  1. attack
    An act or event that exploits a vulnerability seeking to cause a loss to an information asset.
  2. bottom-up approach
    An implementation approach that uses grass-roots effort in which systems administrators attempt to improve the security of their systems.
  3. champion
    A member of the senior management of an organization who seeks to promote the successful outcome of a project or initiative by providing visibility
  4. chief information officer (CIO)
    The most senior manager or executive responsible for information technology and systems in an organization.
  5. chief information security officer (CISO)
    The most senior manager or executive responsible for information security in an organization.
  6. chief security officer (CSO)
    The most senior manager or executive responsible for physical and information security in an organization; sometimes misapplied to a functional CISO to follow industry trend.
  7. controls
    Those means undertaken to reduce the risk that information assets face from attacks by threats. Also known as safeguards.
  8. data custodians
    Individuals who work directly with data owners and are responsible for the storage
  9. data owners
    Individuals who control (and are therefore responsible for) the security and use of a particular set of information. Data owners may rely on custodians for the practical aspects of protecting their information
  10. data users
    Systems users who work with the information to perform their daily jobs supporting the mission of the organization
  11. ethical hackers
    See white-hat hackers.
  12. event-driven
    Refers to a corrective action that is in response to some event in the business community
  13. governance
    risk management
  14. joint application design (JAD)
    A process in which designers
  15. managerial controls
    Processes or tools that define
  16. methodology
    A formal approach to solving a problem based on a structured sequence of procedures.
  17. operational controls
    Processes or tools that deal with the operational functionality of security in the organization. They cover management functions and lower-level planning
  18. penetration testing
    A process in which security personnel simulate or perform specific and controlled attacks to compromise or disrupt systems by exploiting documented vulnerabilities.
  19. plan-driven
    Refers to a corrective action that is the result of a carefully developed planning strategy.
  20. red teams
    See white-hat hackers.
  21. risk assessment
    A process that assigns a comparative risk rating or score to each specific information asset. This enables the organization to gauge the relative risk introduced by each vulnerable information asset and allows comparative ratings later in the risk control process.
  22. risk management
    A process that identifies vulnerabilities in an organization's information system and takes carefully reasoned steps to assure the confidentiality
  23. safeguards
    See controls.
  24. security manager
    A supervisory-level member of an organization accountable for some or all of the day-to-day operation of an InfoSec program.
  25. security technician
    A technically qualified individual who may configure firewalls and IDPSs
  26. stakeholder
    Those entities
  27. strategic planning
    A process to lay out the long-term direction to be taken by an organization to guide organizational efforts and focus resources toward specific
  28. structured review
    A process during which a project design team and its management-level reviewers decide whether a project should be continued
  29. technical controls
    Means by which technical approaches are used to implement security in the organization.
  30. threat
    An entity with the potential to damage or steal an organization's information or physical assets.
  31. threat agent
    A specific instance of a threat.
  32. tiger teams
    See white-hat hackers.
  33. top-down approach
    A security approach in which upper management directs actions and provides support and in which high-level managers provide resources; give direction; issue policies
  34. vulnerability
    An identified weakness of a controlled information asset resulting from absent or inadequate controls.
  35. vulnerability assessment
    A process of evaluating possible vulnerabilities in order to distinguish actual weaknesses from false reports.
  36. white-hat hackers
    Persons given authority to engage in penetration testing in order to discover system weaknesses that can be controlled to improve security. Also known as ethical hackers
Card Set
BAKER ITS305 Management of Information Security Chap 2