Like so many disciplines, information security has developed a vocabulary of its own. Rather than inundating you with hundreds of terms and definitions, below you will find information and useful links to the terms that are most relevant to the business of information security.

a : Access Control through Authentication

  • Access Control: Access Control ensures that resources are only granted to those users who are entitled to them.
  • Authentication: Authentication is the process of confirming the correctness of the claimed identity.

b : Biometrics through Business Impact Analysis (BIA)

  • Biometrics: Biometrics use physical characteristics of the users to determine access.
  • Business Continuity Plan (BCP): A Business Continuity Plan is the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
  • Business Impact Analysis (BIA): A Business Impact Analysis determines what levels of impact to a system are tolerable.

c : California AB 1950 and SB 1386 through Content filtering

  • California AB 1950 and SB 1386: California AB 1950 and SB 1386 are two privacy bills, now laws in the State of California, that require organizations to notify Californians if their personal information is disclosed during a security breach.
  • Certificate Authority (CA): A certification authority, or CA, holds a trusted position because the certificate that it issues binds the identity of a person or business to the public and private keys (asymmetric cryptography) that are used to secure most internet transactions.
  • Certificate-Based Authentication: Certificate-Based Authentication is the use of SSL and certificates to authenticate and encrypt HTTP traffic.
  • COBIT: Control Objectives for Information and related Technologies (COBIT) is a comprehensive approach to secure IT practices, offering a wide range of tools, guidelines, standards and a control framework for the management of information technologies. It is an important work for auditors, offered by the IT Governance Institute (ITGI) in close association with the Information Systems Audit and Control Association (ISACA). ISACA's certification for auditors in IT and in Information Security is globally recognized. In addition, its tools and documents are designed to work with all levels of the organization, which is consistent with its comprehensive reach.
  • Computer Emergency Response Team (CERT): An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security.
  • Computer forensics: Computer Forensics is the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
  • Content filtering: Content filtering is the technique whereby content is blocked or allowed based on analysis of its content, rather than its source or other criteria. It is most widely used on the internet to filter email and web access.

d : Data Loss Prevention (DLP) through Disaster Recovery Plan (DRP)

  • Data Loss Prevention (DLP): Data Loss Prevention (DLP) refers to systems that identify, monitor, and protect data in use, data in motion, and data at rest through deep content inspection, contextual security analysis of transactions, and a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.
  • Data risk assessment (DRA): Data risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of data and data systems. A data risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate.
  • Defense In-Depth: Defense In-Depth is the approach of using multiple layers of security to guard against failure of a single security component.
  • Demilitarized Zone (DMZ): In computer security, a demilitarized zone (DMZ) or perimeter network is, in general, a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. DMZs help to enable the layered security model in that they provide subnetwork segmentation based on security requirements or policy. DMZs provide either a transit mechanism from a secure source to an insecure destination or from an insecure source to a more secure destination. In some cases, a screened subnet which is used for servers accessible from the outside is referred to as a DMZ.
  • Denial of Service: The prevention of authorized access to a system resource or the delaying of system operations and functions.
  • Disaster Recovery Plan (DRP): A Disaster Recovery Plan is the process of recovery of IT systems in the event of a disruption or disaster.

e : Electronic discovery through Encryption

  • Electronic discovery: Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI). Electronic information is different from paper information because of its intangible form, volume, transience and persistence. Also, electronic information is usually accompanied by metadata, which is not present in paper documents.
  • Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used.

f : FFIEC through FISMA

  • FFIEC: The Federal Financial Institutions Examination Council (FFIEC) was established in 1979. It was given the authority to "prescribe uniform principles, standards, and report forms for the federal examination of financial institutions" under the authority of five agencies: the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
  • FIPS 140: Federal Information Processing Standard (FIPS) 140, titled "Security Requirements for Cryptographic Modules", is in its second revision. FIPS 140-2 was signed on 22nd June 2001, superseding FIPS 140-1.
  • FISMA: The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

g : Gramm-Leach-Bliley Act (GLBA) through Gramm-Leach-Bliley Act (GLBA)

  • Gramm-Leach-Bliley Act (GLBA): The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 applies to all financial institutions in the U.S. regulated by the Office of the Comptroller of the Currency (OCC). GLBA requires that financial institutions ensure the security and confidentiality of customer personal information against "reasonably foreseeable" internal or external threats.

h : HIPAA through Hybrid network bridging

  • HIPAA: Two parts of a comprehensive law for the medical industry, the Health Insurance Portability and Accountability Act (HIPAA), are especially important for their security implications. A portion of the law, the Administrative Simplification provisions, was developed to encourage the industry to work with healthcare information in its electronic forms. The provisions included standards for protecting the privacy of patients and for information security.
  • HTTPS: When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL.
  • Hybrid network bridging: Hybrid network bridging refers to the accessing of WiFi, Bluetooth, Modems or IrDA links while the PC is connected to the wired corporate LAN.

i : Internet Protocol Security (IPsec) through ISO 27002

  • Internet Protocol Security (IPsec): A developing standard for security at the network or packet processing layer of network communication.
  • Intrusion Detection: A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
  • ISO 27002: ISO 27002 is an internationally respected standard for information security.

k : Key Logging through Key Logging

  • Key Logging: Key logging software runs in the background, in a stealth mode that isn't easy to detect on a PC. It collects every keystroke and hides that information in a file.

m : Malicious Code through Malicious Code

  • Malicious Code: Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.

p : Payment Card Industry (PCI) Data Security Standard through Public Key Infrastructure (PKI)

  • Payment Card Industry (PCI) Data Security Standard: The Payment Card Industry (PCI) Data Security Standard is an industry regulation developed by VISA, MasterCard and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. MasterCard markets the program as their Site Data Protection (SDP) Program and VISA markets it as their Cardholder Information Security Program (CISP).
  • Penetration Testing: Penetration testing is used to test the external perimeter security of a network or facility.
  • Perimeter security: Perimeter security refers to securing a network or system on its perimeter, or where the system interfaces with the rest of the world.
  • Phishing: The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they belong to a bank the user is doing business with.
  • Plug-and-play: Plug and play is a term used to describe the characteristic of a computer bus, or device specification, which facilitates the discovery of a hardware component in a system, without the need for physical device configuration, or user intervention in resolving resource conflicts.
  • Proxy Server: A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
  • Public Key Infrastructure (PKI): A PKI (public key infrastructure) enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

q : Quarantining through Quarantining

  • Quarantining: On your local PC, a file may be said to be placed in quarantine if an anti-virus program has flagged it as infected, meaning it is stored within a secure area so that it cannot cause any further damage to other files. In networking terms, a PC may be placed into 'network isolation' or 'network quarantine' if it is believed to be infected with a virus or other malware, ensuring that this cannot spread to other machines on a network.

r : Risk Assessment through Risk Assessment

  • Risk Assessment: A Risk Assessment is the process by which risks are identified and the impact of those risks determined.

s : Secure Sockets Layer (SSL) through Spam

  • Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection.
  • Sensitive Information: Sensitive information, as defined by the federal government, is any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.
  • Shared Assessments (AUP/SIG): The Shared Assessments Program was created for all organizations that are concerned about information controls for personally identifiable client or consumer data in outsourced relationships. Originally created by six major US financial institutions, the Shared Assessments standards are used by outsourcers, service providers and assessment firms in a range of industries.
  • SIEM: Security Information and Event Management refers to the collection of data (typically log files, e.g. event logs) into a central repository for trend analysis.
  • Social Engineering: A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.
  • SOX: The Sarbanes-Oxley Act of 2002 set new or enhanced standards for all U.S. public company boards, management and public accounting firms. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
  • Spam: Electronic junk mail or junk newsgroup postings.

t : Transport Layer Security (TLS) through Trojan Horse

  • Transport Layer Security (TLS): A protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer.
  • Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

u : Unprotected Share through Unprotected Share

  • Unprotected Share: In Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it.

v : Virtual Private Network (VPN) through Vulnerability

  • Virtual Private Network (VPN): A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network.
  • Virus: A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
  • Vulnerability: A security exposure in an operating system or other system software or application software component.