Glossary A Flashcards

1
Q

Expanding on functional testing to include operations outside of the intended use of an application in order to test for security flaws or application stability problems

A

Abuse case testing

2
Q

Modern approach to development that uses an iterative process of “sprints” to segment coding and features into manageable chunks

A

Agile

3
Q

Value derived by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). ALE = SLE x ARO

A

ALE (annualized loss expectancy)

4
Q

A tool that sits between client systems and the back-end services they call via API requests in order to serve as a reverse proxy for security and performance capabilities

A

API Gateway

5
Q

A set of functions, routines, tools or protocols for building applications. Allows for interaction between systems and applications that can be leveraged by developers as building blocks for their applications and data access through a common method, without custom coding for each integration

A

Application Programming Interface (API)

6
Q

Estimated number of times a threat will successfully exploit a given vulnerability over the course of a single year

A

ARO (Annualized rate of occurrence)

7
Q

A threat-modeling approach composed of Architecture, Threats, Attack Surfaces, and Mitigations

A

ATASM

8
Q

The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance

A

Auditability

9
Q

The process of evaluating credentials presented by a user, application, or service to prove its identity as compared to values already known and verified by the authentication system

A

Authentication

10
Q

The process of granting or denying access to a system, network, or application after successful authentication has been performed, based on approved criteria set by policy or regulation

A

Authorization

11
Q

Means or method of accessing a system or application while bypassing the typical and required authentication and authorization methods. Can be unauthenticated methods discovered by malicious actors to get into a system, or they can be methods purposefully employed by developers or support staff to access systems for maintenance or other support activities. Created by developers or hackers.

A

Backdoor

12
Q

Part of the change management process, which establishes an agreed-upon standard configuration and the attributes that comprise it and forms the basis for managing change from that point forward

A

Baseline

13
Q

Heavily fortified system that serves as a jump box or proxy between an untrusted network and trusted networks

A

bastion host

14
Q

Refers to collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them. Often applied in regard to predictive analysis and user analytics of data sets rather than referring to a specific size of the data involved.

A

Big Data

15
Q

The practice of allowing employees of an organization to use their own computers, phones, tablets or other electronic resources to access official computing resources, rather than using devices provided and supported by the organization.

A

Bring your own device (BYOD)

16
Q

The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or a disruption of service

A

Business Continuity

17
Q

A process designed to identify risks, threats, and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation strategies and response processes should they occur

A

Business continuity management

18
Q

A developed and tested document, containing information from stakeholders and staff, for the continuation of operations and services in the event of a disruption or incident

A

Business continuity plan

19
Q

A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption

A

Business Impact Analysis (BIA)

20
Q

Formal documentation showing the chronological control and disposition of data or evidence, either physical or electronic. Includes creation, all changes of possession, and final disposition. It is absolutely essential to maintain the integrity of evidence and its admissibility in legal proceedings.

A

Chain of custody

21
Q

Group that assists the change team and change management process by evaluating, prioritizing, and approving change requests

A

Change Advisory Board (CAB)

22
Q

Individual with a role in the change management process who ensures the overall change process is properly executed. This person also directly handles low-level tasks related to the change process.

A

Change Manager

23
Q

A software tool or service that sits between cloud resources and the clients or systems accessing them. It serves as a gateway that can perform a variety of security and policy enforcement functions. Can consolidate and perform the functions of firewalls and web application firewalls as well as provide authentication and data loss prevention capabilities.

A

Cloud Access Security Broker (CASB)

24
Q

Application that is never installed on a local server or desktop but is instead accessed via network or the Internet. Merges the functionality of a local application with the accessibility of a web-based application

A

Cloud Application

25
Q

Within a PaaS implementation, this serves as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise the platform, and the language describing the overall platform, its components and services, and the metadata about it

A

Cloud Application Management for Platforms (CAMP)

26
Q

An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications. Responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used

A

Cloud Auditor

27
Q

The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center

A

Cloud Backup

28
Q

A public or private cloud services organization that offers backup services to either the public or organizational clients, either on a free basis or using various costing models based on either the amount of data or number of systems

A

Cloud backup service provider

29
Q

services that run within a public or private cloud offering backup solutions, either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system

A

cloud backup solutions

30
Q

a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud model is composed of five essential characteristics, three service models, and four deployment models

A

Cloud Computing

31
Q

An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider

A

Cloud Computing reseller

32
Q

A formally published guide by the Cloud Security Alliance that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. Allows a cloud provider to structure its security approach.

A

Cloud Controls Matrix (CCM)

33
Q

An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.

A

Cloud Customer

34
Q

The ability to move data between cloud providers

A

Cloud data portability

35
Q

A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application. Elasticity, scalability, and high availability can be achieved and maximized.

A

Cloud database

36
Q

How cloud computing is delivered through a set of particular configurations and features of virtual resources. The cloud deployment models are public, private, hybrid, and community.

A

Cloud Deployment Model

37
Q

The creation of a public cloud environment through the offering of services or infrastructure

A

Cloud enablement

38
Q

The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment

A

Cloud Management

39
Q

The process of moving services, systems, applications, or data from a traditional data center hosting model into a cloud environment

A

Cloud migration

40
Q

Used to denote an operating system in a Platform as a Service (PaaS) implementation and signify the implementation within a cloud environment

A

Cloud Operating System

41
Q

A service provider that makes storage or software applications available via the Internet or private networks to customers. Since applications are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customers

A

Cloud Provider

42
Q

The process of allocating cloud resources from the cloud provider to the cloud customers based on specific requests and requirements of the customers as far as the number of virtual machines and their specific computing resources

A

Cloud Provisioning

43
Q

The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment

A

Cloud Security Alliance (CSA)

44
Q

The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that’s done in a traditional data center

A

Cloud Server Hosting

45
Q

Capabilities offered via a cloud provider and accessible via a client

A

Cloud service

46
Q

A partner that serves as an intermediary between a cloud service customer and cloud service provider

A

Cloud Service Broker

47
Q

A group of cloud services with a common set of features or qualities

A

Cloud Service Category

48
Q

One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery

A

Cloud Service Partner

49
Q

One that interacts with and consumes services offered by a cloud service provider

A

Cloud Service user

50
Q

The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users

A

Cloud testing

51
Q

Set of international guidelines and specifications for evaluation of IT security resources to ensure they meet an agreed-upon set of security standards, focused on government computing and security needs and requirements. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408

A

Common Criteria

52
Q

Cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. Owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.

A

Community Cloud

53
Q

Allows for the execution of compute-intensive workloads to be performed in the cloud. Code can be executed in a serverless environment where the customer only pays for the computing time and cycles they consume, without the need for setting up server instances or environments

A

Compute as a Service (CaaS)

54
Q

A paradigm that isolates the processing of data within protected CPU segments that are completely isolated from other users and systems

A

Confidential Computing

55
Q

Establishing a controlled means of consistency throughout a system's lifecycle, based on its requirements and technical specifications, to properly ensure configuration controls, performance standards, and design requirements

A

Configuration management

56
Q

A software package that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit

A

Container

57
Q

The process of taking logs from many different systems and putting them together based on a commonality in order to fully track a session or transaction

A

Correlation

58
Q

Very common type of security vulnerability found with web applications, where an attacker can inject client-side scripts into web pages that are then viewed and executed by other users. The goal of this attack from an attacker’s perspective is to bypass the security controls of an application, such as an access control with a same-origin policy

A

Cross-site scripting (XSS)

59
Q

Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device

A

data at rest (DAR)

60
Q

Feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed. The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer

A

data dispersion

61
Q

serverless, managed data processing service offered by a cloud provider for the execution of data pipelines

A

data flow

62
Q

data that flows over a networked connection, either through public unsecured networks or internal protected corporate networks

A

data in transit (DIT)

63
Q

data within a system or application that is currently being processed or is in use, either through the computing resources or residing in memory

A

data in use (DIU)

64
Q

An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected. This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leakage of data.

A

Data loss prevention (DLP)

65
Q

the ability to easily move data from one system to another without having to re-enter it

A

data portability

66
Q

a suite of tools used to monitor database operations and functions in real time in order to detect security concerns or anomalies

A

database activity monitoring (DAM)

67
Q

A subscription service where the database is installed, configured, secured, and maintained by the cloud provider, with the cloud customer only responsible for loading their schema and data

A

Database as a Service (DBaaS)

68
Q

An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels

A

denial-of-service (DoS) attack

69
Q

A cloud-based equivalent of a traditional virtual desktop interface (VDI) that is hosted and managed by a cloud provider rather than on hardware owned by the customer

A

Desktop as a Service (DaaS)

70
Q

Combines software development with IT operations, with a goal of shortening the software development time and providing optimal uptime and quality of service

A

DevOps

71
Q

Process of integrating security at all levels and stages of development and operations to fully ensure best practices and a focus on security

A

DevSecOps

72
Q

Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.

A

Direct identifier

73
Q

A utility from VMware that balances computing demands and available resources within the virtualized environment

A

Distributed Resource Scheduler (DRS)

74
Q

The testing of an application while it is in an operational state, with currently running systems, applications, and networks

A

Dynamic Application Security Testing (DAST)

75
Q

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization

A

Dynamic optimization (DO)

76
Q

A computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible

A

Edge computing

77
Q

The process for a criminal or civil legal case where electronic data is determined, located, and secured to be used as evidence

A

eDiscovery

78
Q

The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it

A

encryption

79
Q

An application that runs on a large and distributed scale and is deemed mission critical to a company or organization

A

enterprise application

80
Q

A cloud-based backup and recovery service that is related to and similar to those offered for personal use, but scaled and focused on large-scale and organizational-level service

A

enterprise cloud backup

81
Q

Temporary, unstructured storage that is only used for a node or service while it is active and in use and then is destroyed upon being shut down or deleted

A

ephemeral storage

82
Q

Free and open source software for utilizing Amazon Web Services (AWS) to build public and private cloud offerings. The use of this word is intended as an acronym for Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems

A

Eucalyptus

83
Q

An action or situation that is recognized by software that then causes some action or response by the software to be taken

A

event

84
Q

The set of rules and procedures that govern civil legal proceedings in the United States federal courts to provide uniformity and efficiency in resolving legal matters and proceedings

A

Federal Rules of Civil Procedure (FRCP)

85
Q

The set of rules that apply to United States federal courts for collecting evidence in a uniform and official manner

A

Federal Rules of Evidence (FRE)

86
Q

A group of IT service providers that interoperate based on an agreed-upon set of standards and operations

A

federation

87
Q

A security standard published by the United States federal government that pertains to the accreditation of cryptographic modules

A

FIPS 140-2

88
Q

A part of a computing network, provided by either hardware or software implementations, that controls which network connections are allowed to be made in regard to origin, destination, and ports, while blocking all other inbound or outbound connections

A

firewall

89
Q

the use of a location technology such as Wi-Fi, cellular networks, RFID tags, IP address locations, or GPS to control access or behavior of devices

A

geofencing

90
Q

A physical device, typically a plug-in card or an external device, that attaches to a physical computer. It is used to perform encryption and decryption of digital signatures, authentication operations, and other services where cryptography is necessary

A

hardware security module (HSM)

91
Q

taking data of an arbitrary type, length, or size and using a mathematical function to map the data to a value that is of fixed size. Can be applied to virtually any type of data object – text strings, documents, images, binary data, and virtual machine images

A

hashing

92
Q

This act provided incentives for healthcare providers to expand their use of technology, including the widespread adoption of electronic health record (EHR) systems

A

Health Information Technology for Economic and Clinical Health (HITECH) Act

93
Q

This act requires the US Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulation

A

Health Insurance Portability and Accountability Act (HIPAA)

94
Q

A computer that is connected to a network and provides computing services to either users or other hosts on the network

A

host

95
Q

A host-based intrusion detection system monitors the internal resources of a system for malicious attempts. It can also be used for packet inspection and network monitoring.

A

Host-based intrusion detection system (HIDS)

96
Q

A cloud infrastructure composed of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (for example, cloud bursting for load balancing between clouds)

A

hybrid cloud

97
Q

A virtual machine manager that allows and enables multiple virtual hosts to reside on the same physical host

A

hypervisor

98
Q

A subscription-based service for Identity & Access Management (IAM) and single sign-on (SSO) that is offered over the internet versus deployed by the customer

A

Identity as a Service (IDaaS)

99
Q

A system responsible for determining the authenticity of a user or system, thus providing assurance to a service that the identity is valid and known and possibly providing additional information about the identity of the user or system to the service provider requesting it

A

identity provider (IdP)

100
Q

An event that could potentially cause a disruption to an organization’s systems, services, or applications

A

incident

101
Q

Pieces of information about an entity that cannot be used individually to identify that entity uniquely but can be used in combination to potentially do so. Examples include place of birth, race, employment history, and educational history

A

indirect identifiers

102
Q

A subset of digital rights management that is focused on protecting sensitive information from unauthorized exposure or use

A

information rights management (IRM)

103
Q

The capability provided to a consumer to provision processing, storage, networks, and other fundamental computing resources in order to deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications – and possibly limited control of select networking components such as host firewalls

A

Infrastructure as a Service (IaaS)

104
Q

A way of managing and provisioning infrastructure components through definition files, versus the traditional way of using configuration tools. Typically, administrators maintain definition files that contain all the options and settings needed to deploy virtual machines or other pieces of a virtual infrastructure.

A

Infrastructure as Code (IaC)

105
Q

A method for monitoring an application while it is running and has processes interacting with it, continually scanning for any security vulnerabilities

A

Interactive Application Security Testing (IAST)

106
Q

Refers to the extension of Internet connectivity to devices beyond traditional computing platforms. This can include home appliances, thermostats, sensors, lighting fixtures, and is very common within the scope of “smart home” technologies

A

Internet of Things (IoT)

107
Q

The ease and ability to reuse components of a system or application regardless of the underlying system design and provider

A

Interoperability

108
Q

A device, appliance, or software implementation that monitors servers, systems, or networks for malicious activities

A

intrusion detection system (IDS)

109
Q

A network-based appliance or software that examines network traffic for known exploits, or any attempts to use exploits, and actively stops them or blocks attempts

A

intrusion prevention system (IPS)

110
Q

A formal specification for information security management systems that provides, through completion of a formal audit, certification from an accredited body for compliance.

A

ISO/IEC 27001 and 27001:2018

111
Q

A collection of papers and concepts that lays out a vision for IT Service Management (ITSM) framework and IT services and user support

A

IT Infrastructure Library

112
Q

the authority to exert regulatory and legal control over a defined area of responsibility. Can overlap between the local, state/province, and national levels

A

jurisdiction

113
Q

A system or service that manages keys used for encryption within a system or application that is separate from the actual host system. Will generate, secure, and validate keys.

A

Key Management Service (KMS)

114
Q

A metric that provides a quantitative value that can be used to evaluate how effectively key business requirements are being met

A

key performance indicator (KPI)

115
Q

the process of collecting and preserving data as required by an official request from a legal authority

A

legal hold

116
Q

a broad term that encompasses software, scripts, content, and executable code that takes the form of viruses, Trojan horses, ransomware, spyware, and other malicious programs that intend to steal information or computing resources

A

malware

117
Q

A provider of IT services where the technology, software, and operations are determined and managed away from the customer or user

A

managed service provider

118
Q

the process of aligning data values and fields with specific definitions or requirements

A

mapping

119
Q

A measure, typically in hours, of what the average time between failures is for a hardware component in order to determine its reliability

A

mean time between failures (MTBF)

120
Q

A measure for hardware components of the typical or average time to repair and recover after a failure

A

mean time to repair (MTTR)

121
Q

A cloud service that’s delivered and billed in a metered way

A

measured service

122
Q

Data that gives additional or descriptive information about other data. This can be in the form of structural data that pertains to how the information is stored and represented or it can be descriptive data that contains information about the actual content of the data.

A

metadata

123
Q

Cloud-based storage, typically used for mobile devices such as tablets, phones, and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way

A

mobile cloud storage

124
Q

An encompassing term for a suite of policies, technologies, and infrastructure that enables an organization to manage and secure mobile devices that are granted access to its data across a homogenous environment. Accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether it is owned by the organization or is a private device owned by the user.

A

mobile device management

125
Q

Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources

A

multitenancy

126
Q

A cloud-based virtual network where customers can quickly and easily change network configurations via software, versus the traditional need for cabling and hardware appliances

A

Network as a Service (NaaS)

127
Q

A device placed at strategic points on a network to monitor and analyze all network traffic traversing the subnet and compare it against signatures for known vulnerabilities and attacks

A

Network-based intrusion detection systems (NIDS)

128
Q

Contains a set of rules that can be applied to network resources for the processing and handling of network traffic. The group contains information used to filter traffic based on the direction of traffic flow, source address, destination address, ports of both the source and destination, and the protocols being used for transmission

A

network security group

129
Q

Provides a set of security controls for all systems under the United States federal government, with the exception of systems dedicated to national security

A

NIST SP 800-53

130
Q

The ability to confirm the origin or authenticity of data to a high degree of certainty

A

nonrepudiation

131
Q

A set of standards for protecting the national power grid and systems, specifically from a cybersecurity perspective

A

NERC/CIP - North American Electric Reliability Corporation/Critical Infrastructure Protection

132
Q

A storage method used with IaaS where data elements are managed as objects rather than hierarchically with a file system and directory structure

A

object storage

133
Q

The ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider

A

on-demand self-service

134
Q

An official ITIL term that relates to a specialized service level agreement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider

A

operational level agreement (OLA)

135
Q

The automation of tasks within a public or private cloud that manages administration, workloads, and operations within the environment

A

orchestration

136
Q

The hiring of external entities to perform work that a company or organization would typically do through its own employees

A

outsourcing

137
Q

The process of securely removing data from a system by writing blocks of random or opaque data on storage media to destroy any previous data and make it unrecoverable

A

overwriting

138
Q

Seven-step methodology that is platform agnostic and combines business objectives, technical requirements, and compliance for threat management

A

P.A.S.T.A - Process for Attack Simulation and Threat Analysis

139
Q

An industry regulation that applies to organizations that handle credit card transactions. Rather than being a legal regulation passed by government authorities, it is enforced and administered by the credit card industry itself. The regulations are designed to enforce security best practices to reduce credit card fraud.

A

Payment Card Industry Data Security Standard (PCI DSS)

140
Q

The process of testing systems and applications for vulnerabilities and weaknesses by employing the same tools and strategies used by malicious actors. Any exploits discovered can then be proactively addressed by the organization before a malicious actor can discover them.

A

Pen (Penetration) testing

141
Q

The capability provided to the customer to deploy onto the cloud infrastructure any consumer-created or acquired applications written using programming languages, libraries, services, and tools supported by the provider. The customer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, and storage, but does have control over the deployed applications and possibly configuration settings for the application-hosting environment.

A

Platform as a Service (PaaS)

142
Q

The ability of a system or application to seamlessly and easily move between different cloud providers

A

portability

143
Q

A specific type of analysis conducted by an organization that stores or processes sensitive and private data. The organization evaluates its internal processes for development and operations with an eye toward the protection of personal data throughout the entire lifetime of its possession and use

A

Privacy impact assessment (PIA)

144
Q

A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts.

A

Privacy level agreement (PLA)

145
Q

A cloud infrastructure provisioned for exclusive use by a single organization composed of multiple consumers (for example, business units). It may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on or off premises.

A

private cloud

146
Q

A special designation of data under United States law that encompasses any health-related data that can be tied to an individual, including health status, healthcare services sought or provided, or any payment related to healthcare

A

protected health information (PHI)

147
Q

A cloud infrastructure provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic organization, or governmental organization, or some combination. It exists on the premises of the cloud provider.

A

public cloud

148
Q

Involves the use of quantum phenomena, such as the interaction between atoms or wave movements, to aid in computation.

A

Quantum computing

149
Q

A point in time in the past that an organization is willing to revert to in order to restore lost data or services following an interruption

A

Recovery point objective (RPO)

150
Q

A defined maximum time duration for which an organization can accept the loss of data or services following an interruption

A

Recovery time objective (RTO)

151
Q

A system or application that provides access to secure data through the use of an identity provider

A

relying party

152
Q

A proprietary technology, developed by Microsoft, to allow users to connect to a remote computer over a network and utilize a graphical interface with the Windows operating system

A

Remote Desktop Protocol (RDP)

153
Q

A system for designing and implementing networked applications by utilizing a stateless, cacheable, client/server protocol, almost always via HTTP.

A

Representational State Transfer (REST)

154
Q

A key component of the change management process that involves a formal documented change request, including what change is needed, why it is needed, the urgency of the change, and the impact if the change is not made

A

Request for Change (RFC)

155
Q

The aggregation and allocation of resources from the cloud provider to serve the cloud customers

A

resource pooling

156
Q

The ability of a cloud customer to recover all data and applications from a cloud provider and completely remove all data from the cloud provider's environment

A

reversibility

157
Q

Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time

A

runtime application self-protection (RASP)

158
Q

The segregation and isolation of information or processes from others within the same system or application, typically for security concerns

A

sandboxing

159
Q

Enables companies to contract with an external vendor to supply and manage their security operations for such technologies as intrusion detection systems (IDSs), intrusion prevention systems (IPSs), data loss prevention (DLP), and antivirus implementations

A

Security as a Service (SECaaS)

160
Q

A centralized group that deals with security issues within an organization or enterprise. It is responsible for the monitoring, reporting, and handling of security incidents. This is done at both a technical and organizational level and touches all information assets within the organization

A

Security Operations Center

161
Q

A computing system or application that processes data

A

service

162
Q

A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements. An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer service, and potentially many other requirements

A

Service Level Agreement (SLA)

163
Q

An organization that provides IT services and applications to other organizations in a sourced manner

A

Service Provider (SP)

164
Q

A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider, or implementation

A

Service-Oriented Architecture (SOA)

165
Q

A proven methodology for developing business-driven, risk- and opportunity-focused security architectures, at both the enterprise and solution levels, that traceably support business objectives. Widely used for information assurance architectures and risk management frameworks. Composed of a series of integrated frameworks, models, methods, and processes, and can be used independently or as a holistic, integrated enterprise solution

A

Sherwood Applied Business Security Architecture (SABSA)

166
Q

A messaging protocol that is operating system agnostic and used to communicate with other systems through HTTP and XML

A

Simple Object Access Protocol (SOAP)

167
Q

The monetary value assigned to the occurrence of a single instance of risk or exploit to an IT service, application, or system

A

SLE (Single Loss Expectancy)

168
Q

Audit and accounting reports, focused on an organization’s controls, that are employed when providing secure services to users

A

SOC 1/SOC 2/SOC 3

169
Q

The capability provided to the customer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage, and individual application capabilities, with the possible exception of limited user-specific application settings

A

Software as a Service (SaaS)

170
Q

An automated process that scans a codebase to identify any code that is from an open source package or repository. It is crucial for both security and license compliance.

A

Software composition analysis (SCA)

171
Q

An approach to separate the network configurations for the control plane and the data plane. This allows an abstraction for network administrators to configure and control those aspects of the network important to modern systems and applications without having to get involved with the actual mechanisms for forwarding network traffic

A

software-defined networking (SDN)

172
Q

A defined period of time for development to be accomplished with a running list of deliverables that are planned one sprint in advance

A

Sprint

173
Q

A method used by malicious actors to insert SQL statements into a data-driven application in various input fields, attempting to get the application to access arbitrary code and return the results to the attacker. This could include attempts to access a full database or the protected data within it or to modify or delete data.

A

SQL Injection

174
Q

Security testing of applications by analyzing their source code, binaries, and configurations. This is done by testers who have in-depth knowledge of systems and applications, with the testing performed in a nonrunning state

A

Static Application Security Testing (SAST)

175
Q

A cloud service where the provider offers storage space and solutions on a subscription service. Cloud customers incur costs based on the amount of storage that is consumed or reserved.

A

Storage as a Service (STaaS)

176
Q

One or more cloud customers who share access to a pool of resources

A

tenant

177
Q

An open enterprise architecture model intended to be a high-level approach that design teams can use to optimize success, efficiency, and returns throughout a system’s lifecycle

A

The Open Group Architecture Framework (TOGAF)

178
Q

The process of replacing and substituting secured or sensitive data in a data set with an abstract or opaque value that has no use outside of the application

A

tokenization

179
Q

A program or application used to trick a user or administrator into executing an attack by disguising its true intention

A

Trojan

180
Q

The security concept of separating systems and data into different levels (or zones) and applying security methods and practices to each zone, based on the requirements of that particular group of systems. In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa

A

trust zones

181
Q

A contract negotiated and agreed upon between an organization and an external service provider or vendor

A

underpinning contract (UC)

182
Q

The optimization of cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or for a particular industry sector or need

A

vertical cloud computing

183
Q

A computing environment that is a software implementation running on a host system, versus a physical hardware environment

A

virtual host or virtual machine

184
Q

Facilitates the extension of a private network over public networks, and it enables a device to operate as if it were on the private network directly. Works by enabling an encrypted point-to-point connection from a device into a private network, typically through software applications, but this also can be done via hardware accelerators

A

virtual private network (VPN)

185
Q

A type of rootkit installed in a virtualized environment between the underlying host system and the virtual machine. It is then executed and used when the virtual machine is started. Very difficult to detect in an environment, but also very difficult to successfully implement

A

VM-based rootkit (VMBR)

186
Q

A more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine. It can be used just like a traditional hard drive would be, with a file system, folders, and file organization methods

A

volume storage

187
Q

A traditional development methodology where projects are divided into phases that must be fully developed, tested, approved, and implemented before moving on to the next phase

A

waterfall

188
Q

An appliance or software plug-in that parses and filters HTTP traffic from a browser or client and then applies a set of rules before the traffic is allowed to proceed to the actual application server

A

web application firewall (WAF)

189
Q

A web-based application that provides tools, reporting, and visibility for a user into multiple systems. In a cloud environment, this provides metrics and service capabilities to add or expand for the customer to consume.

A

web portal

190
Q

An appliance implemented within a network to secure and manage XML traffic. It is particularly used within a cloud environment to help integrate cloud-based systems with those still residing in traditional data centers.

A

XML appliance

191
Q

A reference in the developer’s code to data on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network.

A

XML external entity