Читаем CISSP Practice полностью

(1) The property that data originated from its purported source. (2) The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.

Authorization

(1) The privilege granted to an individual by management to access information based upon the individual’s clearance and need-to-know principle. (2) It determines whether a subject is trusted to act for a given purpose (e.g., allowed to read a particular file). (3) The granting or denying of access rights to a user, program, or process. (4) The official management decision to authorize operation of an information system and to explicitly accept the risk to organization operations, assets, or individuals, based on the implementation of an agreed-upon set of security controls. (5) Authorization is the permission to do something with information in a computer, such as read a file. Authorization comes after authentication. This is a management and preventive control.

Authorization boundary

All components of an information system to be authorized for operation. This excludes separately authorized systems, to which the information system is connected. It is same as information system boundary.

Authorization key pairs

Authorization key pairs are used to provide privileges to an entity. The private key is used to establish the “right” to the privilege; the public key is used to determine that the entity actually has the right to the privilege.

Authorization principle

The principle whereby allowable actions are distinguished from those that are not.

Authorization process

The actions involving (1) obtaining an access password from a computer system user (whose identity has already been authenticated, perhaps using a personal password), (2) comparing the access password with the password associated with protected data, and (3) authorizing access to data if the entered password and stored password are the same.

Authorized

A system entity or actor that has been granted the right, permission, or capability to access a system resource.

Automated key transport

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

Automated password generator

An algorithm that creates random passwords that have no association with a particular user.

Automated security monitoring

The use of automated procedures to ensure that security controls are not circumvented. This is a technical and detective control.

Availability

(1) Ensuring timely and reliable access to and use of information by authorized entities. (2) The ability for authorized entities to access systems as needed.

Avoidance control

The separation of assets from threats or threats from assets so that risk is minimized. Also, resource allocations are separated from resource management.

Awareness (information security)

Activities which seek to focus an individual’s attention on an information security issue or set of issues.

B

B2B

Business-to-business (B2B) is an electronic commerce model involving sales of products and services among businesses (e.g., HP to Costco, EDI, ASP, and exchanges and auctions). Both B2B and B2C e-commerce transactions can take place using m-commerce technology. Reverse auction is practiced in B2B or G2B e-commerce.

B2C

Business-to-consumer (B2C) is an electronic commerce model involving sales of products and services to individual shoppers (e.g., Amazon.com, Barnesandnoble.com, stock trading, and computer software/hardware sales). Both B2B and B2C e-commerce transactions can take place using m-commerce technology.

Backbone

A central network to which other networks connect. It handles network traffic and provides a primary path to or from other networks.

Backdoor

A malicious program that listens for commands on a certain transmission control protocol (TCP) or user datagram protocol (UDP) port. Synonymous with trapdoor.

Backup

A copy of files and programs made to facilitate recovery if necessary. This is an operational and preventive control and ensures the availability goal.

Backup computer facilities

A computer (data) center having hardware and software compatible with the primary computer facility. The backup computer is used only in the case of a major interruption or disaster at the primary computer facility. It provides the ability for continued computer operations, when needed, and should be established by a formal agreement. A duplicate of a hardware system, of software, of data, or of documents intended as replacements in the event of malfunction or disaster.

Backup operations