
Glossary

A
Acceptable interruption window
The maximum period of time that a system can be unavailable before
compromising the achievement of the business objectives

Acceptable use policy
A policy that establishes an agreement between users and the organization,
and defines for all parties ranges of use that are approved before gaining
access to a network or the Internet

Access controls
The processes, rules and deployment mechanisms that control access to
information systems, resources and physical access to premises

Access path
The logical route that an end user takes to access computerized information.
Typically, it includes a route through the operating system,
telecommunications software, selected application software and the access
control system.

Access rights
The permission or privileges granted to users, programs or workstations to
create, change, delete or view data and files within a system, as defined by
rules established by data owners and the information security policy

Accountability
The ability to map a given activity or event back to the responsible party

Action plan
A plan for the steps necessary to navigate the roadmap to achieve objectives

Ad hoc
Arbitrary approach, no formal plan or process

Administrative controls
The rules, procedures and practices dealing with operational effectiveness,
efficiency and adherence to regulations and management policies

Adware
Any software package that automatically plays, displays or downloads
advertising material to a computer after the software is installed on it or
while the application is being used. In most cases, this is done without any
notification to the user or without the user's consent. The term adware may
also refer to software that displays advertisements, whether or not it does so
with the user's consent; such programs display advertisements as an
alternative to shareware registration fees. These are classified as adware in
the sense of advertising-supported software, but not as spyware. Adware in
this form does not operate surreptitiously or mislead the user, and provides
the user with a specific service.

Advanced Encryption Standard (AES)
The international encryption standard that replaced 3DES.

Algorithm
A finite set of step-by-step instructions for a problem-solving or computation
procedure, especially one that can be implemented by a computer.

Anomaly-Based Detection
The process of comparing definitions of what activity is considered normal
against observed events to identify significant deviations. This approach is
used on some intrusion detection systems.

Annual Loss Expectation (ALE)
The total expected loss divided by the number of years in the forecast period,
yielding the average annual loss

Alert situation
The point in an emergency procedure when the elapsed time passes a
threshold and the interruption is not resolved. The organization entering into
an alert situation initiates a series of escalation steps.

Alternate facilities
Locations and infrastructures from which emergency or backup processes are
executed, when the main premises are unavailable or destroyed. This
includes other buildings, offices or data processing centers.

Alternate process
Automatic or manual processes designed and established to continue critical
business processes from point-of-failure to return-to-normal

Anonymous File Transfer Protocol (AFTP)
A method of downloading public files using the File Transfer Protocol (FTP).
AFTP does not require users to identify themselves before accessing files
from a particular server. In general, users enter the word anonymous when
the host prompts for a username. Anything can be entered for the password,
such as the user's e-mail address or simply the word guest. In many cases,
an AFTP site will not prompt a user for a name and password.

Antivirus software
Application software deployed at multiple points in an IT architecture. It is
designed to detect and potentially eliminate virus code before damage is
done, and to repair or quarantine files that have already been infected.

Application Programming Interface (API)
An application programming interface (API) is a source code-based
specification intended to be used as an interface by software components to
communicate with each other.

Application controls
The policies, procedures and activities designed to provide reasonable
assurance that objectives relevant to a given automated solution
(application) are achieved

Application layer
In the Open Systems Interconnection (OSI) communications model, the
application layer provides services for an application program to ensure that
effective communication with another application program in a network is
possible. The application layer is not the application that is doing the
communication; it is a service layer that provides these services.

Application service provider (ASP)
Also known as managed service provider (MSP), it deploys, hosts and
manages access to a packaged application to multiple parties from a
centrally managed facility. The applications are delivered over networks on a
subscription basis.

Architecture
Description of the fundamental underlying design of the components of the
business system, or of one element of the business system (e.g.,
technology), the relationships among them, and the manner in which they
support the organization's objectives

ARP (see also RARP)
ARP (Address Resolution Protocol) defines the exchanges between network
interfaces connected to an Ethernet media segment in order to map an IP
address to a link layer address on demand.

Assurance
The grounds for confidence that the set of intended security controls in an
information system are effective in their application.

Assurance Process Integration
Integration of organizational assurance processes to achieve greater
efficiencies and counter typical silo effects.

Asymmetric encryption
A cryptographic key that may be widely published and is used to enable the
operation of an asymmetric cryptography scheme. This key is
mathematically linked with a corresponding private key. Typically, a public
key can be used to encrypt, but not decrypt, or to validate a signature, but
not to sign.

Attack Signature
A specific sequence of events indicative of an unauthorized access attempt.
Typically a characteristic byte pattern used in malicious code or an indicator,
or set of indicators that allows the identification of malicious network
activities.

Attributes
The fundamental characteristics of something

Audit
Independent review and examination of records and activities to assess the
adequacy of system controls, to ensure compliance with established policies
and operational procedures, and to recommend necessary changes in
controls, policies, or procedures

Audit Review
The assessment of an information system to evaluate the adequacy of
implemented security controls, assure that they are functioning properly,
identify vulnerabilities, and assist in implementation of new security controls
where required. This assessment is conducted annually or whenever
significant change has occurred and may lead to recertification of the
information system.

Audit trail
A series of records either in hard copy or in electronic format that provide a
chronological record of user activity and other events that show the details of
user and system activity. Audit trails can be used to document when users
log in, how long they are engaged in various activities, what they were doing,
and whether any actual or attempted security violations occurred.

Authentication
The act of verifying the identity of an entity (e.g., a user, a system, a
network node)

Authorization
Access privileges granted to a user, program, or process or the act of
granting those privileges

Automated Clearing House (ACH)
ACH is an electronic network for financial transactions in the United States.
ACH processes large volumes of credit and debit transactions in batches.
Credit transfers include direct deposit payroll and vendor payments, and
ACH direct debit transfers include consumer payments on insurance
premiums, mortgage loans, and other kinds of bills.

Availability
Information that is accessible when required by the business process now
and in the future

Awareness (Information Security)
Activities which seek to focus an individual's attention on an (information
security) issue or set of issues.

B
Backup center
An alternate facility to continue IT/IS operations when the primary DP center
is unavailable

Biometrics
A measurable physical characteristic or personal behavioral trait used to
recognize the identity, or verify the claimed identity, of an applicant.
Facial images, fingerprints, and iris scan samples are all examples of
biometrics.

Business intelligence (BI)
Business intelligence (BI) mainly refers to computer-based techniques used
in identifying, extracting and analyzing business data, such as sales
revenue by products and/or departments, or by associated costs and
incomes.
BI technologies provide historical, current and predictive views of business
operations. Common functions of business intelligence technologies are
reporting, online analytical processing, analytics, data mining, process
mining, complex event processing, business performance management,
benchmarking, text mining and predictive analytics.
Business intelligence aims to support better business decision-making. Thus
a BI system can be called a decision support system (DSS).

Business impact assessment (BIA)
An analysis of an information systems requirements, functions, and
interdependencies used to characterize system contingency requirements
and priorities in the event of a significant disruption.

Baseline Security
The minimum security controls required for safeguarding an IT system based
on its identified needs for confidentiality, integrity, and/or availability
protection.

Bastion Host
A special-purpose computer on a network specifically designed and
configured to withstand attacks.

Business continuity management (BCM)
Business Continuity Management (BCM) planning focuses on assuring
continuous business processes and is a major factor in an organization's
survival during and after a disruption. BCM is a key component
of Comprehensive Emergency Management

Business continuity planning (BCP)
The documentation of a predetermined set of instructions or procedures that
describe how an organization's mission/business functions will be sustained
during and after a significant disruption.

Benchmarking
A systematic approach to comparing an organization's performance against
peers and competitors in an effort to learn the best ways of conducting
business. Examples include benchmarking of quality, logistical efficiency and
various other metrics.

Biometric
A measurable physical characteristic or personal behavioral trait used to
recognize the identity, or verify the claimed identity, of an applicant. Facial
images, fingerprints, and iris scan samples are all examples of biometrics.

Bit-stream image
Bit-stream backups, also referred to as mirror image backups, involve the
backup of all areas of a computer hard disk drive or other type of storage
media. Such backups exactly replicate all sectors on a given storage device
including all files and ambient data storage areas.

Bit copy
A bit copy provides an exact image of the original and is a requirement for
legally justifiable forensics

Bit
The smallest unit of information storage; a contraction of the term "binary
digit"; one of two symbols, "0" (zero) and "1" (one), that are used to
represent binary numbers.

Blacklisting
The process of the system invalidating a user ID based on the user's
inappropriate actions. A blacklisted user ID cannot be used to log on to the
system, even with the correct authenticator. Blacklisting and lifting of a
blacklisting are both security-relevant events. Blacklisting also applies to
blocks placed against IP addresses to prevent inappropriate or unauthorized
use of Internet resources.

Botnet
A botnet is a large number of compromised computers that are used to
create and send spam or viruses or flood a network with messages as a
denial of service attack.

Boundary
Physical or logical perimeter of a system

Brute force attack
Repeatedly trying all possible combinations of passwords or encryption keys
until the correct one is found

Business case
Documentation of the rationale for making a business investment, used both
to support a business decision on whether to proceed with the investment
and as an operational tool to support management of the investment
through its full economic life cycle

Business dependency assessment
A process of identifying resources critical to the operation of a business
process

Business impact analysis/assessment (BIA)
Evaluating the criticality and sensitivity of information assets. An exercise
that determines the impact of losing the support of any resource to an
organization, establishes the escalation of that loss over time, identifies the
minimum resources needed to recover, and prioritizes the recovery of
processes and supporting system. This process also includes addressing:
income loss, unexpected expense, legal issues (regulatory compliance or
contractual), interdependent processes, and loss of public reputation or
public confidence.

Business Model for Information Security (BMIS)
BMIS is a business-oriented model for managing information security utilizing
systems thinking to clarify complex relationships within an enterprise. The
four elements and six dynamic interconnections form the basis of a three
dimensional model that establishes the boundaries of an information security
program and models how the program functions and reacts to internal and
external change. BMIS provides the context for frameworks such as COBIT.

Byte
A fundamental unit of computer storage; the smallest addressable unit in a
computer's architecture. Usually holds one character of information and
usually means eight bits.

C
Capability Maturity Model (CMM)
CMM is a qualitative approach typically using a 0 to 5 scale with each value
assigned a set of attributes or characteristics to determine a relative level of
competency and proficiency.

Certificate
A digitally signed representation of information that 1) identifies the
authority issuing it, 2) identifies the subscriber, 3) identifies its valid
operational period (date issued / expiration date). In the information
assurance (IA) community, certificate usually implies public key certificate
and can have the following types:
Cross certificate: a certificate issued from a CA that signs the public key of
another CA not within its trust hierarchy, establishing a trust relationship
between the two CAs.
Encryption certificate: a certificate containing a public key that can encrypt
or decrypt electronic messages, files, documents, or data transmissions, or
establish or exchange a session key for these same purposes.
Key management sometimes refers to the process of storing, protecting, and
escrowing the private component of the key pair associated with the
encryption certificate.
Identity certificate: a certificate that provides authentication of the identity
claimed. Within the National Security Systems (NSS) PKI, identity certificates
may be used only for authentication or may be used for both authentication
and digital signatures.

Certificate (Certification) Authority (CA)
In cryptography, a CA is a trusted third party that issues digital certificates. A
CA attests, as the trusted provider of the public/private key pairs, to the
authenticity of the owner (entity or individual) to whom a public/private key
pair has been given. The process involves a CA who makes a decision to
issue a certificate based on evidence or knowledge obtained in verifying the
identity of the recipient. Upon verifying the identity of the recipient, the CA
signs the certificate with its private key for distribution to the user, where,
upon receipt, the user will decrypt the certificate with the CA's public key
(e.g., commercial CAs, such as VeriSign, provide public keys on web
browsers). The ideal CA is authoritative (someone the user trusts) for the
name or key space it represents. CAs are characteristic of many public key
infrastructure (PKI) schemes. Many commercial CAs charge for their services.
Institutions and governments may have their own CAs, and there are free
CAs.

Certificate policy (CP)
A specialized form of administrative policy tuned to electronic transactions
performed during certificate management. A Certificate Policy addresses all
aspects associated with the generation, production, distribution, accounting,
compromise recovery, and administration of digital certificates. Indirectly, a
certificate policy can also govern the transactions conducted using a
communications system protected by a certificate-based security system.
By controlling critical certificate extensions, such policies and associated
enforcement technology can support provision of the security services
required by particular applications.

Certification Practice Statement
A statement of the practices that a Certification Authority employs in issuing,
suspending, revoking, and renewing certificates and providing access to
them, in accordance with specific requirements (i.e., requirements specified
in this Certificate Policy, or requirements specified in a contract for services).

Certificate revocation list (CRL)
A list of revoked public key certificates created and digitally signed by a
Certification Authority.

Chain of custody
The chain of custody is a legal principle regarding the validity and integrity of
evidence. It requires accountability for anything that will be used as evidence
in a legal proceeding, to ensure that it can be accounted for from the time it
was collected until the time it is presented in a court of law. This includes
documentation as to who had access to the evidence and when, as well as
the ability to identify evidence as being the exact item that was recovered or
tested. Lack of control over evidence can lead to it being discredited. Chain
of custody depends on the ability to verify that evidence could not have been
tampered with. This is accomplished by sealing off the evidence, so it cannot
be changed, and providing a documentary record of custody to prove that
the evidence was, at all times, under strict control and not subject to
tampering.

Chain of Evidence
A process and record that shows who obtained the evidence; where and
when the evidence was obtained; who secured the evidence; and who had
control or possession of the evidence. The sequencing of the chain of
evidence follows this order: collection and identification; analysis; storage;
preservation; presentation in court; return to owner.

Challenge and Reply Authentication
Prearranged procedure in which a subject requests authentication of another
and the latter establishes validity with a correct reply.

Challenge-Response Protocol
An authentication protocol where the verifier sends the claimant a challenge
(usually a random value or a nonce) that the claimant combines with a
shared secret (often by hashing the challenge and secret together) to
generate a response that is sent to the verifier. The verifier knows the shared
secret and can independently compute the response and compare it with the
response generated by the claimant. If the two are the same, the claimant is
considered to have successfully authenticated himself. When the shared
secret is a cryptographic key, such protocols are generally secure against
eavesdroppers. When the shared secret is a password, an eavesdropper does
not directly intercept the password itself, but the eavesdropper may be able
to find the password with an off-line password guessing attack.
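The exchange described above, as an added example that is not part of the original glossary: the claimant computes an HMAC over the verifier's random challenge using the shared secret, and the verifier recomputes the value and compares it in constant time. The user name, the sample key and the Verifier class are constructed for this illustration; the single-use challenge also shows why a captured response cannot simply be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed sample key for this illustration (not a real credential). A
# high-entropy key like this resists the off-line guessing that a
# password-derived shared secret would allow.
SHARED_SECRET = bytes.fromhex(
    "9f3c1e2b7a6d5c4e3f2a1b0c9d8e7f60a1b2c3d4e5f60718293a4b5c6d7e8f90"
)


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Claimant side: combine the challenge with the shared secret.

    HMAC-SHA-256 is used instead of a bare hash of (challenge || secret) so
    that the secret is keyed into the construction and the response reveals
    nothing useful about it to an eavesdropper.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Verifier side: issues single-use random challenges and checks replies."""

    def __init__(self, secrets_by_user: Dict[str, bytes]) -> None:
        self._secrets = secrets_by_user
        self._outstanding: Dict[str, bytes] = {}  # user -> challenge awaiting a reply
        self._consumed: Set[bytes] = set()        # challenges already answered

    def issue_challenge(self, user: str) -> bytes:
        # A 256-bit random nonce: unpredictable, so a captured response is
        # useless for any later authentication attempt.
        challenge = secrets.token_bytes(32)
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Pop the live challenge so the same one can never be answered twice.
        challenge = self._outstanding.pop(user, None)
        if challenge is None or challenge in self._consumed:
            return False
        self._consumed.add(challenge)
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        # Constant-time comparison: a plain == would leak timing information.
        return hmac.compare_digest(expected, response)


def honest_exchange() -> bool:
    """Both sides hold the secret: the claimant authenticates."""
    verifier = Verifier({"alice": SHARED_SECRET})
    challenge = verifier.issue_challenge("alice")
    return verifier.verify("alice", compute_response(SHARED_SECRET, challenge))


def replayed_response() -> bool:
    """A response captured from a valid exchange is rejected when replayed,
    because the challenge it answered has been consumed. Returns True when
    the first attempt is accepted and the replay is refused."""
    verifier = Verifier({"alice": SHARED_SECRET})
    challenge = verifier.issue_challenge("alice")
    response = compute_response(SHARED_SECRET, challenge)
    first = verifier.verify("alice", response)
    second = verifier.verify("alice", response)  # replay attempt
    return first and not second


def wrong_secret() -> bool:
    """A claimant without the shared secret cannot produce a valid response."""
    verifier = Verifier({"alice": SHARED_SECRET})
    challenge = verifier.issue_challenge("alice")
    return verifier.verify("alice", compute_response(b"not the secret", challenge))


if __name__ == "__main__":
    print("honest exchange accepted:", honest_exchange())
    print("replay rejected:", replayed_response())
    print("wrong secret accepted:", wrong_secret())
```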

Change management
A controlled approach to managing the transition from a current to a desired
organizational state while ensuring that critical success factors and potential
risks are determined and addressed.

Checksum
A value that is computed by a function that is dependent on the contents of
a data object and is stored or transmitted together with the object, for the
purpose of detecting changes in the data.

Cipher
A cryptographic algorithm for encryption and decryption.

Cipher-text
Cipher-text is the encrypted form of the message being sent.

Chief executive officer (CEO)
The highest ranking individual in an organization

Chief financial officer (CFO)
The CFO is a fiduciary responsible for an organization's finance and
accounting as well as compliance with various financial regulatory
requirements.

Chief information officer (CIO)
The most senior official of the enterprise who is accountable for IT advocacy,
aligning IT and business strategies, and planning, resourcing and managing
the delivery of IT services, information and the deployment of associated
human resources. In some cases, the CIO role has been expanded to become
the chief knowledge officer (CKO) who deals in knowledge, not just
information. Also see chief technology officer.

Chief information security officer (CISO)
The CISO is responsible for managing information risk, the information
security program, and ensuring appropriate confidentiality, integrity and
availability of information assets.

Chief Operating Officer (COO)
The COO is typically responsible for oversight and management of operations
at the direction of the Chief Executive.

Chief security officer (CSO)
The CSO is typically responsible for physical security in the organization
although increasingly the CISO and CSO roles are merged.

Chief technology officer (CTO)
The individual (typically a corporate officer) who focuses on technology
issues in an organization.

Classification
The system or process that segregates information resources according to
their sensitivity and criticality.

Chief Risk Officer (CRO)
The individual, usually a corporate officer, charged with identifying and
managing organizational risk.

Cipher
Series of transformations that converts plaintext to ciphertext using the
Cipher Key

Clear Text
Information that is not encrypted

Client (client/server)
Individual or process acting on behalf of an individual who makes requests of
a dedicated server. The client's requests to the dedicated server can involve
data transfer to, from, or through the dedicated server.

Cloud computing
An approach using external services for convenient, on-demand IT operations
using a shared pool of configurable computing capability (e.g., networks,
servers, storage, applications and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction.
Typical service models include infrastructure as a service (IaaS), platform as
a service (PaaS) and software as a service (SaaS).
This cloud model is composed of five essential characteristics (on-demand
self-service, ubiquitous network access, location-independent resource
pooling, rapid elasticity, and measured service).
It allows users to access technology-based services from the network cloud
without knowledge of, expertise with, or control over the technology
infrastructure that supports them, and provides four deployment models for
enterprise access (private cloud, community cloud, public cloud, and hybrid
cloud).

COBIT
The international IT management framework and set of IT control objectives
published by ISACA (editions released in 1996, 1998, 2000, 2005 and 2007)

Cold Site
Backup site that can be up and operational in a relatively short time span,
such as a day or two. Provision of services, such as telephone lines and
power, is taken care of, and the basic office furniture might be in place, but
there is unlikely to be any computer equipment, even though the building
might well have a network infrastructure and a room ready to act as a server
room. In most cases, cold sites provide the physical location and basic
services.

Common Carrier
In a telecommunications context, a telecommunications company that holds
itself out to the public for hire to provide communications transmission
services. Note: In the United States, such companies are usually subject to
regulation by federal and state regulatory commissions.

Community of Interest (COI)
A collaborative group of users who exchange information in pursuit of their
shared goals, interests, missions, or business processes, and who therefore
must have a shared vocabulary for the information they exchange. The
group exchanges information within and between systems to include security
domains.

Compartmentalization
A nonhierarchical grouping of sensitive information used to control access to
data more finely than with hierarchical security classification alone.

Compensating Security Control
A management, operational, and/or technical control (i.e., safeguard or
countermeasure) employed by an organization in lieu of a recommended
security control in the low, moderate, or high baselines that provides
equivalent or comparable protection for an information system.

Competitive Intelligence
Competitive Intelligence is espionage using legal, or at least not obviously
illegal, means.

Compromise
Disclosure of information to unauthorized persons, or a violation of the
security policy of a system in which unauthorized intentional or
unintentional disclosure, modification, destruction, or loss of an object may
have occurred.

Computer emergency response team (CERT)
A group of people integrated into the organization with clear lines of
reporting and responsibilities for standby support in case of an information
systems emergency. This group will act as an efficient corrective control, and
should also act as a single point of contact for all incidents and issues
related to information systems.

Computer Incident Response Team (CIRT)
Group of individuals usually consisting of Security Analysts organized to
develop, recommend, and coordinate immediate mitigation actions for
containment, eradication, and recovery resulting from computer security
incidents. Also called a Computer Security Incident Response Team (CSIRT)
or a CIRC (Computer Incident Response Center, Computer Incident Response
Capability, or Cyber Incident Response Team)

Confidentiality
The protection of sensitive or private information from unauthorized
disclosure

Control center
Hosts the recovery meetings where disaster recovery operations are
managed

Controls
Any regulatory document, process, structure or technology

Configuration Management
Process of controlling modifications to hardware, firmware, software, and
documentation to protect the information system against improper
modification prior to, during, and after system implementation

Controls policy
A policy defining control operational and failure modes (e.g., fail secure, fail
open, allowed unless specifically denied, denied unless specifically
permitted).

Content Filtering
The process of monitoring communications such as email and Web pages,
analyzing them for suspicious content, and preventing the delivery of
suspicious content to users.

Contingency Plan
Management policy and procedures used to guide an enterprise response to
a perceived loss of mission capability. The Contingency Plan is the first plan
used by the enterprise risk managers to determine what happened, why, and
what to do. It may point to the Continuity of Operations Plan (COOP) or
Disaster Recovery Plan for major disruptions.

Convergence
The trend of combining physical and information security under one manager
to increase efficiency and effectiveness

Continuity of operations plan (COOP)
A predetermined set of instructions or procedures that describe how an
organization's mission-essential functions will be sustained within 12 hours
and for up to 30 days as a result of a disaster event before returning to
normal operations.

Continuous Monitoring
The process implemented to maintain a current security status for one or
more information systems or for the entire suite of information systems on
which the operational mission of the enterprise depends. The process
includes:
The development of a strategy to regularly evaluate selected IA
controls/metrics,
Recording and evaluating IA relevant events and the effectiveness of the
enterprise in dealing with those events,
Recording changes to IA controls, or changes that affect IA risks, and
Publishing the current security status to enable information-sharing decisions
involving the enterprise.

Corporate governance
The system by which organizations are directed and controlled. Boards of
directors are responsible for the governance of their organizations.

COSO
Refers to the report Internal Control: An Integrated Framework, sponsored
by the Committee of Sponsoring Organizations of the Treadway Commission
in 1992. It provides guidance and a comprehensive framework of internal
control for all organizations.

Countermeasures
Any process that directly reduces a threat or vulnerability

Credential
An object that authoritatively binds an identity (and optionally, additional
attributes) to a token possessed and controlled by a person.

Critical Infrastructure
Systems and assets, whether physical or virtual, so vital to a country that the
incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public
health or safety, or any combination of those matters.

Critical success factor(s) (CSF)
The issues that must be resolved or the specific steps that must be
completed that are essential to the achievement of an objective

Criticality
A measure of the impact that the failure of a system to function as required
will have on the organization.

Criticality analysis
An analysis to evaluate resources or business functions to identify their
importance to the organization, and the impact if a function cannot be
completed or a resource is not available

Common vulnerabilities and exposures (CVE)
The Common Vulnerabilities and Exposures or CVE system provides a
reference method for publicly known information security vulnerabilities and
exposures. MITRE Corporation maintains the system, with funding from
the National Cyber Security Division of the United States Department of
Homeland Security.

Cost Benefit Analysis
Cost-benefit analysis (CBA), sometimes called benefit-cost analysis (BCA), is
a systematic process for calculating and comparing benefits and costs of a
project, decision

Cross-Certificate
A certificate used to establish a trust relationship between two Certification
Authorities.

Critical path
Critical Path Analysis (CPA) or the Critical Path Method (CPM) defines all
essential tasks that must be completed in sequence as part of a project in
the least possible time.

Culture
The set of shared attitudes, values, goals, and practices that characterizes
an institution or organization

Cryptographic Algorithm
A well-defined computational procedure that takes variable inputs, including
a cryptographic key, and produces an output

Cryptographic Hash Function
A function that maps a bit string of arbitrary length to a fixed-length bit
string. Approved hash functions satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input which maps
to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two
distinct inputs that map to the same output.

Cryptographic Strength
A measure of the expected number of operations required to defeat a
cryptographic mechanism.

Cryptography
The discipline that embodies the principles, means, and methods for the
transformation of data in order to hide their semantic content, prevent their
unauthorized use, or prevent their undetected modification.

Cybercop
An investigator of computer-crime-related activities

Cyclic Redundancy Check (CRC)
A checksum method used to detect accidental alteration of data after it has
been sent through a communication channel or read back from storage. A CRC
uses no secret and is linear, so it is not a security control: anyone who
deliberately modifies the data can recompute a matching CRC. Detecting
deliberate modification requires a cryptographic hash function combined
with a key (a message authentication code) or a digital signature.
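
The following is an added example, not part of the original glossary, that
makes the difference between the CRC, the cryptographic hash function and a
keyed check concrete: it shows the linearity of CRC-32, and runs a constructed
message through a toy channel to see which check an attacker can forge. The
messages and the key are constructed for the example; only the Python standard
library is used.

```python
"""Added example: what a CRC, a bare hash and a keyed MAC each do against a
deliberate change. Sample messages are constructed for this example."""
import binascii
import hashlib
import hmac
import secrets

# Constructed equal-length messages: what was sent, and what an attacker
# wants the receiver to accept instead.
MESSAGE = b"PAY 100.00 TO ACCOUNT 4711"
TAMPERED = b"PAY 900.00 TO ACCOUNT 4711"


def crc32(data: bytes) -> int:
    """CRC-32 (the zlib/PNG polynomial)."""
    return binascii.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC is linear over GF(2): for equal-length inputs
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). An attacker can therefore
    predict exactly how any edit changes the check value."""
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)


def sha256_is_linear(a: bytes, b: bytes) -> bool:
    """The same identity fails for a cryptographic hash."""
    lhs = sha256(xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(sha256(a), sha256(b)), sha256(bytes(len(a))))
    return lhs == rhs


# A toy channel: the sender attaches a check value, the attacker edits the
# message in transit, the receiver verifies what arrives.

def receiver_accepts_crc(message: bytes, check: int) -> bool:
    return crc32(message) == check


def receiver_accepts_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(sha256(message), digest)


def receiver_accepts_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare


def forge_crc(modified: bytes) -> bool:
    """No secret is involved, so the attacker just recomputes the CRC."""
    return receiver_accepts_crc(modified, crc32(modified))


def forge_hash(modified: bytes) -> bool:
    """A bare SHA-256 is one-way and collision resistant, but equally keyless."""
    return receiver_accepts_hash(modified, sha256(modified))


def forge_hmac(key: bytes, original: bytes, modified: bytes) -> bool:
    """Without the key the attacker can only replay the tag that was sent
    with the original message, which does not verify for the edited one."""
    sent_tag = hmac.new(key, original, hashlib.sha256).digest()
    return receiver_accepts_hmac(key, modified, sent_tag)


def crc_detects_bit_flip(message: bytes) -> bool:
    """What a CRC is actually for: any single flipped bit is detected."""
    corrupted = bytearray(message)
    corrupted[3] ^= 0x10
    return crc32(bytes(corrupted)) != crc32(message)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # known only to sender and receiver
    print("CRC linear:          ", crc_is_linear(MESSAGE, TAMPERED))     # True
    print("SHA-256 linear:      ", sha256_is_linear(MESSAGE, TAMPERED))  # False
    print("CRC accepts forgery: ", forge_crc(TAMPERED))                  # True
    print("hash accepts forgery:", forge_hash(TAMPERED))                 # True
    print("HMAC accepts forgery:", forge_hmac(key, MESSAGE, TAMPERED))   # False
    print("CRC catches bit flip:", crc_detects_bit_flip(MESSAGE))        # True
```

The point for a practitioner: a strong hash alone is no better than a CRC
against an attacker who can rewrite both the data and the check; only a
secret (the MAC key) or a private signing key separates integrity checking
from authenticity.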

D
Damage evaluation
The determination of the extent of damage that is necessary to provide for
an estimation of the recovery time frame and the potential loss to the
organization

Data classification
The assignment of a level of sensitivity to data (or information) that results in
the specification of controls for each level of classification. Levels of
sensitivity of data are assigned according to predefined categories as data
are created, amended, enhanced, stored or transmitted. The classification
level is an indication of the value or importance of the data to the
organization.


Data Custodian
A Data Custodian is the entity currently using or manipulating the data, and
therefore, temporarily taking responsibility for the data.

Data Integrity
The property that data has not been altered in an unauthorized manner.
Data integrity covers data in storage, during processing, and while in transit.

Data Mining
Data Mining is a technique used to analyze existing information, usually with
the intention of discovering patterns that open new business opportunities.

Data Owner
A Data Owner is the entity having responsibility and authority for the data.

Data Warehousing
Data Warehousing is the consolidation of several previously independent
databases into one location.

Data Encryption Standard (DES)
A symmetric (secret-key) block cipher for binary data, operating on 64-bit
blocks with a 56-bit key. It was published in 1977 by the National Bureau of
Standards (NBS), the predecessor of the US National Institute of Standards
and Technology (NIST). The 56-bit key is far too short against modern
brute-force search, and DES and its variants (including Triple DES) have
been superseded by the Advanced Encryption Standard (AES).

Decrypt
Generic term encompassing decode and decipher

Data leakage
Siphoning out or leaking information by dumping computer files or stealing
computer reports and tapes


Data leak protection (DLP)
Also called data loss prevention. A suite of technologies and associated
processes that locate, monitor and protect sensitive information from
unauthorized disclosure

Data normalization
A structured process for organizing data into tables in a common form in
such a way that it preserves the relationships among the data

Data warehouse
A generic term for a system that stores, retrieves and manages large
volumes of data. Data warehouse software often includes sophisticated
comparison and hashing techniques for fast searches, as well as advanced
filtering.

Decentralization
The process of distributing computer processing to different locations within
an organization

Decryption
Decryption is the process of transforming an encrypted message into its
original plaintext.

Decryption key
A digital piece of information used to recover plaintext from the
corresponding ciphertext by decryption

Defense in depth
The practice of layering defenses to provide added protection. Defense in
depth increases security by raising the effort needed in an attack. This
strategy places multiple barriers between an attacker and an organizations
computing and information resources.


Degauss
The application of variable levels of alternating current for the purpose of
demagnetizing magnetic recording media. The process involves increasing
the alternating current field gradually from zero to some maximum value and
back to zero, leaving a very low residue of magnetic induction on the media.
Degauss loosely means: to erase.

Demilitarized zone (DMZ)
A screened (firewalled) network segment that acts as a buffer zone between
a trusted and an untrusted network. A DMZ is typically used to house systems
such as web servers that must be accessible from both internal networks and
the Internet, so that compromise of such a system does not give direct
access to the internal network.

Denial of service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make a computer or
network resource unavailable to its intended users, typically by overloading
the system with requests or by sending input that causes it to crash or to
exhaust a resource (memory, connections, bandwidth).

Disruption
An unplanned event that causes the general system or major application to
be inoperable for an unacceptable length of time (e.g., minor or extended
power outage, extended unavailable network, or equipment or facility
damage or destruction).

Digital certificate
An electronic credential issued by a certificate authority (CA). A digital
certificate binds a user's identity to a public key. It contains a user identifier,
a unique serial number, valid to-from dates, usage information, a copy of the
certificate holders public key, and a thumbprint (hash) to verify integrity.
The certificate is signed by the digital signature of the certificate-issuing
authority so that a recipient can verify the validity of the certificate.


Digital code signing
The process of digitally signing computer code so that its integrity can be
verified and its publisher identified before it is installed or executed

Disaster declaration
The communication to appropriate internal and external parties that the
disaster recovery plan is being put into operation

Disaster notification fee
The fee the recovery site vendor charges when the customer notifies them
that a disaster has occurred and the recovery site is required. The fee is
implemented to discourage false disaster notifications.

Disaster recovery plan (DRP)
A set of human, physical, technical and procedural resources to recover,
within a defined time and cost, an activity interrupted by an emergency or
disaster

Disaster recovery plan desk checking
Typically a read-through of a disaster recovery plan without any real actions
taking place. It generally involves a reading of the plan, discussion of the
action items and definition of any gaps that might be identified.

Disaster recovery plan walk-through
Generally a robust test of the recovery plan requiring that some recovery
activities take place and are tested. A disaster scenario is often given and
the recovery teams talk through the steps they would need to take to
recover. As many aspects of the plan should be tested as possible.

Discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects
and/or groups to which they belong. The controls are discretionary in the
sense that a subject with a certain access permission is capable of passing
that permission (perhaps indirectly) on to any other subject. Unix file
permissions are the usual example: the owner of a file decides who may read
it, and anyone who can read it can copy the contents into a file they own.
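
The following is an added example, not part of the original glossary, that
models the DAC rule above in a few dozen lines and demonstrates the "perhaps
indirectly" clause: a direct re-grant by a non-owner is refused, yet the data
still reaches a third party through a copy the reader owns. The subjects,
object names and contents are constructed; the rules are the generic
owner-controls-the-ACL model, not any particular operating system's.

```python
"""Added example: a minimal discretionary access control (DAC) model showing
what "discretionary" costs you. Subjects, objects and contents are
constructed for this example; the rules are the classic owner-controls-ACL
model, not any particular operating system's implementation."""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class Obj:
    name: str
    owner: str
    content: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions


class DacSystem:
    def __init__(self):
        self.objects = {}

    def create(self, owner: str, name: str, content: str) -> Obj:
        """The creator becomes the owner and starts with full rights."""
        obj = Obj(name, owner, content, {owner: {READ, WRITE}})
        self.objects[name] = obj
        return obj

    def allowed(self, subject: str, name: str, perm: str) -> bool:
        return perm in self.objects[name].acl.get(subject, set())

    def grant(self, granter: str, name: str, grantee: str, perm: str) -> None:
        """Only the owner may change an object's ACL (the usual DAC rule)."""
        obj = self.objects[name]
        if granter != obj.owner:
            raise PermissionError(f"{granter} does not own {name}")
        obj.acl.setdefault(grantee, set()).add(perm)

    def read(self, subject: str, name: str) -> str:
        if not self.allowed(subject, name, READ):
            raise PermissionError(f"{subject} may not read {name}")
        return self.objects[name].content


def indirect_pass_on(system: DacSystem, reader: str, name: str, target: str) -> str:
    """The 'perhaps indirectly' clause: a non-owner with read access copies the
    data into an object it owns and grants read on the copy. The original
    object's ACL never changes, yet `target` ends up with the content."""
    data = system.read(reader, name)
    copy = system.create(reader, f"{name}.copy-of-{reader}", data)
    system.grant(reader, copy.name, target, READ)
    return system.read(target, copy.name)


def demo():
    """Returns (direct re-grant refused, data leaked anyway, original ACL untouched)."""
    s = DacSystem()
    s.create("alice", "salaries.txt", "bob:50k; carol:70k")  # alice owns it
    s.grant("alice", "salaries.txt", "bob", READ)            # owner's choice
    try:                                                     # bob is not the owner...
        s.grant("bob", "salaries.txt", "mallory", READ)
        direct_refused = False
    except PermissionError:
        direct_refused = True
    leaked = indirect_pass_on(s, "bob", "salaries.txt", "mallory")  # ...but can copy
    return (direct_refused,
            leaked == "bob:50k; carol:70k",
            not s.allowed("mallory", "salaries.txt", READ))


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

This is why DAC alone cannot enforce a confidentiality policy against an
authorized but careless or malicious reader: the ACL on the original object
is correct throughout, and an audit of it would show nothing wrong.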

Disk mirroring
The practice of duplicating data in separate volumes on two hard disks to
make storage more fault tolerant. Mirroring provides data protection in the
case of disk failure because data are constantly updated to both disks.

Disk Imaging
Generating a bit-for-bit copy of the original media, including free space and
slack space.

Distributed denial of service (DDoS)
A denial-of-service attack in which the traffic or requests come from many
sources at once (typically a botnet of compromised machines), so that the
attack cannot be stopped by blocking a single source address.

Domain
A sphere of knowledge, or a collection of facts about some program entities
or a number of network points or addresses, identified by a name. On the
Internet, a domain consists of a set of network addresses. In the Internet's
domain name system, a domain is a name with which name server records
are associated that describe sub-domains or host. In Windows NT and
Windows 2000, a domain is a set of network resources (applications, printers,
and so forth) for a group of users. The user need only to log in to the domain
to gain access to the resources, which may be located on a number of
different servers in the network.


Domain name system (DNS)
A hierarchical database that is distributed across the Internet that allows
names to be resolved into IP addresses (and vice versa) to locate services
such as web and e-mail servers. Plain DNS responses are neither encrypted
nor authenticated; DNSSEC adds signatures over records so that a resolver
can detect forged answers.

Dual control
A procedure that uses two or more entities (usually persons) operating in
concert to protect a system resource such that no single entity acting alone
can access that resource

Due care
The level of care expected from a reasonable person of similar competency
under similar conditions

Due diligence
The performance of those actions that are generally regarded as prudent,
responsible and necessary to conduct a thorough and objective investigation,
review and/or analysis

Dynamic host configuration protocol (DHCP)
Dynamic Host Configuration Protocol is a protocol for assigning dynamic IP
addresses to devices on a network. With dynamic addressing, a device can
have a different IP address every time it connects to the network. In some
systems, the device's IP address can even change while it is still connected.
DHCP also supports a mix of static and dynamic IP addresses. DHCP itself has
no authentication, so a rogue DHCP server on the same segment can hand
clients a malicious default gateway or DNS server; switches counter this
with DHCP snooping.

E
Electronic data interchange (EDI)
Electronic data interchange (EDI) is the structured transmission of data
between organizations by electronic means. It is used to transfer electronic
documents or business data from one computer system to another computer
system, i.e., from one trading partner to another trading partner without
human intervention.

Electronic funds transfer (EFT)
Electronic funds transfer (EFT) is the electronic exchange or transfer of
money from one account to another, either within a single financial
institution or across multiple institutions, through computer-based systems

Encryption
Cryptographic transformation of data (called "plaintext") into a form (called
"cipher text") that conceals the data's original meaning to prevent it from
being known or used.

Encipher
Convert plain text to cipher text by means of a cryptographic system

End-to-End Encryption
Communications encryption in which data is encrypted when being passed
through a network, but routing information remains visible.

End-to-End Security
Safeguarding information in an information system from point of origin to
point of destination.

Enterprise governance
A set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that
objectives are achieved, ascertaining that risks are managed appropriately
and verifying that the enterprises resources are used responsibly.

Enterprise Architecture (EA)
The description of an enterprise's entire set of information systems: how
they are configured, how they are integrated, how they interface to the
external environment at the enterprise's boundary, how they are operated to
support the enterprise mission, and how they contribute to the enterprise's
overall security posture.

Enterprise Risk Management
The methods and processes used by an enterprise to manage risks to its
mission and to establish the trust necessary for the enterprise to support
shared missions. It involves the identification of mission dependencies on
enterprise capabilities, the identification and prioritization of risks due to
defined threats, the implementation of countermeasures to provide both a
static risk posture and an effective dynamic response to active threats; and it
assesses enterprise performance against threats and adjusts
countermeasures as necessary.

Entitlements
Entitlement management is the process by which business users manage the
data that controls how access policies are evaluated at runtime. They can add
and delete users for applications and put those users into groups or assign
them to roles. They manage sets of actions (permissions) that can be
logically grouped for a particular business function, and assign those sets
of actions to users or to roles defined for the application.

Ethernet
The most widely installed LAN technology, specified in the IEEE 802.3
standard. Early Ethernet ran over shared coaxial cable, with all devices
competing for the medium; modern Ethernet runs over twisted-pair copper or
fibre to a switch, which gives each port its own link. On a shared segment
every station can see every frame.

Event
An event is an observable occurrence in a system or network.


Exposure
The extent to which an asset is open to a viable threat, creating a risk;
i.e., both a viable threat and a susceptible vulnerability may exist, but the
risk is a function of the degree of exposure.

External storage
The location that contains the backup copies to be used in case recovery or
restoration is required in the event of a disaster

Extranet
A private network that uses Web technology, permitting the sharing of
portions of an enterprises information or operations with suppliers, vendors,
partners, customers, or other enterprises.

F
Fail Safe
Automatic protection of programs and/or processing systems when hardware
or software failure is detected.

Failover
The capability to switch over automatically (typically without human
intervention or warning) to a redundant or standby information system upon
the failure or abnormal termination of the previously active system.

Fall-through logic
An optimized code based on a branch prediction that predicts which way a
program will branch when an application is presented

False Positive
An alert that incorrectly indicates that malicious activity is occurring


False Negative
A lack of or incorrect alert indicating that no malicious activity is occurring

Federal energy regulatory commission (FERC) USA
The Federal Energy Regulatory Commission (FERC) is the United States
federal agency with jurisdiction over interstate electricity sales,
wholesale electric rates, hydroelectric licensing, natural gas pricing, and
oil pipeline rates. FERC also reviews and authorizes liquefied natural gas
(LNG) terminals, interstate natural gas pipelines and nonfederal hydropower
projects.

Federal financial institutions examination council (FFIEC) USA
The Federal Financial Institutions Examination Council, or FFIEC, is a formal
interagency body of the United States government empowered to prescribe
uniform principles, standards, and report forms for the federal examination
of financial institutions by the Board of Governors of the Federal Reserve
System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National
Credit Union Administration (NCUA), the Office of the Comptroller of the
Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), and to
make recommendations to promote uniformity in the supervision of financial
institutions.

File Encryption
The process of encrypting individual files on a storage medium and
permitting access to the encrypted data only after proper authentication is
provided.

File Transfer Protocol (FTP)
A TCP/IP protocol specifying the transfer of text or binary files across the
network. FTP sends credentials and file contents in cleartext; SFTP (over
SSH) or FTPS (over TLS) should be used instead.

Financial Services Authority (FSA) UK
The Financial Services Authority was the regulator of the financial services
industry in the UK. In 2013 its functions passed to the Financial Conduct
Authority (FCA) and the Prudential Regulation Authority (PRA).

Firewall
A system or combination of systems that enforces a boundary between two
or more networks typically forming a barrier between a secure and an open
environment such as the Internet

Firmware
Computer programs and data stored in hardware - typically in read-only
memory (ROM), programmable read-only memory (PROM) or flash - such that the
programs and data cannot be dynamically written or modified during execution
of the programs. Modern firmware can usually still be updated (flashed)
through a dedicated path, so that update path needs the same protection
(signed images, verified boot) as any other code-loading mechanism.

Flooding
An attack that attempts to cause a failure in a system by providing more
input than the system can process properly.

Foreign corrupt practices act (FCPA)
The Foreign Corrupt Practices Act is a United States law, enacted in 1977 and
amended in 1998 to implement the OECD Anti-Bribery Convention, that
prohibits the bribery of foreign government officials and requires accurate
books and records, in an attempt to reduce corruption and money laundering
through the global financial system.

Forensic Copy
An accurate bit-for-bit reproduction of the information contained on an
electronic device or associated media, whose validity and integrity has been
verified using an accepted algorithm.


Forensic examination
The process of collecting, assessing, classifying and documenting digital
evidence to assist in the identification of an offender and the method of
compromise

Forensic Specialist
A professional who locates, identifies, collects, analyzes, and examines data
while preserving the integrity and maintaining a strict chain of custody of
information discovered.

Forensics
The practice of gathering, retaining, and analyzing computer-related data for
investigative purposes in a manner that maintains the integrity of the data.

Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a
computer, including the computer's operating system, and permitting access
to the data only after successful authentication with the full disk encryption
product

G
Generally accepted information security principles (GAISP)
GAISP describes eight pervasive principles and fourteen practices for
information security. Each of the principles applies to each of the practices.

Gap analysis
A process used to determine the difference between an existing state and a
desired state, and what is required to move from one to the other.


Guideline
A description of a particular way of accomplishing something that is less
prescriptive than a procedure

H
Hardening
Configuring a host's operating system and applications to reduce the host's
security weaknesses, for example by removing unneeded services, applying
patches and restricting permissions.

Hash Function
An algorithm that computes a value based on a data object thereby mapping
the data object to a smaller data object.

Help desk
A service offered via telephone/Internet by an organization to its clients or
employees, which provides information, assistance and troubleshooting
advice regarding software, hardware or networks. A help desk is staffed by
people that can either resolve the problem on their own or escalate the
problem to specialized personnel. A help desk is often equipped with
dedicated customer relationship management (CRM) software that logs the
problems and tracks them until they are solved.

High Availability
A failover feature to ensure availability during device or component
interruptions.

Host based Intrusion Detection System (HIDS)
A host-based IDS monitors all or parts of the dynamic behavior and the state
of a computer system.

Honeypot
A specially configured server, also known as a decoy server, designed to
attract and monitor intruders in a manner such that their actions do not
affect production systems

Hot site
A fully operational offsite data processing facility equipped with hardware
and system software to be used in the event of a disaster

Hypertext Markup Language (HTML)
The set of markup symbols or codes inserted in a file intended for display on
a World Wide Web browser page.

Hypertext Transfer Protocol (HTTP)
A communication protocol used to connect to servers on the World Wide
Web. Its primary function is to establish a connection with a web server and
transmit HTML, XML or other pages to the client browsers.

HTTPS
HTTP carried over TLS (formerly SSL). The TLS layer provides encryption and
integrity for the traffic and, through the server's certificate,
authentication of the server to the client.

Heating, ventilation and air conditioning (HVAC)
The main purposes of a Heating, Ventilation, and Air-Conditioning (HVAC)
system are to help maintain good indoor air quality through adequate
ventilation with filtration and provide thermal protection for IT equipment

I
IA Architecture
A description of the structure and behavior for an enterprise's security
processes, information security systems, personnel and organizational
sub-units, showing their alignment with the enterprise's mission and
strategic plans.

IA Infrastructure
The underlying security framework that lies beyond an enterprises defined
boundary, but supports its IA and IA-enabled products, its security posture
and its risk management plan.

ICT
ICT is an acronym that stands for Information Communications Technology
and is largely synonymous with IT

Identification
The process by which a user, process or device claims an identity, for
example by presenting a user name; it is normally followed by
authentication, which verifies that claim, as a prerequisite for granting
access to resources in an IT system

Identity
A unique name of an individual person or device. Since the legal names of
persons are not necessarily unique, the identity of a person must include
sufficient additional information to make the complete name unique

Impact
The magnitude of harm that can be expected to result from the
consequences of unauthorized disclosure of information, unauthorized
modification of information, unauthorized destruction of information, or loss
of information or information system availability.

Impact analysis
An impact analysis is a study to prioritize the criticality of information
resources for the organization based on costs (or consequences) of adverse
events. In an impact analysis, threats to assets are identified and potential
business losses determined for different time periods. This assessment is
used to justify the extent of safeguards that are required and recovery time
frames. This analysis is the basis for establishing the recovery strategy.

Incident
An incident is an adverse event in an information system or network, or the
threat of the occurrence of such an event.

Incident Handling
Incident Handling is an action plan for dealing with intrusions, cyber-theft,
denial of service, fire, floods, and other security-related events. It is
comprised of a six step process: Preparation, Identification, Containment,
Eradication, Recovery, and Lessons Learned.

Incident management team (IMT)
An Incident Management Team (IMT) is a team of highly trained,
experienced, and credentialed people that can come together and deploy
with appropriate equipment and personnel to address unanticipated
disruptive security events

Incident response team (IRT)
The IRT is the operational capability of incident management and the first
responders to unanticipated disruptive events, with the objective of
containing damage, restoring services and investigating causes.

Incident response plan (IRP)
The IRP is part of business continuity planning and addresses the nature,
scope, constituency and charter of the IMT and IRT as well as notification and
escalation procedures. It also defines severity and declaration criteria, triage
procedures, training and deployment requirements and other significant
aspects of incident response.

Incremental Backups
Incremental backups only back up the files that have been modified since the
last backup. If dump levels are used, a level-N backup only includes files
changed since the most recent backup at a lower level, so repeating the same
level (for example 0, 5, 5, 5) yields differential backups relative to the
last full backup, while increasing levels (0, 1, 2, 3) yield true
incrementals with a longer restore chain.
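
The following is an added example, not part of the original glossary, that
applies the dump-level rule to two constructed weekly schedules and derives
both what each backup contains and which backups a restore must read back.
The file set, modification days and level sequences are constructed; the rule
is the dump(8) convention described above.

```python
"""Added example: which files a level-N dump contains and which backups a
restore needs. The schedules and file edits are constructed; the rule is the
dump(8) convention of a level-N backup covering everything modified since
the most recent backup of a strictly lower level (level 0 = full)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int
    level: int
    files: frozenset


def reference_day(history, level):
    """Day of the most recent backup at a strictly lower level, or None."""
    lower = [b for b in history if b.level < level]
    return max(b.day for b in lower) if lower else None


def run_backup(history, day, level, mtimes):
    """mtimes: file -> day of last modification. Appends and returns the Backup."""
    ref = reference_day(history, level)
    if ref is None:
        level, chosen = 0, set(mtimes)           # nothing lower: must be full
    else:
        chosen = {f for f, m in mtimes.items() if m > ref}
    backup = Backup(day, level, frozenset(chosen))
    history.append(backup)
    return backup


def restore_chain(history):
    """Backups needed, oldest first, to rebuild the state after the last one:
    walk back from the latest backup to the latest lower-level backup before
    it, repeatedly, until a level 0 is reached."""
    chain = [history[-1]]
    while chain[-1].level > 0:
        cur = chain[-1]
        earlier = [b for b in history if b.day < cur.day and b.level < cur.level]
        chain.append(max(earlier, key=lambda b: b.day))
    return list(reversed(chain))


def schedule(levels, edits):
    """levels: dump level for each day starting at day 0; edits: day -> files
    modified that day. Files a, b, c all exist unchanged on day 0."""
    mtimes = {"a": 0, "b": 0, "c": 0}
    history = []
    for day, level in enumerate(levels):
        for f in edits.get(day, ()):
            mtimes[f] = day
        run_backup(history, day, level, mtimes)
    return history


EDITS = {1: ["a"], 2: ["b"], 3: ["c"]}   # constructed: one file changes per day

if __name__ == "__main__":
    for name, levels in (("increasing 0,1,2,3", [0, 1, 2, 3]),
                         ("repeated   0,5,5,5", [0, 5, 5, 5])):
        hist = schedule(levels, EDITS)
        print(name, [sorted(b.files) for b in hist],
              "restore needs days", [b.day for b in restore_chain(hist)])
```

The trade-off the output makes visible: increasing levels store each file
once but a restore needs every backup in the chain (and fails if any one is
lost or corrupt), while repeated levels store changed files again each day
but restore from just the full backup plus the latest differential.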

Information Assurance (IA)
Measures that protect and defend information and information systems by
ensuring their availability, integrity, authentication, confidentiality, and
non-repudiation. These measures include providing for restoration of
information systems by incorporating protection, detection, and reaction
capabilities. Synonymous with information security

Information security governance
The set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction,
ensuring that objectives are achieved, ascertaining that risks are managed
appropriately and verifying that the enterprise's resources are used
responsibly

Information security program
The overall combination of technical, operational and procedural measures,
and management structures implemented to provide for the confidentiality,
integrity and availability of information based on business requirements and
risk analysis

Information Security
The protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction in order to
provide confidentiality, integrity, and availability. Synonymous with
Information Assurance (IA)

Information Security Architect
Individual, group, or organization responsible for ensuring that the
information security requirements necessary to protect the organization's
core missions and business processes are adequately addressed in all
aspects of enterprise architecture including reference models, segment and
solution architectures, and the resulting information systems supporting
those missions and business processes.

Integrity
The accuracy, completeness and validity of information

Intellectual Property
Useful artistic, technical, and/or industrial information, knowledge or ideas
that convey ownership and control of tangible or virtual usage and/or
representation. i.e. intangible property of value

Internal controls
The policies, procedures, practices and organizational structures designed to
provide reasonable assurance that business objectives will be achieved and
undesired events will be prevented or detected and corrected

Internal Rate of Return (IRR)
The internal rate of return on an investment or project is the annualized
effective compounded rate of return that makes the net present value (NPV)
of all cash flows (both positive and negative) from the investment equal to
zero: NPV = sum over years t of CF_t / (1 + IRR)^t = 0, where CF_0 is the
(negative) up-front investment.
Internal rates of return are commonly used to evaluate the desirability of
investments or projects. The higher a project's internal rate of return, the
more desirable it is to undertake the project. Assuming all projects require
the same amount of up-front investment, the project with the highest IRR
would be considered the best and undertaken first. Cash flows that change
sign more than once can have several IRRs; in that case NPV at the
organization's cost of capital is the safer criterion.
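
The following is an added example, not part of the original glossary, that
computes NPV from the formula above and solves for IRR numerically (by
bisection, since the equation has no closed form beyond two periods), then
ranks a few constructed security investments the way the entry describes.
Project names and cash flows are constructed for the example.

```python
"""Added example: net present value and internal rate of return by bisection.
The projects and cash flows are constructed for the example."""


def npv(rate, cash_flows):
    """cash_flows[t] is the net cash flow in year t; year 0 is the up-front
    investment (negative). NPV = sum of CF_t / (1 + rate)^t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-12):
    """The rate at which NPV is zero, found by bisection on [lo, hi].
    A conventional project (one outflow, then inflows) has exactly one root;
    cash flows that change sign more than once may have several, which is
    why the sign check below can fail and NPV at the cost of capital is then
    the better criterion."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]")
    mid = (lo + hi) / 2
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            break
        if (f_lo < 0) == (f_mid < 0):   # root lies in the upper half
            lo, f_lo = mid, f_mid
        else:
            hi, f_hi = mid, f_mid
    return mid


def rank_by_irr(projects):
    """projects: name -> cash flows. Highest IRR first (the page's rule of
    thumb, which assumes comparable up-front investments)."""
    return sorted(projects, key=lambda name: irr(projects[name]), reverse=True)


# Constructed security investments, in thousands: year-0 cost, then yearly
# avoided-loss and saved-effort benefits.
PROJECTS = {
    "mfa-rollout": [-100.0, 55.0, 60.5],            # IRR exactly 10%
    "edr-agents":  [-100.0, 120.0],                 # IRR exactly 20%
    "siem-tuning": [-100.0, 30.0, 30.0, 30.0, 30.0],  # IRR about 7.7%
}

if __name__ == "__main__":
    for name, flows in PROJECTS.items():
        print(f"{name:12s} IRR={irr(flows):.4f}  NPV@8%={npv(0.08, flows):.2f}")
    print("ranking:", rank_by_irr(PROJECTS))
```

Running it shows the caveat in the entry: the ranking by IRR and the ranking
by NPV at a given discount rate need not agree once projects differ in size or
duration, which is why the text's rule of thumb is conditioned on equal
up-front investment.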


Internet
A term to describe connecting multiple separate networks together.

Internet Control Message Protocol (ICMP)
An Internet Standard protocol that is used to report error conditions during IP
datagram processing and to exchange other information concerning the
state of the IP network.

Internet Message Access Protocol (IMAP)
A protocol that defines how a client should fetch mail from and return mail to
a mail server. IMAP is intended as a replacement for or extension to the Post
Office Protocol (POP). IMAP3 was defined in RFC 1203 and IMAP4rev1 in RFC
2060, since superseded by RFC 3501.

Internet service provider (ISP)
A third party that provides individuals and organizations access to the
Internet and a variety of other Internet-related services

Interruption window
The time the company can wait from the point of failure to the restoration of
the minimum and critical services or applications. After this time, the
progressive losses caused by the interruption are excessive for the
organization.

Intranet
A computer network, especially one based on Internet technology that an
organization uses for its own internal, and usually private, purposes and that
is closed to outsiders.

Intrusion detection
The process of monitoring the events occurring in a computer system or
network to detect signs of unauthorized access or attack


Intrusion detection system (IDS)
An IDS inspects network and host security activity to identify suspicious
patterns that may indicate a network or system attack, and raises an alert
for analysts to act on.

Intrusion prevention system (IPS)
An IPS inspects network and host security activity to identify suspicious
patterns that may indicate a network or system attack and, because it sits
inline on the traffic path (or on the host itself), can drop or block the
offending traffic or action before it reaches information resources. The
price of inline blocking is that a false positive becomes an outage.

IP Security (IPSec)
A set of protocols developed by the Internet Engineering Task Force (IETF) to
support the secure exchange of packets

ISO/IEC 17799
Originally published as the British Standard BS 7799 (Part 1, first issued
in 1995 and revised in 1999) and then as the Code of Practice for
Information Security Management in October 2000, it was elevated by the
International Organization for Standardization (ISO) to an international
code of practice for information security management. This standard
describes controls for the confidentiality, integrity and availability of
information within a comprehensive information security management system.
The last version under this number was ISO/IEC 17799:2005, which was
renumbered ISO/IEC 27002 in 2007.

ISO/IEC 27001
An international standard, first released in 2005 and revised in 2013 and
2022, that defines a set of requirements for an information security
management system. Prior to its adoption by ISO, this standard was known as
BS 7799 Part 2, which was originally published in 1999.

ISO/IEC 27002
A code of practice that contains a structured list of suggested information
security controls for organizations implementing an information security
management system. Prior to its adoption by ISO/IEC, this standard existed
as BS 7799 Part 1.

ISO/IEC 27000 Family
ISO/IEC 27000 Information security management systems: overview and
vocabulary
ISO/IEC 27001 Information security management systems: requirements
ISO/IEC 27002 Code of practice for information security management
ISO/IEC 27003 Information security management system implementation
guidance
ISO/IEC 27004 Information security management: measurement
ISO/IEC 27005 Information security risk management
ISO/IEC 27006 Requirements for bodies providing audit and certification of
information security management systems
ISO/IEC 27011 Information security management guidelines for
telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27031 Guidelines for information and communications technology
readiness for business continuity
ISO/IEC 27033-1 Network security: overview and concepts
ISO/IEC 27035 Security incident management
ISO 27799 Information security management in health using ISO/IEC 27002

ISO 31000
The purpose of ISO 31000:2009 (revised in 2018) is to provide principles and
generic guidelines on risk management. ISO 31000 seeks to provide a
universally recognized paradigm for practitioners and companies employing
risk management processes, to replace the myriad of existing standards,
methodologies and paradigms that differed between industries, subject
matters and regions


ISO/IEC 15504
ISO/IEC 15504 Information technology Process assessment, also known
as SPICE (Software Process Improvement and Capability Determination), is a
set of technical standards documents for the computer software
development process and related business management functions

IT governance
The responsibility of executives and the board of directors. Consists of the
leadership, organizational structures and processes that ensure that the
enterprises IT sustains and extends the organization's strategies and
objectives.

IT steering committee
An executive management-level committee that assists the executive in the
delivery of the IT strategy, oversees day-to-day management of IT service
delivery and IT projects and focuses on implementation aspects

IT strategic plan
A long-term plan, i.e., three- to five-year horizon, in which business and IT
management cooperatively describe how IT resources will contribute to the
enterprise's strategic objectives (goals)

IT strategy committee
A committee at the level of the board of directors to ensure that the board is
involved in major IT matters and decisions. The committee is primarily
accountable for managing the portfolios of IT-enabled investments, IT
services and other IT resources. The committee is the owner of the portfolio.


K
Kerberos
A widely used authentication protocol developed at the Massachusetts
Institute of Technology (MIT). In classic Kerberos, users share a secret
password with a Key Distribution Center (KDC). The user, Alice, who wishes
to communicate with another user or service, Bob, authenticates to the KDC
and is furnished a ticket by the KDC to use to authenticate with Bob. When
Kerberos authentication is based on passwords, the protocol is known to be
vulnerable to off-line dictionary attacks: an eavesdropper who captures the
initial user-to-KDC exchange (the pre-authentication data, encrypted under a
key derived from the password) can test candidate passwords locally without
further contact with the KDC, and if pre-authentication is disabled for an
account the same material can be obtained simply by requesting a ticket for
it. Strong passwords, or replacing the password with a certificate or smart
card (PKINIT), are the mitigations.
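
The following is an added example, not part of the original glossary, that
shows why the captured user-to-KDC exchange is enough for an off-line
dictionary attack. It keeps the shape of the real exchange (a timestamp
encrypted under a key derived from the password with PBKDF2, the realm and
principal name as salt, as Kerberos AES enctypes do) but replaces the real
AES-CTS encryption with an HMAC-based toy cipher so that it runs on the
standard library alone. The realm, principal, passwords and dictionary are
constructed for the example, and the KDC is modelled as holding the password
rather than the derived key to keep the code short.

```python
"""Added example: why password-based Kerberos pre-authentication is exposed
to off-line dictionary attacks. String-to-key is PBKDF2-HMAC-SHA1 with
realm+principal as salt (the shape used by Kerberos AES enctypes); the
encryption of PA-ENC-TIMESTAMP is a toy HMAC-based cipher, not Kerberos's
AES-CTS. Realm, principal, passwords and dictionary are constructed."""
import hashlib
import hmac
import os
import time

REALM, PRINCIPAL = "EXAMPLE.ORG", "alice"


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (plaintext up to 32 bytes)."""
    nonce = os.urandom(16)
    stream = hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def client_as_req(password: str, now: int) -> bytes:
    """PA-ENC-TIMESTAMP: the client proves knowledge of the password by
    encrypting the current time under the password-derived key. This blob
    is what travels over the network and what an eavesdropper captures."""
    key = string_to_key(password, REALM, PRINCIPAL)
    return toy_encrypt(key, now.to_bytes(8, "big"))


def kdc_verify(password_on_file: str, pa_data: bytes, now: int, skew: int = 300) -> bool:
    key = string_to_key(password_on_file, REALM, PRINCIPAL)
    pt = toy_decrypt(key, pa_data)
    return pt is not None and abs(int.from_bytes(pt, "big") - now) <= skew


def offline_dictionary_attack(captured: bytes, dictionary):
    """The eavesdropper never talks to the KDC again: each guess is tested
    locally, so lockout and rate limiting do not apply. Only the password's
    strength and the cost of string_to_key bound the attacker's effort."""
    for guess in dictionary:
        key = string_to_key(guess, REALM, PRINCIPAL)
        if toy_decrypt(key, captured) is not None:
            return guess
    return None


DICTIONARY = ["password", "letmein", "Winter2024!", "correct horse"]


def demo(password: str = "Winter2024!"):
    """Returns (KDC accepted the request, password recovered off-line or None)."""
    now = int(time.time())
    pa_data = client_as_req(password, now)          # observed on the wire
    return kdc_verify(password, pa_data, now), offline_dictionary_attack(pa_data, DICTIONARY)


if __name__ == "__main__":
    print(demo("Winter2024!"))           # (True, 'Winter2024!')
    print(demo("T7#rq!vL0p-zeta-9Q"))    # (True, None)
```

Note that the legitimate exchange succeeds in both runs; nothing in the
protocol distinguishes a user whose password is in a wordlist from one whose
password is not, which is why the mitigation has to come from password
quality or from removing the password from the exchange altogether.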

Key goal indicator (KGI)


A measure that tells management, after the fact, whether an IT process has
achieved its business requirements; usually expressed in terms of
information criteria

Key Logger
A program designed to record which keys are pressed on a computer
keyboard used to obtain passwords or encryption keys and thus bypass other
security measures.

Key performance indicator (KPI)
A measure that determines how well the process is performing in enabling
the goal to be reached. A KPI is a lead indicator of whether a goal will likely
be reached, and a good indicator of capability, practices and skills. It
measures an activity goal, which is an action that the process owner must
take to achieve effective process performance.

Key risk indicator (KRI)
A subset of risk indicators that are highly relevant and possess a high
probability of predicting or indicating important risk

Keystroke Monitoring
The process used to view or record both the keystrokes entered by a
computer user and the computer's response during an interactive session.
Keystroke monitoring is usually considered a special case of audit trails.

L
Least Privilege
Least privilege is the principle of granting users, processes or applications
only the minimum set of permissions necessary to perform their intended
function, and no more.

Likelihood of Occurrence
In Information Assurance risk analysis, a weighted factor based on a
subjective analysis of the probability that a given threat is capable of
exploiting a given vulnerability.

Lightweight Directory Access Protocol (LDAP)
A protocol for querying and modifying directory services that hold
information about organizations, individuals and other resources such as
files and devices in a network, whether on the public Internet or on a
corporate intranet. It is also widely used by applications to authenticate
users against a central directory (e.g., Active Directory).

Link Encryption
Link encryption encrypts all of the data along a communications path (e.g., a
satellite link, telephone circuit, or T1 line). Since link encryption also encrypts
routing data, communications nodes need to decrypt the data to continue
routing.

Local area network
A local area network (LAN) is a computer network that interconnects
computers in a limited area such as a home, school, computer laboratory, or
office building using network media. The defining characteristics of LANs,
in contrast to wide area networks (WANs), include their usually higher data
transfer rates, smaller geographic area, and lack of a need for leased
telecommunication lines

Local Registration Authority (LRA)
A Registration Authority with responsibility for a local community in a
PKI-enabled environment.

Logic Bomb
A piece of code intentionally inserted into a software system that will set off
a malicious function when specified conditions are met.

M
MAC Address
The hardware (physical) address of a network interface: a 48-bit value
assigned by the manufacturer and intended to be globally unique. It
identifies the device only on its local network segment, and on most systems
it can be changed in software, so it must not be relied on to authenticate a
device.

Mail relay server
An e-mail server that forwards messages on behalf of other servers, i.e.,
where neither the sender nor the recipient is a local user. A relay that does
this for any sender (an "open relay") is readily abused to send spam.

Malicious Code
Software designed to gain unauthorized access to system resources, damage
or steal data, or trick a user into executing other malicious logic. A Trojan
horse, for example, appears to perform a useful or desirable function while
doing so.

Malware
A generic term for a number of different types of malicious code.

Mandatory access control (MAC)
A means of restricting access to data based on varying degrees of security
requirements for information contained in the objects and the corresponding
security clearance of users or programs acting on their behalf.

Man-in-the-middle Attack (MitM)
An attack on an authentication protocol run (or any other exchange) in which
the attacker positions himself between the claimant and the verifier so that
he can intercept and alter data traveling between them, while each side
believes it is talking directly to the other.

Masqueraders
Attackers that penetrate systems by using the identity of legitimate users
and their login credentials

Maximum tolerable outage (MTO)
Maximum time the organization can support processing in alternate mode

Message Authentication Code (MAC)
A short, fixed-length tag computed over a message with a secret key, which a
recipient holding the same key recomputes to verify that the message is
authentic and unaltered. The ANSI X9.9 MAC, computed with the Data
Encryption Standard (DES) in CBC mode, is the historical example; HMAC
(keyed hashing) and CMAC are the current constructions.

Message Digest
A cryptographic checksum (hash), typically generated for a file, that can be
used to detect changes to the file. Secure Hash Algorithm-1 (SHA-1) is an
example of a message digest algorithm, though it is no longer considered
collision resistant; SHA-256 and the other SHA-2 and SHA-3 functions are the
current choices. On its own a digest does not protect integrity against an
active attacker, who can simply recompute it for a modified message; for that
a keyed message authentication code or a digital signature is needed.
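The distinction between the two entries above, shown as an added example (not part of the original glossary): a receiver who checks only an unkeyed digest is fooled by an attacker who rewrites the message and recomputes the digest, while a keyed HMAC tag cannot be recomputed without the shared key. The messages and the key are constructed for the illustration.

```python
import hashlib
import hmac


def message_digest(message: bytes) -> str:
    """Unkeyed digest (SHA-256). Anyone, including an attacker, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def message_mac(key: bytes, message: bytes) -> str:
    """Keyed tag (HMAC-SHA256). Only a holder of `key` can compute a valid one."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the supplied tag were correct.
    return hmac.compare_digest(message_mac(key, message), tag)


def digest_detects_tampering() -> bool:
    """Sender ships (message, digest). An active attacker rewrites the message
    and simply recomputes the digest; the receiver's check passes, so the
    tampering goes undetected (returns False)."""
    tampered = b"transfer 100 to account 9999"        # constructed message
    forged_digest = message_digest(tampered)            # no key needed
    receiver_check_passed = message_digest(tampered) == forged_digest
    return not receiver_check_passed


def mac_detects_tampering(key: bytes) -> bool:
    """Same scenario with a MAC: the attacker cannot produce a valid tag for the
    altered message without the key, so the receiver rejects it (returns True)."""
    original = b"transfer 100 to account 1111"        # constructed message
    tag = message_mac(key, original)
    tampered = b"transfer 100 to account 9999"
    # The best the attacker can do is reuse the tag from the original message.
    receiver_check_passed = verify_mac(key, tampered, tag)
    return not receiver_check_passed
```

Usage: `mac_detects_tampering(b"shared-secret")` returns True while `digest_detects_tampering()` returns False. The keyed construction is what the MAC entry means by "authentication"; the digest entry's SHA-1 example only gives change detection against accidental corruption.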

Metric
A measure from one or more points of reference

Mirrored site
An alternate site that contains the same information as the original. Mirror
sites are set up for backup and disaster recovery as well as to balance the
traffic load for numerous download requests. Such download mirrors are
often placed in different locations throughout the Internet.

Mobile site
The use of a mobile/temporary facility to serve as a business resumption
location. They can usually be delivered to any site and can house information
technology and staff.

Monitoring policy
Rules outlining or delineating the way in which information about the use of
computers, networks, applications and information is captured and
interpreted.

Multipurpose internet mail extension (MIME)
A specification for formatting non-ASCII messages so that they can be sent
over the Internet. Many e-mail clients now support MIME, which enables
them to send and receive graphics, audio, and video files via the Internet
mail system. In addition, MIME supports messages in character sets other
than ASCII.

N
Naming Authority
An organizational entity responsible for assigning distinguished names (DNs)
and for assuring that each DN is meaningful and unique within its domain.

Need-To-Know
A method of isolating information resources based on a user's need to have
access to that resource in order to perform their job, but no more. The terms
"need-to-know" and "least privilege" express the same idea. Need-to-know
is generally applied to people, while least privilege is generally applied to
processes.


Net present value (NPV)
The discounted value of an investment's cash inflows minus the discounted
value of its cash outflows. To be adequately profitable, an investment should
have a net present value greater than zero

Network address translation (NAT)
Basic NATs are used when there is a requirement to interconnect two IP
networks with incompatible addressing. However, it is common to hide an
entire IP address space, usually consisting of private IP addresses, behind a
single IP address (or in some cases a small group of IP addresses) in another
(usually public) address space. To avoid ambiguity in the handling of return
packets, a one-to-many NAT must alter higher-level information such as
TCP/UDP ports in outgoing communications and must maintain a translation
table so that return packets can be correctly translated back. Inbound
packets with no entry in that table are dropped, which is why such a NAT
incidentally blocks unsolicited inbound connections.
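The one-to-many (port-translating) case described above, as an added example that is not part of the original glossary. Two inside hosts happen to use the same source port toward the same server; the NAT rewrites the source port so the return packets are unambiguous, and an inbound packet with no table entry is dropped. Addresses are from the RFC 5737 documentation ranges and the port allocation scheme is a constructed simplification.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortTranslatingNat:
    """One public address shared by many inside hosts (NAPT / 'PAT')."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # constructed allocator
        self.table = {}     # (proto, inside_ip, inside_port) -> public_port
        self.reverse = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port and record the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            public_port = next(self._ports)
            self.table[key] = public_port
            self.reverse[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.table[key],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a return packet back, or drop it if nothing asked for it."""
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key not in self.reverse:
            return None                     # unsolicited: no mapping, dropped
        inside_ip, inside_port = self.reverse[key]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
```

Without the port rewrite, replies to the two inside hosts below would both arrive at `203.0.113.7:50000` and the NAT could not tell them apart.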

Network based intrusion detection (NIDS)
Network based intrusion detection inspects traffic on a network segment and
so provides broader coverage than host based approaches, but functions in
the same manner, detecting attacks using either an anomaly based or a
signature based approach, or both. It cannot inspect the contents of
encrypted traffic unless it is given the keys or placed after decryption.

Nonce
A value used in security protocols that is never repeated with the same key.
For example, challenges used in challenge-response authentication protocols
generally must not be repeated until authentication keys are changed, or
there is a possibility of a replay attack. Using a nonce as a challenge is a
different requirement than a random challenge, because a nonce is not
necessarily unpredictable.

Nonintrusive monitoring
The use of transported probes or traces to assemble information, track traffic
and identify vulnerabilities

Nonrepudiation
The assurance that a party cannot later deny originating data; that is, it is
the provision of proof of the integrity and origin of the data and can be
verified by a third party. A digital signature can provide nonrepudiation.

O
Organization for Economic Cooperation and Development (OECD)
The Organization for Economic Co-operation and Development (OECD; French:
Organisation de coopération et de développement économiques, OCDE) is an
international economic organisation of 34 countries founded in 1961 to
stimulate economic progress and world trade. It is a forum of countries
committed to democracy and the market economy, providing a platform to
compare policy experiences, seek answers to common problems, identify good
practices, and co-ordinate domestic and international policies of its
members. Its privacy guidelines are a common reference point in information
security policy.

Offline files
Computer file storage media not physically connected to the computer;
typically tapes or tape cartridges used for backup purposes

Open Shortest Path First (OSPF)
A routing protocol developed for IP networks. It is based on the shortest path
first or link state algorithm.

Open Source Security Testing Methodology Manual (OSSTMM)
An open and freely available methodology and manual for security testing

Open systems interconnection (OSI)
The main idea in OSI is that the process of communication between two end
points in a telecommunication network can be divided into layers, with each
layer adding its own set of special, related functions. Each communicating
user or program is at a computer equipped with these seven layers of
function. So, in a given message between users, there will be a flow of data
down through each layer in the sending computer and, at the other end,
when the message arrives, another flow of data up through the layers in the
receiving computer and ultimately to the end user or program. The actual
programming and hardware that furnishes these seven layers of function is
usually a combination of the computer operating system, applications (such
as your Web browser), TCP/IP or alternative transport and network
protocols, and the software and hardware that put a signal on one of the
lines attached to your computer. OSI divides telecommunication into seven
layers, in two groups. The upper four layers are used whenever a message
passes from or to a user. The lower three layers (up to the network layer)
are used when any message passes through the host computer or router.
Messages intended for this computer pass to the upper layers. Messages
destined for some other host are not passed up to the upper layers but are
forwarded to another host. The seven layers are:

Layer 7: The application layer. This is the layer at which communication
partners are identified, quality of service is identified, user
authentication and privacy are considered, and any constraints on data
syntax are identified. (This layer is not the application itself, although
some applications may perform application layer functions.)

Layer 6: The presentation layer. This layer converts incoming and outgoing
data between the representation used by the application and the
representation used on the network (character encoding, compression and,
historically, encryption). Sometimes called the syntax layer.

Layer 5: The session layer. This layer sets up, coordinates, and terminates
conversations, exchanges, and dialogs between the applications at each end.
It deals with session and connection coordination.

Layer 4: The transport layer. This layer manages the end-to-end control
(for example, determining whether all packets have arrived) and
error-checking. It ensures complete data transfer.

Layer 3: The network layer. This layer handles the routing of the data
(sending it in the right direction to the right destination on outgoing
transmissions and receiving incoming transmissions at the packet level).
The network layer does routing and forwarding.

Layer 2: The data-link layer. This layer frames the raw bit stream from the
physical layer, handles physical (MAC) addressing on the local link and
detects transmission errors. Some link protocols, such as HDLC, use bit
stuffing (inserting a 0 after five consecutive 1 bits) so that data cannot be
mistaken for a frame delimiter.

Layer 1: The physical layer. This layer conveys the bit stream through the
network at the electrical and mechanical level. It provides the hardware
means of sending and receiving data on a carrier.

Operations Security (OPSEC)
Systematic and proven process by which potential adversaries can be
denied information about capabilities and intentions by identifying,
controlling, and protecting generally unclassified evidence of the planning
and execution of sensitive activities. The process involves five steps:
identification of critical information, analysis of threats, analysis of
vulnerabilities, assessment of risk, and application of countermeasures.

Outcome measure
Represents the consequences of actions previously taken. An outcome
measure frequently focuses on results at the end of a time period and
characterizes historical performance. Also referred to as a key goal
indicator (KGI) and used to indicate whether goals have been met. Because it
can be measured only after the fact, it is called a lag indicator.


P
Packet
A piece of a message transmitted over a packet-switching network. One of
the key features of a packet is that it contains the destination address in
addition to the data. In IP networks, packets are often called datagrams.

Packet filtering
Controlling access to a network by analyzing the attributes of the incoming
and outgoing packets, and either letting them pass or denying them based
on a list of rules
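The rule-list matching described in the packet filtering entry, as an added example that is not part of the original glossary. Rules are evaluated in order, the first match decides, and anything unmatched falls to a default of deny; the rule set and packets are constructed (RFC 5737 addresses). Note that a stateless filter like this judges each packet on its own and cannot tell whether an inbound packet belongs to an existing connection.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: str = "0.0.0.0/0"           # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (
            (self.proto is None or self.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt["dport"])
        )


# Constructed rule set protecting a web server at 192.0.2.10. Order matters:
# the blocklist comes first so it cannot be bypassed by the broad 443 rule.
RULES = [
    Rule("deny", src="198.51.100.0/24"),                               # blocklisted range
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=443),              # HTTPS from anywhere
    Rule("allow", "tcp", src="10.0.0.0/8", dst="192.0.2.10/32", dport=22),  # SSH from inside only
]


def filter_packet(pkt: dict, rules=RULES, default: str = "deny") -> str:
    """First matching rule wins; default deny for everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def packet(src: str, dst: str, dport: int, proto: str = "tcp") -> dict:
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}
```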

Packet Sniffer
Software that observes and records network traffic.

Packet Switched Network
A packet switched network is one in which individual packets each follow
their own paths through the network from one endpoint to another.

Partitions
Major divisions of the total physical hard disk space.

Password Authentication Protocol (PAP)
Password Authentication Protocol is a simple, weak authentication
mechanism in which the user's password is sent across the network as
plaintext; it offers no protection against eavesdropping unless the link
itself is encrypted.

Password Cracking
Password cracking is the process of recovering passwords by guessing,
given captured password hashes (e.g., the contents of a password file).


Password Sniffing
Passive wiretapping, usually on a local area network, to gain knowledge of
passwords.

Patch
A patch is a small update released by a software vendor to fix bugs,
including security vulnerabilities, in existing programs.

Patching
Patching is the process of applying patches, that is, updating installed
software to a newer revision that corrects known bugs or security flaws.

Patch Management
The systematic notification, identification, deployment, installation, and
verification of operating system and application software code revisions.
These revisions are known as patches, hot fixes, and service packs.

Passive response
A response option in intrusion detection in which the system simply reports
and records the problem detected, relying on the user to take subsequent
action

Password cracker
A tool that tests the strength of user passwords by searching for passwords
that are easy to guess: it repeatedly tries words from specially crafted
dictionaries and often also generates thousands (and, in some cases, even
millions) of permutations of characters, numbers and symbols, hashing each
candidate and comparing it with the stored hash

Payment card industry (PCI)
The term is specifically used to refer to the Payment Card Industry Security
Standards Council, a council originally formed by American Express, Discover
Financial Services, JCB, MasterCard Worldwide and Visa International on Sept.
7, 2006, with the goal of managing the ongoing evolution of the Payment
Card Industry Data Security Standard. The council itself claims to be
independent of the various card vendors that make up the council.

Payment card industry data security standard (PCI-DSS)
The PCI Council formed a body of security standards known as the PCI Data
Security Standard (PCI DSS). The standard consists of 12 significant
requirements, each with multiple sub-requirements, which contain numerous
directives against which businesses may measure their own payment card
security policies, procedures and guidelines

Penetration testing
A live test of the effectiveness of security defenses through mimicking the
actions of real-life attackers

Personally Identifiable Information (PII)
Information which can be used to distinguish or trace an individual's identity,
such as their name, social security number, biometric records, etc., alone, or
when combined with other personal or identifying information which is linked
or linkable to a specific individual, such as date and place of birth, mother's
maiden name, etc.

Pharming
A redirection attack related to MITM. A user's session is redirected to a
masquerading website. This can be achieved by corrupting a DNS server on
the Internet (or the victim's local DNS cache or hosts file) and pointing a
domain name to the masquerading website's IP. Almost all users use a URL
like www.worldbank.com instead of the real IP (192.86.99.140) of the
website. By changing the pointers on a DNS server, the name can be
redirected to send traffic to the IP of the pseudo website. At the pseudo
website, transactions can be mimicked and information like login credentials
can be gathered. With this the attacker can access the real
www.worldbank.com site and conduct transactions using the credentials of a
valid user on that website. Unlike phishing, the user typed the correct
address; DNSSEC and certificate validation are the controls that detect the
redirection.


Phishing
The use of e-mails that appear to originate from a trusted source to trick a
user into entering valid credentials at a fake website. Typically the e-mail and
the website look like they belong to a bank the user is doing business
with.

Port Scanning
Using a program to remotely determine which ports on a system are open
(e.g., whether systems allow connections through those ports).

Plan-do-check-act (PDCA)
PDCA (plan-do-check-act or plan-do-check-adjust) is an iterative four-step
management method used in business for the control and continuous
improvement of processes and products. It is also known as the
Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or
plan-do-study-act (PDSA).

Policies
High-level statements of management intent and direction

Port
A hardware interface between a CPU and a peripheral device. Can also refer
to a software (virtual) convention that allows remote services to connect to a
host operating system in a structured manner

Port Scan
A port scan is a series of messages sent by someone attempting to break
into a computer to learn which computer network services, each associated
with a "well-known" port number, the computer provides. Port scanning, a
favorite first step of attackers, gives the assailant an idea of where to
probe for weaknesses. Essentially, a port scan consists of sending a message
to each port, one at a time. The kind of response received (a connection, a
reset, or silence) indicates whether the port is open, closed or filtered,
and an open port can then be probed for weakness.
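A minimal TCP connect scanner illustrating the two port scanning entries, as an added example that is not part of the original glossary. It classifies each port by the response: an accepted connection means open, a reset (connection refused) means closed, and no answer within the timeout means filtered, i.e., something dropped the probe. To run offline it starts a constructed listener on loopback and scans that.

```python
import socket
import threading


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: a TCP service on an ephemeral port that accepts
    and immediately closes connections. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """One TCP connect probe; the kind of response gives the port state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN/ACK came back, service is listening
        except socket.timeout:
            return "filtered"        # silence: a firewall dropped the SYN
        except ConnectionRefusedError:
            return "closed"          # RST came back, nothing listening
        except OSError:
            return "error"           # unreachable host, etc.


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Probe each port one at a time; report only the open ones."""
    states = {p: probe(host, p, timeout) for p in ports}
    return {p: st for p, st in states.items() if st == "open"}


def closed_port(host: str = "127.0.0.1") -> int:
    """Constructed helper: bind an ephemeral port and release it, so the
    returned port is (almost certainly) closed when probed a moment later."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_p = start_listener()
    print(scan("127.0.0.1", [closed_port(), open_p]))
    srv.close()
```

Real scanners add SYN (half-open) scans, UDP probes, timing controls and service fingerprinting, but the open/closed/filtered classification is the same.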

Post Office Protocol, Version 3 (POP3)
An Internet Standard protocol by which a client workstation can dynamically
access a mailbox on a server host to retrieve mail messages that the server
has received and is holding for the client

Protocol
A formal specification for communicating: the special set of rules that end
points in a telecommunication connection use when they communicate.
Protocols exist at several levels in a telecommunication connection (e.g., IP
at the network layer, TCP at the transport layer, HTTP at the application
layer).

Privacy
Freedom from unauthorized intrusion or disclosure of information about
individuals

Private Key
The secret part of an asymmetric key pair that is typically used to digitally
sign or decrypt data in a PKI.

Privileged Accounts
Accounts that hold elevated rights on a system, including the ability to set
access rights for other users. Sometimes referred to as system, root or
network administrative accounts. Because compromise of one gives broad
control, their use should be kept separate from day-to-day accounts,
restricted to those who need it, and logged.

Procedures
A detailed description of the steps necessary to perform specific operations
in conformance with applicable standards


Proxy
A proxy is an application that breaks the connection between client and
server. The proxy accepts certain types of traffic entering or leaving a
network, processes it and forwards it. This effectively closes the straight
path between the internal and external networks, making it more difficult for
an attacker to obtain internal addresses and other details of the
organization's internal network. Proxy servers are available for common
Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy
used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used
for e-mail.

Proxy server
A server that acts on behalf of a user. Typically proxies accept a connection
from a user, make a decision as to whether or not the user or client IP
address is permitted to use the proxy, perhaps perform additional
authentication, and then complete a connection to a remote destination on
behalf of the user.

Proximity factors
The distance from potential hazards, which can include flooding risk from
nearby waterways, hazardous material manufacturing or storage, or other
situations that may pose a risk to the operation of a recovery

Public Key
The public part of an asymmetric key pair that is typically used to verify
signatures or encrypt data in a PKI

Public key infrastructure (PKI)
The framework and services that provide for the generation, production,
distribution, control, accounting, and destruction of public key certificates.
Components include the personnel, policies, processes, server platforms,
software, and workstations used for the purpose of administering certificates
and public-private key pairs, including the ability to issue, maintain, recover,
and revoke public key certificates.

Q
Quality assurance (QA)
A process for testing to ensure specifications are met

R
Red Team
A group of people authorized and organized to emulate a potential
adversary's attack or exploitation capabilities against an enterprise's
security posture. The Red Team's objective is to improve enterprise
Information Assurance by demonstrating the impacts of successful attacks
and by demonstrating what works for the defenders (i.e., the Blue Team) in
an operational environment.

Relying Party
An entity that relies upon the subscriber's credentials, typically in a PKI, to
process a transaction or grant access to information or a system.

Remediation
The act of correcting a vulnerability or eliminating a threat. Three possible
types of remediation are installing a patch, adjusting configuration settings,
or uninstalling a software application.

Reciprocal agreement
Emergency processing agreements among two or more organizations with
similar equipment or applications. Typically, participants promise to provide
processing time to each other when an emergency arises.


Recovery action
Execution of a response or task according to a written procedure

Recovery point objective (RPO)
Determined based on the acceptable data loss in case of a disruption of
operations. Indicates the earliest point in time to which it is acceptable to
recover data. Effectively quantifies the permissible amount of data loss in
case of interruption, i.e., how far back from the interruption the last
usable copy of the data may be.

Recovery time objective (RTO)
The amount of time allowed for the recovery of a business function or
resource after a disaster occurs

Redundant Array of Independent (originally Inexpensive) Disks (RAID)
A technology that provides performance improvements and fault tolerance, via
hardware or software solutions, by spreading data across multiple disks
using striping, mirroring and/or parity, so that (except for RAID 0, which
stripes for performance only) a single disk failure does not lose data.

Redundant site
A recovery strategy involving the duplication of key information technology
components, including data or other key business processes, whereby fast
recovery can take place

Registration Authority
A trusted entity that establishes and vouches for the identity of a subscriber
to a CSP, i.e., binds a physical identity to a logical identity such as a
certificate. The RA may be an integral part of a CSP, or it may be
independent of a CSP, but it has a relationship to the CSP(s)

Request for proposal (RFP)
A request for proposal (RFP) is issued at an early stage in a procurement
process, where an invitation is presented for suppliers, often through a
bidding process, to submit a proposal on a specific commodity or service.
The RFP process brings structure to the procurement decision and is meant
to allow the risks and benefits to be identified clearly up front.
The RFP may dictate to varying degrees the exact structure and format of
the supplier's response. Effective RFPs typically reflect the strategy and
short/long-term business objectives, providing detailed insight upon which
suppliers will be able to offer a matching perspective

Replay Attacks
An attack that involves the capture of transmitted authentication or access
control information and its subsequent retransmission with the intent of
producing an unauthorized effect or gaining unauthorized access.
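How the nonce defined under N defeats the replay attack defined here, as an added example that is not part of the original glossary. The verifier issues a fresh single-use challenge, the claimant answers with an HMAC over it under the shared key, and the verifier consumes the challenge on first use, so a captured response is worthless when retransmitted. The key, time-to-live and clock injection are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time


def respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Claimant's side: prove possession of the key by keying the challenge."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Verifier:
    """Verifier's side: issues single-use challenges and remembers which are
    still outstanding, so a captured response cannot be replayed."""

    def __init__(self, shared_key: bytes, ttl: float = 30.0, clock=time.monotonic):
        self.key = shared_key
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised offline
        self.outstanding = {}       # nonce -> time it was issued

    def challenge(self) -> bytes:
        # 128 random bits meet the "never repeated" requirement with
        # overwhelming probability; a strictly increasing counter would too,
        # since a nonce need only be unique, not unpredictable.
        nonce = os.urandom(16)
        self.outstanding[nonce] = self.clock()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        issued = self.outstanding.pop(nonce, None)   # consumed on first use
        if issued is None:
            return False              # unknown, or already used: a replay
        if self.clock() - issued > self.ttl:
            return False              # challenge expired before it was answered
        return hmac.compare_digest(respond(self.key, nonce), response)
```

The second `verify` call with the same nonce and response is the replay attack from the entry above, and it fails because the nonce was removed from `outstanding` the first time.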

Residual risk
The remaining risk after management has implemented risk response

Resilience
The ability of a system or network to resist failure or to recover quickly from
any disruption, usually with minimal recognizable effect

Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest
form by dividing net income by the total investment over the period being
considered

Return on security investment (ROSI)
An estimate of return on security investment based on how much will be
saved by reduced losses divided by the investment.


Risk
The combination of the probability of an event and its consequence (ISO/IEC
Guide 73). Risk has traditionally been expressed informally as Threats x
Vulnerabilities (x Impact) = Risk, i.e., a risk exists only where a threat, a
vulnerability that the threat can exploit, and a consequence coincide.

Risk assessment
A process used to identify and evaluate risk and potential effects. Risk
assessment includes assessing the critical functions necessary for an
organization to continue business operations, defining the controls in place
to reduce organization exposure and evaluating the cost for such controls.
Risk analysis often involves an evaluation of the probabilities of a particular
event.

Risk avoidance
The process for systematically avoiding risk, constituting one approach to
managing risk

Risk mitigation
The management and reduction of risk through the use of countermeasures
and controls

Risk Tolerance
The acceptable level of deviation from the enterprise's risk appetite

Risk transfer
The process of assigning risk to another organization, usually through the
purchase of an insurance policy or outsourcing the service

Robustness
The extent of the ability of systems to withstand attack; system strength.
The ability of an Information Assurance entity to operate correctly and
reliably across a wide range of operational conditions, and to fail gracefully
outside of that operational range.


Role Based Access Control
Role based access control assigns users to roles based on their
organizational functions and determines authorization based on those roles.

Root
Root is the name of the superuser (administrator) account, with user ID 0,
on Unix and Unix-like systems.

Router
Routers interconnect logical networks by forwarding information to other
networks based upon IP addresses.

Root cause analysis
Process of diagnosis to establish origins of events, which can be used for
learning from consequences, typically of errors and problems

Rootkit
A rootkit is a set of software tools intended to conceal running processes,
files or system data from the operating system's normal reporting tools, and
thus from administrators and security software. The name comes from root,
the Unix superuser account, and the modified system utilities ("kits") that
early intruders installed after gaining root to hide their presence; rootkits
have since been used increasingly by malware to help intruders maintain
access to systems while avoiding detection. Rootkits exist for a variety of
operating systems such as Microsoft Windows, Linux and Solaris. Rootkits
often modify parts of the operating system or install themselves as drivers
or kernel modules.

S
Secret key
A cryptographic key that is used with a secret key (symmetric) cryptographic
algorithm, that is uniquely associated with one or more entities and is not
made public. The same key is used to both encrypt and decrypt data. The
use of the term secret in this context does not imply a classification level,
but rather implies the need to protect the key from disclosure.

Secure Hash Algorithm (SHA)
A family of hash algorithms with the property that it is computationally
infeasible 1) to find a message that corresponds to a given message digest
(preimage resistance), or 2) to find two different messages that produce the
same message digest (collision resistance). SHA-1 no longer meets the second
property in practice; SHA-2 (e.g., SHA-256) and SHA-3 are the current
members of the family.

Security Attribute
A security-related quality of an object. Security attributes may be
represented as hierarchical levels, bits in a bit map, or numbers.
Compartments, caveats, and release markings are examples of security
attributes.

Security metrics
A standard of measurement from one or more reference points used in
management of security-related activities

Security information and event management (SIEM)
Security Information and Event Management (SIEM) solutions are a
combination of the formerly disparate product categories of SIM (security
information management) and SEM (security event management). SIEM
technology provides real-time analysis of security alerts generated by
network hardware and applications. SIEM solutions come as software,
appliances or managed services, and are also used to log security data and
generate reports for compliance purposes.
Capabilities include:

Data aggregation: SIEM/LM (log management) solutions aggregate data from
many sources, including network, security, servers, databases and
applications, providing the ability to consolidate monitored data to help
avoid missing crucial events.

Correlation: looks for common attributes and links events together into
meaningful bundles. This technology provides the ability to perform a
variety of correlation techniques to integrate different sources, in order to
turn data into useful information.

Alerting: the automated analysis of correlated events and production of
alerts, to notify recipients of immediate issues.

Dashboards: SIEM/LM tools take event data and turn it into informational
charts to assist in seeing patterns, or identifying activity that is not
forming a standard pattern.

Compliance: SIEM applications can be employed to automate the gathering of
compliance data, producing reports that adapt to existing security,
governance and auditing processes.

Retention: SIEM/SIM solutions employ long-term storage of historical data to
facilitate correlation of data over time, and to provide the retention
necessary for compliance requirements.
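The aggregation, correlation and alerting capabilities listed above, run over constructed sample log lines as an added example that is not part of the original glossary. Two sources (an sshd log and a VPN log, both in made-up formats) are normalized into one event schema, grouped by source IP, and an alert fires when a successful login follows at least five failures from that IP within ten minutes. Neither source alone crosses the threshold here; only the aggregated view does, which is the point of correlation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs); RFC 5737 addresses.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 sshd[4121]: Failed password for root from 198.51.100.23 port 51000 ssh2",
    "2024-05-01T10:00:04 sshd[4121]: Failed password for admin from 198.51.100.23 port 51001 ssh2",
    "2024-05-01T10:00:07 sshd[4121]: Failed password for jsmith from 198.51.100.23 port 51002 ssh2",
    "2024-05-01T10:00:30 vpn: user=jsmith src=198.51.100.23 result=FAIL",
    "2024-05-01T10:00:41 vpn: user=jsmith src=198.51.100.23 result=FAIL",
    "2024-05-01T10:01:02 vpn: user=jsmith src=198.51.100.23 result=OK",
    "2024-05-01T10:05:00 sshd[4300]: Failed password for jdoe from 203.0.113.8 port 40000 ssh2",
    "2024-05-01T10:05:20 sshd[4300]: Accepted password for jdoe from 203.0.113.8 port 40001 ssh2",
]

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
VPN_RE = re.compile(r"^(\S+) vpn: user=(\S+) src=(\S+) result=(FAIL|OK)$")


def normalize(line: str):
    """Aggregation: map each source's own format onto one event schema."""
    m = SSH_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "sshd", "user": user,
                "ip": ip, "ok": outcome == "Accepted"}
    m = VPN_RE.match(line)
    if m:
        ts, user, ip, outcome = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": "vpn", "user": user,
                "ip": ip, "ok": outcome == "OK"}
    return None   # unparsed lines are dropped (a real SIEM would count them)


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Correlation + alerting: a success from an IP that produced at least
    `threshold` failures across all sources within `window` raises an alert."""
    events = [e for e in map(normalize, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            fails = [f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window]
            if len(fails) >= threshold:
                alerts.append({"ip": ip, "user": e["user"], "ts": e["ts"],
                               "failures": len(fails),
                               "sources": sorted({f["src"] for f in fails})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```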

Security Posture
The security status of an enterprise's networks, information, and systems
based on IA resources (e.g., people, hardware, software, policies) and
capabilities in place to manage the defense of the enterprise and to react as
the situation changes.

Sensitivity
A measure of the impact that improper disclosure of information may have
on an organization

Separation of Duties
Separation of duties is the principle of splitting privileges among multiple
individuals or systems to reduce risk of fraud or other malfeasance
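A small role based access control model that also enforces a separation-of-duties rule, as an added example that is not part of the original glossary and that ties together the RBAC, Least Privilege and Separation of Duties entries. The payments policy (role names, permissions and the clerk/approver conflict) is constructed.

```python
class Rbac:
    """Roles bundle permissions; users hold roles; a separation-of-duties rule
    forbids one user from holding both of two conflicting roles."""

    def __init__(self):
        self.role_perms = {}        # role -> set of permissions
        self.user_roles = {}        # user -> set of roles
        self.conflicts = set()      # frozenset({role_a, role_b}) pairs

    def define_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def separate_duties(self, role_a: str, role_b: str) -> None:
        self.conflicts.add(frozenset((role_a, role_b)))

    def can_assign(self, user: str, role: str) -> bool:
        """False if the role conflicts with any role the user already holds."""
        held = self.user_roles.get(user, set())
        return all(frozenset((h, role)) not in self.conflicts for h in held)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        if not self.can_assign(user, role):
            raise ValueError(f"{user}: {role!r} violates separation of duties")
        self.user_roles.setdefault(user, set()).add(role)

    def permitted(self, user: str, perm: str) -> bool:
        # Least privilege: a user has exactly the union of their roles'
        # permissions, nothing else; an unknown user has none.
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


def constructed_payments_policy() -> Rbac:
    """Constructed example: whoever enters an invoice may not approve it."""
    rbac = Rbac()
    rbac.define_role("ap_clerk", {"invoice:create", "invoice:read"})
    rbac.define_role("ap_approver", {"invoice:read", "invoice:approve"})
    rbac.define_role("auditor", {"invoice:read"})
    rbac.separate_duties("ap_clerk", "ap_approver")
    rbac.assign("alice", "ap_clerk")
    rbac.assign("bob", "ap_approver")
    return rbac
```

Granting a permission means changing a role (which affects everyone in it) or a role assignment, never editing a user's rights directly; the conflict check makes the fraud scenario (one person creating and approving a payment) impossible to configure rather than merely discouraged.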

Session Key
In the context of symmetric encryption, a key that is temporary or is used for
a relatively short period of time. Usually, a session key is used for a defined
period of communication between two computers, such as for the duration of
a single connection or transaction set, or the key is used in an application
that protects relatively large amounts of data and, therefore, needs to be
rekeyed frequently.

Service delivery objective (SDO)
Directly related to business needs, SDO is the level of services to be reached
during the alternate process mode until the normal situation is restored.

Service level agreement (SLA)
An agreement, preferably documented, between a service provider and the
customer(s)/user(s) that defines minimum performance targets for a service
and how they will be measured

Shell programming
A shell script is a script written for the shell, or command line interpreter, of
an operating system. It is often considered a simple domain-specific
programming language. Typical operations performed by shell scripts include
file manipulation, program execution and printing text. Usually, shell script
refers to scripts written for a Unix shell, while COMMAND.COM (DOS) and
cmd.exe (Windows) command line scripts are usually called batch files.
Many shell script interpreters double as command line interface such as the
various Unix shells, Windows PowerShell or the MS-DOS COMMAND.COM.
Others, such as AppleScript, add scripting capability to computing
environments lacking a command line interface. Other examples of
programming languages primarily intended for shell scripting include digital
command language (DCL) and job control language (JCL).

Secure multipurpose internet mail extension (S/MIME)
Secure/Multipurpose Internet Mail Extensions is a standard for public key
encryption and signing of MIME data.


Skimming
The unauthorized use of a reader to read tags without the authorization or
knowledge of the tag's owner or the individual in possession of the tag.

Smart Card
A credit card-sized card with embedded integrated circuits that can store,
process, and communicate information.

Sniffing
The process by which data traversing a network are captured or monitored

Social engineering
An attack based on deceiving users or administrators at the target site into
revealing confidential or sensitive information

Specification
An assessment object that includes document-based artifacts (e.g., policies,
procedures, plans, system security requirements, functional specifications,
and architectural designs) associated with an information system.

Split knowledge/split key
A security technique in which two or more entities separately hold data items
that individually convey no knowledge of the information that results from
combining the items; a condition under which two or more entities
separately have key components that individually convey no knowledge of
the plaintext key that will be produced when the key components are
combined in the cryptographic module.

Spoofing
Faking the sending address of a transmission in order to gain illegal entry
into a secure system

Secure shell (SSH)
Secure Shell (SSH) is a network protocol for secure data communication,
remote shell services or command execution and other secure network
services between two networked computers that it connects via a secure
channel over an insecure network.

Secure sockets layer (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets
Layer (SSL), are cryptographic protocols that provide
communication security over the Internet. TLS and SSL encrypt the
segments of network connections above the Transport Layer, using
asymmetric cryptography for key exchange, symmetric encryption for
privacy, and message authentication codes for message integrity.

Security steering group (SSG)
The SSG is generally charged with incident management and response
organization and oversight.

Single sign-on (SSO)
SSO is a process to allow access to numerous systems using one set of
authentication credentials.

Spyware
Software that is secretly or surreptitiously installed into an information
system to gather information on individuals or organizations without their
knowledge; a type of malicious code.

Structured query language (SQL)
Structured Query Language is a programming language designed for
managing data in relational database management systems

Standard
An internal mandatory requirement defining allowable boundaries of people,
processes and technologies or a specification approved by a recognized
external standards organization, such as ISO

Standard operating procedure (SOP)
An SOP is a written document or instruction detailing all steps and activities
of a process or procedure. ISO 9001 essentially requires the documentation
of all procedures used in any manufacturing process that could affect the
quality of the product or service.

Steganography
The art and science of communicating in a way that hides the existence of
the communication. For example, a secret document can be hidden inside
another graphic image file, audio file, or other file format.

Supervisory control and data acquisition (SCADA)
A generic name for a computerized system that is capable of gathering and
processing data and applying operational controls over long distances.
Typical uses include power transmission and distribution and pipeline
systems. SCADA was designed for the unique communication challenges
(delays, data integrity, etc.) posed by the various media that must be used,
such as phone lines, microwave, and satellite. These media are usually
shared rather than dedicated.

Supply Chain
A system of organizations, people, activities, information, and resources,
possibly international in scope, that provides products or services to
consumers

System development life cycle (SDLC)
The scope of activities associated with a system, encompassing the system's
initiation, development and acquisition, implementation, operation and
maintenance, and ultimately its disposal, which instigates another system
initiation.

Symmetric Cryptography
A branch of cryptography involving algorithms that use the same key for two
different steps of the algorithm (such as encryption and decryption, or
signature creation and signature verification). Symmetric cryptography is
sometimes called "secret-key cryptography" (versus public-key
cryptography) because the entities that share the key.

Symmetric Key
A cryptographic key that is used in a symmetric cryptographic algorithm.
Also called a secret key based on the notion of a shared secret.

System Owner
Person or organization having responsibility for the development,
procurement, integration, modification, operation and maintenance, and/or
final disposition of an information system.

T
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information
system that are primarily implemented and executed by the information
system through mechanisms contained in the hardware, software, or
firmware components of the system.

Threat
Anything (e.g., object, substance, human) that is capable of acting against
an asset in a manner that can result in harm. A potential cause of an
unwanted incident. (ISO/IEC 13335)

Threat agent
Methods and things used to exploit a vulnerability. Examples include
determination, capability, motive and resources.

Threat analysis
An evaluation of the type, scope and nature of events or actions that can
result in adverse consequences; identification of the threats that exist
against information assets and information technology. The threat analysis
usually also defines the level of threat and the likelihood of it materializing.

Threat event
Any event where a threat element/actor acts against an asset in a manner
that has the potential to directly result in harm

Threat Assessment
A threat assessment is the identification of types of threats that an
organization might be exposed to.

Threat Model
A threat model is used to describe a given threat and the harm it could do to
a system if it has a vulnerability.

Threat Vector
The method a threat uses to get to the target.

Transport Layer Security (TLS)
Transport Layer Security (TLS) and its predecessor, Secure Sockets
Layer (SSL), are cryptographic protocols that provide
communication security over the Internet. TLS and SSL encrypt the
segments of network connections above the Transport Layer, using
asymmetric cryptography for key exchange, symmetric encryption for
privacy, and message authentication codes for message integrity.

Token
Something that the claimant possesses and controls (typically a key or
password) used to authenticate the claimant's identity.

Token-Based Access Control
Token based access control associates a list of objects and their privileges
with each user. (The opposite of list based.)

Token-Based Devices
A token-based device is triggered by the time of day, so every minute the
password changes, requiring the user to have the token with them when they
log in.

Topology
The geometric arrangement of a computer system. Common topologies
include a bus, star, and ring. The specific physical, i.e., real, or logical, i.e.,
virtual, arrangement of the elements of a network. Note 1: Two networks
have the same topology if the connection configuration is the same,
although the networks may differ in physical interconnections, distances
between nodes, transmission rates, and/or signal types.

Total cost of ownership (TCO)
The computation of all costs related to acquisition, deployment, training,
testing, maintenance, and end of life costs.

Transmission control protocol (TCP)
The Transmission Control Protocol (TCP) is one of the core protocols of
the Internet Protocol Suite. TCP is one of the two original components of the
suite, complementing the Internet Protocol (IP), and therefore the entire suite
is commonly referred to as TCP/IP. TCP provides reliable, ordered delivery of a
stream of bytes from a program on one computer to another program on
another computer. TCP is the protocol that major Internet applications such
as the World Wide Web, email, remote administration and file transfer rely on.

Transmission control protocol/internet protocol (TCP/IP)
IP is one of the core protocols of the Internet protocol suite and combined
with TCP is referred to as TCP/IP

Trojan horse
A Trojan horse, or Trojan, is a standalone malicious program which may give
full control of an infected PC to another PC. It may also perform
typical computer virus activities. Trojan horses may make copies of
themselves, steal information, or harm their host computer systems.

Two-factor authentication
The use of two independent mechanisms for authentication, for example,
requiring a smart card and a password. Typically the combination of
something you know, are or have.

Trusted Computer System
A system that employs sufficient hardware and software assurance measures
to allow its use for processing simultaneously a range of sensitive or
classified information.

Trusted Computing Base (TCB)
Totality of protection mechanisms within a computer system, including
hardware, firmware, and software,

Tunneling
Technology enabling one network to send its data via another network's
connections. Tunneling works by encapsulating a network protocol within
packets carried by the second network.

U
Unauthorized Access
A person gains logical or physical access without permission to a network,
system, application, data, or other IT resource. Any access that violates the
stated security policy.

Unauthorized Disclosure
An event involving the exposure of information to entities not authorized
access to the information.

Uniform Resource Locator (URL)
The global address of documents and other resources on the World Wide
Web. The first part of the address indicates what protocol to use, and the
second part specifies the IP address or the domain name where the resource
is located. For example, http://www.pcwebopedia.com/index.html.

Unix
A popular multi-user, multitasking operating system developed at Bell Labs
in the early 1970s. Created by just a handful of programmers, Unix was
designed to be a small, flexible system used exclusively by programmers.

User datagram protocol (UDP)
The User Datagram Protocol (UDP) is one of the core members of the Internet
Protocol Suite, the set of network protocols used for the Internet. With UDP,
computer applications can send messages, in this case referred to
as datagrams, to other hosts on an Internet Protocol (IP) network without
requiring prior communications to set up special transmission channels or
data paths.

Uninterruptible power supply (UPS)
UPS is typically battery power converted to standard AC operating current
using an inverter. It is designed to automatically supply power in the event
the primary source fails.

V
Validation
The process of demonstrating that the system under consideration meets in
all respects the specification of that system.

Value at risk (VAR)
VAR computes the probability of the maximum loss at a 95 or 99% certainty
over a defined period based on historical information and exercising all the
variables using Monte Carlo simulations. While primarily used in financial
analysis, it has been shown to have significant potential value in generally
managing risk.

Virtual Machine (VM)
Software that allows a single host to run one or more guest operating
systems.

Virtual private network (VPN)
A secure private network that uses the public telecommunications
infrastructure to transmit data. In contrast to a much more expensive system
of owned or leased lines that can only be used by one company, VPNs are
used by enterprises for both extranets and wide areas of intranets. Using
encryption and authentication, a VPN encrypts all data that pass between
two Internet points, maintaining privacy and security.

Virus signature files
The file of virus patterns that are compared with existing files to determine if
they are infected with a virus or worm

Voice over IP (VOIP)
Voice over IP (VoIP) commonly refers to the communication protocols,
technologies, methodologies, and transmission techniques involved in the
delivery of voice communications and multimedia sessions over Internet
Protocol (IP) networks, such as the Internet

Vulnerability
A weakness in the design, implementation, operation or internal controls in a
process that could be exploited to violate system security

Vulnerability analysis
Process of identifying and classifying vulnerabilities

W
Warm site
A warm site is similar to a hot site; however, a warm site is not fully
equipped with all necessary hardware needed for recovery.

Web hosting
The business of providing the equipment and services required to host and
maintain files for one or more web sites, and provide fast Internet
connections to those sites. Most hosting is shared, which means that web
sites of multiple companies are on the same server to share/reduce costs.

Web server
Using the client-server model and the World Wide Web's Hypertext Transfer
Protocol (HTTP), a Web server is a software program that serves web pages to
users.

Wide area network (WAN)
A Wide Area Network (WAN) is a telecommunication network that covers a
broad area (i.e., any network that links across metropolitan, regional, or
national boundaries).

Wiki
Web applications or similar tools that allow identifiable users to add content
(as in an Internet forum) and allow anyone to edit that content collectively.

Wired Equivalent Privacy (WEP)
A security protocol, specified in the IEEE 802.11 standard, that is designed to
provide a WLAN with a level of security and privacy comparable to what is
usually expected of a wired LAN. WEP is no longer considered a viable
encryption mechanism due to known weaknesses.

Wireless Access Point (WAP)
A device that acts as a conduit to connect wireless communication devices
together to allow them to communicate and create a wireless network.

Worm
A programmed network attack in which a self-replicating program does not
attach itself to programs, but rather spreads independently of users' actions

Wi-Fi Protected Access 2 (WPA2)
The follow on security method to WPA for wireless networks that provides
stronger data protection and network access control. It provides enterprise
and consumer Wi-Fi users with a high level of assurance that only authorized
users can access their wireless networks. Based on the ratified IEEE 802.11i
standard, WPA2 provides government grade security by implementing the
National Institute of Standards and Technology (NIST) FIPS 140-2 compliant
AES encryption algorithm and 802.1X-based authentication

Acronyms
The CISM candidate should be familiar with the following list of acronyms.
These acronyms are the only standalone abbreviations used in examination
questions.
Acronym   Description
CD        Compact Disk
CD-ROM    Compact Disk Read Only Memory
DMZ       Demilitarized zone
HTML      Hypertext Markup Language
ID        Identification
IP        Internet Protocol
IPS       Intrusion prevention system
IPSec     Internet Protocol Security
IS        Information systems
ISP       Internet service provider
IT        Information technology
OS        Operating system
URL       Universal resource locator
XML       Extensible Markup Language

In addition to the aforementioned acronyms, candidates may also wish to
become familiar with the following additional acronyms. Should any of these
abbreviations be used in examination questions, their meanings would be
included when the acronym appears.
Acronym   Description
AES       Advanced Encryption Standard
AESRM     Alliance for Enterprise Security Risk Management
AICPA     American Institute of Certified Public Accountants
AIW       Acceptable interruption window
ALE       Annual loss expectancy
API       Application programming interface
ARP       Address Resolution Protocol
AS/NZS    Australian Standard/New Zealand Standard
ASCII     American Standard Code for Information Interchange
ASIC      Application-specific integrated circuit
ASP       Application service provider
ATM       Asynchronous Transfer Mode
BCI       Business Continuity Institute
BCM       Business continuity management
BCP       Business continuity planning
BGP       Border Gateway Protocol
BI        Business intelligence
BIA       Business impact analysis
BIMS      Biometric information management and security
BIOS      Basic input/output system
BIS       Bank for International Settlements
BITS      Banking Information Technology Standards
BLP       Bell-LaPadula
BLP       Bypass label process
BMS       Building management systems
BS        British Standard
CA        Certificate authority
CASPR     Commonly accepted security practices and recommendations
CBT       Computer-based training
CCO       Chief compliance officer
CEO       Chief executive officer
CERT      Computer emergency response team
CFO       Chief financial officer
CICA      Canadian Institute of Chartered Accountants
CIM       Computer-integrated manufacturing
CIO       Chief information officer
CIRT      Computer incident response team
CIS       Center for Internet Security
CISO      Chief information security officer
CLC       Chief legal counsel
CMM       Capability Maturity Model
CMU       Carnegie Mellon University
COO       Chief operating officer
COOP      Continuity of operations plan
CORBA     Common Object Request Broker Architecture
COSO      Committee of Sponsoring Organizations of the Treadway Commission
CPO       Chief privacy officer
CPS       Certification practice statement
CPU       Central processing unit
CRL       Certificate revocation list
CRM       Customer relationship management
CSA       Control self-assessment
CSF       Critical success factor
CSIRT     Computer security incident response team
CSO       Chief security officer
CSRC      Computer Security Resources Center (USA)
CTO       Chief technology officer
CVE       Common vulnerabilities and exposures
CW        Clark-Wilson
DAC       Discretionary access controls
DBMS      Database management system
DCE       Distributed control environment
DCE       Data communications equipment
DCE       Distributed computing environment
DCL       Digital command language
DDoS      Distributed denial of service
DES       Data Encryption Standard
DHCP      Dynamic Host Configuration Protocol
DLP       Data leakage protection
DLT       Digital linear tape
DNS       Domain name system
DNSSEC    Domain Name Service Secure
DoS       Denial of service
DOSD      Data-oriented system development
DR        Disaster recovery
DRII      Disaster Recovery Institute International
DRP       Disaster recovery planning
EDI       Electronic data interchange
EER       Equal error rate
EFT       Electronic funds transfer
EGRP      External Gateway Routing Protocol
EIGRP     Enhanced Interior Gateway Routing Protocol
EU        European Union
FAR       False-acceptance rate
FCPA      Foreign Corrupt Practices Act
FERC      Federal Energy Regulatory Commission (USA)
FFIEC     Federal Financial Institution Examination Council (USA)
FIPS      Federal Information Processing Standards (USA)
FISMA     Federal Information Security Management Act (USA)
FSA       Financial Security Authority (USA)
GAISP     Generally Accepted Information Security Principles
GAS       Generalized audit software
GASSP     Generally Accepted Security System Principles
GLBA      Gramm-Leach-Bliley Act (USA)
GMI       Governance Metrics International
HD-DVD    High definition/high density-digital video disc
HIDS      Host-based intrusion detection system
HIPAA     Health Insurance Portability and Accountability Act (USA)
HIPO      Hierarchy Input-Process-Output
HR        Human resources
HTTP      Hypertext Transfer Protocol
HTTPS     Secure Hypertext Transfer Protocol
HVAC      Heating, ventilating and air conditioning
I&A       Identification and Authentication
I/O       Input/output
ICMP      Internet control message protocol
ICT       Information and communication technologies
IDC       International Development Corp.
IDEFIX    Integration Definition for Information Modeling
IDS       Intrusion detection system
IEC       International Electrotechnical Commission
IETF      Internet engineering task force
IFAC      International Federation of Accountants
IIA       Institute of Internal Auditors
IMT       Incident management team
IPF       Information processing facility
IPL       Initial program load
IPMA      International Project Management Association
IPRs      Intellectual property rights
IPS       Intrusion-prevention system
IRP       Incident response plan
IRS       Internal Revenue Service (USA)
IRT       Incident response team
ISF       Information Security Forum
ISO       International Organization for Standardization
ISO       Information security officer
ISS       Institutional Shareholders Services
ISSA      Information System Security Association
ISSEA     International System Security Engineering Association
ITGI      IT Governance Institute
JCL       Job control language
KGI       Key goal indicator
KLOC      Kilo lines of code
KPI       Key performance indicator
KRI       Key risk indicator
L2TP      Layer 2 Tunneling Protocol
LAN       Local area network
LCP       Link Control Protocol
M&A       Mergers and Acquisition
MAC       Mandatory access control
MAO       Maximum allowable outage
MIME      Multipurpose Internet mail extension
MIS       Management information system
MitM      Man-in-the-middle
MTD       Maximum tolerable downtime
MTO       Maximum tolerable outage
NAT       Network address translation
NCP       Network Control Protocol
NDA       Nondisclosure agreement
NetBIOS   Network basic input/output systems
NFPA      National Fire Protection Association
NFS       Network file system
NIC       Network interface card
NIDS      Network intrusion detection system
NIST      National Institute of Standards and Technology (USA)
NPV       Net present value
OCC       Office of the Comptroller of the Currency (USA)
OCSP      Online Certificate Status Protocol
OCTAVE    Operationally Critical Threat, Asset and Vulnerability Evaluation
OECD      Organization for Economic Co-operation and Development
OEM       Original equipment manufacturer
OEP       Occupant emergency plan
OSI       Open systems interconnection
OSPF      Open Shortest Path First
PAN       Personal area network
PC        Personal computer/microcomputer
PCI       Payment Card Industry
PDCA      Plan-do-check-act
PKI       Public key infrastructure
PMBOK     Project Management Body of Knowledge
POS       Point-of-sale
PPP       People, process and policy
PPPoE     Point-to-point Protocol over Ethernet
PPT       People, process and technology
PSTN      Public switched telephone network
PVC       Permanent virtual circuit
QA        Quality assurance
RAID      Redundant Array of Inexpensive Disks
RARP      Reverse Address Resolution Protocol
RCERT     Regional Computer Emergency Response Team (USA)
ROI       Return on investment
ROSI      Return on security investment
RPO       Recovery point objective
RRT       Risk Reward Theorem/Tradeoff
RSA       Rivest, Shamir and Adleman (RSA stands for the initials of the developers' last names)
RTO       Recovery time objective
S/HTTP    Secure Hypertext Transfer Protocol
S/MIME    Secure multipurpose Internet mail extension
SABSA     Sherwood Applied Business Security Architecture
SAC       Systems auditability and control
SCADA     Supervisory Control and Data Acquisition
SDLC      System development life cycle
SDO       Service delivery objective
SEC       Securities and Exchange Commission (USA)
SEI       Software Engineering Institute
SIEM      Security information and event management
SIM       Security information management
SLA       Service level agreement
SMART     Specific, measurable, achievable, relevant, time-bound
SMF       System management facility
SOP       Standard operating procedure
SPI       Security Parameter Index
SPICE     Software process improvement and capability determination
SPOC      Single point of contact
SPOOL     Simultaneous peripheral operations online
SQL       Structured Query Language
SSG       Security steering group
SSH       Secure Shell
SSL       Secure Sockets Layer
SSO       Single sign-on
TCO       Total cost of ownership
TCP       Transmission Control Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol
TCP/UDP   Transmission Control Protocol/User Datagram Protocol
TLS       Transport layer security
UDP       User Datagram Protocol
UPS       Uninterruptible power supply
USB       Universal Serial Bus
VAR       Value at risk
VoIP      Voice-over IP
VPN       Virtual private network
WAN       Wide area network
XBRL      Extensible Business Reporting Language
