Domain 6: Law, Ethics and Security Compliance Management



American Institute of Certified Public Accountants
Covering both published and unpublished works, copyright is a form of protection granted by law for original works of authorship fixed in a tangible medium of expression.
The application of layers of security services between the point-of-presence to the external network (e.g. internet) and the internal host software and data storage. It includes employment of such capabilities as router access control lists, virtual local area networks, switch port security, security event logging, out-of-band/back-channel networks, encryption, demilitarized zones, vulnerability scanning, rogue access point scanning, anti-malware software, and network and host-based firewalls and intrusion detection/protection, etc.
Downstream Liability
An organization that fails to properly protect its systems may be liable for damage that the lack of controls permits.
European Union
End-user license agreement that protects both the software author or copyright holder, and the user, from liability in the event that the software is not used as intended.
Federal Information Security Modernization Act of 2014 (previously Federal Information Security Management Act 2002).
General Data Protection Regulation
Offensive or annoying activities directed by one or more initiating individuals at one or more victim individuals, including threats or other unwanted actions.
Health Insurance Portability and Accountability Act 1996
Identity Theft/Fraud
The actions of taking personal information about a victim individual (identity theft) in order to portray oneself as that victim for some personal gain at the expense of the victim (identity fraud).
International Standard on Assurance Engagements
Publicly spreading untrue defamation about a victim in written or broadcast form.
A standard for measuring something (e.g., areas of security compliance). In this domain, metrics are the objective evaluation of value to the organization in terms of organizational security and/or compliance need, and solution existence, effectiveness, and efficiency.
National Institute of Standards and Technology
Organization for Economic Co-operation and Development
Office of Management and Budget (U.S. Executive Branch)
Operational Level Agreement
An OLA is an internal agreement within the company in which one department supplies services to another department; it is a supporting document for Service Level Agreements (SLAs).
An intellectual property right granted by a government to an inventor to exclude others from making, using, offering for sale, or selling the invention.
Penetration Testing
Penetration testing is the next potential step after vulnerability scanning. It entails exploiting identified vulnerabilities to see how vulnerable the defense-in-depth may be. Soft testing attempts penetration but only to the point of showing the capability to penetrate. Hard testing goes further and attempts to take systems down or otherwise use them in subsequent attacks. Hard testing has much greater potential to interfere with enterprise operations. Most companies do not opt for hard testing because of this danger.
Statement of Auditing Standard
Service Level Requirement
An SLR is a document recording the business requirement for an IT service. The SLR belongs to the senior business representative who owns the service. The SLR will provide a basis for negotiations linked to the formulation of service level objectives (SLOs) or SLAs.
Service Level Agreement
An SLA is a contract that exists between customers and their service providers. It records the common understanding about services, priorities, responsibilities, guarantees, warranties, etc. to be provided - collectively, the level of service. The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of service, such as billing. In some contracts, penalties may be agreed upon in the case of non-compliance.
Service Level Objective
SLAs can contain numerous service performance metrics with corresponding SLOs. The level of service can also be specified as "target" and "minimum," which inform customers about what to expect (the minimum), while providing a measurable (average) target value that shows the level of organization performance.
Publicly spreading untrue defamation about a victim in oral form.
Special Publication (NIST guidance document type)
Unsolicited messages or advertising sent by way of commercial emails.
Statement on Standards for Attestation Engagements
A trademark or service mark includes any word, name, symbol, device, or any combination used or intended to be used to identify and distinguish the goods/services of one seller or provider from those of others (brand name), and to indicate the source of the goods/services. A trademark lasts as long as the product is in the stream of commerce.
Trade Secret
Proprietary business or technical information, processes, designs, practices, formulations, etc., that are confidential and critical to the business.
Trade-Related Aspects of Intellectual Property Rights - an agreement establishing the World Trade Organization among participating national governments.
Warranties outline the promises of service levels to be provided such as time to replace equipment, maximum response, outage times, etc.
Work for Hire
Work done by an employee in the ordinary course of business or using specialized equipment belonging to the employer.