Principles of Information Security (4th edition) Chapter 1

A senior executive who promotes a security project and ensures its support.
Chief information officer (CIO)
An executive-level position in which the person is in charge of the organization’s computing technology, and strives to create efficiency in the processing and accessing of the organization’s information.
community of interest
A group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Computer security
A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.
The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.
hash value
A fingerprint of the author’s message that is compared with the recipient’s locally calculated hash of the same message.
The quality or state of being whole, complete, and uncorrupted.
A formal approach to solving a problem based on a structured sequence of procedures.
object of an attack
The object or entity being attacked.
Organizational culture
The specific social and political atmosphere within a given organization that determines the organization’s procedures and policies and willingness to adapt to changes.
personnel security
To protect the individual or group of individuals who are authorized to access the organization and its operations.
project team
For information security, a group of individuals with experience in the requirements of both technical and nontechnical fields.
risk appetite
The quantity and nature of risk that organizations are willing to accept.
to be protected from adversaries – from those who would do harm, intentionally or otherwise.
threat agent
a specific instance or component that represents a danger to an organization’s assets. can be accidental or purposeful, for example lightning strikes or hackers.
the quality or state of having value for an end purpose. information that serves a purpose.
An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
a condition or state of being exposed
e-mail spoofing
The act of sending an e-mail message with a modified field
The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system, or other tangible object.
bottom-up approach
A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
C.I.A. Triangle
The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
chief information security officer (CISO)
This position is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role will report to the chief information officer (CIO).
Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.
Data custodians
Individuals who are responsible for the storage, maintenance, and protection of information.
Data owners
Individuals who determine the level of classification associated with data.
Data users
Individuals who work with information to perform their daily jobs supporting the mission of the organization.
end user
Synonymous with data user. An individual who uses computer applications for his daily work.
enterprise information security policy (EISP)
Also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
A technique used to compromise a system.
A single instance of a system being open to damage.
file hashing
Method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
McCumber Cube
A graphical representation of the architectural approach widely used in computer and information security.
A passive entity in an information system that receives or contains information.
operations security
A process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization”s planning processes or operations. OPSEC does not replace other security disciplines—it supplements them.
An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.
physical security
An aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
The quality or state of having ownership or control of some object or item.
The probability that something can happen.
risk assessment specialist
An individual who understands financial risk assessment techniques, the value of organizational assets, and security methods.
security policy developer
An individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies.
security posture
Synonymous with protection profile. The implementation of an organization”s security policies, procedures, and programs.
security professional
A specialist in the technical and nontechnical aspects of security information.
An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.
subject of an attack
An agent entity that is used as an active tool to conduct an attack.
systems administrator
An individual responsible for administering information systems.
systems development life cycle (SDLC)
A methodology for the design and implementation of an information system
team leader
For information security, a project manager who understands project management, personnel management, and technical requirements.
An object, person, or other entity that represents a constant danger to an asset.
top-down approach
A methodology of establishing security policies that is initiated by upper management.
The quality or state of having value for an end purpose. Information has ____ if it serves a purpose.
Weakness in a controlled system, where controls are not present or are no longer effective.
waterfall model
A methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.
Information Security (IS)
To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Committee on National Security Systems
control, safeguard, or countermeasure
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
salami theft
aggregation of information used with criminal theft
Communications security
the protection of communications media, technology, and content
Enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the requested format
when information is free from mistakes or errors and has the value that the end user expects
The quality or state or being genuine or original, rather than a reproduction or fabrication
physical security, personnel security, operations security, communications security, network security, information security
the six layers of security an organization should have in place to protect its operations
network security
the protection of networking components, connections, and contents
Information security (CNSS definition)
The protection of information and its critical elements, including the system and hardware that use, store, and transmit that information
a subject or object’s ability to use, manipulate, modify, or affect another subject or object
protection profile or security posture
the entire set of controls and safeguards, including policy, education, training and awareness, that the organization implements (or fails to implement) to protect the asset
subject of an attack
an agent entity used to conduct the attack
phishing undertaken by law enforcement