CISSP Glossary Flashcards
Acceptable risk
A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.
Access control system
Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.
Access control tokens
The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.
Accountability
Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.
ActiveX Data Objects (ADO)
A Microsoft high-level interface for all kinds of data.
Address Resolution Protocol
ARP
Is used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment.
Algorithm
A mathematical function that is used in the encryption and decryption processes.
Asset
An item perceived as having value.
Asset lifecycle
The phases that an asset goes through from creation (collection) to destruction.
Asymmetric
Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt.
Attack surface
Different security testing methods find different vulnerability types.
Attribute- based access control (ABAC)
This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.
Audit/auditing
The tools, processes, and activities used to perform compliance reviews.
Authorization
The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.
Availability
Ensuring timely and reliable access to and use of information by authorized users.
Baselines
A minimum level of security.
Bit
Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.
Black-box testing
Testing where no internal details of the system implementation are used.
Bluetooth
Wireless Personal Area Network IEEE 802.15
Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices.
Bridges
Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses.
Business continuity (BC)
Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.
Business continuity and disaster recovery
BCDR
A term used to jointly describe business continuity and disaster recovery efforts.
Business impact analysis (BIA)
A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.
Capability Maturity Model for Software or
Software Capability Maturity Model
(CMM or SW-CMM)
Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level.
Cellular Network
A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.
Certificate authority
CA
An entity trusted by one or more users as an authority that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.
Change management
A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
CIA/AIC Triad
Security model with the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.
Ciphertext
The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret.
Classification
Arrangement of assets into categories.
Clearing
The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.
Code-division multiple access (CDMA)
Every call’s data is encoded with a unique key, then the calls are all transmitted at once.
Common Object Request Broker Architecture (CORBA)
A set of standards that addresses the need for interoperability between hardware and software products.
Compliance
Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.
Computer virus
A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.
Concentrators
Multiplex connected devices into one signal to be transmitted on a network.
Condition coverage
This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Configuration management (CM)
A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).
Confusion
Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.
Content Distribution Network (CDN)
Is a large distributed system of servers deployed in multiple data centers across the internet.
Covert channel
An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.
Covert security testing
Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test.
Crossover Error Rate (CER)
This is achieved when the type I and type II are equal.
Cryptanalysis
The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography.
Cryptography
Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity, non-repudiation, and access control.
Cryptology
The science that deals with hidden, disguised, or encrypted information and communications.
Curie Temperature
The critical point where a material’s intrinsic magnetic alignment changes direction.
Custodian
Responsible for protecting an asset that has value, while in the custodian’s possession.
Data classification
Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category.
Data custodian
The person/role within the organization owner/controller.
Data flow coverage
This criteria requires sufficient test cases for each feasible data flow to be executed at least once.
Data mining
A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.
Data owner/ controller
An entity that collects or creates PII.
Data subject
The individual human related to a set of personal data.
Database Management System (DBMS)
A suite of application programs that typically manages large, structured sets of persistent data.
Database model
Describes the relationship between the data elements and provides a framework for organizing the data.
Decision (branch) coverage
Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.
Decryption
The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.
Defensible destruction
Eliminating data using a controlled, legally defensible, and regulatory compliant way.
DevOps
An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.
Diffusion
Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion.
Digital certificate
An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA).
Digital rights management (DRM)
A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques.
Digital signatures
Provide authentication of a sender and integrity of a sender’s message and non-repudiation services.
Disaster recovery (DR)
Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.
Discretionary access control (DAC)
The system owner decides who gets access.
Due care
A legal concept pertaining to the duty owed by a provider to a customer.
Due diligence
Actions taken by a vendor to demonstrate/ provide due care.
Dynamic or Private Ports
Ports 49152 – 65535. Whenever a service is requested that is associated with Well- Known or Registered Ports those services will respond with a dynamic port.
Dynamic testing
When the system under test is executed and its behavior is observed.
Encoding
The action of changing a message into another format through the use of a code.
Encryption
The process of converting the message from its plaintext to ciphertext.
False Acceptance Rate (Type II)
This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.
False Rejection Rate (Type I)
This is failure to recognize a legitimate user.
Fibre Channel over Ethernet (FCoE)
A lightweight encapsulation protocol, and it lacks the reliable data transport of the TCP layer.
Firewalls
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
Frame
Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.
Global System for Mobiles (GSM)
Each call is transformed into digital data that is given a channel and a time slot.
Governance
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Governance committee
A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.
Guidelines
Suggested practices and expectations of activity to best accomplish tasks and attain goals.
Hash function
Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.
Honeypots/ honeynets
Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy maliciousor unauthorized intruders, as a means ofdelaying their attempts to accessproduction data/assets. A number ofmachines of this kind, linked together as anetwork or subnet, are referred to as a “honeynet.”