- A-123 A U.S. Office of Management and Budget (OMB) government circular that defines the management responsibilities for internal controls in U.S. federal agencies.
- acceptable interruption window (AIW) See maximum tolerable downtime (MTD).
- acceptable use policy Security policy that defines the types of activities that are acceptable and those that are not acceptable. An acceptable use policy is generally written for general audiences, applying to all personnel in an organization.
- access bypass Any attempt by an intruder to bypass access controls to gain entry into a system.
- access control Any means that detects or prevents unauthorized access and that permits authorized access.
- access control policy Statement that defines the policy for the granting, review, and revocation of access to systems and work areas.
- access governance Policies, procedures, and activities that enforce access policy and management control.
- access management A formal business process that is used to control access to networks and information systems.
- access recertification The process of reconfirming subjects’ access to objects in an organization.
- access review A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.
- account lockout An administrative lock that is placed on a user account when a predetermined event occurs, such as reaching an expiration date or when there have been several unsuccessful attempts to access the user account.
- accumulation of privileges A situation where an employee accumulates computer system access privileges over a long period of time because of internal transfers or other privilege changes and old access privileges not being removed.
- administrative audit An audit of operational efficiency.
- administrative control Controls in the form of policies, processes, procedures, and standards.
- advanced persistent threat (APT) A class of threat actor that uses an array of reconnaissance and attack techniques to establish a long-term presence within a target organization.
- algorithm In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.
- allowable interruption window (AIW) See maximum tolerable downtime (MTD).
- annualized loss expectancy (ALE) The expected loss of asset value due to threat realization. ALE is defined as SLE × ARO.
- annualized rate of occurrence (ARO) An estimate of the number of times that a threat will occur every year.
- antiforensics Any of several techniques whose objective is to make it more difficult for a forensic examiner to identify and understand a computer intrusion.
- anti-malware Software that uses various means to detect and block or prevent malware from carrying out its purpose. See also antivirus software.
- antivirus software Software that is designed to detect and remove computer viruses.
- appliance A type of computer with preinstalled software that requires little or no maintenance.
- application firewall A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.
- APT See advanced persistent threat.
- architecture standard A standard that defines technology architecture at the database, system, or network level.
- assessment An examination of a business process or information system to determine its state and effectiveness.
- asset inventory The process of confirming the existence, location, and condition of assets; also, the results of such a process.
- asset management The processes used to manage the inventory, classification, use, and disposal of assets.
- asset value (AV) The value of an IT asset, which is usually (but not necessarily) the asset’s replacement value.
- assets The collection of property that is owned by an organization.
- asymmetric encryption A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.
- asynchronous replication A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead, there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system. See also replication.
- attack surface A metaphor often used to depict a greater or lesser extent of attackable systems, services, and personnel in an organization, or the attackable programs, services, and features in a running operating system.
- attestation of compliance A written statement that serves as an assertion of compliance to a requirement, standard, or law. An attestation of compliance is often signed by a high-ranking official or executive.
- attorney–client privilege As defined by Black’s Law Dictionary, “a client’s right privilege to refuse to disclose and to prevent any other person from disclosing confidential communications between the client and the attorney.” In the context of information security, certain business proceedings can be protected with attorney–client privilege as a means for preventing those proceedings from being made available during legal discovery.
- audit A formal review of one or more processes, controls, or systems to determine their state against a standard.
- audit logging A feature in an application, operating system, or database management system where events are recorded in a separate log.
- audit methodology A set of audit procedures that is used to accomplish a set of audit objectives.
- audit objective The purpose or goals of an audit. Generally, the objective of an audit is to determine whether controls exist and are effective in some specific aspect of business operations in an organization.
- audit plan A formal document that guides the control and execution of an audit. An audit plan should align with audit objectives and specify audit procedures to be used.
- audit procedures The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and questions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.
- audit program The plan for conducting audits over a long period.
- audit report The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; people interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.
- audit scope The process, procedures, systems, and applications that are the subject of an audit.
- authentication The process of asserting one’s identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.
- automatic control A control that is enacted through some automatic mechanism that requires little or no human intervention.
- availability management The IT function that consists of activities concerned with the availability of IT applications and services. See also IT service management (ITSM).
- 3G Third generation
- 3GPP Third Generation Partnership Project
- ASP Application Service Provider
- BSS Business Support System(s)
- CAGR Compounded Annual Growth Rate capex Capital expenditure
- CDMA2000 3G variant of Code Division
- Multiple Access CDR Call Detail Record
- CEO Chief Executive Officer CIO Chief Information Officer CMO Chief Marketing Officer CRM Customer Relationship Management
- CS Circuit Switched
- CSCF Call Session Control Function CSR Customer Service Representative DSL Digital Subscriber Line
- EAI Enterprise Application Integration ESB Enterprise Service Bus
- FMC Fixed–Mobile Convergence GPRS General Packet Radio Service GSM Global System for Mobile
- HSS Home Subscriber Server
- IM-SSF IP Multimedia Service Switching Function
- IMPRES Instant Messaging and Presence IMS IP Multimedia Subsystem
- IP Internet Protocol
- IPTV Internet Protocol Television IPv6 Internet Protocol version 6
- IT Information Technology
- IVR Interactive Voice Response LSE London Stock Exchange M&A Merger and Acquisition MMD Multimedia Domain
- MMS Multimedia Messaging Service NGS Next-Generation Services NYSE New York Stock Exchange opex Operational expenditure OSA-SCS Open Service Access – Service Capability Server
- OSS Operations Support System(s)
- PRM Partner Relationship Management PSTN Public Switched Telephone Network
- QoS Quality of Service
- ROI Return on Investment S-CSCF Serving CSCF
- SDP Service Delivery Platform SIP Session Initiation Protocol SIP-AS SIP Application Server
- SLA Service Level Agreement SMS Short Message Service
- SOA Service-Oriented Architecture SRLP Service-Related Local Policy UMTS Universal Mobile Telecommunications Systems VAS Value-Added Services
- VC Venture Capital
- VNO Virtual Network Operator VoIP Voice over IP
- VPN Virtual Private Network WLAN Wireless Local Area Network XML Extensible Mark-up Language Y2K Year 2000
802.1X A standard for network authentication and access control used to determine whether a device will be permitted to attach to a LAN or wireless LAN. See also network access control (NAC).
background check The process of verifying an employment candidate’s employment history, education records, professional licenses and certifications, criminal background, and financial background.
background verification See background check.
back-out plan A procedure used to reverse the effect of a change that was not successful.
backup The process of copying important data to another media device in the event of a hardware failure, error, or software bug that causes damage to data.
backup media rotation Any scheme used to determine how backup media is to be reused.
basic input/output system (BIOS) The firmware on a computer that tests the computer’s hardware and initiates the bootup sequence. Superseded by unified extensible firmware interface (UEFI). See also unified extensible firmware interface (UEFI).
bare metal restore The process of recovering a system by reformatting main storage, re-installing the operating system, and restoring files.
biometrics Any use of a machine-readable characteristic of a user’s body that uniquely identifies the user. Biometrics can be used for multifactor authentication. Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan, iris scan, retina scan, facial scan, and handwriting. See also authentication, multifactor authentication.
block cipher An encryption algorithm that operates on blocks of data.
board of directors A body of elected or appointed people who oversee the activities of an organization.
bot A type of malware in which agents are implanted by other forms of malware and are programmed to obey remotely issued instructions. See also botnet.
botnet A collection of bots that are under the control of an individual. See also bot.
bring your own app A practice whereby workers use personally owned applications and use them for company business.
bring your own device (BYOD) A practice whereby workers use personally owned devices (typically laptop computers and mobile devices) for company business.
budget A plan for allocating resources over a certain time period.
bug See software defect.
business case An explanation of the expected benefits to the business that will be realized as a result of a program or project.
business continuity planning (BCP) The activities required to ensure the continuation of critical business processes.
business e-mail compromise See CEO fraud.
business functional requirements Formal statements that describe required business functions that a system must support.
business impact analysis (BIA) A study that is used to identify the impact that different disaster scenarios will have on ongoing business operations.
business recovery plan The activities required to recover and resume critical business processes and activities. See also response document.
call tree A method for ensuring the timely notification of key personnel, such as after a disaster.
capability maturity model A model that is used to measure the relative maturity of an organization or of its processes.
Capability Maturity Model Integration for Development (CMMi-DEV) A maturity model that is used to measure the maturity of a software development process.
capacity management The IT function that consists of activities that confirm there is sufficient capacity in IT systems and IT processes to meet service needs. Primarily, an IT system or process has sufficient capacity if its performance falls within an acceptable range, as specified in service level agreements (SLAs). See also IT service management (ITSM), service level agreement (SLA).
cardholder data As defined by the PCI Security Standards Council: “At a minimum, cardholder data consists of the full PAN (Primary Account Number, also known as a credit card number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.” See also Payment Card Industry Data Security Standard (PCI-DSS).
career path The progression of responsibilities and job titles that a worker will attain over time.
CEO fraud A type of fraud where a perpetrator, impersonating an organization’s CEO, sends phishing e-mails to other company executives and directs them to wire large amounts of money to a bank account, typically in support of a secret merger or acquisition. See also phishing, spear phishing, and whaling.
certificate authority (CA) A trusted party that stores digital certificates and public encryption keys.
certificate revocation list (CRL) An electronic list of digital certificates that have been revoked prior to their expiration date.
certification practice statement (CPS) A published statement that describes the practices used by the CA to issue and manage digital certificates.
chain of custody Documentation that shows the acquisition, storage, control, and analysis of evidence. The chain of custody may be needed if the evidence is to be used in a legal proceeding.
change advisory board (CAB) See change control board (CCB).
change control See change management.
change control board (CCB) The group of stakeholders from IT and business who propose, discuss, and approve changes to IT systems. Also known as a change advisory board.
change management The IT function that is used to control changes made to an IT environment. See also IT service management (ITSM).
change request A formal request for a change to be made in an environment. See also change management.
change review A formal review of a requested change. See also change request, change management.
charter See program charter.
chief information risk officer (CIRO) The typical job title for the topmost information security executive in an organization.
chief information security officer (CISO) The typical job title for the topmost information security executive in an organization.
chief risk officer (CRO) The typical job title for the topmost risk officer in an organization.
chief security officer (CSO) The typical job title for the topmost security officer in an organization.
ciphertext A message, file, or stream of data that has been transformed by an encryption algorithm and rendered unreadable.
CIS Controls A control framework maintained by the Center for Internet Security (CIS).
clone phishing The practice of obtaining legitimate e-mail messages, exchanging attachments or URLs for those that are malicious, and sending the altered e-mail messages to target users in the hopes the messages will trick users on account of their genuine appearance.
cloud Internet-based computing resources.
cloud access security broker (CASB) A system that monitors and, optionally, controls users’ access to, or use of, cloud-based resources.
cloud computing A technique of providing a dynamically scalable and usually virtualized computing resource as a service.
cluster A tightly coupled collection of computers that is used to solve a common task. In a cluster, one or more servers actively perform tasks, while zero or more computers may be in a “standby” state, ready to assume active duty should the need arise.
COBIT A control framework for managing information systems and security. COBIT is published by ISACA.
code of ethics A statement that defines acceptable and unacceptable professional conduct.
cold site An alternate processing center where the degree of readiness for recovery systems is low. At the least, a cold site is nothing more than an empty rack or just allocated space on a computer room floor.
command and control (C&C) Network traffic associated with a system compromised with malware. Command-and-control traffic represents communication between the malware and a central controlling entity.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) A private sector organization that provides thought leadership, control frameworks, and guidance on enterprise risk management.
common vulnerability scoring system (CVSS) An open framework for communicating the quantitative characteristics and impacts of IT vulnerabilities.
compensating control A control that is implemented because another control cannot be implemented or is ineffective.
compliance Activities related to the examination of systems and processes to ensure they conform to applicable policies, standards, controls, requirements, and regulations; also, the state of conformance to applicable policies, standards, controls, requirements, and regulations.
compliance audit An audit to determine the level and degree of compliance to a law, regulation, standard, contract provision, or internal control. See also audit.
compliance risk Risk associated with any general or specific consequences of not being compliant with a law, regulation, or private legal obligation.
configuration item A configuration setting in an IT asset. See also configuration management.
configuration management The IT function where the configuration of components in an IT environment is independently recorded. Configuration management is usually supported by the use of automated tools used to inventory and control system configurations. See also IT service management (ITSM).
configuration management database (CMDB) A repository for every component in an environment that contains information on every configuration change made on those components.
configuration standard A standard that defines the detailed configurations that are used in servers, workstations, operating systems, database management systems, applications, network devices, and other systems.
contact list A list of key personnel and various methods used to contact them. See also response document.
containerization A form of virtualization where an operating system permits the existence of multiple isolated user spaces, called containers. See also virtualization.
continuity of operations plan (COOP) The activities required to continue critical and strategic business functions at an alternate site. See also response document.
continuous log review A process where the event log for one or more systems is being continuously reviewed in real time to determine whether a security or operational event warranting attention is taking place. See also security information and event management system (SIEM).
continuous improvement The cultural desire to increase the efficiency and effectiveness of processes and controls over time.
content delivery network (CDN) Also known as a content distribution network, a globally distributed network of servers in multiple data centers designed to optimize the speed and cost of delivery of content from centralized servers to end users.
content distribution network (CDN) See content delivery network (CDN).
contract A binding legal agreement between two or more parties that may be enforceable in a court of law.
control Policy, process, or procedure that is created to ensure desired outcomes or to avoid unwanted outcomes.
control existence An activity that takes place in an audit where the auditor seeks to determine whether an expected control is in place.
control framework A collection of controls, organized into logical categories.
control objective A foundational statement that describes desired states or outcomes from business operations.
control risk The risk that a significant or material error exists that will not be prevented or detected by a control.
control self-assessment (CSA) A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity that may or may not be required by applicable laws or regulations.
corrective action An action that is initiated to correct an undesired condition.
corrective control A control that is used after an unwanted event has occurred.
countermeasure Any activity or mechanism that is designed to reduce risk.
covered entity Any organization that stores or processes electronic protected health information (ePHI). See also Health Insurance Portability and Accountability Act (HIPAA).
critical path methodology (CPM) A technique that is used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule.
criticality analysis (CA) A study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation.
cryptanalysis An attack on a cryptosystem where the attacker is attempting to determine the encryption key that is used to encrypt messages.
cryptography The practice of hiding information from unwanted people.
culture The collective attitudes, practices, communication, communication styles, ethics, and other behavior in an organization.
custodian A person or group delegated to operate or maintain an asset.
cutover The step in the software development life cycle where an old replaced system is shut down and a new replacement system is started.
cutover test An actual test of disaster recovery and/or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans—to actually set up the DR business processing or data processing capability. In a cutover test, personnel shut down production systems and operate recovery systems to assume actual business workload. See also disaster recovery plan.
cyber risk insurance An insurance policy designed to compensate an organization for unexpected costs related to a security breach.
cybersecurity framework (CSF) See NIST CSF.
cyclical controls testing A life cycle process in which selected controls are examined for effectiveness.
damage assessment The process of examining assets after a disaster to determine the extent of damage.
data acquisition The act of obtaining data for later use in a forensic investigation.
data classification policy Policy that defines sensitivity levels and handling procedures for information.
data loss prevention (DLP) system A hardware or software system that detects and, optionally, blocks the movement or storage of sensitive data.
data restore The process of copying data from backup media to a target system for the purpose of restoring lost or damaged data.
data security Those controls that seek to maintain confidentiality, integrity, and availability of information.
decryption The process of transforming ciphertext into plaintext so that a recipient can read it.
denial of service (DoS) An attack on a computer or network with the intention of causing disruption or malfunction of the target.
desktop computer A nonportable computer used by an individual end user and located at the user’s workspace.
desktop virtualization Software technology that separates the physical computing environment from the software that runs on an endpoint, effectively transforming an endpoint into a display terminal. See also virtualization.
destructware See wiper.
detective control A control that is used to detect events.
deterrent control A control that is designed to deter people from performing unwanted activities.
Diffie–Hellman A popular key exchange algorithm. See also key exchange.
digital certificate An electronic document that contains an identity that is signed with the public key of a certificate authority (CA).
digital envelope A method that uses two layers of encryption. A symmetric key is used to encrypt a message; then a public or private key is used to encrypt the symmetric key.
digital rights management (DRM) Any technology used to control the distribution and use of electronic content.
digital signature The result of encrypting the hash of a message with the originator’s private encryption key, used to prove the authenticity and integrity of a message.
directory A centralized service that provides information for a particular function.
disaster An unexpected and unplanned event that results in the disruption of business operations.
disaster declaration criteria The conditions that must be present to declare a disaster, triggering response and recovery operations.
disaster declaration procedure Instructions to determine whether to declare a disaster and trigger response and recovery operations. See also disaster declaration criteria.
disaster recovery and business continuity requirements Formal statements that describe required recoverability and continuity characteristics that a system must support.
disaster recovery plan The activities required to restore critical IT systems and other critical assets, whether in alternate or primary locations. See also response document.
disaster recovery planning (DRP) Activities related to the assessment, salvage, repair, and restoration of facilities and assets.
disaster recovery-as-a-service (DRaaS) A cloud-based set of tools and services that streamline the planning and execution of data backup and data replication for disaster recovery purposes.
discovery sampling A sampling technique where at least one exception is sought in a population. See also sampling.
disk array A chassis in which several hard disks can be installed and connected to a server. The individual disk drives can be “hot swapped” in the chassis while the array is still operating.
distributed denial of service (DDoS) A denial-of-service (DoS) attack that originates from many computers. See also denial of service (DoS).
DNS filter A network system or device used to protect systems from malicious content through manipulation of the results of DNS queries. See also web content filter.
document review A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. Individuals typically review these documents on their own, at their own pace, but within whatever time constraints or deadlines that may have been established.
documentation The inclusive term that describes charters, processes, procedures, standards, requirements, and other written documents.
Domain Name System (DNS) A TCP/IP application layer protocol used to translate domain names (such as www.isecbooks.com) into IP addresses.
dwell time The period of time that elapses from the start of a security incident to the organization’s awareness of the incident.
dynamic application security testing (DAST) Tools used to identify security defects in a running software application.
eavesdropping The act of secretly intercepting and, optionally, recording a voice or data transmission.
elasticity The property of infrastructure-as-a-service whereby additional virtual assets can be created or withdrawn in response to rising and falling workloads.
electric generator A system consisting of an internal combustion engine powered by gasoline, diesel fuel, or natural gas that spins an electric generator. A generator can supply electricity for as long as several days, depending upon the size of its fuel supply and whether it can be refueled.
electronic protected health information (ePHI) Any information—in electronic form—about the health, health status, and medical treatment of a human patient.
elliptic curve A public key cryptography algorithm.
e-mail A network-based service used to transmit messages between individuals and groups.
emergency communications plan The communications that are required during a disaster. See also response document.
emergency response The urgent activities that immediately follow a disaster, including evacuation of personnel, first aid, triage of injured personnel, and possibly firefighting.
employee handbook See employee policy manual.
employee policy manual A formal statement of the terms of employment, facts about the organization, benefits, compensation, conduct, and policies.
employment agreement A legal contract between an organization and an employee, which may include a description of duties, roles and responsibilities, confidentiality, compliance, and termination.
encryption The act of hiding sensitive information in plain sight. Encryption works by scrambling the characters in a message using a method known only to the sender and receiver, making the message useless to anyone who intercepts the message.
encryption key A block of characters, used in combination with an encryption algorithm, to encrypt or decrypt a stream or block of data.
endpoint A general term used to describe any of the types of devices used by end users, including mobile phones, smartphones, terminals, tablet computers, laptop computers, and desktop computers.
enterprise architecture Activities that ensure important business needs are met by IT systems; the model that is used to map business functions into the IT environment and IT systems in increasing levels of detail.
enterprise risk management (ERM) The methods and processes used by an organization to identify and manage business risks.
evacuation procedure Instructions to safely evacuate a work facility in the event of a fire, earthquake, or other disaster.
e-vaulting The practice of backing up information to an off-site location, often a third-party service provider.
event An occurrence of relevance to a business or system.
event monitoring The practice of examining the events that occur on information systems, including operating systems, subsystems such as database management systems, applications, network devices, and end-user devices.
event visibility A capability that permits an organization to be aware of activities that may be a sign of a security incident.
evidence Information gathered by the auditor that provides proof that a control exists and is being operated.
exploitation The process of exploiting a vulnerability in a target system in order to take control of the system.
exposure factor (EF) The financial loss that results from the realization of a threat, expressed as a percentage of the asset’s total value.
facilities classification A method for assigning classification or risk levels to work centers and processing centers, based on their operational criticality or other risk factors.
feasibility study An activity that seeks to determine the expected benefits of a program or project.
fiduciary A person who has a legal trust relationship with another party.
fiduciary duty The highest standard of care that a fiduciary renders to a beneficiary.
file A sequence of zero or more characters that is stored as a whole in a file system. A file may be a document, spreadsheet, image, sound file, computer program, or data that is used by a program.
file activity monitoring (FAM) A program that monitors the use of files on a server or endpoint as a means for detecting indicators of compromise.
file integrity monitoring (FIM) A program that periodically scans file systems on servers and workstations, as a means of detecting changes to file contents or permissions that may be indicators of compromise.
file server A server that is used to store files in a central location, usually to make them available to many users.
fileless malware Malware that resides in a computer’s memory instead of the file system.
financial audit An audit of an accounting system, accounting department processes, and procedures to determine whether business controls are sufficient to ensure the integrity of financial statements. See also audit.
financial management Management for IT services that consists of several activities, including budgeting, capital investment, expense management, project accounting, and project ROI. See also IT service management (ITSM), return on investment (ROI).
fingerprint See biometrics, key fingerprint.
firewall A device that controls the flow of network messages between networks. Placed at the boundary between the Internet and an organization’s internal network, firewalls enforce security policy by prohibiting all inbound traffic except for the specific few types of traffic that are permitted to a select few systems.
first in, first out (FIFO) A backup media rotation scheme where the oldest backup volumes are used next. See also backup media rotation.
forensic audit An audit that is performed in support of an anticipated or active legal proceeding. See also audit.
forensics The application of procedures and tools during an investigation of a computer or network-related event.
fraud The intentional deception made for personal gain or for damage to another party.
gap analysis An examination of a process or system to determine differences between its existing state and a desired future state.
general computing controls (GCCs) Controls that are general in nature and implemented across most or all information systems and applications.
general data protection regulation (GDPR) The European law, which takes effect in 2018, that protects the privacy of European residents.
governance Management’s control over policy and processes.
governance, risk, and compliance (GRC) tool A software program used to track key aspects of an organization’s information risk program.
grandfather-father-son A hierarchical backup media rotation scheme that provides for longer retention of some backups. See also backup media rotation.
hacker Someone who interferes with or accesses another’s computer without authorization.
hard disk drive (HDD) A storage device using magnetic storage on rapidly rotating disks.
hardening The technique of configuring a system so that only its essential services and features are active and all others are deactivated. This helps to reduce the “attack surface” of a system to only its essential components.
hardening standard A document that describes the security configuration details of a system, or class of systems. See also configuration standard, hardening.
hardware monitoring Tools and processes used to continuously observe the health, performance, and capacity of one or more computers.
hash function A cryptographic operation on a block of data that returns a fixed-length string of characters, used to verify the integrity of a message.
Health Insurance Portability and Accountability Act (HIPAA) A U.S. law requiring the enactment of controls to protect electronic protected health information (EPHI).
HITRUST A healthcare control framework and certification that serves as an external attestation of an organization’s IT controls.
host-based intrusion detection system (HIDS) An intrusion detection system (IDS) that is installed on a system and watches for anomalies that could be signs of intrusion. See also intrusion detection system (IDS).
hot site An alternate processing center where backup systems are already running and in some state of near-readiness to assume production workload. The systems at a hot site most likely have application software and database management software already loaded and running, perhaps even at the same patch levels as the systems in the primary processing center.
human resources (HR) The department in most organizations that is responsible for employee onboarding, offboarding, internal transfers, training, and signing important documents such as security policy.
human resource information system (HRIS) An information system used to manage information about an organization’s workforce.
human resource management (HRM or HR) Activities regarding the acquisition, onboarding, support, and termination of workers in an organization.
hybrid cryptography A cryptosystem that employs two or more iterations or types of cryptography.
Hypertext Transfer Protocol (HTTP) A TCP/IP application layer protocol used to transmit web page contents from web servers to users who are using web browsers.
Hypertext Transfer Protocol Secure (HTTPS) A TCP/IP application layer protocol that is similar to HTTP in its use for transporting data between web servers and browsers. HTTPS is not a separate protocol but instead is the instance where HTTP is encrypted with SSL or TLS. See also Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), Transport Layer Security (TLS).
hypervisor Virtualization software that facilitates the operation of one or more virtual machines.
identity and access management (IAM) The activities and supporting systems that are used to manage workers’ identities and their access to information systems and data.
identity management The activity of managing the identity of each employee, contractor, temporary worker, and, optionally, customer, for use in a single environment or multiple environments.
image A binary representation of a fully installed and configured operating system and applications for a server or an end user’s computer.
impact The actual or expected result from some action such as a threat or disaster.
impact analysis The analysis of a threat and the impact it would have if it were realized.
incident Any event that is not part of the standard operation of a service and that causes, or may cause, interruption to or a reduction in the quality of that service.
incident declaration The process of determining that a security incident is taking place so that incident responders can begin the task of managing it.
incident management (ITSM) The IT function that analyzes service outages, service slowdowns, security incidents, and software bugs, and seeks to resolve them to restore normal service. See also IT service management (ITSM), security incident management.
incident prevention Proactive steps taken to reduce the probability or impact of security incidents.
incident responder A worker in an organization who has responsibility for responding to a security incident.
incident response retainer A legal agreement between an organization and a security professional services firm that arranges for the security firm to render assistance to the organization in the event of a security incident.
incident response team (IRT) Personnel who are trained in incident response techniques.
indicator of compromise (IoC) An observation on a network or in an operating system that indicates evidence of a network or computer intrusion.
industrial control system (ICS) A control system used to monitor and manage physical machinery in an industrial environment. See also supervisory control and data acquisition (SCADA).
information classification The process of assigning a sensitivity classification to an information asset.
information risk Paraphrased from the ISACA Risk IT Framework: the business risk associated with the use, ownership, operation, involvement, influence, and adoption of information within an enterprise.
information security management The aggregation of policies, processes, procedures, and activities to ensure that an organization’s security policy is effective.
Information Security Management System (ISMS) The collection of activities for managing information security in an organization, as defined by ISO/IEC 27001.
information security policy A statement that defines how an organization will classify and protect its important assets.
infrastructure The collection of networks, network services, devices, facilities, and system software that facilitates access to, communications with, and protection of business applications.
infrastructure-as-a-service (IaaS) A cloud computing model where a service provider makes computers and other infrastructure components available to subscribers. See also cloud computing.
inherent risk The risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them.
initialization vector (IV) A random number that is needed by some encryption algorithms to begin the encryption process.
insider threat Any scenario where an employee or contractor knowingly, or unknowingly, commits acts that result in security incidents or breaches.
integrated audit An audit that combines an operational audit and a financial audit. See also operational audit, financial audit.
integrated development environment (IDE) A software application that facilitates the writing, updating, testing, and debugging of application source code.
intellectual property A class of assets owned by an organization; includes an organization’s designs, architectures, software source code, processes, and procedures.
internal audit A formal audit of an organization’s controls, processes, or systems, which is carried out by personnel who are part of the organization. See also audit.
internal audit (IA) The name of an organization’s internal department that performs audits.
Internet The interconnection of the world’s TCP/IP networks.
Internet hygiene The practice of security awareness while accessing the Internet with a computer or mobile device to reduce the possibility of attack.
intrusion detection system (IDS) A hardware or software system that detects anomalies that may be signs of an intrusion.
intrusion kill chain The computer intrusion model developed by Lockheed-Martin that depicts a typical computer intrusion. The phases of the kill chain are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective.
intrusion prevention system (IPS) A hardware or software system that detects and blocks malicious network traffic that may be signs of an intrusion.
intrusive monitoring Any technique used by an organization to actively monitor activities within a third party’s IT environment.
IS audit An audit of an IS department’s operations and systems. See also audit.
ISACA Formerly the Information Systems Audit and Control Association, now just ISACA. Global organization the develops and administers numerous certifications including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk, Information Security, and Control (CRISC), and Certified in the Governance of Enterprise IT (CGEIT).
ISACA audit standards The minimum standards of performance related to security, audits, and the actions that result from audits. The standards are published by ISACA and updated periodically. ISACA audit standards are considered mandatory.
ISAE 3402 (International Standard on Assurance Engagement) An external audit of a service provider. An ISAE 3402 audit is performed according to rules established by the International Auditing and Assurance Standards Board (IAASB).
ISO/IEC 20000 An ISO/IEC standard for IT service management (ITSM).
ISO/IEC 27001 An ISO/IEC standard for IT security management.
ISO/IEC 27002 An ISO/IEC standard for IT security controls.
IT Infrastructure Library (ITIL) See IT service management (ITSM).
IT service management (ITSM) The set of activities that ensures the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes.
job description A written description of a job in an organization. A job description usually contains a job title, work experience requirements, knowledge requirements, and responsibilities.
job title See position title.
judgmental sampling A sampling technique where items are chosen based upon the auditor’s judgment, usually based on risk or materiality. See also sampling.
key See encryption key.
key compromise Any unauthorized disclosure or damage to an encryption key. See also key management.
key custody The policies, processes, and procedures regarding the management of keys. See also key management.
key disposal The process of decommissioning encryption keys. See also key management.
key encrypting key An encryption key that is used to encrypt another encryption key.
key exchange A technique that is used by two parties to establish a symmetric encryption key when no secure channel is available.
key fingerprint A short sequence of characters that is used to authenticate a public key.
key generation The initial generation of an encryption key. See also key management.
key goal indicator (KGI) Measure of progress in the attainment of strategic goals in the organization.
key length The size (measured in bits) of an encryption key. Longer encryption keys mean that it takes greater effort to successfully attack a cryptosystem.
key logger A hardware device or a type of malware that records a user’s keystrokes and, optionally, mouse movements and clicks, and sends this data to the key logger’s owner.
key management The various processes and procedures used by an organization to generate, protect, use, and dispose of encryption keys over their lifetime.
key performance indicator (KPI) Measure of business processes’ performance and quality, used to reveal trends related to efficiency and effectiveness of key processes in the organization.
key protection All means used to protect encryption keys from unauthorized disclosure and harm. See also key management.
key risk indicator (KRI) Measure of information risk, used to reveal trends related to levels of risk of security incidents in the organization.
key rotation The process of issuing a new encryption key and reencrypting data protected with the new key. See also key management.
kill chain See intrusion kill chain.
laptop computer A portable computer used by an individual user.
last in, first out (LIFO) A backup media rotation scheme where the newest backup volumes are used next. See also backup media rotation.
learning management system (LMS) An on-premise or cloud-based system that makes online training and testing facilities available to an organization’s personnel. Some LMSs automatically maintain records of training enrollment, test scores, and training completion.
least privilege The concept where an individual user should have the lowest privilege possible that will still enable them to perform their tasks.
Lightweight Directory Access Protocol (LDAP) A TCP/IP application layer protocol used as a directory service for people and computing resources.
log correlation The process of combining log data from many devices in order to discern patterns that may be indicators of operational problems or compromise.
log review An examination of the event log in an information system, typically to see whether any security events or incidents have occurred. See also continuous log review.
log server A system or device to which event logs from other systems are sent for processing and storage. See also security information and event management (SIEM).
macro virus Malicious software that is embedded within another file such as a document or spreadsheet.
malware The broad class of programs that are designed to inflict harm on computers, networks, or information. Types of malware include viruses, worms, Trojan horses, spyware, and rootkits.
man-made disaster A disaster that is directly or indirectly caused by human activity, through action or inaction. See also disaster.
managed security service provider (MSSP) An organization that provides security monitoring and/or management services for customers.
manual control A control that requires a human to operate it.
maximum acceptable outage (MAO) See maximum tolerable outage (MTO).
maximum tolerable downtime (MTD) A theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk.
maximum tolerable outage (MTO) The maximum period of time that an organization can tolerate operating in recovery (or alternate processing) mode.
message digest The result of a cryptographic hash function.
methodology standard A standard that specifies the practices used by the IT organization.
metric A measurement of a periodic or ongoing activity, for the purpose of understanding the activity within the context of overall business operations.
microsegmentation A design characteristic of a network where each network node resides on its own segment, resulting in improved network security and efficiency.
mitigating control See compensating control.
mobile device A portable computer in the form of a smartphone, tablet computer, or wearable device.
mobile site A portable recovery center that can be delivered to almost any location in the world.
monitoring The continuous or regular evaluation of a system or control to determine its operation or effectiveness.
multifactor authentication Any means used to authenticate a user that is stronger than the use of a user ID and password. Examples of multifactor authentication include digital certificate, token, smart card, or biometric.
natural disaster A disaster that occurs in the natural world with little or no assistance from mankind. See also disaster.
netflow A network diagnostic tool that collects all network metadata, which can be used for network diagnostic or security purposes.
network access control (NAC) An approach for network authentication and access control that determines whether devices will be permitted to attach to a LAN or wireless LAN.
network anomaly detection A technique used to identify network traffic that may be a part of an intrusion or other unwanted event.
network attached storage (NAS) A stand-alone storage system that contains one or more virtual volumes. Servers access these volumes over the network using the Network File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS) protocols, common on Unix and Windows operating systems, respectively.
network segmentation The practice of dividing a network into two or more zones, with protective measures such as firewalls between the zones.
network tap A connection on a network router or network switch. A copy of all of the network traffic passing through the router or switch is also sent to the network tap. Also known as a span port.
NIST CSF A risk management methodology and controls framework developed by the U.S. National Institute for Standards and Technology (NIST).
NIST 800 Series A collection of documents published by the U.S. National Institute for Standards and Technology (NIST).
nonrepudiation The property of encryption and digital signatures that can make it difficult or impossible for a party to later deny having sent a digitally signed message—unless they admit to having lost control of their private encryption key.
North American Reliability Corporation (NERC) The organization that maintains resilience and security controls for use by public utilities.
North American Reliability Council Critical Infrastructure Protection (NERC CIP) The standards and requirements defined by the North American Reliability Council for protection of the electric power generation and distribution grid.
occupant emergency plan (OEP) Activities required to safely care for occupants in a business location during a disaster. See also response document.
off-site media storage The practice of storing media such as backup tapes at an off-site facility located away from the primary computing facility.
onboarding The process undertaken when an organization hires a new worker or when it begins a business relationship with a third party.
operational audit An audit of IS controls, security controls, or business controls to determine control existence and effectiveness. See also audit.
operational risk The risk of loss resulting from failed controls, processes, and systems; internal and external events; and other occurrences that impact business operations and threaten an organization’s survival.
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) A qualitative risk analysis methodology developed at Carnegie Mellon University.
orchestration In the context of security information and event management (SIEM), this is the scripted, automated response that is automatically or manually triggered when specific events occur. See also security information and event management (SIEM).
organization chart A diagram that depicts the manager-subordinate relationships in an organization or in part of an organization.
out of band Communications that takes place separately from the main communications method.
outsourcing A form of sourcing where an employer will use contract employees to perform a function. The contract employees may be located on-site or off-site.
owner A person or group responsible for the management and/or operation of an asset.
packet sniffer A device, or a program that can be installed on a network-attached system, to capture network traffic.
parallel test An actual test of disaster recovery (DR) or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans—to actually set up the DR business processing or data processing capability. In a parallel test, personnel operate recovery systems in parallel with production systems to compare the results between the two to determine the actual capabilities of recovery systems.
password An identifier that is created by a system manager or a user; a secret combination of letters, numbers, and other symbols that is known only to the user who uses it.
password complexity The characteristics required of user account passwords. For example, a password may not contain dictionary words and must contain uppercase letters, lowercase letters, numbers, and symbols.
password length The minimum and maximum number of characters permitted for a password that is associated with a computer account.
password reset The process of changing a user account password and unlocking the user account so that the user’s use of the account may resume.
password reuse The act of reusing a prior password for a user account. Some information systems can prevent the use of prior passwords in case any were compromised with or without the user’s knowledge.
patch management The process of identifying, analyzing, and applying patches (including security patches) to systems.
Payment Card Industry Data Security Standard (PCI-DSS) A security standard whose objective is the protection of credit card numbers in storage, while processed, and while transmitted. The standard was developed by the PCI Security Standards Council, a consortium of credit card companies, including Visa, MasterCard, American Express, Discover, and JCB.
personally identifiable information (PII) Information that can be used on its own, or combined with other information, to identify a specific person.
phishing A social engineering attack on unsuspecting individuals where e-mail messages that resemble official communications entice victims to visit imposter web sites that contain malware or request credentials to sensitive or valuable assets. See also CEO fraud, spear phishing, whaling.
physical control Controls that employ physical means.
plaintext An original message, file, or stream of data that can be read by anyone who has access to it.
platform-as-a-service (PaaS) A cloud computing delivery model where the service provider supplies the platform on which an organization can build and run software.
playbook A procedure to be performed to accomplish some purpose.
policy A statement that specifies what must be done (or not done) in an organization. A policy usually defines who is responsible for monitoring and enforcing the policy.
population A complete set of entities, transactions, or events that are the subject of an audit.
position title A label that designates a person’s place or role in an organization.
pre-audit An examination of business processes, controls, and records in anticipation of an upcoming audit. See also audit.
preventive control A control that is used to prevent unwanted events from happening.
privacy The protection of personal information from unauthorized disclosure, use, and distribution.
private cloud A cloud infrastructure that is dedicated to a single organization.
private key cryptosystem A cryptosystem that is based on a symmetric cryptographic algorithm.
procurement The process of making a purchase of hardware, software, and services; also, the name of the department that performs this activity.
probability The chances that an event may occur.
probability analysis The analysis of a threat and the probability of its realization.
problem An incident—often multiple incidents—that exhibits common symptoms and whose root cause is not known.
problem management The IT function that analyzes chronic incidents and seeks to resolve them and also enacts proactive measures in an effort to avoid problems. See also IT service management (ITSM).
procedure A written sequence of instructions used to complete a task.
process A collection of one or more procedures used to perform a business function. See also procedure.
process A logical container in an operating system in which a program executes.
program An organization of many large, complex activities; it can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
program charter A formal definition of the objectives of a program, its main timelines, sources of funding, the names of its principal leaders and managers, and the business executives who are sponsoring the program.
program management The management of a group of projects that exist to fulfill a business goal or objective.
project A coordinated and managed sequence of tasks that results in the realization of an objective or goal.
project management The activities that are used to control, measure, and manage the activities in a project.
project plan The chart of tasks in a project, which also includes start and completion dates, resources required, and dependencies and relationships between tasks.
project planning The activities that are related to the development and management of a project.
protocol analyzer A device that is connected to a network in order to view network communications at a detailed level.
public cloud A cloud infrastructure used by multiple organizations.
public key cryptography See asymmetric encryption.
public key infrastructure (PKI) A centralized function that is used to store and publish public keys and other information.
questionnaire A list of questions sent to a third party, used to assess control effectiveness and risk.
qualitative risk analysis A risk analysis methodology where risks are classified on a nonquantified scale, for example, from High to Medium to Low.
quantitative risk analysis A risk analysis methodology where risks are estimated in the form of actual costs and/or probabilities of occurrence.
quarantine A holding place for e-mail messages that have been blocked by a spam or phishing filter.
Responsible, Accountable, Consulted, Informed (RACI) Chart A tool used to assign roles to individuals and groups according to their responsibilities.
rank A part of a person’s position title that denotes seniority or span of control in an organization.
ransomware Malware that performs some malicious action, requiring payment from the victim to reverse the action. Such actions include data erasure, data encryption, and system damage.
reciprocal site A data center that is operated by another company. Two or more organizations with similar processing needs will draw up a legal contract that obligates one or more of the organizations to temporarily house another party’s systems in the event of a disaster.
reconnaissance Any activity in which a would-be intruder or researcher explores a potential target system or network, generally to learn of its makeup, to determine a potentially successful attack strategy.
records Documents describing business events such as meeting minutes, contracts, financial transactions, decisions, purchase orders, logs, and reports.
recovery capacity objective (RCapO) The processing and/or storage capacity of an alternate process or system, as compared to the normal process or site. RCO is usually expressed as a percentage, as compared to the primary processing site.
recovery consistency objective (RCO) A measure of the consistency and integrity of processing at a recovery site, as compared to the primary processing site. RCO is calculated as 1 – (number of inconsistent objects) / (number of objects).
recovery control A control that is used after an unwanted event to restore a system or process to its pre-event state.
recovery point objective (RPO) The period of acceptable data loss due to an incident or disaster. RPO is usually measured in hours or days.
recovery procedure Instructions that key personnel use to bootstrap services that support critical business functions identified in the business impact assessment (BIA).
recovery strategy A high-level plan for resuming business operations after a disaster.
recovery time objective (RTO) The period from the onset of an outage until the resumption of service. RTO is usually measured in hours or days.
Redundant Array of Independent Disks (RAID) A family of technologies that is used to improve the reliability, performance, or size of disk-based storage systems.
registration authority (RA) An entity that works within or alongside a certificate authority (CA) to accept requests for new digital certificates.
release management The IT function that controls the release of software programs, applications, and environments. See also IT service management (ITSM).
release process The IT process whereby changes to software programs, applications, and environments are requested, reviewed, approved, and implemented.
remote access A service that permits a user to establish a network connection from a remote location so that the user can access network resources remotely.
remote access Trojan (RAT) Malware that permits the attacker to remotely access and control a target system.
remote destruct The act of commanding a device, such as a laptop computer or mobile device, to destroy stored data. Remote destruct is sometimes used when a device is lost or stolen to prevent anyone from being able to read data stored on the device.
remote work The practice of employees working in locations other than their organizations’ work premises.
reperformance An audit technique where an IS auditor repeats actual tasks performed by auditees in order to confirm they were performed properly.
replication An activity where data that is written to a storage system is also copied over a network to another storage system and written. The result is the presence of up-to-date data that exists on two or more storage systems, each of which could be located in a different geographic region.
request for change (RFC) See change request.
request for information (RFI) A formal process where an organization solicits information regarding solution proposals from one or more vendors. This is usually used to gather official information about products or services that may be considered in the future.
request for proposal (RFP) A formal process where an organization solicits solution proposals from one or more vendors. The process usually includes formal requirements and desired terms and conditions. It is used to formally evaluate vendor proposals to make a selection.
requirements Formal statements that describe required (and desired) characteristics of a system that is to be changed, developed, or acquired.
residual risk The risk that remains after being reduced through other risk treatment options.
response document Required action of personnel after a disaster strikes. It includes the business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan (COOP), and security incident response plan (SIRP).
responsibility A stated expectation of activities and performance.
retainer agreement A contract in which an organization pays in advance for professional services. Examples include external legal counsel and security incident response.
return on investment (ROI) The ratio of money gained or lost as compared to an original investment.
return on security investment (ROSI) The return on investment (ROI) based on the reduction of security-related losses compared to the cost of related controls.
right to audit A clause in a contract where one party has the right to conduct an audit of the other party’s operations.
risk Generally, the fact that undesired events can happen that may damage property or disrupt operations; specifically, an event scenario that can result in property damage or disruption.
risk acceptance The risk treatment option where management chooses to accept the risk as is.
risk analysis The process of identifying and studying risks in an organization.
risk appetite The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
risk assessment A process where risks, in the form of threats and vulnerabilities, are identified for each asset.
risk avoidance The risk treatment option involving a cessation of the activity that introduces identified risk.
risk awareness Programmatic activities whose objective is to make business leaders, stakeholders, and other personnel aware of the organization’s information risk management program. See also security awareness.
risk capacity The objective amount of loss that an organization can tolerate without its continued existence being called into question.
risk ledger See risk register.
risk management The management activities used to identify, analyze, and treat risks.
risk mitigation The risk treatment option involving implementation of a solution that will reduce an identified risk.
risk monitoring Ongoing activities including control effectiveness assessments and risk assessments to observe changes in risk.
risk register A business record containing business risks and information about their origin, potential impact, affected assets, probability of occurrence, and treatment.
risk tolerance See risk appetite.
risk transfer The risk treatment option involving the act of transferring risk to another party, such as an insurance company.
risk treatment The decision to manage an identified risk. The available choices are mitigate the risk, avoid the risk, transfer the risk, or accept the risk.
roadmap The list of steps required to achieve a strategic objective.
role A set of user privileges in an application; also, a formal designation assigned to an individual by virtue of a job title or other label.
rollback A step in the software development life cycle where system changes need to be reversed, returning the system to its previous state.
root cause analysis (RCA) Analysis of a problem to identify the underlying origins, not merely factors or symptoms. See also problem management.
sabotage Deliberate damage of an organization’s asset.
salvage The process of recovering components or assets that still have value after a disaster.
sample A portion of a population of records that is selected for auditing.
sample mean The sum of all samples divided by the number of samples.
sample standard deviation A computation of the variance of sample values from the sample mean. This is a measurement of the “spread” of values in the sample.
sampling A technique that is used to select a portion of a population when it is not feasible to test an entire population.
sampling risk The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.
sandbox A security mechanism, often used by antimalware programs, for separating running programs. See also anti-malware.
SANS 20 Critical Security Controls See CIS Controls.
Sarbanes–Oxley A U.S. law requiring public corporations to enact business and technical controls, perform internal audits of those controls, and undergo external audits.
SAS 70 (Statement of Accounting Standards No. 70) An external audit of a service provider. An SAS 70 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). This has been deprecated by SSAE 18. See also Statements on Standards for Attestation Engagements No. 18 (SSAE 18).
scanning tool A security tool that is used to scan files, processes, network addresses, systems, or other objects, often for the purpose of identifying assets or vulnerabilities that may be present in assets.
screening router A network device that filters network traffic based on source and destination IP addresses and ports. See also firewall.
secure coding The practice of developing program source code that is free of security defects. See also secure development training.
secure development training Training for software developers on the techniques of writing secure code and avoiding security defects that could be exploited by adversaries.
secure electronic transaction (SET) A protocol used to protect credit card transactions that uses a digital envelope. SET has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). See also digital envelope, Secure Sockets Layer (SSL), Transport Layer Security (TLS).
Secure Multipurpose Internet Mail Extensions (S/MIME) An e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.
Secure Shell (SSH) A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. SSH can also be used as a tunnel to encapsulate and thereby protect other protocols.
Secure Sockets Layer (SSL) An encryption protocol used to encrypt web pages requested with the HTTPS URL. This has been deprecated by Transport Layer Security (TLS). See also Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS).
security architecture The mission of understanding the interplay between all of the security controls and configurations that work together to protect information systems and information assets.
security audit A formal review of security controls, processes, or systems to determine their state. See also audit.
security awareness A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors. See also risk awareness.
security by design The concept of product and software development that incorporates security into the design of the software rather than as an afterthought.
security governance Management’s control over an organization’s security program.
security incident An event where the confidentiality, integrity, or availability of information (or an information system) has been compromised.
security information and event management (SIEM) A system that collects logs from systems, correlates log data, and produces alerts that require attention.
security incident log A business record consisting of security incidents that have occurred.
security incident management The overall program and activities to ensure that an organization is able to quickly detect, respond, and contain a security incident.
security incident response The formal, planned response that is enacted when a security incident has occurred. See also security incident.
security operations center (SOC) An IT function wherein personnel centrally monitor and manage security functions and devices, watch for security anomalies and incidents, and take actions as warranted.
security policy See information security policy.
security review An examination of a process, procedure, system, program, or other object to determine the state of security.
semiquantitative risk analysis A risk analysis methodology where risks are classified on a simple numeric scale, such as 1 to 5.
segregation of duties (SOD) The concept that ensures single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
separation of duties See segregation of duties (SOD).
server A centralized computer used to perform a specific task.
service continuity management The IT function that consists of activities concerned with the organization’s ability to continue providing services, primarily in the event that a natural or man-made disaster has occurred. See also IT service management (ITSM), business continuity planning (BCP), disaster recovery planning (DRP).
service delivery objective (SDO) The level or quality of service that is required after an event, as compared to business normal operations.
service desk The IT function that handles incidents and service requests on behalf of customers by acting as a single point of contact. See also IT service management (ITSM).
service level agreement (SLA) An agreement that specifies service levels in terms of the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity.
service level management The IT function that confirms whether IT is providing adequate service to its customers. This is accomplished through continuous monitoring and periodic review of IT service delivery. See also IT service management (ITSM).
shadow IT The phenomenon wherein individuals, groups, departments, and business units bypass corporate IT and procure their own computing services, typically through SaaS and IaaS services. See also cloud, infrastructure-as-a-service (IaaS), software-as-a-service (IaaS).
shared responsibility model A model that depicts responsibilities between service providers and customers, typically in a cloud environment.
simulation A test of disaster recovery, business continuity, or security incident response procedures where the participants take part in a “mock disaster” or incident to add some realism to the process of thinking their way through emergency response documents.
single loss expectancy (SLE) The financial loss when a threat is realized one time. SLE is defined as AV × EF. See also asset value (AV), exposure factor (EF).
single point of failure An element or device in a system or network lacking redundancy, and when it fails for any reason, the entire network or system will experience an outage.
smart card A small, credit-card–sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.
smartphone A mobile phone equipped with an operating system and software applications.
smishing Phishing in the context of SMS messaging. See also phishing.
snapshot A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later.
sniffer See packet sniffer.
social engineering The act of using deception to trick an individual into revealing secrets or performing actions.
software defect A defect introduced into a program that results in unexpected behavior. Commonly known as a bug.
Software Engineering Institute Capability Maturity Model (SEI-CMM) A model used to determine the maturity of security processes. See also Capability Maturity Model Integration for Development (CMMi-DEV).
software-as-a-service (SaaS) A software delivery model where an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.
software-defined networking (SDN) A class of capabilities where network infrastructure devices such as routers, switches, and firewalls are created, configured, and managed as virtual devices in virtualization environments.
solid-state drive (SSD) A solid-state device used for persistent data storage, generally a replacement for a hard-disk drive. See also hard disk drive (HDD).
SOX See Sarbanes–Oxley.
spam Unsolicited and unwanted e-mail.
spam filter A central program or device that examines incoming e-mail and removes all messages identified as spam.
span port See network tap.
spear phishing Phishing that is specially crafted for a specific target organization or group. See also CEO fraud, phishing, whaling.
spim Spam or phishing in the context of instant messaging. See also phishing, smishing, spam.
spyware A type of malware where software performs one or more surveillance-type actions on a computer, reporting back to the spyware owner. See also malware.
standard A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.
statement of impact A description of the impact a disaster scenario will have on a business or business process.
Statements on Standards for Attestation Engagements No. 16 (SSAE 16) An audit standard superseded by Statements on Standards for Attestation Engagements No. 18. See also Statements on Standards for Attestation Engagements No. 18 (SSAE 18).
Statements on Standards for Attestation Engagements No. 18 (SSAE 18) A standard for audits performed on a financial service provider. An SSAE 18 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). See also System and Organization Controls 1 (SOC1).
static application security testing (SAST) Tools that are used to scan software source code to identify security defects.
statistical sampling A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen. See also sampling.
steganography Any technique where data is hidden within another data file.
System and Organization Controls 1 (SOC1) An external audit of a service provider. A SOC1 audit is performed according to the SSAE18 standard established by the American Institute of Certified Public Accountants (AICPA). See also Statements on Standards for Attestation Engagements No. 18 (SSAE 18).
System and Organization Controls 2 (SOC2) An external audit of a service provider on one or more of the following trust principles: security, availability, processing integrity, confidentiality, and privacy. A SOC2 audit is performed according to audit standards established by the American Institute of Certified Public Accountants (AICPA).
System and Organization Controls 3 (SOC3) An external audit of a service provider on one or more of the following trust principles: security, availability, processing integrity, confidentiality, and privacy.
stop-or-go sampling A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor thinks there is low risk or a low rate of exceptions in the population. See also sampling.
storage area network (SAN) A stand-alone storage system that can be configured to contain several virtual volumes and connected to many servers through fiber-optic cables.
strategic objective A corporate objective that is a part of a high-level strategy.
strategic planning Activities used to develop and refine long-term plans and objectives.
strategy The plan required to achieve an objective.
stratified sampling A sampling technique where a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class. See also sampling.
stream cipher A type of encryption algorithm that operates on a continuous stream of data, such as a video or audio feed.
strong authentication See multifactor authentication.
supervisory control and data acquisition (SCADA) A control system used to monitor and manage physical machinery in an industrial environment. See also industrial control system (ICS).
symmetric encryption A method for encryption and decryption where it is necessary for both parties to possess a common encryption key.
synchronous replication A type of replication where writing data to a local and to a remote storage system is performed as a single operation, guaranteeing that data on the remote storage system is identical to data on the local storage system. See also replication.
tablet A mobile device with a touchscreen interface. See also mobile device.
technical control A control that is implemented in IT systems and applications.
technology standard A standard that specifies the software and hardware technologies that are used by the IT organization.
telework See remote work.
termination The process of discontinuing employment of an employee or contractor.
terrorist A person or group who perpetrates violence for political or religious reasons.
The Open Group Architecture Framework (TOGAF) A life-cycle enterprise architecture framework used for the design, plan, implementation, and governance of an enterprise security architecture.
third party An external organization providing goods or services to an organization.
third-party risk management (TPRM) The practice of identifying risks associated with the use of outsourced organizations to perform business processes.
threat An event that, if realized, would bring harm to an asset.
threat assessment An examination of threats and the likelihood and impact of their occurrence.
threat hunting The proactive search for intrusions, intruders, and indicators of compromise.
threat intel feed A subscription service containing information about known threats. A threat intel feed can come in the form of human-readable or machine-readable information.
threat intelligence Information about security tools, tactics, and trends of intrusions that can help an organization know how to better protect itself from intrusion.
threat management Activities undertaken by an organization to learn of relevant security threats so that the organization can take appropriate action to counter the threats.
threat modeling The activity of looking for potential threats in a business process, information system, or software application.
Towers of Hanoi A complex backup media rotation scheme that provides for more lengthy retention of some backup media. It is based on the Towers of Hanoi puzzle. See also backup media rotation.
Towers of Sauron A collection of towers, including Dol Guldur, Orthanc, Cirith Ungol, Minas Tirith, Minas Morgul, and Barad-dûr, all located in Middle-earth.
total cost of ownership (TCO) A financial estimate of all of the costs associated with a process or system.
training The process of educating personnel; to impart information or provide an environment where they can practice a new skill.
Transport Layer Security (TLS) An encryption protocol used to encrypt web pages requested with the HTTPS URL. This is a replacement for Secure Sockets Layer (SSL). See also Secure Sockets Layer (SSL), Hypertext Transfer Protocol Secure (HTTPS).
unified extensible firmware interface (UEFI) The firmware on a computer that tests the computer’s hardware and initiates the bootup sequence. UEFI is considered a successor to BIOS. See also basic input/output system (BIOS).
uninterruptible power supply (UPS) A system that filters the incoming power of spikes and other noise and supplies power for short periods through a bank of batteries.
user A business or customer who uses an information system.
user behavior analytics (UBA) A capability where user behavior is baselined and anomalous activities trigger events or alarms.
user ID An identifier that is created by a system manager and issued to a user for the purpose of identification or authentication.
variable sampling A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population. See also sampling.
vendor standard A standard that specifies which suppliers and vendors are used for various types of products and services.
virtual machine A software implementation of a computer, usually an operating system or other program running within a hypervisor. See also hypervisor.
virtualization Software technology that separates the physical computing environment from the software that runs on a system, permitting several instances of operating systems to operate concurrently and independently on a single system.
virus A type of malware where fragments of code attach themselves to executable programs and are activated when the program they are attached to is run.
vulnerability A weakness that may be present in a system that can be exploited by a threat.
vulnerability assessment An assessment whose objective is to identify vulnerabilities in target assets.
vulnerability management A formal business process that is used to identify and mitigate vulnerabilities in an IT environment.
walk-through A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. A walk-through is performed by an entire group of individuals in a live discussion.
war room A meeting room or other place where incident responders will gather to coordinate incident response activities.
warm site An alternate processing center where recovery systems are present but at a lower state of readiness than recovery systems at a hot site. For example, while the same version of the operating system may be running on the warm site system, it may be a few patch levels behind primary systems.
watering hole attack An attack on one more organizations that is performed by introducing malicious code on a web site that personnel in target organizations are thought to frequent.
weaponization The process of creating or obtaining malware that is to be delivered to a target as a part of a computer intrusion.
web application firewall (WAF) A firewall that examines the contents of information in transit between a web server and its users, for the purpose of identifying and blocking malicious content that could represent an attack on the web server.
web content filter A central program or device that monitors and, optionally, filters web communications. A web content filter is often used to control the sites (or categories of sites) that users are permitted to access from the workplace. Some web content filters can also protect an organization from malware.
web proxy filter See web content filter.
web server A server that runs specialized software that makes static and dynamic HTML pages available to users.
web-based application An application design where the database and all business logic are stored on central servers and where user workstations use only web browsers to access the application.
whaling Spear phishing that targets executives and other high-value and high-privilege individuals in an organization. See also CEO fraud, phishing, spear phishing.
white list In a security system, a list of identifiers that should always be permitted, regardless of their other characteristics.
whole-disk encryption The practice of encrypting the main storage on a server, workstation, or mobile device.
wiper Malware designed to wipe the hard drive of a system.
wired equivalent privacy (WEP) A now deprecated encryption protocol used by WiFi networks.
worm A type of malware containing stand-alone programs capable of human-assisted and automatic propagation.
Zachman framework An enterprise architecture framework used to describe an IT architecture in increasing levels of detail.
- Consider a Alphabetically-ordered Glossary
- Consider a glossary of terms.
- Consider a glossary of File Formats