Management of Information Security
Digital Certificate
A block of data, similar to a digital signature, that is attached to a file to certify that the file is from the organization it claims to be from and has not been modified from the original format.
Dumb Card
A category of access control token that includes ID and ATM cards with magnetic strips that contain the digital (and often encrypted) PIN against which user input is compared.
Asynchronous Tokens
A category of access control tokens that use a challenge-response system in which the server challenges the user with a number, which the user enters into his or her token and then returns a generated value.
Dynamic Packet Filtering Firewalls
A class of firewalls that allow only a particular packet with a specific source, destination and port address to pass through the firewall by understanding how the protocol functions and by opening and closing "doors" in the firewall based on the information contained in the packer header.
Electronic Communication Privacy Act (ECPA)
A collection of statutes that regulate the interception of wire, electronic, and oral communications. These statutes are frequently referred to as the "federal wiretapping acts."
Annualized Loss Expectancy (ALE)
A comparative estimate of the losses from successful attacks on an asset over one year.
Certification
A comprehensive assessment of both technical and nontechnical protection strategies for a particular system, as specified by a particular set of requirements.
Bell-LaPadula (BLP) Confidentiality Model
A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
Biba Integrity Model
A confidentiality model or "state machine reference model" that is similar to BLP and based on the premise that higher levels of integrity are more worthy of trust than lower ones.
Acceptance Risk Control Strategy
A conscious decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation.
Digital Malfeasance
A crime against or using digital media, computer technology, or related components (computer as source or object of crime).
After-Action Review (AAR)
A detailed examination by CSIRT team members and key players in the IR process of the events that occurred, from first detection to final recovery.
Business Continuity Plan (BC plan)
A detailed set of processes and procedures that ensure that critical business functions can continue if a disaster occurs, usually by establishing operations at an alternate site.
Disaster Recovery Plan (DR plan)
A detailed set of processes and procedures that prepare for and help recover from the effects of disasters.
Critical Path Method (CPM)
A diagram-based planning process that focuses on the duration of the sequence of tasks, any of which, if delayed, will cause delay to the entire project.
Alert Roster
A document containing contact information on the individuals to be notified in the event of an actual incident.
Cold Site
A facility used for BC operations that provides only rudimentary services and facilities, with no computer hardware or peripherals.
Dual-Homed Host
A firewall configuration in which the bastion host contains two network interfaces: one that is connected to the external network and one that is connected to the internal network. All traffic must go through the firewall to move between the internal and external networks.
Cost Benefit Analysis (CBA)
A form of feasibility study that compares the life-cycle cost of implementing a control mechanism against the estimated economic benefit that would accrue from the implementation of the control.
Hot Site
A fully configured computer facility used for BC operations, with all services, communications links, and physical plant operations.
C.I.A. Triangle
A long-standing industry standard for computer security that focuses on three critical characteristics of information: confidentiality, integrity, and availability.
Decisional Role
A managerial role in which the manager must select from among alternative approaches and resolve conflicts, dilemmas, or challenges.
Defense Risk Control Strategy
A mechanism to control risk by the prevention of an exploitation of a vulnerability.
Champion
A member of the senior management of an organization who seeks to promote the successful outcome of a project or initiative by providing visibility, prestige, or resources.
Diffie-Hellman Key Exchange Method
A methodology invented to enable the exchange of private keys over a non-secure channel without exposure to any third parties, using asymmetric encryption.
Asset Valuation
A process of assigning financial value or worth to each information asset.
Baselining
A process of measuring some action or process against established internal values or standard.
Digital Signature
A process of using a reversed asymmetric encryption process in which a private key is used to encrypt a (usually short) message and the corresponding public key is used to decrypt it to provide nonrepudiation, thus creating encrypted messages whose authenticity can be independently verified by a ventral facility (registry).
Governance, Risk Management, and Compliance (GRC)
A process seeking to integrate the three, previously separated responsibilities into one holistic approach that can provide sound executive-level strategic planning and management of the InfoSec function.
Authorization
A process that determines if a user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to perform a function, such as access, modify, or delete the contents of an information asset.
Cache Server
A proxy server or application-level firewall that exists to store the most recently accessed Web content in its internal caches, minimizing the demand on proxy and internal servers.
Alert Message
A scripted description of the incident that consists of just enough information so that each responder, CSIRT or otherwise, knows what portion of the IR plan to implement without impeding the notification process.
Access Control Policy
A security policy that specifies how access rights are granted to entities and groups.
Business Resumption Plan (BR plan)
A set of plans and procedures combining the DR and BC functions, which is preferred by some organizations.
Content Filter
A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network - for example restricting access to Web sites with non-business-related material, such as pornography or entertainment.
Communications Security
A specialized area of security that encompasses protecting the organization's communications media, technology, and content as well as its ability to use these tools to achieve the organization's objectives.
Availability
A state in which users have access to information in a usable format, without interference or obstruction.
Competitive Disadvantage
A state of falling behind the competition.
Computer Security Incident Response Team (CSIRT)
A subset of the IR team composed of technical and managerial IT and InfoSec professionals prepared to diagnose and respond to an incident.
Business Process
A task performed by an organization or organizational subunit in support of the overall organization's mission.
Discretionary Access Controls (DACs)
Access controls implemented at the discretion or option of the data user.
Crossover Error Rate (CER)
Also called the "equal error rate," this is the point at which the rate of false rejections equals the rate of false acceptances.
Evidentiary Material (EM)
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal-based or policy-based case against a suspect.
Common Criteria for Information Technology Security Evaluation
Also known as the "Common criteria" (CC), an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some of the differences between the various other standards.
Health Insurance Portability and Accountability Act (HIPAA)
Also known as the Kennedy-Kassebaum Act, this law attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Anomaly-Based IDPS
An IDPS method that first collects data from normal traffic and establishes a baseline, then periodically samples network activity, using statistical methods, compares the samples to the baseline, and notifies the administrator when the activity falls outside the clipping level.
Host-Based IDPS (HIDPS)
An IDPS that works by configuring and classifying various categories of systems and data files on predefined computer systems upon which it resides.
Attack
An act or event that exploits a vulnerability seeking to cause a loss to an information asset.
Certificate Authority (CA)
An agency that manages the issuance of certificates and serves as the electronic notary public to verify their origin and integrity.
Baseline
An assessment of the performance of some action or process measured against a prior assessment or an internal goal.
Book Cipher
An encryption method in which the words (or, in some cases, characters) found in a book act as the algorithm to decrypt a message. The key relies on two components: (1) knowing which book to refer to and (2) having a list of codes representing the page number, line number, and word number of the plain text word.
Asymmetric Encryption
An encryption method that uses two different keys, either of which can be used to encrypt or decrypt a message, but not both. Thus, if a private (secret) key is used to encrypt a message, only the public key can be used to decrypt it, and vice versa.
Bottom-Up Approach
An implementation approach that uses grass-roots effort in which systems administrators attempt to improve the security of their systems.
Demilitarized Zone (DMZ)
An intermediate area between a trusted network and an untrusted network, thereby restricting access to internal systems.
Application-Level Firewalls
Firewalls that often consist of dedicated computers kept separate from the first filtering router (called an "edge router"); commonly used in conjunction with proxy servers.
Agent
In IDPS, a piece of software that resides on a system and reports back to a management server.
Capabilities Table
In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).
Ciphertext
In cryptography, the result of encrypting plaintext.
Blueprint
In information security, a specification of a model to be followed in the creation of the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls.
Framework
In information security, the outline version of the more thorough blueprint.
Controlling
In project management, a process of monitoring progress toward completion and making necessary adjustments to achieve desired objectives.
Bastion Host
In screened-host firewalls, a separate application proxy that examines an application-layer protocol, such as HTTP, and performs the proxy services, thus representing a single rich target for external attacks and that should, therefore, be very thoroughly secured.
Footprint
In wireless networking, the geographic area within which there is sufficient signal strength to make a network connection.
Data Owners
Individuals who control (and are therefore responsible for) the security and use of a particular set of information. Data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.
Data Custodian
Individuals who work directly with data owners and are responsible for the storage, maintenance, and protection of the information.
Digital Forensics
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Like traditional forensics, digital forensics follows clear, well defined methodologies but still tends to be as much art as science.
Civil Law
Laws pertaining to relationships between and among individuals and organizations
Criminal Law
Laws that address violations harmful to society, actively enforced and prosecuted by the state.
Guidelines
Non-mandatory recommendations that the employee may use as a reference in complying with a policy. If the policy states "Use strong passwords, frequently changed," the guidelines should advise "We recommend you don't use family or pet names, parts of your Social Security number, your employee number, or your phone number in your password."
Computer Security Act (CSA)
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices, the CSA is a U.S. federal Law that charges the National Bureau of Standards, now NIST, with the development of standards, guidelines, and associated methods and techniques for computer systems, among other responsibilities.
Event-Driven
Refers to a corrective action that is in response to some event in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
Common Criteria (CC)
See "Common Criteria for Information Technology Security Evaluation".
Behavior-Based IDPS
See "anomaly-based IDPS".
Chain of Custody
See "chain of evidence".
Avoidance
See "defense risk control strategy".
Fourth-Generation Firewall
See "dynamic packet filtering firewalls."
First-Generation Firewall
See "packet filtering firewalls."
Due Care
See "standard of due care."
Due Dilligence
See "standard of due diligence."
Honey Pot
See "trap and trace applications."
Ethical Hackers
See "white-hat hackers."
Access Control Lists (ACLs)
Specifications of authorization that govern the rights and privileges of users to a particular information asset. Includes user access lists, matrices, and capability tables.
Affidavit
Sworn testimony that certain facts are in the possession of the investigating officer that the officer believes warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in this document.
Access Controls
System components that regulate the admission of users into trusted areas of the organization, both logical access to information systems and physical access to the organization's facilities. Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies.
Data Users
Systems users who work with the information to perform their daily jobs supporting the mission of the organization, everyone in the organization being responsible for the security of data (and thus playing an InfoSec role).
Desk Check
The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster, with each individual reviewing the plan and creating a list of correct and incorrect components.
Full-Interruption Testing
The CP testing strategy in which the individuals follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
Business Continuity Planning (BCP)
The actions taken to ensure that critical business functions can continue if a disaster occurs, usually by establishing operations at an alternate site.
Accoutability
The assurance that every activity undertaken can be attributed to a known entity, whether a named person or an automated process.
Accreditation
The authorization by an oversight authority of an IT system to process, store, or transmit information.
Electronic Vaulting
The bulk batch-transfer of data to an off-site facility, usually conducted via leased lines or secure Internet connections.
Confidentiality
The characteristic of information whereby only those with sufficient privileges and a demonstrated need may access it.
Forensics
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine criminal, natural, intentional, or accidental.
Database Shadowing
The combination of electronic vaulting with remote journaling in which multiple copies of the database are written simultaneously to two separate locations.
General Business Community
The community f interest within an organization that primarily seeks to articulate and communicate organizational policy and objectives and allocates resources tot the other groups.
Computer Fraud and Abuse (CFA) Act
The cornerstone of many computer-related federal laws and enforcement efforts, the CFA formally criminalizes "accessing a computer without authorization or exceeding authorized access" for systems containing information of nation interest as determined by the U.S. federal government.
Chain of Evidence
The detailed documentation of the collection, storage, transfer, and ownership of collected evidence from a crime scene through its presentation in court.
Business Impact Analysis (BIA)
The first phase of the CP process and a crucial component of the initial planning stages, the BIA serves as an investigation and assessment of the impact that various adverse events can have on the organization.
Enterprise Information Security Policy (EISP)
The high-level information security policy (also known as a "security program policy," "general security policy," "IT security policy," "high-level InfoSec policy," or simply "InfoSec policy") that sets the strategic direction, scope, and tone for all of an organization's security efforts.
E-Discovery
The identification and preservation of evidentiary material related to a specific legal action.
Crisis Management Team (CMT)
The individuals from various functional area of the organization who are tasked with the development and implementation of the CM plan.
Contingency Planning Management Team (CPMT)
The management team consisting of coordinating executive, representatives from major business and representatives from other teams that is responsible for collecting information about the organization and about the threats it faces, conducting the BIA, and coordinating the development of contingency plans.
Chief Information Security Officer (CISO)
The most senior manager or executive responsible for information security in an organization.
Chief Information Officer (CIO)
The most senior manager or executive responsible for information technology and systems in an organization.
Chief Security Officer (CSO)
The most senior manager or executive responsible for physical and information security in an organization; sometimes misapplied to a functional CISO to follow industry trend.
Fingerprinting
The next phase of the preattack data gathering process that entails the systematic examination of all the organization's Internet addresses collected during the foot printing phase.
Footprinting
The organized research of the Internet addresses owned or controlled by a target organization.
Contingency Planning (CP)
The overall process of preparing for unexpected adverse events.
Disaster Recovery Planning (DRP)
The preparation for an recovery from a disaster, whether natural or human made.
Encryption
The process of converting an original message into a form that cannot be used by unauthorized individuals.
Cryptanalysis
The process of deciphering the original message from an encrypted message without knowing the algorithms and keys used to perform the encryption.
Auditing
The process of reviewing the information collected in and about systems in order to detect misuse or attempted intrusion; includes information collected in logs.
Authentication
The process of validating a supplicant's purported identity, thus ensuring that the entity requesting access is the entity it claims to be.
False Reject Rate
The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device. This failure is also known as a "Type I error" or a "fake negative."
False Accept Rate
The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device. This failure is also known as a "Type II error" or as a "false positive."
Cost
The resources needed to implement a control, whether money, time, fixed assets, or organizational focus.
Dumpster Diving
The retrieval of information from refuse or recycling bins.
Cryptology
The science of encryption and a very complex field based on advanced mathematical concepts.
Critical Path
The sequence of events or activities that requires the longest duration to complete and that therefore cannot be delayed without delaying the entire project.
Cryptography
The set of processes involved in encoding and decoding messages so that others cannot understand them.
Crisis Management (CM)
The steps taken during and after a disaster that affect the people inside and outside the organization.
Business Continuity Team
The team that manages and executes the BC plan by setting up and starting off-site operations in the event of an incident or disaster.
Disaster Recovery Team
The team that manages and executes the DR plan by detecting, evaluating, and responding to disasters and by reestablishing operations at the primary business site.
Hybrid Encryption System
The use of asymmetric encryption to exchange symmetric keys so that two (or more) organizations can conduct quick, efficient, secure communications based on symmetric encryption.
Compartmentalization
The use of specialty classification schemes, such as "Need-to-know" and "Named Projects," to allow access to information only by individuals who need the information to perform their work; commonly used in federal agencies.
Benefit
The value to the organization of using controls to prevent losses associated with a specific vulnerability.
Controls
Those means undertaken to reduce the risk that information assets face from attacks by threats. Also known as safeguards.
Best Security Practices (BSPs)
Those security efforts that are considered among the best in the industry.
Covert Channels
Unauthorized or unintended methods of communications hidden inside a computer system.
Benchmarking
Using the recommended or existing practices of a similar organization or using an industry-developed standard.