Glossary of cybersecurity, risk management, and technical terms used in CST2410 – Introduction to Cybersecurity.Â
|
chapter |
term |
also_see |
defintion |
|
2 |
10.4 password rule |
An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character |
|
|
5 |
Acceptance Risk Control Strategy |
The risk control strategy that indicates an organization is willing to accept the current level of residual risk. |
|
|
1 |
Access |
Access, in the context of security, is the privilege or assigned permission to use computer data or resources in some manner. |
|
|
4 |
Access Control List (ACL) |
Access control list (ACL): specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capabilities tables. |
|
|
4 |
Access control matrix |
Access control matrix: an integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. |
|
|
1 |
Accuracy |
An attribute of information that describes how data is free of errors and has the value that the user expects. |
|
|
4 |
Acquisition |
||
|
8 |
Advanced Encryption Standard (AES) |
The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen. |
|
|
2 |
Advance-fee fraud (AFF) |
A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. |
|
|
4 |
Adverse event |
Adverse event: an event with negative consequences that could threaten the organization’s information assets or operations. |
|
|
2 |
Adware |
Malware intended to provided undesired marketing and advertising, including popups and banners on a user’s screen. |
|
|
4 |
After-action review |
After-action review: a detailed examination of the events that occurred from first detection to final recovery. |
|
|
3 |
Aggregate Information |
Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. |
|
|
9 |
Air-Aspirating Detector |
A fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken. |
|
|
4 |
Alert message |
Alert message: a scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process. |
|
|
4 |
Alert roster |
Alert roster: a document that contains contact information for people to be notified in the event of an incident. |
|
|
4 |
Analysts |
||
|
5 |
Annualized Cost of a safeguard (ACS) |
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use. |
|
|
5 |
Annualized Loss Expectancy (ALE) |
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy. |
|
|
5 |
Annualized Rate of Occurrence (ARO) |
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis. |
|
|
8 |
Application Header (AH) protocol |
In IPsec, a protocol that provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication. |
|
|
1 |
Asset |
An Asset is any resource, be they tangible or digital. Examples are Information, Data, and Hardware such as Computer Systems. |
|
|
5 |
Asset Exposure |
See loss magnitude. |
|
|
5 |
Asset valuation |
The process of assigning financial value or worth to each information asset. |
|
|
8 |
Asymmetric encryption |
An cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it. |
|
|
1 |
At-rest |
"Storage" |
Storage At-Rest is one of the three states of data (the other two being In Transit and In Use.) The data stored in this state is not moving in the network or being used. It is prone to attacks by malicious actors. |
|
2 |
Attack |
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. |
|
|
1 |
Attack |
An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the system that support it. It can be activer or passive, indirect or direct, and intentional or unintentional. |
|
|
5 |
Attack Success Probability |
The number of successful attacks that are expected to occur within a specified time period. |
|
|
1 |
Authenticity |
The property that data originated from its purported source. |
|
|
1 |
Authorization |
The giving of acccess and permission to classified or restricted information or an area. |
|
|
1 |
Availability |
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. |
|
|
2 |
Availability Disruption |
An interruption of service, usually from a service provider, which causes an adverse event within an organization. |
|
|
5 |
Avoidance of Competitive Advantage |
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind. |
|
|
2 |
Back Door |
A malware payload that provides access to a system by bypassing normal access controls. |
|
|
9 |
Badge |
An identification card typically worn in a visible location to quickly verify an authorized member. The badge may or may not show the wearer’s name |
|
|
5 |
Baseline |
An assessment of the performance of some action or process against which future performance is assessed; the first measurement (benchmark) in benchmarking. |
|
|
5 |
Baselining |
The process of conducting a baseline. See also baseline. |
|
|
5 |
Behavioral Feasibility |
See operational feasibility. |
|
|
5 |
Benchmarking |
An attempt to improve information security practices by comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate. Sometimes referred to as external benchmarking. |
|
|
5 |
Best Business Practices |
Security efforts that are considered among the best in the industry. |
|
|
5 |
Bias |
Cognitive bias |
A tendency to err in a particular direction. Example: a weather forecaster who generally predicts the temperature to be hotter than it typically is. |
|
9 |
Biometric Lock |
A lock that reads a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key. |
|
|
2 |
Blackout |
A long-term interruption (outrage) in electrical power availability. |
|
|
4 |
Blueprint |
Information security blueprint |
A term borrowed from architecture and engineering which implies a level of detailed design with components all fit together to create a fully functional result. Overused term in business, technology, and especially consulting which has different meanings as construed by different users. |
|
4 |
Board of Directors |
Board |
|
|
2 |
Boot Virus |
Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media. |
|
|
2 |
Bot |
"Zombie" |
An abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie. |
|
1 |
Bottom-up Approach |
An ineffective method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems. |
|
|
2 |
Brownout |
A long-term decrease in electrical power availability. |
|
|
2 |
Brute Force Password Attack |
"Brute Force Attack" |
An attempt to guess a password by attempting every possible combination of characters and numbers in it. |
|
4 |
Budget |
||
|
2 |
Buffer Overrun |
"Buffer Overflow" |
An application error that occurs when more data is sent to a program buffer than it is designed to handle. |
|
4 |
Business as Usual (BAU) |
||
|
4 |
Business Continuity plan (BC plan) |
Business continuity plan (BC plan): the documented product of business continuity planning; a plan that shows the organization’s intended efforts if a disaster renders the organization’s primary site are not feasible. |
|
|
4 |
Business Continuity Planning (BCP) |
Business continuity planning (BCP): The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams. |
|
|
4 |
Business Impact Analysis (BIA) |
Business impact analysis (BIA): An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization’s core processes and recovery priorities. |
|
|
4 |
Business Resumption Planning (BRP) |
Business resumption planning (BRP): The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams. |
|
|
4 |
C.E.O. |
||
|
4 |
C.F.O. |
||
|
1 |
C.I.A. Triad |
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability. |
|
|
4 |
C.I.O. |
||
|
4 |
C.O.O. |
||
|
4 |
C.T.O. |
||
|
4 |
CAGR |
||
|
4 |
Capabilities table |
Capabilities table: A lattice-based access control with rows of attributes associated with a particular subject (such as a user). |
|
|
4 |
Cash Flow |
||
|
8 |
Certificate Authority (CA) |
In PKI, a third party that manages users’ digital certificates. |
|
|
8 |
Certificate Revocation List (CRL) |
Is a list from the issuing CA of certificates that have been revoked before they were set to expire. In PKI, a published list of revoked or terminated digital certificates. |
|
|
8 |
Certificate Trust Chain |
Is the multi-level hierarchy of trust in a public key infrastrucutre. In practice, these chains tend to interlink with other chains often from other CAs. |
|
|
4 |
Chairperson of Board |
||
|
4 |
Champion |
||
|
4 |
Chief Administrative Officer (C.A.O.) |
||
|
1 |
Chief Information Officer (CIO) |
An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information. |
|
|
1 |
Chief Information Security Officer (CISO) |
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO. |
|
|
9 |
Clean Agent |
A fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment. |
|
|
5 |
Clean Desk Policy |
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day. |
|
|
9 |
Closed-circuit Television (CCT/CCTV) |
A video capture and recording system used to monitor a facility. |
|
|
5 |
Cognitive bias |
Bias |
A strong, preconceived notion we have of someone or something based on inforrmation we have, perceive to have (but may lack). These preconcieved notions are mental short-cuts which the human brain produces to exepedite processing information and making decisions. |
|
4 |
Cold site |
Cold site: A facility that provides only rudimentary services, with no computer hardware or peripherals. Cold sites are used for BC operations. |
|
|
2 |
Command Injection |
An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function. |
|
|
4 |
Commander’s Intent |
||
|
1 |
Communications |
Is the practice of preventing unauthorized interception/access of telecommunications traffic to its intended source. |
|
|
1 |
Communications Security |
The protection of all communications media, technology, and content. |
|
|
1 |
Community of Interest |
A group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. |
|
|
4 |
Company |
||
|
5 |
Competitive Advantage |
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition. |
|
|
2 |
Competitive Intelligence |
The collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage. |
|
|
4 |
Computer forensics |
Computer forensics: the process of collecting, analyzing, and preserving computer-related evidence. |
|
|
1 |
Computer Security |
In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded. |
|
|
1 |
Confidentiality |
enter the definition as plain text here |
|
|
4 |
Configuration rules |
Configuration rules: the instructions a system administrator codes into a server, networking device, or security device to specify how it operates. |
|
|
9 |
Contact and Weight Sensor |
An alarm sensor designed to detect increased pressure or contact at a specific location, such as a floor pad or a window.. |
|
|
4 |
Contingency plan |
Contingency plan: the documented product of contingency planning; a plan that shows the organization’s intended efforts in reaction to adverse events. |
|
|
4 |
Contingency Planning (CP) |
Contingency planning (CP): The actions taken by senior management to specify the organization’s efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis. |
|
|
4 |
Contingency Planning Management Team (CPMT) |
Contingency planning management team (CPMT): The group of senior managers and project members organized to conduct and lead all CP efforts. |
|
|
4 |
Contractor |
||
|
1 |
Control |
"Safegurd", "Countermeasure" |
The terms controls, safeguards, and countermeasures are often used interchangeably. In essence, they are means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. |
|
4 |
Controller |
||
|
5 |
Convey |
||
|
5 |
Convince |
||
|
4 |
Corporate |
||
|
4 |
Corporate governance |
Corporate governance: executive management’s responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use. |
|
|
4 |
Corporate Secretary |
||
|
5 |
Cost Avoidance |
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident. |
|
|
5 |
Cost-benefit Analysis (CBA) |
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization. |
|
|
1 |
Countermeasure |
"Control" |
The terms controls, safeguards, and countermeasures are often used interchangeably. In essence, they are means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. |
|
2 |
Cracker |
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use. |
|
|
2 |
Cracking |
Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software. See Cracker. |
|
|
4 |
Crisis management |
Crisis management: An organization’s set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster. |
|
|
8 |
CRL |
Certificate Revocation List |
Is a list from the issuing CA of certificates that have been revoked before they were set to expire. In PKI, a published list of revoked or terminated digital certificates. |
|
8 |
Cross Signing |
Expands trust within your network. When a certificate is signed by two CAs, it allows the certificate to verify trust by more than one CA without the need to distribute a separate certificate for each CA. |
|
|
2 |
Cross Site Scripting (XSS) |
A web application fault that occurs when an application running on a Web server inserts commands into a user’s browser session and causes information to be sent to a hostile server. |
|
|
1 |
Crosstalk |
Unwanted signals in a communication channel caused by trasference of energy from another circuit. |
|
|
8 |
Cryptanalysis |
The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption. |
|
|
8 |
Cryptography |
The process of making and using codes to secure the transmission of information. |
|
|
8 |
Cryptology |
The field of science that encompasses cryptography and cryptanalysis. |
|
|
3 |
Cultural Mores |
The fixed moral attitudes or customs of a particular group. |
|
|
2 |
Cyberactivist |
See Hacktivist. |
|
|
2 |
Cyberterrorist |
A hacker who attacks systems to conduct terrorist activities via networks or internet pathways. |
|
|
2 |
Cyberwarfare |
Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state. |
|
|
1 |
Data |
Data is any informative asset stored and processed by a computer. |
|
|
2 |
Data |
Items of fact collected by an organization. |
|
|
1 |
Data Custodians |
People who are responsible for the storage, maintenance, and protection of the information. |
|
|
1 |
Data Owners |
Individuals who control, and are therefore responsible for, the security and use of a particular set of information; data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it. |
|
|
2 |
Data Security |
Commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states-at rest (in storage), in processing, and in transmission (over networks). |
|
|
1 |
Data Users |
People who work with the information to perform their daily jobs and support the mission of the organization. |
|
|
2 |
Database |
A collection of related data stored in a structured form and usually managed by a database management system. |
|
|
2 |
Database Security |
A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media. |
|
|
4 |
Database shadowing |
Database shadowing: A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations. |
|
|
4 |
De facto standard |
De facto standard: a standard that has been widely adopted or accepted by a public group rather than a formal standards organization. |
|
|
4 |
De jure standard |
De jure standard: a standard that has been formally evaluated, approved, and ratified by a formal standards organization. |
|
|
5 |
Decision stacking |
Finding ways to make low-impact, easy-to-quit decisions in advance of a high-impact, harder-to-quit decision in order to build more accurate models of the world. |
|
|
5 |
Defense Control Strategy |
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. |
|
|
4 |
Defense in Depth |
Defense in depth: a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. |
|
|
9 |
Delta Conversion Online UPS |
An uninterruptible power supply (UPS) that is similar to a double conversion online UPS except that it incorporates a delta transformer, which assists in powering the inverter while outside power is available. |
|
|
9 |
Deluge Systems |
A fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated. |
|
|
2 |
Denial-of-service (DoS) Attack |
An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems. |
|
|
4 |
Departments |
Functions |
|
|
2 |
Dictionary Password Attack |
"Dictionary Attack" |
A variation of the brute force attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information. |
|
8 |
Diffie-Hellman Key Exchange |
A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption. |
|
|
8 |
Digital Certificates |
Public-key container files that allow PKI system components and end users to validate a public key and identify its owner. |
|
|
8 |
Digital Signature Standard (DSS) |
The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme. |
|
|
8 |
Digital Signatures |
Encrypted message components that can be mathematically proven as authentic. |
|
|
4 |
Disaster |
Disaster: an adverse event that could threaten the viability of the entire organization. A disaster may either escalate from an incident or be initially classified as a disaster. |
|
|
4 |
Disaster Recovery plan (DR plan) |
Disaster recovery plan (DR plan): the documented product of disaster recovery planning; a plan that shows the organization’s intended efforts in the event of a disaster. |
|
|
4 |
Disaster Recovery Planning (DRP) |
Disaster recovery planning (DRP): The actions taken by senior management to specify the organization’s efforts in preparation for and recovery from a disaster. |
|
|
5 |
Dispersion of opinion |
||
|
2 |
Distributed Denial-of-Service (DDoS) |
A form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies. |
|
|
4 |
Divisional Organization Structure |
||
|
2 |
Domain Name System (DNS) Cache Poisoning |
The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. |
|
|
9 |
Double Conversion Online UPS |
A UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power. |
|
|
2 |
Downtime |
The percentage of time a particular service is not available; the opposite of uptime. |
|
|
4 |
Drivers |
||
|
9 |
Dry-pipe System |
A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area. |
|
|
3 |
Due Care |
Measures that an organization takes to ensure every employee knows what is acceptable and what is not. |
|
|
3 |
Due Diligence |
Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations. |
|
|
5 |
Dumpster Diving |
An information attack that involves searching through a target organization’s trash and recycling bins for sensitive information.. |
|
|
4 |
EBITDA |
||
|
1 |
Education |
enter the definition as plain text here |
|
|
4 |
Efficiency |
||
|
9 |
Electromagnetic Radiation (EMR) |
The transmission of radiant energy through space, commonly referred to as radio waves. |
|
|
9 |
Electromechanical Lock |
A lock that can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from name badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electrically powered locking mechanism. |
|
|
4 |
Electronic vaulting |
Electronic vaulting: A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections. |
|
|
9 |
Electrostatic Discharge (ESD) |
The release of ambient static electricity into a ground. |
|
|
8 |
Encapsulating Security Payload (ESP) protocol |
In IPsec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification. |
|
|
4 |
Enterprise |
||
|
4 |
Enterprise Information Security Policy (EISP) |
Enterprise information security policy (EISP): The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. |
|
|
4 |
Enterprise Risk Management |
||
|
4 |
Entity |
||
|
1 |
Espionage |
Cyber espionage is a form of cyber attack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity |
|
|
3 |
Ethics |
The branchof philosophy that considers nature, criteria, sources, logic, and the validity of moral judgement |
|
|
4 |
Evidence |
Evidence: a physical object or documented information that proves an action occurred or identifies the intent of a perpetrator. |
|
|
8 |
Exclusive OR operation (XOR) |
A function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1. |
|
|
4 |
Executive Director |
||
|
4 |
Exit Strategy |
||
|
2 |
Expert Hacker |
A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. |
|
|
1 |
Exploit |
An exploit is a code that takes advantage of a software vulnerability or security flaw |
|
|
2 |
Exploit |
A technique used to compromise a system. |
|
|
1 |
Exposure |
enter the definition as plain text here |
|
|
5 |
Exposure Factor (EF) |
In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack. |
|
|
9 |
Facilities Management |
The aspect of organizational management focused on the development and maintenance of its buildings and physical infrastructure. |
|
|
9 |
Fail-SAFE Lock |
An electromechanical device that automatically releases the lock protecting a control point if a power outage occurs. This type of lock is used for fire safety locations. |
|
|
9 |
Fail-SECURE Lock |
An electromechanical device that stays locked and maintains the security of the control point if a power outage occurs. |
|
|
2 |
Fault |
A short-term interruption in electrical power availability. |
|
|
8 |
Federation |
Is accepting a certificate from another certificate authority without checking it. |
|
|
9 |
Fire Suppression Systems |
Devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger. |
|
|
9 |
Fixed Temperature Sensor |
A fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level. |
|
|
9 |
Flame Detector |
A fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame. |
|
|
4 |
Forecast |
||
|
5 |
Forecasts |
||
|
5 |
Framing effect |
Cognitive bias |
A cognitive bias in which the way in which information is presented influences the way the receiver of that information makes decisions using the information. |
|
5 |
Free Roll |
A situation where there is an asymmetry between the upside and the downside consequences of a decision because the potential losses are not significant. |
|
|
4 |
Functions |
Departments |
|
|
9 |
Gaseous (or Chemical Gas) Emission Systems |
Fire suppression systems that operate through the delivery of gases rather than water. |
|
|
4 |
General Manager |
||
|
4 |
Geographic Organization Structure |
||
|
4 |
Goals |
Goals: sometimes used synonymously with objectives; the desired end of a planning cycle. |
|
|
4 |
Governance |
Governance: “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” |
|
|
9 |
Ground Fault Circuit Interruption |
A special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected |
|
|
4 |
Growth |
||
|
4 |
Guidelines |
Guidelines: Nonmandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to “use strong passwords, frequently changed,” the guidelines might advise that “we recommend you don’t use family or pet names, or parts of your Social Security number, employee number, or phone number in your password.” |
|
|
2 |
Hacker |
A person who accesses systems and information without authorization and often illegally. |
|
|
2 |
Hacktivist |
A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. |
|
|
5 |
Halo effect |
Cognitive bias |
A cognitive bias in which a positive impression of a person in one area of expertise results in a positive view of that person in other, unrelated areas of expertise. |
|
5 |
Happiness test |
Asking whether the outcome of a decision, whether good or bad, will likely have a significant impact on an individual’s, group’s, or organization’s general level of happiness. |
|
|
1 |
Hardware |
Hardware includes the physical components of a computer system, which may wear out over time and require replacement. Software includes sets of instructions that allow a variety of inputs from the user. |
|
|
8 |
Hash algorithms |
Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value |
|
|
8 |
Hash functions |
Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity. |
|
|
8 |
Hash value |
See message digest. |
|
|
4 |
Hierarchical roster |
Hierarchical roster: an alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure. |
|
|
5 |
Hindsight bias |
Cognitive bias |
The tendency to believe that an event, after it has occurred, was predictable or inevitavle. Also referred to as "knew-it-all-along" thinking or "creeping determinism". |
|
4 |
Hot site |
Hot site: A fully configured computing facility that includes all services, communications links, and physical plant operations. Hot sites are used for BC operations. |
|
|
9 |
Humidity |
The amount of moisture in the air. |
|
|
9 |
Identification (ID) Card |
A document used to verify the identity of a member of an organization, group, or domain. |
|
|
3 |
Identity Theft |
The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes. |
|
|
4 |
Incident |
Incident: an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. |
|
|
4 |
Incident candidate |
Incident candidate: see adverse event. |
|
|
4 |
Incident classification |
Incident classification: the process of examining an incident candidate and determining whether it constitutes an actual incident. |
|
|
4 |
Incident damage assessment |
Incident damage assessment: the rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one. |
|
|
4 |
Incident Response plan (IR plan) |
Incident response plan (IR plan): the documented product of incident response planning; a plan that shows the organization’s intended efforts in the event of an incident. |
|
|
4 |
Incident response planning (IRP) |
Incident response planning (IRP): the actions taken by senior management to specify the organization’s processes and procedures to anticipate, detect, and mitigate the effects of an incident. |
|
|
5 |
Inconsistency |
Noise |
A tendency to err in a random direction. Example: a weather forecaster who gives a different forecast for two identical days. |
|
4 |
Incremental Benefit |
||
|
4 |
Incremental Cost |
||
|
2 |
Industrial Espionage |
The collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. |
|
|
4 |
Inefficiency |
||
|
2 |
Information |
Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness. |
|
|
3 |
Information Aggregation |
Pieces of nonprivate data that, when combined, may create information that violates privacy. |
|
|
2 |
Information Asset |
The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information. |
|
|
3 |
Information Assurance |
The affirmation or guarantee of the confidentiality, integrity, and availability of information in storage, processing, and transmission. |
|
|
2 |
Information Extortion |
The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion. |
|
|
1 |
Information Security |
Protection of the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission, via the application of policy, education, training and awareness, and technology. |
|
|
4 |
Information security blueprint |
Blueprint |
Information security blueprint: In information security, a framework or security model customized to an organization, including implementation details. |
|
4 |
Information security framework |
Information security framework: In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. Also known as a security model. |
|
|
4 |
Information security governance |
Information security governance: the application of the principles of corporate governance to the information security function. |
|
|
4 |
Information security model |
Information security model: See information security framework. |
|
|
4 |
Information security policy |
Information security policy: a set of rules that protects an organization’s information assets. |
|
|
1 |
Information System (IS) |
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization. |
|
|
4 |
Initial Public Offering (IPO) |
||
|
4 |
Initiative(s) |
||
|
4 |
Inside View |
The view of the world from inside your own perspective, your own experiences, and your own beliefs. |
|
|
2 |
Integer Bug |
A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers. |
|
|
1 |
Integrity |
Integrity refers to how accurate and trustworthy the data is over its enitre life cycle. |
|
|
2 |
Intellectual Property(IP) |
The creation, ownership, and control of original ideas as well as the representation of those ideas. |
|
|
4 |
Internal Audit |
||
|
8 |
Internet Protocol Security (IPSec) |
The primary and now dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including virtual private networks. |
|
|
9 |
Ionization Sensor |
A fire detection sensor that works by exposing the ambient air to a small amount of a harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber. |
|
|
4 |
Issue-Specific Security Policy (ISSP) |
Issue-specific security policy (ISSP): An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. |
|
|
2 |
Jailbreaking |
Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also Rooting. |
|
|
3 |
Jurisdiction |
The power to make legal decisions and judgements; typically n area within which an entity such as a court or law enforcement agency is empowered to make legal decision. |
|
|
4 |
Key Performance Indicators (KPIs) |
||
|
4 |
Labor |
||
|
3 |
Laws |
Rules that mandate or prohibit certain behavior and are enforced by the state. |
|
|
4 |
Leading Indicators |
||
|
4 |
Legal Department |
||
|
3 |
Liability |
An entitiy’s legal obligation or responsibility. |
|
|
5 |
Likelihood |
The probability that a specific vulnerability within an organization will be the target of an attack. |
|
|
4 |
Limited Liability Partnership (LLP) |
||
|
9 |
Line-interactive UPS |
A UPS in which a pair of inverters and converters draw power from the outside source both to charge the battery and provide power to the internal protected device. |
|
|
3 |
Long Arm Jurisdiction |
The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case. |
|
|
4 |
Long-Range Plan (LRP) |
||
|
1 |
Loss |
a single instance of an information asset suffering damage or destruction, unintended, or unauthorized modification or disclosure, or denial of use. |
|
|
5 |
Loss Frequency |
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range. |
|
|
5 |
Loss Magnitude |
Also known as event loss magnitude, the combination of an asset’s value and the percentage of it that might be lost in an attack. |
|
|
2 |
Macro Virus |
A type of virus written in a specific macro language to target applications that use the language. |
|
|
2 |
Mail Bomb |
An attack designed to overwhelm the receiver with excessive quantities of email. |
|
|
2 |
Maintenance Hook |
See Back door |
|
|
2 |
Malicious Code |
See Malware. |
|
|
2 |
Malicious Software |
See Malware. |
|
|
2 |
Malware |
Computer software specifically designed to perform malicious or unwanted actions. |
|
|
4 |
Managerial controls |
Managerial controls: information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization’s security administration. These safeguards include governance and risk management. |
|
|
4 |
Managerial guidance SysSP |
Managerial guidance SysSP: A systems-specific security policy that expresses management’s intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective. |
|
|
2 |
Man-in-the-Middle |
"Man-in-the-Middle Attack" |
A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner. |
|
4 |
Marketing |
||
|
4 |
Matrix Organization |
||
|
5 |
Maximizing |
Decision making motivated by the desire to make the optimal decision which results in examning every possible option and the nuances of each option in an attempt to make a perfect decision — also referred to as ‘analysis paralysis". |
|
|
4 |
Maximum Tolerable Downtime (MTD) |
Maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations |
|
|
1 |
McCumber Cube |
A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube of 3x3x3 cells, similar to a Rubik’s Cube. |
|
|
2 |
Mean Time Between Failure (MTBF) |
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures. |
|
|
2 |
Mean Time to Diagnose (MTTD) |
The average amount of time a computer technician needs to determine the cause of a failure. |
|
|
2 |
Mean Time to Failure (MTTF) |
The average amount of time until the next hardware failure. |
|
|
2 |
Mean Time to Repair (MTTR) |
The average amount of time a computer technician needs to resolve the cause of a failure through replacement or repair of a faulty unit. |
|
|
9 |
Mechanical Lock |
A physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock. |
|
|
2 |
Media |
As a subset of information assets, the systems and network that store, process, and transmit information. |
|
|
5 |
Memory creep |
When facts learned after a decision or event ‘creep’ into recollection of facts which were known before the decision was made. |
|
|
2 |
Memory-Resident Virus |
"TSR" |
A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated. |
|
5 |
Mental contrasting |
Envisioning the obstacle which may stand in the way of achieving the desired goals and confronting those obstacles. |
|
|
5 |
Menu strategy |
Investing time and effort in rank sorting options so that time may be saved in the final decision making as the top options on the list will include the best choice and there are likely to be less significant differences between the best choice and it’s peers at the top of the list or ‘menu’. |
|
|
4 |
Merger |
||
|
4 |
Mergers and Acquisitions (M&A) |
M&A |
|
|
8 |
Message authentication code (MAC) |
A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest |
|
|
8 |
Message digest |
A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient’s locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value. |
|
|
1 |
Methodology |
A formal approach to solving a problem by means of a structured sequence of procedures. |
|
|
5 |
Metrics-based Measures |
Performance measures or metrics based on observed numerical data. |
|
|
5 |
Mitigation Risk Control Strategy |
The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation. |
|
|
8 |
Monoalphabetic substitution |
A substitution cipher that only incorporates a single alphabet in the encryption process. |
|
|
9 |
Motion Detector |
An alarm sensor designed to detect movement within a defined space. |
|
|
4 |
Mutual agreement |
Mutual agreement: a continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster. |
|
|
1 |
Network |
A network is a collection of computers, servers, mainframes, network devices, peripherals, or other devices connected to one another to allow the sharing of data |
|
|
1 |
Network Security |
A subset of communications security; the protection of voice and data networking components, connections, and content. |
|
|
2 |
Noise |
The presence of additional and disruptive signals in network communications or electrical power delivery. |
|
|
9 |
Noise |
The presence of additional and disruptive signals in network communications or electrical power delivery. |
|
|
5 |
Noise |
Inconsistency |
A tendency to err in a random direction. Example: a weather forecaster who gives a different forecast for two identical days. |
|
2 |
Non-Memory-Resident Virus |
A virus that terminates after it has been activated, infected its host system, and replicated itself. |
|
|
8 |
Nonrepudiation |
The process of reversing public-key encryption to verify that a message was sent by the sender and thus cannot be refuted. |
|
|
2 |
Novice Hacker |
A relatively unskilled hacker who uses the work of expert hackers to perform attacks. |
|
|
1 |
Object of Attack |
"Subject of Attack" |
enter the definition as plain text here |
|
4 |
Objectives |
Objectives: sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals. |
|
|
5 |
Only option test |
Asking "if this were the only option would we choose it and be happy?" |
|
|
4 |
Operational controls |
Operational controls: information security safeguards focusing on lower-level planning that deals with the functionality of the organization’s security. These safeguards include disaster recovery and incident response planning. |
|
|
5 |
Operational Feasibility |
An assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders. |
|
|
4 |
Operational plan |
Operational plan: the documented product of operational planning; a plan for theorganization’s intended operational efforts on a day-to-day basis for the next several months. |
|
|
4 |
Operational planning |
Operational planning: the actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives. |
|
|
4 |
Operations |
||
|
5 |
Opportunity cost |
When an option is decided upon or chosen, the potential benefits of the options not chosen are lost and considered the cost of a missed opportunity. |
|
|
4 |
Organic |
||
|
4 |
Organization Hierarchy |
||
|
5 |
Organizational Feasibility |
An assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization. |
|
|
5 |
Overconfidence |
Expressions of high confidence which may include coherent stories and confident predictions with little basis in fact or logic. Overconfidence can be prevalent when self-awareness is low. |
|
|
4 |
Owners |
||
|
2 |
Packet Monkey |
A script kiddie who uses automated exploits to engage in denial-of-service attacks. |
|
|
2 |
Packet Sniffer |
A software program or hardware appliance that can intercept, copy, and interpret network traffic. |
|
|
2 |
Penetration Tester |
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems. |
|
|
5 |
Performance Gap |
The difference between an organization’s observed and desired performance. |
|
|
8 |
Permutation cipher |
See transposition cipher. |
|
|
1 |
Personally Identifiable Information (PII) |
A set of information that could uniquely identify an individual. |
|
|
3 |
Personally identifiable information (PII) |
Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information. |
|
|
9 |
Persontrap |
A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt. |
|
|
2 |
Pharming |
The redirection of legitimate Web to illegitimate Web sites with the intent to collect personal information. |
|
|
2 |
Phishing |
A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information. |
|
|
9 |
Photoelectric Sensor |
A fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated. |
|
|
2 |
Phreaker |
A hacker who manipulates the public telephone system to make free calls or disrupt services. |
|
|
1 |
Physical Infrastructure |
The physical structure needed by an economy to survive and function properly, things like our transit system or our waste disposal system, all these allow are economy to thrive and function. |
|
|
1 |
Physical Security |
The protection of physical items, objects, or areas from unauthorized access and misuse. |
|
|
9 |
Physical Security |
The protection of physical items, objects, or areas from unauthorized access and misuse. |
|
|
9 |
Plenum |
A space between the ceiling in one level of a commercial building and the floor of the level above. The plenum is used for air return. |
|
|
3 |
Policiy |
Guidelines that dictate certain behavior within the organization. |
|
|
1 |
Policy |
A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur. |
|
|
4 |
Policy administrator |
Policy administrator: an employee responsible for the creation, revision, distribution, and storage of a policy in an organization. |
|
|
5 |
Political Feasibility |
An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest. |
|
|
8 |
Polyalphabetic substitutions |
A substitution cipher that incorporates two or more alphabets in the encryption process. |
|
|
2 |
Polymorphic Threat |
Malware that over time changes the way it appears to antivirus programs, making it undetectable by techniques that look for preconfigured signatures. |
|
|
1 |
Possession |
An attribute of information that describes how the data’s ownership or control is legitimate or authorized. |
|
|
4 |
Practices |
Practices: Examples of actions that illustrate compliance with policies. If the policy states to “use strong passwords, frequently changed,” the practices might advise that “according to X, most organizations require employees to change passwords at least semi-annually.” |
|
|
9 |
Pre-action System |
A fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire. |
|
|
5 |
Pre-mortems |
||
|
4 |
President |
||
|
2 |
Pretexting |
A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. |
|
|
5 |
Prework |
||
|
3 |
Privacy |
In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. |
|
|
8 |
Privacy Enhanced Mail (PEM) |
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures. |
|
|
8 |
Private-key encryption |
See symmetric encryption. |
|
|
2 |
Privilege Escalation |
The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources. |
|
|
1 |
Procedures |
A procedure is a set sequence of necessary activities that performs a specific task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repetitive approach or cycle to accomplish an end result. |
|
|
4 |
Procedures |
Procedures: Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. |
|
|
1 |
Process |
Process is a program that is running on a computer. Process can also be used as a verb, which means to perform a series of operations on a set of data. |
|
|
5 |
Process-based Measures |
Performance measures or metrics based on intangible activities. |
|
|
4 |
Procurement |
||
|
2 |
Professional Hacker |
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. |
|
|
4 |
Profit |
||
|
1 |
Project Team |
A small functional team of people who are experienced in one or more multiple facets of the required technical and nontechnical areas for the project to which they are assigned. |
|
|
5 |
Prospective hindsight |
Projecting into a future perspective to consider the decision making process which led to success or failure at achieving a goal. |
|
|
1 |
Protection Profile |
"Security Posture |
Security posture refers to an organization’s overall cybersecurity strength and how well it can predict, prevent and respond to ever-changing cyberthreats. |
|
9 |
Proximity Reader |
An electronic signal receiver used with an electromechanical lock that allows users to place their cards within the reader’s range and release the locking mechanism. |
|
|
8 |
Public Key Infrastructure (PKI) |
An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates. |
|
|
8 |
Public-key encryption |
See asymmetric encryption. |
|
|
5 |
Qualitative Assessment |
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. |
|
|
5 |
Quantitative Assessment |
An asset valuation approach that attempts to assign absolute numerical measures. |
|
|
1 |
Radiation |
Radiation detection devices open to cyber attack, researcher finds.Attackers could, for example, falsify readings to simulate a radiation leak to trick authorities into ordering unnecessary evacuations… |
|
|
8 |
RADIUS Server |
Or Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on ports 1812 and 1813, that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. |
|
|
2 |
Rainbow Table |
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file. |
|
|
2 |
Ransomware |
Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption. |
|
|
9 |
Rate-of-rise Sensor |
A fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time. |
|
|
5 |
Ratings |
||
|
5 |
Rationales |
||
|
4 |
Recovery Point Objective (RPO) |
Recovery point objective (RPO): The point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage (given the most recent backup copy of the data). |
|
|
4 |
Recovery Time Objective (RTO) |
Recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. |
|
|
4 |
Redundancy |
Redundancy: The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information. |
|
|
8 |
Registration Authority (RA) |
In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions. |
|
|
4 |
Remote journaling |
Remote journaling: The backup of data to an off-site facility in close to real time based on transactions as they occur. |
|
|
4 |
Reorganization |
||
|
5 |
Repeating options |
When the same type of decision comes up over and over again and there are repeated opportunites to choose options, including options which may have been rejected in the past — an excellent learning environment. |
|
|
5 |
Residual Risk |
The risk to information assets that remains even after current controls have been applied. |
|
|
3 |
Restitution |
A legal requirement to make compensation or payment resulting from a loss or injury. |
|
|
5 |
Resulting |
Equating the quality of a decision with the quality of it’s outcome. |
|
|
4 |
Revenue |
||
|
1 |
Risk |
enter the definition as plain text here |
|
|
5 |
Risk Appetite |
The quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. |
|
|
5 |
Risk Assessment |
A determination of the extent to which the organizations information assets are exposed or at risk. |
|
|
5 |
Risk Control |
The application of controls to reduce the risks to an organization’s information assets to an acceptable level. |
|
|
5 |
Risk Identification |
The recognition, enumeration, and documentation of risks to an organization’s information assets. |
|
|
5 |
Risk Management |
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level. |
|
|
5 |
Risk Tolerance |
See risk appetite |
|
|
2 |
Rooting |
Escalating privileges to gain administrator-level control over a computer system (including smartphones). |
|
|
1 |
Sabotage |
Sabotage can be considered violence against technology rather than against people. It includes actions such as putting sand in a tractor’s fuel tank, programming a bug into a computer system, and putting spikes in trees that will wreck a sawmill blade |
|
|
1 |
Safeguard |
"Control" |
The terms controls, safeguards, and countermeasures are often used interchangeably. In essence, they are means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. |
|
2 |
Sag |
A short-term decrease in electrical power availability. |
|
|
4 |
Sales |
||
|
4 |
Sandbagging |
||
|
4 |
Sarbanes-Oxley (SoX) |
||
|
5 |
Satisfying |
Decision making motivated by choosing the first satisfying option available. |
|
|
2 |
Script Kiddie |
A hacker of limited skill who use expertly written software to attack a system. |
|
|
8 |
Secret key |
A key that can be used in symmetric encryption both to encipher and decipher the message. |
|
|
8 |
Secure Electronic Transactions (SET) |
A protocol developed by credit card companies to protect against electronic payment fraud. |
|
|
9 |
Secure Facility |
A physical location that has controls in place to minimize the risk of attacks from physical threats. |
|
|
8 |
Secure Hash Standard (SHS) |
A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file. |
|
|
8 |
Secure HTTP (S-HTTP) |
An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server |
|
|
8 |
Secure Multipurpose Internet Mail Extensions (S/MIME) |
A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail. |
|
|
8 |
Secure Sockets Layer (SSL) |
A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet. |
|
|
1 |
Security |
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure. |
|
|
5 |
Security Clearance |
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is “cleared” to access.. |
|
|
4 |
Security domain |
Security domain: an area of trust within which information assets share the same level of protection. Each trusted network within an organization is a security domain. Communication between security domains requires evaluation of communications traffic. |
|
|
4 |
Security Education, Training, and Awareness (SETA) |
Security education, training, and awareness (SETA): a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees. |
|
|
4 |
Security perimeter |
Security perimeter: The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas. |
|
|
1 |
Security Posture |
"Protection Profile" |
Security posture refers to an organization’s overall cybersecurity strength and how well it can predict, prevent and respond to ever-changing cyberthreats. |
|
4 |
Sequential roster |
Sequential roster: an alert roster in which a single contact person calls each person on the roster. |
|
|
4 |
Service bureau |
Service bureau: A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee. |
|
|
2 |
Service Level Agreement (SLA) |
A document or part of a document that specifies the expected level of service from a service provider. |
|
|
4 |
Service Level Agreement (SLA) |
||
|
2 |
Session Hijacking |
See TCP hijacking. |
|
|
8 |
Session keys |
Limited-use symmetric keys for temporary communications during an online session. |
|
|
4 |
Shareholders |
||
|
2 |
Shoulder Surfing |
The direct, covert observation of individual information or system use. |
|
|
3 |
Signals Intelligence |
The collection, analysis, and distribution of information from foreign communications networks for intelligence and counterintelligence purposes and in support of military operations. |
|
|
5 |
Single Loss Expectancy (SLE) |
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset’s value and the exposure factor. |
|
|
4 |
Small and Medium Businesses (SMBs) |
||
|
9 |
Smoke Detection System |
A category of fire detection systems that focuses on detecting the smoke from a fire. |
|
|
2 |
Sniffer |
See Packet sniffer. |
|
|
2 |
Social Engineering |
The process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. |
|
|
1 |
Software |
 The programs and other operating infromation used by a computer. |
|
|
1 |
Software Assurance (SA) |
A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence. |
|
|
2 |
Software Piracy |
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property. |
|
|
2 |
Spam |
Undesired e-mail, typically commercial advertising transmitted in bulk. |
|
|
2 |
Spear Phishing |
A highly targeted phishing attack. |
|
|
2 |
Spike |
A short-term increase in electrical power availability, also known as a swell. |
|
|
4 |
Spinoff |
||
|
4 |
Sponsor |
||
|
2 |
Spoofing |
A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host. |
|
|
9 |
Sprinkler System |
A fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected. |
|
|
2 |
Spyware |
Any technology that aids in gathering information about a person or organization without their knowledge. |
|
|
4 |
Stakeholder(s) |
||
|
4 |
Standard |
Standard: A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. |
|
|
9 |
Standby (or Offline) UPS |
An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down. |
|
|
9 |
Standby Ferroresonant UPS |
A UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered. |
|
|
9 |
Static Electricity |
An imbalance of electrical charges in the atmosphere or on the surface of a material, caused by triboelectrification. |
|
|
5 |
Status Quo bias |
Cognitive bias |
The tendency to believe that the way things are presently will persist into the future. |
|
8 |
Steganography |
The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists. |
|
|
1 |
Storage |
"At-rest" |
Storage At-Rest is one of the three states of data (the other two being In Transit and In Use.) The data stored in this state is not moving in the network or being used. It is prone to attacks by malicious actors. |
|
4 |
Strategic plan |
Strategic plan: the documented product of strategic planning; a plan for the organization’s intended strategic efforts over the next several years. |
|
|
4 |
Strategic planning |
Strategic planning: the process of defining and specifying the long-term direction to be taken by an organization, and the allocation and acquisition of resources needed to pursue this. |
|
|
1 |
Subject of Attack |
"Object of Attack" |
enter the definition as plain text here |
|
8 |
Substitution cipher |
An encryption method in which one value is substituted for another. |
|
|
4 |
Sunset clause |
Sunset clause: a component of policy or law that defines an expected end date for its applicability. |
|
|
4 |
Supplier Management |
||
|
4 |
Supply Chain |
||
|
2 |
Surge |
A long-term increase in electrical power availability. |
|
|
4 |
SVP Risk Management |
||
|
8 |
Symmetric encryption |
A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message. |
|
|
1 |
Systems Development Life Cycle (SDLC) |
A methodology for the design and implementation of an information system. |
|
|
4 |
Systems-specific security policies (SysSPs) |
Systems-specific security policies (SysSPs): Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. |
|
|
4 |
Tactical plan |
Tactical plan: the documented product of tactical planning; a plan for the organization’s intended tactical efforts over the next few years. |
|
|
4 |
Tactical planning |
Tactical planning: the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives. |
|
|
9 |
Tailgating |
The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point. |
|
|
4 |
Target(s) |
||
|
2 |
TCP Hijacking |
A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. |
|
|
4 |
Technical controls |
Technical controls: information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs. |
|
|
5 |
Technical Feasibility |
An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control. |
|
|
4 |
Technical specifications SysSP |
Technical specifications SysSP: A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. |
|
|
1 |
Technology |
Technology, the application of scientific knowledge to the practical aims of human life or, as it is sometimes phrased, to the change and manipulation of the human environment. |
|
|
9 |
Telecommuting |
A work arrangement in which employees work from an off-site location and connect to an organization’s equipment electronically. Also known as telework. |
|
|
9 |
Telework |
See telecommuting. |
|
|
9 |
TEMPEST |
A U.S. government program designed to protect computers from electronic remote eavesdropping by reducing EMR emissions. |
|
|
5 |
Termination Risk Control Strategy |
The risk control strategy that eliminates all risk associated with an information asset by removing it from service. |
|
|
2 |
Theft |
The illegal taking of another’s property, which can be physical, electronic, or intellectual. |
|
|
9 |
Thermal Detection System |
AÂ category of fire detection systems that focuses on detecting the heat from a fire. |
|
|
9 |
Thermal Detector |
An alarm sensor designed to detect a defined rate of change in the ambient temperature within a defined space. |
|
|
1 |
Threat |
enter the definition as plain text here |
|
|
1 |
Threat Actor |
A Cyber Threat Actor (CTA) is a participant (person or group) in an action or process that is characterized by malice or hostile action (intending harm) using computers, devices, systems, or networks. |
|
|
1 |
Threat Agent |
Threat Agent is a party that is responsible for, or attempts to bring about, harm to an organization. |
|
|
5 |
Threat Assessment |
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization. |
|
|
1 |
Threat Event |
A threat event is an unforseen problem or situation, that has the potentail to negatively impact your computer. |
|
|
1 |
Threat Source |
enter the definition as plain text here |
|
|
5 |
Threats-Vulnerabilities-Assets (TVA) Triples |
A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TxVyAz, where there may be one or more vulnerabilities between Threat X and Asset Z. |
|
|
5 |
Threats-Vulnerabilities-Assets (TVA) Worksheet |
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings. |
|
|
5 |
Tilt |
When a bad outcome creates an emotionally hot state which compromises the quality of decision making. |
|
|
5 |
Time/Accuracy tradeoff |
Increasing accuracy costs time. Saving time costs accuracy. |
|
|
4 |
Time-share |
Time-share: A continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A time-share allows the organization to have a BC option while reducing its overall costs. |
|
|
1 |
Top-down Approach |
A methodology of establishing security policies that is initiated by upper management. |
|
|
4 |
Transaction (in M&A) |
||
|
5 |
Transference Risk Control Strategy |
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations. |
|
|
8 |
Transport mode |
In IPSec, an encryption method in which only a packet’s IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses. |
|
|
8 |
Transposition cipher |
A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher. |
|
|
2 |
Trap Door |
See Back door. |
|
|
4 |
Treasury |
||
|
2 |
Trespass |
Unauthorized entry into the real or virtual property of another party. |
|
|
9 |
Triboelectrification |
The exchange of electrons between two materials when they make contact, resulting in one object becoming more positively charged and the other more negatively charged. |
|
|
2 |
Trojan Horses |
A malware program that hides its true nature and reveals its designed behavior only when activated. |
|
|
8 |
Trust Anchors |
Are root certificates in a trust store — they sign the identity of the device and "innoculate" the device with trusted certificate authorities. |
|
|
8 |
Trust Store |
Is a list of root certificates (sometimes called trust anchors) that comes pre-installed on a device. |
|
|
8 |
Tunnel mode |
In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination. |
|
|
4 |
Uncertainty |
||
|
2 |
Uptime |
The percentage of time a particular service is available; the opposite of downtime. |
|
|
1 |
Utility |
An attribute of information that describes how data has value or usefulness for an end purpose. |
|
|
4 |
Value Chain |
||
|
4 |
Vendor |
||
|
8 |
Vernam Cipher |
A cryptographic technique developed at AT&T and known as the “one-time pad,” this cipher uses a set of characters for encryption operations only one time and then discards it. |
|
|
9 |
Vibration Sensor |
An alarm sensor designed to detect movement of the sensor rather than movement in the environment. |
|
|
8 |
Vigenère Cipher |
An advanced type of substitution cipher that uses a simple polyalphabetic code. |
|
|
9 |
Virtual Organization |
A group of people brought together for a specific task, usually from different organizations, divisions, or departments.. |
|
|
2 |
Virus |
A type of malware that is attached to other executable programs. |
|
|
2 |
Virus Hoax |
A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message. |
|
|
1 |
Vulnerability |
a vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system |
|
|
2 |
Vulnerability |
A potential weakness in an asset or its defensive control system(s). |
|
|
4 |
Warm site |
Warm site: a facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations. |
|
|
9 |
Water Mist Sprinkler |
A fire suppression sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a flame. |
|
|
1 |
Waterfall Model |
A type of SDLC in which each phase of the process “flows from” the information gained from the previous phase, with multiple opportunities to return to previous phases and make adjustments. |
|
|
9 |
Wet-pipe System |
A fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area. |
|
|
4 |
Work Recovery Time (WRT) |
Work recovery time (WRT): The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system. |
|
|
2 |
Worm |
A type of malware that is capable of activation and replication without being attached to an existing program. |
|
|
2 |
Zero-Day Attack |
"Zero Day" |
An attack that makes use of malware that is not yet known by the anti-malware software companies. |
|
2 |
Zombie |
"Bot" |
Another term for bot which is an abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie. |
