Exam 1 Flashcards

1
Q

Asset

A

Organizational resource that is being protected. Can be logical, such as a web site, software information, or data; can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.

2
Q

Information Asset

A

Focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.

3
Q

Information Security (InfoSec)

A

Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

4
Q

Security

A

State of being secure and free from danger or harm. In addition, the actions taken to make someone or something secure.

5
Q

Accountability

A

Access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity. Also known as auditability.

6
Q

Authentication

A

Access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity.

7
Q

Authorization

A

Access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.

8
Q

Availability

A

Attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

9
Q

C.I.A. Triad

A

Industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

10
Q

Confidentiality

A

Attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

11
Q

Disclosure

A

In information security, the intentional or unintentional exposure of an information asset to unauthorized parties.

12
Q

Identification

A

Access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system.

13
Q

Information Aggregation

A

Collection and combination of pieces of non-private data, which could result in information that violates privacy. Not to be confused with aggregate information.

14
Q

Integrity

A

Attribute of information that describes how data is whole, complete, and uncorrupted.

15
Q

Privacy

A

In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.

16
Q

Attack

A

Intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Threat Event.

17
Q

Exploit

A

Technique used to compromise a system. This term can be a verb or noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain.

18
Q

Loss

A

Single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

19
Q

Threat

A

Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat.

20
Q

Threat Agent

A

Specific instance or a component of a threat.

21
Q

Vulnerability

A

Potential weakness in an asset or its defensive control system(s).

22
Q

Intellectual Property (IP)

A

Creation, ownership, and control of original ideas as well as the representation of those ideas.

23
Q

Software Piracy

A

Unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

24
Q

Availability Disruption

A

Interruption in service, usually from a service provider, which causes an adverse event within an organization.

25
Q

Blackout

A

Long-term interruption in electrical power availability.

26
Q

Brownout

A

Long-term decrease in the quality of electrical power availability.

27
Q

Fault

A

Short-term interruption in electrical power availability.

28
Q

Noise

A

Presence of additional and disruptive signals in network communications or electrical power delivery.

29
Q

Sag

A

Short-term decrease in electrical power availability.

30
Q

Service Level Agreement (SLA)

A

Document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.

31
Q

Spike

A

Short-term increase in electrical power availability, also known as swell.

32
Q

Surge

A

Long-term increase in electrical power availability.

33
Q

Advanced Persistent Threat (APT)

A

Collection of processes, usually directed by a human agent, that targets a specific organization or individual.

34
Q

Brute Force Password Attack

A

Attempt to guess a password by attempting every possible combination of characters and numbers in it.

35
Q

Competitive Intelligence

A

Collection and analysis of information about an organization’s business competitors through legal and ethical means to gain business intelligence and competitive advantage.

36
Q

Cracker

A

Hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.

37
Q

Cracking

A

Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.

38
Q

Dictionary Password Attack

A

Variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.

39
Q

Expert Hacker

A

Hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers. Often create automated exploits, scripts, and tools used by other hackers.

40
Q

Industrial Espionage

A

Collection and analysis of information about an organization’s business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.

41
Q

Jailbreaking

A

Escalating privileges to gain administrator-level control over a smartphone operating system (usually iPhones).

42
Q

Novice Hacker

A

Relatively unskilled hacker who uses the work of expert hackers to perform attacks. aka neophyte, n00b, or newbie. Includes script kiddies and packet monkeys.

43
Q

Packet Monkey

A

Script kiddie who uses automated exploits to engage in denial-of-service attacks.

44
Q

Penetration Tester

A

Information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.

45
Q

Phreaker

A

Hacker who manipulates the public telephone system to make free calls or disrupt services.

46
Q

Pretexting

A

Form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. Commonly performed by telephone.

47
Q

Privilege Escalation

A

Unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.

48
Q

Professional Hacker

A

Hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.

49
Q

Rainbow Table

A

Table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.

50
Q

Rooting

A

Escalating privileges to gain administrator-level control over a computer system (including smart phones). Typically associated with Linux and Android operating systems. See also jailbreaking.

51
Q

Script Kiddie

A

Hacker of limited skill who uses expertly written software to attack a system. aka skids, kiddies, or script bunnies.

52
Q

Shoulder Surfing

A

Direct, covert observation of individual information or system use.

53
Q

Trespass

A

Unauthorized entry into the real or virtual property of another party.

54
Q

Advance-Fee Fraud (AFF)

A

Form of social engineering, typically conducted via email, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer. This may also involve prepayment for services with a payment larger than required; the overpayment is returned and then the initial payment is repudiated.

55
Q

Phishing

A

Form of social engineering in which the attacker provides what appears to be a legitimate communication, but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.

56
Q

Social Engineering

A

Process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

57
Q

Spear Phishing

A

Any highly targeted phishing attack.

58
Q

Information Extortion

A

Act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.

59
Q

Ransomware

A

Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption.

60
Q

Cyberterrorism

A

Conduct of terrorist activities by online attackers.

61
Q

Cyberwarfare

A

Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state. Also known as information warfare.

62
Q

Hacktivist

A

Hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency. aka cyberactivist.

63
Q

Back Door

A

Malware payload that provides access to a system by bypassing normal access controls. Also an intentional access control bypass left by a system designer to facilitate development.

64
Q

Boot Virus

A

Type of virus that targets the boot sector or Master Boot Record of a computer system’s hard drive or removable storage media.

65
Q

Clickbait

A

Content such as email attachments or embedded links crafted to convince unsuspecting users into clicking them which results in more web traffic for the content provider or the installation of unwanted software or malware.

66
Q

Denial-of-Service (DoS) Attack

A

Attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.

67
Q

Distributed Denial-of-Service (DDoS) Attack

A

DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.

68
Q

Domain Name System (DNS) Cache Poisoning

A

Intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate internet locations. Also known as DNS spoofing.

69
Q

Macro Virus

A

Type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application’s product is opened. Typically affects documents, slideshows, emails, or spreadsheets created by office suite applications.

70
Q

Malware

A

Computer software specifically designed to perform malicious or unwanted actions.

71
Q

Polymorphic Threat

A

Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.

72
Q

Virus

A

Type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system’s email program.

73
Q

Mean Time Between Failures (MTBF)

A

Average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

74
Q

Mean Time to Diagnose (MTTD)

A

Average amount of time a computer repair technician needs to determine the cause of a failure.

75
Q

Mean Time to Failure (MTTF)

A

Average amount of time until the next hardware failure.

76
Q

Mean Time to Repair (MTTR)

A

Average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

77
Q

Leadership

A

Process of influencing others and gaining their willing cooperation to achieve an objective by providing purpose, direction, and motivation.

78
Q

Management

A

Process of achieving objectives by appropriately applying a given set of resources.

79
Q

Controlling

A

Process of monitoring progress and making necessary adjustments to achieve desired goals or objectives.

80
Q

Organizing

A

Structuring of resources to maximize their efficiency and ease of use.

81
Q

Planning

A

Process of creating designs or schemes for future efforts or performance.

82
Q

Governance

A

Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

83
Q

Policy

A

Guidelines that dictate certain behavior within the organization.

84
Q

Ethics

A

Branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.

85
Q

Deterrence

A

Act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place.

86
Q

Computer Fraud and Abuse (CFA) Act

A

Cornerstone of many computer-related federal laws and enforcement efforts, the CFA formally criminalizes “accessing a computer without authorization or exceeding authorized access” for systems containing information of national interest as determined by the U.S. government.

87
Q

Computer Security Act (CSA)

A

US law designed to improve security of federal information systems. It charged the National Bureau of Standards, now NIST, with the development of standards, guidelines, and associated methods and techniques for computer systems, among other responsibilities.

88
Q

Electronic Communications Privacy Act (ECPA) of 1986

A

Collection of statutes that regulate the interception of wire, electronic, and oral communications. These statutes are frequently referred to as the “federal wiretapping acts.”

89
Q

Health Insurance Portability and Accountability Act (HIPAA) of 1996

A

Attempts to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.

90
Q

Privacy Act of 1974

A

Federal law that regulates the government’s collection, storage, use, and dissemination of individual personal information contained in records maintained by the federal government.

91
Q

Due Care

A

Measures that an organization takes to ensure every employee knows what is acceptable and what is not.

92
Q

Due Diligence

A

Reasonable steps taken by people or organizations to meet the obligations imposed by laws or regulations.

93
Q

Jurisdiction

A

Power to make legal decisions and judgments, typically an area within which an entity such as a court or law enforcement agency is empowered to make legal decisions.

94
Q

Liability

A

Entity’s legal obligation or responsibility.

95
Q

Long-Arm Jurisdiction

A

Ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.

96
Q

Restitution

A

Legal requirement to make compensation or payment resulting from a loss or injury.

97
Q

Digital Forensics

A

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.

98
Q

Digital Malfeasance

A

Crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.

99
Q

e-discovery

A

Identification and preservation of evidentiary material related to a specific legal action.

100
Q

Evidentiary Material

A

Also known as “items of potential evidentiary value,” any information that could potentially support the organization’s legal or policy-based case against a suspect.

101
Q

Evidentiary Material Policy (EM Policy)

A

Policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.

102
Q

Forensics

A

Coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court-like setting. Forensics allows investigators to determine what happened by examining the results of an event - criminal, natural, intentional, or accidental.

103
Q

Search Warrant

A

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator’s lab for examination. An affidavit becomes a search warrant when signed by an approving authority.

104
Q

Stakeholder

A

A person or organization that has a stake or vested interest in a particular aspect of the planning or operation of the organization; in this case, the information assets used in a particular organization.

105
Q

Strategic Planning

A

Process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.

106
Q

Governance, Risk Management, and Compliance (GRC)

A

An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.

107
Q

Champion

A

High-level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project.

108
Q

Controls and Safeguards

A

Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

109
Q

Methodology

A

Formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective.

110
Q

Security Systems Development Life Cycle (SecSDLC)

A

Formal approach to designing information security programs that follows the methodology of a traditional information systems development life cycle (SDLC), including a recursive set of phases such as investigation, analysis, logical design, physical design, implementation, and maintenance and change.

111
Q

Systems Development Life Cycle (SDLC)

A

Methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.

112
Q

Information Security Policies

A

Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.

113
Q

Policy

A

In business, a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior.

114
Q

Guidelines

A

Nonmandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to “use strong passwords, frequently changed,” the guidelines might advise that “we recommend you don’t use family or pet names, or parts of your Social Security number, employee number, or phone number in your password.”

115
Q

Practices

A

Examples of actions that illustrate compliance with policies. If the policy states to “use strong passwords, frequently changed,” the practices might advise that “according to X, most organizations require employees to change passwords at least semiannually.”

116
Q

Procedures

A

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to “use strong passwords, frequently changed,” the procedure might advise that “in order to change your password, first click on the Windows Start button, then . . .”

117
Q

Standard

A

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must “use strong passwords, frequently changed,” the standard might specify that the password “must be at least 8 characters, with at least one number, one letter, and one special character.”

118
Q

Enterprise Information Security Policy (EISP)

A

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.

119
Q

Issue-Specific Security Policy (ISSP)

A

Organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

120
Q

Access Control Lists (ACLs)

A

Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capability tables.

121
Q

System-Specific Security Policies (SysSPs)

A

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications, but may be written as a single unified SysSP document.

122
Q

Information Security Program

A

Entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to its information assets.

123
Q

Chief Information Officer (CIO)

A

Typically considered the top information technology officer in an organization. The CIO is usually an executive-level position, and frequently the person in this role reports to the CEO.

124
Q

Chief Information Security Officer (CISO)

A

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

125
Q

Chief Security Officer (CSO)

A

In some organizations, an alternate title for the CISO; in other organizations, the title most commonly assigned to the most senior manager or executive responsible for both information and physical security.

126
Q

Security Administrator

A

Hybrid position comprising the responsibilities of both a security technician and a security manager.

127
Q

Security Analyst

A

Specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system.

128
Q

Security Manager

A

In larger organizations, a manager responsible for some aspect of information security who reports to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.

129
Q

Security Technician

A

Technical specialist responsible for the implementation and administration of some security-related technology.

130
Q

Security Watchstander

A

Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology. Also known as a security staffer.

131
Q

Security Awareness

A

Portion of the SETA program dedicated to keeping conscious of key InfoSec issues through the use of newsletters, posters, trinkets, and other methods.

132
Q

Security Education

A

Portion of the SETA program based on formal delivery of knowledge of InfoSec issues and operations, usually through institutions of higher learning.

133
Q

Security Education, Training, and Awareness (SETA)

A

Managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees.

134
Q

Security Training

A

Portion of the SETA program focused on providing users with the knowledge, skill, and/or ability to use their assigned resources wisely to avoid creating additional risk to organizational information assets.

135
Q

Project Management

A

Process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.

136
Q

Scope Creep

A

Expansion of the quantity or quality of project deliverables from the original project plan.

137
Q

Critical Path Method (CPM)

A

Diagramming technique, similar to PERT, designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.

138
Q

Gantt Chart

A

Diagramming technique named for its developer, Henry Gantt, which lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis.

139
Q

Program Evaluation and Review Technique (PERT)

A

Diagramming technique developed in the late 1950s that involves specifying activities and their sequence and duration.

140
Q

Projectitis

A

Situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.

141
Q

Work Breakdown Structure (WBS)

A

List of the tasks to be accomplished in the project; the WBS provides details for the work to be accomplished, the skill sets or even specific individuals to perform the tasks, the start and end dates for the task, the estimated resources required, and the dependencies between and among tasks.

142
Q

Enterprise Risk Management (ERM)

A

Evaluation and reaction to risk to the entire organization; ERM is not restricted to the risk facing information assets.

143
Q

Risk Assessment

A

An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

144
Q

Risk Management (RM)

A

Entire program of planning for and managing risk to information assets in the organization. Also InfoSec risk management.

145
Q

RM Framework

A

The overall structure of the strategic planning and design for the entirety of the organization's RM (risk management).

146
Q

RM Process

A

Identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework.

147
Q

Risk Management Policy

A

Policy designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets.

148
Q

Residual Risk

A

Risk to information assets that remains even after current controls have been applied.

149
Q

Risk Appetite

A

Quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

150
Q

Risk Appetite Statement

A

Formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances.

151
Q

Risk Management Plan

A

A document that contains specifications for the implementation and conduct of RM efforts.

152
Q

Risk Tolerance/Risk Threshold

A

Assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite.

153
Q

Zero Tolerance Risk Exposure

A

Extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset.

154
Q

Data Classification Scheme

A

Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

155
Q

Information Asset

A

Within the context of risk management, any collection, set or database of information or any asset that collects, stores, processes, or transmits information of value to the organization. Here the terms data and information are interchangeable.

156
Q

Media

A

Hardware, integral operating systems, and utilities that collect, store, process, and transmit information.

157
Q

Risk Identification

A

Recognition, enumeration, and documentation of risks to an organization’s information assets.

158
Q

Threat Assessment

A

Evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.

159
Q

Impact

A

Understanding of the potential consequences of a successful attack on an information asset by a threat.

160
Q

Likelihood

A

Probability that a specific vulnerability within an organization will be attacked by a threat.

161
Q

Risk Analysis

A

Determination of the extent to which an organization’s information assets are exposed to risk.

162
Q

Uncertainty

A

State of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes.

163
Q

Risk Evaluation

A

Process of comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite or risk threshold to determine if risk treatment is required.

164
Q

Process Communications

A

Necessary information flow within and between the governance group, RM framework team, and RM process team during the implementation of RM.

165
Q

Process Monitoring and Review

A

Data collection and feedback associated with performance measures used during the conduct of the process.

166
Q

Bot

A

Abbreviation for robot, an automated software program that executes certain commands when it receives a specific input. Also zombie.

167
Q

Mail Bomb

A

Attack designed to overwhelm the receiver with excessive quantities of email.

168
Q

Malware

A

Computer software specifically designed to perform malicious or unwanted actions.

169
Q

Man-In-The-Middle

A

Group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that the attacker is the other communications partner. Some attacks involve encryption functions.

170
Q

Packet Sniffer / Network Sniffer

A

Software program or hardware appliance that can intercept, copy, and interpret network traffic.

171
Q

Pharming

A

Redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.

172
Q

Polymorphic Threat

A

Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.

173
Q

Spam

A

Unsolicited commercial e-mail, typically advertising transmitted in bulk.

174
Q

Spoofing

A

Technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

175
Q

TCP Hijacking / Session Hijacking

A

Form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications. TCP/IP is short for Transmission Control Protocol/Internet Protocol.

176
Q

Tools, Techniques, and Procedures (TTP)

A

Means and methods used by adversaries to attack an information asset. Also referred to as tactics, techniques, and procedures.

177
Q

Trojan Horse

A

Malware program that hides its true nature and reveals its designed behavior only when activated.

178
Q

Worm

A

Type of malware that is capable of activation and replication without being attached to an existing program.