Chapter - 1

Created by inkool 


access

The ability to use, manipulate, modify or affect an object.

accuracy

An attribute of information in which the data is free of errors and has the value that the user expects.

asset

The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system, or other tangible object.

attack

An act that takes advantage of a vulnerability to compromise a controlled system.

authenticity

A quality or state of information characterized by being genuine or original rather than reproduced or fabricated.

availability

A quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction.

bottom-up approach

A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

C.I.A. triangle

The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

champion

A senior executive who promotes a security project and ensures its support.

chief information officer (CIO)

An executive-level position in which the person is in charge of the organization's computing technology, and strives to create efficiency in the processing and accessing of the organization's information.

chief information security officer (CISO)

This position is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role will report to the chief information officer (CIO).

communications security

Securing information in transit using tools such as cryptographic systems, as well as its associated media and technology.

community of interest

A group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

computer security

A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.

confidentiality

The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.

control

Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.

data custodians

Individuals who are responsible for the storage, maintenance, and protection of information.

data owners

Individuals who determine the level of classification associated with data.

data users

Individuals who work with information to perform their daily jobs supporting the mission of the organization.

e-mail spoofing

The process of sending an e-mail with a modified field. The modified field is often the address of the originator.

end user

Synonymous with data user. An individual who uses computer applications for their daily work.

enterprise information security policy (EISP)

Also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

exploit

A technique used to compromise a system.

exposure

A single instance of a system being open to damage.

file hashing

Method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.

hash value

A fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message.
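The two entries above describe the mechanism but not how a practitioner actually uses it. The following is an added example, not part of the original flashcard set: it hashes a file in chunks, performs the recipient-side comparison against a published hash value, and shows why a plain hash only catches accidental corruption. An attacker who can replace the file can usually replace the published hash too, so the example also shows a keyed hash (HMAC) that the attacker cannot recompute without the key. The sample file contents and the key are constructed for the demonstration; only the Python standard library is used.

```python
"""Added example: file hashing and hash-value verification (stdlib only)."""
import hashlib
import hmac
import os
import tempfile


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hash an in-memory byte string; returns the hash value as lowercase hex."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Read the file in fixed-size chunks so memory use stays flat for large files
    and feed every chunk to the hash algorithm; returns the hash value as hex."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, published_hex: str, algorithm: str = "sha256") -> bool:
    """Recipient-side check: recompute the hash locally and compare it with the
    value the author published. compare_digest is constant-time, which matters
    when an attacker can measure how long the comparison takes."""
    local = hash_file(path, algorithm)
    return hmac.compare_digest(local.lower(), published_hex.strip().lower())


def keyed_hash_file(path: str, key: bytes, chunk_size: int = 65536) -> str:
    """HMAC-SHA256 over the file. Unlike a plain hash, an attacker who swaps the
    file cannot produce a matching tag without knowing the key."""
    mac = hmac.new(key, digestmod="sha256")
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_keyed(path: str, key: bytes, published_tag: str) -> bool:
    """Constant-time comparison of the locally computed HMAC with the published tag."""
    return hmac.compare_digest(keyed_hash_file(path, key), published_tag.lower())


def demo() -> dict:
    """Walk through the sender/recipient flow on constructed sample data and
    return the intermediate results so they can be inspected or asserted on."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: shared out of band
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "message.txt")
        tampered = os.path.join(d, "message-tampered.txt")
        with open(original, "wb") as f:
            f.write(b"abc")  # constructed sample message
        with open(tampered, "wb") as f:
            f.write(b"abd")  # same length, one byte changed

        # Author side: publish the hash value (and, better, a keyed tag).
        published_hash = hash_file(original)
        published_tag = keyed_hash_file(original, key)

        return {
            "published_hash": published_hash,
            "original_verifies": verify_file(original, published_hash),
            "tampered_verifies": verify_file(tampered, published_hash),
            # A plain hash is easy for an attacker to recompute for the tampered file:
            "attacker_can_recompute_plain_hash": hash_file(tampered) == hash_bytes(b"abd"),
            # ...but the keyed tag cannot be forged without the key.
            "original_keyed_verifies": verify_keyed(original, key, published_tag),
            "tampered_keyed_verifies": verify_keyed(tampered, key, published_tag),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it with `python3 hashcheck.py` (any filename). The takeaway the flashcards leave out: a hash value protects integrity only if it reaches the recipient over a channel the attacker cannot alter; otherwise use an HMAC with a shared key, or a digital signature when the parties share no secret.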

information security

The protection of information and the systems and hardware that use, store, and transmit that information.

information system (IS)

The entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.

integrity

The quality or state of being whole, complete, and uncorrupted.

loss

A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.

McCumber Cube

A graphical representation of the architectural approach widely used in computer and information security.

methodology

A formal approach to solving a problem based on a structured sequence of procedures.

network security

The protection of the networks (systems and hardware) that use, store, and transmit an organization's information.

object

A passive entity in an information system that receives or contains information.

object of an attack

The object or entity being attacked.

operations security

A process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations.

organizational culture

The specific social and political atmosphere within a given organization that determines the organization's procedures and policies and its willingness to adapt to change.

personnel security

Protecting the individual or group of individuals who are authorized to access the organization and its operations.

phishing

An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.

physical security

An aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.

possession

The quality or state of having ownership or control of some object or item.

project team

For information security, a group of individuals with experience in the requirements of both technical and nontechnical fields.

risk

The probability that something unwanted will happen.

risk appetite

The quantity and nature of risk that organizations are willing to accept.

risk assessment specialist

An individual who understands financial risk assessment techniques, the value of organizational assets, and security methods.

salami theft

Aggregation of information used with criminal intent.

security

To be protected from adversaries—from those who would do harm, intentionally or otherwise.

security policy developer

An individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies.

security posture

Synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs.

security professional

A specialist in the technical and nontechnical aspects of information security.

subject

An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.

subject of an attack

An agent entity that is used as an active tool to conduct an attack.

systems administrator

An individual responsible for administering information systems.

systems development life cycle (SDLC)

A methodology for the design and implementation of an information system.

team leader

For information security, a project manager who understands project management, personnel management, and technical requirements.

threat

An object, person, or other entity that represents a constant danger to an asset.

threat agent

A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful, for example lightning strikes or hackers.

top-down approach

A methodology of establishing security policies that is initiated by upper management.

utility

The quality or state of having value for an end purpose.

vulnerability

Weakness in a controlled system, where controls are not present or are no longer effective.

waterfall model

A methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.

MULTICS

First operating system created with security as its primary goal.

ARPANET

The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. The predecessor to the Internet.

Phases of SDLC

1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change

Phases of SecSDLC

1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change

Investigation Phase (SDLC)

This phase outlines the scope and goals of the system to be built. It also covers the budget, time frames, and feasibility of the system.

NIST SP 800-12

Presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.

Procedures

Written instructions for accomplishing a specific task.

Rand Report R-609

A study sponsored by the Department of Defense that attempted to define the multiple controls and mechanisms necessary for the protection of multilevel computer systems.

Analysis Phase (SDLC)

Consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.

Logical Design Phase (SDLC)

The information gained from the analysis phase is used to begin creating a solution system for a business problem.

Physical Design Phase (SDLC)

Specific technologies are selected to support the alternatives identified and evaluated in the logical design phase.

Implementation Phase (SDLC)

Any needed software, hardware, or components are purchased, received, and tested.

Maintenance and Change Phase (SDLC)

Longest and most expensive phase.
Consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.

Investigation Phase (SecSDLC)

Begins with a directive from upper management dictating the process, outcomes, and goals of the project, as well as the constraints placed on the activity.

Analysis (SecSDLC)

Documents from the Investigation phase are studied, existing security is examined, threats are documented, and existing controls are assessed.

Logical Design (SecSDLC)

Develops the blueprint for security. Examines and implements key policies. Develops the incident response plan.

Physical Design Phase (SecSDLC)

Technologies are chosen to support the blueprint from the logical design phase. Plan is presented to all involved parties.

Implementation Phase (SecSDLC)

Security solutions are acquired, tested, implemented, and tested again.

Maintenance and Change Phase (SecSDLC)

Longest and most important phase. Adapts the security plan to new and evolving threats to maintain security.

Software (IS Component)

Applications, operating systems, and command utilities. The most difficult component to secure.
