The following acronyms and terms are used in this chapter. For the purposes of explanation and definition in this chapter, they are defined as follows:
The standard of conduct taken by a reasonable and prudent person. When you see the term due care, think of the first letter of each word and remember “do correct,” because due care is about the actions that you take to reduce risk and keep it at that level.
The execution of due care over time. When you see the term due diligence, think of the first letter of each word and remember “do detect,” because due diligence is about finding the threats an organization faces. This is accomplished by using standards, best practices, and checklists.
A hardware or software security system that is intended to protect an organization’s network against external threats, such as attackers, coming from another network or the Internet.
NIST Special Publication 800-14, which is designed to help organizations improve their operational and management security controls.
A European standard that was developed in the 1980s to evaluate confidentiality, integrity, and availability of an entire system.
A comprehensive security standard that is divided into 10 sections. It is considered a leading standard and a code of practice for information security management.
A group of ethical hackers who help organizations explore network and system vulnerabilities by means of penetration testing.
A process for evaluating the exposure or potential loss or damage to the IT and data assets for an organization.
U.S. DoD Trusted Computer System Evaluation Criteria, also called the Orange Book. TCSEC is a system designed to evaluate standalone systems and place them into one of four levels: A, B, C, and D. Its basis of measurement is confidentiality.