Vocab 2 Flashcards
The documentation and tracking of accepted exceptions to policy.
exception management
When a vulnerability isn’t detected but it does actually exist.
false negative
When a vulnerability is reported that isn’t actually legitimate.
false positive
U.S. law designed to protect the privacy of students in educational institutions. FERPA covers access control over data, as well as the circumstances under which information from educational records may be disclosed about students. In particular, the law prescribes access control requirements for students older than 18 with regard to parents' rights of access to data, including grade, financial, and other records.
Family Educational Rights and Privacy Act (FERPA)
An overall methodology prescribing higher-level processes.
framework
The legal or corporate standards that prescribe how an organization will conduct itself with regard to handling information and data.
governance
U.S. law that requires financial institutions (including banks, loan companies, insurance companies, and investment companies) to protect sensitive financial data and make their information-sharing practices known to their customers. Of particular interest to security professionals is the Safeguards Rule incorporated into GLBA, which requires institutions under the jurisdiction of the Federal Trade Commission to have specific measures in place to protect customer information.
Gramm-Leach-Bliley Act (GLBA)
Law passed in 1996 requiring the U.S. government’s Health and Human Services Department to establish requirements for protecting the privacy and security of personal health information (PHI). The two important elements of HIPAA of interest to security professionals are the HIPAA Privacy Rule and the HIPAA Security Rule, which set forth specific standards on how to protect electronic PHI.
Health Insurance Portability and Accountability Act (HIPAA)
The process of initially presenting credentials to a system for the purposes of identifying an authorized user.
identification
The level of potential harm or damage to an asset or the organization if a given threat were to exploit a given vulnerability.
impact
The processes and methods used to manage the security life cycle of information and systems. ISSE typically follows and is adapted to the organization’s system development life-cycle model but embeds security processes into each phase of the life cycle so that security is considered early on in the development process, rather than as an afterthought when the system is implemented and data produced.
Information System Security Engineering (ISSE)
The goal of preventing unauthorized modification to a system or data.
integrity
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which together are responsible for a majority of information technology standards that are used worldwide, including several that apply to information security and risk management.
ISO/IEC standards
Metrics used to understand and measure the performance of controls.
key performance indicators (KPIs)
Highly probable indicators designed to accurately predict important levels of risk based on defined thresholds.
key risk indicators (KRIs)