An attribute of information in which the data is free of errors and has the value that the user expects.
The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system, or other tangible object.
A quality or state of information characterized by being genuine or original rather than reproduced or fabricated.
A quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction.
A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
chief information officer (CIO)
An executive-level position in which the person is in charge of the organization's computing technology, and strives to create efficiency in the processing and accessing of the organization's information.
chief information security officer (CISO)
This position is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role will report to the chief information officer (CIO).
Securing information in transit using tools such as cryptographic systems, as well as its associated media and technology.
community of interest
A group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.
The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.
Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.
Individuals who are responsible for the storage, maintenance, and protection of information.
Individuals who work with information to perform their daily jobs supporting the mission of the organization.
The process of sending an e-mail with a modified (forged) header field. The modified field is often the address of the originator, so the message appears to come from someone other than its real sender.
Synonymous with data user. An individual who uses computer applications for his daily work.
enterprise information security policy (EISP)
Also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
A method for ensuring information validity, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
A fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message; any mismatch shows the message was altered in transit.
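The two definitions above describe the same check from both ends: the author computes a hash value over the message, and the recipient recomputes it locally and compares. The added example below is illustrative code written for this page, not code from the textbook. It uses SHA-256 over a constructed sample message, shows the comparison catching a corrupted message, and then shows the caveat a practitioner should know: an attacker who can rewrite the message can also rewrite an unkeyed hash, so for protection against deliberate tampering the fingerprint must be keyed (here HMAC-SHA256 with a shared secret, an addition beyond what the glossary entries state).

```python
import hashlib
import hmac
import secrets

# Constructed sample message for this example (not from the page).
MESSAGE = b"Transfer 100 EUR to account 12345"


def fingerprint(data: bytes) -> str:
    """Author side: read every byte and reduce it to one large number (the hash value)."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, expected_hex: str) -> bool:
    """Recipient side: recompute the hash locally and compare it to the one that arrived."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """Keyed fingerprint: HMAC-SHA256, which cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Recipient side of the keyed check, using a constant-time comparison."""
    return hmac.compare_digest(tag(key, data), expected_hex)


def demo() -> dict:
    """Walk through the honest case, accidental corruption, and an active attacker."""
    results = {}

    # 1. Author sends the message plus its hash; the recipient's recomputation matches.
    sent_hash = fingerprint(MESSAGE)
    results["intact"] = verify_fingerprint(MESSAGE, sent_hash)

    # 2. The message changes in transit; the recipient's hash no longer matches.
    corrupted = MESSAGE.replace(b"100", b"900")
    results["corruption_detected"] = not verify_fingerprint(corrupted, sent_hash)

    # 3. Caveat: an attacker who can rewrite the message can also rewrite the unkeyed
    #    hash, so the recipient sees a consistent but forged pair and accepts it.
    results["bare_hash_forged"] = verify_fingerprint(corrupted, fingerprint(corrupted))

    # 4. With a secret key shared out of band, the attacker cannot produce a valid tag.
    key = secrets.token_bytes(32)  # hypothetical shared key for the example
    sent_tag = tag(key, MESSAGE)
    results["hmac_intact"] = verify_tag(key, MESSAGE, sent_tag)
    attacker_tag = tag(b"attacker-guess", corrupted)  # attacker lacks the real key
    results["hmac_forgery_rejected"] = not verify_tag(key, corrupted, attacker_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The unkeyed hash is enough to detect accidental corruption (the glossary's "validity" sense); the keyed variant is what gives the recipient assurance that the message is also authentic, and `hmac.compare_digest` avoids leaking how many leading characters of the tag were correct through timing.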
The protection of information and the systems and hardware that use, store, and transmit that information.
information system (IS)
The entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
A graphical representation of the architectural approach widely used in computer and information security.
The protection of the networks (systems and hardware) that use, store, and transmit an organization's information.
A process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations.
The specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes.
The protection of the individual or group of individuals who are authorized to access the organization and its operations.
An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.
An aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
For information security, a group of individuals with experience in the requirements of both technical and nontechnical fields.
risk assessment specialist
An individual who understands financial risk assessment techniques, the value of organizational assets, and security methods.
security policy developer
An individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies.
Synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs.
A specialist in the technical and nontechnical aspects of information security.
An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.
systems development life cycle (SDLC)
A methodology for the design and implementation of an information system.
For information security, a project manager who understands project management, personnel management, and technical requirements.
A specific instance or component that represents a danger to an organization's assets. Threats can be accidental or purposeful, for example lightning strikes or hackers.
A methodology of establishing security policies that is initiated by upper management.
Weakness in a controlled system, where controls are not present or are no longer effective.
A methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.
The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. The resulting network was the predecessor to the Internet.
Phases of SDLC
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change
Phases of SecSDLC
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change
Investigation Phase (SDLC)
This phase outlines the scope and goals of the proposed system. It also covers the budget, time frames, and feasibility of the system.
NIST SP 800-12
presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
Rand Report R-609
A study sponsored by the Department of Defense that attempted to define the multiple controls and mechanisms necessary for the protection of multilevel computer systems.
Analysis Phase (SDLC)
Consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
Logical Design Phase (SDLC)
The information gained from the analysis phase is used to begin creating a solution system for a business problem.
Physical Design Phase (SDLC)
Specific technologies are selected to support the alternatives identified and evaluated in the logical design phase.
Implementation Phase (SDLC)
Any needed software, hardware, or components are purchased, received, and tested.
Maintenance and Change Phase (SDLC)
The longest and most expensive phase.
Consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Investigation Phase (SecSDLC)
Begins with a directive from upper management dictating the process, outcomes, and goals of the project, as well as the constraints placed on the activity.
Analysis Phase (SecSDLC)
Documents from the Investigation phase are studied, existing security is examined, threats are documented, and existing controls are assessed.
Logical Design Phase (SecSDLC)
Develops the blueprint for security. Examines and implements key policies. Develops the incident response plan.
Physical Design Phase (SecSDLC)
Technologies are chosen to support the blueprint from the logical design phase. Plan is presented to all involved parties.
Implementation Phase (SecSDLC)
Security solutions are acquired, tested, implemented, and tested again.
Maintenance and Change Phase (SecSDLC)
The longest and most important phase. The security plan is adapted to new and evolving threats in order to maintain security.