CISSP (Glossary)

Question 1

access

Answer 1

A subject’s ability to view, modify, or communicate with an object. Access
enables the flow of information between the subject and the object.

Question 2

access control

Answer 2

Mechanisms, controls, and methods of limiting access to resources
to authorized subjects only.

Question 3

access control list (ACL)

Answer 3

A list of subjects that are authorized to access a particular
object. Typically, the types of access are read, write, execute, append, modify,
delete, and create.

Question 4

access control mechanism

Answer 4

Administrative, physical, or technical control that is

designed to detect and prevent unauthorized access to a resource or environment.

Question 5

accountability

Answer 5

A security principle indicating that individuals must be identifiable
and must be held responsible for their actions.

Question 6

accredited

Answer 6

A computer system or network that has received official authorization
and approval to process sensitive data in a specific operational environment. There
must be a security evaluation of the system’s hardware, software, configurations, and
controls by technical personnel.

Question 7

add-on security

Answer 7

Security protection mechanisms that are hardware or software

retrofitted to a system to increase that system’s protection level.

Question 8

administrative controls

Answer 8

Security mechanisms that are management’s responsibility
and referred to as “soft” controls. These controls include the development and publication
of policies, standards, procedures, and guidelines; the screening of personnel; security-
awareness training; the monitoring of system activity; and change control procedures.

Question 9

AIC triad

Answer 9

The three security principles: availability, integrity, and confidentiality

Question 10

annualized loss expectancy (ALE)

Answer 10

A dollar amount that estimates the loss
potential from a risk in a span of a year.
single loss expectancy (SLE) × annualized rate of occurrence (ARO) = ALE

Question 11

annualized rate of occurrence (ARO)

Answer 11

The value that represents the estimated

possibility of a specific threat taking place within a one-year timeframe.

Question 12

assurance

Answer 12

A measurement of confidence in the level of protection that a specific
security control delivers and the degree to which it enforces the security policy.

Question 13

attack

Answer 13

An attempt to bypass security controls in a system with the mission of using
that system or compromising it. An attack is usually accomplished by exploiting a current
vulnerability.

Question 14

audit trail

Answer 14

A chronological set of logs and records used to provide evidence of a
system’s performance or activity that took place on the system. These logs and records
can be used to attempt to reconstruct past events and track the activities that took place,
and possibly detect and identify intruders.

Question 15

authenticate

Answer 15

To verify the identity of a subject requesting the use of a system and/
or access to network resources. The steps to giving a subject access to an object should
be identification, authentication, and authorization.

Question 16

authorization

Answer 16

Granting access to an object after the subject has been properly
identified and authenticated.

Question 17

automated information system (AIS)

Answer 17

A computer system that is used to process
and transmit data. It is a collection of hardware, software, and firmware that works
together to accept, compute, communicate, store, process, transmit, and control dataprocessing
functions.

Question 18

availability

Answer 18

The reliability and accessibility of data and resources to authorized individuals
in a timely manner.

Question 19

audit trail

Answer 19

A chronological set of logs and records used to provide evidence of a
system’s performance or activity that took place on the system. These logs and records
can be used to attempt to reconstruct past events and track the activities that took place,
and possibly detect and identify intruders.

Question 20

authenticate

Answer 20

To verify the identity of a subject requesting the use of a system and/
or access to network resources. The steps to giving a subject access to an object should
be identification, authentication, and authorization.

Question 21

authorization

Answer 21

Granting access to an object after the subject has been properly
identified and authenticated.

Question 22

automated information system (AIS)

Answer 22

A computer system that is used to process
and transmit data. It is a collection of hardware, software, and firmware that works
together to accept, compute, communicate, store, process, transmit, and control dataprocessing
functions.

Question 23

availability

Answer 23

The reliability and accessibility of data and resources to authorized individuals
in a timely manner.

Question 24

back up

Answer 24

Copy and move data to a medium so that it may be restored if the original
data is corrupted or destroyed. A full backup copies all the data from the system to the
backup medium. An incremental backup copies only the files that have been modified
since the previous backup. A differential backup backs up all files since the last full backup.

Question 25

backdoor

Answer 25

An undocumented way of gaining access to a computer system. After a
system is compromised, an attacker may load a program that listens on a port (backdoor)
so that the attacker can enter the system at any time. A backdoor is also referred
to as a trapdoor.

Question 26

baseline

Answer 26

The minimum level of security necessary to support and enforce a security
policy.

Question 27

Bell-LaPadula model

Answer 27

The model uses a formal state transition model that describes
its access controls and how they should perform. When the system must transition
from one state to another, the security of the system should never be lowered or
compromised. See also multilevel security, simple security property, and star property
(*-property).