C-GLOSSARY Flashcards

1
Q

Capability Maturity Model Integration (CMMI)

A

Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes, to disciplined, mature processes, with improved quality and effectiveness.

2
Q

Certificate (certification) authority (CA)

A

A trusted third party that serves authentication infrastructures or enterprises by registering entities and issuing them certificates that bind their identities to their public keys.

3
Q

Certificate revocation list (CRL)

A

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL lists the serial numbers of digital certificates that the CA has revoked before their expiry; it is signed by the CA and reissued on a schedule. A certificate revoked after the latest issue is still reported as valid until the next update, so the time gap between two updates is critical and is itself a risk in digital certificate verification. Relying parties should also treat a CRL whose next-update time has passed as stale rather than as authoritative.

4
Q

Certification practice statement

A

A detailed set of rules governing the certificate authority’s operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA). Stated in terms of the controls that an organization observes, the method it uses to validate the authenticity of certificate applicants and the CA’s expectations of how its certificates may be used.

5
Q

Chain of custody

A

A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. This includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited.
Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence so it cannot be changed (for digital media, by working from a forensic image whose cryptographic hash matches that of the original) and by providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering.

6
Q

Chain of evidence

A

A process and record that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification, analysis, storage, preservation, presentation in court, return to owner.

7
Q

Challenge/response token

A

A method of user authentication in which the server proves that the client holds a shared secret without the secret crossing the wire; the Challenge Handshake Authentication Protocol (CHAP, RFC 1994) is the common example. When a user tries to log on, the server sends a “challenge,” a fresh random value. The client transforms the challenge with the secret (a hardware token typically encrypts it with a key held in the token; CHAP hashes an identifier, the password and the challenge with MD5) and returns the result. The server holds the same secret, computes the same value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity can be repeated throughout the session, and because each challenge is new, a response captured by password sniffing cannot be replayed. It does not protect against everything: a captured challenge/response pair permits an offline dictionary attack on weak passwords, the server must store the password in a recoverable form, and a random challenge alone does not stop a “man-in-the-middle” who simply relays the challenge and the response between the legitimate client and server; defeating that requires binding the exchange to an authenticated channel.

8
Q

Change management

A

A holistic and proactive approach to managing the transition from a current to a desired organizational state.

9
Q

Checksum

A

A mathematical value computed over a file and kept alongside or apart from it, used to “test” the file at a later date to verify that the data it contains have not been changed, accidentally or maliciously.
A cryptographic checksum is created by a cryptographic algorithm (a hash function or a keyed message authentication code) that maps the data in the file to a fixed-length string called a hash value or tag, which is then used as the checksum. Its security does not depend on keeping the algorithm secret. For an unkeyed hash it rests on the infeasibility of finding a second input with the same hash value, which protects the data only if the hash value itself is stored or delivered where an unauthorized person cannot replace it along with the data. For a keyed message authentication code (MAC, e.g. HMAC) it rests on a secret key, without which no valid checksum for altered data can be produced.
Cryptographic checksums are used in data transmission and data storage. They are also known as message authentication codes, integrity check values, modification detection codes or message integrity codes; strictly, a message authentication code is the keyed form and a modification detection code the unkeyed form.

10
Q

Chief information officer (CIO)

A

The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO), who deals in knowledge, not just information. Also see chief technology officer.

11
Q

Chief information security officer (CISO)

A

Responsible for managing information risk, the information security program, and ensuring appropriate confidentiality, integrity and availability of information assets

12
Q

Chief security officer (CSO)

A

Typically responsible for physical security in the organization although increasingly the CISO and CSO roles are merged.

13
Q

Chief technology officer (CTO)

A

The individual who focuses on technical issues in an organization.

14
Q

Cloud computing

A

An approach using external services for convenient, on-demand IT operations using a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Typical service models are infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity and measured service).
It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them, and provides four deployment models for enterprise access (private cloud, community cloud, public cloud and hybrid cloud).

15
Q

Common vulnerabilities and exposures (CVE)

A

A system that provides a reference method (one unique CVE identifier per flaw) for publicly known information-security vulnerabilities and exposures.
The MITRE Corporation maintains the system, sponsored by the United States Department of Homeland Security (originally through its National Cyber Security Division, today through the Cybersecurity and Infrastructure Security Agency, CISA).

16
Q

Compensating control

A

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

17
Q

Computer forensics

A

The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities.
As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

18
Q

Content filtering

A

Controlling access to a network by analyzing the contents of incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet (the payload) that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags).

19
Q

Contingency plan

A

A plan used by an organization or business unit to respond to a specific systems failure or disruption

20
Q

Continuous monitoring

A

The process implemented to maintain a current security status for one or more information systems, or for the entire suite of information systems on which the operational mission of the enterprise depends.
The process includes:
1) developing a strategy to regularly evaluate selected IS controls/metrics;
2) recording and evaluating IS-relevant events and the effectiveness of the enterprise in dealing with those events;
3) recording changes to IS controls, or changes that affect IS risks; and
4) publishing the current security status to enable information-sharing decisions involving the enterprise.

21
Q

Control

A

The means of managing risk, including policies, procedures, guidelines, practices or organizational structures which can be of an administrative, technical, management or legal nature.

22
Q

Control center

A

Hosts the recovery meetings where disaster recovery operations are managed.

23
Q

Controls policy

A

A policy defining control operational and failure modes (e.g., fail secure, fail open, allowed unless specifically denied, denied unless specifically permitted).

24
Q

Corporate governance

A

The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.

25
Q

COSO

A

Committee of Sponsoring Organizations of the Treadway Commission. Its report “Internal Control–Integrated Framework” is an internationally accepted standard for corporate governance. See www.coso.org.

26
Q

Cost-benefit analysis

A

A systematic process for calculating and comparing benefits and costs of a project, control or decision.

27
Q

Countermeasures

A

Any process that directly reduces a threat or vulnerability.

28
Q

Criticality

A

A measure of the impact that the failure of a system to function as required will have on the organization

29
Q

Criticality analysis

A

An analysis to evaluate resources or business functions to identify their importance to the organization, and the impact if a function cannot be completed or a resource is not available.

30
Q

Cryptographic algorithm

A

A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.

31
Q

Cryptographic strength

A

A measure of the expected number of operations required to defeat a cryptographic mechanism.

32
Q

Cryptography

A

The art of designing, analyzing and attacking cryptographic schemes.

33
Q

Cyclic redundancy check (CRC)

A

An error-detecting code appended to data to verify that they have not been accidentally altered after being sent through a communication channel. The CRC is the remainder of a polynomial division of the data, so it reliably catches the random bit errors and truncation a noisy channel produces, but it is not a cryptographic checksum: anyone who can modify the data can recompute a matching CRC, so it gives no protection against deliberate tampering.
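The distinction between an error-detecting code, an unkeyed cryptographic hash and a keyed MAC, drawn in the Checksum (card 9) and Cyclic redundancy check (card 33) entries, as an added example that is not part of the glossary. It uses Python’s standard zlib, hashlib and hmac modules; the message, the attacker’s substitution and the shared key are constructed, and the function names are the example’s own.

```python
"""Integrity checks compared: CRC-32, an unkeyed hash (SHA-256) and a keyed
message authentication code (HMAC-SHA256).

Added example for the Checksum and Cyclic redundancy check cards; it is not
part of the glossary. The message, the attacker's substitution and the
shared key are constructed for illustration, and the function names are the
example's own.
"""
import hashlib
import hmac
import zlib
from typing import Callable, Dict, Union

# Constructed message and the version an attacker on the channel wants delivered.
ORIGINAL = b"transfer amount=100 to=alice"
TAMPERED = b"transfer amount=900 to=mallory"

# Constructed shared key held only by sender and receiver. In practice it comes
# from a key-management system, never from source code.
SHARED_KEY = bytes(range(32))

Tag = Union[int, str]


def crc32_tag(data: bytes) -> int:
    """CRC-32 as used in Ethernet frames, ZIP and PNG: the remainder of a
    polynomial division. Excellent against noise, worthless against an adversary."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_tag(data: bytes) -> str:
    """Unkeyed cryptographic hash. Nobody can find a second message with the
    same digest, but anybody can compute the digest of a message of their own."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed MAC. A valid tag for new data requires the key; knowing the
    algorithm (it is public) helps the attacker not at all."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison: a plain `==` stops at the first wrong byte and
    leaks through timing how much of a guessed tag is already correct."""
    return hmac.compare_digest(hmac_tag(data, key), tag)


TAG_FUNCS: Dict[str, Callable[[bytes], Tag]] = {
    "crc32": crc32_tag,
    "sha256": sha256_tag,
    "hmac": hmac_tag,
}


def crc_catches_bit_flip(bit: int = 37) -> bool:
    """The case CRC exists for: one bit flipped by line noise while the
    sender's CRC travels untouched alongside the data."""
    damaged = bytearray(ORIGINAL)
    damaged[bit // 8] ^= 1 << (bit % 8)
    return crc32_tag(bytes(damaged)) != crc32_tag(ORIGINAL)


def tag_as_received(scheme: str, tag_out_of_band: bool) -> Tag:
    """The tag the receiver ends up holding after an attacker has replaced
    ORIGINAL with TAMPERED on the channel. In band, the attacker rewrites any
    tag they can compute; out of band (e.g. a digest on the vendor's signed
    download page) the genuine tag reaches the receiver untouched."""
    if tag_out_of_band:
        return TAG_FUNCS[scheme](ORIGINAL)
    if scheme == "hmac":
        return hmac_tag(ORIGINAL)  # no key: the attacker can only forward the old tag
    return TAG_FUNCS[scheme](TAMPERED)  # unkeyed: attacker recomputes over their own data


def receiver_detects_substitution(scheme: str, tag_out_of_band: bool = False) -> bool:
    """True if the receiver, recomputing the check over what arrived,
    notices that the data were replaced."""
    received = tag_as_received(scheme, tag_out_of_band)
    if scheme == "hmac":
        return not verify_hmac(TAMPERED, str(received))
    return TAG_FUNCS[scheme](TAMPERED) != received


if __name__ == "__main__":
    print("CRC catches a random bit flip:", crc_catches_bit_flip())
    for scheme in ("crc32", "sha256", "hmac"):
        print(f"{scheme:7} tag in band, attacker on channel -> detected:",
              receiver_detects_substitution(scheme))
    print("sha256  digest delivered out of band      -> detected:",
          receiver_detects_substitution("sha256", tag_out_of_band=True))
```

The output shows the point both cards make: CRC-32 and a bare SHA-256 travelling with the data are recomputed by the attacker and the substitution passes, the same SHA-256 delivered over a channel the attacker cannot write to does catch it, and HMAC catches it even when tag and data travel together.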