S Flashcards

1
Q

safeguard

A

A software configuration, hardware component, or procedure that eliminates a vulnerability or reduces the risk that a threat agent can exploit a vulnerability. Also called a countermeasure or control.

2
Q

sandboxing

A

A control that isolates a process from the operating system and from other processes by restricting the resources it can reach, so that a compromise of the sandboxed process does not become a security violation elsewhere on the system.

3
Q

secure configuration management

A

Implementing the set of appropriate procedures to control the life cycle of an application, document the necessary change control activities, and ensure that the changes will not violate the security policy.

4
Q

Security Assertion Markup Language (SAML)

A

An XML-based standard for exchanging authentication and authorization data between security domains, for example between an identity provider that authenticates the user and a service provider that relies on that authentication.

5
Q

security evaluation

A

Assesses the degree of trust and assurance that can be placed in systems for the secure handling of sensitive information.

6
Q

security kernel

A

The hardware, firmware, and software elements of a trusted computing base (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct.

7
Q

security label

A

An identifier that represents the security level of an object.

8
Q

security perimeter

A

An imaginary boundary between the components within the trusted computing base (TCB) and the mechanisms that do not fall within the TCB. It marks the distinction between trusted and untrusted components.

9
Q

security policy

A

Documentation that describes senior management’s directives toward the role that security plays within the organization. It provides a framework within which an organization establishes the needed levels of information security to achieve its confidentiality, integrity, and availability goals. A policy is a statement of information values, protection responsibilities, and organizational commitment to managing risk.

10
Q

security testing

A

Testing all security mechanisms and features within a system to determine the level of protection they provide. Security testing can include penetration testing, formal design and implementation verification, and functional testing.

11
Q

sensitive information

A

Information that would cause a negative effect on the company if it were lost or compromised.

12
Q

sensitivity label

A

A piece of information that represents the security level of an object. Sensitivity labels are used by the TCB as the basis for mandatory access control (MAC) decisions.

13
Q

separation of duties

A

A security principle that splits a critical task among two or more individuals so that no one person can complete a risky task alone.
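The way this principle is usually enforced in software is a dual-control (maker-checker) check: a sensitive action is held until a required number of distinct approvers, none of whom is the person who requested it, have signed off. The following is an added example and not part of the original flashcard set; the request fields, the role directory and the "approver" role name are assumptions made for illustration.

```python
"""Separation-of-duties (dual-control) check for a critical action.

Added example, not from the original page. The request layout, the
role directory and the role name "approver" are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    action: str          # e.g. "release_payment"
    requester: str       # identity that initiated the action
    approvers: tuple     # identities that signed off, in order received


def check_separation_of_duties(req: Request, roles: dict, required: int = 2):
    """Return (allowed, reason).

    `roles` maps identity -> set of role names (assumed to come from the
    organization's directory). The action is allowed only if:
      * the requester did not approve their own request,
      * every approval comes from a different identity,
      * every approver actually holds the approver role, and
      * at least `required` distinct approvals are present.
    """
    if req.requester in req.approvers:
        return False, "requester approved own request"

    distinct = set(req.approvers)
    if len(distinct) != len(req.approvers):
        return False, "duplicate approval from the same identity"

    unauthorized = sorted(a for a in distinct if "approver" not in roles.get(a, set()))
    if unauthorized:
        return False, f"not authorized to approve: {unauthorized}"

    if len(distinct) < required:
        return False, f"only {len(distinct)} of {required} required approvals"

    return True, "ok"


def demo():
    """Constructed sample data: a small role directory and four requests."""
    roles = {
        "alice": {"requester", "approver"},
        "bob": {"approver"},
        "carol": {"approver"},
        "dave": {"requester"},
    }
    return {
        # requester also counted herself as an approver: must be rejected
        "self_approval": check_separation_of_duties(
            Request("release_payment", "alice", ("alice", "bob")), roles),
        # bob's approval was submitted twice: still only one person
        "duplicate": check_separation_of_duties(
            Request("release_payment", "dave", ("bob", "bob")), roles),
        # dave has no approver role, so his sign-off does not count
        "unauthorized": check_separation_of_duties(
            Request("release_payment", "alice", ("bob", "dave")), roles),
        # two distinct, authorized approvers, neither is the requester
        "valid": check_separation_of_duties(
            Request("release_payment", "dave", ("bob", "carol")), roles),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

The check is written to fail closed: any single violated condition denies the action, and the reason string is what you would write to the audit trail.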

14
Q

shoulder surfing

A

When a person looks over another person’s shoulder and watches keystrokes, or data as it appears on the screen, in order to obtain information in an unauthorized manner.

15
Q

simple security property

A

A Bell-LaPadula security model rule stipulating that a subject cannot read an object at a higher security level than its own clearance ("no read up").

16
Q

single loss expectancy (SLE)

A

A dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place.

SLE = asset value × exposure factor

17
Q

single sign-on (SSO)

A

A technology that allows a user to authenticate one time and then access resources in the environment without needing to reauthenticate.

18
Q

social engineering

A

The act of manipulating another person into providing confidential information or performing an action, typically by posing as an individual who is authorized to receive that information.

19
Q

software-defined networking (SDN)

A

An approach to networking that separates the control plane from the data plane and moves the configuration and control of networking devices into centralized software controllers, providing improved agility and efficiency over per-device configuration.

20
Q

spoofing

A

Presenting false information, usually within packets, to trick other systems and hide the origin of the message. Attackers usually do this so that the true source of the traffic cannot be identified.

21
Q

standards

A

Rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They are compulsory.

22
Q

star property (*-property)

A

A Bell-LaPadula security model rule stipulating that a subject cannot write data to an object at a lower security level than its own clearance ("no write down").

23
Q

strategic goals

A

Long-term goals that are broad, general statements of intent. Operational and tactical goals support strategic goals and all are a part of a planning horizon.

24
Q

subject

A

An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or that changes the system state.

25
Q

supervisor state

A

One of several states in which an operating system may operate, and the only one in which privileged instructions may be executed by the CPU.

26
Q

supervisory control and data acquisition (SCADA)

A

A system for remotely monitoring and controlling physical systems such as power and manufacturing plants.

27
Q

synthetic transaction

A

A transaction that is executed in real time by a software agent to test or monitor the performance of a distributed system.