CompTIA Advanced Security Practitioner (CASP+)
Gramm-Leach-Bliley Act (GLBA)
A U.S. law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information.
Bring Your Own Device (BYOD)
A business policy that permits, and in some cases, encourages, employees to use their own mobile devices (smartphones, tablets, or laptops) to access company computing resources and applications, including email, corporate databases, the corporate intranet, and the Internet.
Committee of Sponsoring Organizations (COSO)
A committee that provides thought leadership related to enterprise risk management, internal control, and fraud deterrence. A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Master Service Agreement (MSA)
A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define.
Lightweight Directory Access Protocol (LDAP)
A directory service protocol that runs over TCP/IP networks. Clients authenticate to the service, and the service's schema defines the tasks that clients can and cannot perform while accessing a database.
Request for Comments (RFC)
A document published by the IETF that details information about standardized Internet protocols and those in various development stages.
statement of applicability (SOA)
A document that identifies the controls chosen by an organization and explains how and why the controls are appropriate.
Extensible Access Control Markup Language (XACML)
A markup language used to define access control policies within an XML format; it commonly implements role-based access controls. It helps provide assurances to all members in a federation that they are granting the same level of access to different roles.
Secure LDAP (LDAPS)
A method of implementing another directory service protocol securely using SSL/TLS.
Mean Time Between Failures (MTBF)
A metric showing the reliability of the system as it measures the average time to the next failure.
Service Level Agreement (SLA)
A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.
Business Continuity Plan (BCP)
A plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption.
Enterprise Security Architecture (ESA)
A proactive approach to enterprise security that involves developing an overall plan of mitigation for each specific threat, vulnerability, and risk. Ex. NIST 800-37, ITIL.
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Risk Avoidance
A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact.
Risk Mitigation
A risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk.
Risk Acceptance
A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.
Incident Response
A set of procedures that an investigator follows when examining a computer security incident.
Request for Information (RFI)
A standard business process whose purpose is to collect written information about the capabilities of various suppliers.
Business Impact Analysis (BIA)
A study of the possible impact if a disruption to a business's vital resources were to occur.
Peer Trust Model
A transitive trust relationship. If resource A trusts resource B, and B trusts C, then A (implicitly) trusts C.
Request for Proposal (RFP)
A type of procurement document used to request proposals from prospective sellers of products or services. In some application areas, it may have a narrower or more specific meaning.
Business Partnership Agreement (BPA)
A written agreement defining the terms and conditions of a business partnership.
Annual Loss Expectancy (ALE)
ARO × SLE
Base Metrics
Access Vector, Access Complexity, Authentication, Confidentiality impact, Integrity impact, Availability impact.
Service Provisioning Markup Language (SPML)
Allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems.
Policy Enforcement Point (PEP)
An XACML entity that protects a resource that a subject (a user or an application) is attempting to access.
Policy Decision Point (PDP)
An XACML entity that retrieves all applicable policies in XACML and compares the request with the policies.
Interconnection Security Agreement (ISA)
An agreement between parties intended to minimize security risks for data transmitted across a network.
Interoperability Agreement (IA)
An agreement between two or more organizations to work together to allow information exchange.
Memorandum of Understanding (MOU)
An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement.
Lessons Learned Report (LLR)
An analysis of events that can provide insight into how to improve response processes in the future.
Governance, Risk Management and Compliance (GRC)
An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.
context-aware authentication
An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more.
Diameter
An authentication protocol that is an updated version of RADIUS and improves on some of its features (e.g., uses TCP; requires IPsec and TLS).
Protected Extensible Authentication Protocol (PEAP)
An extension of another authentication protocol, it encapsulates it in an encrypted TLS tunnel to strengthen its authentication communications.
Data sovereignty (Geographic considerations)
An important element to factor into the cost of the backup strategy is the expense of storing the backups. ___________ is a relatively new type of legislation several countries have enacted recently that mandates data stored within their borders is subject to their laws, and in some cases that data originating within their borders must be stored there.
Operating Level Agreement (OLA)
An internal organizational document that details the relationships that exist between departments to support business activities.
Common Vulnerabilities and Exposures (CVE)
An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation.
OAuth
An open source standard used for authorization with Internet-based single sign-on solutions. Ex. "Login using Facebook"
Extensible Authentication Protocol (EAP)
Authentication wrapper that compliant applications can use to accept one of many types of authentication. While it is a general-purpose authentication wrapper, its only substantial use is in wireless networks.
OAuth Grant Types
Authorization Code, Implicit, Resource owner password credentials, Client Credentials
quantitative analysis
Based completely on numeric values.
Lightweight Extensible Authentication Protocol (LEAP)
Cisco's proprietary version of another authentication protocol. Features mutual authentication between client and RADIUS server.
Hierarchical Trust Model
The Certificate Authority is at the top; intermediate CAs are the next level; users are the bottom level.
Public, private, restricted, confidential
Classes of information
Environmental Metrics
Collateral damage potential, target distribution, confidentiality requirements, integrity requirements, Availability Requirements.
enterprise resilience
Consists of an organization's ability to adapt to short-term and long-term changes.
trust model
Defines the relationships between authentication services so that they may accept each other's assertions of users' identities and permissions.
Health Insurance Portability and Accountability Act (HIPAA)
Established in 1996 to protect the privacy of patient medical information through restricted access to medical records and regulations for sharing them.
semi-quantitative analysis
Exists because it's impossible for a purely quantitative risk assessment to exist given that some issues defy numbers.
Single Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value (AV) by exposure factor (EF).
Temporal Metrics
Exploitability, Remediation level, Report confidence.
Request for Quote (RFQ)
From buyer to seller. Requests the seller to provide a price for the procured product or service.
Policies
High-level, broad statements of what the organization wants to accomplish.
Return on Investment (ROI)
How much money or benefit will be gained in relation to the amount of money that is being spent.
Risk Exposure
How susceptible an organization is to loss. Product of the probability that an incident will occur.
802.1x authentication
IEEE standard used to provide a device port-based authentication mechanism. (Not protocol ports like TCP/UDP)
Gap analysis
Identifies the differences between the current state of an environment and the desired state of that environment, and identifies the steps required to close that gap.
Challenge Handshake Authentication Protocol (CHAP)
Like PAP, performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network. Uses MD5 hashes.
Key risk indicators (KRIs)
Metrics that provide an early warning of increasing levels of uncertainty in a particular business area.
Risk Transfer
Moves the responsibility for managing risk to another organization, such as an insurance company.
International Organization for Standardization (ISO)
Organization designed to help create a series of standards that governments and industries can adhere to in order to have common guidelines for processes and operations at the international level.
Federal Information Security Management Act (FISMA)
Passed in 2002 to address the evolutionary nature of information systems security in the federal government. Includes requirements such as identifying the types of information within systems and performing risk assessments to identify areas requiring additional protection.
Provisioning Service Point (PSP)
Processes the service provisioning request sent by the Requesting Authority and creates or modifies a user account in the target system.
Remote Authentication Dial-In User Service (RADIUS)
Provides centralized remote access authentication, authorization, and auditing services via a Network Access Server (NAS). Can use PAP, CHAP, EAP, PEAP, or LEAP authentication methods.
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
Guidelines
Recommended, non-mandatory controls that support standards or that provide a reference for decision making.
After Action Report (AAR)
Report that summarizes key exercise-related evaluation information, including the exercise overview and analysis of objectives and core capabilities.
Sarbanes-Oxley Act (SOX)
Requires companies to review internal control and take responsibility for the accuracy and completeness of their financial reports.
Standards
Specific low-level mandatory controls that help enforce and support policies.
job rotation
States that no one person stays in a vital job role for too long. Helps an organization ensure vital knowledge is not tied too firmly to any one individual.
Procedures
Step-by-step instructions on tasks required to implement various policies, standards, and guidelines.
Aggregate CIA Score
Sum of total risk.
Mean Time to Failure (MTTF)
The average amount of time expected until the first failure of a piece of equipment.
Mean Time to Repair (MTTR)
The average amount of time required to repair a device.
Enterprise Risk Management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
brand image
The idea, impression, or image that customers have in their minds about the brand.
Unified Collaboration (UC)
The integration of a large number of communication platforms that traverse disparate types of networking technologies. Ex. Web conferencing, Slack, etc.
Recovery Point Objective (RPO)
The maximum amount of time that an organization can tolerate lost data being unrecoverable.
Maximum Tolerable Downtime (MTD)
The maximum period of time that a business process can be down before the survival of the organization is at risk.
Annual Rate of Occurrence (ARO)
The number of times an incident is expected to occur in a year.
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication protocol, and also the least safe because it sends all passwords in cleartext.
Separation of Duties
The practice of requiring that processes should be divided between two or more individuals.
Identity proofing
The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.
push-based authentication
The process of pushing out a special access code to the user's device that the user must input to a form in order to authenticate to a system.
de-perimeterization
The process of shifting, reducing, or removing an enterprise's boundaries to facilitate interaction with the outside world.
Inherent Risk
The risk that an event will pose if no controls are put in place.
Risk analysis
The security process used for assessing risk damages that can affect an organization.
qualitative analysis
Uses descriptions and words to measure the likelihood and impact of risk. Ex. Severe, High, Low.
Total Risk
Value of information times threat value.
Mandatory Vacations
When an organization requires that an employee take a certain number of vacation days consecutively.
Non-Disclosure Agreement (NDA)
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties.
Key Performance Indicator (KPI)
A business metric used to evaluate the success of an organization, employee, etc., and to track and analyze factors crucial to the success of an organization.
Internet Engineering Task Force (IETF)
Develops and promotes voluntary Internet standards and protocols, in particular the standards that comprise the Internet protocol suite (TCP/IP).
cost-benefit analysis
An economic model that compares the marginal costs and marginal benefits of a decision.
Personally Identifiable Information (PII)
Information about an individual that identifies, links, relates, or describes them.
Total Cost of Ownership (TCO)
The cost of owning and operating a system, including the total cost of acquisition, as well as all costs associated with its ongoing use and maintenance.
Recovery Time Objective (RTO)
The maximum tolerable time to restore an organization's information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system.
Residual Risk
The risk that remains after management implements internal controls or some other response to risk.