Term:
Definition: Reliable and timely access to data and resources is provided to authorized individuals.

Term:
Definition: Accuracy and reliability of the information and systems are provided, and any unauthorized modification is prevented.

Term:
Definition: The necessary level of secrecy is enforced and unauthorized disclosure is prevented.

Term:
Definition: Viewing information in an unauthorized manner by looking over the shoulder of someone else.

Term:
Definition: Gaining unauthorized access by tricking someone into divulging sensitive information.

Term:
Definition: Weakness or lack of a countermeasure.

Term:
Definition: Entity that can exploit a vulnerability.

Term:
Definition: The danger of a threat agent exploiting a vulnerability.

Term:
Definition: The probability of a threat agent exploiting a vulnerability, and the associated impact.

Term:
Definition: Safeguard that is put in place to reduce a risk; also called a countermeasure.

Term:
Definition: Presence of a vulnerability, which exposes the organization to a threat.
Term: Security through obscurity
Definition: Relying on the secrecy or complexity of an item as its security, instead of following sound security practices.

Term:
Definition: Industry-recognized best practices for the development and management of an information security management system.

Term:
Definition: Enterprise architecture framework, developed by John Zachman, used to define and understand a business environment.

Term:
Definition: The Open Group Architecture Framework. Enterprise architecture framework, developed by The Open Group, used to define and understand a business environment.

Term:
Definition: Sherwood Applied Business Security Architecture. Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.

Term:
Definition: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.

Term:
Definition: Architecture framework, developed by the British Ministry of Defence, used mainly in military support missions.
Term:
Definition: Set of control objectives used as a framework for IT governance, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

Term:
Definition: Set of controls, developed by NIST, used to secure U.S. federal systems.

Term:
Definition: Internal control model used for corporate governance to help prevent fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

Term:
Definition: Best practices for information technology service management processes, developed by the United Kingdom's Office of Government Commerce.

Term:
Definition: Business management strategy, developed by Motorola, with the goal of improving business processes.

Term:
Definition: Risk Management Guide for Information Technology Systems. A U.S. federal standard that is focused on IT risks.

Term: Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Definition: Team-oriented approach that assesses organizational and IT risks through facilitated workshops.
Term:
Definition: Australia and New Zealand business risk management assessment approach.

Term:
Definition: International standard for the implementation of a risk management program that integrates into an information security management system (ISMS).

Term: Failure Modes and Effect Analysis
Definition: Approach that dissects a component into its basic functions to identify flaws and those flaws' effects.

Term:
Definition: Approach to map specific flaws to root causes in complex systems.

Term:
Definition: Central Computing and Telecommunications Agency Risk Analysis and Management Method.

Term: Quantitative risk analysis
Definition: Assigning monetary and numeric values to all the data elements of a risk assessment.

Term: Qualitative risk analysis
Definition: Opinion-based method of analyzing risk with the use of scenarios and ratings.
Term:
Definition: One instance of an expected loss if a specific vulnerability is exploited, and how it affects a single asset. Asset Value × Exposure Factor = SLE.

Term: Annualized loss expectancy
Definition: Annual expected loss if a specific vulnerability is exploited, and how it affects a single asset. SLE × ARO = ALE.

Term:
Definition: Assigning confidence level values to data elements.

Term:
Definition: Data collection method that happens in an anonymous fashion.

Term:
Definition: Calculating the value of a control. (ALE before implementing a control) – (ALE after implementing a control) – (annual cost of control) = value of control.

Term: Functionality versus effectiveness of control
Definition: Functionality is what a control does, and its effectiveness is how well the control does it.

Term:
Definition: Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.

Term:
Definition: Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.
Term:
Definition: Accept, transfer, mitigate, avoid.

Term:
Definition: High-level document that outlines senior management's security directives.

Term:
Definition: Organizational (master), issue-specific, system-specific.

Term: Policy functionality types
Definition: Regulatory, advisory, informative.

Term:
Definition: Compulsory rules that support the security policies.

Term:
Definition: Suggestions and best practices.

Term:
Definition: Step-by-step implementation instructions.
Term:
Definition: Individual responsible for the protection and classification of a specific data set.

Term:
Definition: Individual responsible for implementing and maintaining the security controls that meet the security requirements outlined by the data owner.

Term:
Definition: Preventive administrative control used to ensure one person cannot carry out a critical task alone.

Term:
Definition: Two or more people working together to carry out fraudulent activities.

Term:
Definition: Employees are moved into different roles so that they may detect suspicious activity carried out by the previous holder of that position. Detective administrative control used to uncover potential fraudulent activities.

Term:
Definition: Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.

Term:
Definition: This means it provides a structure for individual architectures to be built from.

Term:
Definition: This means it provides the processes to follow to build and maintain this architecture.