IAS TERMINOLOGY REVIEWER [no caps and no commas :)]


IAS Terminology Mastery

Test your knowledge on crucial information assurance and security terminology with this comprehensive quiz designed for professionals and students alike!

Challenge yourself with questions covering a wide range of topics including:

  • Security measures
  • Risk management
  • Data privacy
  • Information assurance principles
92 Questions | 23 Minutes | Created by SecureShield273
Security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked.
Method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.
Set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations.
Strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations.
Addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine whether a crime has been committed, and the methods used to gather evidence.
Looks at how information security controls and safeguards are implemented in IT systems in order to protect the Confidentiality, Integrity, and Availability of the data that are used, processed, and stored in those systems.
Consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm.
A process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, and determines if information obtained by adversaries could be interpreted to be useful to them.
The study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents
Access controls restrict users from accessing sensitive information without permission; encryption protects information at rest or in transit; steganography hides information within images or other files.
Ensure that information is not altered without authorization; protects an organization's information from accidental or intentional tampering that may come as the result of many different issues.
Ensures that information and systems remain available to authorized users when needed.
Protects a system against the failure of a single component.
Protects services against the failure of a single server.
Protects services against disruption from a small failure.
Provide authenticity and non-repudiation.
Achieved when the recipient of a message can be confident that the message actually came from the purported sender.
Achieved when the recipient of a message can prove to an independent third party that the message actually came from the purported sender.
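The distinction between the last two definitions is easiest to see in code. The following is an added example, not part of the original quiz: it puts a shared-key MAC (which gives the recipient authenticity only, because the recipient holds the same key and could have produced the tag) next to an Ed25519 digital signature (which anyone holding only the public key can verify, so the sender cannot later deny it). The seed, shared key and messages are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// macTag computes an HMAC-SHA256 tag over msg with a key that sender and
// recipient share. Anyone holding the key can produce an identical tag.
func macTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// verifyMac convinces the recipient that the message came from someone who
// holds the shared key (authenticity). Because the recipient holds that same
// key, an outside party cannot tell sender and recipient apart: no
// non-repudiation.
func verifyMac(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(macTag(sharedKey, msg), tag)
}

// sign produces an Ed25519 signature with the sender's private key.
func sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// verifySig needs only the sender's public key, so an independent third
// party can check the signature without being able to forge one:
// non-repudiation.
func verifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// demoResult records the outcome of the worked comparison.
type demoResult struct {
	SigValid          bool // third party verifies the genuine message
	SigTamperDetected bool // third party rejects an altered message
	MacValid          bool // recipient verifies the genuine tag
	RecipientCanForge bool // recipient can mint a valid tag for any message
}

// demo runs both schemes over a constructed message. The seed and shared key
// are fixed so the result is reproducible; never use fixed keys in real code.
func demo() demoResult {
	seed := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, constructed
	senderPriv := ed25519.NewKeyFromSeed(seed)
	senderPub := senderPriv.Public().(ed25519.PublicKey)
	sharedKey := []byte("constructed-shared-secret")

	msg := []byte("pay 100 to account 42")
	altered := []byte("pay 900 to account 42")

	sig := sign(senderPriv, msg)
	tag := macTag(sharedKey, msg)

	// The recipient, holding sharedKey, can produce a tag for a message the
	// sender never sent, and it verifies just as well as the genuine one.
	forgedTag := macTag(sharedKey, altered)

	return demoResult{
		SigValid:          verifySig(senderPub, msg, sig),
		SigTamperDetected: !verifySig(senderPub, altered, sig),
		MacValid:          verifyMac(sharedKey, msg, tag),
		RecipientCanForge: verifyMac(sharedKey, altered, forgedTag),
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

All four fields come back true: the signature is verifiable and tamper-evident for anyone with the public key, while the MAC is equally valid whether the sender or the recipient produced it, which is exactly why a MAC alone cannot support non-repudiation.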
Any information that can be traced back to an individual.
Individually identifiable health records governed under HIPAA.
No individual should possess two permissions that, in combination, allow them to perform a highly sensitive action.
The ability to trace every action taken on a system back to an individual user without any ambiguity and without allowing the user to deny responsibility for that action.
Limits information access.
Limits system permissions.
Jeopardizes least privilege; least privilege is implemented through groups, account standardization, and account management processes and procedures.
Implementing several layers of protection.
Indicates that unless something is explicitly allowed it is denied.
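Two of the principles above, separation of duties (no single person holds a toxic pair of permissions) and implicit deny (nothing is permitted unless explicitly allowed), are both enforced in a small authorization policy. The following is an added example, not code from the original quiz; the roles, actions and resources in samplePolicy are hypothetical and constructed for the demonstration.

```go
package main

import "fmt"

// Rule is an explicit allow: a role may perform an action on a resource.
// There is no deny rule type; anything not matched by an allow is denied.
type Rule struct {
	Role, Action, Resource string
}

// Policy is a set of allow rules plus the action pairs that separation of
// duties forbids any single principal from holding together.
type Policy struct {
	Allows []Rule
	Toxic  [][2]string
}

// Permits evaluates a request. It returns true only if some rule for one of
// the principal's roles explicitly allows the action on that resource (or on
// "*"); every other case falls through to the implicit deny at the end.
func (p Policy) Permits(roles []string, action, resource string) bool {
	for _, role := range roles {
		for _, r := range p.Allows {
			if r.Role == role && r.Action == action &&
				(r.Resource == resource || r.Resource == "*") {
				return true
			}
		}
	}
	return false // implicit deny: no explicit allow matched
}

// actions collects every action the given roles are allowed anywhere.
func (p Policy) actions(roles []string) map[string]bool {
	held := map[string]bool{}
	for _, role := range roles {
		for _, r := range p.Allows {
			if r.Role == role {
				held[r.Action] = true
			}
		}
	}
	return held
}

// SoDViolations lists the toxic pairs a principal holding these roles would
// possess in full. Run it when assigning roles, before the combination exists.
func (p Policy) SoDViolations(roles []string) [][2]string {
	held := p.actions(roles)
	var out [][2]string
	for _, pair := range p.Toxic {
		if held[pair[0]] && held[pair[1]] {
			out = append(out, pair)
		}
	}
	return out
}

// samplePolicy is a constructed example; the roles and actions are
// hypothetical and not taken from any real system.
func samplePolicy() Policy {
	return Policy{
		Allows: []Rule{
			{"accountant", "create_vendor", "ledger"},
			{"approver", "approve_payment", "ledger"},
			{"developer", "write_code", "repo"},
			{"release_eng", "deploy_prod", "cluster"},
			{"auditor", "read", "*"},
		},
		Toxic: [][2]string{
			{"create_vendor", "approve_payment"},
			{"write_code", "deploy_prod"},
		},
	}
}

func main() {
	p := samplePolicy()
	fmt.Println(p.Permits([]string{"developer"}, "write_code", "repo"))     // true: explicitly allowed
	fmt.Println(p.Permits([]string{"developer"}, "deploy_prod", "cluster")) // false: no rule, implicit deny
	fmt.Println(p.SoDViolations([]string{"accountant", "approver"}))        // [[create_vendor approve_payment]]
}
```

Note that Permits has no way to express a deny: the policy language only lists what is allowed, so a forgotten rule fails closed rather than open. The SoD check is deliberately run against role assignments rather than individual requests, since the violation is holding both permissions at once, not using either of them.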
Often called the "prudent man" rule: doing what any responsible person would do, in other words implementing a security measure to mitigate a given risk.
Essentially the management of due care; ensuring that the implemented security measure was carried out correctly.
The opposite of due care; if you are not performing due care (what a prudent man would do) and you suffer a loss, you could be held legally liable.
Authentication is used to prove identity through the use of some type of credential that is previously known by the authenticator.
Include any measures taken to reduce risk via technological means.
Security control that prevents actions.
Security control that sends alert during or after an attack.
Security control that corrects a damaged system or process.
Security control that deters users from performing actions.
Security control that adds security by compensating for another control's weaknesses.
Security control that implements access control with technology you can touch.
Security control that includes elements implemented through technological means.
Security control that defines the human factors of security; it involves all levels of personnel within an organization and determines which users have access to what resources and information.
Policies are the top tier of formalized security documents
Much more specific than policies; standards are tactical documents because they lay out the specific steps or processes required to meet a given requirement.
Minimum level of security that a system, network, or device must adhere to.
Points to a statement in a policy or procedure by which to determine a course of action.
The most specific of security documents; a procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done.
Anything deemed valuable to a company.
The long-term storage of valuable assets, typically driven by: Legal and Regulatory Compliance Requirements and Organizational Requirements.
Step of the asset life cycle in which new assets are identified and classified.
Step of the asset life cycle in which assets are secured based on their classified value.
Step of the asset life cycle in which the value of assets and the effectiveness of our security controls are regularly monitored for changes.
Step of the asset life cycle in which, if an asset is adversely impacted, recovery measures are applied.
Step of the asset life cycle reached when the usefulness of an asset has ended and it is to be disposed of; there are two primary methods: archiving the asset for long-term storage, or defensible destruction that ensures there is no data remanence.
Data that’s stored on media of any form (hard drive, USB stick, tape, CD). It’s considered at rest because it’s not being transmitted over the network or in use. Data at rest is commonly protected by disk and file encryption.
Data that's currently moving across a network from one device to another. Data in motion is commonly protected by network encryption, such as TLS (the successor to SSL) and VPN connections using IPsec.
Data that's being used by a system process, application or user: data that's being created, updated, appended, or erased. Data in use is the hardest to protect because it's typically not encrypted while in use. Proper access control, integrity checks, and auditing measures can help protect data in use.
The most valuable asset held by many organizations.
The use of data sets much larger than those that may be handled by conventional data processing and analytic techniques
Describes security levels; classification programs establish the basis for other information and asset handling requirements.
Data stored for later use on storage media.
Data being sent over a network between two systems.
Data being actively used in a system’s memory.
Business leaders with overall responsibility for data. They set policies and guidelines for their data sets.
Handle the day-to-day data governance activities. They are delegated responsibility by data owners.
Actually store and process information and are often IT Staff Members.
Work with information in their jobs on a daily basis.
The process that businesses and organizations use to implement changes through building and delivering effective change strategies.
(change management) tracks specific device settings.
(change management) provides a configuration snapshot.
(change management) improves the efficiency and effectiveness of configuration management.
(change management) assigns number to each version.
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
Provides users with the knowledge they need to protect the organization's security.
Keeps the lessons learned during security training top of mind for employees.
Initial training for new employees; update training for employees with new roles.
Ensure that an organization’s information security controls are consistent with the laws, regulations and standards that govern the org’s activities.
It is the laws, regulations, and standards.
Presents serious risks to cybersecurity; manipulating people into divulging information or performing an action that undermines security.
Social engineering that targets specific organizations or individuals.
Social engineering using mobile phones or telephones.
Social engineering via SMS or text messages.
Social engineering that uses a targeted attack aimed at high-profile individuals, such as a CEO.
Social engineering that gains a victim's trust, typically by creating a backstory that makes the attacker sound trustworthy.
Social engineering that uses a physical security attack in which an attacker follows someone into a secure or restricted area.
Social engineering that occurs when the threat actor directly observes information such as login credentials or ATM PINs by looking over the user's shoulder.
Social engineering in which someone secretly listens to confidential information while others are conversing.
Single/multi factor authentication, single sign-on (SSO), device authentication and federated access.
Combines authentication techniques from two or more of the authentication categories: something you know, something you have and something you are.
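The "something you have" factor in the definition above is most often a time-based one-time password (TOTP) generator, so here is what that second factor actually computes and how the server checks it. This is an added example, not part of the original quiz; it implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms directly from the standard library and uses the RFCs' published test secret so the output can be checked. The 30-second step, six-digit length and one-step skew window are the common defaults, assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested number of
// decimal digits. HMAC-SHA1 is what the RFC specifies; as a MAC it is not
// affected by SHA-1's collision weakness.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)

	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the counter is the number of whole time steps
// (30 s by convention) elapsed since the Unix epoch.
func totp(secret []byte, unix int64, step int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// verifyTOTP is the server side. It accepts the six-digit code for the
// current 30 s step or one step either side (clock skew), compares in
// constant time, and returns which step matched so the caller can record it
// and refuse a replay of the same code within that step.
func verifyTOTP(secret []byte, unix int64, submitted string) (ok bool, step uint64) {
	current := uint64(unix / 30)
	for delta := int64(-1); delta <= 1; delta++ {
		counter := uint64(int64(current) + delta)
		expected := hotp(secret, counter, 6)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true, counter
		}
	}
	return false, 0
}

func main() {
	// Test secret from RFC 4226 / RFC 6238, used so the output is checkable
	// against the RFC tables; a real secret is random and per user.
	secret := []byte("12345678901234567890")
	fmt.Println(hotp(secret, 0, 6))      // 755224 (RFC 4226 Appendix D)
	fmt.Println(totp(secret, 59, 30, 8)) // 94287082 (RFC 6238 Appendix B)
	ok, step := verifyTOTP(secret, 59, "287082")
	fmt.Println(ok, step) // true 1
}
```

Two points worth noticing: the code never carries the secret anywhere, so possessing the device that holds it is what the factor proves; and the skew window means a code stays acceptable for up to 90 seconds, which is why the server must also remember the last step it accepted.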
Allows single sign-on (SSO) within a web browser across a variety of systems.
Individuals may have accounts across multiple systems; federated identity management systems share identity information, which reduces the number of individual identities a user must have.
Authentication system that shares a single authentication session across multiple systems, avoiding asking users to log in multiple times.
Supports integrating Active Directory SSO with other services.