Chapter 04
operational controls
Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
technical controls
Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
business resumption planning (BRP)
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
incident response planning (IRP)
The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.
Business Continuity Planning (BCP)
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
contingency planning (CP)
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
Disaster recovery planning (DRP)
The actions taken by senior management to specify the organization's efforts in preparation for and recovery from a disaster.
Recovery Time Objective (RTO)
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.
Recovery Point Objective (RPO)
The point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage.
computer forensics
The process of collecting, analyzing, and preserving computer-related evidence.
governance
"The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly."
sequential roster
An alert roster in which a single contact person calls each person on the roster.
Hierarchical roster
An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.
Electronic vaulting
A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.
database shadowing
A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
Sunset Clause
A component of policy or law that defines an expected end date for its applicability.
Service Bureau
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
mutual agreement
A continuity strategy in which two organizations sign a contract to assist each other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
after-action review
A detailed examination and discussion of the events that occurred, from first detection to final recovery.
standard
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."
alert roster
A document that contains contact information for people to be notified in the event of an incident.
warm site
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations.
cold site
A facility that provides only rudimentary services, with no computer hardware or peripherals. Cold sites are used for BC operations.
hot site
A fully configured facility that includes all services, communications links, and physical plant operations. Hot sites are used for BC operations.
Security education, training, and awareness (SETA)
A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees.
evidence
A physical object or documented information entered into a legal proceeding that proves an action occurred or identifies the intent of a perpetrator.
alert message
A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process.
Access control list (ACL)
A specification of an organization's information asset, the users who may access and use it, and their rights and privileges for using the asset. ACLs include user access lists, matrices, and capabilities tables.
de jure standard
A standard that has been formally evaluated, approved, and ratified by a formal standards organization. Contrast with a de facto standard.
de facto standard
A standard that has been widely adopted or accepted by a public group rather than a formal standards organization. Contrast with de jure standard.
defense in depth
A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
managerial guidance SysSP
A systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.
technical specifications SysSP
A type of systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.
security domain
An area of trust within which information assets share the same level of protection. Each trusted network within an organization is a security domain. Communication between security domains requires evaluation of communications traffic.
policy administrator
An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.
adverse event
An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.
access control matrix
An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user.
business impact analysis (BIA)
An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.
Issue-specific security policy (ISSP)
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
corporate governance
Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.
capabilities table
In lattice-based access control, the row of attributes associated with a particular subject (such as a user).
information security blueprint
In information security, a framework or security model customized to an organization, including implementation details.
information security framework
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. Also known as security model.
Systems-Specific Security Policies (SysSPs)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications, but may be written as a single unified SysSP document.
incident candidate
See adverse event.
information security model
See information security framework.
tactical planning
The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
operational planning
The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.
work recovery time (WRT)
The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system.
information security governance
The application of the principles of corporate governance to the information security function.
remote journaling
The backup of data to an off-site facility in close to real time based on transactions as they occur.
security perimeter
The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas. The advent of mobile and cloud information technologies makes the security perimeter increasingly difficult to define and secure.
business continuity plan (BC plan)
The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.
contingency plan
The documented product of contingency planning; a plan that shows the organization's intended efforts in reaction to adverse events.
disaster recovery plan (DR plan)
The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.
incident response plan (IR Plan)
The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident.
operational plan
The documented product of operational planning; a plan for the organization's intended operational efforts on a day-to-day basis for the next several months.
tactical plan
The documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years.
contingency planning management team (CPMT)
The group of senior managers and project members organized to conduct and lead all CP efforts.
enterprise information security policy (EISP)
The high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.
configuration rules
The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
Incident classification
The process of examining an incident candidate and determining whether it constitutes an actual incident.
Incident damage assessment
The rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one.
Maximum Tolerable Downtime (MTD)
The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations.
information security policy
Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
time-share
a continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A time-share allows the organization to have a BC option while reducing its overall costs.
incident
an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.
disaster
an adverse event that could threaten the viability of the entire organization. A disaster may either escalate from an incident or be initially classified as a disaster.
crisis management
an organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
practices
examples of actions that illustrate compliance with policies. If the policy states to "use strong passwords, frequently changed," the practices might advise that "according to X, most organizations require employees to change passwords at least semi-annually."
managerial controls
information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.
guidelines
non-mandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to "use strong passwords, frequently changed," the guidelines might advise that "we recommend you don't use family or pet names, or parts of your Social Security number, employee number, or phone number in your password."
objective
sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.
goals
sometimes used synonymously with objectives; the desired end of a planning cycle.
procedures
step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to "use strong passwords, frequently changed," the procedure might advise that "in order to change your password, first click the Windows Start button, then..."
strategic plan
the documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years.
strategic planning
the process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.
redundancy
the use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information.