ISEC Chapter 6 Vocabulary

Baseline

A benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products

Service level agreement (SLA)

A contractual commitment by a service provider or support organization to its customers or users

Data Classification Standards

A definition of different data types with respect to security sensitive

Authorizing official (AO)

A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation

RFC 1087 "Ethics and the Internet"

A document produced by the IETF, contain standards as well as other specifications or descriptive contents

SQL injection

A form of web application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell

Standard

A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization

Agile development

A method of developing software that is based on small project iterations, or sprints, instead of long-term project schedules

System life cycle (SLC)

A method used in systems engineering to describe the phases of a system's existence, including design, development, deployment, operation, and disposal

Clean desk/clear screen policy

A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation

Guideline

A recommendation for how to use or how to purchase a product or system

Security policy

A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements

Procedure

A set of steb-by-step actions to be performed to accomplish a security requirement, process, or objective

Waterfall model

A software development model that defines how development activities progress from one distinct phase to the next

Event logs

A software or application-generated record that some action has occurred

Functional policy

A statement of an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing

Social engineering

A type of attack that relied on persuading a person to reveal information

Memorandum of Understanding (MOU)

An agreement between two or more parties that expresses areas of common interests that result in shared actions

Blanket purchase agreement (BPA)

An agreement that defines a streamlined method of purchasing supplies or services

Organization for Economic Cooperation and Development (OECD)

An organization of more than 30 countries. Its goal is economic cooperation growth

Classification Process

Determines how you handle classified data

Classification Scope

Determines what data you should classify. To determine this, you should do a business impact analysis to evaluate all your organizations' data.

Change Control Management

Develops a planned approach to controlling change by involving all affected departments

Sprint

One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other methods of development software

Awareness Program

Teaches users about security objective, trends and threats in security, and motivates to comply with security policy

Remediation

The act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure

Compliance liaison

The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications, and data

Proactive change management

The act of initiating changes to avoid expected problems

Security administrator

The group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan

Principal of least privilege

The idea that users should be granted only the levels of permissions they need in order to perform their duties

Certifier

The individual or team responsible for performing the security test and evaluation for the system.

Organizational compliance

The organization must comply with its own policies, audits, culture, and standards

Emergency operations group

The place in which the recovery team will meet and work during a disaster

Separation of Duties

The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task

Change control

The process of managing changes to computer/device configuration or application software.

Configuration control

The process of managing the baseline settings of a system or device

Certification

The technical evaluation of a system to provide assurance that you have implemented the system correctly. Also, an official statement that attests that a person has satisfied specific requirements.