Chapter 3
security systems development lifecycle
a formal approach to designing information security programs that follows the methodology of a traditional cycle
Stakeholder
A person or organization that has a "stake" or vested interest in a particular aspect of the planning or operation of the organization; in this case, the information assets used in a particular organization
Joint Application Design
A systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success.
Governance, risk management and compliance
An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security ... .... .....
controls and safeguards
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization
Strategic Planning
The process of defining and specifying the long-term direction to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort
vulnerability assessment
The process of identifying and documenting specific and provable flaws in the organization's information asset environment
Governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly
Methodology
a formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective
champion
a high-level executive, such as a CIO, who will provide political support and influence for a specified project
penetration testing
a set of security tests and evaluations that simulate attacks by a malicious external source
penetration tester
an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems