Reading CISSP Practice in full

A security control that is inherited by one or more of an organization's information systems and that has the following properties: (1) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (2) the results from the assessment of the control can be used to support the security certification and accreditation processes of an organization's information system where that control has been applied.

Common vulnerabilities and exposures (CVE)

A dictionary of common names (identifiers) for publicly known IT system vulnerabilities, so that different tools, advisories, and databases refer to the same vulnerability by the same name.
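The value of a common name is that every party spells it the same way. As an added example (not code from the glossary), the following Python parses, normalises, and de-duplicates CVE identifiers taken from free text such as an advisory or a scanner report. It assumes the public CVE naming syntax: the literal prefix "CVE-", a four-digit year, and a sequence number of four or more digits. The sample text and the names CveId, parse_cve, and extract_cves are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Assumed CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
# Case-insensitive so that "cve-2021-44228" from a chat log still resolves.
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE)
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class CveId:
    """A CVE name in canonical form; equality is on (year, sequence), not on spelling."""
    year: int
    sequence: int

    def __str__(self):
        # Canonical spelling: upper-case prefix, sequence zero-padded to at least 4 digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text):
    """Parse one identifier; raise ValueError for anything that is not a CVE name."""
    m = CVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return CveId(int(m["year"]), int(m["seq"]))


def extract_cves(blob):
    """Return the distinct CVE names mentioned in free text, sorted by year and sequence."""
    found = {parse_cve(tok) for tok in CVE_IN_TEXT_RE.findall(blob)}
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample text (not a real advisory).
    sample = "Patched cve-2021-44228 and CVE-2014-0160; CVE-2021-44228 was the urgent one."
    for cve in extract_cves(sample):
        print(cve)
```

Because CveId compares on the numeric fields, "cve-2021-44228" and "CVE-2021-44228" collapse to one entry, which is exactly the property a common naming dictionary is meant to give you when you reconcile findings from several tools.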

Communications protocol

A set of rules or standards designed to enable computers to connect with one another and to exchange information with as little error as possible.

Communications security

Measures taken to deny unauthorized persons information derived from telecommunications facilities.

Comparison

The process of comparing a captured biometric sample with a previously stored reference template or templates.

Compartmentalization

The isolation of the operating system, user programs, and data files from one another in main storage in order to provide protection against unauthorized or concurrent access by other users or programs. This term also refers to the division of sensitive data into small, isolated blocks for the purpose of reducing risk to the data.

Compensating control (general)

A concept that states that the total environment should be considered when determining whether a specific policy, procedure, or control is violated or a specific risk is present. If controls in one area are weak, they should be compensated or mitigated for in another area. Some examples of compensating controls are: strict personnel hiring procedures, bonding employees, information system risk insurance, increased supervision, rotation of duties, review of computer logs, user sign-off procedures, mandatory vacations, batch controls, user review of input and output, system activity reconciliations, and system access security controls.

Compensating security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security baseline controls that provide equivalent or comparable protection for an information system. In other words, compensating controls are applied when baseline controls are not available, applicable, or cost-effective.

Compiled virus

A virus that has had its source code converted by a compiler program into a format that can be directly executed by an operating system.

Compiler

Software used to translate a program written in a high-level programming language (source code) into machine language for execution, producing complete binary object code as its output. The availability of diagnostic aids, compatibility with the operating system, and the difficulty of implementation are the most important factors to consider when selecting a compiler.

Complementary control

A control that enhances the effectiveness of two or more other controls when applied to the same function, program, or operation. Here, two controls working together strengthen the overall control environment more than either would alone.

Complete mediation

The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control, during all functional phases (e.g., normal operation and maintenance). Also stressed are reliable identification of the sources of access requests and reliable maintenance of changes in authority, so that a revocation takes effect on the next request rather than being bypassed by a remembered earlier decision.
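The following Python is an added example, not code from the glossary, showing what complete mediation looks like in a small reference monitor and what goes wrong when it is skipped. ReferenceMonitor checks the current access-control list on every call, after verifying the requester's session, so revoking a right is honoured immediately. CachingMonitor is the anti-pattern: it remembers the first decision per session and object, so a revoked right keeps working. The class and method names, the credential store, and the object path are assumptions constructed for this illustration.

```python
import itertools
from collections import defaultdict


class AccessDenied(PermissionError):
    pass


class ReferenceMonitor:
    """Every access to every object is checked against the *current* authority state."""

    def __init__(self):
        self._acl = defaultdict(set)   # object -> {(subject, right), ...}
        self._sessions = {}            # session token -> authenticated subject
        self._tokens = itertools.count(1)
        self.audit = []                # (decision, subject, object, right, reason)

    def login(self, subject, password, credentials):
        """Reliable identification of the request source: only a verified session may act."""
        if credentials.get(subject) != password:
            raise AccessDenied(f"authentication failed for {subject}")
        token = f"tok{next(self._tokens)}"
        self._sessions[token] = subject
        return token

    def grant(self, obj, subject, right):
        self._acl[obj].add((subject, right))

    def revoke(self, obj, subject, right):
        self._acl[obj].discard((subject, right))

    def access(self, token, obj, right):
        subject = self._sessions.get(token)
        if subject is None:
            self.audit.append(("deny", token, obj, right, "unknown session"))
            raise AccessDenied("unauthenticated request")
        # The check runs on every call; there is no cache of earlier decisions.
        if (subject, right) not in self._acl[obj]:
            self.audit.append(("deny", subject, obj, right, "no authority"))
            raise AccessDenied(f"{subject} may not {right} {obj}")
        self.audit.append(("allow", subject, obj, right, ""))
        return True


class CachingMonitor(ReferenceMonitor):
    """Anti-pattern: remembers the first decision per (session, object, right).

    This violates complete mediation: after a revoke, the stale 'allow' is replayed.
    """

    def __init__(self):
        super().__init__()
        self._cache = {}

    def access(self, token, obj, right):
        key = (token, obj, right)
        if key not in self._cache:
            try:
                self._cache[key] = super().access(token, obj, right)
            except AccessDenied:
                self._cache[key] = False
        if not self._cache[key]:
            raise AccessDenied("cached denial")
        return True


def revocation_is_effective(monitor_cls):
    """Grant, use, revoke, then try again; True if the second attempt is refused."""
    credentials = {"alice": "s3cret"}           # constructed credential store
    rm = monitor_cls()
    rm.grant("/payroll.db", "alice", "read")
    token = rm.login("alice", "s3cret", credentials)
    rm.access(token, "/payroll.db", "read")     # allowed: authority is present
    rm.revoke("/payroll.db", "alice", "read")
    try:
        rm.access(token, "/payroll.db", "read")
        return False                            # still allowed: change of authority ignored
    except AccessDenied:
        return True


if __name__ == "__main__":
    print("ReferenceMonitor honours revocation:", revocation_is_effective(ReferenceMonitor))
    print("CachingMonitor honours revocation:  ", revocation_is_effective(CachingMonitor))
```

Real systems do cache authorization decisions for performance; complete mediation then requires that the cache be invalidated whenever authority changes (the "reliable maintenance of changes in authority" the definition calls out), which is the part CachingMonitor omits.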

Completeness

The degree to which all of the software’s required functions and design constraints are present and fully developed in the software requirements, software design, and code.

Compliance

The activity of verifying that both manual and computer processing of transactions or events are in accordance with the organization's policies and procedures, generally accepted security principles, governmental laws, and regulatory agency rules and requirements.

Compliance review

A review and examination of records, procedures, and review activities at a site in order to assess the unclassified computer security posture and to ensure compliance with established, explicit criteria.

Comprehensive testing

A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white box testing.

Compression
