qualitative risk analysis
A risk analysis methodology where risks are classified on a nonquantified scale, for example, from High to Medium to Low.
quantitative risk analysis
A risk analysis methodology where risks are estimated in the form of actual costs and/or probabilities of occurrence.
A holding place for e-mail messages that have been blocked by a spam or phishing filter.
Responsible, Accountable, Consulted, Informed (RACI) Chart
A tool used to assign roles to individuals and groups according to their responsibilities.
A part of a person's position title that denotes seniority or span of control in an organization.
Malware that performs some malicious action, requiring payment from the victim to reverse the action. Such actions include data erasure, data encryption, and system damage.
A data center that is operated by another company. Two or more organizations with similar processing needs will draw up a legal contract that obligates one or more of the organizations to temporarily house another partys systems in the event of a disaster.
Any activity in which a would-be intruder or researcher explores a potential target system or network, generally to learn of its makeup, to determine a potentially successful attack strategy.
Documents describing business events such as meeting minutes, contracts, financial transactions, decisions, purchase orders, logs, and reports.
recovery capacity objective (RCapO)
The processing and/or storage capacity of an alternate process or system, as compared to the normal process or site. RCapO is usually expressed as a percentage, as compared to the primary processing site.
recovery consistency objective (RCO)
A measure of the consistency and integrity of processing at a recovery site, as compared to the primary processing site. RCO is calculated as 1 − (number of inconsistent objects) / (number of objects).
A control that is used after an unwanted event to restore a system or process to its pre-event state.
recovery point objective (RPO)
The period of acceptable data loss due to an incident or disaster. RPO is usually measured in hours or days.
Instructions that key personnel use to bootstrap services that support critical business functions identified in the business impact assessment (BIA).
A high-level plan for resuming business operations after a disaster.
recovery time objective (RTO)
The period from the onset of an outage until the resumption of service. RTO is usually measured in hours or days.
Redundant Array of Independent Disks (RAID)
A family of technologies that is used to improve the reliability, performance, or size of disk-based storage systems.
registration authority (RA)
An entity that works within or alongside a certificate authority (CA) to accept requests for new digital certificates.
The IT function that controls the release of software programs, applications, and environments. See also IT service management (ITSM).
The IT process whereby changes to software programs, applications, and environments are requested, reviewed, approved, and implemented.
A service that permits a user to establish a network connection from a remote location so that the user can access network resources remotely.
remote access Trojan (RAT)
Malware that permits the attacker to remotely access and control a target system.
The act of commanding a device, such as a laptop computer or mobile device, to destroy stored data. Remote destruct is sometimes used when a device is lost or stolen to prevent anyone from being able to read data stored on the device.
The practice of employees working in locations other than their organization's work premises.
An audit technique where an IS auditor repeats actual tasks performed by auditees in order to confirm they were performed properly.
An activity where data that is written to a storage system is also copied over a network to another storage system and written. The result is the presence of up-to-date data that exists on two or more storage systems, each of which could be located in a different geographic region.
request for information (RFI)
A formal process where an organization solicits information regarding solution proposals from one or more vendors. This is usually used to gather official information about products or services that may be considered in the future.
request for proposal (RFP)
A formal process where an organization solicits solution proposals from one or more vendors. The process usually includes formal requirements and desired terms and conditions. It is used to formally evaluate vendor proposals to make a selection.
Formal statements that describe required (and desired) characteristics of a system that is to be changed, developed, or acquired.
The risk that remains after being reduced through other risk treatment options.
Required action of personnel after a disaster strikes. It includes the business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan (COOP), and security incident response plan (SIRP).
A stated expectation of activities and performance.
A contract in which an organization pays in advance for professional services. Examples include external legal counsel and security incident response.
return on investment (ROI)
The ratio of money gained or lost as compared to an original investment.
return on security investment (ROSI)
The return on investment (ROI) based on the reduction of security-related losses compared to the cost of related controls.
right to audit
A clause in a contract where one party has the right to conduct an audit of the other party's operations.
Generally, the fact that undesired events can happen that may damage property or disrupt operations; specifically, an event scenario that can result in property damage or disruption.
The risk treatment option where management chooses to accept the risk as is.
The process of identifying and studying risks in an organization.
The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
A process where risks, in the form of threats and vulnerabilities, are identified for each asset.
The risk treatment option involving a cessation of the activity that introduces identified risk.
Programmatic activities whose objective is to make business leaders, stakeholders, and other personnel aware of the organization's information risk management program. See also security awareness.
The objective amount of loss that an organization can tolerate without its continued existence being called into question.
The management activities used to identify, analyze, and treat risks.
The risk treatment option involving implementation of a solution that will reduce an identified risk.
Ongoing activities including control effectiveness assessments and risk assessments to observe changes in risk.
A business record containing business risks and information about their origin, potential impact, affected assets, probability of occurrence, and treatment.
The risk treatment option involving the act of transferring risk to another party, such as an insurance company.
The decision to manage an identified risk. The available choices are mitigate the risk, avoid the risk, transfer the risk, or accept the risk.
The list of steps required to achieve a strategic objective.
A set of user privileges in an application; also, a formal designation assigned to an individual by virtue of a job title or other label.
A step in the software development life cycle where system changes need to be reversed, returning the system to its previous state.
root cause analysis (RCA)
Analysis of a problem to identify the underlying origins, not merely factors or symptoms. See also problem management.
Deliberate damage of an organization's asset.
The process of recovering components or assets that still have value after a disaster.
A portion of a population of records that is selected for auditing.
The sum of all samples divided by the number of samples.
sample standard deviation
A computation of the variance of sample values from the sample mean. This is a measurement of the spread of values in the sample.
A technique that is used to select a portion of a population when it is not feasible to test an entire population.
The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.
A security mechanism, often used by antimalware programs, for separating running programs. See also anti-malware.
A U.S. law requiring public corporations to enact business and technical controls, perform internal audits of those controls, and undergo external audits.
SAS 70 (Statement of Accounting Standards No. 70)
An external audit of a service provider. An SAS 70 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). This has been deprecated by SSAE 18. See also Statements on Standards for Attestation Engagements No. 18 (SSAE 18).
A security tool that is used to scan files, processes, network addresses, systems, or other objects, often for the purpose of identifying assets or vulnerabilities that may be present in assets.
A network device that filters network traffic based on source and destination IP addresses and ports. See also firewall.
The practice of developing program source code that is free of security defects. See also secure development training.
secure development training
Training for software developers on the techniques of writing secure code and avoiding security defects that could be exploited by adversaries.
secure electronic transaction (SET)
A protocol used to protect credit card transactions that uses a digital envelope. SET has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). See also digital envelope, Secure Sockets Layer (SSL), Transport Layer Security (TLS).
Secure Multipurpose Internet Mail Extensions (S/MIME)
An e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.
Secure Shell (SSH)
A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. SSH can also be used as a tunnel to encapsulate and thereby protect other protocols.
Secure Sockets Layer (SSL)
An encryption protocol used to encrypt web pages requested with the HTTPS URL. This has been deprecated by Transport Layer Security (TLS). See also Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS).
The mission of understanding the interplay between all of the security controls and configurations that work together to protect information systems and information assets.
A formal review of security controls, processes, or systems to determine their state. See also audit.
A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors. See also risk awareness.
security by design
The concept of product and software development that incorporates security into the design of the software rather than as an afterthought.
Managements control over an organizations security program.
An event where the confidentiality, integrity, or availability of information (or an information system) has been compromised.
security information and event management (SIEM)
A system that collects logs from systems, correlates log data, and produces alerts that require attention.
security incident log
A business record consisting of security incidents that have occurred.
security incident management
The overall program and activities to ensure that an organization is able to quickly detect, respond, and contain a security incident.
security incident response
The formal, planned response that is enacted when a security incident has occurred. See also security incident.
security operations center (SOC)
An IT function wherein personnel centrally monitor and manage security functions and devices, watch for security anomalies and incidents, and take actions as warranted.
See information security policy.
An examination of a process, procedure, system, program, or other object to determine the state of security.
semiquantitative risk analysis
A risk analysis methodology where risks are classified on a simple numeric scale, such as 1 to 5.
segregation of duties (SOD)
The concept that ensures single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
A centralized computer used to perform a specific task.
service continuity management
The IT function that consists of activities concerned with the organization's ability to continue providing services, primarily in the event that a natural or man-made disaster has occurred. See also IT service management (ITSM), business continuity planning (BCP), disaster recovery planning (DRP).
service delivery objective (SDO)
The level or quality of service that is required after an event, as compared to business normal operations.
The IT function that handles incidents and service requests on behalf of customers by acting as a single point of contact. See also IT service management (ITSM).
service level agreement (SLA)
An agreement that specifies service levels in terms of the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity.
service level management
The IT function that confirms whether IT is providing adequate service to its customers. This is accomplished through continuous monitoring and periodic review of IT service delivery. See also IT service management (ITSM).
The phenomenon wherein individuals, groups, departments, and business units bypass corporate IT and procure their own computing services, typically through SaaS and IaaS services. See also cloud, infrastructure-as-a-service (IaaS), software-as-a-service (SaaS).
shared responsibility model
A model that depicts responsibilities between service providers and customers, typically in a cloud environment.
A test of disaster recovery, business continuity, or security incident response procedures where the participants take part in a mock disaster or incident to add some realism to the process of thinking their way through emergency response documents.
single loss expectancy (SLE)
The financial loss when a threat is realized one time. SLE is defined as AV × EF. See also asset value (AV), exposure factor (EF).
single point of failure
An element or device in a system or network lacking redundancy, and when it fails for any reason, the entire network or system will experience an outage.
A small, credit-card-sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.
A mobile phone equipped with an operating system and software applications.
Phishing in the context of SMS messaging. See also phishing.
A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later.
The act of using deception to trick an individual into revealing secrets or performing actions.
A defect introduced into a program that results in unexpected behavior. Commonly known as a bug.
Software Engineering Institute Capability Maturity Model (SEI-CMM)
A model used to determine the maturity of security processes. See also Capability Maturity Model Integration for Development (CMMi-DEV).
A software delivery model where an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.
software-defined networking (SDN)
A class of capabilities where network infrastructure devices such as routers, switches, and firewalls are created, configured, and managed as virtual devices in virtualization environments.
solid-state drive (SSD)
A solid-state device used for persistent data storage, generally a replacement for a hard-disk drive. See also hard disk drive (HDD).
Unsolicited and unwanted e-mail.
A central program or device that examines incoming e-mail and removes all messages identified as spam.
Phishing that is specially crafted for a specific target organization or group. See also CEO fraud, phishing, whaling.
Spam or phishing in the context of instant messaging. See also phishing, smishing, spam.
A type of malware where software performs one or more surveillance-type actions on a computer, reporting back to the spyware owner. See also malware.
A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.
statement of impact
A description of the impact a disaster scenario will have on a business or business process.
static application security testing (SAST)
Tools that are used to scan software source code to identify security defects.
A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen. See also sampling.
Any technique where data is hidden within another data file.
System and Organization Controls 1 (SOC1)
An external audit of a service provider. A SOC1 audit is performed according to the SSAE 18 standard established by the American Institute of Certified Public Accountants (AICPA).
System and Organization Controls 2 (SOC2)
An external audit of a service provider on one or more of the following trust principles: security, availability, processing integrity, confidentiality, and privacy. A SOC2 audit is performed according to audit standards established by the American Institute of Certified Public Accountants (AICPA).
System and Organization Controls 3 (SOC3)
An external audit of a service provider on one or more of the following trust principles: security, availability, processing integrity, confidentiality, and privacy.
A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor thinks there is low risk or a low rate of exceptions in the population. See also sampling.
storage area network (SAN)
A stand-alone storage system that can be configured to contain several virtual volumes and connected to many servers through fiber-optic cables.
A corporate objective that is a part of a high-level strategy.
Activities used to develop and refine long-term plans and objectives.
The plan required to achieve an objective.
A sampling technique where a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class. See also sampling.
A type of encryption algorithm that operates on a continuous stream of data, such as a video or audio feed.
supervisory control and data acquisition (SCADA)
A control system used to monitor and manage physical machinery in an industrial environment. See also industrial control system (ICS).
A method for encryption and decryption where it is necessary for both parties to possess a common encryption key.
A type of replication where writing data to a local and to a remote storage system is performed as a single operation, guaranteeing that data on the remote storage system is identical to data on the local storage system. See also replication.
A control that is implemented in IT systems and applications.
A standard that specifies the software and hardware technologies that are used by the IT organization.
The process of discontinuing employment of an employee or contractor.
A person or group who perpetrates violence for political or religious reasons.
The Open Group Architecture Framework (TOGAF)
A life-cycle enterprise architecture framework used for the design, plan, implementation, and governance of an enterprise security architecture.
An external organization providing goods or services to an organization.
third-party risk management (TPRM)
The practice of identifying risks associated with the use of outsourced organizations to perform business processes.
An event that, if realized, would bring harm to an asset.
An examination of threats and the likelihood and impact of their occurrence.
The proactive search for intrusions, intruders, and indicators of compromise.
threat intel feed
A subscription service containing information about known threats. A threat intel feed can come in the form of human-readable or machine-readable information.
Information about security tools, tactics, and trends of intrusions that can help an organization know how to better protect itself from intrusion.
Activities undertaken by an organization to learn of relevant security threats so that the organization can take appropriate action to counter the threats.
The activity of looking for potential threats in a business process, information system, or software application.
Towers of Hanoi
A complex backup media rotation scheme that provides for more lengthy retention of some backup media. It is based on the Towers of Hanoi puzzle. See also backup media rotation.
Towers of Sauron
A collection of towers, including Dol Guldur, Orthanc, Cirith Ungol, Minas Tirith, Minas Morgul, and Barad-dûr, all located in Middle-earth.
total cost of ownership (TCO)
A financial estimate of all of the costs associated with a process or system.
The process of educating personnel to impart information or provide an environment where they can practice a new skill.
Transport Layer Security (TLS)
An encryption protocol used to encrypt web pages requested with the HTTPS URL. This is a replacement for Secure Sockets Layer (SSL). See also Secure Sockets Layer (SSL), Hypertext Transfer Protocol Secure (HTTPS).
unified extensible firmware interface (UEFI)
The firmware on a computer that tests the computer's hardware and initiates the bootup sequence. UEFI is considered a successor to BIOS. See also basic input/output system (BIOS).
uninterruptible power supply (UPS)
A system that filters the incoming power of spikes and other noise and supplies power for short periods through a bank of batteries.
A business or customer who uses an information system.
user behavior analytics (UBA)
A capability where user behavior is baselined and anomalous activities trigger events or alarms.
An identifier that is created by a system manager and issued to a user for the purpose of identification or authentication.
A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population. See also sampling.
A standard that specifies which suppliers and vendors are used for various types of products and services.
A software implementation of a computer, usually an operating system or other program running within a hypervisor. See also hypervisor.
Software technology that separates the physical computing environment from the software that runs on a system, permitting several instances of operating systems to operate concurrently and independently on a single system.
A type of malware where fragments of code attach themselves to executable programs and are activated when the program they are attached to is run.
A weakness that may be present in a system that can be exploited by a threat.
An assessment whose objective is to identify vulnerabilities in target assets.
A formal business process that is used to identify and mitigate vulnerabilities in an IT environment.
A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. A walk-through is performed by an entire group of individuals in a live discussion.
A meeting room or other place where incident responders will gather to coordinate incident response activities.
An alternate processing center where recovery systems are present but at a lower state of readiness than recovery systems at a hot site. For example, while the same version of the operating system may be running on the warm site system, it may be a few patch levels behind primary systems.
watering hole attack
An attack on one or more organizations that is performed by introducing malicious code on a web site that personnel in target organizations are thought to frequent.
The process of creating or obtaining malware that is to be delivered to a target as a part of a computer intrusion.
web application firewall (WAF)
A firewall that examines the contents of information in transit between a web server and its users, for the purpose of identifying and blocking malicious content that could represent an attack on the web server.
web content filter
A central program or device that monitors and, optionally, filters web communications. A web content filter is often used to control the sites (or categories of sites) that users are permitted to access from the workplace. Some web content filters can also protect an organization from malware.
A server that runs specialized software that makes static and dynamic HTML pages available to users.
An application design where the database and all business logic are stored on central servers and where user workstations use only web browsers to access the application.
Spear phishing that targets executives and other high-value and high-privilege individuals in an organization. See also CEO fraud, phishing, spear phishing.
In a security system, a list of identifiers that should always be permitted, regardless of their other characteristics.
The practice of encrypting the main storage on a server, workstation, or mobile device.
Malware designed to wipe the hard drive of a system.
wired equivalent privacy (WEP)
A now deprecated encryption protocol used by WiFi networks.
A type of malware containing stand-alone programs capable of human-assisted and automatic propagation.
An enterprise architecture framework used to describe an IT architecture in increasing levels of detail.