CIS 481 - Chapter 4

information security blueprint

a framework or security model customized to an organization, including implementation details

capabilities table

access control with rows of attributes associated with a particular subject

tactical planning

actions taken by management to specify the intermediate goals of the organization in order to obtain the strategic goals

disaster recovery planning

actions taken by management to specify the organization's efforts in preparation for and recovery from a disaster

operational planning

actions taken by management to specify the short-term goals of the organization in order to obtain the tactical goals

Business continuity planning

actions taken by senior management to develop and implement the BC policy, plan, and continuity teams

contingency planning

actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster

incident

adverse event that could result in loss of an information asset, but does not currently threaten the viability of the entire organization

disaster

adverse event that could threaten the viability of the entire organization

security domain

area of trust within which information assets share the same level of protection

electronic vaulting

backup method that uses bulk batch transfer of data to an off-site facility

remote journaling

backup of data to an off-site facility in close to real time based on transactions as they occur

database shadowing

backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server

security perimeter

boundary in the network within which an organization attempts to maintain security controls for securing information from threats

sunset clause

component of policy or law that defines an expected end date for its applicability

standard

detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance

full backup

duplication of all files for an entire system

differential backup

duplication of all files that have been changed since the last full backup

incremental backup

duplication of only the files that have been changed since the previous incremental backup

policy administrator

employee responsible for the creation, revision, distribution, and storage of a policy in an organization

adverse event

event with negative consequences that could threaten the organization's information assets

practices

examples of actions that illustrate compliance with policies

configuration rules

instructions a systems admin codes into a server, networking device, or security device to specify how it operates

guidelines

non-mandatory recommendations the employee may use as a reference in complying with a policy

crisis management

organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of the disaster

issue-specific security policy

organizational policy that provides detailed guidance in the use of resource

systems-specific security policy

policies that often function as standards or procedures to be used when configuring or maintaining systems

strategic planning

process of establishing an overall course of action for an organization

operational controls

safeguards focusing on lower-level planning that deals with the functionality of the organizational's security

managerial controls

safeguards that focus on administrative planning, organizing, leading, controlling, and are designed by the strategic planners

enterprise information security policy

security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts

access control list

specifications of authorization that govern the rights and privileges of users to a particular information asset

de facto standard

standard that has been widely adopted by a public group rather than a formal standards organization

de jure standards

standards that have been formally evaluated, approved, and ratified by a formal standards organization

procedures

step-by-step instructions designed to assist employees in following policies, standards, and guidelines

defense in depth

strategy for the protection of information assets that uses multiple layers and different types of controls for optimal protection

objectives

the intermediate states obtained to achieve progress toward a goal or goals

redundancy

use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information

information security policy

written instructions provided by management that inform employees about proper behavior regarding the use of information assets

information security framework

specification of a model to be followed during the design, selection, and initial and ongoing implementation of all controls