CIS 481 - Chapter 4
information security blueprint
a framework or security model customized to an organization, including implementation details
capabilities table
access control structure in which each row lists the rights a particular subject holds over the objects it may access (the subject-centric view; an access control list is the object-centric view of the same authorizations)
tactical planning
actions taken by management to specify the intermediate goals of the organization in order to achieve the strategic goals
disaster recovery planning
actions taken by management to specify the organization's efforts in preparation for and recovery from a disaster
operational planning
actions taken by management to specify the short-term goals of the organization in order to achieve the tactical goals
Business continuity planning
actions taken by senior management to develop and implement the BC policy, plan, and continuity teams
contingency planning
actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster
incident
adverse event that could result in loss of an information asset, but does not currently threaten the viability of the entire organization
disaster
adverse event that could threaten the viability of the entire organization
security domain
area of trust within which information assets share the same level of protection
electronic vaulting
backup method that uses bulk batch transfer of data to an off-site facility
remote journaling
backup of data to an off-site facility in close to real time based on transactions as they occur
database shadowing
backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server
security perimeter
boundary in the network within which an organization attempts to maintain security controls for securing information from threats
sunset clause
component of policy or law that defines an expected end date for its applicability
standard
detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance
full backup
duplication of all files for an entire system
differential backup
duplication of all files that have been changed since the last full backup
incremental backup
duplication of only the files that have been changed since the previous backup of any kind (the last full or the last incremental backup, whichever is more recent)
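The three backup strategies above differ in two ways a practitioner cares about: how much each run copies, and how many backup sets must be replayed to restore. The following is an added example (not part of the course material); the file names, day-numbered timestamps and the edit schedule are constructed, and deletions are ignored because none of these strategies records them.

```python
"""Full, differential and incremental backups over a constructed file history.

Added example, not from the course material. Paths, timestamps (day numbers)
and the edit schedule are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Backup:
    kind: str                                  # "full", "differential" or "incremental"
    time: int                                  # day the backup was taken
    files: dict = field(default_factory=dict)  # path -> content captured in this set


def last_time(history, kinds=None):
    """Timestamp of the most recent backup whose kind is in `kinds` (any kind if None)."""
    times = [b.time for b in history if kinds is None or b.kind in kinds]
    if not times:
        raise RuntimeError("no full backup yet; take one first")
    return max(times)


def take_backup(kind, now, fs, history):
    """Select files for a backup of `kind` and append the set to `history`.

    fs maps path -> (mtime, content). A file is included when its mtime is later
    than the reference point for the chosen strategy.
    """
    if kind == "full":
        cutoff = None                                   # everything
    elif kind == "differential":
        cutoff = last_time(history, {"full"})           # changed since last full
    elif kind == "incremental":
        cutoff = last_time(history)                     # changed since any previous backup
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    files = {p: c for p, (m, c) in fs.items() if cutoff is None or m > cutoff}
    backup = Backup(kind, now, files)
    history.append(backup)
    return backup


def restore_chain(history):
    """Backup sets needed to restore the latest state, oldest first:
    the last full, then either the last differential or every incremental after it."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    after = history[last_full + 1:]
    if after and after[-1].kind == "differential":
        chain.append(after[-1])                         # one set, whatever its age
    else:
        chain.extend(b for b in after if b.kind == "incremental")  # every set, in order
    return chain


def restore(history):
    """Replay the chain; later sets overwrite earlier versions of the same path."""
    state = {}
    for b in restore_chain(history):
        state.update(b.files)
    return state


def simulate(kind):
    """Day 0: full backup. Days 1-3: edits, then a daily backup of `kind`.
    Returns (files captured per run, days in the restore chain, restored state)."""
    fs = {  # constructed filesystem: path -> (mtime, content)
        "/etc/passwd": (0, "v0"),
        "/var/app.db": (0, "v0"),
        "/home/a.txt": (0, "v0"),
    }
    history = []
    take_backup("full", 0, fs, history)
    edits = {1: ["/var/app.db"], 2: ["/home/a.txt"], 3: ["/var/app.db"]}
    for day in (1, 2, 3):
        for path in edits[day]:
            fs[path] = (day, f"v{day}")
        take_backup(kind, day, fs, history)
    sizes = [len(b.files) for b in history]
    chain_days = [b.time for b in restore_chain(history)]
    return sizes, chain_days, restore(history)


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        sizes, chain, state = simulate(kind)
        print(f"{kind:12} files per run={sizes} restore chain (days)={chain} state={state}")
```

Running both schedules over the same edits shows the trade-off: the differential run grows each day (it re-copies everything since the full) but restores from two sets, while the incremental run copies only the day's changes but restores only if every set since the full is present and intact.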
policy administrator
employee responsible for the creation, revision, distribution, and storage of a policy in an organization
adverse event
event with negative consequences that could threaten the organization's information assets
practices
examples of actions that illustrate compliance with policies
configuration rules
instructions a systems admin codes into a server, networking device, or security device to specify how it operates
guidelines
non-mandatory recommendations the employee may use as a reference in complying with a policy
crisis management
organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster
issue-specific security policy
organizational policy that provides detailed, targeted guidance on the use of a particular resource, such as a technology or process
systems-specific security policy
policies that often function as standards or procedures to be used when configuring or maintaining systems
strategic planning
process of establishing an overall course of action for an organization
operational controls
safeguards focusing on lower-level planning that deals with the functionality of the organization's security
managerial controls
safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by the strategic planners
enterprise information security policy
security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts
access control list
specifications of authorization that govern the rights and privileges of users to a particular information asset
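The capabilities table and the access control list entries above are two views of the same access matrix: a capability table is indexed by subject, an ACL by object. The example below is added here and is not part of the course material; the subjects, objects and rights are constructed. It builds both views from one matrix and shows which questions each answers cheaply: "what can this subject do?" and "remove this subject everywhere" are one-row operations on the capability table, while "who can write this object?" is a single lookup in its ACL.

```python
"""One access matrix, two views: capability table (by subject) and ACLs (by object).

Added example, not from the course material. Subjects, objects and rights are
constructed for illustration.
"""

# Constructed access matrix: (subject, object) -> set of rights
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "hr.doc"): {"read"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "web.log"): {"read", "write"},
    ("svc-backup", "payroll.db"): {"read"},
    ("svc-backup", "hr.doc"): {"read"},
    ("svc-backup", "web.log"): {"read"},
}


def capability_table(matrix):
    """Row view: subject -> {object -> rights}."""
    table = {}
    for (subj, obj), rights in matrix.items():
        table.setdefault(subj, {})[obj] = set(rights)
    return table


def access_control_lists(matrix):
    """Column view: object -> {subject -> rights}."""
    acls = {}
    for (subj, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def matrix_from_capabilities(table):
    """Invert the row view back to the matrix (shows the two views carry the same data)."""
    return {(s, o): set(r) for s, objs in table.items() for o, r in objs.items()}


def matrix_from_acls(acls):
    """Invert the column view back to the matrix."""
    return {(s, o): set(r) for o, subjs in acls.items() for s, r in subjs.items()}


def authorized(matrix, subj, obj, right):
    """Reference-monitor style check: deny unless the right is explicitly granted."""
    return right in matrix.get((subj, obj), set())


def who_can(acls, obj, right):
    """'Who can <right> <obj>?' is one lookup in the object's ACL."""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)


def revoke_subject(table, subj):
    """Off-boarding a subject is one row removal in the capability table..."""
    return {s: objs for s, objs in table.items() if s != subj}


def revoke_subject_from_acls(acls, subj):
    """...but means visiting every object's ACL when only the column view is kept."""
    return {obj: {s: r for s, r in entries.items() if s != subj}
            for obj, entries in acls.items()}


if __name__ == "__main__":
    acls = access_control_lists(MATRIX)
    table = capability_table(MATRIX)
    print("bob may write payroll.db:", authorized(MATRIX, "bob", "payroll.db", "write"))
    print("writers of payroll.db:", who_can(acls, "payroll.db", "write"))
    print("bob's capabilities:", table["bob"])
    print("after removing bob:", revoke_subject(table, "bob").keys())
```

Both views round-trip to the original matrix, so the choice between them is about which operations the system performs most often, not about what access is granted.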
de facto standard
standard that has been widely adopted by a public group rather than a formal standards organization
de jure standards
standards that have been formally evaluated, approved, and ratified by a formal standards organization
procedures
step-by-step instructions designed to assist employees in following policies, standards, and guidelines
defense in depth
strategy for the protection of information assets that uses multiple layers and different types of controls for optimal protection
objectives
the intermediate states obtained to achieve progress toward a goal or goals
redundancy
use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information
information security policy
written instructions provided by management that inform employees about proper behavior regarding the use of information assets
information security framework
specification of a model to be followed during the design, selection, and initial and ongoing implementation of all controls