Information Security Chapter 4


Standards

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."

Managerial Guidance SysSPs

A systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.

Technical Specification SysSPs

A type of systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically, the policy includes details on configuration rules, systems policies, and access control.

Practices

Examples of actions that illustrate compliance with policies.

Business Resumption Planning (BRP)

The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.

Incident Response Plan (IR Plan)

The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident.

Sunset Clause

A component of policy or law that defines an expected end date for its applicability.

Service Bureau

A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.

Mutual Agreements

A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.

After-Action Review (AAR)

A detailed examination and discussion of the events that occurred, from first detection to final recovery.

Alert Roster

A document that contains contact information for people to be notified in the event of an incident.

Cold Site

A facility that provides only rudimentary services, with no computer hardware or peripherals. Cold sites are used for BC operations.

Hot Swapped

A hard drive feature that allows individual drives to be replaced without powering down the entire system and without causing a fault during the replacement.

Access Control Matrix

A lattice-based access control with rows of attributes associated with a particular subject (such as a user).

Capabilities Table

A lattice-based access control with rows of attributes associated with a particular subject (such as a user).

Alert Message

A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process.

De Jure Standards

A standard that has been formally evaluated, approved, and ratified by a formal standards organization.

De Facto Standards

A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.

Defense in Depth

A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Incidents

An adverse event that could result in loss of an information asset or assets but does not currently threaten the viability of the entire organization.

Disasters

An adverse event that could threaten the viability of the entire organization. A disaster may either escalate from an incident or be initially classified as a disaster.

Sequential Roster

An alert roster in which a single contact person calls each person on the roster.

Hierarchical Roster

An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.

Security Domains

An area of trust within which information assets share the same level of protection. Each trusted network within an organization is a security domain. Communication between security domains requires evaluation of communications traffic.

Policy Administrator

An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

Adverse Events

An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.

Contingency Plan

An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.

Corporate Governance

Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.

Information Security Governance

Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.

Operational Controls

Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

Managerial Controls

Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

Guidelines

Nonmandatory recommendations the employee may use as a reference in complying with a policy.

Systems-Specific Security Policy

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups—managerial guidance and technical specifications—but may be written as a single unified SysSP document.

Objectives

Sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.

Goals

Sometimes used synonymously with objectives; the desired end of a planning cycle.

Access Control List (ACL)

Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capabilities tables.

Procedures

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

Tactical Planning

The actions taken by management to specify the intermediate goals and objectives of the organization to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.

Operations Planning

The actions taken by management to specify the short-term goals and objectives of the organization to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.

Business Continuity Planning (BCP)

The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.

Incident Response Planning (IRP)

The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.

Contingency Planning (CP)

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.

Business Continuity Plan (BC Plan)

The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.

Disaster Recovery Plan (DR Plan)

The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.

Operational Plans

The documented product of operational planning; a plan for the organization's intended operational efforts on a day-to-day basis for the next several months.

Strategic Plan

The documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years.

Tactical Plans

The documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years.

Configuration Rules

The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.

Recovery Time Objective (RTO)

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.

Recovery Point Objective (RPO)

The point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage (given the most recent backup copy of the data).

Computer Forensics

The process of collecting, analyzing, and preserving computer-related evidence.

Incident Classification

The process of examining an incident candidate and determining whether it constitutes an actual incident.

Incident Damage Assessment

The rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one.

Time-share

A continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A time-share allows the organization to have a BC option while reducing its overall costs.

Disk Mirroring

A RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.

Electronic Vaulting

A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.

Hot Site

A fully configured computing facility that includes all services, communications links, and physical plant operations. Hot sites are used for BC operations.

Server Fault Tolerance

A level of redundancy provided by mirroring entire servers to provide redundant capacity for services.

Disaster Recovery Planning (DRP)

The actions taken by senior management to specify the organization's efforts in preparation for and recovery from a disaster.

Strategic Planning

The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.

Disk Striping

A RAID implementation (typically referred to as RAID Level 0) in which one logical volume is created by storing data across several available hard drives in segments called stripes.

Database Shadowing

A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.

Warm Site

A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations.

Evidence

A physical object or documented information entered into a legal proceeding that proves an action occurred or identifies the intent of a perpetrator.

Information Security Blueprint

In information security, a framework or security model customized to an organization, including implementation details.

Full Backup

The duplication of all files for an entire system, including all applications, operating system components, and data.

Differential Backup

The duplication of all files that have changed or been added since the last full backup.

Incremental Backup

The duplication of only the files that have been modified since the previous incremental backup.

Information Security Policy

Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.

Governance

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Redundant Array of Independent Disks (RAID)

A system of drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure. By storing the data redundantly, the loss of a drive will not necessarily cause a loss of data. Also known as RAID.

Disk Duplexing

An approach to disk mirroring in which each drive has its own controller to provide additional redundancy.

Business Impact Analysis (BIA)

An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.

Issue-Specific Security Policy

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

Information Security Framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. Also known as a security model.

Technical Controls

Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.

Work Recovery Time (WRT)

The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system.

Remote Journaling

The backup of data to an off-site facility in close to real time based on transactions as they occur.

Security Perimeter

The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas. The advent of mobile and cloud information technologies makes the security perimeter increasingly difficult to define and secure.

Contingency Planning Management Team (CPMT)

The group of senior managers and project members organized to conduct and lead all CP efforts.

Enterprise Information Security Policy (EISP)

The high-level information security policy that sets the strategic direction, scope, and tone for all an organization's security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.

Maximum Tolerable Downtime (MTD)

The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations.

Redundancy

The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information.
