Читаем CISSP Practice полностью

(1) A set of assessment objectives and an associated set of assessment methods and assessment objects. (2) A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Asset

A major application, general support system, high impact program, physical plant, mission critical system or a logically related group of systems. Any software, data, hardware, administrative, physical, communications, or personnel resource within an IT system or activity.

Asset Valuation

IT assets include computers, business-oriented applications, system-oriented applications, security-oriented applications, operating systems, database systems, telecommunications systems, data center facilities, hardware, computer networks, and data and information residing in these assets. Assets can also be classified as tangible (physical such as equipment) and intangible (non-physical, such as copyrights and patents). Each type of asset has its own valuation methods.

The value of data and information can be measured by using two methods: book value and current value. A relevant question to ask is what is the worth of particular data to an insider (such as an owner, sponsor, management employee, or non-management employee) and an outsider (such as a customer, supplier, intruder, or competitor)? This means, the value of information is measured by its value to others.

Sensitive criteria for computer systems are defined in terms of the value of having, or the cost of not having, an application system or needed information. The concept of information economics (that is, cost and benefit) should be used here. Organizations should modernize inefficient business processes to maximize the value and minimize the risk of IT investments. The value of IT assets is determined by their replacement cost, recovery cost, and penalty cost.

Information and data are collected and analyzed using several methods for determining their value. Examples of data collection techniques include checklists, questionnaires, interviews, and meetings. Examples of data analysis techniques include both quantitative methods (objective methods using net present value and internal rate of return calculations) and qualitative methods (subjective methods using Delphi techniques and focus groups).

Assurance

(1) The grounds for confidence that the set of intended security controls in an information system are effective in their application. (2) It is one of the five security goals. (3) It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (i) functionality that performs correctly, (ii) sufficient protection against unintentional errors (by users or software), and (iii) sufficient resistance to intentional penetration or bypass. (4) It is the grounds for confidence that an entity meets its security objectives.

Assurance testing

A process used to determine that the system’s security features are implemented as designed and that they are adequate for the proposed environment. This process may include hands-on functional testing, penetration testing, and/or verification.

Asymmetric key algorithm

An encryption algorithm that requires two different keys for encryption and decryption. These keys are commonly referred to as the public and private keys. Asymmetric algorithms are slower than symmetric algorithms. Furthermore, speed of encryption may be different from the speed of decryption. Generally, asymmetric algorithms are either used to exchange symmetric session keys or to digitally sign a message (e.g., RSA). Cryptography that uses separate keys for encryption and decryption; also known as public-key cryptography.

Asymmetric key cryptography

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Asynchronous attack

(1) An attempt to exploit the interval between a defensive act and the attack in order to render inoperative the effect of the defensive act. For instance, an operating task may be interrupted at once following the checking of a stored parameter. The user regains control and malevolently changes the parameter; the operating system regains control and continues processing using the maliciously altered parameter. (2) It is an indirect attack on the program by altering legitimate data or codes at a time when the program is idle, then causing the changes to be added to the target program at later execution.

Asynchronous transfer mode (ATM) network