Glossary Audit
8/9/2019 Glossary Audit
1/89
Glossary
A
Acceptable interruption window
The maximum period of time that a system can be unavailable before compromising the achievement of the business objectives
Acceptable use policy
A policy that establishes an agreement between users and the organization, and defines for all parties' ranges of use that are approved before gaining access to a network or the Internet
Access controls
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises
Access path
The logical route that an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access rights
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
Accountability
The ability to map a given activity or event back to the responsible party
Action plan
A plan for the steps necessary to navigate the roadmap to achieve objectives
Ad hoc
Arbitrary approach, no formal plan or process
Administrative controls
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies
Adware
Any software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Advanced Encryption Standard (AES)
The international encryption standard that replaced DES.
Algorithm
A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer.
Anomaly-Based Detection
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. This approach is used on some intrusion detection systems.
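As an added example (not part of the glossary), the following Python sketch shows the anomaly-based approach the entry describes: a profile of normal activity is built from a training window of constructed authentication log lines, and observed events are then compared against it. The log format, the per-user hourly rate with a z-score threshold, and the "new source host" check are assumptions chosen for this illustration, not anything the glossary specifies.

```python
"""Anomaly-based detection over constructed authentication log lines.

Added illustration, not glossary code. A baseline of "normal" per-user
activity is learned from a training window; observed events are then
compared against it and significant deviations are reported.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format (constructed): "<ISO timestamp> <user> <action> <source host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<src>\S+)$")


def parse(lines):
    """Return the well-formed lines as dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def build_profile(events):
    """Per-user baseline: mean/stdev of events per hour and the set of source hosts seen."""
    per_user_hour = defaultdict(Counter)
    sources = defaultdict(set)
    for e in events:
        per_user_hour[e["user"]][e["ts"][:13]] += 1  # "YYYY-MM-DDTHH" bucket
        sources[e["user"]].add(e["src"])
    profile = {}
    for user, hours in per_user_hour.items():
        counts = list(hours.values())
        profile[user] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
            "sources": sources[user],
        }
    return profile


def detect(profile, events, z_threshold=3.0):
    """Compare observed events with the profile; return (user, reason) alerts."""
    alerts = []

    def alert(user, reason):
        if (user, reason) not in alerts:
            alerts.append((user, reason))

    per_user_hour = defaultdict(Counter)
    for e in events:
        per_user_hour[e["user"]][e["ts"][:13]] += 1
        base = profile.get(e["user"])
        if base is None:
            alert(e["user"], "unknown user")
        elif e["src"] not in base["sources"]:
            alert(e["user"], f"new source {e['src']}")
    for user, hours in per_user_hour.items():
        base = profile.get(user)
        if base is None:
            continue
        # Rate check: a zero-variance baseline falls back to the mean as the unit of spread.
        spread = base["stdev"] or max(base["mean"], 1.0)
        for hour, n in hours.items():
            z = (n - base["mean"]) / spread
            if z > z_threshold:
                alert(user, f"{n} events in {hour} (z={z:.1f})")
    return alerts


def _lines(user, src, day, hour_counts):
    """Constructed sample: hour_counts maps hour-of-day -> number of logins."""
    return [f"{day}T{hour:02d}:{i:02d}:00 {user} login {src}"
            for hour, n in hour_counts.items() for i in range(n)]


TRAINING_LINES = (_lines("alice", "10.0.0.5", "2019-08-09", {8: 2, 9: 3, 10: 2, 11: 3})
                  + _lines("bob", "10.0.0.7", "2019-08-09", {8: 1, 9: 2, 10: 1, 11: 2}))

OBSERVED_LINES = (_lines("alice", "10.0.0.5", "2019-08-10", {9: 2})
                  + ["2019-08-10T09:30:00 alice login 203.0.113.9"]  # host never seen before
                  + _lines("bob", "10.0.0.7", "2019-08-10", {9: 12})  # burst far above baseline
                  + ["2019-08-10T09:45:00 mallory login 10.0.0.7"])  # no baseline at all


def run_demo():
    """Learn the baseline from the training window and score the observed window."""
    profile = build_profile(parse(TRAINING_LINES))
    return detect(profile, parse(OBSERVED_LINES))


if __name__ == "__main__":
    for user, reason in run_demo():
        print(f"ALERT {user}: {reason}")
```

The three alerts it raises (a never-seen source host, a user with no baseline, and an hourly rate far above the learned mean) are exactly the "significant deviations" the entry refers to; a production detector would tune the threshold per environment and age out the baseline rather than learn it once.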
Annual Loss Expectation (ALE)
The total expected loss divided by the number of years in the forecast period yielding the average annual loss
Alert situation
The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The organization entering into an alert situation initiates a series of escalation steps.
Alternate facilities
Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed. This includes other buildings, offices or data processing centers.
Alternate process
Automatic or manual processes designed and established to continue critical business processes from point-of-failure to return-to-normal
Anonymous File Transfer Protocol (AFTP)
A method of downloading public files using the File Transfer Protocol (FTP). AFTP does not require users to identify themselves before accessing files from a particular server. In general, users enter the word "anonymous" when the host prompts for a username. Anything can be entered for the password, such as the user's e-mail address or simply the word "guest." In many cases, an AFTP site will not prompt a user for a name and password.
Antivirus software
Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done, and repair or quarantine files that have already been infected
Application Programming Interface (API)
An application programming interface (API) is a source code-based specification intended to be used as an interface by software components to communicate with each other.
Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved
Application layers
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. The application layer is not the application that is doing the communication; it is a service layer that provides these services.
Application service provider (ASP)
Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility. The applications are delivered over networks on a subscription basis.
Architecture
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization's objectives
ARP (see also RARP)
ARP defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer address on demand.
Assurance
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
Assurance Process Integration
Integration of organizational assurance processes to achieve greater efficiencies and counter typical silo effects.
Asymmetric encryption
A cryptographic key that may be widely published and is used to enable the operation of an asymmetric cryptography scheme. This key is mathematically linked with a corresponding private key. Typically, a public key can be used to encrypt, but not decrypt, or to validate a signature, but not to sign.
Attack Signature
A specific sequence of events indicative of an unauthorized access attempt. Typically a characteristic byte pattern used in malicious code or an indicator, or set of indicators, that allows the identification of malicious network activities.
Attributes
The fundamental characteristics of something
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures
Audit Review
The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.
Audit trail
A series of records either in hard copy or in electronic format that provide a chronological record of user activity and other events that show the details of user and system activity. Audit trails can be used to document when users log in, how long they are engaged in various activities, what they were doing, and whether any actual or attempted security violations occurred.
Authentication
The act of verifying the identity of an entity (e.g., a user, a system, a network node)
Authorization
Access privileges granted to a user, program, or process or the act of granting those privileges
Automated
mining, complex event processing, business performance management, benchmarking, text mining and predictive analytics. Business intelligence aims to support better business decision-making. Thus a BI system can be called a decision support system (DSS)
Business impact assessment (BIA)
An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Bastion Host
A special-purpose computer on a network specifically designed and configured to withstand attacks.
Business continuity management (BCM)
Benchmarking
A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistical efficiency and various other metrics.
Business Impact Assessment (BIA)
An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Biometric
A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
Bit-stream image
Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media. Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.
Bit copy
A bit copy provides an exact image of the original and is a requirement for legally justifiable forensics
Bit
The smallest unit of information storage; a contraction of the term "binary digit;" one of two symbols, "0" (zero) and "1" (one), that are used to represent binary numbers.
Blacklisting
The process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.
Botnet
A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack.
Boundary
Physical or logical perimeter of a system
Brute force attack
Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found
Business case
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business dependency assessment
A process of identifying resources critical to the operation of a business process
Business impact analysis/assessment (BIA)
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting system. This process also includes addressing: income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence.
Business Model for Information Security (BMIS)
BMIS is a business-oriented model for managing information security utilizing systems thinking to clarify complex relationships within an enterprise. The four elements and six dynamic interconnections form the basis of a three dimensional model that establish the boundaries of an information security program and models how the program functions and reacts to internal and external change. BMIS provides the context for frameworks such as
sually holds one character of information and usually means eight bits.
name or key space it represents.
the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited.
not directly intercept the password itself, but the eavesdropper may be able to find the password with an off-line password guessing attack.
the chief knowledge officer (CKO)
security program, and ensuring appropriate confidentiality, integrity and availability of information assets.
there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.
or a
Data
Data leak protection (DLP)
A suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure
Data normalization
A structured process for organizing data into tables in a common form in such a way that it preserves the relationships among the data
Data warehouse
A generic term for a system that stores, retrieves and manages large volumes of data. Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches, as well as advanced filtering.
Decentralization
The process of distributing computer processing to different locations within an organization
Decryption
Decryption is the process of transforming an encrypted message into its original plaintext.
Decryption key
A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption
Defense in depth
The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an organization's computing and information resources.
Degauss
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means: to erase.
Demilitarized zone (DMZ)
A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network. A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.
Denial of service (DOS)
A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users by overloading the system with requests causing it to fail.
Disruption
An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
Digital certificate
An electronic credential issued by a certificate authority (CA)
Digital code signing
The process of digitally signing computer code to ensure its integrity
Disaster declaration
The communication to appropriate internal and external parties that the disaster recovery plan is being put into operation
Disaster notification fee
The fee the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required. The fee is implemented to discourage false disaster notifications.
Disaster recovery plan (DRP)
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Disaster recovery plan desk checking
Typically a read-through of a disaster recovery plan without any real actions taking place. It generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified.
Disaster recovery plan walk-through
Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps they would need to take to recover. As many aspects of the plan should be tested as possible.
Discretionary access control (DAC)
sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
Disk mirroring
The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.
Disk Imaging
Generating a bit-for-bit copy of the original media, including free space and slack space.
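An added example (not the glossary's own) tying together the Bit-stream image, Bit copy and Disk Imaging entries: a constructed "device" holding an allocated file, its slack space and an unallocated area with a deleted remnant is copied sector by sector, the copy is verified against the source by size and SHA-256 digest, and the same check is shown to fail after a single byte of the image is altered. The sector size, the device layout and its contents are assumptions made for the demonstration.

```python
"""Bit-stream (sector-by-sector) image of a constructed 'device', verified
against the source by size and SHA-256 digest.

Added illustration, not glossary code. The sector size, the device layout and
its contents are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size


def build_sample_device():
    """Constructed 8-sector device: one allocated file (sectors 0-2, with slack
    after the data), one unallocated sector holding a deleted remnant, and four
    zeroed sectors. Returns (file contents, raw device bytes)."""
    file_data = b"quarterly report: all figures final\n"
    allocated = file_data.ljust(3 * SECTOR, b"\x00")
    remnant = b"DELETED: draft memo, do not distribute\n".ljust(SECTOR, b"\x00")
    return file_data, allocated + remnant + b"\x00" * (4 * SECTOR)


def sha256_file(path):
    """Streaming SHA-256 of a file, so large images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bit_stream_copy(src_path, dst_path):
    """Copy every sector of the source, allocated or not; returns the byte count copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            dst.write(sector)
            copied += len(sector)
    return copied


def verify_image(src_path, img_path):
    """An image is acceptable only if it matches the source in both size and digest."""
    if os.path.getsize(src_path) != os.path.getsize(img_path):
        return False
    return sha256_file(src_path) == sha256_file(img_path)


def run_demo():
    """Image the sample device, verify it, then show that a one-byte change breaks verification."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "device.bin")
        img = os.path.join(workdir, "device.dd")
        file_data, device = build_sample_device()
        with open(src, "wb") as f:
            f.write(device)

        copied = bit_stream_copy(src, img)
        verified = verify_image(src, img)
        with open(img, "rb") as f:
            image = f.read()
        # A logical copy of the file would miss the remnant; the bit-stream image keeps it.
        logical_copy = device[:len(file_data)]

        # Flip one byte in an unallocated sector: size is unchanged, so only the digest can catch it.
        with open(img, "r+b") as f:
            f.seek(5 * SECTOR)
            f.write(b"X")
        verified_after_tamper = verify_image(src, img)

    return {
        "copied": copied,
        "verified": verified,
        "remnant_in_image": b"DELETED" in image,
        "remnant_in_logical_copy": b"DELETED" in logical_copy,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Recording the source and image digests at acquisition time is what lets the copy later be shown to be "the exact item that was recovered", which is the chain-of-custody point the glossary makes elsewhere; a logical file copy cannot give that assurance because it never contained the slack and unallocated areas.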
Distributed denial of service (DDOS)
A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users by overloading the system with requests from multiple sources (such as a botnet) causing it to fail.
Domain
A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Internet's domain name system, a domain is a name with which name server records are associated that describe sub-domains or host. In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.
Domain name system (DNS)
A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers
Dual control
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource
Due care
The level of care expected from a reasonable person of similar competency under similar conditions
Due diligence
The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis
Dynamic host configuration protocol (DHCP)
system, i.e. from one trading partner to another trading partner without human intervention.
Electronic funds transfer (EFT)
Electronic funds transfer (EFT) is the electronic exchange or transfer of money from one account to another, either within a single financial institution or across multiple institutions, through computer-based systems
Encryption
external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture.
Enterprise Risk Management
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.
Entitlements
Entitlements is the process by which business users manage the data that controls how policies are evaluated at runtime. They can add and delete users for applications and put those users into groups or assign them to roles. They manage sets of actions (permissions) that can be logically grouped for a particular business function. They assign those sets of actions to users or to roles defined for the application.
Ethernet
The most widely installed LAN technology. Specified in a standard, IEEE 802.3, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access.
Event
An event is an observable occurrence in a system or network.
Exposure
The extent of the area exposed to a viable threat, creating a risk; i.e., both a viable threat and a susceptible vulnerability may exist, but the risk is a function of the degree of exposure.
External storage
The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster
Extranet
A private network that uses Web technology, permitting the sharing of portions of an enterprise's information or operations with suppliers, vendors, partners, customers, or other enterprises.
F
Fail Safe
Automatic protection of programs and/or processing systems when hardware or software failure is detected.
Failover
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.
Fall-through logic
An optimized code based on a branch prediction that predicts which way a program will branch when an application is presented
False Positive
An alert that incorrectly indicates that malicious activity is occurring
False Negative
A lack of or incorrect alert indicating that no malicious activity is occurring
Federal energy regulatory commission (FERC) USA
The Federal Energy Regulatory
Financial security authority (FSA) UK
The Financial Services Authority is the regulator of the financial services industry in the UK.
Firewall
A system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment such as the Internet
Firmware
Forensic examination
The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise
Forensic Specialist
A professional who locates, identifies, collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.
Forensics
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product
G
Generally accepted information security principles (GAISP)
GAISP describes eight pervasive principles and fourteen practices for information security. Each of the principles applies to each of the practices.
Gap analysis
A process used to determine the difference between an existing state and the desired state, and what is required to move from one to the other.
Guideline
A description of a particular way of accomplishing something that is less prescriptive than a procedure
H
Hardening
8/9/2019 Glossary Audit
38/89
Honeypot
A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems
Hot site
A fully operational offsite data processing facility equipped with hardware and system software to be used in the event of a disaster
Hypertext Markup Language (HTML)
The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.
Hypertext Transfer Protocol (HTTP)
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML, XML or other pages to the client browsers.
HTTPS
A secure form of HTTP using encryption
Heating, ventilation and air conditioning (HVAC)
units, showing their alignment with the enterprise's mission and strategic plans.
IA Infrastructure
The underlying security framework that lies beyond an enterprise's defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.
used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
Information communication technologies (ICT)
Incremental Backups
Incremental backups only back up the files that have been modified since the last backup. If dump levels are used, an incremental backup only backs up files changed since the last backup of a lower dump level.
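An added example, not taken from the glossary, that shows the dump-level rule in code: a backup at level N includes every file modified since the most recent backup at a lower level (level 0 being a full backup), and a restore walks back from the newest backup through successively lower levels until it reaches the last full. The Backup record, the epoch-second timestamps and the sample file list are constructed for the illustration.

```python
"""Incremental backups with dump levels: which files a backup at a given
level must include, and which backup sets a restore needs.

Added illustration, not glossary code. Timestamps are constructed epoch
seconds; 'files' maps a path to its last-modified time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    when: int    # time the backup was taken (constructed epoch seconds)
    level: int   # 0 = full; a higher level is incremental relative to lower levels


def reference_time(history, level):
    """Time of the most recent backup at a lower level; 0 means 'include everything'."""
    lower = [b.when for b in history if b.level < level]
    return max(lower) if lower else 0


def files_to_back_up(history, files, level):
    """Paths modified since the reference backup for this level, sorted for a stable manifest."""
    since = reference_time(history, level)
    return sorted(path for path, mtime in files.items() if mtime > since)


def restore_chain(history):
    """Backup sets needed to rebuild the latest state, oldest first.

    Walk back from the newest backup: each step takes the most recent earlier
    backup at a strictly lower level, until the last full (level 0) is reached.
    """
    if not history:
        return []
    current = max(history, key=lambda b: b.when)
    chain = [current]
    while current.level > 0:
        earlier = [b for b in history if b.when < current.when and b.level < current.level]
        if not earlier:
            raise ValueError("restore chain is broken: no lower-level backup before "
                             f"level {current.level} at t={current.when}")
        current = max(earlier, key=lambda b: b.when)
        chain.append(current)
    return list(reversed(chain))


# Constructed sample history: a full at t=0, then level 1 at t=100 and level 2 at t=200.
HISTORY = [Backup(when=0, level=0), Backup(when=100, level=1), Backup(when=200, level=2)]

# Constructed file set with last-modified times.
FILES = {
    "/etc/passwd": 50,
    "/home/a/notes.txt": 150,
    "/home/a/report.doc": 250,
    "/var/log/syslog": 350,
}


if __name__ == "__main__":
    for level in (0, 1, 3):
        print(f"level {level} backup now would include: {files_to_back_up(HISTORY, FILES, level)}")
    print("restore needs:", restore_chain(HISTORY))
```

Note the asymmetry the rule produces: a new level 1 backup after the history above goes all the way back to the full at t=0 (so it also contains what the level 2 set captured), which is why the restore chain afterwards needs only the full and that one level 1 set.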
Information Assurance (IA)
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Synonymous with information security
Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly
Information security program
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Synonymous with Information Assurance (IA)
Information Security Architect
Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.
Integrity
The accuracy, completeness and validity of information
Intellectual Property
Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation, i.e., intangible property of value
Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Internal Rate of Return (IRR)
The internal rate of return on an investment or project is the "annualized effective compounded return rate" or "rate of return" that makes the net present value (NPV as NET*1/(1+IRR)^year) of all cash flows (both positive and negative) from a particular investment equal to zero.
Internal rates of return are commonly used to evaluate the desirability of investments or projects. The higher a project's internal rate of return, the more desirable it is to undertake the project. Assuming all projects require the same amount of up-front investment, the project with the highest IRR would be considered the best and undertaken first.
Internet
A term to describe connecting multiple separate networks together.
Internet
Intrusion detection system (IDS)
An IDS inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack
Intrusion prevention system (IPS)
An IPS inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack and then blocks it at the firewall to prevent damage to information resources.
IP Security (IPSec)
A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets
ISO/IEC 17799
Originally released as part of the British Standard for Information Security in 1999 and then as the
management system. Prior to its adoption by ISO/IEC
ISO/IEC 15504
ISO/IEC 15504 Information technology - Process assessment, also known as SPICE
K
Kerberos
A widely used authentication protocol developed at the Massachusetts Institute of Technology (MIT). In "classic" Kerberos, users share a secret password with a Key Distribution
Keystroke Monitoring
The process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
L
Least Privilege
Least Privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function.
Likelihood of Occurrence
In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.
Lightweight Directory Access Protocol (LDAP)
A software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate Intranet.
Link Encryption
Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing.
Local area network
A local area network (LAN) is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media. The defining characteristics of LANs, in contrast to wide area networks (WANs), include their usually higher data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines
Local Registration Authority (LRA)
A Registration Authority with responsibility for a local community in a PKI-enabled environment.
Logic Bomb
A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
M
MAC Address
A physical address; a numeric value that uniquely identifies that network device from every other device on the planet.
Mail relay server
An e-mail server that relays messages so that neither the sender nor the recipient is a local user.
Malicious
Man-in-the-middle Attack (MitM)
An attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them.
Masqueraders
Attackers that penetrate systems by using the identity of legitimate users and their login credentials.
Maximum tolerable outages (MTO)
Maximum time the organization can support processing in alternate mode.
Message Authentication
Mobile site
The use of a mobile/temporary facility to serve as a business resumption location. They can usually be delivered to any site and can house information technology and staff.
Monitoring policy
Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted.
Multipurpose internet mail extension (MIME)
A specification for formatting non-ASCII
over the Internet. Many e-mail clients now support MIME, which enables them to send and receive graphics, audio, and video files via the Internet mail system. In addition, MIME supports messages in character sets other than ASCII.
Need-To-Know
A method of isolating information resources based on a user's need to have access to that resource in order to perform their job but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes.
Net present value (NPV)
The discounted value of an investment's cash inflows minus the discounted value of its cash outflows. To be adequately profitable, an investment should have a net present value greater than zero.
Network address translation (NAT)
Basic NATs are used when there is a requirement to interconnect two IP networks with incompatible addressing. However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as TCP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back.
Network based intrusion detection (NIDs)
Network based intrusion detection provides broader coverage than host based approaches but functions in the same manner, detecting attacks using either an anomaly based or signature based approach or both.
Nonce
A value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
Nonintrusive monitoring
The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities.
Nonrepudiation
The assurance that a party cannot later deny originating data; that is, it is the provision of proof of the integrity and origin of the data and can be verified by a third party. A digital signature can provide nonrepudiation.
O
Organization for Economic
user or program is at a computer equipped with these seven layers of function. So, in a given message between users, there will be a flow of data through each layer at one end down through the layers in that computer and, at the other end, when the message arrives, another flow of data up through the layers in the receiving computer and ultimately to the end user or program. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as your Web browser), T
• Layer 4: The transport layer...This layer manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer.
• Layer 3: The network layer...This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding.
• Layer 2: The data-link layer...This layer provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management.
• Layer 1: The physical layer...This layer conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.
Operations Security (OPSEC)
P
Packet
A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.
Packet filtering
Password Sniffing
Passive wiretapping, usually on a local area network, to gain knowledge of passwords.
Patch
A patch is a small update released by a software manufacturer to fix bugs in existing programs.
Patching
Patching is the process of updating software to a different version.
Patch Management
The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.
Passive response
A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action.
Password cracker
A tool that tests the strength of user passwords, searching for passwords that are easy to guess by repeatedly trying words from specially crafted dictionaries and often also by generating thousands (and, in some cases, even millions) of permutations of characters, numbers and symbols.
Payment card industry (PCI)
The term is specifically used to refer to the Payment
directives against which businesses may measure their own payment card security policies, procedures and guidelines.
Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers.
Personally Identifiable Information (PII)
Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Pharming
This is a more sophisticated form of MITM attack. A user's session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website's IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.14) of the website.
URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.
Phishing
The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with.
Port Scanning
Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Plan-do-check-act (PDCA)
to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
Post Office Protocol, Version 3 (POP3)
An Internet Standard protocol by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client.
Protocol
A formal specification for communicating; an IP address; the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection.
Privacy
Freedom from unauthorized intrusion or disclosure of information about individuals.
Private Key
The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data in a PKI.
Privileged Accounts
Individuals who have access to set “access rights” for users on a given system. Sometimes referred to as system or network administrative accounts.
Procedures
A detailed description of the steps necessary to perform specific operations in conformance with applicable standards.
Proxy
A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks, making it more difficult for an attacker to obtain internal addresses and other details of the organization's internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for email.
Proxy server
A server that acts on behalf of a user. Typically proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection to a remote destination on behalf of the user.
Proximity factors
The distance from potential hazards, which can include flooding risk from nearby waterways, hazardous material manufacturing or storage, or other situations that may pose a risk to the operation of a recovery
Public Key
The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data in a PKI.
Public key infrastructure (PKI)
The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.
Q
Quality assurance (QA)
A process for testing to ensure specifications are met.
R
Red Team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Relying Party
An entity that relies upon the subscriber's credentials, typically to process a transaction or grant access to information or a system, typically in a PKI.
Remediation
The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.
Reciprocal agreement
Emergency processing agreements among two or more organizations with similar equipment or applications. Typically, participants promise to provide processing time to each other when an emergency arises.
Recovery action
Execution of a response or task according to a written procedure.
Recovery point objective (RPO)
Determined based on the acceptable data loss in case of a disruption of operations. Indicates the earliest point in time to which it is acceptable to recover data. Effectively quantifies the permissible amount of data loss in case of interruption, i.e., the last point of known good data.
Recovery time objective (RTO)
The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Redundant Array of Inexpensive Disks (RAID)
A technology that provides performance improvements and fault-tolerant capabilities, via hardware or software solutions, by writing to a series of multiple disks to improve performance and save large files simultaneously.
Redundant site
A recovery strategy involving the duplication of key information technology components, including data or other key business processes, whereby fast recovery can take place.
Registration Authority
A trusted entity that establishes and vouches for the identity of a subscriber to a
through a bidding process, to submit a proposal on a specific commodity or service. The RFP process brings structure to the procurement decision and is meant to allow the risks and benefits to be identified clearly up front.
The RFP may dictate to varying degrees the exact structure and format of the supplier's response. Effective RFPs typically reflect the strategy and short/long-term business objectives, providing detailed insight upon which suppliers will be able to offer a matching perspective.
Replay Attacks
An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
Residual risk
The remaining risk after management has implemented risk response.
Resilience
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect.
Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered.
Return on security investment (ROSI)
An estimate of return on security investment based on how much will be saved by reduced losses divided by the investment.
Risk
The combination of the probability of an event and its consequence (ISO/IEC 73). Risk has traditionally been expressed as Threats x Vulnerabilities = Risk.
Risk assessment
A process used to identify and evaluate risk and potential effects. Risk assessment includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
Risk avoidance
The process for systematically avoiding risk, constituting one approach to managing risk.
Risk mitigation
The management and reduction of risk through the use of countermeasures and controls.
Risk Tolerance
The acceptable level of deviation from acceptable risk.
Risk transfer
The process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service.
Robustness
The extent of the ability of systems to withstand attack; system strength. The ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.
Role Based Access
Secure Hash Algorithm (SHA)
A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
Security Attribute
A security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers.
perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.
• Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.
• Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
• Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
• Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.
Security Posture
The security status of an enterprise's networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Sensitivity
A measure of the impact that improper disclosure of information may have on an organization.
Separation of Duties
Separation of duties is the principle of splitting privileges among multiple individuals or systems to reduce risk of fraud or other malfeasance.
Session Key
In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.
Service delivery objective (SDO)
Directly related to business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Service level agreement (SLA)
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.
Shell programming
A shell script is a script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a Unix shell, while
Skimming
The unauthorized use of a reader to read tags without the authorization or knowledge of the tag's owner or the individual in possession of the tag.
Smart
Secure shell (SSH)
Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
Secure sockets layer (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.
Security steering group (SSG)
The SSG is generally charged with incident management and response organization and oversight.
Single sign-on (SSO)
SSO is a process to allow access to numerous systems using one set of authentication credentials.
Spyware
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
Structured query language (SQL)
Structured Query Language is a programming language designed for managing data in relational database management systems.
Standard
An internal mandatory requirement defining allowable boundaries of people, processes and technologies, or a specification approved by a recognized external standards organization, such as ISO.
Standard operation procedure (SOP)
An SOP is a written document or instruction detailing all steps and activities of a process or procedure. ISO 9001 essentially requires the documentation of all procedures used in any manufacturing process that could affect the quality of the product or service.
Steganography
The art and science of communicating in a way that hides the existence of the communication. For example, a secret document can be hidden inside another graphic image file, audio file, or other file format.
Supervisory control and data acquisition (SCADA)
Usually shared rather than dedicated.
Supply
System development life cycle (SDLC)
Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A potential cause of an unwanted incident. (ISO/IEC 13335)
Threat agent
Methods and things used to exploit a vulnerability. Examples include determination, capability, motive and resources.
Threat analysis
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against information assets and information technology. The threat analysis usually also defines the level of threat and the likelihood of it materializing.
Threat event
Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm.
Threat Assessment
A threat assessment is the identification of types of threats that an organization might be exposed to.
Threat Model
A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.
Threat Vector
The method a threat uses to get to the target.
Transport Layer Security (TLS)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.
Token
Something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant's identity.
Token-Based Access
Transmission control protocol (TCP)
Tunneling
Technology enabling one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.
U
Unauthorized Access
A person gains logical or physical access without permission to a network, system, application, data, or other IT resource. Any access that violates the stated security policy.
Unauthorized Disclosure
An event involving the exposure of information to entities not authorized access to the information.
Uniform Resource Locator (URL)
The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located. For example, http://www.pcwebopedia.com/index.html.
Unix
A popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Unix was designed to be a small, flexible system used exclusively by programmers.
User datagram protocol (UDP)
The User Datagram Protocol (UDP) is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths.
Uninterruptable power supply (UPS)
UPS is typically battery power converted to standard AC operating current using an inverter. It is designed to automatically supply power in the event the primary source fails.
V
Validation
The process of demonstrating that the system under consideration meets in all respects the specification of that system.
Value at risk (VAR)
VAR computes the probability of the maximum loss at a 95 or 99% certainty over a defined period based on historical information and exercising all the variables using Monte
Virus signature files
The file of virus patterns that are compared with existing files to determine if they are infected with a virus or worm.
Voice over IP (VOIP)
Voice over IP (VoIP) commonly refers to the communication protocols, technologies, methodologies, and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.
Vulnerability
A weakness in the design, implementation, operation or internal controls in a process that could be exploited to violate system security.
Vulnerability analysis
Process of identifying and classifying vulnerabilities.
W
Warm site
A warm site is similar to a hot site; however, a warm site is not fully equipped with all necessary hardware needed for recovery.
Web hosting
The business of providing the equipment and services required to host and maintain files for one or more web sites, and provide fast Internet connections to those sites. Most hosting is “shared,” which means that websites of multiple companies are on the same server to share/reduce costs.
Web server
Using the client-server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), a Web server is a software program that serves web pages to users.
Wide area network (WAN)
A Wide Area Network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries).
Wiki
Web applications or similar tools that allow identifiable users to add content (as in an Internet forum) and allow anyone to edit that content collectively.
Wired Equivalent Privacy (WEP)
A security protocol, specified in the IEEE 802.11 standard, that is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is no longer considered a viable encryption mechanism due to known weaknesses.
Wireless Access Point (WAP)
A device that acts as a conduit to connect wireless communication devices together to allow them to communicate and create a wireless network.
Worm
A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' actions.
Wi-Fi Protected Access 2 (WPA2)
The follow-on security method to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. Based on the ratified IEEE 802.11i standard, WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1X-based authentication.
Acronyms
Acronym  Description
FIPS  Federal Information Processing Standards (USA)
FISMA  Federal Information Security Management Act (USA)
FSA  Financial Security Authority (USA)
GAISP  Generally Accepted Information Security Principles
GAS  Generalized audit software
GASSP  Generally Accepted Security System Principles
GLBA  Gramm-Leach-Bliley Act (USA)
GMI  Governance Metrics International
HD-DVD  High definition/high density-digital video disc
HIDS  Host-based intrusion detection system
HIPAA  Health Insurance Portability and Accountability Act (USA)
HIPO  Hierarchy Input-Process-Output
HR  Human resources
HTTP  Hypertext Transfer Protocol
HTTPS  Secure Hypertext Transfer Protocol
HVAC  Heating, ventilating and air conditioning
I&A  Identification and Authentication
I/O  Input/output
I
ISSA  Information System Security Association
ISSEA  International System Security Engineering Association
ITGI  IT Governance Institute
SMF  System management facility
SOP  Standard operating procedure
SPI  Security Parameter Index
SPI
SQL  Structured Query Language
SSG  Security steering group
SSH  Secure Shell
SSL  Secure Sockets Layer
SSO  Single sign-on
USB  Universal Serial Bus
VAR  Value at risk
VoIP  Voice-over IP
VPN  Virtual private network
WAN  Wide area network
XBRL  Extensible Business Reporting Language