Chapter - 1
The ability to use, manipulate, modify or affect an object.
An attribute of information in which the data is free of errors and has the value that the user expects.
The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system, or other tangible object.
An act that takes advantage of a vulnerability to compromise a controlled system.
A quality or state of information characterized by being genuine or original rather than reproduced or fabricated.
A quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction.
bottom-up approach
A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
C.I.A. triangle
The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
A senior executive who promotes a security project and ensures its support.
chief information officer (CIO)
An executive-level position in which the person is in charge of the organization's computing technology, and strives to create efficiency in the processing and accessing of the organization's information.
chief information security officer (CISO)
This position is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role will report to the chief information officer (CIO).
communications security
Securing information in transit using tools such as cryptographic systems, as well as its associated media and technology.
community of interest
A group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
computer security
A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.
The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.
Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.
data custodians
Individuals who are responsible for the storage, maintenance, and protection of information.
data owners
Individuals who determine the level of classification associated with data.
data users
Individuals who work with information to perform their daily jobs supporting the mission of the organization.
e-mail spoofing
The process of sending an e-mail with a modified field. The modified field is often the address of the originator.
end user
Synonymous with data user. An individual who uses computer applications for his daily work.
enterprise information security policy (EISP)
Also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
A technique used to compromise a system.
A single instance of a system being open to damage.
file hashing
Method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
hash value
A fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message.
information security
The protection of information and the systems and hardware that use, store, and transmit that information.
information system (IS)
The entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
The quality or state of being whole, complete, and uncorrupted.
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
McCumber Cube
A graphical representation of the architectural approach widely used in computer and information security.
A formal approach to solving a problem based on a structured sequence of procedures.
network security
The protection of the networks (systems and hardware) that use, store, and transmit an organization's information.
A passive entity in an information system that receives or contains information.
object of an attack
The object or entity being attacked.
operations security
A process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations.
organizational culture
The specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes.
personnel security
To protect the individual or group of individuals who are authorized to access the organization and its operations.
An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.
physical security
An aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
The quality or state of having ownership or control of some object or item.
project team
For information security, a group of individuals with experience in the requirements of both technical and nontechnical fields.
The probability that something can happen.
risk appetite
The quantity and nature of risk that organizations are willing to accept.
risk assessment specialist
An individual who understands financial risk assessment techniques, the value of organizational assets, and security methods.
salami theft
Aggregation of information used with criminal intent.
To be protected from adversaries—from those who would do harm, intentionally or otherwise.
security policy developer
An individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies.
security posture
Synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs.
security professional
A specialist in the technical and nontechnical aspects of security information.
An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.
subject of an attack
An agent entity that is used as an active tool to conduct an attack.
systems administrator
An individual responsible for administering information systems.
systems development life cycle (SDLC)
A methodology for the design and implementation of an information system.
team leader
For information security, a project manager who understands project management, personnel management, and technical requirements.
An object, person, or other entity that represents a constant danger to an asset.
threat agent
A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful, for example, lightning strikes or hackers.
top-down approach
A methodology of establishing security policies that is initiated by upper management.
The quality or state of having value for an end purpose.
Weakness in a controlled system, where controls are not present or are no longer effective.
waterfall model
A methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.
First operating system created with security as its primary goal.
The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. The predecessor to the Internet.
Phases of SDLC
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change
Phases of SecSDLC
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change
Investigation Phase (SDLC)
This phase is used to outline the scope and goals of implementing a security system. It also covers the budget, time frames, and feasibility of the system.
NIST SP 800-12
Presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
Written instructions for accomplishing a specific task.
Rand Report R-609
A study sponsored by the Department of Defense that attempted to define the multiple controls and mechanisms necessary for the protection of multilevel computer systems.
Analysis Phase (SDLC)
Consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
Logical Design Phase (SDLC)
The information gained from the analysis phase is used to begin creating a solution system for a business problem.
Physical Design Phase (SDLC)
Specific technologies are selected to support the alternatives identified and evaluated in the logical design phase.
Implementation Phase (SDLC)
Any needed software, hardware, or components are purchased, received, and tested.
Maintenance and Change Phase (SDLC)
Longest and most expensive phase.
Consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Investigation Phase (SecSDLC)
Begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as the constraints placed on the activity.
Analysis (SecSDLC)
Documents from the Investigation phase are studied, existing security is examined, threats are documented, and existing controls are assessed.
Logical Design (SecSDLC)
Develops the blueprint for security. Examines and implements key policies. Develops the incident response plan.
Physical Design Phase (SecSDLC)
Technologies are chosen to support the blueprint from the logical design phase. Plan is presented to all involved parties.
Implementation Phase (SecSDLC)
Security solutions are acquired, tested, implemented, and tested again.
Maintenance and Change Phase (SecSDLC)
Longest and most important phase. Adapts the security plan to new and evolving threats to maintain security.
Software (IS Component)
Applications, OS, and command utilities. Most difficult to secure.