802.1X
A standard for network authentication and access control used to determine whether a device will be permitted to attach to a LAN or wireless LAN.
A-123
A U.S. Office of Management and Budget (OMB) government circular that defines the management responsibilities for internal controls in U.S. federal agencies.
acceptable interruption window (AIW)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
acceptable use policy
Security policy that defines the types of activities that are acceptable and those that are not acceptable. An acceptable use policy is generally written for general audiences, applying to all personnel in an organization.
access bypass
Any attempt by an intruder to bypass access controls to gain entry into a system.
access control
Any means that detects or prevents unauthorized access and that permits authorized access.
access control policy
Statement that defines the policy for the granting, review, and revocation of access to systems and work areas.
access governance
Policies, procedures, and activities that enforce access policy and management control.
access management
A formal business process that is used to control access to networks and information systems.
access recertification
The process of reconfirming subjects' access to objects in an organization.
access review
A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.
account lockout
An administrative lock that is placed on a user account when a predetermined event occurs, such as reaching an expiration date or when there have been several unsuccessful attempts to access the user account.
accumulation of privileges
A situation where an employee accumulates computer system access privileges over a long period of time because of internal transfers or other privilege changes and old access privileges not being removed.
administrative audit
An audit of operational efficiency.
administrative control
Controls in the form of policies, processes, procedures, and standards.
advanced persistent threat (APT)
A class of threat actor that uses an array of reconnaissance and attack techniques to establish a long-term presence within a target organization.
algorithm
In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.
allowable interruption window (AIW)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
annualized loss expectancy (ALE)
The expected loss of asset value due to threat realization. ALE is defined as SLE × ARO.
annualized rate of occurrence (ARO)
An estimate of the number of times that a threat will occur every year.
antiforensics
Any of several techniques whose objective is to make it more difficult for a forensic examiner to identify and understand a computer intrusion.
anti-malware
Software that uses various means to detect and block or prevent malware from carrying out its purpose.
antivirus software
Software that is designed to detect and remove computer viruses.
appliance
A type of computer with preinstalled software that requires little or no maintenance.
application firewall
A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.
architecture standard
A standard that defines technology architecture at the database, system, or network level.
assessment
An examination of a business process or information system to determine its state and effectiveness.
asset inventory
The process of confirming the existence, location, and condition of assets; also, the results of such a process.
asset management
The processes used to manage the inventory, classification, use, and disposal of assets.
asset value (AV)
The value of an IT asset, which is usually (but not necessarily) the asset's replacement value.
assets
The collection of property that is owned by an organization.
asymmetric encryption
A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.
asynchronous replication
A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead, there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system.
attack surface
A metaphor often used to depict a greater or lesser extent of attackable systems, services, and personnel in an organization, or the attackable programs, services, and features in a running operating system.
attestation of compliance
A written statement that serves as an assertion of compliance to a requirement, standard, or law. An attestation of compliance is often signed by a high-ranking official or executive.
attorney-client privilege
As defined by Black's Law Dictionary, a client's right or privilege to refuse to disclose and to prevent any other person from disclosing confidential communications between the client and the attorney. In the context of information security, certain business proceedings can be protected with attorney-client privilege as a means for preventing those proceedings from being made available during legal discovery.
audit
A formal review of one or more processes, controls, or systems to determine their state against a standard.
audit logging
A feature in an application, operating system, or database management system where events are recorded in a separate log.
audit methodology
A set of audit procedures that is used to accomplish a set of audit objectives.
audit objective
The purpose or goals of an audit. Generally, the objective of an audit is to determine whether controls exist and are effective in some specific aspect of business operations in an organization.
audit plan
A formal document that guides the control and execution of an audit. An audit plan should align with audit objectives and specify audit procedures to be used.
audit procedures
The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and questions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.
audit program
The plan for conducting audits over a long period.
audit report
The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; people interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.
audit scope
The process, procedures, systems, and applications that are the subject of an audit.
authentication
The process of asserting one's identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.
automatic control
A control that is enacted through some automatic mechanism that requires little or no human intervention.
availability management
The IT function that consists of activities concerned with the availability of IT applications and services.
background check
The process of verifying an employment candidate's employment history, education records, professional licenses and certifications, criminal background, and financial background.
back-out plan
A procedure used to reverse the effect of a change that was not successful.
backup
The process of copying important data to another media device in the event of a hardware failure, error, or software bug that causes damage to data.
backup media rotation
Any scheme used to determine how backup media is to be reused.
basic input/output system (BIOS)
The firmware on a computer that tests the computer's hardware and initiates the bootup sequence. Superseded by unified extensible firmware interface (UEFI). See also unified extensible firmware interface (UEFI).
bare metal restore
The process of recovering a system by reformatting main storage, re-installing the operating system, and restoring files.
biometrics
Any use of a machine-readable characteristic of a user's body that uniquely identifies the user. Biometrics can be used for multifactor authentication. Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan, iris scan, retina scan, facial scan, and handwriting. See also authentication, multifactor authentication.
block cipher
An encryption algorithm that operates on blocks of data.
board of directors
A body of elected or appointed people who oversee the activities of an organization.
bot
A type of malware in which agents are implanted by other forms of malware and are programmed to obey remotely issued instructions.
botnet
A collection of bots that are under the control of an individual.
bring your own app
A practice whereby workers use personally owned applications and use them for company business.
bring your own device (BYOD)
A practice whereby workers use personally owned devices (typically laptop computers and mobile devices) for company business.
budget
A plan for allocating resources over a certain time period.
business case
An explanation of the expected benefits to the business that will be realized as a result of a program or project.
business continuity planning (BCP)
The activities required to ensure the continuation of critical business processes.
business functional requirements
Formal statements that describe required business functions that a system must support.
business impact analysis (BIA)
A study that is used to identify the impact that different disaster scenarios will have on ongoing business operations.
business recovery plan
The activities required to recover and resume critical business processes and activities.
call tree
A method for ensuring the timely notification of key personnel, such as after a disaster.
capability maturity model
A model that is used to measure the relative maturity of an organization or of its processes.
Capability Maturity Model Integration for Development (CMMi-DEV)
A maturity model that is used to measure the maturity of a software development process.
capacity management
The IT function that consists of activities that confirm there is sufficient capacity in IT systems and IT processes to meet service needs. Primarily, an IT system or process has sufficient capacity if its performance falls within an acceptable range, as specified in service level agreements (SLAs). See also IT service management (ITSM), service level agreement (SLA).
cardholder data
As defined by the PCI Security Standards Council: At a minimum, cardholder data consists of the full PAN (Primary Account Number, also known as a credit card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
career path
The progression of responsibilities and job titles that a worker will attain over time.
CEO fraud
A type of fraud where a perpetrator, impersonating an organization's CEO, sends phishing e-mails to other company executives and directs them to wire large amounts of money to a bank account, typically in support of a secret merger or acquisition. See also phishing, spear phishing, and whaling.
certificate authority (CA)
A trusted party that stores digital certificates and public encryption keys.
certificate revocation list (CRL)
An electronic list of digital certificates that have been revoked prior to their expiration date.
certification practice statement (CPS)
A published statement that describes the practices used by the CA to issue and manage digital certificates.
chain of custody
Documentation that shows the acquisition, storage, control, and analysis of evidence. The chain of custody may be needed if the evidence is to be used in a legal proceeding.
change control board (CCB)
The group of stakeholders from IT and business who propose, discuss, and approve changes to IT systems. Also known as a change advisory board.
change management
The IT function that is used to control changes made to an IT environment. See also IT service management (ITSM).
change request
A formal request for a change to be made in an environment. See also change management.
change review
A formal review of a requested change. See also change request, change management.
chief information risk officer (CIRO)
The typical job title for the topmost information security executive in an organization.
chief information security officer (CISO)
The typical job title for the topmost information security executive in an organization.
chief risk officer (CRO)
The typical job title for the topmost risk officer in an organization.
chief security officer (CSO)
The typical job title for the topmost security officer in an organization.
ciphertext
A message, file, or stream of data that has been transformed by an encryption algorithm and rendered unreadable.
CIS Controls
A control framework maintained by the Center for Internet Security (CIS).
clone phishing
The practice of obtaining legitimate e-mail messages, exchanging attachments or URLs for those that are malicious, and sending the altered e-mail messages to target users in the hopes the messages will trick users on account of their genuine appearance.
cloud
Internet-based computing resources.
cloud access security broker (CASB)
A system that monitors and, optionally, controls users access to, or use of, cloud-based resources.
cloud computing
A technique of providing a dynamically scalable and usually virtualized computing resource as a service.
cluster
A tightly coupled collection of computers that is used to solve a common task. In a cluster, one or more servers actively perform tasks, while zero or more computers may be in a standby state, ready to assume active duty should the need arise.
COBIT
A control framework for managing information systems and security. COBIT is published by ISACA.
code of ethics
A statement that defines acceptable and unacceptable professional conduct.
cold site
An alternate processing center where the degree of readiness for recovery systems is low. At the least, a cold site is nothing more than an empty rack or just allocated space on a computer room floor.
command and control (C&C)
Network traffic associated with a system compromised with malware. Command-and-control traffic represents communication between the malware and a central controlling entity.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
A private sector organization that provides thought leadership, control frameworks, and guidance on enterprise risk management.
common vulnerability scoring system (CVSS)
An open framework for communicating the quantitative characteristics and impacts of IT vulnerabilities.
compensating control
A control that is implemented because another control cannot be implemented or is ineffective.
compliance
Activities related to the examination of systems and processes to ensure they conform to applicable policies, standards, controls, requirements, and regulations; also, the state of conformance to applicable policies, standards, controls, requirements, and regulations.
compliance audit
An audit to determine the level and degree of compliance to a law, regulation, standard, contract provision, or internal control. See also audit.
compliance risk
Risk associated with any general or specific consequences of not being compliant with a law, regulation, or private legal obligation.
configuration item
A configuration setting in an IT asset. See also configuration management.
configuration management
The IT function where the configuration of components in an IT environment is independently recorded. Configuration management is usually supported by the use of automated tools used to inventory and control system configurations. See also IT service management (ITSM).
configuration management database (CMDB)
A repository for every component in an environment that contains information on every configuration change made on those components.
configuration standard
A standard that defines the detailed configurations that are used in servers, workstations, operating systems, database management systems, applications, network devices, and other systems.
contact list
A list of key personnel and various methods used to contact them. See also response document.
containerization
A form of virtualization where an operating system permits the existence of multiple isolated user spaces, called containers. See also virtualization.
continuity of operations plan (COOP)
The activities required to continue critical and strategic business functions at an alternate site. See also response document.
continuous log review
A process where the event log for one or more systems is being continuously reviewed in real time to determine whether a security or operational event warranting attention is taking place. See also security information and event management system (SIEM).
continuous improvement
The cultural desire to increase the efficiency and effectiveness of processes and controls over time.
content delivery network (CDN)
Also known as a content distribution network, a globally distributed network of servers in multiple data centers designed to optimize the speed and cost of delivery of content from centralized servers to end users.
contract
A binding legal agreement between two or more parties that may be enforceable in a court of law.
control
Policy, process, or procedure that is created to ensure desired outcomes or to avoid unwanted outcomes.
control existence
An activity that takes place in an audit where the auditor seeks to determine whether an expected control is in place.
control framework
A collection of controls, organized into logical categories.
control objective
A foundational statement that describes desired states or outcomes from business operations.
control risk
The risk that a significant or material error exists that will not be prevented or detected by a control.
control self-assessment (CSA)
A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity that may or may not be required by applicable laws or regulations.
corrective action
An action that is initiated to correct an undesired condition.
corrective control
A control that is used after an unwanted event has occurred.
countermeasure
Any activity or mechanism that is designed to reduce risk.
covered entity
Any organization that stores or processes electronic protected health information (ePHI). See also Health Insurance Portability and Accountability Act (HIPAA).
critical path methodology (CPM)
A technique that is used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule.
criticality analysis (CA)
A study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation.
cryptanalysis
An attack on a cryptosystem where the attacker is attempting to determine the encryption key that is used to encrypt messages.
cryptography
The practice of hiding information from unwanted people.
culture
The collective attitudes, practices, communication, communication styles, ethics, and other behavior in an organization.
custodian
A person or group delegated to operate or maintain an asset.
cutover
The step in the software development life cycle where an old replaced system is shut down and a new replacement system is started.
cutover test
An actual test of disaster recovery and/or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans, to actually set up the DR business processing or data processing capability. In a cutover test, personnel shut down production systems and operate recovery systems to assume actual business workload. See also disaster recovery plan.
cyber risk insurance
An insurance policy designed to compensate an organization for unexpected costs related to a security breach.
cybersecurity framework (CSF)
See NIST CSF.
cyclical controls testing
A life cycle process in which selected controls are examined for effectiveness.
damage assessment
The process of examining assets after a disaster to determine the extent of damage.
data acquisition
The act of obtaining data for later use in a forensic investigation.
data classification policy
Policy that defines sensitivity levels and handling procedures for information.
data loss prevention (DLP) system
A hardware or software system that detects and, optionally, blocks the movement or storage of sensitive data.
data restore
The process of copying data from backup media to a target system for the purpose of restoring lost or damaged data.
data security
Those controls that seek to maintain confidentiality, integrity, and availability of information.
decryption
The process of transforming ciphertext into plaintext so that a recipient can read it.
denial of service (DoS)
An attack on a computer or network with the intention of causing disruption or malfunction of the target.
desktop computer
A nonportable computer used by an individual end user and located at the user's workspace.
desktop virtualization
Software technology that separates the physical computing environment from the software that runs on an endpoint, effectively transforming an endpoint into a display terminal. See also virtualization.
detective control
A control that is used to detect events.
deterrent control
A control that is designed to deter people from performing unwanted activities.
Diffie-Hellman
A popular key exchange algorithm. See also key exchange.
digital certificate
An electronic document that contains an identity that is signed with the public key of a certificate authority (CA).
digital envelope
A method that uses two layers of encryption. A symmetric key is used to encrypt a message; then a public or private key is used to encrypt the symmetric key.
digital rights management (DRM)
Any technology used to control the distribution and use of electronic content.
digital signature
The result of encrypting the hash of a message with the originator's private encryption key, used to prove the authenticity and integrity of a message.
directory
A centralized service that provides information for a particular function.
disaster
An unexpected and unplanned event that results in the disruption of business operations.
disaster declaration criteria
The conditions that must be present to declare a disaster, triggering response and recovery operations.
disaster declaration procedure
Instructions to determine whether to declare a disaster and trigger response and recovery operations. See also disaster declaration criteria.
disaster recovery and business continuity requirements
Formal statements that describe required recoverability and continuity characteristics that a system must support.
disaster recovery plan
The activities required to restore critical IT systems and other critical assets, whether in alternate or primary locations. See also response document.
disaster recovery planning (DRP)
Activities related to the assessment, salvage, repair, and restoration of facilities and assets.
disaster recovery-as-a-service (DRaaS)
A cloud-based set of tools and services that streamline the planning and execution of data backup and data replication for disaster recovery purposes.
discovery sampling
A sampling technique where at least one exception is sought in a population. See also sampling.
disk array
A chassis in which several hard disks can be installed and connected to a server. The individual disk drives can be hot swapped in the chassis while the array is still operating.
distributed denial of service (DDoS)
A denial-of-service (DoS) attack that originates from many computers. See also denial of service (DoS).
DNS filter
A network system or device used to protect systems from malicious content through manipulation of the results of DNS queries. See also web content filter.
document review
A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. Individuals typically review these documents on their own, at their own pace, but within whatever time constraints or deadlines that may have been established.
documentation
The inclusive term that describes charters, processes, procedures, standards, requirements, and other written documents.
Domain Name System (DNS)
A TCP/IP application layer protocol used to translate domain names (such as www.isecbooks.com) into IP addresses.
dwell time
The period of time that elapses from the start of a security incident to the organization's awareness of the incident.
dynamic application security testing (DAST)
Tools used to identify security defects in a running software application.
eavesdropping
The act of secretly intercepting and, optionally, recording a voice or data transmission.
elasticity
The property of infrastructure-as-a-service whereby additional virtual assets can be created or withdrawn in response to rising and falling workloads.
electric generator
A system consisting of an internal combustion engine powered by gasoline, diesel fuel, or natural gas that spins an electric generator. A generator can supply electricity for as long as several days, depending upon the size of its fuel supply and whether it can be refueled.
electronic protected health information (ePHI)
Any information, in electronic form, about the health, health status, and medical treatment of a human patient.
elliptic curve
A public key cryptography algorithm.
e-mail
A network-based service used to transmit messages between individuals and groups.
emergency communications plan
The communications that are required during a disaster. See also response document.
emergency response
The urgent activities that immediately follow a disaster, including evacuation of personnel, first aid, triage of injured personnel, and possibly firefighting.
employee handbook
See employee policy manual.
employee policy manual
A formal statement of the terms of employment, facts about the organization, benefits, compensation, conduct, and policies.
employment agreement
A legal contract between an organization and an employee, which may include a description of duties, roles and responsibilities, confidentiality, compliance, and termination.
encryption
The act of hiding sensitive information in plain sight. Encryption works by scrambling the characters in a message using a method known only to the sender and receiver, making the message useless to anyone who intercepts the message.
encryption key
A block of characters, used in combination with an encryption algorithm, to encrypt or decrypt a stream or block of data.
endpoint
A general term used to describe any of the types of devices used by end users, including mobile phones, smartphones, terminals, tablet computers, laptop computers, and desktop computers.
enterprise architecture
Activities that ensure important business needs are met by IT systems; also, the model that is used to map business functions into the IT environment and IT systems in increasing levels of detail.
enterprise risk management (ERM)
The methods and processes used by an organization to identify and manage business risks.
evacuation procedure
Instructions to safely evacuate a work facility in the event of a fire, earthquake, or other disaster.
e-vaulting
The practice of backing up information to an off-site location, often a third-party service provider.
event
An occurrence of relevance to a business or system.
event monitoring
The practice of examining the events that occur on information systems, including operating systems, subsystems such as database management systems, applications, network devices, and end-user devices.
event visibility
A capability that permits an organization to be aware of activities that may be a sign of a security incident.
evidence
Information gathered by the auditor that provides proof that a control exists and is being operated.
exploitation
The process of exploiting a vulnerability in a target system in order to take control of the system.
exposure factor (EF)
The financial loss that results from the realization of a threat, expressed as a percentage of the asset's total value.