SecurITyCerts dot Org

       Navigating Security Certifications

CISSP Acronym Edge: CISSP Study & Review Guide December 2016+

Main CISSP Acronym Edge Index

Domain 1: Security and Risk Management

Of course you need to study and be prepared, but you will never feel 100% prepared. That is OK! Whether you barely pass, or pass with a 99%, you will still be a CISSP. And if you pass with a 99%, you’ve wasted a lot of your life preparing, memorizing things you’d look up in the real world, and that’s time you’ll never get back.

Ethics are covered in this domain, and on ethics questions pick the most conservative approach or answer.

Get a PDF of The CISSP Acronym Edge: CISSP Study & Review Guide -  signup below & I'll send it to you.

CIA – Confidentiality, Integrity, and Availability, the three tenets of security. For every organization one of these will be most important, but they will all be important.

DAD – Disclosure, Alteration, and Destruction. The opposite of CIA. CIA is often expressed as DAD, its opposite. Confidentiality and (unauthorized) Disclosure as well as Integrity and (unauthorized) Alteration are fairly obvious opposites. By Availability and Destruction being opposites we mean any “Destruction of Access.”

Confidentiality – Only authorized access by authorized entities for authorized purposes. Authorized entities accessing data they are authorized to access for unauthorized purposes is a breach of confidentiality. For example an authorized hospital employee accessing a medical record they are authorized to access because the patient is famous and they are curious is a breach of confidentiality.

Integrity – Only authorized alterations by authorized entities for authorized purposes.

Availability – Data and services are available when needed for authorized business purposes.

Least Privilege – The concept that a user has the least privileges needed to fulfill their role. Least privilege is probably impossible to implement perfectly. In dynamic organizations without well defined roles it is harder to implement than in more static organizations with well defined roles, but a little least privilege goes a long way and it must always be implemented even if far from perfect.

Need to Know – Need to Know is a related concept to Least Privilege and is more granular and hence may further restrict access. A user only has access to a specific piece of data when they have a need to know it.

Separation of Duties – If an operation is too sensitive for one user to be able to do it, it can be separated so that two or more users are required. For example, think of bank safe deposit boxes, and launching nuclear weapons. No one individual has the privilege alone to do these operations.

Rotation of Duties – Rotation of duties is often added in addition to Separation of Duties to lessen the likelihood of collusion, two or more individuals cooperating to defeat Separation of Duties.

Quantitative Risk Assessment – Risk Assessment using “quantities” or metric, commonly expressed as dollars. For example, “If XYZ happens, it will cost the organization 7750 dollars.”

Qualitative Risk Assessment – Risk Assessment using banded values, for example very low risk, low risk, medium risk, high risk, and very high risk, instead of quantities/metrics.

EF – Exposure Factor. The amount of an asset that is lost when a threat is manifested. For example, if you sell vintage wedding dresses, and the threat is theft, the EF is 100% - if a dress is stolen it is 100% gone!

SLE – Single Loss Expectancy. The asset value times the Exposure Factor. If each vintage wedding dress is worth $20,000, the SLE is $20,000.

ARO – Annualized Rate of Occurrence. How many times a year a threat is manifest. If 5 of your vintage wedding dresses are stolen each year, your ARO is 5.

ALE – Annualized Loss Expectancy. Your SLE times your ARO. If your SLE is $20,000 per wedding dress stolen, and your ARO is 5, your ALE is $100,000. Knowing this value helps you make intelligent business decisions including those pertaining to security controls.

TCO – Total Cost of Ownership. A financial estimate of the direct and indirect costs of a product or system. For example, an Intrusion Detection System (IDS) might cost $25,000, but if there are expenses involved with setup, training of personnel, and personnel time or maybe even dedicated personnel are required, the TCO will be much higher. For an IDS it will typically be significantly higher.

ROI – Return on Investment. If the ROI is positive, it is “worth” doing. If it is negative, it is not.

RFI – Request For Information. A business process used to collect information from potential suppliers. Often used to identify suppliers to be included in an RFP/RFQ.

RFQ – Request For Quote. A document sent to potential suppliers asking for pricing information, i.e. a “quote.”

RFP – Request For Proposal. A request to potential suppliers, often via a bidding process, for proposals. Even for non security related proposals/projects, security is very often important and unfortunately the inclusion of appropriate security is often falsely assumed. A RFP may include a RFI and RFQ or they may be separate requests.

BPA – Business Partnership Agreement. A legal agreement between partners detailing the relationship and individual contributions and obligations. Often a complex document as it attempts to cover all possible business situations. Certainly security breaches and other security situations are one possible situation which could cause stress in a partnership.

MOU – Memorandum Of Understanding. A document detailing an agreement between two entities. Often seen in government, as government agencies typically cannot have contracts with each other.

MOA – Memorandum Of Agreement. See MOU above.

ISA – Interconnection Security Agreement. An agreement specifying technical requirements between organizations connecting systems and networks designed to support the MOU/MOA. Most commonly seen in governments like the MOU/MOA.

ELA – Enterprise License Agreement. An enterprise level software licensing agreement.

SLA – Service Level Agreements. A service level agreement is a contract stipulating a certain level of performance with financial penalties for not meeting that performance. For example an SLA with a service provider might stipulate 99% uptime for full payment, with payment prorated or otherwise reduced for not maintaining 99% uptime or greater.

OLA – An internal document specifying agreements between internal departments designed to support the SLA.

COTS –Commercial Off The Self (or sometimes Common Off The Shelf), as in COTS software. Microsoft Office is COTS software. Custom applications are not. The term COTS originated from and is used by the USA government.

STRIDE/DREAD – Microsoft’s threat modeling approach is known as STRIDE. Their previous approach was known as DREAD.

(STRIDE - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
DREAD - Damage, Reproducibility, Exploitability, Affected users, Discoverability). No need to memorize these!

OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation. A threat modeling approach from Carnegie Mellon University.

OWASP – Open Web Application Security Project, a non-profit focused on software security.

CVSS – Common Vulnerability Scoring System. An open standard metric for comparing the severity of IT vulnerabilities.

MITM – Man In The Middle attack. In a MITM attack, two parties believe they are directly communicating but a third party is in the middle secretly reading, possibly modifying, and relaying the messages.

DOS – Denial of Service.

DDOS – Distributed Denial of Service. An example of DDOS would be a 100,000 computer strong botnet where each computer sends a few packets to one IP address. Good chance that whatever sits at that IP address will be overwhelmed.

EMI – Electronic Magnetic Interference or Electromagnetic Interference. Especially with older systems, for example ones using Cathode Ray Tube based monitors, there is a substantial amount of EMI. It is possible to remotely receive this EMI and recreate what is on the screen. Although perhaps beyond the capability of your competitors, this is well within the capability of many nation-states.

TEMPEST – The codename for NSA specifications and a NATO certification to prevent spying via EMI. TEMPEST includes both methods for spying and shielding requirements to prevent such spying.

MLAT – Mutual Legal Assistance Treaty. An agreement between countries covering gathering and sharing information for the purpose of enforcing laws.

CAPEX – CAPital EXpenditure. A business expense which is an investment in the future of the organization. Examples include investments in software, hardware, and buildings.

OPEX – OPerational EXpenditure. A business expense which is required for the day to day operation of an organization, but which is NOT an investment in the future. Examples include taxes, maintenance, salaries, and depreciation.

NDA – Non Disclosure Agreement. A short legal document between two or more parties usually doing business together which states that confidential information may be shared but cannot be disclosed to other parties. For example I have an NDA with The SANS Institute that allows them to share confidential information with me such as new class dates and new course information that is not yet public, and I cannot disclose that information to anyone else.

BSA – Business Software Alliance, an industry group whose primary purpose is to prevent copyright infringement of software produced by its members. Software piracy is a big issue, but they are controversial because of some of their tactics, including their “Bust Your Boss!” campaign and others which pay disgruntled employees up to $200,000 to report alleged software piracy.

OECD – European Organization for Economic Cooperation and Development. Primarily European countries but also including Australia, Canada, the USA, Japan and others.

FISMA – Federal Information Security Management Act. A USA government framework designed to strengthen information security.

PCI – See PCI DSS below.

PCI DSS – Payment Card Industry Data Security Standard, usually abbreviated to PCI. Originally started by Visa but now controlled by an industry consortium. A set of best practices for organizations that handle payment cards such as credit and debit cards.

SOX – Sarbanes–Oxley Act of 2002. USA regulatory law covering financial information for publically traded companies which states that top management must personally certify accuracy of financial information. Some parts of SOX also apply to privately held companies.

GLBA – Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, is USA regulatory law covering financial services companies such as brokerages, banks, and insurance companies.

HIPAA – Health Insurance Portability and Accountability Act of 1996, is USA regulatory law covering health care organizations.

Get a PDF of The CISSP Acronym Edge: CISSP Study & Review Guide -  signup below & I'll send it to you.

We respect your email privacy