Flashcards in Glossary - S Deck (99):
Deliberate damage of an organization’s asset.
The process of recovering components or assets that still have value after a disaster.
A portion of a population of records that is selected for auditing.
The sum of all samples divided by the number of samples.
sample standard deviation
A computation of the variance of sample values from the sample mean. This is a measurement of the “spread” of values in the sample.
A technique that is used to select a portion of a population when it is not feasible to test an entire population.
The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient. See also confidence coefficient.
SAS 70 (Statement of Accounting Standards No. 70)
An external audit of a service provider. An SAS 70 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). Deprecated by SSAE16. See also SSAE16.
An attack on a computer or network with the intention of discovering potentially vulnerable computers or programs.
screened shielded twisted pair (S/STP)
A type of twisted-pair cable where a thick metal shield protects each pair of conductors, plus an outer shield that protects all of the conductors together. See also twisted-pair cable.
screened unshielded twisted pair (S/UTP)
A type of twisted-pair cable where the entire cable has a thick metal shield that protects the cables. See also twisted-pair cable.
A network device that filters network traffic based on source and destination IP addresses and ports. See also firewall.
An inexperienced computer hacker who uses tools developed by others to illegally access computers and networks.
An iterative and incremental methodology used for rapid and agile software development.
A computer’s long-term storage of information, usually implemented with hard disk drives or static random access memory (SRAM).
secure copy (SCP)
A TCP/IP application layer protocol used as a file transfer protocol that is similar to remote copy (RCP), but is protected using secure shell (SSH). See also remote copy (RCP), secure shell (SSH).
secure electronic transaction (SET)
A protocol used to protect credit card transactions that uses a digital envelope. SET has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). See also digital envelope, Secure Sockets Layer (SSL), and Transport Layer Security (TLS).
Secure File Transfer Protocol (SFTP)
A TCP/IP application layer protocol that is an extension of the FTP protocol, where authentication and file transfer are encrypted using SSH. Sometimes referred to as SSH File Transfer Protocol. See also File Transfer Protocol (FTP), secure shell (SSH).
Secure Hypertext Transfer Protocol (SHTTP)
A protocol used to encrypt webpages between web servers and web browsers. Often confused with Hypertext Transfer Protocol Secure (HTTPS).
Secure Multipurpose Internet Mail Extensions (S/MIME)
An e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.
secure shell (SSH)
A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. SSH can also be used as a tunnel to encapsulate and thereby protect other protocols.
Secure Sockets Layer (SSL)
An encryption protocol used to encrypt webpages requested with the HTTPS (Hypertext Transfer Protocol/Secure) URL. Deprecated by Transport Layer Security (TLS). See also Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS).
A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors.
Management’s control over an organization’s security program.
Personnel who control passage at entry points or roam building premises looking for security issues such as unescorted visitors.
An event where the confidentiality, integrity, or availability of information (or an information system) has been compromised.
security incident response
The formal, planned response that is enacted when a security incident has occurred. See also security incident.
See information security policy.
Formal statements that describe the required security characteristics that a system must support.
segregation of duties
The concept that ensures single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
separation of duties
See segregation of duties.
serial line interface protocol (SLIP)
A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232).
A centralized computer used to perform a specific task.
service continuity management
The IT function that consists of activities concerned with the organization’s ability to continue providing services, primarily in the event that a natural or man-made disaster has occurred. See also IT service management, business continuity planning, and disaster recovery planning.
The IT function that handles incidents and service requests on behalf of customers by acting as a single point of contact. See also IT service management.
service-level agreement (SLA)
An agreement that specifies service levels in terms of the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity.
The IT function that confirms whether IT is providing adequate service to its customers. This is accomplished through continuous monitoring and periodic review of IT service delivery. See also IT service management.
service provider audit
An audit of a third-party organization that provides services to other organizations.
service set identifier (SSID)
A friendly name that identifies a particular 802.11 wireless network.
Layer 5 of the OSI network model. See also OSI network model.
session border controller
A device deployed in a VoIP network to control VoIP security, connectivity, quality of service, and metering.
An attack on a user’s browser session where the attacker intercepts the user’s session cookie from an unencrypted wired or wireless network and then uses the cookie to take over the victim’s browser session.
session initiation protocol (SIP)
The network protocol used to set up and tear down Voice over IP (VoIP) and other communications connections. See also Voice over IP (VoIP).
shielded twisted pair (STP)
A type of twisted-pair cable where a thin metal shield protects each pair of conductors. See also twisted-pair cable.
Simple Mail Transfer Protocol (SMTP)
A TCP/IP application layer protocol that is used to transport e-mail messages.
Simple Network Management Protocol (SNMP)
A TCP/IP application layer protocol used by network devices and systems to transmit management messages indicating a need for administrative attention.
Simple Object Access Protocol (SOAP)
A protocol that is used to facilitate the exchange of structured information between systems.
A test of disaster recovery, business continuity, or security incident response procedures where the participants take part in a “mock disaster” or incident to add some realism to the process of thinking their way through emergency response documents.
single loss expectancy (SLE)
The financial loss when a threat is realized one time. SLE is defined as AV × EF. See also asset value (AV), exposure factor (EF).
An interconnected environment where applications are logically connected to a centralized authentication server that is aware of the logged-in/-out status of each user. A user can log in once to the environment; each application and system is aware of a user’s log-in status and will not require the user to log in to each one separately.
site classification policy
Policy that defines sensitivity levels, security controls, and security procedures for information processing sites and work centers.
A small, credit-card–sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.
A mobile phone equipped with an operating system and software applications.
A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later on.
A program that can be installed on a network-attached system to capture network traffic being transmitted to or from the system.
The act of using deception to trick an individual into revealing secrets.
Software as a Service (SaaS)
A software delivery model where an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.
software development life cycle (SDLC)
The life cycle process used to develop or acquire and maintain information systems. Also known as systems development life cycle.
Software Engineering Institute Capability Maturity Model Integration (SEI CMMI)
A maturity model that is used to measure the maturity of an organization’s software development life cycle process.
The process of maintaining accurate records regarding the permitted use of software programs.
An activity in the software development life cycle where modifications are made to the software code.
Software Process Improvement and Capability dEtermination (SPICE)
A maturity model that is based on the SEI CMM maturity model. SPICE has been made an international standard: ISO 15504.
software program library
The repository that contains program source code and that usually includes tools to manage the maintenance of source code.
source code management
The techniques and tools used to manage application source code.
source lines of code (SLOC)
A sizing technique for software development projects that represents the size of the planned program, expressed as lines of code.
The choices that organizations make when selecting the personnel that will perform functions and where those functions will be performed.
Unsolicited and unwanted e-mail.
A central program or device that examines incoming e-mail and removes all messages identified as spam.
A sharp increase in voltage that lasts for only a fraction of a second.
A software development life cycle process where the activities of requirements definition and software design go through several cycles until the project is complete. See also software development life cycle (SDLC).
The concept of splitting knowledge of a specific object or task between two persons.
The act of changing the configuration of a device or system in an attempt to masquerade as a different, known, and trusted system or user.
A type of malware where software performs one or more surveillance-type actions on a computer, reporting back to the spyware owner.
SSAE16 (Statements on Standards for Attestation Engagements No. 16)
An external audit of a service provider. An SSAE16 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA).
A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.
standard IT balanced scorecard
A management tool that is used to measure the performance and effectiveness of an IT organization.
A network topology where a separate connection is made from a central device to each station.
stateful inspection firewall
A network device that filters network traffic based on source and destination IP addresses and ports, and keeps track of individual TCP/IP sessions to make filtering decisions, permitting established connections. See also firewall.
statement of impact
A description of the impact a disaster scenario will have on a business or business process.
static random access memory (SRAM)
A form of semiconductor memory that does not require refreshing.
A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen. See also sampling.
A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor feels that there is low risk or a low rate of exceptions in the population. See also sampling.
storage area network (SAN)
A stand-alone storage system that can be configured to contain several virtual volumes and connected to many servers through fiber optic cables.
Activities used to develop and refine long-term plans and objectives.
A sampling technique where a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class. See also sampling.
A type of encryption algorithm that operates on a continuous stream of data, such as a video or audio feed.
See two-factor authentication.
A person or a system. See also object.
A numeric value that determines which portion of an IP address is used to identify the network and which portion is used to identify a station on the network. See also IP address.
A type of testing that is used to determine the accuracy and integrity of transactions that flow through processes and systems.
The largest type of computer that is capable of performing large, complex calculations such as weather forecasting and earthquake simulations.
A device that is used to connect computers and other devices to a network. Unlike a hub, which sends all network packets to all stations on the network, a switch sends packets only to intended destination stations on the network.
A method for encryption and decryption where it is necessary for both parties to possess a common encryption key.
synchronous optical networking (SONET)
A class of common carrier telecommunications network technologies used to transport voice and data over fiber optic networks at very high speeds.
A type of replication where writing data to a local and to a remote storage system is performed as a single operation, guaranteeing that data on the remote storage system is identical to data on the local storage system. See also replication.
system classification policy
Policy that specifies levels of security for systems storing classified information.