A

Question 1

Acceptable interruption window

Answer 1

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.

Question 2

Acceptable use policy

Answer 2

A policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet

Question 3

Access control

Answer 3

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Question 4

Access path

Answer 4

The logical route that an end user takes to access computerized information.

Question 5

Access rights

Answer 5

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Question 6

Accountability

Answer 6

The ability to map a given activity or event back to the responsible party

Question 7

Administrative control

Answer 7

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.

Question 8

Advanced Encryption Standard (AES)

Answer 8

A public algorithm that supports keys from 128 bits to 256 bits in size

Question 9

Advanced persistent threat (APT)

Answer 9

An adversary that possesses sophisticated levels of expertise and significant resources, which allow them to create opportunities to achieve their objectives by using multiple attack vectors, e.g., cyber, physical, and
deception. These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or
impeding critical aspects of a mission themselves to carry out these objectives in the future.

Question 10

Alert situation

Answer 10

The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.

Question 11

Algorithm

Answer 11

A finite set of well-defined, unambiguous rules for the solution of a problem in a finite number of steps, it is a sequence of operational actions that lead to a desired goal and is the basic building block of a program

Question 12

Alternate facilities

Answer 12

Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed

Question 13

Alternate process

Answer 13

Automatic or manual process designed and established to continue critical business processes from point-of failure to return-to-normal

Question 14

Annual loss expectancy (ALE)

Answer 14

The total expected loss divided by the number of years in the forecast period yielding the average annual loss

Question 15

Anomaly detection

Answer 15

Detection on the basis of whether the system activity matches that defined as abnormal

Question 16

Antimalware

Answer 16

A widely used technology to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware

Question 17

Antiphishing

Answer 17

Software that identifies phishing content and attempts to block the content or warn the user about the suspicious nature of the content

Question 18

Antivirus software

Answer 18

An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been
infected.

Question 19

Application controls

Answer 19

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.

Question 20

Application programming interface (API)

Answer 20

A set of routines, protocols and tools referred to as building blocks used in business application software
development

Question 21

Application service provider (ASP)

Answer 21

Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility.

Question 22

Architecture

Answer 22

Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives

Question 23

Asset inventory

Answer 23

A register that is used to record all relevant assets 24 Asset value The value of an asset to both the business and to competitors

Question 24

Asset

Answer 24

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Question 25

Asymmetric key (public key)

Answer 25

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Question 26

Attack vector

Answer 26

A path or route used by the adversary to gain access to the target (asset)

Question 27

Audit trail

Answer 27

Data in the form of a logical path linking a sequence of events, used to trace the transactions that have affected the contents of a record

Question 28

Authentication

Answer 28

The act of verifying the identity of a user, the user’s eligibility to access computerized information

Question 29

Authorization

Answer 29

The process of determining if the end user is permitted to have access to an information asset or the information system containing the asset.

Question 30

Availability

Answer 30

Ensuring timely and reliable access to and use of information

Question 31

Authentication

Answer 31

The act of verifying identity, i.e., user, system