Glossary- S Flashcards Preview


Flashcards in Glossary- S Deck (99)
1
Q

sabotage

A

Deliberate damage of an organization’s asset.

2
Q

salvage

A

The process of recovering components or assets that still have value after a disaster.

3
Q

sample

A

A portion of a population of records that is selected for auditing.

4
Q

sample mean

A

The sum of all samples divided by the number of samples.

5
Q

sample standard deviation

A

A computation of the variance of sample values from the sample mean. This is a measurement of the “spread” of values in the sample.

6
Q

sampling

A

A technique that is used to select a portion of a population when it is not feasible to test an entire population.

7
Q

sampling risk

A

The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient. See also confidence coefficient.

8
Q

SAS 70 (Statement of Accounting Standards No. 70)

A

An external audit of a service provider. An SAS 70 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). Deprecated by SSAE16. See also SSAE16.

9
Q

scanning attack

A

An attack on a computer or network with the intention of discovering potentially vulnerable computers or programs.

10
Q

screened shielded twisted pair (S/STP)

A

A type of twisted-pair cable where a thick metal shield protects each pair of conductors, plus an outer shield that protects all of the conductors together. See also twisted-pair cable.

11
Q

screened unshielded twisted pair (S/UTP)

A

A type of twisted-pair cable where the entire cable has a thick metal shield that protects the cables. See also twisted-pair cable.

12
Q

screening router

A

A network device that filters network traffic based on source and destination IP addresses and ports. See also firewall.

13
Q

script kiddie

A

An inexperienced computer hacker who uses tools developed by others to illegally access computers and networks.

14
Q

Scrum

A

An iterative and incremental methodology used for rapid and agile software development.

15
Q

secondary storage

A

A computer’s long-term storage of information, usually implemented with hard disk drives or static random access memory (SRAM).

16
Q

secure copy (SCP)

A

A TCP/IP application layer protocol used as a file transfer protocol that is similar to remote copy (RCP), but is protected using secure shell (SSH). See remote copy (RCP), secure shell (SSH).

17
Q

secure electronic transaction (SET)

A

A protocol used to protect credit card transactions that uses a digital envelope. SET has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). See also digital envelope, Secure Sockets Layer (SSL), and Transport Layer Security (TLS).

18
Q

Secure File Transfer Protocol (SFTP)

A

A TCP/IP application layer protocol that is an extension of the FTP protocol, where authentication and file transfer are encrypted using SSH. Sometimes referred to as SSH File Transfer Protocol. See also File Transfer Protocol (FTP), secure shell (SSH).

19
Q

Secure Hypertext Transfer Protocol (SHTTP)

A

A protocol used to encrypt webpages between web servers and web browsers. Often confused with Hypertext Transfer Protocol Secure (HTTPS).

20
Q

Secure Multipurpose Internet Mail Extensions (S/MIME)

A

An e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.

21
Q

secure shell (SSH)

A

A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. SSH can also be used as a tunnel to encapsulate and thereby protect other protocols.

22
Q

Secure Sockets Layer (SSL)

A

An encryption protocol used to encrypt webpages requested with the HTTPS (Hypertext Transfer Protocol/Secure) URL. Deprecated by Transport Layer Security (TLS). See also Transport Layer Security (TLS), Hypertext Transfer Protocol Secure (HTTPS).

23
Q

security awareness

A

A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors.

24
Q

security governance

A

Management’s control over an organization’s security program.

25
Q

security guards

A

Personnel who control passage at entry points or roam building premises looking for security issues such as unescorted visitors.

26
Q

security incident

A

An event where the confidentiality, integrity, or availability of information (or an information system) has been compromised.

27
Q

security incident response

A

The formal, planned response that is enacted when a security incident has occurred. See also security incident.

28
Q

security policy

A

See information security policy.

29
Q

security requirements

A

Formal statements that describe the required security characteristics that a system must support.

30
Q

segregation of duties

A

The concept that ensures single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.

31
Q

separation of duties

A

See segregation of duties.

32
Q

serial line interface protocol (SLIP)

A

A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232).

33
Q

server

A

A centralized computer used to perform a specific task.

34
Q

service continuity management

A

The IT function that consists of activities concerned with the organization’s ability to continue providing services, primarily in the event that a natural or man-made disaster has occurred. See also IT service management, business continuity planning, and disaster recovery planning.

35
Q

service desk

A

The IT function that handles incidents and service requests on behalf of customers by acting as a single point of contact. See also IT service management.

36
Q

service-level agreement (SLA)

A

An agreement that specifies service levels in terms of the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity.

37
Q

service-level management

A

The IT function that confirms whether IT is providing adequate service to its customers. This is accomplished through continuous monitoring and periodic review of IT service delivery. See also IT service management.

38
Q

service provider audit

A

An audit of a third-party organization that provides services to other organizations.

39
Q

service set identifier (SSID)

A

A friendly name that identifies a particular 802.11 wireless network.

40
Q

session

A

Layer 5 of the OSI network model. See also OSI network model.

41
Q

session border controller

A

A device deployed in a VoIP network to control VoIP security, connectivity, quality of service, and metering.

42
Q

session hijacking

A

An attack on a user’s browser session where the attacker intercepts the user’s session cookie from an unencrypted wired or wireless network and then uses the cookie to take over the victim’s browser session.

43
Q

session initiation protocol (SIP)

A

The network protocol used to set up and tear down Voice over IP (VoIP) and other communications connections. See also Voice over IP (VoIP).

44
Q

shielded twisted pair (STP)

A

A type of twisted-pair cable where a thin metal shield protects each pair of conductors. See also twisted-pair cable.

45
Q

Simple Mail Transfer Protocol (SMTP)

A

A TCP/IP application layer protocol that is used to transport e-mail messages.

46
Q

Simple Network Management Protocol (SNMP)

A

A TCP/IP application layer protocol used by network devices and systems to transmit management messages indicating a need for administrative attention.

47
Q

Simple Object Access Protocol (SOAP)

A

A protocol that is used to facilitate the exchange of structured information between systems.

48
Q

simulation

A

A test of disaster recovery, business continuity, or security incident response procedures where the participants take part in a “mock disaster” or incident to add some realism to the process of thinking their way through emergency response documents.

49
Q

single loss expectancy (SLE)

A

The financial loss when a threat is realized one time. SLE is defined as AV × EF. See also asset value (AV), exposure factor (EF).

50
Q

single sign-on

A

An interconnected environment where applications are logically connected to a centralized authentication server that is aware of the logged-in/-out status of each user. A user can log in once to the environment; each application and system is aware of a user’s log-in status and will not require the user to log in to each one separately.

51
Q

site classification policy

A

Policy that defines sensitivity levels, security controls, and security procedures for information processing sites and work centers.

52
Q

smart card

A

A small, credit-card–sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.

53
Q

smart phone

A

A mobile phone equipped with an operating system and software applications.

54
Q

snapshot

A

A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later on.

55
Q

sniffer

A

A program that can be installed on a network-attached system to capture network traffic being transmitted to or from the system.

56
Q

social engineering

A

The act of using deception to trick an individual into revealing secrets.

57
Q

Software as a Service (SaaS)

A

A software delivery model where an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.

58
Q

software development life cycle (SDLC)

A

The life cycle process used to develop or acquire and maintain information systems. Also known as systems development life cycle.

59
Q

Software Engineering Institute Capability Maturity Model Integration (SEI CMMI)

A

A maturity model that is used to measure the maturity of an organization’s software development life cycle process.

60
Q

software licensing

A

The process of maintaining accurate records regarding the permitted use of software programs.

61
Q

software maintenance

A

An activity in the software development life cycle where modifications are made to the software code.

62
Q

Software Process Improvement and Capability dEtermination (SPICE)

A

A maturity model that is based on the SEI CMM maturity model. SPICE has been made an international standard: ISO 15504.

63
Q

software program library

A

The repository that contains program source code and that usually includes tools to manage the maintenance of source code.

64
Q

source code management

A

The techniques and tools used to manage application source code.

65
Q

source lines of code (SLOC)

A

A sizing technique for software development projects that represents the size of the planned program, expressed as lines of code.

66
Q

sourcing

A

The choices that organizations make when selecting the personnel that will perform functions and where those functions will be performed.

67
Q

spam

A

Unsolicited and unwanted e-mail.

68
Q

spam filter

A

A central program or device that examines incoming e-mail and removes all messages identified as spam.

69
Q

spike

A

A sharp increase in voltage that lasts for only a fraction of a second.

70
Q

spiral model

A

A software development life cycle process where the activities of requirements definition and software design go through several cycles until the project is complete. See also software development life cycle (SDLC).

71
Q

split custody

A

The concept of splitting knowledge of a specific object or task between two persons.

72
Q

spoofing

A

The act of changing the configuration of a device or system in an attempt to masquerade as a different, known, and trusted system or user.

73
Q

spyware

A

A type of malware where software performs one or more surveillance-type actions on a computer, reporting back to the spyware owner.

74
Q

SSAE16 (Statements on Standards for Attestation Engagements No. 16)

A

An external audit of a service provider. An SSAE16 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA).

75
Q

standard

A

A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.

76
Q

standard IT balanced scorecard

A

A management tool that is used to measure the performance and effectiveness of an IT organization.

77
Q

star topology

A

A network topology where a separate connection is made from a central device to each station.

78
Q

stateful inspection firewall

A

A network device that filters network traffic based on source and destination IP addresses and ports, and keeps track of individual TCP/IP sessions to make filtering decisions, permitting established connections. See also firewall.

79
Q

statement of impact

A

A description of the impact a disaster scenario will have on a business or business process.

80
Q

static random access memory (SRAM)

A

A form of semiconductor memory that does not require refreshing.

81
Q

statistical sampling

A

A sampling technique where items are chosen at random; each item has a statistically equal probability of being chosen. See also sampling.

82
Q

stop-or-go sampling

A

A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor feels that there is low risk or a low rate of exceptions in the population. See also sampling.

83
Q

storage area network (SAN)

A

A stand-alone storage system that can be configured to contain several virtual volumes and connected to many servers through fiber optic cables.

84
Q

strategic planning

A

Activities used to develop and refine long-term plans and objectives.

85
Q

stratified sampling

A

A sampling technique where a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class. See also sampling.

86
Q

stream cipher

A

This is a type of encryption algorithm that operates on a continuous stream of data, such as a video or audio feed.

87
Q

strong authentication

A

See two-factor authentication.

88
Q

subject

A

A person or a system. See also object.

89
Q

subnet mask

A

A numeric value that determines which portion of an IP address is used to identify the network and which portion is used to identify a station on the network. See also IP address.

90
Q

substantive testing

A

A type of testing that is used to determine the accuracy and integrity of transactions that flow through processes and systems.

91
Q

supercomputer

A

The largest type of computer that is capable of performing large, complex calculations such as weather forecasting and earthquake simulations.

92
Q

surge

A

See spike.

93
Q

switch

A

A device that is used to connect computers and other devices to a network. Unlike a hub, which sends all network packets to all stations on the network, a switch sends packets only to intended destination stations on the network.

94
Q

symmetric encryption

A

A method for encryption and decryption where it is necessary for both parties to possess a common encryption key.

95
Q

synchronous optical networking (SONET)

A

A class of common carrier telecommunications network technologies used to transport voice and data over fiber optic networks at very high speeds.

96
Q

synchronous replication

A

A type of replication where writing data to a local and to a remote storage system is performed as a single operation, guaranteeing that data on the remote storage system is identical to data on the local storage system. See also replication.

97
Q

system classification policy

A

Policy that specifies levels of security for systems storing classified information.

98
Q

system hardening

A

See hardening.

99
Q

system testing

A

The portion of software testing where an entire system is tested.