Vocab 1 Flashcards
Organizational policy that describes both acceptable and unacceptable actions when using organizational computing resources, as well as the consequences of violating the policy.
acceptable use policy (AUP)
The processes and technologies involved in protecting information, systems, and data against unauthorized disclosure, modification, or loss through the control of access to those resources physically and/or logically.
access control
The ability to trace an action or event to a definitive user and to hold that user responsible for their actions.
accountability
Tools that interact actively with a system and can often give you a more realistic perspective of vulnerabilities and overall control effectiveness; they can also cause performance issues on the system being tested.
active tools
The process of determining whether a program or a project is meeting specified objectives and of determining whether the controls selected to protect the system are performing their desired function to the level required.
assessment
Anything of value to an organization; assets can include tangible items such as information, data, equipment, supplies, facilities, and systems, or intangible items such as customer loyalty and reputation.
asset
The process of reviewing different data sources, including log files and access control records, to determine compliance with security policy or detect deviations or anomalies.
auditing
The process of validating credentials that a user has supplied to verify that they are the actual authorized user and that the credentials belong to that user.
authentication
The process of giving authenticated users the proper accesses to systems, data, and facilities.
authorization
The goal of having information and systems available to authorized users whenever and however they need them.
availability
Must be made if the response can’t be quickly or easily implemented without a significant cost or change to the organization or the system. A business case for a risk response justifies the expense and work required to make the response function properly.
business case
The process, generally detailed in a supporting plan, that keeps the company operating and functioning in the event of a power outage, IT malfunction, or major disaster.
business continuity
The process of analyzing the critical missions and business processes and the systems used to complete those tasks and of determining the impact to the mission of a loss or disruption in access to those systems.
business impact assessment
The ability for the organization to implement a risk response.
capability
Control Objectives for Information and Related Technology (but now typically referred to by its acronym). This management and governance framework was developed and is used extensively by ISACA in its various risk management and business process frameworks. It is currently in version 5.
COBIT
Controls spanning the entire organization and protecting multiple assets rather than only a specific system. Physical controls are good examples of common controls, and the responsible entity for these controls would be the common controls provider.
common controls
The goal of protecting systems and information from unauthorized disclosure.
confidentiality
A measure put in place to increase protection for an asset, to make up for a lack of protection for an asset, or to strengthen a weakness for an asset. Controls can be administrative, technical, or physical and operational. They can also be further divided by functionality, including deterrent, preventative, detective, and so on.
control
The process of determining the difference between the existing state of a control’s effectiveness and its desired state.
control gap analysis
The financial impacts of any decision, as well as the less-easily quantified aspects such as loss of goodwill, loss of brand status, and other hard-to-define attributes. Cost also includes the maintenance of the responsive mitigation over its required life span.
cost
The level of protection that information or data requires, based upon its impact to the organization if it were disclosed to unauthorized people, subject to unauthorized modification, or otherwise lost.
data sensitivity
When risk response options simply don’t make good business sense, risk is assumed temporarily, perhaps until the costs are reduced, alternate measures are adopted, or risk is ultimately accepted.
deferral
The process of reacting to an incident or disaster and recovering an organization, its personnel, and systems to a functioning state.
disaster recovery (DR)
The design principle that states that you should attempt to design and implement controls that can be applied to more than one system or set of data or that provide more than one function in effectively mitigating risk. The goal is to minimize single-use controls (controls that apply only to a specific system or set of data) because they can be more expensive and specialized to implement.
economy of use
The extent to which the response reduces the likelihood or the impact of the risk event to the organization; also the degree and depth that a control fulfills its security requirements.
effectiveness