Acceptable Use Policy (AUP)
A policy that defines what employees, contractors, and third parties are authorized to do on the organization's IT infrastructure and its assets. AUPs are common for access to IT resources, systems, applications, Internet access, email access, and so on.
Change Control Board
A governance organization or committee, made up of executive management, that decides on changes, modifications, or updates to the IT infrastructure and its assets.
Change Management Policy
A policy that is defined by a Change Control Board to manage, review, and approve changes to the IT infrastructure and its assets. Typically, changes that impact the IT infrastructure and its assets must obtain approval of the organization's Change Control Board.
Data Classification Standard
A standard that defines an organization's classification of its data assets. Typically, a data classification standard will dictate the level of minimum acceptable risk within the seven areas of information security responsibility.
Defense-in-Depth
A term used to describe a layered approach to information security for an IT infrastructure.
IT Security Architecture and Framework
A term used to describe a hierarchical definition for information security policies, standards, procedures, and guidelines.
Minimum Acceptable Level of Risk
The stake in the ground that an organization defines for the seven areas of information security responsibility. Depending on the goals and objectives for maintaining confidentiality, integrity, and availability of the IT infrastructure and its assets, the minimum acceptable level of risk dictates the information security countermeasures needed to comply with this definition.
Network Operations Center (NOC)
An organization's help desk or interface to its end users where trouble calls, questions, and trouble tickets are generated.
Security Operations Center (SOC)
An organization's or service provider's help desk or interface to its end users or customers where trouble calls, questions, and trouble tickets pertaining to security issues, breaches, and incidents are forwarded.
Security Workflow Definitions
Given the defense-in-depth, layered approach to information security roles, tasks, responsibilities, and accountabilities, a security workflow definition is a flowchart that defines the communications, checks and balances, and domain of responsibility and accountability for the organization's IT and IT security staff.
Separation of Duties
Given the seven areas of information security responsibility, separation of duties assigns distinct roles, tasks, responsibilities, and accountabilities for information security to the different duties of the IT staff and IT security staff.
Service Level Agreements (SLAs)
A contractual agreement between an organization and its service provider. An SLA defines the service provider's obligations and protects the organization by holding the provider accountable for the requirements it specifies.
Software Vulnerability Standard
A standard that accompanies an organization's Vulnerability Assessment and Management Policy. This standard typically defines the organization's vulnerability window definition and how the organization is to provide software vulnerability management and software patch management throughout the enterprise.
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template