not technology specific.

Entitlement | A fine-grained granting of access to information resources, often facilitated through use of an application gateway. For example, an application can allow a user to approve a payment but limit the amount to less than $1,000.

Escalation | In the context of information security, refers to a process by which senior leaders through a chain of command are apprised of a risk. An escalation continues one level of organizational structure at a time until the issue is addressed or the escalation reaches the highest level of the organization.

Evangelists | People with enthusiasm for a cause or project. Evangelists often gain acceptance for a project from a wide audience.

Evidence | 1. Information that supports a conclusion. 2. Material presented to a regulator to show compliance.

Exception | A deviation from a centrally supported and approved IT security standard. Exceptions can come about because of a lack of preparedness by the organization to comply with a standard or due to the use of a technology that has not been sanctioned by the standards.

Executive | A senior business leader accountable for approving security policy implementation, driving the security message within an organization, and ensuring that policies are given appropriate priority.

Executive committee | A committee that helps align the security committee to organization goals and objectives.

Executive management sponsorship | Getting senior management to participate in training to improve the effectiveness of security policies.

External connection committee | A gateway committee that approves external data connections.

F

Federal Desktop Core Configuration (FDCC) | A standard image mandated for use on all systems running Windows XP or Vista in any federal agency. This image locks down the operating system with specific security settings.

File Transfer Protocol (FTP) | A protocol used to exchange files over a local area network (LAN) or wide area network (WAN).

Financial risk | Events that could potentially impact the business when it fails to provide adequate liquidity to meet its obligations.

Firecall-ID process | Granting elevated rights temporarily to enable a person to resolve a problem quickly. Provides emergency access to unprivileged users.

Firewall | A device that filters the traffic in and out of a local area network (LAN). Many firewalls can do deep packet inspection, in which they examine the content, as well as the type, of the traffic. A firewall can be used internally on the network to further protect segments. Firewalls are most commonly used to filter traffic between the public Internet and an internal private LAN.

Flat network | A network with little or no controls that limit network traffic.

Flat organizational structure | An organization with few layers separating the leaders from the bottom ranks of workers.

Full disclosure | The concept that an individual should know what information about them is being collected. An individual should also be told how that information is being used.

G

Gateway committees | Committees that review technology activity and provide approvals before the project or activity can proceed to the next stage.

General counsel | The highest ranking lawyer in an organization, who usually reports to the president or chief executive officer. He or she is asked to give legal opinions on various organization issues, participate in contract negotiations, and to act as a liaison with outside law firms retained by the organization.

Globalization | The development of a world economy held together by advanced technology for communications, transportation, and finance.

Gold master | A master image that is copied for deployment. Use of golden images saves time by eliminating the need for repetitive configuration changes and performance tweaks. It ensures that all systems imaged using a copy of the gold master are configured the same.

Governance | The act of managing implementation and compliance with organizational policies.

Governance, risk management, and compliance (GRC) | A set of tools that bring together the capabilities to systematically manage risk and policy compliance.

Granularity | The level of detail a set of security policies goes into. The more granular a policy, the easier it is to enforce and to detect violations. But less granular policies may be more helpful in responding to new threats.

Group Policy | An automated management tool used in Microsoft domains. Administrators can configure a setting one time in Group Policy and it will apply to multiple users and computers.

Guideline | A parameter within which a policy, standard, or procedure is recommended when possible but is optional.

H

Harden | To eliminate as many security risks as possible by reducing access rights to the minimum needed to perform any task, ensuring access is authenticated to unique individuals, removing all nonessential software, and other configuration steps that eliminate opportunities for unauthorized access.

Head of information management | A role that deals with all aspects of information such as security, quality, definition, and availability; responsible for data quality.

Help desk management | In the context of workstation central management systems, services that provide support to the end user. This includes allowing the help desk technician to remotely access the workstation to diagnose problems, reconfigure software, and reset IDs.

Hierarchical organizational structure | An organization with multiple layers of reporting, which separates leaders from the bottom ranks of workers.

Highly sensitive classification | A classification level used to protect highly regulated data or strategic information.

Honeypot | A network security device that acts as a decoy to analyze hacker activity.

Human resources representative | An individual who is an expert on HR policies and disciplinary proceedings or employee counseling.

I

Imaging | A technology used to create baselines of systems. An image is captured from a source computer. This image can then be deployed to other systems. Images include the operating system, applications, configuration settings, and security settings.

Incident | An event that violates an organization’s security policies.

Incident response team (IRT) | A specialized group of people whose purpose is to respond to major incidents.

Information assurance | The implementation of controls designed to ensure confidentiality, integrity, availability, and non-repudiation.

Information security | The act of protecting information or data from unauthorized use, access, disruption, or destruction.

Information security officer (ISO) | See chief information security officer.

Information security program charter | A capstone document that establishes the reporting lines and delegation of responsibilities for information security to management below the organization’s chief executive officer (CEO) or other executive leader.

Information security representative | In the context of an IRT team, an information security representative provides risk management and analytical skills. A representative may also have specialized forensic skills for collecting and analyzing evidence.

Information security risk assessment | A formal process to identify threats, potential attacks, and impacts to an organization.

Information systems security (ISS) | The act of protecting information systems or IT infrastructures from unauthorized use, access, disruption, or destruction.

Information systems security management life cycle | The five-phase management process of controlling the planning, implementation, evaluation, and maintenance of information systems security.

Information systems security policies | Collections of documents that outline the controls, actions, and processes to be performed by an organization to protect its information systems.

Information Technology and Infrastructure Library (ITIL) | A framework that contains a comprehensive list of concepts, practices, and processes for managing IT services.

Information technology subject matter expert | An individual who has intimate knowledge of the systems and configurations of an organization. This individual is typically a developer, system administrator, or network administrator. He or she has the technical skills needed to make critical recommendations on how to stop an attack.

Insider | An employee, consultant, contractor, or vendor. The insider may even be the IT technical people who designed the system, application, or security that is being hacked. The insider knows the organization and the applications.

Integrated audit | An audit in which two or more audit disciplines are combined to conduct a single audit.

Integrity | The act of ensuring that information has not been improperly changed.

Intellectual property (IP) | Any product of human intellect that is unique and not obvious with some value in the marketplace.

Interactive | Refers to system accounts (also known as service accounts) to which it is possible for someone to log on. System accounts, because of their high level of access, are attractive to hackers. Interactivity makes these accounts more vulnerable to hackers. Non-interactive system accounts are much more secure.

Internal classification | A classification level for data that would cause disruption to daily operations and some financial loss to the business if leaked.

International Organization for Standardization (ISO) | An organization that creates widely accepted international standards on information security and IT risks.

Internet filters | Software that blocks access to specific sites on the Internet.

Intrusion detection system (IDS) | A series of software agents, appliances, and servers that monitor for network activity that is deemed a threat, alerts administrators, and logs the information. IDSs operate by matching signatures of known possible network attack traffic or by building over time a baseline of normal behavior then alerting on traffic that is anomalous to that normal pattern of behavior.

Intrusion prevention system (IPS) | A system that intercepts potentially hostile activity prior to it being processed.

Inventory management | In the context of workstation central management systems, refers to tracking what workstation and related network devices exist. This usually takes place whenever a workstation connects to the local area network (LAN).

IRT coordinator | The person who keeps track of all the activity of the IRT during an incident. He or she acts as the official scribe of the team. All activity flows through this person, who records who is doing what.

IRT manager | The IRT manager is the team lead. This individual makes all the final calls on how to respond to an incident. He or she is the interface with management.

ISO/IEC 27000 series | Information security standards published by the ISO and by the International Electrotechnical Commission (IEC). ISO/IEC 27002, for example, provides best practice recommendations on information security management for those who are responsible for initiating, implementing, or maintaining an information security management system.

Issue-specific standard | A standard that focuses on areas of current relevance and concern to an organization. Such standards are used to express security control requirements, typically for non-technical processes, and are used to guide human behavior.

IT policy framework | A logical structure that is established to organize policy documentation into groupings and categories that make it easier for employees to find and understand the contents of various policy documents. Policy frameworks can also be used to help in the planning and development of the policies for an organization.

L

Label | A mark or comment placed inside the document itself indicating a level of protection.

LAN Domain | This domain refers to the organization’s local area network (LAN) infrastructure. A LAN allows two or more computers to be connected within a small area. The small area could be a home, office, or group of buildings.

LAN-to-WAN Domain | This domain refers to the technical infrastructure that connects the organization’s local area network (LAN) to a wide area network (WAN), such as the Internet. This allows end users to surf the Internet.

Law | Any rule prescribed under the authority of a government entity. Establishes legal thresholds.

Layered security approach | Having two or more layers of independent controls to reduce risk.

Least access privileges | Refers to the principle of granting users only the systems access they need to accomplish their jobs. Typically this is done by customizing access to individuals. Compare with best fit access privileges, an approach that typically customizes access to a group or class of users.

Legal representative | An individual who has an understanding of laws and regulatory compliance.

Lessons learned | Knowledge gained from a particular experience, such as the implementation of a policy change. Lessons learned can be shared with others, turned into standard procedure, and applied to similar situations in the future.

Log management | In the context of workstation central management systems, refers to extracting logs from the workstation, typically by moving them to a central repository. These logs are later scanned for security weaknesses or patterns of problems.

Log server | A separate platform used to collect logs from platforms throughout the network.

M

Mandatory declassification | A process of reviewing specific records when requested and declassifying them if warranted.

Manual control | A security control that does not stop behavior immediately and relies on human decisions.

Matrix relationships | The complex relationships between multiple stakeholders in an organization.

Mitigating control | A security control after the fact. It assumes the absence or breakdown of a primary control. A mitigating control addresses the security issue at hand, but may not achieve a policy’s full intent.

Multifactor authentication | Authentication of users on a network by more than one factor, such as a combination of password and access code.

N

Nation-states | Sovereign countries with their own national governments.

National Institute of Standards and Technology (NIST) | A U.S. organization that publishes guidelines on security controls for federal information systems.

Need to know | A principle that restricts information access to only those users with an approved and valid requirement.

NIST SP 800-53 | A publication of the U.S. National Institute of Standards and Technology (NIST), titled “Recommended Security Controls for Federal Information Systems and Organizations.”

Nondisclosure agreement (NDA) | Legally binding agreement on the handling and disclosure of company material. This is also known as a confidentiality agreement.

Nonrepudiation | The concept of applying technology in a way that an individual cannot deny or dispute that they were part of a transaction.

O

Operational deviation | The difference between what policies and procedure state should be done and what is actually performed.

Operational risk | An event that disrupts the daily activities of an organization.

Operational risk committee | A committee that provides important information on the risk appetite of the organization and various businesses.

Opt-in | The practice of agreeing to use of personal information beyond its original purpose. An example of opt-in is asking a consumer who just sold his or her home if the real-estate company can share the consumer’s information with a moving company.

Opt-out | The practice of declining permission to use personal information beyond its original purpose. For example, a consumer who just sold his or her home may decline permission for the real estate company to share his or her information with a moving company.

Organizational culture | The traditions, customs, patterns of behavior, values, and beliefs shared by members of an organization. Anyone seeking to introduce change into an organization, such as a new set of security policies, must know and take account of organizational culture.

Outdated technology | Hardware or software that makes it difficult to implement best practices consistently.

P

Patch management | Refers to making sure that devices on the network, such as workstations and servers, have current patches from the vendor. It’s particularly important to apply security patches in a timely way to address known vulnerabilities.

Payment Card Industry Data Security Standard (PCI DSS) | A worldwide information security standard that describes how to protect credit card information. If you accept Visa, MasterCard, or American Express, you are required to follow PCI DSS.

Penetration test | A test designed not just to identify but to actually exploit weaknesses in system architecture or the computing environment.

Personal privacy | In e-commerce, broadly deals with how personal information is handled and what it is used for.

Personally identifiable information (PII) | Sensitive information used to uniquely identify an individual in a way that could potentially be exploited.

Pervasive control | A common control, such as the same ID and password, which is used across a significant population of systems, applications, and operations.

Policy | A document that states how the organization is to perform and conduct business functions and transactions with a desired outcome.

Policy definitions document | A glossary for an organization’s security policies, ideally clear and concise, often used by auditors and regulators when evaluating the soundness of an organization’s controls.

Policy framework | A structure for organizing policies, standards, procedures, and guidelines.

Policy principles document | A document that communicates general rules that cut across the entire organization. The principles focus on key risks or behaviors and express core values of the organization that often include the areas where there will be zero tolerance for transgression.

Pretexting | When a hacker outlines a story in which the employee is asked to reveal information that weakens security.

Preventive control | An automated security control that stops a behavior immediately.

Privacy policy | Places importance on privacy in the business and discusses the regulatory landscape and government mandates. This policy often talks about physical security and the importance of “locking up” sensitive information.

Privileged-level access agreement (PAA) | Designed to heighten the awareness and accountability of those users with administrator rights.

Procedure | A written statement describing the steps required to implement a process.

Project committee | A gateway committee that approves project funding, phases, and base requirements.

Public classification | A classification level for data that has no negative impact on the business if released to the public.

Public record | Any record required by law to be made available to the public. These types of records are made or filed by a governmental entity.

Public relations representative | In the context of an IRT team, it is an individual who can advise on how to communicate to the public and customers that might be impacted by the incident. This person is valuable in ensuring that accurate information gets out and damaging misconceptions are prevented.

Q

Quality assurance | A kind of preventive, before-the-fact control within an organization that prevents mistakes from happening.

Quality control | A kind of detective, after-the-fact control that affords an organization opportunities to learn from its mistakes.

R

Recovery point objectives (RPOs) | The maximum acceptable levels of data loss after a disaster.

Recovery time objective (RTO) | A measure of how quickly a business process should be recovered after a disaster. The RTO identifies the maximum allowed downtime for a given business process.

Reduction in force | Laying off employees or down-sizing to save money.

Regulations | Established rules of what an organization has to do to meet legal requirements.

Remote Access Domain | This domain refers to the technology that controls how end users connect to the organization’s local area network (LAN). A typical example is someone needing to connect to the office from his or her home.

Remote authentication | Enhanced authentication over what’s typically found in the office. Usually it requires more than an ID and password, such as a security token or smartcard.

Replicated operating model | An operating model in which the technology solution shares services across the enterprise, but the level of data sharing is minimal.

Residual risk | The risk that remains after all the controls have been applied.

Risk | The likelihood or probability of an event and its impact.

Risk appetite | Understanding risks and determining how much potential risk and related problems the business is willing to accept.

Risk and control self-assessment (RCSA) | A tool that allows an organization to understand its risks and their potential impact on the business. It is a formal exercise many organizations conduct annually.

Risk assessment | See information security risk assessment.

Risk culture | The way an organization normally deals with risk; for instance, whether by following security policies consistently or not. The leaders of an organization are usually a strong influence on its risk culture.

Risk Evaluation | A domain in the ISACA Risk IT framework that calls for analyzing risk and determining impact on the business.

Risk Governance | A domain in the ISACA Risk IT framework that ensures that risk management activity aligns with the business goals, objectives, and tolerances.

Risk Response | A domain in the ISACA Risk IT framework that specifies the ability to react so that risks are reduced and remedied in a cost-effective manner.

Risk tolerance | The dominant view within an organization of how much risk is acceptable.

Roadshow | In the information security context, a presentation before a large group, on a topic such as a new security policy. A roadshow may involve gathering all employees of a company into a large auditorium, or simply showing up as a guest speaker at a department’s regular staff meeting.

Role based access control (RBAC) | A system of granting users access to a network on the basis of their “role” rather than individual identity. An accounting firm may have a role of “accountant,” for instance, and all newly hired accountants may be assigned the same package of access privileges.

Router | Connects local area networks (LANs) or a LAN and a wide area network (WAN).

S

Secret | A level of government classification that refers to data, the unauthorized disclosure of which would reasonably be expected to cause serious damage to the national security.

Security awareness program | Training about security policies, threats, and handling of digital assets.

Security baseline | Defines a set of basic configurations to achieve defined security objectives. These defined security objectives are typically represented by security policies and a well-defined security framework.

Security committee | A committee that acts as a steering committee for the information security program.

Security compliance committee | A gateway committee that approves uses of specific controls for compliance.

Security Content Automation Protocol (SCAP) | A group of specifications that standardize how security software products measure, evaluate, and report compliance. NIST created SCAP and several private companies created SCAP-compliant tools.

Security control mapping | When related to compliance, it’s the mapping of regulatory requirements to policies and controls.

Security event | Any undesirable event that occurs outside the normal daily security operations. Typically, a security event relates to a breakdown in controls as defined by the security policies.

Security management | Refers to managing security in an organization, usually IT security. This can include making sure end users have limited rights and access controls are in place, among many other techniques and processes.

Security personnel | Individuals responsible for designing and implementing a security program within an organization.

Security policy compliance | Adherence to the organization’s set of rules with regard to security policies.

Security policies | A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements.

Security token | A hardware device or software code that generates a token (usually represented as a series of numbers) at logon. A security token is extremely difficult and some say impossible to replicate. When assigned to an individual as part of his or her required logon, it provides assurance of who is accessing the network.

Segmented network | A network that limits how computers are able to talk to each other.

Segregation of duties | Another term for separation of duties.

Sensitive but unclassified | A level of government classification that refers to data that is confidential and not subject to release under the Freedom of Information Act.

Sensitive classification | A classification level for data that would mean significant financial loss if leaked.

Separation of duties (SOD) | A requirement that high-risk tasks be divided so that it takes more than one person to perform them. The idea is to prevent employees from concealing errors or fraud in the normal course of their duties.

Service level agreement (SLA) | The portion of a service contract that formally defines the level of service. These agreements are typical in telecommunications contracts for voice and data transmission circuits.

Shareholder | A person who buys stock in a company (investor).

Simple Network Management Protocol (SNMP) | A protocol used to query and manage network devices. SNMP v1 had known vulnerabilities such as transmitting the community name in clear text. SNMP v2 and v3 improved security and performance of SNMP.

Sniffer | A network device that can read communications traffic on a local area network (LAN).

Social engineering | Manipulating or tricking a person into weakening the security of an organization.

Span of control | Relates to the number of areas of control achieved through the number of direct reports found in an organization.

Standard | An established and proven norm or method. This can be a procedural standard or a technical standard implemented organization-wide.

Stateful firewall | A firewall that watches all the traffic for a given connection. It inspects packets containing data, looking for patterns and sequences that don’t make sense. This is useful to block packets from someone pretending to be someone else in an attempt to hijack your session.

Stateless firewall | A firewall that restricts and blocks traffic based on source and destination addresses or other static values. It looks at each data packet independently.

Statement on Standards for Attestation Engagements No. 16 (SSAE16) | A standard created by the American Institute of Certified Public Accountants for auditing an organization’s control environment, including information security controls.

Strategic risk | An event that may change how the entire organization operates.

Structured Query Language (SQL) injection | A type of attack in which the hacker adds SQL code to a Web or application input box to gain access to or alter data in the database.

Structured Query Language (SQL) | A standardized language used to access a database.

Switch | A piece of equipment that is similar to a hub but can filter traffic. You can set up rules that control what traffic can flow where. Unlike hubs that duplicate the traffic to all ports, a switch typically routes traffic only to the port where the system is connected. This reduces network traffic, thus reducing the chance of someone intercepting the traffic.

System access policy | Rules of conduct on how and when access to systems is permitted. This policy covers end user credentials like IDs and passwords. The policy may also be specific to the business or application, such as the use of role based access control (RBAC).

System software | Software that supports the running of the applications.

System/Application Domain | This domain refers to the technology needed to collect, process, and store the information. It includes controls related to hardware and software.

Systematic declassification | A process of reviewing records exempted from automatic declassification and then removing the data from classification.

Systems administrators | IT staff who provide administrative support to the systems and databases.

System-specific standard | A standard that focuses on specific technology or systems being used within an organization. These are used to express the security control implementation requirements for some specific technology.

T

Target state | A term used in technology to describe a desired future state of information security, including policy goals and objectives and the tools, processes, and resources needed to achieve them.

Taxonomy | The practice and science of classification. A hierarchical taxonomy is a tree structure of classifications for a given set of objects or documents.

Threat | A human or natural event that could impact the system.

Threat vector | A general information security term to describe a tool or path by which a hacker can gain unauthorized access.

Tone at the top | The message from an organization’s leadership on a given subject. When senior executives voice support for a policy, they are said to be setting the tone at the top.

Top Secret | A level of government classification that refers to data, the unauthorized disclosure of which would reasonably be expected to cause grave damage to the national security.

Town hall meeting | A gathering of teams to make announcements and discuss topics.

Trouble ticket | A complete record of what access was granted and the business reason behind it in order to resolve a problem.

Two-factor authentication | Requires end users to authenticate their identity using at least two of three different types of credentials. The three most commonly accepted types of credentials are something you know, something you have, and something you are.

U

Unclassified | A level of government classification that refers to data available to the public.

Unified operating model | An operating model in which the technology solution both shares data and has standardized services across the enterprise.

User Domain | This domain refers to any user accessing information. This includes customers, employees, consultants, contractors, or any other third party. These users are often referred to as an “end user.”

User proxy | An application firewall that is used to control the flow of traffic to and from the Internet to user workstations attached to a local area network (LAN). The proxy intercepts the user’s request for an Internet resource, initiates a new connection, and proxies the result back to the requestor.

V

Value delivery | Focusing resources to deliver the greatest benefits.

Vendor governance committee | A gateway committee that approves new vendors and has oversight of existing vendors. This includes making sure new vendors meet minimum security policy requirements such as having a formal contract in place and adequate proof of security controls.

Virtual private network (VPN) | A VPN is set up between two devices to create an encrypted tunnel. All communications are protected from eavesdropping and considered highly secure.

Vulnerability | A weakness in a system that can be exploited.

W

WAN Domain | This domain includes wide area networks (WANs), which are networks that cover large geographical areas. The Internet is an example of a WAN. A private WAN can be built for a specific company to link offices across the country or globally.

Web graffiti | Alterations to a Web page that result from a Web site defacement attack. Web site graffiti can contain abusive language or even pornographic images.

Web services | Automated information services over the Internet using standardized technologies and formats/protocols that simplify the exchange and integration of data. Web services help organizations to interoperate regardless of the types of operating systems, programming languages, and databases being used.

Web site defacement | An attack on a Web site in which the site’s content is altered, usually in a way that embarrasses the Web site owner.

Web-Based Enterprise Management (WBEM) | A set of standards and technologies used to query and manage systems and applications in a network. It is used on the Internet and internal networks. WBEM capabilities are built into GUI-based applications and command line applications.

Workstation Domain | This domain refers to any computing device used by end users. This usually means a desktop or laptop that is the main computer for the end user.
