Key Terms

The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:

Asset

Anything of value owned or possessed by an individual or business.

Due care

The standard of conduct expected of a reasonable and prudent person. When you see the term due care, think of the first letter of each word and remember “do correct,” because due care is about the actions you take to reduce risk and keep it at an acceptable level.

Due diligence

The practice of exercising due care over time. When you see the term due diligence, think of the first letter of each word and remember “do detect,” because due diligence is about continually identifying the threats an organization faces. This is accomplished by applying standards, best practices, and checklists.

Firewall

A hardware or software security system that filters traffic between networks according to a policy, intended to protect an organization’s network against threats, such as attackers, originating from another network or the Internet.

Generally Accepted System Security Principles (GASSP)

A set of information security principles published by the International Information Security Foundation (I2SF). The closely related NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, covers similar ground and is designed to help organizations improve their operational and management security controls.

Gold standard

The practices and procedures generally regarded as the best of the best.

Information Technology Security Evaluation Criteria (ITSEC)

A European evaluation standard, developed in the late 1980s and published by the European Commission in 1991, that evaluates the confidentiality, integrity, and availability of an entire system. Unlike TCSEC, it rates a product’s security functionality and the assurance of that functionality separately.

ISO 17799

A comprehensive code of practice for information security management. The original 2000 edition is divided into 10 sections (the 2005 edition has 11). It is considered a leading standard and was renumbered ISO/IEC 27002 in 2007.

Red team

A group of ethical hackers who help organizations find network and system vulnerabilities by conducting authorized penetration tests that emulate a real attacker.

Risk

The exposure or potential for loss or damage to assets within an IT infrastructure, usually expressed in terms of the likelihood that a threat exploits a vulnerability and the impact if it does.

Risk acceptance

An informed decision to tolerate a risk and bear the consequences if the loss occurs, typically because the cost of treating the risk exceeds the expected loss.

Risk assessment

A process for identifying and evaluating the exposure or potential loss or damage to an organization’s IT and data assets.

Risk avoidance

A decision to eliminate a risk entirely by not engaging in the activity, or not deploying the asset, that creates it.

Risk mitigation

Taking action, such as implementing controls, to reduce the likelihood or the impact of a potential risk.

Risk transference

Shifting the financial burden or responsibility for a risk to another party, for example by purchasing insurance or outsourcing the activity.
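The risk entries above (risk, risk assessment, and the four treatments: acceptance, avoidance, mitigation, and transference) are easiest to see together in a small quantitative assessment. The following is an added example, not code from the book: it uses the standard single-loss-expectancy model (SLE = asset value × exposure factor, ALE = SLE × annualized rate of occurrence), and the risk register, the control costs, the insurance premiums, and the risk appetite figure are all constructed sample values.

```python
"""Worked quantitative risk assessment (added example, not from the book).

Model: SLE = asset_value * exposure_factor; ALE = SLE * ARO.
Each treatment is costed per year and the cheapest one wins, unless the
untreated ALE is already within the organisation's risk appetite, in which
case the risk is simply accepted.  All figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float          # replacement value of the asset
    exposure_factor: float      # fraction of the value lost per incident, 0.0-1.0
    aro: float                  # annualized rate of occurrence (incidents / year)
    control_cost: float         # annual cost of the candidate mitigating control
    control_effect: float       # fraction of occurrences the control removes
    transfer_premium: Optional[float] = None  # annual insurance premium, if offered
    avoidance_cost: Optional[float] = None    # annual cost of dropping the activity


def sle(r: Risk) -> float:
    """Single loss expectancy: value lost in one incident."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized loss expectancy before any treatment."""
    return sle(r) * r.aro


def residual_ale(r: Risk) -> float:
    """ALE left over after the candidate control removes part of the occurrences."""
    return sle(r) * r.aro * (1.0 - r.control_effect)


def choose_treatment(r: Risk, appetite: float) -> str:
    """Return 'accept', 'avoid', 'mitigate' or 'transfer' for one risk.

    appetite is the largest annual expected loss the organisation will carry
    without acting; anything at or below it is accepted as-is.
    """
    if ale(r) <= appetite:
        return "accept"
    # Annual cost of each treatment the organisation can actually choose.
    options = {"mitigate": r.control_cost + residual_ale(r)}
    if r.avoidance_cost is not None:
        options["avoid"] = r.avoidance_cost   # loss goes to zero; only the lost activity costs
    if r.transfer_premium is not None:
        options["transfer"] = r.transfer_premium
    return min(options, key=options.get)


def assess(register: List[Risk], appetite: float) -> List[dict]:
    """Rank the register by untreated ALE and attach the chosen treatment."""
    ranked = sorted(register, key=ale, reverse=True)
    return [{"asset": r.asset, "ale": ale(r), "treatment": choose_treatment(r, appetite)}
            for r in ranked]


# Constructed sample register; none of these figures come from the book.
REGISTER = [
    Risk("customer database", 500_000, 0.4, 0.2, control_cost=15_000,
         control_effect=0.75, transfer_premium=30_000),
    Risk("marketing laptops", 20_000, 0.5, 0.1, control_cost=4_000,
         control_effect=0.5),
    Risk("legacy FTP server", 50_000, 1.0, 0.5, control_cost=20_000,
         control_effect=0.5, avoidance_cost=8_000),
    Risk("public web storefront", 300_000, 0.25, 0.4, control_cost=40_000,
         control_effect=0.9, transfer_premium=12_000),
]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=5_000):
        print(f"{row['asset']:<24} ALE {row['ale']:>10,.0f}  -> {row['treatment']}")
```

With a risk appetite of 5,000 the four sample risks land on four different treatments: the database is mitigated (control plus residual loss is cheaper than the premium), the storefront is transferred (the premium undercuts the expensive control), the FTP server is avoided (retiring it costs less than securing it), and the laptops are accepted because their expected loss is already below the appetite.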

Trusted Computer System Evaluation Criteria (TCSEC)

U.S. Department of Defense Trusted Computer System Evaluation Criteria, also called the Orange Book. TCSEC evaluates standalone systems and places them into one of four divisions, A through D, with A the most secure and D the least; divisions are subdivided into numbered classes such as C2 and B1. Its basis of measurement is confidentiality.

Uber hacker

An expert and dedicated computer hacker.
