Term
Acceptable use policies (AUPs) |
|
Definition
Formal written policies that describe proper and unacceptable behavior when using computer and network systems. For example, an acceptable use policy may set rules on what type of Web site browsing is permitted or if personal e-mails over the Internet are allowed. |
|
|
Term
|
Definition
A state of indifference, or the suppression of emotions such as concern, excitement, motivation and passion. |
|
|
Term
|
Definition
An individual accountable for assessing the design and effectiveness of security policies. Auditors may be internal or external to an organization. |
|
|
Term
|
Definition
The process of determining the identity of an individual or device. |
|
|
Term
|
Definition
A security control that stops behavior immediately and does not rely on human decisions. |
|
|
Term
|
Definition
Ensuring accessibility of information to authorized users when required. |
|
|
Term
|
Definition
A confirmed event that compromises the confidentiality, integrity, or availability of information. |
|
|
Term
Chief privacy officer (CPO) |
|
Definition
Most senior leader responsible for managing risks related to data privacy. |
|
|
Term
|
Definition
The ability to reasonably ensure conformity and adherence to organization policies, standards, procedures, laws, and regulations. |
|
|
Term
|
Definition
An individual accountable for monitoring adherence to laws and regulations. |
|
|
Term
|
Definition
Limiting access to information/data to authorized users only. |
|
|
Term
Confidentiality agreement (CA) |
|
Definition
Legally binding agreements on the handling and disclosure of company material. |
|
|
Term
|
Definition
Established rules on how consumers and their information should be handled during an e-commerce transaction. |
|
|
Term
|
Definition
An ongoing, systematic effort to improve business products, services, or processes. |
|
|
Term
|
Definition
A security control that restores a system or process. |
|
|
Term
|
Definition
The state of data stored on any type of media. |
|
|
Term
|
Definition
Level of protection based on data type. |
|
|
Term
|
Definition
An individual responsible for the day-to-day maintenance of data and for the quality of that data. A data custodian may perform backups and recover data as needed, and grants access based on approval from the data owner. |
|
|
Term
|
Definition
When data is encrypted, the actual information can be viewed only after the data is decrypted. |
|
|
Term
|
Definition
The state of data when traveling over or through a network. |
|
|
Term
Data Loss Prevention (DLP) |
|
Definition
A formal program that reduces the likelihood of accidental or malicious loss of data. The abbreviation may also stand for "Data Leakage Protection." |
|
|
Term
|
Definition
An individual who establishes procedures on how data should be handled. |
|
|
Term
|
Definition
An individual who approves user access rights to information that is needed to perform day-today operations. |
|
|
Term
|
Definition
The laws that set expectations on how personal information should be protected and the limits placed on how that data may be shared. |
|
|
Term
|
Definition
The end user of an application. A data user is accountable for handling data appropriately by understanding security policies and following approved processes and procedures. |
|
|
Term
|
Definition
The approach of using multiple layers of security so that no single control becomes a single point of failure; if one layer is bypassed or fails, another still protects the asset. |
|
|
Term
|
Definition
A term taken from the military, where it means a buffer zone between two opposing forces. In networking, it is the segment that sits between the public Internet and a private local area network (LAN). A DMZ is built to protect the private LAN from the Internet by placing externally reachable systems in the buffer segment, separated from both sides by firewalls and routers. |
|
|
Term
|
Definition
A manual security control that identifies a behavior after it has happened. |
|
|
Term
|
Definition
These are any digital materials owned by an organization including text, graphics, audio, video and animations. |
|
|
Term
|
Definition
in the context of workstation central management systems, refers to processes that determine what is installed on a workstation. It could also refer to knowing what information sits on a workstation. |
|
|
Term
|
Definition
A logical piece of the technology infrastructure with similar risks and business requirements. |
|
|
Term
|
Definition
A policy that defines what is acceptable when using the company e-mail system. |
|
|
Term
|
Definition
A person with enthusiasm for a cause or project. An evangelist often gains acceptance for a project from a wide audience. |
|
|
Term
|
Definition
Information that supports a conclusion; material presented to a regulator to show compliance. |
|
|
Term
|
Definition
A deviation from a centrally supported and approved IT security standard. |
|
|
Term
|
Definition
A senior business leader accountable for approving security policy implementation, driving the security message within an organization, and ensuring that policies are given appropriate priority |
|
|
Term
|
Definition
A device that filters the traffic in and out of a local area network (LAN). |
|
|
Term
|
Definition
A network with little or no controls that limit network traffic. |
|
|
Term
|
Definition
The concept that an individual should know what information about them is being collected. |
|
|
Term
|
Definition
The act of managing implementation and compliance with organizational policies. |
|
|
Term
|
Definition
Recommended parameters within which a policy, standard, or procedure should be applied when possible; unlike a standard, following a guideline is optional. |
|
|
Term
|
Definition
In the context of workstation central management systems, provides support to the end user. |
|
|
Term
|
Definition
Used to connect multiple devices within a local area network (LAN). A hub has ports, and as traffic flows through the device it is repeated to every port, so all connected devices can see all of the traffic. You use a hub to connect computers or segments. |
|
|
Term
|
Definition
The implementation of controls designed to ensure confidentiality, integrity, availability, and non-repudiation. |
|
|
Term
Information security officer (ISO) |
|
Definition
An individual accountable for identifying, developing, and implementing security policies and corresponding security controls. |
|
|
Term
Information security program charter |
|
Definition
A capstone document that establishes the reporting lines and delegation of responsibilities for information security to management below the organization's chief executive officer (CEO) or other executive leader. |
|
|
Term
Information security risk assessment |
|
Definition
A formal process to identify threats, potential attacks, and impacts to an organization. |
|
|
Term
Information systems security management life cycle |
|
Definition
The five-phase management process of controlling the planning, implementation, evaluation, and maintenance of information systems security. |
|
|
Term
Information Technology Infrastructure Library (ITIL) |
|
Definition
A framework that contains a comprehensive list of concepts, practices, and processes for managing IT services. |
|
|
Term
|
Definition
The act of ensuring that information has not been improperly changed. |
|
|
Term
Intellectual property (IP) |
|
Definition
Any product of human intellect that is unique and not obvious with some value in the marketplace. |
|
|
Term
|
Definition
Software that blocks access to specific sites on the Internet. |
|
|
Term
|
Definition
In the context of workstation central management systems, refers to tracking what workstation and related network devices exist. This usually takes place whenever a workstation connects to the local area network (LAN). |
|
|
Term
|
Definition
Information security standards published by the ISO and by the International Electrotechnical Commission (IEC). ISO/IEC 27002, for example, provides best practice recommendations on information security management for those who are responsible for initiating, implementing, or maintaining an information security management system. |
|
|
Term
|
Definition
A standard that focuses on areas of current relevance and concern to an organization. Such standards are used to express security control requirements, typically for nontechnical processes and are used to guide human behavior. |
|
|
Term
|
Definition
A logical structure that is established to organize policy documentation into groupings and categories that make it easier for employees to find and understand the contents of various policy documents. Policy frameworks can also be used to help in the planning and development of the policies for an organization. |
|
|
Term
|
Definition
This domain refers to the organization’s local area network (LAN) infrastructure. A LAN allows two or more computers to be connected within a small area. The small area could be a home, office, or group of buildings. |
|
|
Term
|
Definition
This domain refers to the technical infrastructure that connects the organization’s local area network (LAN) to a wide area network (WAN), such as the Internet. This allows end users to surf the Internet. |
|
|
Term
|
Definition
In the context of workstation central management systems, refers to extracting logs from the workstation. Typically, moving the logs to a central repository. Later these logs are scanned to look for security weakness or patterns of problems. |
|
|
Term
|
Definition
A security control that does not stop behavior immediately and relies on human decisions. |
|
|
Term
|
Definition
A principle that restricts information access to only those users with an approved and valid requirement. |
|
|
Term
|
Definition
A publication of the U.S. National Institute of Standards and Technology (NIST), titled "Recommended Security Controls for Federal Information Systems and Organizations." |
|
|
Term
Non-disclosure agreement (NDA) |
|
Definition
Legally binding agreement on the handling and disclosure of company material. This is also known as a confidentiality agreement. |
|
|
Term
|
Definition
The concept of applying technology in a way that an individual cannot deny or dispute that they were part of a transaction. |
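The glossary defines integrity as ensuring information has not been improperly changed, and non-repudiation as applying technology so a party cannot deny taking part in a transaction. The two are easy to conflate, so the added example below (written for this page; it is not code from the original glossary) shows the difference. An HMAC over a record detects tampering, but because sender and receiver share the same key, the receiver could have produced the tag, so it proves nothing to a third party. An Ed25519 signature can be created only by the holder of the private key, which is what non-repudiation requires. The record text and the shared key are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record and TamperedRecord are constructed sample data for this example.
const Record = "transfer id=1042 from=acct-7 to=acct-9 amount=250.00"
const TamperedRecord = "transfer id=1042 from=acct-7 to=acct-9 amount=2500.00"

// IntegrityTag computes an HMAC-SHA256 over data with a key that sender and
// receiver both hold. Any change to data changes the tag.
func IntegrityTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyIntegrity recomputes the tag and compares it in constant time.
func VerifyIntegrity(key, data, tag []byte) bool {
	return hmac.Equal(IntegrityTag(key, data), tag)
}

// NewSigner generates a fresh Ed25519 key pair; only the private key can sign.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return pub, priv
}

// Sign produces a signature that binds the signer's identity to data.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifySignature checks data against sig using only the public key, so a
// verifier can prove to anyone that the private-key holder signed it.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	shared := []byte("constructed-shared-key") // assumption: out-of-band shared secret
	tag := IntegrityTag(shared, []byte(Record))
	fmt.Println("HMAC integrity, original record:", VerifyIntegrity(shared, []byte(Record), tag))
	fmt.Println("HMAC integrity, tampered record:", VerifyIntegrity(shared, []byte(TamperedRecord), tag))
	// The receiver holds the same key, so it can mint a valid tag for any record:
	forged := IntegrityTag(shared, []byte(TamperedRecord))
	fmt.Println("HMAC tag forged by receiver verifies:", VerifyIntegrity(shared, []byte(TamperedRecord), forged))

	pub, priv := NewSigner()
	sig := Sign(priv, []byte(Record))
	fmt.Println("signature, original record:", VerifySignature(pub, []byte(Record), sig))
	fmt.Println("signature, tampered record:", VerifySignature(pub, []byte(TamperedRecord), sig))
}
```

Both mechanisms catch the altered amount. Only the signature lets the receiver show a regulator or auditor that the sender, and no one else, authorized the record, because the receiver never holds the private key.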
|
|
Term
|
Definition
The difference between what policies and procedures state should be done and what is actually performed. |
|
|
Term
|
Definition
The practice of agreeing to the use of personal information beyond its original purpose. An example of opt-in is asking a consumer who just sold his or her home whether the real estate company may share the consumer's information with a moving company. |
|
|
Term
|
Definition
The practice of declining permission to use personal information beyond its original purpose. For example, a consumer who just sold his or her home may decline permission for the real estate company to share his or her information with a moving company. |
|
|
Term
|
Definition
Refers to making sure that devices on the network, such as workstations and servers, have current patches from the vendor. It’s particularly important to apply security patches in a timely way to address known vulnerabilities. |
|
|
Term
Payment Card Industry Data Security Standard (PCI DSS) |
|
Definition
A worldwide information security standard that describes how to protect credit card information. If you accept Visa, MasterCard, or American Express, you are required to follow PCI DSS. |
|
|
Term
|
Definition
In e-commerce, broadly deals with how personal information is handled and what it is used for. |
|
|
Term
Personally identifiable information (PII) |
|
Definition
Sensitive information used to uniquely identify an individual in a way that could potentially be exploited. |
|
|
Term
|
Definition
A document that states how the organization is to perform and conduct business functions and transactions with a desired outcome. |
|
|
Term
|
Definition
A structure for organizing policies, standards, procedures, and guidelines. |
|
|
Term
|
Definition
An automated security control that stops a behavior immediately. |
|
|
Term
|
Definition
Places importance on privacy in the business and discusses the regulatory landscape and government mandates. This policy often talks about physical security and the importance of "locking up" sensitive information. |
|
|
Term
|
Definition
A written statement describing the steps required to implement a process. |
|
|
Term
|
Definition
Any record required by law to be made available to the public. These types of records are made or filed by a governmental entity. |
|
|
Term
|
Definition
This domain refers to the technology that controls how end users connect to an organization's local area network (LAN) from outside it. A typical example is someone needing to connect to the office from his or her home. |
|
|
Term
|
Definition
Enhanced authentication over what's typically found in the office. Usually it requires more than an ID and password, such as a security token or smartcard. |
|
|
Term
|
Definition
The risk that remains after all the controls have been applied. |
|
|
Term
|
Definition
Periodically assess the risk to operations, assets, and people when using information systems or transmitting information. |
|
|
Term
|
Definition
Connects local area networks (LANs) or a LAN and a wide area network (WAN). |
|
|
Term
Security awareness program |
|
Definition
Training about security policies, threats, and handling of digital assets. |
|
|
Term
|
Definition
When related to compliance, it's the mapping of regulatory requirements to policies and controls. |
|
|
Term
|
Definition
Refers to managing security in an organization, usually IT security. This can include making sure end users have limited rights and access controls are in place, among many other techniques and processes. |
|
|
Term
|
Definition
A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements. |
|
|
Term
Security policy compliance |
|
Definition
Adherence to the organization's set of rules with regard to security policies. |
|
|
Term
|
Definition
A network that limits how computers are able to talk to each other. |
|
|
Term
Service level agreement (SLA) |
|
Definition
The portion of a service contract that formally defines the level of service. These agreements are typical in telecommunications contracts for voice and data transmission circuits. |
|
|
Term
|
Definition
A person who buys stock in a company (investor). |
|
|
Term
|
Definition
A network device that can read communications traffic on a local area network (LAN). |
|
|
Term
|
Definition
An established and proven norm or method. This can be a procedural standard or a technical standard implemented organization-wide. |
|
|
Term
|
Definition
A piece of equipment similar to a hub, but one that can filter traffic. You can set up rules that control what traffic can flow where. Unlike a hub, which repeats traffic to all ports, a switch normally forwards a frame only to the port where the destination system is connected. This reduces network traffic and reduces the chance that another system on the segment casually sees the traffic. |
|
|
Term
|
Definition
Rules of conduct on how and when access to systems is permitted. This policy covers end user credentials like IDs and passwords. The policy may also be specific to the business or application, such as the use of role based access control (RBAC). |
|
|
Term
System/Application Domain |
|
Definition
This domain refers to the technology needed to collect, process, and store the information. It includes controls related to hardware and software. |
|
|
Term
|
Definition
A standard that focuses on specific technology or systems being used within an organization. These are used to express the security control implementation requirements for some specific technology. |
|
|
Term
Two-factor authentication |
|
Definition
Requires end users to authenticate their identity using at least two of three different types of credentials. The three most commonly accepted types of credentials are something you know (such as a password), something you have (such as a token or smartcard), and something you are (such as a fingerprint). |
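To make the "something you know" plus "something you have" pairing concrete, here is an added example (written for this page, not code from the original glossary) of a login check that requires both a password and a time-based one-time code of the kind a hardware token or authenticator app produces. The one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP). The account, its password, the salt, and the token secret are constructed sample values; the secret `12345678901234567890` is the test secret published in those RFCs, and a real deployment would hash passwords with a slow password hash rather than the plain salted SHA-256 used here for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then reduction to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238: HOTP with the counter derived from the clock.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Account holds what the server stores: a salted password hash (the
// "something you know" factor) and the token secret (the "something you
// have" factor), plus the last accepted time step to block code replay.
type Account struct {
	salt     []byte
	passHash []byte
	totpKey  []byte
	lastStep int64
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// NewAccount enrolls a user; the salt is a constructed value for the example.
func NewAccount(pw string, totpKey []byte) *Account {
	salt := []byte("constructed-salt-value")
	return &Account{salt: salt, passHash: hashPassword(salt, pw), totpKey: totpKey, lastStep: -1}
}

// Login succeeds only when both factors verify. It always evaluates both so
// that timing does not reveal which factor failed, accepts codes from the
// adjacent 30-second steps to tolerate clock drift, and refuses to accept a
// code for a time step that has already been used.
func (a *Account) Login(pw, code string, now int64) bool {
	passOK := subtle.ConstantTimeCompare(hashPassword(a.salt, pw), a.passHash) == 1
	step := now / 30
	matched := int64(-1)
	for d := int64(-1); d <= 1; d++ {
		want := HOTP(a.totpKey, uint64(step+d), 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			matched = step + d
		}
	}
	if !passOK || matched < 0 || matched <= a.lastStep {
		return false
	}
	a.lastStep = matched
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	acct := NewAccount("correct horse battery", secret)
	code := TOTP(secret, 59, 30, 6) // what the user's token shows at t=59
	fmt.Println("password only:", acct.Login("correct horse battery", "000000", 59))
	fmt.Println("code only:", acct.Login("wrong password", code, 59))
	fmt.Println("both factors:", acct.Login("correct horse battery", code, 59))
	fmt.Println("same code replayed:", acct.Login("correct horse battery", code, 61))
}
```

The replay check matters because a one-time code is only "something you have" if it cannot be captured and reused within its validity window; without the recorded last step, a phished code would work for the attacker for up to a minute.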
|
|
Term
|
Definition
This domain refers to any user accessing information. This includes customers, employees, consultants, contractors, or any other third party. These users are often referred to as "end users." |
|
|
Term
Virtual Private Network (VPN) |
|
Definition
A VPN is set up between two devices to create an encrypted tunnel. Communications inside the tunnel are protected from eavesdropping and tampering while in transit; the protection ends at the tunnel endpoints, so the devices on each end still need their own controls. |
|
|
Term
|
Definition
This domain includes wide area networks (WANs), which are networks that cover large geographical areas. The Internet is an example of a WAN. A private WAN can be built for a specific company to link offices across the country or globally. |
|
|
Term
|
Definition
Alterations to a Web page that result from a Web site defacement attack. Web site graffiti can contain abusive language or even pornographic images. |
|
|
Term
|
Definition
An attack on a Web site in which the site’s content is altered, usually in a way that embarrasses the Web site owner. |
|
|
Term
|
Definition
This domain refers to any computing device used by end users. This usually means a desktop or laptop that is the main computer for the end user. |
|
|