Reading CISSP Practice in full

A situation in which an information system or application receives protection from security controls that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application. These entities can be either internal or external to the organization where the system or application resides. Common controls are inherited.

Security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security domain

(1) A domain that implements a security policy and is administered by a single authority. (2) A set of subjects, their information objects, and a common security policy.

Security evaluation

An evaluation to assess the degree of trust that can be placed in systems for the secure handling of sensitive information. It is a major step in the certification and accreditation process.

Security event management tools (SEM)

A type of centralized logging software that can facilitate aggregation and consolidation of logs from multiple information system components. SEM tools help an organization integrate the analysis of vulnerability scanning information, performance data, network monitoring, and system audit record information, and provide the ability to identify inappropriate or unusual activity. For example, SEM tools can facilitate audit record correlation and analysis with vulnerability scanning information to determine the veracity of the vulnerability scans, and can correlate attack detection events with scanning results. The sources of audit record information include operating systems, application servers (for example, Web servers and e-mail servers), security software, and physical security devices such as badge readers.
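The correlation described in this entry, as an added illustration that is not code from the book or from any SEM product: attack-detection records from an IDS are counted per target host and vulnerability class, then matched against what a vulnerability scanner reported for that host. Events that line up with a scan finding are the ones to prioritize; scan findings with no matching traffic are still worth fixing but are less urgent. The audit record format, host names, signature names and scan findings are all constructed for the example.

```python
"""Correlate IDS attack-detection events with vulnerability-scan findings.

Added illustration of the SEM correlation described above; it is not code
from the book or from any SEM product. The event format, host names,
signature names and scan findings are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit records as a SEM might ingest them from an IDS:
# "<timestamp> <source> src=<ip> dst=<host> sig=<signature>".
IDS_EVENTS = [
    "2024-01-05T10:01:12Z ids src=203.0.113.7 dst=web01 sig=sql_injection_attempt",
    "2024-01-05T10:01:13Z ids src=203.0.113.7 dst=web01 sig=sql_injection_attempt",
    "2024-01-05T10:02:40Z ids src=198.51.100.9 dst=web02 sig=path_traversal_attempt",
    "2024-01-05T10:03:05Z ids src=198.51.100.9 dst=mail01 sig=smtp_relay_probe",
    "2024-01-05T10:04:00Z ids src=198.51.100.9 dst=web02 sig=unknown_signature",
]

# Constructed vulnerability-scan findings as (host, vulnerability class).
SCAN_FINDINGS = [
    ("web01", "sql_injection"),
    ("web02", "outdated_tls"),
    ("mail01", "open_relay"),
]

# Which vulnerability class each IDS signature is trying to exploit.
SIGNATURE_TO_VULN = {
    "sql_injection_attempt": "sql_injection",
    "path_traversal_attempt": "path_traversal",
    "smtp_relay_probe": "open_relay",
}


@dataclass(frozen=True)
class Correlation:
    host: str
    vuln: str
    event_count: int
    confirmed: bool  # the scanner reported this vulnerability on this host


def parse_event(line: str) -> dict:
    """Split one audit record into a dict of its fields."""
    timestamp, source, *fields = line.split()
    record = {"ts": timestamp, "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def correlate(events, findings):
    """Count attack events per (host, vuln) and mark those the scan confirms."""
    scanned = set(findings)
    counts = defaultdict(int)
    for line in events:
        event = parse_event(line)
        vuln = SIGNATURE_TO_VULN.get(event.get("sig"))
        if vuln is None:  # signature not mapped to a vulnerability class
            continue
        counts[(event["dst"], vuln)] += 1
    return [
        Correlation(host, vuln, n, (host, vuln) in scanned)
        for (host, vuln), n in sorted(counts.items())
    ]


def confirmed_attacks(correlations):
    """Attack traffic aimed at a weakness the scanner also found: highest priority."""
    return [c for c in correlations if c.confirmed]


def unexercised_findings(correlations, findings):
    """Scan findings no attack event has targeted yet; still worth fixing, lower urgency."""
    seen = {(c.host, c.vuln) for c in correlations}
    return [f for f in findings if f not in seen]


if __name__ == "__main__":
    results = correlate(IDS_EVENTS, SCAN_FINDINGS)
    for c in results:
        print(f"{c.host:7} {c.vuln:16} events={c.event_count} confirmed={c.confirmed}")
    print("unexercised:", unexercised_findings(results, SCAN_FINDINGS))
```

Real SEM deployments do the same join over normalized event schemas and asset inventories; the design point is that a detection gains confidence when an independent data source (the scan) corroborates it, and that the join also exposes scan findings nobody has probed yet.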

Security failure

Any event that is a violation of a particular system’s explicit or implicit security policy.

Security fault analysis

A security analysis, usually performed on hardware at gate level, to determine the security properties of a device when a hardware fault is detected.

Security fault injection test

Involves data perturbation (i.e., alteration of the type of data the execution environment components pass to the application, or that the application’s components pass to one another). Fault injection can reveal the effects of security defects on the behavior of the components themselves and on the application as a whole.
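The data perturbation this entry describes, as an added example that is not code from the book: two constructed components (a session parser and an authorizer) exchange a record, and a small harness alters that record in the ways a hostile or faulty environment might (missing field, wrong type, wrong case, oversized value, wrong container type) before handing it to the authorizer. Each outcome is classified as allow, deny, or crash, which makes a fail-open defect visible. The components, the perturbations and the session data are all constructed for the example.

```python
"""Security fault injection by perturbing data passed between components.

Added example, not from the book. The session parser, the two authorizer
variants and the perturbation list are constructed to show the technique.
"""
import json

# Component A: turns raw bytes from the environment into a session record.
def parse_session(raw: bytes) -> dict:
    return json.loads(raw.decode("utf-8"))


# Component B, weak variant: a deny-list check. Anything that is not
# literally "guest" is allowed, so unexpected data falls open.
def authorize_weak(session) -> bool:
    return session.get("role") != "guest"


# Component B, hardened variant: allow only an exact, expected value and
# reject anything that is not the expected record type (fail closed).
def authorize_hardened(session) -> bool:
    return isinstance(session, dict) and session.get("role") == "admin"


# Perturbations applied to the record A hands to B. Each one models a
# defect or hostile change in the data, not in the code under test.
PERTURBATIONS = {
    "baseline": lambda s: dict(s),
    "drop_role": lambda s: {k: v for k, v in s.items() if k != "role"},
    "role_none": lambda s: {**s, "role": None},
    "role_list": lambda s: {**s, "role": ["admin"]},
    "role_upper": lambda s: {**s, "role": "GUEST"},
    "huge_role": lambda s: {**s, "role": "x" * 10_000},
    "not_a_dict": lambda s: json.dumps(s),
}


def inject(target, base_session):
    """Run target on every perturbed copy of base_session; classify outcomes."""
    outcomes = {}
    for name, perturb in PERTURBATIONS.items():
        data = perturb(base_session)
        try:
            decision = target(data)
        except Exception as exc:  # uncaught error = crash class
            outcomes[name] = f"error:{type(exc).__name__}"
            continue
        outcomes[name] = "allow" if decision else "deny"
    return outcomes


def fail_open_cases(outcomes):
    """Perturbations that turned a non-admin session into an allow decision."""
    return sorted(n for n, o in outcomes.items() if n != "baseline" and o == "allow")


def crash_cases(outcomes):
    """Perturbations the component did not handle at all."""
    return sorted(n for n, o in outcomes.items() if o.startswith("error:"))


if __name__ == "__main__":
    base = parse_session(b'{"user": "bob", "role": "guest"}')  # constructed input
    for label, target in (("weak", authorize_weak), ("hardened", authorize_hardened)):
        out = inject(target, base)
        print(label, "fail-open:", fail_open_cases(out), "crash:", crash_cases(out))
```

The harness never changes the code under test; it only alters what the environment passes in, which is what distinguishes fault injection from unit testing of the component's own logic. The weak authorizer shows both effects the entry mentions: a defect in one component (deny-list logic) and a whole-application effect (privilege granted on malformed input).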

Security features

The security-relevant functions, mechanisms, and characteristics of system hardware and software. Security features are a subset of system security safeguards.

Security filter

A set of software routines and techniques employed in a computer system to prevent automatic forwarding of specified data over unprotected links or to unauthorized persons.

Security flaw

An error of commission or omission in a computer system that may allow protection mechanisms to be bypassed.

Security functions

The hardware, software, and firmware of the information system responsible for supporting and enforcing the system security policy and supporting the isolation of code and data on which the protection is based.

Security goals

The five security goals are confidentiality, availability, integrity, accountability, and assurance.

Security governance

Information security governance is defined as the process of establishing and maintaining a framework and supporting management structure and processes. It provides assurance that information security strategies are aligned with and supportive of business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and assign responsibility, all in an effort to manage risk. Note that information security governance is a part of information technology governance, which, in turn, is a part of corporate governance.

Information security management should integrate its information security governance activities with the overall organization structure and activities by ensuring appropriate participation of management officials in overseeing implementation of information security controls throughout the organization. The key activities that facilitate such integration are information security strategic planning, information security governance structures (that is, centralized, decentralized, and hybrid), establishment of roles and responsibilities, integration with the enterprise architecture, documentation of security objectives (such as confidentiality, integrity, availability, accountability, and assurance) in policies and guidance, and ongoing monitoring.
