A standard for network authentication and access control used to determine whether a device will be permitted to attach to a LAN or wireless LAN.
A U.S. Office of Management and Budget (OMB) government circular that defines the management responsibilities for internal controls in U.S. federal agencies.
acceptable interruption window (AIW)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
acceptable use policy
Security policy that defines the types of activities that are acceptable and those that are not acceptable. An acceptable use policy is generally written for general audiences, applying to all personnel in an organization.
Any attempt by an intruder to bypass access controls to gain entry into a system.
Any means that detects or prevents unauthorized access and that permits authorized access.
access control policy
Statement that defines the policy for the granting, review, and revocation of access to systems and work areas.
Policies, procedures, and activities that enforce access policy and management control.
A formal business process that is used to control access to networks and information systems.
The process of reconfirming subjects' access to objects in an organization.
A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.
An administrative lock that is placed on a user account when a predetermined event occurs, such as reaching an expiration date or when there have been several unsuccessful attempts to access the user account.
accumulation of privileges
A situation where an employee accumulates computer system access privileges over a long period of time because of internal transfers or other privilege changes and old access privileges not being removed.
An audit of operational efficiency.
Controls in the form of policies, processes, procedures, and standards.
advanced persistent threat (APT)
A class of threat actor that uses an array of reconnaissance and attack techniques to establish a long-term presence within a target organization.
In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.
allowable interruption window (AIW)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
annualized loss expectancy (ALE)
The expected loss of asset value due to threat realization. ALE is defined as SLE × ARO.
annualized rate of occurrence (ARO)
An estimate of the number of times that a threat will occur every year.
Any of several techniques whose objective is to make it more difficult for a forensic examiner to identify and understand a computer intrusion.
Software that uses various means to detect and block or prevent malware from carrying out its purpose.
Software that is designed to detect and remove computer viruses.
A type of computer with preinstalled software that requires little or no maintenance.
A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.
A standard that defines technology architecture at the database, system, or network level.
An examination of a business process or information system to determine its state and effectiveness.
The process of confirming the existence, location, and condition of assets; also, the results of such a process.
The processes used to manage the inventory, classification, use, and disposal of assets.
asset value (AV)
The value of an IT asset, which is usually (but not necessarily) the asset's replacement value.
The collection of property that is owned by an organization.
A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.
A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead, there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system.
A metaphor often used to depict a greater or lesser extent of attackable systems, services, and personnel in an organization, or the attackable programs, services, and features in a running operating system.
attestation of compliance
A written statement that serves as an assertion of compliance to a requirement, standard, or law. An attestation of compliance is often signed by a high-ranking official or executive.
As defined by Black's Law Dictionary, a client's right or privilege to refuse to disclose, and to prevent any other person from disclosing, confidential communications between the client and the attorney. In the context of information security, certain business proceedings can be protected with attorney-client privilege as a means for preventing those proceedings from being made available during legal discovery.
A formal review of one or more processes, controls, or systems to determine their state against a standard.
A feature in an application, operating system, or database management system where events are recorded in a separate log.
A set of audit procedures that is used to accomplish a set of audit objectives.
The purpose or goals of an audit. Generally, the objective of an audit is to determine whether controls exist and are effective in some specific aspect of business operations in an organization.
A formal document that guides the control and execution of an audit. An audit plan should align with audit objectives and specify audit procedures to be used.
The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and questions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.
The plan for conducting audits over a long period.
The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; people interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.
The process, procedures, systems, and applications that are the subject of an audit.
The process of asserting one's identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.
A control that is enacted through some automatic mechanism that requires little or no human intervention.
The IT function that consists of activities concerned with the availability of IT applications and services.
The process of verifying an employment candidate's employment history, education records, professional licenses and certifications, criminal background, and financial background.
A procedure used to reverse the effect of a change that was not successful.
The process of copying important data to another media device in the event of a hardware failure, error, or software bug that causes damage to data.
backup media rotation
Any scheme used to determine how backup media is to be reused.
basic input/output system (BIOS)
The firmware on a computer that tests the computer's hardware and initiates the bootup sequence. Superseded by unified extensible firmware interface (UEFI). See also unified extensible firmware interface (UEFI).
bare metal restore
The process of recovering a system by reformatting main storage, re-installing the operating system, and restoring files.
Any use of a machine-readable characteristic of a user's body that uniquely identifies the user. Biometrics can be used for multifactor authentication. Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan, iris scan, retina scan, facial scan, and handwriting. See also authentication, multifactor authentication.
An encryption algorithm that operates on blocks of data.
board of directors
A body of elected or appointed people who oversee the activities of an organization.
A type of malware in which agents are implanted by other forms of malware and are programmed to obey remotely issued instructions.
A collection of bots that are under the control of an individual.
bring your own app
A practice whereby workers use personally owned applications and use them for company business.
bring your own device (BYOD)
A practice whereby workers use personally owned devices (typically laptop computers and mobile devices) for company business.
A plan for allocating resources over a certain time period.
An explanation of the expected benefits to the business that will be realized as a result of a program or project.
business continuity planning (BCP)
The activities required to ensure the continuation of critical business processes.
business functional requirements
Formal statements that describe required business functions that a system must support.
business impact analysis (BIA)
A study that is used to identify the impact that different disaster scenarios will have on ongoing business operations.
business recovery plan
The activities required to recover and resume critical business processes and activities.
A method for ensuring the timely notification of key personnel, such as after a disaster.
capability maturity model
A model that is used to measure the relative maturity of an organization or of its processes.
Capability Maturity Model Integration for Development (CMMI-DEV)
A maturity model that is used to measure the maturity of a software development process.
The IT function that consists of activities that confirm there is sufficient capacity in IT systems and IT processes to meet service needs. Primarily, an IT system or process has sufficient capacity if its performance falls within an acceptable range, as specified in service level agreements (SLAs). See also IT service management (ITSM), service level agreement (SLA).
As defined by the PCI Security Standards Council: "At a minimum, cardholder data consists of the full PAN (Primary Account Number, also known as a credit card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code."
The progression of responsibilities and job titles that a worker will attain over time.
A type of fraud where a perpetrator, impersonating an organization's CEO, sends phishing e-mails to other company executives and directs them to wire large amounts of money to a bank account, typically in support of a secret merger or acquisition. See also phishing, spear phishing, and whaling.
certificate authority (CA)
A trusted party that stores digital certificates and public encryption keys.
certificate revocation list (CRL)
An electronic list of digital certificates that have been revoked prior to their expiration date.
certification practice statement (CPS)
A published statement that describes the practices used by the CA to issue and manage digital certificates.
chain of custody
Documentation that shows the acquisition, storage, control, and analysis of evidence. The chain of custody may be needed if the evidence is to be used in a legal proceeding.
change control board (CCB)
The group of stakeholders from IT and business who propose, discuss, and approve changes to IT systems. Also known as a change advisory board.
The IT function that is used to control changes made to an IT environment. See also IT service management (ITSM).
A formal request for a change to be made in an environment. See also change management.
A formal review of a requested change. See also change request, change management.
chief information risk officer (CIRO)
The typical job title for the topmost information security executive in an organization.
chief information security officer (CISO)
The typical job title for the topmost information security executive in an organization.
chief risk officer (CRO)
The typical job title for the topmost risk officer in an organization.
chief security officer (CSO)
The typical job title for the topmost security officer in an organization.
A message, file, or stream of data that has been transformed by an encryption algorithm and rendered unreadable.
A control framework maintained by the Center for Internet Security (CIS).
The practice of obtaining legitimate e-mail messages, exchanging attachments or URLs for those that are malicious, and sending the altered e-mail messages to target users in the hopes the messages will trick users on account of their genuine appearance.
Internet-based computing resources.
cloud access security broker (CASB)
A system that monitors and, optionally, controls users' access to, or use of, cloud-based resources.
A technique of providing a dynamically scalable and usually virtualized computing resource as a service.
A tightly coupled collection of computers that is used to solve a common task. In a cluster, one or more servers actively perform tasks, while zero or more computers may be in a standby state, ready to assume active duty should the need arise.
A control framework for managing information systems and security. COBIT is published by ISACA.
code of ethics
A statement that defines acceptable and unacceptable professional conduct.
An alternate processing center where the degree of readiness for recovery systems is low. At the least, a cold site is nothing more than an empty rack or just allocated space on a computer room floor.
command and control (C&C)
Network traffic associated with a system compromised with malware. Command-and-control traffic represents communication between the malware and a central controlling entity.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
A private sector organization that provides thought leadership, control frameworks, and guidance on enterprise risk management.
common vulnerability scoring system (CVSS)
An open framework for communicating the quantitative characteristics and impacts of IT vulnerabilities.
A control that is implemented because another control cannot be implemented or is ineffective.
Activities related to the examination of systems and processes to ensure they conform to applicable policies, standards, controls, requirements, and regulations; also, the state of conformance to applicable policies, standards, controls, requirements, and regulations.
An audit to determine the level and degree of compliance to a law, regulation, standard, contract provision, or internal control. See also audit.
Risk associated with any general or specific consequences of not being compliant with a law, regulation, or private legal obligation.
A configuration setting in an IT asset. See also configuration management.
The IT function where the configuration of components in an IT environment is independently recorded. Configuration management is usually supported by the use of automated tools used to inventory and control system configurations. See also IT service management (ITSM).
configuration management database (CMDB)
A repository for every component in an environment that contains information on every configuration change made on those components.
A standard that defines the detailed configurations that are used in servers, workstations, operating systems, database management systems, applications, network devices, and other systems.
A list of key personnel and various methods used to contact them. See also response document.
A form of virtualization where an operating system permits the existence of multiple isolated user spaces, called containers. See also virtualization.
continuity of operations plan (COOP)
The activities required to continue critical and strategic business functions at an alternate site. See also response document.
continuous log review
A process where the event log for one or more systems is being continuously reviewed in real time to determine whether a security or operational event warranting attention is taking place. See also security information and event management system (SIEM).
The cultural desire to increase the efficiency and effectiveness of processes and controls over time.
content delivery network (CDN)
Also known as a content distribution network, a globally distributed network of servers in multiple data centers designed to optimize the speed and cost of delivery of content from centralized servers to end users.
A binding legal agreement between two or more parties that may be enforceable in a court of law.
Policy, process, or procedure that is created to ensure desired outcomes or to avoid unwanted outcomes.
An activity that takes place in an audit where the auditor seeks to determine whether an expected control is in place.
A collection of controls, organized into logical categories.
A foundational statement that describes desired states or outcomes from business operations.
The risk that a significant or material error exists that will not be prevented or detected by a control.
control self-assessment (CSA)
A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity that may or may not be required by applicable laws or regulations.
An action that is initiated to correct an undesired condition.
A control that is used after an unwanted event has occurred.
Any activity or mechanism that is designed to reduce risk.
Any organization that stores or processes electronic protected health information (ePHI). See also Health Insurance Portability and Accountability Act (HIPAA).
critical path methodology (CPM)
A technique that is used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule.
criticality analysis (CA)
A study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation.
An attack on a cryptosystem where the attacker is attempting to determine the encryption key that is used to encrypt messages.
The practice of hiding information from unwanted people.
The collective attitudes, practices, communication, communication styles, ethics, and other behavior in an organization.
A person or group delegated to operate or maintain an asset.
The step in the software development life cycle where an old replaced system is shut down and a new replacement system is started.
An actual test of disaster recovery and/or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans, that is, to actually set up the DR business processing or data processing capability. In a cutover test, personnel shut down production systems and operate recovery systems to assume the actual business workload. See also disaster recovery plan.
cyber risk insurance
An insurance policy designed to compensate an organization for unexpected costs related to a security breach.
cybersecurity framework (CSF)
See NIST CSF.
cyclical controls testing
A life cycle process in which selected controls are examined for effectiveness.
The process of examining assets after a disaster to determine the extent of damage.
The act of obtaining data for later use in a forensic investigation.
data classification policy
Policy that defines sensitivity levels and handling procedures for information.
data loss prevention (DLP) system
A hardware or software system that detects and, optionally, blocks the movement or storage of sensitive data.
The process of copying data from backup media to a target system for the purpose of restoring lost or damaged data.
Those controls that seek to maintain confidentiality, integrity, and availability of information.
The process of transforming ciphertext into plaintext so that a recipient can read it.
denial of service (DoS)
An attack on a computer or network with the intention of causing disruption or malfunction of the target.
A nonportable computer used by an individual end user and located at the user's workspace.
Software technology that separates the physical computing environment from the software that runs on an endpoint, effectively transforming an endpoint into a display terminal. See also virtualization.
A control that is used to detect events.
A control that is designed to deter people from performing unwanted activities.
A popular key exchange algorithm. See also key exchange.
An electronic document that contains an identity that is signed with the public key of a certificate authority (CA).
A method that uses two layers of encryption. A symmetric key is used to encrypt a message; then a public or private key is used to encrypt the symmetric key.
digital rights management (DRM)
Any technology used to control the distribution and use of electronic content.
The result of encrypting the hash of a message with the originators private encryption key, used to prove the authenticity and integrity of a message.
A centralized service that provides information for a particular function.
An unexpected and unplanned event that results in the disruption of business operations.
disaster declaration criteria
The conditions that must be present to declare a disaster, triggering response and recovery operations.
disaster declaration procedure
Instructions to determine whether to declare a disaster and trigger response and recovery operations. See also disaster declaration criteria.
disaster recovery and business continuity requirements
Formal statements that describe required recoverability and continuity characteristics that a system must support.
disaster recovery plan
The activities required to restore critical IT systems and other critical assets, whether in alternate or primary locations. See also response document.
disaster recovery planning (DRP)
Activities related to the assessment, salvage, repair, and restoration of facilities and assets.
disaster recovery-as-a-service (DRaaS)
A cloud-based set of tools and services that streamline the planning and execution of data backup and data replication for disaster recovery purposes.
A sampling technique where at least one exception is sought in a population. See also sampling.
A chassis in which several hard disks can be installed and connected to a server. The individual disk drives can be hot swapped in the chassis while the array is still operating.
distributed denial of service (DDoS)
A denial-of-service (DoS) attack that originates from many computers. See also denial of service (DoS).
A network system or device used to protect systems from malicious content through manipulation of the results of DNS queries. See also web content filter.
A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. Individuals typically review these documents on their own, at their own pace, but within whatever time constraints or deadlines that may have been established.
The inclusive term that describes charters, processes, procedures, standards, requirements, and other written documents.
Domain Name System (DNS)
A TCP/IP application layer protocol used to translate domain names (such as www.isecbooks.com) into IP addresses.
The period of time that elapses from the start of a security incident to the organization's awareness of the incident.
dynamic application security testing (DAST)
Tools used to identify security defects in a running software application.
The act of secretly intercepting and, optionally, recording a voice or data transmission.
The property of infrastructure-as-a-service whereby additional virtual assets can be created or withdrawn in response to rising and falling workloads.
A system consisting of an internal combustion engine powered by gasoline, diesel fuel, or natural gas that spins an electric generator. A generator can supply electricity for as long as several days, depending upon the size of its fuel supply and whether it can be refueled.
electronic protected health information (ePHI)
Any information, in electronic form, about the health, health status, and medical treatment of a human patient.
A public key cryptography algorithm.
A network-based service used to transmit messages between individuals and groups.
emergency communications plan
The communications that are required during a disaster. See also response document.
The urgent activities that immediately follow a disaster, including evacuation of personnel, first aid, triage of injured personnel, and possibly firefighting.
See employee policy manual.
employee policy manual
A formal statement of the terms of employment, facts about the organization, benefits, compensation, conduct, and policies.
A legal contract between an organization and an employee, which may include a description of duties, roles and responsibilities, confidentiality, compliance, and termination.
The act of hiding sensitive information in plain sight. Encryption works by scrambling the characters in a message using a method known only to the sender and receiver, making the message useless to anyone who intercepts the message.
A block of characters, used in combination with an encryption algorithm, to encrypt or decrypt a stream or block of data.
A general term used to describe any of the types of devices used by end users, including mobile phones, smartphones, terminals, tablet computers, laptop computers, and desktop computers.
Activities that ensure important business needs are met by IT systems; also, the model that is used to map business functions into the IT environment and IT systems in increasing levels of detail.
enterprise risk management (ERM)
The methods and processes used by an organization to identify and manage business risks.
Instructions to safely evacuate a work facility in the event of a fire, earthquake, or other disaster.
The practice of backing up information to an off-site location, often a third-party service provider.
An occurrence of relevance to a business or system.
The practice of examining the events that occur on information systems, including operating systems, subsystems such as database management systems, applications, network devices, and end-user devices.
A capability that permits an organization to be aware of activities that may be a sign of a security incident.
Information gathered by the auditor that provides proof that a control exists and is being operated.
The process of exploiting a vulnerability in a target system in order to take control of the system.
exposure factor (EF)
The financial loss that results from the realization of a threat, expressed as a percentage of the asset's total value.