Reading CISSP Practice in full

In addition, the security governance committee should ensure that appropriate security staff are represented in the acquisition and divestiture of business assets or units, performing due diligence reviews.

Organizations can use a variety of data originating from the ongoing information security program activities to monitor performance of programs under their purview, including plans of action and milestones, performance measurement and metrics, continuous assessment, configuration management and control, network monitoring, and incident and event statistics.

Security impact analysis (SIA)

The analysis conducted by an organization official, often during the continuous monitoring phase of the security certification and accreditation process, to determine the extent to which changes to the information system have affected the security state of the system.

Security incident

Any incident involving classified information in which there is a deviation from the requirements of governing security regulations. Compromise, inadvertent disclosure, need-to-know violation, planting of malicious code, and administrative deviation are examples of a security incident.

Security incident triad

Includes three elements: detect, respond, and recover. An organization should have the ability to detect an attack, respond to an attack, and recover from an attack by limiting the consequences or impacts of the attack.

Security-in-depth

See Defense-in-depth.

Security kernel

The central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The most trusted portion of a system, which enforces a fundamental security property and on which the other portions of the system depend.

Security label

(1) The means used to associate a set of security attributes with a specific information object as part of the data structure for that object. Labels could be designated as proprietary data or public data. (2) A marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. (3) Explicit or implicit marking of a data structure or output media associated with an information system representing the security category, or distribution limitations or handling caveats of the information contained therein.

Security level

A hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy being enforced, a specific level of protection. A clearance level associated with a subject or a classification level (or sensitivity label) associated with an object.
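The security label and security level entries above describe a hierarchical level plus non-hierarchical attributes bound to objects and subjects. The following is an added example, not code from the CISSP Practice glossary: it models a label as a level and a set of categories, and decides read access by a dominance rule (subject level at least as high as the object level, and subject categories a superset of the object's). The level names, the category names, and the dominance rule itself are assumptions made for illustration; the glossary defines the terms but does not prescribe this exact rule.

```python
# Added example: security labels, security levels and a clearance-vs-
# classification check. Not code from the CISSP Practice glossary.
# ASSUMPTION: the level ordering, category names and the dominance rule
# below are illustrative choices, not something the glossary specifies.
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical security levels, lowest to highest (assumed ordering).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class SecurityLabel:
    """A security label: a hierarchical level plus a set of
    non-hierarchical categories (compartments / handling caveats)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Reject labels that name a level the policy does not define.
        if self.level not in LEVELS:
            raise ValueError(f"unknown security level: {self.level}")

    def dominates(self, other: "SecurityLabel") -> bool:
        """True when this label's level is at least as high as other's
        and it carries every category other carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(clearance: SecurityLabel, classification: SecurityLabel) -> bool:
    """A subject may read an object only when the subject's clearance
    label dominates the object's classification label (no read-up)."""
    return clearance.dominates(classification)


def explain_denial(clearance: SecurityLabel, classification: SecurityLabel) -> str:
    """Human-readable reason for an access decision, useful in audit logs."""
    reasons = []
    if LEVELS[clearance.level] < LEVELS[classification.level]:
        reasons.append(f"clearance {clearance.level} below "
                       f"classification {classification.level}")
    missing = classification.categories - clearance.categories
    if missing:
        reasons.append("missing categories: " + ", ".join(sorted(missing)))
    return "; ".join(reasons) if reasons else "access permitted"


if __name__ == "__main__":
    # Constructed sample subjects and one labelled object.
    report = SecurityLabel("CONFIDENTIAL", frozenset({"FINANCE"}))
    alice = SecurityLabel("SECRET", frozenset({"FINANCE"}))
    bob = SecurityLabel("CONFIDENTIAL")
    carol = SecurityLabel("INTERNAL", frozenset({"FINANCE", "HR"}))
    for name, subject in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(f"{name}: read={can_read(subject, report)} "
              f"({explain_denial(subject, report)})")
```

The two-part rule matters in practice: a subject with a high enough level but without the object's category (bob above) is still refused, and the explanation function shows the auditor which part of the label failed.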

Security life of data

The time period during which data has security value.

Security management

The process of monitoring and controlling access to network resources. This includes monitoring usage of network resources, recording information about usage of resources, detecting attempted or successful violations, and reporting such violations.
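The security management entry lists four activities: monitoring usage, recording usage, detecting attempted or successful violations, and reporting them. The block below is an added example, not code from the CISSP Practice glossary, that performs all four over a handful of constructed access-log lines. The log format, the resource-to-group policy, and the user directory are assumptions made for this example; an "attempted violation" is a denied request, and a "successful violation" is an allowed request that the stated policy says should have been refused (a misconfiguration worth reporting).

```python
# Added example for the "security management" entry: monitor, record,
# detect and report over constructed access-log lines.
# Not code from the CISSP Practice glossary. ASSUMPTION: the log line
# format, RESOURCE_POLICY and USER_GROUPS are illustrative inventions.
import re
from collections import Counter

# Assumed policy: the groups permitted to use each network resource.
RESOURCE_POLICY = {
    "/finance": {"finance"},
    "/hr": {"hr"},
    "/wiki": {"finance", "hr", "eng"},
}

# Assumed user directory: user -> groups.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"eng"},
    "carol": {"hr"},
}

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice resource=/finance result=ALLOWED
2024-05-01T08:00:05Z user=bob resource=/finance result=DENIED
2024-05-01T08:01:10Z user=bob resource=/wiki result=ALLOWED
2024-05-01T08:02:00Z user=bob resource=/hr result=ALLOWED
2024-05-01T08:03:30Z user=carol resource=/hr result=ALLOWED
2024-05-01T08:04:00Z user=mallory resource=/wiki result=DENIED
this line is malformed and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) "
    r"result=(?P<result>ALLOWED|DENIED)$"
)


def analyze(log_text: str) -> dict:
    """Monitor and record usage, and detect attempted/successful violations."""
    usage = Counter()   # recording: number of accesses per resource
    attempted = []      # denied requests = attempted violations
    successful = []     # allowed requests that the policy should have refused
    malformed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1      # never let a bad line stop monitoring
            continue
        ev = m.groupdict()
        usage[ev["resource"]] += 1
        permitted = RESOURCE_POLICY.get(ev["resource"], set())
        authorized = bool(USER_GROUPS.get(ev["user"], set()) & permitted)
        if ev["result"] == "DENIED":
            attempted.append(ev)
        elif not authorized:
            successful.append(ev)
    return {"usage": dict(usage), "attempted": attempted,
            "successful": successful, "malformed": malformed}


def report(summary: dict) -> str:
    """Reporting: a plain-text summary for the security management function."""
    lines = ["Usage per resource:"]
    for res, n in sorted(summary["usage"].items()):
        lines.append(f"  {res}: {n}")
    lines.append(f"Attempted violations (denied): {len(summary['attempted'])}")
    for ev in summary["attempted"]:
        lines.append(f"  {ev['ts']} {ev['user']} -> {ev['resource']}")
    lines.append("Successful violations (allowed against policy): "
                 f"{len(summary['successful'])}")
    for ev in summary["successful"]:
        lines.append(f"  {ev['ts']} {ev['user']} -> {ev['resource']}")
    lines.append(f"Malformed lines skipped: {summary['malformed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

The distinction the example draws between attempted and successful violations is the one that drives response: a denied request is evidence of probing or error, while an allowed request that contradicts policy means the enforcement point and the policy disagree and needs fixing regardless of the user's intent.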

Security management dashboard

A tool that consolidates and communicates information relevant to the organizational security posture in near-real time to security management stakeholders.

Security management infrastructure (SMI)

A set of interrelated activities providing security services needed by other security features and mechanisms. SMI functions include registration, ordering, key generation, certificate generation, distribution, accounting, compromise recovery, re-key, destruction, data recovery, and administration.

Security marking

Human-readable information affixed to information system components, removable media, or system outputs indicating the distribution limitations, handling caveats and applicable security markings.

Security measures

Elements of software, firmware, hardware, or procedures included in a system for the satisfaction of security specifications.

Security mechanism

A device designed to provide one or more security services, usually rated in terms of strength of service and assurance of the design.

Security metrics

Security metrics strive to offer a quantitative and objective basis for security assurance.

Security model

A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.

Security objectives

The five security objectives are confidentiality, availability, integrity, accountability, and assurance. Some use only three objectives: confidentiality, integrity, and availability.

Security-by-obscurity
