802.1X   Port-based network access control. 802.1X denies a device access to the network segment to which it is physically connected (a switch port or a wireless association) until the user or device has authenticated, typically by carrying EAP to a RADIUS server.
802.11x   Shorthand for referring to all the 802.11 technologies: 802.11a, 802.11b, 802.11g, and 802.11n.
AES   Advanced Encryption Standard. A symmetric-key encryption algorithm used by various technologies.
ARP   Address Resolution Protocol. A Layer 2 protocol used to determine the Layer 2 (MAC) address for a given Layer 3 address.
audit   A formal check to determine policy compliance, typically performed either by internal auditors at an organization or by an independent third party.
availability   The degree to which information is available when it is needed by authorized parties. Availability may be measured as the percentage of time information is available for use by authorized users. For example, a business website may strive for availability above 99 percent.
Balanced Scorecard (BSC)   A performance measurement framework that is intended to enrich traditional financial performance measures with strategic nonfinancial performance measures, thereby giving a more balanced view of organizational performance. Developed in the 1990s by Dr. Robert Kaplan (Harvard Business School) and Dr. David Norton. (For additional information, see www.balancedscorecard.org.)
Black Swan event   An event that is highly improbable and therefore likely to end up at the bottom of the list of priorities to address. See The Black Swan: The Impact of the Highly Improbable, by Nassim Taleb, for further reading on the theory of Black Swan events.
botnet   A malicious botnet is a network of compromised computers that is used to transmit information, send spam, or launch denial-of-service (DoS) attacks on the attacker’s specified target. Essentially, a malicious botnet is a group of computers, acting as a supercomputer, created by and managed by a hacker, fraudster, or cybercriminal.
brute force   A somewhat nontechnical approach to obtaining a password in which every combination of possible choices is attempted until the correct value is obtained.
BSS   Basic Service Set. The most basic group of wireless stations communicating to form a wireless network.
BSSID   Basic Service Set Identifier. A unique identifier for a BSS. It takes the same format as a MAC address.
captive portal   A technology that intercepts a user’s network session and prevents him from reaching the intended service until he has performed a specified task such as accepting the terms of service or providing authentication information.
CAPWAP   Control And Provisioning of Wireless Access Points. An open standard based on LWAPP for the configuration and management of wireless access points from a central controller.
CCMP   Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCM Protocol). An AES-based encryption and integrity technology used with WPA2 to replace the weaker TKIP protocol.
charter   A document that describes the specific rights and privileges granted from the organization to the information security team.
CIA   Confidentiality, integrity, and availability. CIA is an industry-standard acronym used to describe three of the most important concepts for a secure information system (sometimes referred to as the CIA triad).
cloud computing   As defined by the National Institute of Standards and Technology (NIST), cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
compliance   Adherence to a set of policies and standards. Two broad categories of compliance are compliance with internal policies (specific to a particular organization) and compliance with external or regulatory policies, standards, or frameworks.
confidentiality   The prevention of disclosure of information to unauthorized parties.
consultant   A subject matter expert who is contracted to perform a specific set of activities. Typically, a statement of work outlines the deliverables to be completed by the consultant and the deadlines for each deliverable.
core competencies   The fundamental strengths of a program that add value. They are the primary functions of a program and cannot or should not be done by outside groups or partners.
data cleansing   The actions performed on a set of data in order to improve the data quality and achieve better accuracy, completion, or consistency.
dirty data   Data that has unacknowledged correlation or undocumented origins or that is biased, non-independent, internally inconsistent, inaccurate, incomplete, unsuitable for integration with data from other important sources, unsuitable for consumption by tools that automate computation and visualization, or lacking integrity in some other respect.
EAP   Extensible Authentication Protocol. A protocol framework that carries various authentication methods (for example, PEAP or EAP-TLS); used by 802.1X and by the Enterprise modes of WPA and WPA2.
ESSID   Extended Service Set Identifier. Identifies one or more connected Basic Service Sets, typically referred to as the human readable network name.
false negative   A result that indicates no problem exists where one actually does exist, such as occurs when a vulnerability scanner incorrectly reports no vulnerabilities exist on a system that actually has a vulnerability.
false positive   A result that indicates a problem exists where none actually exists, such as occurs when a vulnerability scanner incorrectly identifies a vulnerability that does not exist on a system.
GPS   Global Positioning System. A global system that uses satellites to determine the precise location on Earth of GPS receivers.
honeypot   A system designed to lure a specific type of user, typically an attacker, by mimicking the attributes of a vulnerable system.
information classification standards   Standards that specify the treatment of data (requirements for storage, transfer, access, encryption, and so on) according to the data’s classification (public, private, confidential, sensitive, and so on).
information security   The protection of information and information systems from unauthorized access, use, disclosure, modification, or destruction. Also commonly referred to as data security, computer security, or IT security.
integrity   The prevention of data modification by unauthorized parties.
intercept of a line   Identifies the point where the line crosses the vertical y-axis. An intercept is typically expressed as a single value (b) but can also be expressed as the point (0, b).
IV   Initialization Vector. In WEP, a 24-bit value that is sent in the clear and prepended to the WEP key to form the per-frame RC4 key, intended to ensure that the same keystream is never used twice. Because the IV space is only 2^24 values, IVs repeat quickly on a busy network, and this keystream reuse is one of WEP's cryptographic weaknesses.
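The IV entry above says the 24-bit value is meant to keep the per-frame key from repeating; the WEP entry later in this glossary notes WEP's weaknesses. The following Python is an added worked example, not code from the book, showing how few frames it takes before a randomly chosen 24-bit IV repeats (the birthday bound), and how quickly a sequentially incremented IV wraps. The frame rate used is an assumption for illustration; the functions and names are this example's own.

```python
"""Added example: IV collisions in a 24-bit IV space (as used by WEP).

Shows (1) the birthday-bound probability that randomly chosen IVs collide,
(2) a simulation of random IV selection until the first repeat, and
(3) how long a sequential IV counter takes to wrap at an assumed frame rate.
"""
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IV values


def collision_probability(frames, space=IV_SPACE):
    """Probability that at least two of `frames` uniformly random IVs are
    equal, using the birthday approximation 1 - exp(-k(k-1) / (2N))."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(p, space=IV_SPACE):
    """Smallest number of random IVs at which a collision has probability
    at least p (inverts the approximation above)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    k = 0.5 + math.sqrt(0.25 - 2.0 * space * math.log(1.0 - p))
    return math.ceil(k)


def expected_frames_to_first_repeat(space=IV_SPACE):
    """Expected number of random IVs drawn before the first repeat,
    approximately sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2.0)


def first_repeat_random(seed=1):
    """Simulate a sender that picks IVs at random; return the frame number
    at which the first reused IV is sent. Deterministic for a given seed."""
    rng = random.Random(seed)
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return frame
        seen.add(iv)


def hours_until_sequential_wrap(frames_per_second):
    """A sender that increments the IV by one per frame reuses its first IV
    after IV_SPACE frames. Returns how many hours that takes at the given
    (assumed) frame rate."""
    if frames_per_second <= 0:
        raise ValueError("frame rate must be positive")
    return IV_SPACE / frames_per_second / 3600.0


if __name__ == "__main__":
    k50 = frames_for_probability(0.5)
    print(f"50% chance of an IV collision after {k50} random frames")
    print(f"expected first repeat after ~{expected_frames_to_first_repeat():.0f} frames")
    print(f"simulated first repeat (seed 1) at frame {first_repeat_random(1)}")
    # Assumed rate of 1000 frames/second for a busy access point.
    print(f"sequential IV counter wraps after {hours_until_sequential_wrap(1000):.2f} hours")
```

With random IV selection a repeat is more likely than not after only about 4,800 frames, and even a strictly sequential counter wraps in under five hours at 1000 frames per second, so on a busy network an attacker capturing traffic will see the same IV, and therefore the same RC4 keystream, reused.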
LWAPP   Lightweight Access Point Protocol. A protocol used to configure and manage multiple access points from a central controller.
MAC address   Media Access Control address. The address that uniquely identifies a node on a network at Layer 2.
metrics project distance   The amount of a change you want to achieve in your target measurement by the end of the metrics project.
metrics project timeline   How long you want to spend to achieve the metrics project distance.
mission statement   Outlines an information security program’s overall goals and provides guidelines for its strategic direction.
MITM attack   Man-in-the-middle attack. An attack in which an attacker is placed in the logical path between an end station and its destination in order to view or manipulate their communications.
objective desired direction   The direction in which you want the metrics project measurement to go to achieve the benefits of an information security metrics program, especially the benefit of improvement.
offshoring   Contracting work to resources in a different country (either third party or in-house).
online analytical processing (OLAP)   A specific type of data storage and retrieval mechanism that is optimized for swift queries that involve summarization of data along multiple factors or dimensions.
orchestration   The administrative oversight that ensures the workflow is executed as specified. Orchestration includes functions such as signing off on a metric definition, deploying its implementation, scheduling its calculation at regular intervals, and executing and delivering updates. See also workflow.
outsourcing   Contracting work to a third-party vendor.
PEAP   Protected EAP. An implementation of the EAP protocol within an encrypted TLS tunnel.
penetration test   An authorized test used to simulate the efforts of an attacker to determine weaknesses in a given system.
PKI   Public Key Infrastructure. The technology, servers, systems, and human processes that support public key cryptography and digital certificates.
PPTP   Point-to-Point Tunneling Protocol. A virtual private networking technology commonly seen on Windows platforms. Its MS-CHAPv2 authentication is cryptographically weak, and PPTP is now considered obsolete.
prioritization   An exercise in determining the relative importance of tasks, projects, and initiatives.
project management   Defining an end goal and identifying the activities, milestones, and resources necessary to reach that end goal.
project scope   Indicates project coverage, typically by identifying the different regions, different networks, and/or different groups of people the project encompasses.
quartiles   The division of all observations into four equal groups that hold the lowest one-fourth of all observed values (first quartile), the highest one-fourth of all observed values (fourth quartile), and the two middle fourths—one-fourth above and one-fourth below the median value (or the value that divides the set of observations into two equal halves).
RADIUS   Remote Authentication Dial-In User Service. A flexible system for authenticating users against a central database.
RASCI   A project management methodology for assigning roles in projects that involve many people and teams. Each letter in RASCI stands for a different type of role: Responsible, Approver, Supporter, Consultant, and Informed. Each role has corresponding responsibilities.
RBAC   Role-Based Access Control. A model in which access to a system is granted according to the roles a user holds within the organization, with permissions assigned to roles rather than to individual users.
Request for Proposal (RFP)   A document that an organization uses to solicit proposals for a project that has specific requirements. The organization can then use the responses to the RFP to evaluate and compare the proposals of multiple vendors.
ROI   Return on investment. The ratio of benefit to be gained to the cost of a given investment.
RSPAN   Remote Switch Port Analyzer. A system for forwarding traffic to a remote switch where it can be analyzed by packet-sniffing devices.
sacred cow   An idiom for a practice that is implemented simply because it is “how it’s always been done,” without regard for its usefulness or whether it can help achieve a target goal or outcome.
slope of a line   A value that represents how fast the y values are rising or falling as the x values of the line increase.
Slope of line = (y2 – y1) / (x2 – x1), where (x1, y1) and (x2, y2) are any two points on the line
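The quartiles, intercept of a line, slope of a line, metrics project distance, and metrics project timeline entries describe the arithmetic behind tracking a security metric over time. The following Python is an added worked example, not code from the book, that applies the two-point slope formula above, generalizes it to a least-squares trend line over a whole series, estimates how many periods remain until a target is reached, and computes quartiles of a set of observations. The monthly counts are constructed sample data; the function names are this example's own.

```python
"""Added example: trend line and quartiles for a security metric series."""
from statistics import median

# Constructed sample (not real data): (month index, hosts missing a critical patch)
SAMPLE_SERIES = [(1, 120), (2, 112), (3, 101), (4, 95), (5, 88), (6, 79)]


def two_point_slope(p1, p2):
    """Slope through two points, exactly as the glossary formula:
    (y2 - y1) / (x2 - x1)."""
    (x1, y1), (x2, y2) = p1, p2
    if x2 == x1:
        raise ValueError("x values must differ; a vertical line has no slope")
    return (y2 - y1) / (x2 - x1)


def least_squares_line(points):
    """Generalizes the two-point slope to a noisy series: returns
    (slope, intercept) of the ordinary least-squares line y = slope*x + b,
    where b is the y-intercept the glossary describes."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two points")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all x values are identical")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def periods_to_target(points, target):
    """Metrics project timeline estimate: how many x-units (months here)
    beyond the last observation until the fitted line reaches `target`.
    The gap between the last value and the target is the metrics project
    distance. Returns None if the trend is not moving toward the target."""
    slope, intercept = least_squares_line(points)
    last_x, last_y = points[-1]
    distance = target - last_y
    if distance == 0:
        return 0.0
    if slope == 0 or (distance < 0) != (slope < 0):
        return None
    x_at_target = (target - intercept) / slope  # solve slope*x + b = target
    return max(0.0, x_at_target - last_x)


def quartiles(values):
    """(Q1, median, Q3): the median of the lower half, of all values, and of
    the upper half; for an odd count the overall median is left out of
    both halves."""
    s = sorted(values)
    n = len(s)
    if n < 2:
        raise ValueError("need at least two observations")
    lower = s[: n // 2]
    upper = s[(n + 1) // 2:]
    return median(lower), median(s), median(upper)


if __name__ == "__main__":
    slope, intercept = least_squares_line(SAMPLE_SERIES)
    print(f"two-point slope (first to last): {two_point_slope(SAMPLE_SERIES[0], SAMPLE_SERIES[-1]):.2f}")
    print(f"least-squares slope {slope:.2f}, intercept {intercept:.2f}")
    print(f"months until 40 hosts remain: {periods_to_target(SAMPLE_SERIES, 40):.1f}")
    print("quartiles:", quartiles([y for _, y in SAMPLE_SERIES]))
```

The sign of the slope is the objective desired direction: for a count of unpatched hosts a negative slope is the improvement being sought, and `periods_to_target` returns None when the trend runs the wrong way rather than reporting a meaningless negative timeline.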
sniffer   Hardware and/or software that is capable of capturing and analyzing network traffic.
SPAN   Switch Port Analyzer. A network switch technology used to copy packets from one or more source ports to one or more destination ports, typically for the purposes of analyzing network traffic.
SSID   Service Set Identifier. Identifies one or more connected Basic Service Sets, typically referred to as the human readable network name.
SSL   Secure Sockets Layer. A cryptographic protocol used to create secure tunnels over an insecure network. Commonly used for creating secure HTTP connections over the Internet. All SSL versions are now deprecated in favor of TLS.
stakeholders   Leaders responsible for critical decision-making and key supporters who will drive change throughout the organization.
threat analysis   An alternative approach to risk management that involves identifying and analyzing potential attacks, threats, and risks and preparing countermeasures accordingly.
TKIP   Temporal Key Integrity Protocol. A temporary solution to help mitigate the risks from the cryptographic weaknesses in WEP.
TLS   Transport Layer Security. The next-generation replacement for the SSL protocol.
VLAN   Virtual local area network. A technology for creating multiple virtual networks at Layer 2 from one physical Layer 2 device.
VPN   Virtual private network. A technology that creates a secured virtual link between end systems over an insecure network.
wardriving   A method of discovering all the wireless networks available in a given area by “driving” in the area with appropriate wireless equipment.
WEP   Wired Equivalent Privacy. A technology used for authentication and encryption of communications for 802.11 networks. WEP is deprecated: weaknesses in its use of RC4 and its 24-bit IV allow an attacker who captures enough traffic to recover the key.
workflow   A collection of rules that govern the relationship of steps required to complete a process. Relationships might include sequence order, branching conditions, looping, and number of repetitions.
WPA   Wi-Fi Protected Access. An interim wireless security standard, built on TKIP, designed to mitigate the vulnerabilities in the WEP protocol on existing hardware; superseded by WPA2, which uses CCMP.