
InfoSec Terms

This ISO standard provides information on how to implement another ISO security standard and how to set up an information security management system. → ISO 27001,

illustrate information security implementations and can help organizations to quickly make improvements through adaptation → Security architecture models,

The third component of the NIST Risk Management Framework → addresses how organizations respond to risk once that risk is determined based on the results of risk assessments,

The NIST special publication: Managing InfoSec Risk → SP 800-39,

Regulates the admission of users into trusted areas of the organization, both logical access to the information systems and physical access to the organization's facilities → Access Controls,

This ISO standard provides a broad overview of the various areas of security. → ISO 27002,

The calculated value associated with the most likely loss from a single occurrence of a specific attack → Single loss expectancy (SLE),

An analysis that examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization. → Organizational feasibility,

Access control is built on the principles of: → least privilege, need-to-know and separation of duties,

A model that is built upon principles of change control rather than integrity levels, and was designed for the commercial environment → Clark-Wilson Integrity Model,

The first phase of the Contingency Planning process and serves as an investigation and assessment of the impact that various adverse events can have on the organization → business impact analysis,

The Information Technology Infrastructure Library is: → a collection of methods and practices useful for managing the development and operation of information technology infrastructures.,

The first component of the NIST Risk Management Framework → addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made.,

Rules of thumb for selecting a strategy:
When a vulnerability exists in an important asset → Implement security controls to reduce the likelihood of a vulnerability being exploited,

The NIST special publication: Generally Accepted Security Principles and Practices → SP 800-14,

Rules of thumb for selecting a strategy:
When a vulnerability can be exploited → Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack,

The risk treatment strategy that focuses on planning and preparation to reduce the impact or potential consequences of an incident or disaster. → Mitigation,

A level of performance against which changes can be usefully compared. → Baselining,

An access control model with security rules that prevent information from being moved from a higher security level to a lower security level. → Bell-LaPadula (BLP) confidentiality model,

A term that may be used in the Incident Response plan for events that represent the potential for loss. → Incident candidates

A systematic approach to identifying, evaluating, and prioritizing risks followed by coordinated efforts to minimize, monitor, and control the probability or impact of unfortunate events. → Risk management