(1) The capability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency measures, and continuity planning. (2) The capability of a computer system to continue to function correctly despite the existence of a fault or faults in one or more of its component parts.
Anything used or consumed while performing a function. The categories of resources are time, information, objects (information containers), or processors (the ability to use information). Specific examples are CPU time, terminal connect time, amount of directly addressable memory, disk space, number of input/output requests per minute, and so on.
A method by which the reference-monitor mediates accesses to an information system resource. Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage.
It is the containment of subjects and objects in a system in such a way that they are separated from one another, as well as from the protection controls of the operating system.
The entity that responds to the initiator of the authentication exchange.
The resumption of the execution of a computer program using the data recorded at a checkpoint. This is a technical and recovery control.
The process of retrieving a data set migrated to off-line storage and restoring it to online storage. This is a technical and recovery control.
A program to save documents, forms, history logs, master and transaction data files, computer programs (both source and object level), and other documents of the system until no longer needed. Retention periods should satisfy organization and legal requirements.
A ratio indicating what percentage of the investment the annual benefit in terms of cash flow is. It is calculated as annual operating cash inflows divided by the annual net investment.
The ROI can be used to assess the financial feasibility of an investment in information security program.
Used to gain a better understanding of the current system’s complexity and functionality and to identify “trouble spots.” Errors can be detected and corrected, and modifications can be made to improve system performance. The information gained during reverse engineering can be used to restructure the system, thus making the system more maintainable. Maintenance requests can then be accomplished easily and quickly. Software reengineering also enables the reuse of software components from existing systems. The knowledge gained from reverse engineering can be used to identify candidate systems composed of reusable components, which can then be used in other applications. Reverse engineering can also be used to identify functionally redundant parts in existing application systems.
A technique that allows images to be authenticated and then restored to their original form by removing the watermark and replacing the image data, which had been overwritten. This makes the images acceptable for legal purposes.
The authority responsible for evaluating and approving or disapproving proposed changes to a system and ensuring implementation of approved changes. This is a management and preventive control.
Passive information security testing techniques, generally conducted manually, used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. Review techniques include documentation review, log review, ruleset review, system configuration review, network sniffing, and file-integrity checking.
A change to a baseline configuration item that encompasses error correction, minor enhancements, or adaptations but to which there is no change in the functional capabilities.
The cryptographic key lifecycle state in which a currently active cryptographic key is not to be used to encode, encrypt, or sign again within a domain or context.
Any use of a preexisting software artifact (e.g., component and specification) in a context different from that in which it was created.
Cryptographic algorithm specified in the advanced encryption standard (AES).
Ring topology is a network topology in which all nodes are connected to one another in the shape of a closed loop, so that each node is connected directly to two other nodes, one on either side of it. These nodes are attached to repeaters connected in a closed loop. Two kinds of ring topology exist: token ring and token bus.