Below is a list of Industry Terms and Acronyms which might prove useful.

1st Party audit

A 1st Party audit is an internal audit conducted to ensure compliance with some specification, perhaps prior to a 2nd/3rd party audit in respect of certification to a standard such as ISO27001.


2nd Party audit

A 2nd Party audit is an external audit of a partner company/subcontractor prior to entering into a contract or similar relationship.


ACPO guidelines

Electronic/hi-tech evidence must be obtained, handled and presented in court in as similar a manner as possible to that of more conventional evidence; thus the Association of Chief Police Officers (ACPO) have issued guidelines for the correct handling of such evidence in order to be compliant with relevant legislation.


BCP

Business Continuity Planning (BCP) is a means to mitigate the risks of business interruption through the provision of predefined and rehearsed contingency procedures such as alternative work sites and Information and Communications Technology (ICT) provision.


BIA

A Business Impact Analysis (BIA) is often the first step in BCP/DR (qv) encompassing the identification of the key components of business processes, such as personnel, equipment, documentation, and the likely impact of their loss or degradation.


BS7799

BS 7799 is a British Standard detailing the planning and execution of Information Security. It comes in 2 parts, the first being a checklist of areas to address and the second a specification, against which certification may be gained, for the implementation of an Information Security Management System (ISMS – qv). The international equivalent is ISO27001 (qv).


BS25999

BS 25999 is a UK British Standards Institute (BSI) standard, derived from PAS56, detailing the conduct of Business Continuity Planning (BCP – qv).


BS8470

BS 8470 is a UK British Standards Institute (BSI) standard detailing the secure destruction of information bearing media such as paper and computer disks.


Computer forensics

Computer (or hi-tech) forensics is the scientific gathering of admissible evidence to support administrative or legal processes. It can be applied to stand-alone computers (including servers), networked computer systems, PDAs, smart phones, mobile phones and digital cameras – in fact any piece of electronics into which a person might have entered information relevant to the administrative/legal process.


ComSec

ComSec, or Communications Security, is the securing of a telecommunications link in order to prevent any compromise in the confidentiality, integrity or availability of information carried thereon. Principally, ComSec involves the provision of encryption, in hardware or software, although other more involved concepts, such as Traffic Flow Security and TEMPEST, may be involved.


Computer network defence

Computer Network Defence (CND) is the process of hardening computer networks against compromise through the use of firewalls, electronic Intruder Detection Systems (IDSs)/Intruder Prevention Systems (IPSs), virus-scanning gateways, ComSec (qv) and associated security technologies.


Information Commissioner

The Information Commissioner is the UK’s official protector of privacy, in respect of information, whilst promoting easy access to official information such as via the Freedom of Information Act.


DR

Disaster Recovery (DR) is a preplanned, reactive process to recover vital Information and Communications Technology (ICT) facilities, not necessarily at their original site, to a point where the business process may continue at an acceptable level pending full BCP (qv) recovery processes.


Information Security

Information Security, also known as Information Assurance, is the prevention, detection, containment and recovery from compromises in the confidentiality, integrity and availability of information assets. Confidentiality is that quality of an asset which means that it is known only to authorised persons; integrity is the quality which implies that the information can be trusted as accurate; and availability is the quality of being available, to authorised persons, as and when needed.


IPR

IPR is a term referring to Intellectual Property Rights, a legal term relating to such legislation as the UK’s Copyright, Designs and Patents Act, but more colloquially used to refer to proprietary information.


ISMS

An Information Security Management System is a British Standards Institute (BSI)/International Standards Organisation (ISO) term referring to the formal processes associated with the implementation of Information Security within an organisation. Both BSI and ISO have issued specifications for the implementation of an ISMS as BS7799:Part 2 and ISO27001 respectively.


ISO17799

ISO17799 is an International Standards Organisation (ISO) document, derived from BS7799 (qv), detailing best practice in Information Security implementation.


ISO27001

ISO27001 is an International Standards Organisation (ISO) document, derived from BS7799:Part2 (qv), specifying the implementation of an Information Security Management System (ISMS – qv).


JSP440

Joint Services Publication 440 (JSP440), also known as the Defence Manual of Security (DMS), is UK MoD’s interpretation of the UK Cabinet Office’s Manual of Protective Security (MPS – qv).


JSP480

Joint Services Publication 480 (JSP480) is UK MoD’s policy, based on British Standards and industry best practice, for the reliable, safe and secure installation of Information and Communications Technology (ICT) infrastructure.


JSP503

Joint Services Publication 503 (JSP503) is UK MoD’s Business Continuity Planning (BCP) policy document.


Manual of Protective Security

The Manual of Protective Security (MPS) is HMG’s policy on securing both physical and logical assets. MPS is derived from advice from the Security Service and the Communications-Electronics Security Group (CESG), a branch of GCHQ charged with protecting HMG’s information assets.

Note: This has now been superseded by “HMG Security Policy Framework”.


Managed Security Services

Managed Security Services are simply outsourced security processes which cannot be undertaken in-house through lack of resources or where a business decision warrants such outsourcing. Providers of such services are usually referred to as Managed Security Services Providers (MSSPs).


MiFID

Coming into effect in November 2007, the Markets in Financial Instruments Directive (MiFID) is the European equivalent of the US Govt’s SOX legislation, mandating standards in corporate governance in respect of financial services including processes for ensuring information security.


Penetration Testing

Penetration testing, more colloquially known as PenTesting, is the systematic and scientific process of identifying vulnerabilities in electronic systems, such as computer or telephony networks, and the reporting thereof. The allied process of Ethical Hacking seeks to take NetPen a stage further through actual compromise of these systems, under controlled circumstances, to prove the vulnerability beyond any doubt. PenTesting can be done from a ‘zero knowledge’ position, known as Red Team PenTesting, or with knowledge of the network structure, known as Blue Team PenTesting.


PCI DSS

The Payment Cards Industry Data Security Standard (PCI DSS) is the PCI’s own standard for protecting financial transactions and customers where payment cards are in use. PCI DSS mandates certain Computer Network Defences (CND – qv) as well as periodic testing through PenTesting (qv).


Requirements management

Requirements Management (RM) is the systematic elicitation of system functionality and performance requirements, from multiple stakeholders, prior to the design and implementation of a complex system.


Risk Analysis

Risk Analysis (RA) is the systematic determination of relative risk to assets (physical or logical) involving evaluation of likely threat vectors, their potential impacts to assets and likelihood of realisation. RA will generally result in a risk register, or report, from which risk treatment (avoidance, transfer, acceptance or mitigation) action may be derived.


Sarbanes Oxley

The US Sarbanes-Oxley legislation, more colloquially known as SOX, is the US Govt’s response to lax procedures in the follow-up to such events as the fall of Enron. Its principal InfoSec related section is Section 404 pertaining to internal controls which mandate the protection of the confidentiality, integrity and availability of financial information. Although a US piece of legislation, SOX requires that non-US companies, listed within the US, also comply with its terms.


Secure destruction

Secure destruction is the process of irretrievably destroying electronic and physical information, perhaps prior to final disposal of electronic equipment, usually done in accordance with BS8470 (qv). Secure destruction usually involves shredding, for paper documents, overwriting, for rewritable electronic media, or physical destruction for write-once electronic media.


Security Vetting

HMG’s Manual of Protective Security (MPS) defines several levels of vetting for individuals which involves varying degrees of investigation into their identity, background and susceptibility to subversion prior to permitting them access to protectively-marked (aka ‘classified’) information.


Technical Surveillance

Technical Surveillance is the employment of electronic or software implants to listen to, observe or follow the movements and activities of individuals. The term ‘implants’ includes bugging devices such as miniature transmitters, typical of espionage movies, concealed cameras and keyloggers, in software or hardware, which copy every computer keystroke for the surveillance team to see.


TEMPEST

TEMPEST is a codeword covering the concept of illicit information retrieval derived from unintended emanations from electronic equipment. Known as ‘Van Eck radiation’, in non-government circles, TEMPEST is a highly specialised area of information security usually of concern only at national security levels of processing.


TSCM

Technical Surveillance CounterMeasures (TSCM) are measures taken to prevent, detect, contain and recover from compromise through the employment of technical surveillance (qv). TSCM includes physical, procedural and technical countermeasures but more generally refers to TSCM inspections (aka ‘bug sweeping’), to detect implants, employing highly specialised search equipment and trained personnel.


Virtual Teaming

Virtual teaming is the coming together of individuals, with key skills, for the purpose of undertaking a project for a finite time. Teams may be drawn from within a company’s own assets, perhaps spread across various departments, or comprise individuals from different companies altogether; the aim being to achieve the right mix of skills for the task at hand.