glossary audit

Upload: madunix

Post on 01-Jun-2018

215 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/9/2019 Glossary Audit

    1/89

Glossary

A

Acceptable interruption window
The maximum period of time that a system can be unavailable before compromising the achievement of the business objectives.

Acceptable use policy
A policy that establishes an agreement between users and the organization, and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet.

Access controls
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.

Access path
The logical route that an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.

Access rights
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.

Accountability
The ability to map a given activity or event back to the responsible party.

Action plan
A plan for the steps necessary to navigate the roadmap to achieve objectives.

Ad hoc
An arbitrary approach with no formal plan or process.

Administrative controls
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.

Adware
Any software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Advanced Encryption Standard (AES)
The symmetric block cipher standardized by NIST in FIPS 197 as the international encryption standard that replaced DES.

Algorithm
A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer.

Anomaly-Based Detection
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. This approach is used on some intrusion detection systems.

Annual Loss Expectation (ALE)
The total expected loss divided by the number of years in the forecast period, yielding the average annual loss.

Alert situation
The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The organization entering into an alert situation initiates a series of escalation steps.

Alternate facilities
Locations and infrastructures from which emergency or backup processes are executed when the main premises are unavailable or destroyed. This includes other buildings, offices or data processing centers.

Alternate process
Automatic or manual processes designed and established to continue critical business processes from point-of-failure to return-to-normal.

Anonymous File Transfer Protocol (AFTP)
A method of downloading public files using the File Transfer Protocol (FTP). AFTP does not require users to identify themselves before accessing files from a particular server. In general, users enter the word "anonymous" when the host prompts for a username. Anything can be entered for the password, such as the user's e-mail address or simply the word "guest". In many cases, an AFTP site will not prompt a user for a name and password.

Antivirus software
Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done, and to repair or quarantine files that have already been infected.

Application Programming Interface (API)
An application programming interface (API) is a source code-based specification intended to be used as an interface by software components to communicate with each other.

Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.

Application layer
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. The application layer is not the application that is doing the communication; it is a service layer that provides these services.

Application service provider (ASP)
Also known as a managed service provider (MSP), it deploys, hosts and manages access to a packaged application for multiple parties from a centrally managed facility. The applications are delivered over networks on a subscription basis.

Architecture
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization's objectives.

ARP (see also RARP)
The Address Resolution Protocol defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer (MAC) address on demand. ARP carries no authentication: any host on the segment can answer a request, which is what ARP spoofing exploits.
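The request/reply exchange and the address mapping described in this entry, as an added example that is not part of the glossary: a Python script that builds an ARP request, lets a host answer it only for its own address, parses the reply, and keeps a small IP-to-MAC cache that flags a changed MAC for a known IP, the symptom an ARP-spoofing monitor alerts on. The MAC and IP addresses are made-up test values; framing follows Ethernet II with EtherType 0x0806 and the RFC 826 header layout.

```python
"""ARP request/reply construction and parsing (added example; addresses are made up)."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_FMT = "!6s6sH"            # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"    # HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA (RFC 826)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Return a complete Ethernet frame carrying one ARP packet.

    A request is broadcast (the sender does not yet know the target MAC);
    a reply is unicast back to the requester's MAC.
    """
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    dst = BROADCAST if oper == ARP_REQUEST else mac_bytes(tha)
    return struct.pack(ETH_FMT, dst, mac_bytes(sha), ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    return {"oper": oper,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def answer_request(frame: bytes, my_mac: str, my_ip: str):
    """What a well-behaved host does on receipt: reply only when the request asks for its own IP."""
    req = parse_arp(frame)
    if req["oper"] != ARP_REQUEST or req["tpa"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sha"], req["spa"])


def update_cache(cache: dict, frame: bytes) -> bool:
    """Learn SPA -> SHA from a reply. Returns True when a known IP suddenly maps to a
    different MAC: ARP has no authentication, so this is the signal spoofing monitors watch."""
    reply = parse_arp(frame)
    previous = cache.get(reply["spa"])
    cache[reply["spa"]] = reply["sha"]
    return previous is not None and previous != reply["sha"]


if __name__ == "__main__":
    # Host A (192.0.2.1) asks who has 192.0.2.2; host B answers; A records the mapping.
    request = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1",
                        "00:00:00:00:00:00", "192.0.2.2")
    reply = answer_request(request, "02:00:00:00:00:02", "192.0.2.2")
    cache = {}
    print(parse_arp(reply), "changed:", update_cache(cache, reply))
```

The frame is 14 bytes of Ethernet header plus the 28-byte ARP body; a host that is not the target stays silent, and the cache check is the whole basis of tools that watch for a MAC changing under an IP.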

Assurance
The grounds for confidence that the set of intended security controls in an information system are effective in their application.

Assurance Process Integration
Integration of organizational assurance processes to achieve greater efficiencies and counter typical silo effects.

Asymmetric encryption
A cryptographic scheme built on a pair of mathematically linked keys. The public key may be widely published; the corresponding private key is kept secret by its owner. Typically, the public key can be used to encrypt, but not decrypt, or to validate a signature, but not to sign; the private key performs the inverse operations (decrypt, sign).

Attack Signature
A specific sequence of events indicative of an unauthorized access attempt. Typically a characteristic byte pattern used in malicious code, or an indicator or set of indicators that allows the identification of malicious network activities.

Attributes
The fundamental characteristics of something.

Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures.

Audit Review
The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.

Audit trail
A series of records, either in hard copy or in electronic format, that provide a chronological record of user activity and other events that show the details of user and system activity. Audit trails can be used to document when users log in, how long they are engaged in various activities, what they were doing, and whether any actual or attempted security violations occurred.

Authentication
The act of verifying the identity of an entity (e.g., a user, a system, a network node).

Authorization
Access privileges granted to a user, program or process, or the act of granting those privileges.

Automated

… mining, complex event processing, business performance management, benchmarking, text mining and predictive analytics. Business intelligence aims to support better business decision-making; thus a BI system can be called a decision support system (DSS).

Business impact assessment (BIA)
An analysis of an information system's requirements, functions and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

Bastion Host
A special-purpose computer on a network specifically designed and configured to withstand attacks.

Business continuity management (BCM)

Benchmarking
A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistical efficiency and various other metrics.

Biometric
A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints and iris scan samples are all examples of biometrics.

Bit-stream image
Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media. Such backups exactly replicate all sectors on a given storage device, including all files and ambient data storage areas.

Bit copy
A bit copy provides an exact image of the original and is a requirement for legally justifiable forensics.

Bit
The smallest unit of information storage; a contraction of the term "binary digit"; one of two symbols, "0" (zero) and "1" (one), that are used to represent binary numbers.

Blacklisting
The process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.

Botnet
A large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial of service attack.

Boundary
Physical or logical perimeter of a system.

Brute force attack
Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found.

Business case
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.

Business dependency assessment
A process of identifying resources critical to the operation of a business process.

Business impact analysis/assessment (BIA)
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. This process also includes addressing income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public conf﻿idence.

Business Model for Information Security (BMIS)
BMIS is a business-oriented model for managing information security, utilizing systems thinking to clarify complex relationships within an enterprise. The four elements and six dynamic interconnections form the basis of a three-dimensional model that establishes the boundaries of an information security program and models how the program functions and reacts to internal and external change. BMIS provides the context for frameworks such as …

… usually holds one character of information and usually means eight bits.

… name or key space it represents.

… the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited.

… not directly intercept the password itself, but the eavesdropper may be able to find the password with an off-line password guessing attack.
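Why a captured challenge/response pair is enough, and what the Brute force attack entry means in practice, as an added example that is not part of the glossary: Python in which the eavesdropper records one challenge and the HMAC-SHA256 response derived from the user's PIN, then walks the whole keyspace offline until a guess reproduces the response. The four-digit PIN, the nonce and the response function are assumptions of the example, chosen so the full search finishes in seconds; the arithmetic at the end shows why a slow, salted KDF and a larger keyspace are the real defence.

```python
"""Offline guessing against a captured challenge/response (added example; values are made up)."""
import hashlib
import hmac
import itertools
import string


def response(secret: bytes, challenge: bytes) -> bytes:
    """The protocol's response function as assumed here: HMAC-SHA256 keyed with the user's secret.
    An eavesdropper who records (challenge, response) can evaluate this cheaply for any guess."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def keyspace(alphabet: str, length: int):
    """Enumerate every combination, the way a brute-force attack walks the space."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo).encode()


def offline_guess(challenge: bytes, observed: bytes,
                  alphabet: str = string.digits, length: int = 4):
    """Try every candidate until one reproduces the observed response. Returns (secret, guesses)."""
    guesses = 0
    for candidate in keyspace(alphabet, length):
        guesses += 1
        if hmac.compare_digest(response(candidate, challenge), observed):
            return candidate, guesses
    return None, guesses


def worst_case_seconds(alphabet: str, length: int, seconds_per_guess: float) -> float:
    """Cost of exhausting the space: size of keyspace times the cost of one verification.
    A slow KDF raises seconds_per_guess; a longer or richer secret raises the size."""
    return len(alphabet) ** length * seconds_per_guess


if __name__ == "__main__":
    captured_challenge = b"constructed-nonce-0001"    # what the eavesdropper saw on the wire
    captured_response = response(b"4931", captured_challenge)
    print(offline_guess(captured_challenge, captured_response))
    print("4-digit PIN, 1 us/guess:", worst_case_seconds(string.digits, 4, 1e-6), "s")
    print("8-char alphanumeric, 0.1 s/guess (slow KDF):",
          worst_case_seconds(string.ascii_letters + string.digits, 8, 0.1) / 3.15e7, "years")
```

No further interaction with the server is needed once the pair is captured, so rate limiting on the login path does nothing here; only the size of the space and the per-guess cost matter.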

… the chief knowledge officer (…

… security program, and ensuring appropriate confidentiality, integrity and availability of information assets.

… there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.

Data …

Data leak protection (DLP)
A suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.

Data normalization
A structured process for organizing data into tables in a common form in such a way that it preserves the relationships among the data.

Data warehouse
A generic term for a system that stores, retrieves and manages large volumes of data. Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches, as well as advanced filtering.

Decentralization
The process of distributing computer processing to different locations within an organization.

Decryption
The process of transforming an encrypted message into its original plaintext.

Decryption key
A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption.

Defense in depth
The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an organization's computing and information resources.

Degauss
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means: to erase.

Demilitarized zone (DMZ)
A screened (firewalled) network segment that acts as a buffer zone between a trusted and an untrusted network. A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.

Denial of service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users by overloading the system with requests, causing it to fail.

Disruption
An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).

Digital certificate
An electronic credential issued by a certificate authority (CA) …

Digital code signing
The process of digitally signing computer code to ensure its integrity.

Disaster declaration
The communication to appropriate internal and external parties that the disaster recovery plan is being put into operation.

Disaster notification fee
The fee the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required. The fee is implemented to discourage false disaster notifications.

Disaster recovery plan (DRP)
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

Disaster recovery plan desk checking
Typically a read-through of a disaster recovery plan without any real actions taking place. It generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified.

Disaster recovery plan walk-through
Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps they would need to take to recover. As many aspects of the plan as possible should be tested.

Discretionary access control (DAC)
… sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

Disk mirroring
The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.

Disk Imaging
Generating a bit-for-bit copy of the original media, including free space and slack space.
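The difference between a file-level copy and the bit-for-bit image that the Bit-stream image, Bit copy and Disk Imaging entries describe, together with the integrity check an examiner records for chain of custody, as an added example that is not part of the glossary. It is Python that images a constructed file-backed "device" block by block, hashes source and image to prove they match, and shows that a remnant of a deleted file sitting in free space survives in the image although no file refers to it. The device layout, marker strings and examiner name are made up for the example; on a real system the source would be a block device opened read-only, ideally behind a write blocker.

```python
"""Bit-stream imaging with hash verification (added example; the 'device' is a constructed file)."""
import hashlib
import os
import tempfile
import time

BLOCK = 4096
LIVE_MARKER = b"LIVE:quarterly-report.docx"
DELETED_MARKER = b"DELETED:secret-memo.txt"


def make_sample_device(path: str, size: int = 64 * 1024) -> None:
    """Write a constructed 64 KiB 'disk': one live file region and, in what a file system
    would report as free space, the remnant of a deleted file. Only raw-sector access sees the latter."""
    disk = bytearray(size)
    disk[BLOCK:BLOCK + len(LIVE_MARKER)] = LIVE_MARKER
    disk[40000:40000 + len(DELETED_MARKER)] = DELETED_MARKER
    with open(path, "wb") as f:
        f.write(disk)


def sha256_of(path: str, block: int = BLOCK) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src: str, dst: str, block: int = BLOCK) -> dict:
    """Copy every block of src to dst, hashing the source as it is read, then re-hash the
    finished image: the two digests must match before the image is relied on."""
    h = hashlib.sha256()
    copied = 0
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(block), b""):
            h.update(chunk)
            d.write(chunk)
            copied += len(chunk)
    return {"bytes": copied, "source_sha256": h.hexdigest(), "image_sha256": sha256_of(dst)}


def verify_image(src: str, dst: str) -> bool:
    return os.path.getsize(src) == os.path.getsize(dst) and sha256_of(src) == sha256_of(dst)


def find_marker(path: str, marker: bytes) -> int:
    """Offset of marker in the raw image, or -1. The deleted remnant is found this way."""
    with open(path, "rb") as f:
        return f.read().find(marker)


def custody_record(image_path: str, examiner: str) -> dict:
    """Minimal chain-of-custody entry: who acquired what, when, and the hash that identifies it."""
    return {"examiner": examiner,
            "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "image": os.path.basename(image_path), "sha256": sha256_of(image_path)}


def run_demo(examiner: str = "examiner-1") -> dict:
    """Image a constructed device in a temporary directory and return everything worth checking."""
    with tempfile.TemporaryDirectory() as tmp:
        dev, img = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
        make_sample_device(dev)
        result = image_device(dev, img)
        result["verified"] = verify_image(dev, img)
        result["deleted_at"] = find_marker(img, DELETED_MARKER)
        result["live_at"] = find_marker(img, LIVE_MARKER)
        result["custody"] = custody_record(img, examiner)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The hash taken while reading and the hash of the finished image are computed independently; a mismatch means the copy cannot be used as evidence, which is the check the Bit copy entry's "legally justifiable" phrase turns on.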

Distributed denial of service (DDoS)
A denial-of-service attack (DoS attack) that attempts to make a computer or network resource unavailable to its intended users by overloading the system with requests from multiple sources (such as a botnet), causing it to fail.

Domain
A sphere of knowledge, or a collection of facts about some program entities or a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Internet's domain name system, a domain is a name with which name server records are associated that describe sub-domains or hosts. In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

Domain name system (DNS)
A hierarchical database, distributed across the Internet, that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers.

Dual control
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource.
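One way to enforce dual control in software, added here as an example and not taken from the glossary: split the secret that unlocks the resource (say, a key-encryption key) into shares with Shamir's scheme so that any two of three custodians can reconstruct it and any one custodian alone learns nothing. Pure Python over a prime field; the field prime, threshold and share count are assumptions of the example.

```python
"""Shamir secret sharing as a dual-control mechanism (added example)."""
import secrets

PRIME = 2 ** 127 - 1   # field modulus; secrets must be smaller than this


def split_secret(secret: int, threshold: int, shares: int):
    """Hide secret as the constant term of a random polynomial of degree threshold-1
    and hand out one point per custodian. Fewer than threshold points reveal nothing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 < threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def reconstruct(points) -> int:
    """Lagrange interpolation at x = 0 over the field."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def unlock(presented, threshold: int) -> int:
    """Procedural half of dual control: refuse to even try below the quorum."""
    if len(presented) < threshold:
        raise PermissionError(f"{len(presented)} custodian(s) present, {threshold} required")
    return reconstruct(presented[:threshold])


if __name__ == "__main__":
    kek = secrets.randbelow(PRIME)          # the key-encryption key being protected
    custodians = split_secret(kek, threshold=2, shares=3)
    print("two custodians:", unlock(custodians[:2], 2) == kek)
    print("a different two:", unlock(custodians[1:], 2) == kek)
    try:
        unlock(custodians[:1], 2)
    except PermissionError as e:
        print("one custodian:", e)
```

A single share is one point on a random line and is consistent with every possible secret, so the protection holds mathematically and not only by the quorum check; the check is still there so the software never reconstructs the key without the second person.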

Due care
The level of care expected from a reasonable person of similar competency under similar conditions.

Due diligence
The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis.

Dynamic host configuration protocol (DHCP)

… system, i.e. from one trading partner to another trading partner without human intervention.

Electronic funds transfer (EFT)
The electronic exchange or transfer of money from one account to another, either within a single financial institution or across multiple institutions, through computer-based systems.

Encryption

… external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture.

Enterprise Risk Management
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, and the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.

Entitlements
Entitlement management is the process by which business users manage the data that controls how policies are evaluated at runtime. They can add and delete users for applications and put those users into groups or assign them to roles. They manage sets of actions (permissions) that can be logically grouped for a particular business function. They assign those sets of actions to users or to roles defined for the application.

Ethernet
The most widely installed LAN technology. Specified in the IEEE 802.3 standard, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access.

Event
An observable occurrence in a system or network.

Exposure
The extent of the area exposed to a viable threat, creating a risk; i.e., both a viable threat and a susceptible vulnerability may exist, but the risk is a function of the degree of exposure.

External storage
The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster.

Extranet
A private network that uses Web technology, permitting the sharing of portions of an enterprise's information or operations with suppliers, vendors, partners, customers or other enterprises.

F

Fail Safe
Automatic protection of programs and/or processing systems when hardware or software failure is detected.

Failover
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.

Fall-through logic
Optimized code based on a branch prediction that predicts which way a program will branch when an application is presented.

False Positive
An alert that incorrectly indicates that malicious activity is occurring.

False Negative
A missing or incorrect alert that indicates no malicious activity is occurring when in fact it is.

Federal Energy Regulatory Commission (FERC)
The Federal Energy Regulatory …

Financial Services Authority (FSA) UK
The Financial Services Authority is the regulator of the financial services industry in the UK.

Firewall
A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet.

Firmware

Forensic examination
The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise.

Forensic Specialist
A professional who locates, identifies, collects, analyzes and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.

Forensics
The practice of gathering, retaining and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Full Disk Encryption (FDE)
The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer's operating system, and permitting access to the data only after successful authentication with the full disk encryption product.

G

Generally accepted information security principles (GAISP)
GAISP describes eight pervasive principles and fourteen practices for information security. Each of the principles applies to each of the practices.

Gap analysis
A process used to determine the difference between an existing state and the desired state, and what is required to move from one to the other.

Guideline
A description of a particular way of accomplishing something that is less prescriptive than a procedure.

H

Hardening

Honeypot
A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems.

Hot site
A fully operational offsite data processing facility equipped with hardware and system software to be used in the event of a disaster.

Hypertext Markup Language (HTML)
The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.

Hypertext Transfer Protocol (HTTP)
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML, XML or other pages to the client browsers.

HTTPS
A secure form of HTTP in which the HTTP exchange is carried over TLS (historically SSL), which encrypts the connection and authenticates the server by its certificate.

Heating, ventilation and air conditioning (HVAC)

… units, showing their alignment with the enterprise's mission and strategic plans.

IA Infrastructure
The underlying security framework that lies beyond an enterprise's defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.

I

… used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Information communication technologies (ICT)

Incremental Backups
Incremental backups only back up the files that have been modified since the last backup. If dump levels are used, an incremental backup only backs up files changed since the last backup of a lower dump level.
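The dump-level rule in this entry, worked through as an added example that is not from the glossary: Python that selects which files a level-N backup must copy (those changed since the most recent backup of a lower level), the plainer "since the last backup of any level" rule, and the chain of backups a restore has to replay. File modification times and the backup history are constructed integers standing in for timestamps.

```python
"""Incremental backup selection with dump levels (added example; timestamps are constructed)."""


def select_incremental(files: dict, history: list) -> list:
    """Plain incremental: files modified since the most recent backup of any level."""
    if not history:
        return sorted(files)
    since = max(t for _lvl, t in history)
    return sorted(p for p, mtime in files.items() if mtime > since)


def select_by_level(files: dict, history: list, level: int) -> list:
    """Dump-level incremental: level 0 is a full backup; level N copies everything changed since
    the most recent backup whose level is lower than N (with no such backup it behaves as a full)."""
    lower = [t for lvl, t in history if lvl < level]
    if level == 0 or not lower:
        return sorted(files)
    since = max(lower)
    return sorted(p for p, mtime in files.items() if mtime > since)


def restore_chain(history: list) -> list:
    """Backups to replay, oldest first: the latest backup, then, walking back, each backup of a
    strictly lower level than anything chosen so far, ending at the latest level 0."""
    chain, floor = [], None
    for lvl, t in reversed(history):
        if floor is None or lvl < floor:
            chain.append((lvl, t))
            floor = lvl
            if lvl == 0:
                break
    return list(reversed(chain))


# Constructed data: file -> last-modified "time", and (level, time) of completed backups.
FILES = {"payroll.db": 15, "config.yaml": 25, "audit.log": 45, "readme.txt": 5}
HISTORY = [(0, 10), (5, 20), (5, 30), (3, 40), (5, 50)]

if __name__ == "__main__":
    print("next level 5:", select_by_level(FILES, HISTORY, 5))       # changed since level 3 at t=40
    print("next level 3:", select_by_level(FILES, HISTORY, 3))       # changed since level 0 at t=10
    print("plain incremental:", select_incremental(FILES, HISTORY))  # changed since t=50
    print("restore needs:", restore_chain(HISTORY))
```

The level-3 backup at t=40 makes the two earlier level-5 backups unnecessary for a restore, which is the trade-off dump levels buy: slightly larger intermediate backups for a shorter, less fragile restore chain.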

Information Assurance (IA)
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities. Synonymous with information security.

Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Information security program
The overall combination of technical, operational and procedural measures, and management structures, implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis.

Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. Synonymous with Information Assurance (IA).

Information Security Architect
Individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.

Integrity
The accuracy, completeness and validity of information.

Intellectual Property
Useful artistic, technical and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation; i.e., intangible property of value.

Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Internal Rate of Return (IRR)
The internal rate of return on an investment or project is the "annualized effective compounded return rate" or "rate of return" that makes the net present value of all cash flows (both positive and negative) from a particular investment equal to zero:

    NPV = sum over years of NET_year / (1 + IRR)^year = 0

Internal rates of return are commonly used to evaluate the desirability of investments or projects. The higher a project's internal rate of return, the more desirable it is to undertake the project. Assuming all projects require the same amount of up-front investment, the project with the highest IRR would be considered the best and undertaken first.
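The NPV equation above solved numerically, as an added example that is not part of the glossary: Python that evaluates NPV for a given rate, finds the IRR by bisection on the sign change, and ranks candidate projects by it as the entry describes. The cash flows are made-up figures.

```python
"""IRR by bisection (added example; cash flows are made up)."""


def npv(rate: float, cash_flows) -> float:
    """NPV = sum of NET_year / (1 + rate)^year, with cash_flows[0] the up-front (negative) outlay."""
    return sum(cf / (1.0 + rate) ** year for year, cf in enumerate(cash_flows))


def irr(cash_flows, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Rate at which NPV crosses zero. Bisection needs NPV(lo) and NPV(hi) of opposite sign;
    cash flows with several sign changes can have several IRRs, which this rejects rather than guesses."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no single IRR bracketed in [lo, hi]")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def rank_projects(projects: dict) -> list:
    """Highest IRR first, the ordering the entry describes for equal up-front outlays."""
    return sorted(projects, key=lambda name: irr(projects[name]), reverse=True)


if __name__ == "__main__":
    projects = {"siem": [-100, 40, 40, 40], "edr": [-100, 30, 50, 50], "bonds": [-100, 110]}
    for name in rank_projects(projects):
        print(f"{name:6s} IRR = {irr(projects[name]):.4f}")
```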

     8.

    http://en.wikipedia.org/wiki/Net_present_valuehttp://en.wikipedia.org/wiki/Net_present_valuehttp://en.wikipedia.org/wiki/Net_present_valuehttp://en.wikipedia.org/wiki/Net_present_value

Internet

A term to describe connecting multiple separate networks together.

Internet

Intrusion detection system (IDS)

An IDS inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention system (IPS)

An IPS inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack and then blocks it at the firewall to prevent damage to information resources.

IP Security (IPSec)

A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets

ISO/IEC 17799

Originally released as part of the British Standard for Information Security in 1999 and then as the

management system. Prior to its adoption by ISO/IEC

ISO/IEC 15504

ISO/IEC 15504 Information technology - Process assessment, also known as SPICE

Kerberos

A widely used authentication protocol developed at the Massachusetts Institute of Technology (MIT). In “classic” Kerberos, users share a secret password with a Key Distribution

Keystroke Monitoring

The process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.

L

Least Privilege

Least Privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function.

Likelihood of Occurrence

In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.

Lightweight Directory Access Protocol (LDAP)

A software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate Intranet.

Link Encryption

Link encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing.

Local area network

A local area network (LAN) is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media. The defining characteristics of LANs, in contrast to wide area networks (WANs), include their usually higher data-transfer rates, smaller geographic area, and lack of a need for leased telecommunication lines

Local Registration Authority (LRA)

A Registration Authority with responsibility for a local community in a PKI-enabled environment.

Logic Bomb

A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

M

MAC Address

A physical address; a numeric value that uniquely identifies that network device from every other device on the planet.

Mail relay server

An e-mail server that relays messages so that neither the sender nor the recipient is a local user

Malicious

Man-in-the-middle Attack (MitM)

An attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them.

Masqueraders

Attackers that penetrate systems by using the identity of legitimate users and their login credentials

Maximum tolerable outages (MTO)

Maximum time the organization can support processing in alternate mode

Message Authentication

Mobile site

The use of a mobile/temporary facility to serve as a business resumption location. They can usually be delivered to any site and can house information technology and staff.

Monitoring policy

Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted.

Multipurpose internet mail extension (MIME)

A specification for formatting non-ASCII messages so that they can be sent over the Internet. Many e-mail clients now support MIME, which enables them to send and receive graphics, audio, and video files via the Internet mail system. In addition, MIME supports messages in character sets other than ASCII.

Need-To-Know

A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes.

Net present value (NPV)

The discounted value of an investment’s cash inflows minus the discounted value of its cash outflows. To be adequately profitable, an investment should have a net present value greater than zero

Network address translation (NAT)

Basic NATs are used when there is a requirement to interconnect two IP networks with incompatible addressing. However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as TCP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back
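The one-to-many behaviour described in this entry, as an added example that is not part of the glossary: outgoing packets get the public address and a freshly allocated source port, a translation table remembers the mapping, and an inbound packet that matches no table entry is dropped because it has no unambiguous internal destination. The Packet and PortNAT names and all addresses are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields a NAT rewrites (constructed model, no payload)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortNAT:
    """Hides a private address space behind a single public IP address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private ip, private port, remote ip, remote port) -> allocated public port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outgoing packet and record the translation."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._out.get(key)
        if public_port is None:
            # New flow: allocate the next free public port so two internal hosts
            # using the same private source port stay distinguishable.
            public_port = self._next_port
            self._next_port += 1
            self._out[key] = public_port
            self._in[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a returning packet back to the internal host, or return None
        (drop) when no table entry matches: an unsolicited inbound packet cannot
        be delivered without ambiguity."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def demo() -> dict:
    """Two internal hosts with the same source port talk to the same web server."""
    nat = PortNAT("203.0.113.7")  # constructed public address (documentation range)
    a_out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.20", 443))
    b_out = nat.outbound(Packet("192.168.1.11", 50000, "198.51.100.20", 443))
    # Replies are addressed to the public IP and the allocated ports.
    a_back = nat.inbound(Packet("198.51.100.20", 443, "203.0.113.7", a_out.src_port))
    b_back = nat.inbound(Packet("198.51.100.20", 443, "203.0.113.7", b_out.src_port))
    # A packet nobody inside asked for matches no table entry and is dropped.
    stray = nat.inbound(Packet("198.51.100.99", 22, "203.0.113.7", 40000))
    return {"a_out": a_out, "b_out": b_out, "a_back": a_back, "b_back": b_back, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```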

Network based intrusion detection (NIDS)

Network based intrusion detection provides broader coverage than host based approaches but functions in the same manner, detecting attacks using either an anomaly based or signature based approach or both.

Nonce

A value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
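The two points of this entry in working form, as an added example that is not part of the glossary: a verifier that consumes each challenge on first use, so a captured response replayed later is rejected, and a counter-based challenge that is a valid nonce (never repeated) yet entirely predictable, unlike a random challenge. The Verifier class, the user names and the shared key are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Claimant side: prove possession of the shared key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues challenges and accepts exactly one valid response per challenge."""

    def __init__(self, keys: Dict[str, bytes], random_challenges: bool = True) -> None:
        self._keys = keys
        self._random = random_challenges
        self._counter = 0
        # user -> the single challenge currently awaiting a response
        self._outstanding: Dict[str, bytes] = {}

    def issue_challenge(self, user: str) -> bytes:
        if self._random:
            challenge = secrets.token_bytes(16)   # unpredictable and non-repeating
        else:
            self._counter += 1                    # a nonce, but anyone can guess the next one
            challenge = self._counter.to_bytes(16, "big")
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        live: Optional[bytes] = self._outstanding.get(user)
        if live is None or challenge != live:
            return False                          # no live challenge: stale or replayed
        key = self._keys.get(user)
        ok = key is not None and hmac.compare_digest(compute_response(key, challenge), response)
        if ok:
            del self._outstanding[user]           # consumed: the same pair never works again
        return ok


def replay_demo() -> dict:
    """Genuine login, then the same captured (challenge, response) pair resubmitted."""
    keys = {"alice": b"constructed-shared-secret"}
    v = Verifier(keys)
    chal = v.issue_challenge("alice")
    resp = compute_response(keys["alice"], chal)
    first = v.verify("alice", chal, resp)         # accepted
    replayed = v.verify("alice", chal, resp)      # rejected: challenge already consumed
    # Counter challenges never repeat, so they are nonces, but they are predictable.
    c = Verifier(keys, random_challenges=False)
    n1, n2 = c.issue_challenge("alice"), c.issue_challenge("alice")
    predictable = int.from_bytes(n2, "big") == int.from_bytes(n1, "big") + 1
    return {"first": first, "replayed": replayed, "counter_predictable": predictable}


if __name__ == "__main__":
    print(replay_demo())
```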

Nonintrusive monitoring

The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities

Nonrepudiation

The assurance that a party cannot later deny originating data; that is, it is the provision of proof of the integrity and origin of the data and can be verified by a third party. A digital signature can provide nonrepudiation.

O

Organization for Economic

user or program is at a computer equipped with these seven layers of function. So, in a given message between users, there will be a flow of data through each layer at one end down through the layers in that computer and, at the other end, when the message arrives, another flow of data up through the layers in the receiving computer and ultimately to the end user or program. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as your Web browser), T

• Layer 4: The transport layer...This layer manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer.

• Layer 3: The network layer...This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding.

• Layer 2: The data-link layer...This layer provides synchronization for the physical level and does bit-stuffing for strings of 1’s in excess of 5. It furnishes transmission protocol knowledge and management.

• Layer 1: The physical layer...This layer conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.

Operations Security (OPSEC)

P

Packet

A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.

Packet filtering

Password Sniffing

Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

Patch

A patch is a small update released by a software manufacturer to fix bugs in existing programs.

Patching

Patching is the process of updating software to a different version.

Patch Management

The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.

Passive response

A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action

Password cracker

A tool that tests the strength of user passwords searching for passwords that are easy to guess by repeatedly trying words from specially crafted dictionaries and often also by generating thousands (and, in some cases, even millions) of permutations of characters, numbers and symbols

Payment card industry (PCI)

The term is specifically used to refer to the Payment

directives against which businesses may measure their own payment card security policies, procedures and guidelines

Penetration testing

A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Personally Identifiable Information (PII)

Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Pharming

This is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.14) of the website.

URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.

Phishing

The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with.

Port Scanning

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

Plan-do-check-act (PDCA)

to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.

Post Office Protocol, Version 3 (POP3)

An Internet Standard protocol by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client

Protocol

A formal specification for communicating; an IP address the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection.

Privacy

Freedom from unauthorized intrusion or disclosure of information about individuals

Private Key

The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data in a PKI.

Privileged Accounts

Individuals who have access to set “access rights” for users on a given system. Sometimes referred to as system or network administrative accounts.

Procedures

A detailed description of the steps necessary to perform specific operations in conformance with applicable standards

Proxy

A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for email.

Proxy server

A server that acts on behalf of a user. Typically proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection to a remote destination on behalf of the user.

Proximity factors

The distance from potential hazards, which can include flooding risk from nearby waterways, hazardous material manufacturing or storage, or other situations that may pose a risk to the operation of a recovery

Public Key

The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data in a PKI

Public key infrastructure (PKI)

The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.

Q

Quality assurance (QA)

A process for testing to ensure specifications are met

R

Red Team

A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.

Relying Party

An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system, typically in a PKI.

Remediation

The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.

Reciprocal agreement

Emergency processing agreements among two or more organizations with similar equipment or applications. Typically, participants promise to provide processing time to each other when an emergency arises.

Recovery action

Execution of a response or task according to a written procedure

Recovery point objective (RPO)

Determined based on the acceptable data loss in case of a disruption of operations. Indicates the earliest point in time to which it is acceptable to recover data. Effectively quantifies the permissible amount of data loss in case of interruption, i.e., the last point of known good data

Recovery time objective (RTO)

The amount of time allowed for the recovery of a business function or resource after a disaster occurs

Redundant Array of Inexpensive Disks (RAID)

A technology that provides performance improvements and fault-tolerant capabilities, via hardware or software solutions, by writing to a series of multiple disks to improve performance and save large files simultaneously

Redundant site

A recovery strategy involving the duplication of key information technology components, including data or other key business processes, whereby fast recovery can take place

Registration Authority

A trusted entity that establishes and vouches for the identity of a subscriber to a

through a bidding process, to submit a proposal on a specific commodity or service. The RFP process brings structure to the procurement decision and is meant to allow the risks and benefits to be identified clearly up front.

The RFP may dictate to varying degrees the exact structure and format of the supplier’s response. Effective RFPs typically reflect the strategy and short/long-term business objectives, providing detailed insight upon which suppliers will be able to offer a matching perspective

Replay Attacks

An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

Residual risk

The remaining risk after management has implemented risk response

Resilience

The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Return on investment (ROI)

A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered

Return on security investment (ROSI)

An estimate of return on security investment based on how much will be saved by reduced losses divided by the investment.

Risk

The combination of the probability of an event and its consequence. (ISO/IEC 73). Risk has traditionally been expressed as Threats × Vulnerabilities = Risk.

Risk assessment

A process used to identify and evaluate risk and potential effects. Risk assessment includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Risk avoidance

The process for systematically avoiding risk, constituting one approach to managing risk

Risk mitigation

The management and reduction of risk through the use of countermeasures and controls

Risk Tolerance

The acceptable level of deviation from acceptable risk

Risk transfer

The process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service

Robustness

The extent of the ability of systems to withstand attack; system strength. The ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.

Role Based Access

Secure Hash Algorithm (SHA)

A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.

Security Attribute

A security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers.

perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.

• Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

• Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.

• Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.

• Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.

Security Posture

The security status of an enterprise’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.

Sensitivity

A measure of the impact that improper disclosure of information may have on an organization

Separation of Duties

Separation of duties is the principle of splitting privileges among multiple individuals or systems to reduce risk of fraud or other malfeasance

Session Key

In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.

Service delivery objective (SDO)

Directly related to business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.

Service level agreement (SLA)

An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

Shell programming

A shell script is a script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a Unix shell, while

Skimming

The unauthorized use of a reader to read tags without the authorization or knowledge of the tag’s owner or the individual in possession of the tag.

Smart

Secure shell (SSH)

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.

Secure sockets layer (SSL)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

Security steering group (SSG)

The SSG is generally charged with incident management and response organization and oversight.

Single sign-on (SSO)

SSO is a process to allow access to numerous systems using one set of authentication credentials.

Spyware

Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Structured query language (SQL)

Structured Query Language is a programming language designed for managing data in relational database management systems

Standard

An internal mandatory requirement defining allowable boundaries of people, processes and technologies or a specification approved by a recognized external standards organization, such as ISO

Standard operation procedure (SOP)

An SOP is a written document or instruction detailing all steps and activities of a process or procedure. ISO 9001 essentially requires the documentation of all procedures used in any manufacturing process that could affect the quality of the product or service.

Steganography

The art and science of communicating in a way that hides the existence of the communication. For example, a secret document can be hidden inside another graphic image file, audio file, or other file format.

Supervisory control and data acquisition (SCADA)

usually shared rather than dedicated.

Supply

System development life cycle (SDLC)

Threat

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A potential cause of an unwanted incident. (ISO/IEC 13335)

Threat agent

Methods and things used to exploit a vulnerability. Examples include determination, capability, motive and resources.

Threat analysis

An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against information assets and information technology. The threat analysis usually also defines the level of threat and the likelihood of it materializing.

Threat event

Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Threat Assessment

A threat assessment is the identification of types of threats that an organization might be exposed to.

Threat Model

A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.

Threat Vector

The method a threat uses to get to the target.

Transport Layer Security (TLS)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

Token

Something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant’s identity.

Token-Based Access

Transmission control protocol (TCP)

     Tunneling

     Technology enabling one networ to send its data via another networ’s

    connections" Tunneling wors by encapsulating a networ protocol within

    pacets carried by the second networ"

U

Unauthorized Access
A person gains logical or physical access without permission to a network, system, application, data, or other IT resource. Any access that violates the stated security policy.

Unauthorized Disclosure
An event involving the exposure of information to entities not authorized access to the information.

Uniform Resource Locator (URL)
The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located. For example, http://www.pcwebopedia.com/index.html.

Unix
A popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Unix was designed to be a small, flexible system used exclusively by programmers.

User datagram protocol (UDP)
The User Datagram Protocol (UDP) is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths.

Uninterruptable power supply (UPS)
UPS is typically battery power converted to standard AC operating current using an inverter. It is designed to automatically supply power in the event the primary source fails.

V

Validation
The process of demonstrating that the system under consideration meets in all respects the specification of that system.

Value at risk (VAR)
VAR computes the probability of the maximum loss at a 95 or 99% certainty over a defined period based on historical information and exercising all the variables using Monte

Virus signature files
The file of virus patterns that are compared with existing files to determine if they are infected with a virus or worm

Voice over IP (VOIP)
Voice over IP (VoIP) commonly refers to the communication protocols, technologies, methodologies, and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet

Vulnerability
A weakness in the design, implementation, operation or internal controls in a process that could be exploited to violate system security

Vulnerability analysis
Process of identifying and classifying vulnerabilities

W

Warm site
A warm site is similar to a hot site; however, a warm site is not fully equipped with all necessary hardware needed for recovery.

Web hosting
The business of providing the equipment and services required to host and maintain files for one or more web sites, and provide fast Internet connections to those sites. Most hosting is "shared," which means that websites of multiple companies are on the same server to share/reduce costs.

Web server
Using the client-server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), a Web server is a software program that serves web pages to users.

Wide area network (WAN)
A Wide Area Network (WAN) is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries).

Wiki
Web applications or similar tools that allow identifiable users to add content (as in an Internet forum) and allow anyone to edit that content collectively.

Wired Equivalent Privacy (WEP)
A security protocol, specified in the IEEE 802.11 standard, that is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is no longer considered a viable encryption mechanism due to known weaknesses.

Wireless Access Point (WAP)
A device that acts as a conduit to connect wireless communication devices together to allow them to communicate and create a wireless network.

Worm
A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' actions

Wi-Fi Protected Access 2 (WPA2)
The follow-on security method to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. Based on the ratified IEEE 802.11i standard, WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1X-based authentication

Acronyms

Acronym   Description

AS University

FIPS      Federal Information Processing Standards (USA)
FISMA     Federal Information Security Management Act (USA)
FSA       Financial Security Authority (USA)
GAISP     Generally Accepted Information Security Principles
GAS       Generalized audit software
GASSP     Generally Accepted Security System Principles
GLBA      Gramm-Leach-Bliley Act (USA)
GMI       Governance Metrics International
HD-DVD    High definition/high density-digital video disc
HIDS      Host-based intrusion detection system
HIPAA     Health Insurance Portability and Accountability Act (USA)
HIPO      Hierarchy Input-Process-Output
HR        Human resources
HTTP      Hypertext Transfer Protocol
HTTPS     Secure Hypertext Transfer Protocol
HVAC      Heating, ventilating and air conditioning
I&A       Identification and Authentication
I/O       Input/output
I

ISSA      Information System Security Association
ISSEA     International System Security Engineering Association
ITGI      IT Governance Institute

P

SMF       System management facility
SOP       Standard operating procedure
SPI       Security Parameter Index
SPI

SQL       Structured Query Language
SSG       Security steering group
SSH       Secure Shell
SSL       Secure Sockets Layer
SSO       Single sign-on

T

USB       Universal Serial Bus
VAR       Value at risk
VoIP      Voice-over IP
VPN       Virtual private network
WAN       Wide area network
XBRL      Extensible Business Reporting Language