The following acronyms and terms are used in this chapter. For the purposes of this chapter, these acronyms and terms are defined as follows:
A component of the business continuity plan. The BIA looks at all the components whose continued functionality the organization relies on. It seeks to distinguish which are more crucial than others and therefore require a greater allocation of funds in the wake of a disaster.
A security professional who legally attempts to break into a computer system or network to find its vulnerabilities.
The initial meeting of the assessment team and management that is used to strategize and plan the assessment activities. It is also an opportunity for everyone present to ask questions and work out any problems that may need to be addressed.
This type of vulnerability assessment examines the controls implemented to protect information in storage, transmission, or being processed. It involves no hands-on testing. It is a review of the process and procedures in place and focuses on interviews and demonstrations.
This type of assessment is more in-depth than a level I. Level II assessments include vulnerability scans and hands-on testing.
This type of assessment is adversarial in nature and is also known as a penetration test. It is an attempt to find and exploit vulnerabilities. It seeks to determine what a malicious user or outsider could do if determined to damage the organization.
The National Security Agency (NSA) Information Security Assessment Methodology (IAM) is a systematic process used by government agencies and private organizations for the assessment of security vulnerabilities.
The OICM is a means of determining critical information types within the organization. It is based on what the organization determines is most critical. It is a qualitative process.
A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker, but without doing harm and with the owner's consent.
An analysis of risk that places the probability results into terms such as none, low, medium, and high.
This is the uncontrolled change in the project's scope. It causes the assessment to drift away from its original scope and results in budget and schedule overruns.
Similar to the OICM, the SCM is used to define the organization’s critical systems. This allows the organization to identify and focus its security mechanisms on the systems that are most critical to the organization’s mission.