ISEC Chapter 6 Vocabulary
Baseline
A benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products
Service level agreement (SLA)
A contractual commitment by a service provider or support organization to its customers or users
Data Classification Standards
A definition of different data types with respect to security sensitivity
Authorizing official (AO)
A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation
RFC 1087 "Ethics and the Internet"
A document produced by the IETF, containing standards as well as other specifications or descriptive content
SQL injection
A form of web application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell
Standard
A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization
Agile development
A method of developing software that is based on small project iterations, or sprints, instead of long-term project schedules
System life cycle (SLC)
A method used in systems engineering to describe the phases of a system's existence, including design, development, deployment, operation, and disposal
Clean desk/clear screen policy
A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation
Guideline
A recommendation for how to use or how to purchase a product or system
Security policy
A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements
Procedure
A set of step-by-step actions to be performed to accomplish a security requirement, process, or objective
Waterfall model
A software development model that defines how development activities progress from one distinct phase to the next
Event logs
A software or application-generated record that some action has occurred
Functional policy
A statement of an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing
Social engineering
A type of attack that relies on persuading a person to reveal information
Memorandum of Understanding (MOU)
An agreement between two or more parties that expresses areas of common interests that result in shared actions
Blanket purchase agreement (BPA)
An agreement that defines a streamlined method of purchasing supplies or services
Organization for Economic Cooperation and Development (OECD)
An organization of more than 30 countries. Its goal is economic cooperation and growth
Classification Process
Determines how you handle classified data
Classification Scope
Determines what data you should classify. To determine this, you should do a business impact analysis to evaluate all your organization's data.
Change Control Management
Develops a planned approach to controlling change by involving all affected departments
Sprint
One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other software development methods
Awareness Program
Teaches users about security objectives, trends and threats in security, and motivates them to comply with security policy
Remediation
The act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure
Compliance liaison
The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications, and data
Proactive change management
The act of initiating changes to avoid expected problems
Security administrator
The group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan
Principle of least privilege
The idea that users should be granted only the levels of permissions they need in order to perform their duties
Certifier
The individual or team responsible for performing the security test and evaluation for the system.
Organizational compliance
The organization must comply with its own policies, audits, culture, and standards
Emergency operations group
The place in which the recovery team will meet and work during a disaster
Separation of Duties
The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task
Change control
The process of managing changes to computer/device configuration or application software.
Configuration control
The process of managing the baseline settings of a system or device
Certification
The technical evaluation of a system to provide assurance that you have implemented the system correctly. Also, an official statement that attests that a person has satisfied specific requirements.