CISSP Official (ISC) 2 Course Flash Cards 2015

CISSP
Administrative Controls
CISSP Training Seminar – March 2015

Procedures implemented to define the
roles, responsibilities, policies, and
administrative functions needed to
manage the control environment.
Security and Risk Management Domain

CISSP
Annualized Rate of Occurrence (ARO)

An estimate of how often a threat will be
successful in exploiting a vulnerability
over the period of a year.

CISSP
Arms Export Control Act of 1976

Authorizes the President to designate
those items that shall be considered as
defense articles and defense services
and control their import and the export.

CISSP
Availability

The principle that ensures that
information is available and accessible to
users when needed.

CISSP
Breach

An incident that results in the disclosure
or potential exposure of data.

CISSP
Compensating Controls

Controls that substitute for the loss of
primary controls and mitigate risk down
to an acceptable level.

CISSP
Compliance

Actions that ensure behavior that
complies with established rules.

CISSP
Confidentiality

Supports the principle of “least privilege”
by providing that only authorized
individuals, processes, or systems should
have access to information on a need-to-
know basis.

CISSP
Copyright

Covers the expression of ideas rather
than the ideas themselves; it usually
protects artistic property such as writing,
recordings, databases, and computer
programs.

CISSP
Corrective: Controls

Controls implemented to remedy
circumstance, mitigate damage, or
restore controls.

CISSP
Data Disclosure

A breach for which it was confirmed that
data was actually disclosed (not just
exposed) to an unauthorized party.

CISSP
Detective Controls

Controls designed to signal a warning
when a security control has been
breached.

CISSP
Deterrent Controls

Controls designed to discourage people
from violating security directives.

CISSP
Directive Controls

Controls designed to specify acceptable
rules of behavior within an organization.

CISSP
Due Care

The care a “reasonable person” would
exercise under given circumstances.

CISSP
Due Diligence

Is similar to due care with the exception
that it is a pre-emptive measure made to
avoid harm to other persons or their
property.

CISSP
Enterprise Risk Management

A process designed to identify potential
events that may affect the entity,
manage risk so it is within its risk
appetite, and provide reasonable
assurance regarding the achievement of
entity objectives.

CISSP
Export Administration Act of 1979

Authorized the President to regulate
exports of civilian goods and
technologies that have military
applications.

CISSP
Governance

Ensures the business focuses on core
activities, clarifies who in the
organization has the authority to make
decisions, determines accountability for
actions and responsibility for outcomes,
and addresses how expected
performance will be evaluated.

CISSP
Incident

A security event that compromises the
confidentiality, integrity, or availability of
an information asset.

CISSP
Integrity

Comes in two forms; making sure that
information is processed correctly and
not modified by unauthorized persons,
and protecting information as it transits
a network.

CISSP
Information Security Officer

Accountable for ensuring the protection
of all of the business information assets
from intentional and unintentional loss,
disclosure, alteration, destruction, and
unavailability.

CISSP
Least Privilege

Granting users only the accesses that are
required to perform their job functions.

CISSP
Logical (Technical) Controls

Electronic hardware and software
solutions implemented to control access
to information and information
networks.

CISSP
Patent

Protects novel, useful, and nonobvious
inventions.

CISSP
Physical Controls

Controls to protect the organization’s
people and physical environment, such
as locks, fire management, gates, and
guards; physical controls may be called
“operational controls” in some contexts.

CISSP
Preventive Controls

Controls implemented to prevent a
security incident or information breach.

CISSP
Recovery Controls

Controls implemented to restore
conditions to normal after a security
incident.

CISSP
Recovery Time Objective (RTO)

How quickly you need to have that
application’s information available after
downtime has occurred.

CISSP
Recovery Point Objective (RPO)

The point in time to which data must be
restored in order to successfully resume
processing.

CISSP
Risk

1. A combination of the probability of an
event and its consequence (ISO 27000)
2. An expectation of loss expressed as

the probability that a particular threat
will exploit a particular vulnerability with
a particular harmful result.(RFC 2828)

CISSP
Risk Acceptance

The practice of accepting certain risk(s),
typically based on a business decision
that may also weigh the cost versus the
benefit of dealing with the risk in
another way.

CISSP
Risk Avoidance

The practice of coming up with
alternatives so that the risk in question is
not realized.

CISSP
Risk Mitigation

The practice of the elimination of or the
significant decrease in the level of risk
presented.

CISSP
Risk Transfer

The practice of passing on the risk in
question to another entity, such as an
insurance company.

CISSP
Risk Management

A systematic process for identifying,
analyzing, evaluating, remedying, and
monitoring risk.

CISSP
Single Loss Expectancy (SLE)

Defined as the difference between the
original value and the remaining value of
an asset after a single exploit.

CISSP
Single Points of Failure (SPOF)

Any single input to a process that, if
missing, would cause the process or
several processes to be unable to
function.

CISSP
Trademark

Any word, name, symbol, color, sound,
product shape, device, or combination of
these that is used to identify goods and
distinguish them from those made or
sold by others.

CISSP
Trade Secret

Proprietary business or technical
information, processes, designs,
practices, etc., that are confidential and
critical to the business.

CISSP
Vulnerability Assessment

Determines the potential impact of
disruptive events on the organization’s
business processes.

CISSP
Wassenaar Arrangement

Established to contribute to regional and
international security and stability by
promoting transparency and greater
responsibility in transfers of
conventional arms and dual-use goods
and technologies, thus preventing
destabilizing accumulations.

CISSP
Categorization

The process of determining the impact of
the loss of confidentiality, integrity, or
availability of the information to an
organization.
Asset Security Domain

CISSP
Clearing

The removal of sensitive data from
storage devices in such a way that there
is assurance that the data may not be
reconstructed using normal system
functions or software file/data recovery
utilities.

CISSP
Curie Temperature

The critical point where a material’s
intrinsic magnetic alignment changes
direction.

CISSP
Data Classification

Entails analyzing the data that the
organization retains, determining its
importance and value, and then
assigning it to a category.

CISSP
Data Custodians

Ensure important datasets are
developed, maintained, and accessible
within their defined specifications.

CISSP
Data Modeling

The methodology that identifies the path
to meet user requirements.

CISSP
Data Remanence

The residual physical representation of
data that has been in some way erased.

CISSP
Data Standards

Objects, features, or items that are
collected, automated, or affected by
activities or the functions of
organizations.

CISSP
Federal Information Processing

Standards (FIPS)

The official series of publications relating
to standards and guidelines adopted.

CISSP
File Encryption Software

Allows greater flexibility in applying
encryption to specific file(s).

CISSP
Framework Core

A set of cybersecurity activities, desired
outcomes, and applicable references
that are common across critical
infrastructure sectors.

CISSP
Framework Implementation Tiers

Provide context on how an organization
views cybersecurity risk and the
processes in place to manage that risk.

CISSP
Framework Profile

Represents the outcomes based on
business needs that an organization has
selected from the Framework Categories
and Subcategories.

CISSP
IT Asset Management (ITAM)

ITAM is a much broader discipline,
adding several dimensions of
management and involving a much
broader base of stakeholders.

CISSP
Media Encryption Software

Software that is used to encrypt
otherwise unprotected storage media
such as CDs, DVDs, USB drives, or laptop
hard drives.

CISSP
The National Checklist Program (NCP)

The U.S. Government repository of
publicly available security checklists (or
benchmarks) that provide detailed low-
level guidance on setting the security
configuration of operating systems and
applications.

CISSP
NIST Computer Security Division (CSD)

Focuses on providing measurements and
standards to protect information
systems against threats to the
confidentiality of information, integrity
of information and processes, and
availability of information and services in
order to build trust and confiden

CISSP
Purging

The removal of sensitive data from a
system or storage device with the intent
that the data cannot be reconstructed by
any known technique.

CISSP
Quality Assurance (QA)

An assessment of quality based on
standards external to the process and
involves reviewing of the activities and
quality control processes to ensure final
products meet predetermined standards
of quality.

CISSP
Quality Control (QC)

An assessment of quality based on
internal standards, processes, and
procedures established to control and
monitor quality.

CISSP
Self-Encrypting USB Drives

Portable USB drives that embed
encryption algorithms within the hard
drive, thus eliminating the need to install
any encryption software.

CISSP
Abstraction

Involves the removal of characteristics
from an entity in order to easily
represent its essential properties.
Security Engineering Domain

CISSP
Access Control Matrix

A two-dimensional table that allows for
individual subjects and objects to be
related to each other.

CISSP
Asymmetric Algorithms

One-way functions, that is, a process
that is much simpler to go in one
direction (forward) than to go in the
other direction (backward or reverse
engineering).

CISSP
Address Space Layout Randomization

(ASLR)

Involves randomly arranging the
positions of key data areas of a program,
including the base of the executable and
the positions of the stack, heap, and
libraries in a process’s memory address
space.

CISSP
Aggregation

Combining non-sensitive data from
separate sources to create sensitive
information.

CISSP
Algorithm

A mathematical function that is used in
the encryption and decryption
processes.

CISSP
Bell–La Padula Model

Explores the rules that would have to be
in place if a subject is granted a certain
level of clearance and a particular mode
of access.

CISSP
Brewer-Nash (The Chinese Wall) Model

This model focuses on preventing
conflict of interest when a given subject
has access to objects with sensitive
information associated with two
competing parties.

CISSP
Cable Plant Management

The design, documentation, and
management of the lowest layer of the
OSI network model – the physical layer.

CISSP
Certificate Authority (CA)

An entity trusted by one or more users
as an authority in a network that issues,
revokes, and manages digital certificates.

CISSP
Ciphertext or Cryptogram

The altered form of a plaintext message,
so as to be unreadable for anyone
except the intended recipients.

CISSP
Cloud Computing

A model for enabling ubiquitous,
convenient, on-demand network access
to a shared pool of configurable
computing resources (e.g., networks,
servers, storage, applications, and
services) that can be rapidly provisioned
and released with minimal management

CISSP
Common Criteria

Provides a structured methodology for
documenting security requirements,
documenting and validating security
capabilities, and promoting international
cooperation in the area of IT security.

CISSP
Community Cloud Infrastructure

Provisioned for exclusive use by a
specific community of consumers from
organizations that have shared concerns.

CISSP
Confusion

Provided by mixing (changing) the key
values used during the repeated rounds
of encryption. When the key is modified
for each round, it provides added
complexity that the attacker would
encounter.

CISSP
Control Objects for Information and

Related Technology (COBIT)

Provides a set of generally accepted
processes to assist in maximizing the
benefits derived using information
technology (IT) and developing
appropriate IT governance.

CISSP
Covert Channels

Communications mechanisms hidden
from the access control and standard
monitoring systems of an information
system.

CISSP
Cryptanalysis

The study of techniques for attempting
to defeat cryptographic techniques and,
more generally, information security
services.

CISSP
Cryptology

The science that deals with hidden,
disguised, or encrypted communications.
It embraces communications security
and communications intelligence.

CISSP
Cyber-Physical Systems (CPS)

Smart networked systems with
embedded sensors, processors, and
actuators that are designed to sense and
interact with the physical world and
support real-time, guaranteed
performance in safety-critical
applications.

CISSP
Data Hiding

Maintains activities at different security
levels to separate these levels from each
other.

CISSP
Data Warehouse

A repository for information collected
from a variety of data sources.

CISSP
Decoding

The reverse process from encoding –
converting the encoded message back
into its plaintext format.

CISSP
Diffusion

Provided by mixing up the location of the
plaintext throughout the ciphertext.

CISSP
Digital Certificate

An electronic document that contains
the name of an organization or
individual, the business address, the
digital signature of the certificate
authority issuing the certificate, the
certificate holder’s public key, a serial
number, and the expiration date

CISSP
Digital Rights Management (DRM)

A broad range of technologies that grant
control and protection to content
providers over their own digital media.

CISSP
Digital Signatures

Provide authentication of a sender and
integrity of a sender’s message.

CISSP
Enterprise Security Architecture (ESA)

Focused on setting the long-term
strategy for security services in the
enterprise.

CISSP
Firmware

The storage of programs or instructions
in ROM.

CISSP
“Generally Accepted Principles and

Practices for Securing Information
Technology Systems” (NIST SP 800-14)

Provides a foundation upon which
organizations can establish and review
information technology security
programs.

CISSP
Graham-Denning

Primarily concerned with how subjects
and objects are created, how subjects
are assigned rights or privileges, and
how ownership of objects is managed.

CISSP
Inference

The ability to deduce (infer) sensitive or
restricted information from observing
available information.

CISSP
ISO/IEC 21827:2008, The Systems

Security Engineering – Capability
Maturity Model (SSE-CMM)

Describes the essential characteristics of
an organization’s security engineering
process that must exist to ensure good
security engineering.

CISSP
Hash Function

Accepts an input message of any length
and generates, through a one-way
operation, a fixed-length output.

CISSP
Industrial Control Systems (ICS)

Used to control industrial processes such
as manufacturing, product handling,
production, and distribution.

CISSP
IT Infrastructure Library (ITIL)

Defines the organizational structure and
skill requirements of an IT organization
as well as the set of operational
procedures and practices that direct IT
operations and infrastructure, including
information security operations.

CISSP
Embedded Systems

Used to provide computing services in a
small form factor with limited processing
power.

CISSP
Encoding

The action of changing a message into
another format through the use of a
code.

CISSP
Hybrid Cloud Infrastructure

A composition of two or more distinct
cloud infrastructures (private,
community, or public) that remain
unique entities but are bound together
by standardized or proprietary
technology that enables data and
application portability.

CISSP
Initialization Vector (IV)

A non-secret binary vector used as the
initializing input algorithm for the
encryption of a plaintext block sequence
to increase security by introducing
additional cryptographic variance and to
synchronize cryptographic equipment.

CISSP
Key Clustering

When different encryption keys generate
the same ciphertext from the same
plaintext message.

CISSP
Key Length

The size of a key, usually measured in
bits or bytes, which a cryptographic
algorithm used in ciphering or
deciphering protected information.

CISSP
Key Space

This represents the total number of
possible values of keys in a cryptographic
algorithm or other security measure,
such as a password.

CISSP
Message Authentication Code (MAC)

A small block of data that is generated
using a secret key and then appended to
the message.

CISSP
Message Digest

A small representation of a larger
message. Message digests are used to
ensure the authentication and integrity
of information, not the confidentiality.

CISSP
Middleware

A connectivity software that enables
multiple processes running on one or
more machines to interact.

CISSP
Multilevel Lattice Models

A security model describes strict layers
of subjects and objects and defines clear
rules that allow or disallow interactions
between them based on the layers they
are in.

CISSP
Non-repudiation

A service that ensures the sender cannot
deny a message was sent and the
integrity of the message is intact.

CISSP
OpenID Connect

An interoperable authentication protocol
based on the OAuth 2.0 family of
specifications.

CISSP
OWASP

A nonprofit organization focused on
improving the security of software.

CISSP
Paging

Divides the memory address space into
equal-sized blocks called pages.

CISSP
Payment Card Industry Data Security

Standard (PCI-DSS)

Provides the security architect with a
framework of specifications to ensure
the safe processing, storing, and
transmission of cardholder information.

CISSP
Plaintext

The message in its natural format.

CISSP
Primary Storage

Stores data that has a high probability of
being requested by the CPU.

CISSP
Private Cloud

In this model, the cloud infrastructure is
provisioned for exclusive use by a single
organization comprising multiple
consumers.

CISSP
Protection Keying

Divides physical memory up into blocks
of a particular size, each of which has an
associated numerical value called a
protection key.

CISSP
Public Cloud Infrastructure

Provisioned for open use by the general
public. It may be owned, managed, and
operated by a business, academic, or
government organization, or some
combination of them. It exists on the
premises of the cloud provider.

CISSP
Registration Authority (RA)

This performs certificate registration
services on behalf of a CA.

CISSP
Secondary Storage

Holds data not currently being used by
the CPU and is used when data must be
stored for an extended period of time
using high-capacity, nonvolatile storage.

CISSP
Security Assertion Markup Language

(SAML)

An XML-based standard used to
exchange authentication and
authorization information.

CISSP
Security Zone of Control

An area or grouping within which a
defined set of security policies and
measures are applied to achieve a
specific level of security.

CISSP
Segmentation

Dividing a computer’s memory into
segments.

CISSP
Sherwood Applied Business Security

Architecture (SABSA) Framework

Holistic life cycle for developing security
architecture that begins with assessing
business requirements and subsequently
creating a “chain of traceability” through
the phases of strategy, concept, design,
implementation, and metrics.

CISSP
State Attacks

Attempt to take advantage of how a
system handles multiple requests.

CISSP
State Machine Model

Describes the behavior of a system as it
moves between one state and another,
from one moment to another.

CISSP
Stream-based Ciphers

When a cryptosystem performs its
encryption on a bit-by-bit basis.

CISSP
Symmetric Algorithms

Operate with a single cryptographic key
that is used for both encryption and
decryption of the message.

CISSP
Substitution

The process of exchanging one letter or
byte for another.

CISSP
System Kernel

The core of an OS, and one of its main
functions is to provide access to system
resources, which includes the system’s
hardware and processes.

CISSP
The Open Group Architecture

Framework (TOGAF)

An architecture content framework
(ACF) to describe standard building
blocks and components as well as
numerous reference models.

CISSP
Transposition

The process of reordering the plaintext
to hide the message.

CISSP
Work Factor

This represents the time and effort
required to break a protective measure.

CISSP
Zachman Framework

A logical structure for identifying and
organizing the descriptive
representations (models) that are
important in the management of
enterprises and to the development of
the systems, both automated and
manual, that comprise them.

CISSP
Bastion hosts

Serve as a gateway between a trusted
and untrusted network that gives
limited, authorized access to untrusted
hosts.
Communications and Network Security

Domain
CISSP
Bridges

Layer 2 devices that filter traffic between
segments based on Media Access
Control (MAC) addresses.

Domain
CISSP
Common application service element

(CASE)

Sublayer that provides services for the
application layer and request services
from the session layer

Domain
CISSP
Concentrators

Multiplex connected devices into one
signal to be transmitted on a network

Domain
CISSP
Direct-Sequence Spread Spectrum (DSSS)

A wireless technology that spreads a
transmission over a much larger
frequency band, and with corresponding
smaller amplitude

Domain
CISSP
Decryption

The process of transforming encrypted
data back into its original form, so it can
be understood.

Domain
CISSP
Fibre Channel over Ethernet (FCoE)

A lightweight encapsulation protocol and
lacks the reliable data transport of the
TCP layer

Domain
CISSP
File Transfer Protocol (FTP)

A stateful protocol that requires two
communication channels

Domain
CISSP
Firewalls

Devices that enforce administrative
security policies by filtering incoming
traffic based on a set of rules

Domain
CISSP
Frequency-Hopping Spread Spectrum

(FHSS)

This wireless technology spreads its
signal over rapidly changing frequencies

Domain
CISSP
Internet Control Message Protocol

(ICMP)

Provides a means to send error
messages for non-transient error
conditions and provides a way to probe
the network in order to determine
general characteristics about the
network.

Domain
CISSP
Layer 1

Physical Layer

Domain
CISSP
Layer 2

Data-Link Layer

Domain
CISSP
Layer 3

Network Layer

Domain
CISSP
Layer 4

Transport Layer

Domain
CISSP
Layer 5

Session Layer

Domain
CISSP
Layer 6

Presentation Layer

Domain
CISSP
Layer 7

Application Layer

Domain
CISSP
Lightweight Directory Access Protocol

(LDAP)

A client/server-based directory query
protocol loosely based upon X.500,
commonly used for managing user
information

Domain
CISSP
Modems

Allow users remote access to a network
via analog phone lines

Domain
CISSP
OSI reference model

Layering model structured into seven
layers (physical layer, data-link layer,
network layer, transport layer, session
layer, presentation layer, application
layer)

Domain
CISSP
Ping scanning

A basic network mapping technique that
helps narrow the scope of an attack

Domain
CISSP
Public-key encryption

Involves a pair of keys-a public key and a
private key-associated with an entity
that needs to authenticate its identity
electronically or to sign or encrypt data

Domain
CISSP
Remote Authentication Dial-in User

Service (RADIUS)

An authentication protocol used mainly
in networked environments, such as
ISPs, or for similar services requiring
single sign-on for layer 3 network access,
for scalable authentication combined
with an acceptable degree of security.

Domain
CISSP
Remote Procedure Calls (RPC)

Represent the ability to allow for the
executing of objects across hosts

Domain
CISSP
Screen Scraper

A program which can extract data from
output on a display intended for a
human

Domain
CISSP
Security perimeter

The first line of protection between
trusted and untrusted networks

Domain
CISSP
Specific application service element

(SASE)

Sublayer that provides application
specific services (protocols)

Domain
CISSP
Spread spectrum

A method commonly used to modulate
information into manageable bits that
are sent over the air wirelessly

Domain
CISSP
TCP/IP or Department of Defense (DoD)

model

Layering model structured into four
layers (link layer, network layer,
transport layer, application layer)

Domain
CISSP
Traceroute

A diagnostic tool that displays the path a
packet traverses between a source and
destination host

Domain
CISSP
Transmission Control Protocol (TCP)

Provides connection-oriented data
management and reliable data transfer

Domain
CISSP
User Datagram Protocol (UDP)

Provides a lightweight service for
connectionless data transfer without
error detection and correction

Domain
CISSP
Virtual Private Network (VPN)

An encrypted tunnel between two hosts
that allows them to securely
communicate over an untrusted network

Domain
CISSP
Voice over Internet Protocol (VoIP)

A technology that allows you to make
voice calls using a broadband Internet
connection instead of a regular (or
analog) phone line

Domain
CISSP
Wireless local area network (WLAN)

Links two or more devices over a short
distance using a wireless distribution
method, usually providing a connection
through an access point for Internet
access.

Domain
CISSP
Wireless mesh network

A wireless network made up of radio
nodes organized in a mesh topology

Domain
CISSP
Wireless metropolitan area networks

A type of wireless network that connects
several wireless LANs

Domain
CISSP
Wireless personal area networks

(WPANs)

Interconnect devices within a relatively
small area that is generally within a
person’s reach

Domain
CISSP
Access badges

Used to enter secured areas of a facility
and are used in conjunction with a badge
reader to read information stored on the
badge
Identity and Access Management

Domain
CISSP
Access Control Systems

Physical or electronic systems designed
to control who, or what, has access to a
network

Domain
CISSP
Account management systems

Systems that attempt to streamline the
administration of user identity across
multiple systems

Domain
CISSP
Authentication

The process of verifying the identity of
the user

Domain
CISSP
Authorization

The process of defining the specific
resources a user needs and determining
the type of access to those resources the
user may have

Domain
CISSP
Cryptographic Device

A hardware device that contains non-
programmable logic and non-volatile
storage dedicated to all cryptographic
operations and protection of private
keys.

Domain
CISSP
Electronic authentication (e-

authentication)

The process of establishing confidence in
user identities electronically presented
to an information system

Domain
CISSP
Facility access control

Protects enterprise assets and provides a
history of who gained access and when
the access was granted

Domain
CISSP
Identity as a Service (IDaaS)

Cloud-based services that broker identity
and access management functions to
target systems on customers’ premises
and/or in the cloud

Domain
CISSP
Identity proofing

The process of collecting and verifying
information about a person for the
purpose of proving that a person who
has requested an account, a credential,
or other special privilege is indeed who
he or she claims to be, and establishing a
reliable relationsh

Domain
CISSP
Kerberos

Developing standard for authenticating
network users. Kerberos offers two key
benefits: it functions in a multi-vendor
network, and it does not transmit
passwords over the network.

Domain
CISSP
Logical access controls

Protection mechanisms that limit users’
access to information and restrict their
forms of access on the system to only
what is appropriate for them

Domain
CISSP
MAC address

A 48-bit number (typically represented in
hexadecimal format) that is supposed to
be globally unique

Domain
CISSP
Mandatory Access Controls (MACs)

Access control that requires the system
itself to manage access controls in
accordance with the organization’s
security policies

Domain
CISSP
Multi-factor Authentication

Ensures that a user is who they claim to
be. The more factors used to determine
a person’s identity, the greater the trust
of authenticity.

Domain
CISSP
Password Management System

A system that manages passwords
consistently across the enterprise

Domain
CISSP
Physical Access Control Systems (PACS)

Allows authorized security personnel to
simultaneously manage and monitor
multiple entry points from a single,
centralized location

Domain
CISSP
Radio Frequency Identification (RFID)

A non-contact, automatic identification
technology that uses radio signals to
identify, track, sort and detect a variety
of objects including people, vehicles,
goods and assets without the need for
direct contact

Domain
CISSP
Role-Based Access Control (RBAC)

An access control model that bases the
access control authorizations on the
roles (or functions) that the user is
assigned within an organization

Domain
CISSP
Rule-Based Access Control

An access control model that based on a
list of predefined rules that determine
what accesses should be granted

Domain
CISSP
Security Assertion Markup Language 2.0

(SAML 2.0)

A version of the SAML OASIS standard
for exchanging authentication and
authorization data between security
domains

Domain
CISSP
Single factor authentication

Involves the use of simply one of the
three available factors solely in order to
carry out the authentication process
being requested

Domain
CISSP
Single Sign-On (SSO)

A unified login experience (from the
viewpoint of the end user) when
accessing one or more systems

Domain
CISSP
Trusted Platform Modules (TPM)

A local hardware encryption engine and
secured storage for encryption keys

Domain
CISSP
User ID

Provides the system with a way of
uniquely identifying a particular user
amongst all the users of that system

Domain
CISSP
2011 CWE/SANS Top 25 Most Dangerous

Software Errors

A list of the most widespread and critical
errors that can lead to serious
vulnerabilities in software.
Security Assessment and Testing Domain

CISSP
Audit Records

Contain security event information such
as successful and failed authentication
attempts, file accesses, security policy
changes, account changes, and use of
privileges.

CISSP
Architecture Security Reviews

A manual review of the product
architecture to ensure that it fulfills the
necessary security requirements.

CISSP
Automated Vulnerability Scanners

Tests an application for the use of
system components or configurations
that are known to be insecure.

CISSP
Condition Coverage

This criteria requires sufficient test cases
for each condition in a program decision
to take on all possible outcomes at least
once. It differs from branch coverage
only when multiple conditions must be
evaluated to reach a decision.

CISSP
Data Flow Coverage

for each feasible data flow to be
executed at least once.

CISSP
Decision (Branch) Coverage

Considered to be a minimum level of
coverage for most software products,
but decision coverage alone is
insufficient for high-integrity
applications.

CISSP
Information Security Continuous

Monitoring (ISCM)

Maintaining ongoing awareness of
information security, vulnerabilities, and
threats to support organizational risk
management decisions.

CISSP
Intrusion Detection Systems (IDS)

Real-time monitoring of events as they
happen in a computer system or
network, using audit trail records and
network traffic and analyzing events to
detect potential intrusion attempts.

CISSP
Intrusion Prevention Systems (IPS)

Any hardware or software mechanism
that has the ability to detect and stop
attacks in progress.

CISSP
Loop Coverage

for all program loops to be executed for
zero, one, two, and many iterations
covering initialization, typical running,
and termination (boundary) conditions.

CISSP
Misuse Case

A Use Case from the point of view of an
Actor hostile to the system under design.

CISSP
Multi-Condition Coverage

to exercise all possible combinations of
conditions in a program decision.

CISSP
Negative Testing

Ensures the application can gracefully
handle invalid input or unexpected user
behavior.

CISSP
Path Coverage

for each feasible path, basis path, etc.,
from start to exit of a defined program
segment, to be executed at least once.

CISSP
Positive Testing

Determines that your application works
as expected.

CISSP
Real User Monitoring (RUM)

An approach to web monitoring that
aims to capture and analyze every
transaction of every user of a website or
application.

CISSP
Regression Analysis

The determination of the impact of a
change based on review of the relevant
documentation.

CISSP
Security Log Management

The process for generating, transmitting,
storing, analyzing, and disposing of
computer security log data.

CISSP
Statement Coverage

for each program statement to be
executed at least once; however, its
achievement is insufficient to provide
confidence in a software product’s
behavior.

CISSP
Static Source Code Analysis (SAST)

Analysis of the application source code
for finding vulnerabilities without
actually executing the application.

CISSP
Synthetic Performance Monitoring

Involves having external agents run
scripted transactions against a web
application.

CISSP
System Events

Operational actions performed by OS
components, such as shutting down the
system or starting a service.

CISSP
Threat Modeling

A process by which developers can
understand security threats to a system,
determine risks from those threats, and
establish appropriate mitigations.

CISSP
Use Cases

Abstract episodes of interaction
between a system and its environment.

CISSP
Validation

The determination of the correctness,
with respect to the user needs and
requirements, of the final program or
software produced from a development
project.

CISSP
Verification

The authentication process by which the
biometric system matches a captured
biometric against the person’s stored
template.

CISSP
Vulnerability Management Software

Log the patch installation history and
vulnerability status of each host, which
includes known vulnerabilities and
missing software updates.

CISSP
Web Proxies

Intermediate hosts through which
websites are accessed.

CISSP
White-box Testing

A design that allows one to peek inside
the “box” and focuses specifically on
using internal knowledge of the software
to guide the selection of test data.

CISSP
Acoustic Sensors

Device that uses passive listening devices
Security Operations Domain

CISSP
Administrator accounts

Accounts that are assigned only to
named individuals that require
administrative access to the system to
perform maintenance activities, and
should be different and separate from a
user’s normal account.

CISSP
Balanced Magnetic Switch (BMS)

Devices that use a magnetic field or
mechanical contact to determine if an
alarm signal is initiated

CISSP
Chain of custody

The who, what, when, where, and how
the evidence was handled—from its
identification through its entire life cycle,
which ends with destruction, permanent
archiving, or returning ot owner.

CISSP
Cipher Lock

A lock controlled by touch screen,
typically 5 to 10 digits that when pushed
in the right combination the lock will
releases and allows entry

CISSP
Configuration management (CM)

A discipline for evaluating, coordinating,
approving or disapproving, and
implementing changes in artifacts that
are used to construct and maintain
software systems

CISSP
Data Leak Prevention (DLP)

A suite of technologies aimed at
stemming the loss of sensitive
information that occurs in the
enterprise.

CISSP
Egress filtering

The practice of monitoring and
potentially restricting the flow of
information outbound from one network
to another

CISSP
Infrared Linear Beam Sensors

A focused infrared (IR) light beam is
projected from an emitter and bounced
off of a reflector that is placed at the
other side of the detection area

CISSP
Instant Keys

Provide a quick way to disable a key by
permitting one turn of the master key to
change a lock

CISSP
Intrusion Detection System (IDS)

A technology that alerts organizations to
adverse or unwanted activity

CISSP
Indemnification

The party to party litigation costs
resulting from its breach of warranties

CISSP
Intrusion Prevention System (IPS)

A technology that monitors activity like
an IDS but will automatically take
proactive preventative action if it detects
unacceptable activity.

CISSP
Honeypot

Decoy servers or systems setup to gather
information regarding an attacker or
intruder into your system

CISSP
Honeyfarm

A centralized collection of honeypots
and analysis tools

CISSP
Honeynet

Two or more honeypots on a network

CISSP
Live evidence

Data that are dynamic and exist in
running processes or other volatile
locations (e.g., system/device RAM) that
disappear in a relatively short time once
the system is powered down

CISSP
Locard’s exchange principle

States that when a crime is committed,
the perpetrators leave something behind
and take something with them, hence
the exchange

CISSP
Magnetic Stripe (mag stripe) cards

Consist of a magnetically sensitive strip
fused onto the surface of a PVC material,
like a credit card

CISSP
Mortise Lock

A lock or latch that is recessed into the
edge of a door, rather than being
mounted to its surface.

CISSP
Power users

Accounts granted greater privileges than
normal user accounts when it is
necessary for the user to have greater
control over the system, but where
administrative access is not required

CISSP
Protocol Anomaly-Based IDS

Identifies any unacceptable deviation
from expected behavior based on known
network protocols

CISSP
Proximity Card (prox cards)

Use embedded antenna wires connected
to a chip within the card through RF.

CISSP
Records and Information Management

(RIM)

Essential activities to protect business
information and can be established in
compliance with laws, regulations, or
corporate governance

CISSP
Remanence

The measure of the existing magnetic
field on the media after degaussing

CISSP
Rim Lock

A lock or latch typically mounted on the
surface of a door, typically associated
with a dead bolt type of lock

CISSP
Sandboxing

A form of software virtualization that
lets programs and processes run in their
own isolated virtual environment

CISSP
Security Informatn and Event

Management (SIEM)

A group of technologies which aggregate
information about access controls and
selected system activity to store for
analysis and correlation

CISSP
Service accounts

Accounts used to provide privileged
access used by system services and core
applications

CISSP
Smart Cards

Credential cards with one or more
microchip processing that accepts or
processes infomraiton and can be
contact or contact less.

CISSP
Statistical Anomaly-based IDS

Analyzes event data by comparing it to
typical, known, or predicted traffic
profiles in an effort to find potential
security breaches

CISSP
Steganography

The science of hiding information

CISSP
Traffic anomaly-based IDS

Identifies any unacceptable deviation
from expected behavior based on actual
traffic structure

CISSP
Time domain Reflectometry (TDR)

Send induced radio frequency (RF)
signals down a cable that is attached to
the fence fabric

CISSP
ActiveX Data Objects (ADO)

A Microsoft high-level interface for all
kinds of data.
Software Development Security Domain

CISSP
Capability Maturity Model for Software

(CMM or SW-CMM)

Maturity model focused on quality
management processes and has five
maturity levels that contain several key
practices within each maturity level.

CISSP
Common Object Request Broker

Architecture (CORBA)

A set of standards that addresses the
need for interoperability between
hardware and software products.

CISSP
Computer Virus

A program written with functions and
intent to copy and disperse itself without
the knowledge and cooperation of the
owner or user of the computer.

CISSP
Configuration Mangement (CM)

Monitoring and managing changes to a
program or documentation.

CISSP
Covert Channel

An information flow that is not
controlled by a security control.

CISSP
Encryption

The conversion of electronic data into
another form, called ciphertext, which
cannot be easily understood by anyone
except authorized parties.

CISSP
Data Mining

The practice of examining large
databases in order to generate new
information.

CISSP
Database Management System (DBMS)

A suite of application programs that
typically manages large, structured sets
of persistent data.

CISSP
Database Model

Describes the relationship between the
data elements and provides a framework
for organizing the data.

CISSP
DevOps

An approach based on lean and agile
principles in which business owners and
the development, operations, and
quality assurance departments
collaborate.

CISSP
Log

A record of the events occurring within
an organization’s systems and networks.

CISSP
Integrated Product and Process

Development (IPPD)

A management technique that
simultaneously integrates all essential
acquisition activities through the use of
multidisciplinary teams to optimize the
design, manufacturing, and
supportability processes.

CISSP
Iterative Models

Development models that allow for
successive refinements of requirements,
design, and coding.

CISSP
Knowledge Discovery in Databases (KDD)

A mathematical, statistical, and
visualization method of identifying valid
and useful patterns in data.

CISSP
Metadata

Information about the data.

CISSP
Rapid Application Development (RAD)

A form of rapid prototyping that requires
strict time limits on each phase and
relies on tools that enable quick
development.

CISSP
Software Assurance (SwA)

The level of confidence that software is
free from vulnerabilities, either
intentionally designed into the software
or accidentally inserted at any time
during its life cycle, and that it functions
in the intended manner.

CISSP
Time Multiplexing

Allows the operating system to provide
well-defined and structured access to
processes that need to use resources
according to a controlled and tightly
managed schedule.

CISSP
Time of Check/Time of Use (TOC/TOU)

Attacks

Takes advantage of the dependency on
the timing of events that takes place in a
multitasking operating system.

CISSP
Trusted Computing Bases (TCB)

The collection of all of the hardware,
software, and firmware within a
computer system that contains all
elements of the system responsible for
supporting the security policy and the
isolation of objects.

CISSP
Waterfall Development Model

A development model in which each
phase contains a list of activities that
must be performed and documented
before the next phase begins.

CISSP Official (ISC) 2 Course Flash Cards 2015

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISSP Official (ISC) 2 Course Flash Cards 2015

Uploaded by

Copyright:

Available Formats

CISSP

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Annualized Rate of Occurrence (ARO)

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Arms Export Control Act of 1976

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Enterprise Risk Management

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Export Administration Act of 1979

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Information Security Officer

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

Logical (Technical) Controls

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain

CISSP Training Seminar – March 2015

Security and Risk Management Domain