Glossary Flashcards

1
Q

What is Adequate Security?

A

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information.

Source: OMB Circular A-130

2
Q

What are Administrative Controls?

A

Controls implemented through policy and procedures. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager. 

3
Q

What are Adverse Events?

A

Events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a web page or execution of malicious code that destroys data.

4
Q

What is an Application Programming Interface (API)?

A

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

5
Q

What is an Application Server?

A

A computer responsible for hosting applications to user workstations.

Source: NIST SP 800-82 Rev.2

6
Q

What is Artificial Intelligence?

A

The ability of computers and robots to simulate human intelligence and behavior.

7
Q

What is an Asset?

A

Anything of value that is owned by an organization, including tangible items like information systems and physical property, and intangible assets like intellectual property.

8
Q

What is Asymmetric Encryption?

A

An algorithm that uses one key to encrypt and a different key to decrypt the input plaintext.

9
Q

What is an Audit?

A

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

Source: NIST SP 1800-15B

10
Q

What is Authentication?

A

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator. 

11
Q

What is Authorization?

A

The right or a permission that is granted to a system entity to access a system resource.

Source: NIST 800-82 Rev.2

12
Q

What is Availability?

A

Ensuring timely and reliable access to and use of information by authorized users.

13
Q

What is a Baseline?

A

A documented, lowest level of security configuration allowed by a standard or organization.

14
Q

What is a Biometric?

A

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

15
Q

What is a Bit?

A

The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

16
Q

What is a Bot?

A

Malicious code that acts like a remotely controlled ‘robot’ for an attacker, with other Trojan and worm capabilities.

17
Q

What is a Breach?

A

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose.

Source: NIST SP 800-53 Rev. 5

18
Q

What is Broadcast?

A

Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.

19
Q

What is Business Continuity (BC)?

A

Actions, processes and tools for ensuring an organization can continue critical operations during a contingency.

20
Q

What is a Business Continuity Plan (BCP)?

A

The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.

21
Q

What is a Business Impact Analysis (BIA)?

A

An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Source: NIST SP 800-34 Rev. 1

22
Q

What is a Byte?

A

A unit of digital information that most commonly consists of eight bits.

23
Q

What is a Checksum?

A

A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.

24
Q

What is Ciphertext?

A

The altered form of a plaintext message so it is unreadable for anyone except the intended recipients.

25
Q

What is Classification?

A

Classification identifies the degree of harm to the organization, its stakeholders or others that might result if an information asset is divulged to an unauthorized person, process or organization. In short, classification is focused first and foremost on maintaining the confidentiality of the data, based on the data sensitivity. 

26
Q

What is Classified or Sensitive Information?

A

Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.

27
Q

What is Cloud Computing?

A

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Source: NIST 800-145

28
Q

What is a Community Cloud?

A

A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises.

Source: NIST 800-145

29
Q

What is Confidentiality?

A

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

Source: NIST 800-66

30
Q

What is Configuration Management?

A

A process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.

31
Q

What is Crime Prevention through Environmental Design (CPTED)?

A

An architectural approach to the design of buildings and spaces that emphasizes passive features to reduce the likelihood of criminal activity.

32
Q

What is Criticality?

A

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

Source: NIST SP 800-60 Vol. 1, Rev. 1

33
Q

What is a Cryptanalyst?

A

One who performs cryptanalysis, which is the study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself. 

34
Q

What is Cryptography?

A

The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning. 

35
Q

What is Data Integrity?

A

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit.

Source: NIST SP 800-27 Rev A

36
Q

What is Data Loss Prevention (DLP)?

A

System capabilities designed to detect and prevent the unauthorized use and transmission of information.

37
Q

What is Decryption?

A

The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption).

This term is also used interchangeably with “deciphering.” 

38
Q

What is De-encapsulation?

A

The opposite process of encapsulation, in which bundles of data are unpacked or revealed.

39
Q

What is Defense in Depth?

A

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Source: NIST SP 800-53 Rev 4

40
Q

What is Degaussing?

A

A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data. 

41
Q

What is Denial-of-Service (DoS)?

A

The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

Source: NIST SP 800-27 Rev A

42
Q

What is a Digital Signature?

A

The result of a cryptographic transformation of data which, when properly implemented, provides the services of: origin authentication, data integrity, and signer non-repudiation.

Source: NIST SP 800-12 Rev. 1

43
Q

What is a Disaster?

Related to business organization.

A

A disaster is when an organization’s critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.

44
Q

What is Disaster Recovery (DR)?

A

In information systems terms, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale. 

45
Q

What is a Disaster Recovery Plan (DRP)?

A

The processes, policies and procedures related to preparing for recovery or continuation of an organization’s critical business functions, technology infrastructure, systems and applications after the organization experiences a disaster.

46
Q

What is Discretionary Access Control (DAC)?

A

A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.

Source: NIST SP 800-192

47
Q

What is Domain Name Service (DNS)?

A

This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.

48
Q

What is Egress Monitoring?

A

Monitoring of outgoing network traffic.

49
Q

What is Encapsulation?

A

Enforcement of data hiding and code hiding during all phases of software development and operational use.

Also used to refer to taking any set of data, and packaging it, or hiding it in another data structure, as is common in network protocols and encryption.

The process of enclosing data within a specific protocol header as it moves through the layers of a network model, such as the OSI or TCP/IP model. Each layer adds its own header (and sometimes trailer) to the data, forming a “data packet” that is transmitted over the network.

50
Q

What does Encrypt mean?

A

To protect private information by converting it into a form that can only be read by authorized individuals.

51
Q

What is Encryption?

A

The process of converting a message from plaintext to ciphertext, sometimes referred to as enciphering.

52
Q

What is an Encryption System?

A

The total set of algorithms, processes, hardware, software, and procedures that provide encryption and decryption capability.

53
Q

What is an Event in a network or system?

A

Any observable occurrence in a network or system.

Source: NIST SP 800-61 Rev 2

54
Q

What is an Exploit?

A

A particular attack. It is named this way because these attacks exploit system vulnerabilities. 

55
Q

What is File Transfer Protocol (FTP)?

A

The internet protocol (and program) used to transfer files between hosts. 

56
Q

What are Firewalls?

A

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

57
Q

What is a Fragment Attack?

A

An attack where an attacker fragments traffic so that a system cannot reassemble data packets.

58
Q

What is the General Data Protection Regulation (GDPR)?

A

Comprehensive legislation passed by the European Union in 2016 that addresses personal privacy, deeming it an individual human right. 

59
Q

What is Governance?

A

The process of how an organization is managed, including how decisions are made regarding policies, roles, and procedures.