Chapter 3

security systems development lifecycle

a formal approach to designing information security progams that follows the methodology of a traditional cycle

Stakeholder

A person or organization that has a "stake" or vested interest in a particular aspect of the planning or operation of the organization in this case, the information assets used in a particular organization

Joint Application Design

A systems development approach that incorporated teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project;s success.

Governance, risk management and compliance

An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of infromation security ... .... .....

controls and safeguards

Security mechanisms, policies, or procedures that can sucessfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization

Strategic Planning

The process of defining and specifying the long term direction to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort

vulnerability assessment

The process of identifying and documenting specific and provanle flaws in the organizations infromation asset environment

Governance

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly

Methodology

a formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective

champion

a high level executive such as CIO who will provide political support and influence for a specified project

penetration testing

a set of security tests and evaluations that stimulate attacks by a malicious external source

penetration tester

an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems