Vocab Flashcards

For Quizzes

1
Q

Acceptable Risk

A

A risk that is understood and tolerated by a system’s user, operator, owner, or accreditor, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. (See adequate security, risk, “second law” under “Courtney’s laws”.)

2
Q

Add-On Security

A

The retrofitting of protection mechanisms, implemented by hardware or software, in an information system after the system has become operational.

3
Q

Baked in Security

A

The inclusion of security mechanisms in an information system beginning at an early point in the system's life cycle, e.g., during the design phase or at least early in the implementation phase.

4
Q

Common Criteria for Information Technology Security

A

A standard for evaluating IT products and systems. It states requirements for security functions and for assurance measures.

5
Q

compartmented security mode

A

A mode of system operation wherein all users having access to the system have the necessary security clearance for the single, hierarchical classification level of all data handled by the system, but some users do not have the clearance for a non-hierarchical category of some data handled by the system.

6
Q

computer security [COMPUSEC]

A

Measures to implement and assure security services in a computer system, particularly those that assure access control service.

7
Q

data confidentiality

A

The property that data is not disclosed to system entities unless they have been authorized to know the data. (See: Bell-LaPadula model.)

8
Q

data integrity

A

The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

9
Q

defense in depth

A

The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial observations of the whole position by the enemy, and [enable] the commander to maneuver the reserve.

10
Q

discretionary access control

A

An access control service that (a) enforces a security policy based on the identity of system entities and the authorizations associated with the identities and (b) incorporates a concept of ownership in which access rights for a system resource may be granted and revoked by the entity that owns the resource.

11
Q

economy of mechanism

A

The principle that a security mechanism should be designed to be as simple as possible, so that (a) the mechanism can be correctly implemented and (b) it can be verified that the operation of the mechanism enforces the system's security policy.

12
Q

FIPS

A

The Federal Information Processing Standards Publication (FIPS PUB) series issued by NIST under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949, as amended by the Computer Security Act of 1987 (Public Law 100-235), as technical guidelines for U.S. Government procurements of information processing system equipment and services. (See:

13
Q

HIPAA

A

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

14
Q

Mission critical

A

A condition of a system service or other system resource such that a denial of access to, or lack of availability of, the resource would jeopardize a system user's ability to perform a primary mission function or would result in other serious consequences.

15
Q

mission essential

A

U.S. DoD/ Refers to materiel that is authorized and available to combat, combat support, combat service support, and combat readiness training forces to accomplish their assigned missions. [JP1] (Compare: mission critical.)

16
Q

phreaking

A

Contraction of "telephone breaking". An attack on or penetration of a telephone system or, by extension, any other communication or information system.

17
Q

residual risk

A

The portion of an original risk or set of risks that remains after countermeasures have been applied.

18
Q

risk

A

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

19
Q

risk analysis

A

An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.)

20
Q

security

A

1a. (I) A system condition that results from the establishment and maintenance of measures to protect the system.

1b. (I) A system condition in which system resources are free from unauthorized access and from unauthorized or accidental change, destruction, or loss. (Compare: safety.)

2. (I) Measures taken to protect a system.

21
Q

security architecture

A

A plan and set of principles that describe (a) the security services that a system is required to provide to meet the needs of its users, (b) the system components required to implement the services, and (c) the performance levels required in the components to deal with the threat environment (e.g., [R2179]). (See: defense in depth, IATF, OSIRM Security Architecture, security controls, Tutorial under "security policy".)

Tutorial: A security architecture is the result of applying the system engineering process. A complete system security architecture includes administrative security, communication security, computer security, emanations security, personnel security, and physical security. A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats.