Read CISSP Practice in full

A countermeasure principle that does not work in practice because attackers can compromise the security of any system at any time. The point of this principle is that trying to keep something secret when it is not actually secret does more harm than good.

Security-oriented code review

A code review, or audit, investigates the coding practices used in the application. The main objective of such reviews is to discover security defects and potentially identify solutions.

Security parameters

The variable secret components that control security processes; examples include passwords, encryption keys, encryption initialization vectors, pseudo-random number generator seeds, and biometrics identity parameters.

Security parameters index

Randomly chosen value that acts as an identifier for an IPsec connection.

Security perimeter

A physical or logical boundary that is defined for a system, domain, or enclave, within which a particular security policy, security control, or security architecture is applied to protect assets. A security perimeter typically includes a security kernel, some trusted-code facilities, hardware, and possibly some communications channels.

Security plan

A formal document providing an overview of the security requirements for an information system or an information security program and describing the security controls in place or planned for meeting those requirements.

Security policy

(1) Refers to the conventional security services (e.g., confidentiality, integrity, and availability) and underlying mechanisms and functions. (2) The set of laws, rules, criteria, and practices that regulate how an organization manages, protects, and distributes sensitive information and critical systems. (3) The statement of required protection for the information objects.

Security policy filter

A secure subsystem of an information system that enforces security policy on the data passing through it.

Security posture

The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.

Security priorities

Security priorities need to be developed so that investment can be allocated to the areas of highest sensitivity or risk.

Security program assessment

An assessment of an organization’s information security program to ensure that information and information system assets are adequately secured.

Security protections

Measures against threats that are intended to compensate for a computer’s security weaknesses.

Security requirements

(1) The types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy. (2) Requirements levied on an information system that are derived from laws, executive orders, directives, policies, procedures, standards, instructions, regulations, organizational mission or business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Security safeguards

The protective measures and controls prescribed to meet the security requirements specified for a computer system. Those safeguards may include but are not necessarily limited to hardware and software security features; operating procedures; accountability procedures; access and distribution controls; management constraints; personnel security; and physical security, which cover structures, areas, and devices.

Security service

(1) A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of authentication, authorization, and accounting (AAA) services. Security services typically implement portions of security policies and are implemented via security mechanisms. (2) A service, provided by a layer of communicating open systems, that ensures adequate security of the systems or of data transfers. (3) A capability that supports one, or many, of the security goals. Examples of security services are key management, access control, and authentication.

Security specification

A detailed description of countermeasures (safeguards) required to protect a computer system or network from unauthorized (accidental or unintentional) disclosure, modification, and destruction of data or denial of service.

Security strength
