CISSP Glossary - Print

The CISSP Glossary Student Guide provides definitions for key terms related to information security and risk management, essential for understanding the ISC2 CISSP courseware. It covers a wide range of topics including access control, encryption, data management, and security policies. This resource serves as a foundational tool for students preparing for the CISSP certification exam.

Uploaded by

eliofatjon

CISSP Glossary - Student Guide

Familiarize yourself with the terms you may encounter in the official ISC2 CISSP courseware.

Term Definition

Acceptable risk A suitable level of risk commensurate with the potential benefits of the organization’s
operations as determined by senior management.

Access control Means to ensure that access to assets is authorized and restricted based on business and
system security requirements related to logical and physical systems.

Access control tokens The system decides if access is to be granted or denied based upon the validity of the
token for the point where it is read based on time, date, day, holiday, or other condition
used for controlling validation.

Accountability Accountability ensures that account management has assurance that only authorized
users are accessing the system and using it properly.

ActiveX Data Objects (ADO) A Microsoft high-level interface for all kinds of data.

Address Resolution Protocol (ARP) Is used at the Media Access Control (MAC) Layer to provide for direct
communication between two devices within the same LAN segment.

Algorithm A mathematical function that is used in the encryption and decryption processes.

Asset An item perceived as having value.

Asset lifecycle The phases that an asset goes through from creation (collection) to destruction.

Asymmetric Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other
to decrypt.

Attack surface Different security testing methods find different vulnerability types.

Attribute-based access control (ABAC) This is an access control paradigm whereby access rights are granted
to users with policies that combine attributes together.

Audit/auditing The tools, processes, and activities used to perform compliance reviews.

Authorization The process of defining the specific resources a user needs and determining the type of
access to those resources the user may have.

Availability Ensuring timely and reliable access to and use of information by authorized users.

Baselines A minimum level of security.

Bit Most essential representation of data (zero or one) at Layer 1 of the Open Systems
Interconnection (OSI) model.

Black-box testing Testing where no internal details of the system implementation are used.

Bluetooth (Wireless Personal Area Network IEEE 802.15) Bluetooth wireless technology is an open standard for
short-range radio frequency communication used primarily to establish wireless personal area networks
(WPANs), and it has been integrated into many types of business and consumer devices.

Bridges Layer 2 devices that filter traffic between segments based on Media Access Control (MAC)
addresses.

Business continuity (BC) Actions, processes, and tools for ensuring an organization can continue critical
operations during a contingency.

Business continuity and disaster recovery (BCDR) A term used to jointly describe business continuity and
disaster recovery efforts.

Business impact analysis (BIA) A list of the organization’s assets, annotated to reflect the criticality of
each asset to the organization.

Capability Maturity Model for Software or Software Capability Maturity Model (CMM or SW-CMM) Maturity model
focused on quality management processes and has five maturity levels that contain several key practices
within each maturity level.

Cellular Network A radio network distributed over land areas called cells, each served by at least one
fixed-location transceiver, known as a cell site or base station.

Certificate authority (CA) An entity trusted by one or more users as an authority that issues, revokes, and
manages digital certificates to bind individuals and entities to their public keys.

Change management A formal, methodical, comprehensive process for requesting, reviewing, and approving
changes to the baseline of the IT environment.

CIA/AIC Triad Security model in which the three security concepts of confidentiality, integrity, and
availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.

Ciphertext The altered form of a plaintext message, so as to be unreadable for anyone except the
intended recipients. Something that has been turned into a secret.

Classification Arrangement of assets into categories.

Clearing The removal of sensitive data from storage devices in such a way that there is assurance
that the data may not be reconstructed using normal system functions or software
recovery utilities.

Code-division multiple access (CDMA) Every call’s data is encoded with a unique key, then the calls are all
transmitted at once.

Common Object Request Broker Architecture (CORBA) A set of standards that addresses the need for
interoperability between hardware and software products.

Compliance Adherence to a mandate; both the actions demonstrating adherence and the tools,
processes, and documentation that are used in adherence.

Computer virus A program written with functions and intent to copy and disperse itself without the
knowledge and cooperation of the owner or user of the computer.

Concentrators Multiplex connected devices into one signal to be transmitted on a network.

Condition coverage This criterion requires sufficient test cases for each condition in a program decision to
take on all possible outcomes at least once. It differs from branch coverage only when
multiple conditions must be evaluated to reach a decision.

Confidentiality Preserving authorized restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information.

Configuration management (CM) A formal, methodical, comprehensive process for establishing a baseline of the
IT environment (and each of the assets within that environment).

Confusion Provided by mixing (changing) the key values used during the repeated rounds of
encryption. When the key is modified for each round, it provides added complexity that
the attacker would encounter.

Content Distribution Network (CDN) Is a large distributed system of servers deployed in multiple data centers
across the internet.

Covert channel An information flow that is not controlled by a security control and has the opportunity of
disclosing confidential information.

Covert security testing Performed to simulate the threats that are associated with external adversaries.
While the security staff has no knowledge of the covert test, the organization management is fully
aware and consents to the test.

Crossover Error Rate (CER) This is achieved when the type I and type II are equal.

Cryptanalysis The study of techniques for attempting to defeat cryptographic techniques and, more
generally, information security services provided through cryptography.

Cryptography Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity,
non-repudiation, and access control.

Cryptology The science that deals with hidden, disguised, or encrypted information and
communications.

Curie Temperature The critical point where a material’s intrinsic magnetic alignment changes direction.

Custodian Responsible for protecting an asset that has value, while in the custodian’s possession.

Data classification Entails analyzing the data that the organization retains, determining its importance and
value, and then assigning it to a category.

Data custodian The person/role within the organization owner/controller.

Data flow coverage This criterion requires sufficient test cases for each feasible data flow to be executed
at least once.

Data mining A decision-making technique that is based on a series of analytical techniques taken from
the fields of mathematics, statistics, cybernetics, and genetics.

Data owner/controller An entity that collects or creates PII.

Data subject The individual human related to a set of personal data.

Database Management System (DBMS) A suite of application programs that typically manages large, structured
sets of persistent data.

Database model Describes the relationship between the data elements and provides a framework for
organizing the data.

Decision (branch) coverage Considered to be a minimum level of coverage for most software products, but
decision coverage alone is insufficient for high-integrity applications.

Decryption The reverse process from encryption. It is the process of converting a ciphertext message
back into plaintext through the use of the cryptographic algorithm and the appropriate
key that was used to do the original encryption.

Defensible destruction Eliminating data using a controlled, legally defensible, and regulatory compliant way.

DevOps An approach based on lean and agile principles in which business owners and the
development, operations, and quality assurance departments collaborate.

Diffusion Provided by mixing up the location of the plaintext throughout the ciphertext. The
strongest algorithms exhibit a high degree of confusion and diffusion.

Digital certificate An electronic document that contains the name of an organization or individual, the
business address, the digital signature of the certificate authority issuing the certificate,
the certificate holder’s public key, a serial number, and the expiration date. Used to bind
individuals and entities to their public keys. Issued by a trusted third party referred to as a
Certificate Authority (CA).

Digital rights management (DRM) A broad range of technologies that grant control and protection to content
providers over their own digital media. May use cryptography techniques.

Digital signatures Provide authentication of a sender and integrity of a sender’s message and
non-repudiation services.

Disaster recovery (DR) Those tasks and activities required to bring an organization back from contingency
operations and reinstate regular operations.

Discretionary access control (DAC) The system owner decides who gets access.

Due care A legal concept pertaining to the duty owed by a provider to a customer.

Due diligence Actions taken by a vendor to demonstrate/provide due care.

Dynamic or Private Ports 49152 – 65535. Whenever a service is requested that is associated with Well-Known
Ports or Registered Ports those services will respond with a dynamic port.

Dynamic testing When the system under test is executed and its behavior is observed.

Encoding The action of changing a message into another format through the use of a code.

Encryption The process of converting the message from its plaintext to ciphertext.

False Acceptance Rate (Type II) This is erroneous recognition either by confusing one user with another, or
by accepting an imposter as a legitimate user.

False Rejection Rate (Type I) This is failure to recognize a legitimate user.

Fibre Channel over Ethernet (FCoE) A lightweight encapsulation protocol, and it lacks the reliable data
transport of the TCP layer.

Firewalls Devices that enforce administrative security policies by filtering incoming traffic based on
a set of rules.

Frame Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.

Global System for Mobiles (GSM) Each call is transformed into digital data that is given a channel and a
time slot.

Governance The process of how an organization is managed; usually includes all aspects of how
decisions are made for that organization, such as policies, roles, and procedures the
organization uses to make those decisions.

Governance committee A formal body of personnel who determine how decisions will be made within the
organization and the entity that can approve changes and exceptions to current relevant
governance.

Guidelines Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Hash function Accepts an input message of any length and generates, through a one-way operation, a
fixed-length output called a message digest or hash.

Honeypots/honeynets Machines that exist on the network, but do not contain sensitive or valuable data, and
are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying
their attempts to access production data/assets. A number of machines of this kind, linked
together as a network or subnet, are referred to as a “honeynet.”

Identity as a service (IDaaS) Cloud-based services that broker identity and access management (IAM)
functions to target systems on customers’ premises and/or in the cloud.

Identity proofing The process of collecting and verifying information about a person for the purpose of
proving that a person who has requested an account, a credential, or other special
privilege is indeed who he or she claims to be and establishing a reliable relationship that
can be trusted electronically between the individual and said credential for purposes of
electronic authentication.

Initialization vector (IV) A non-secret binary vector used as the initializing input algorithm, or a random
starting point, for the encryption of a plaintext block sequence to increase security by introducing
additional cryptographic variance and to synchronize cryptographic equipment.

Integrated Process and Product Development (IPPD) A management technique that simultaneously integrates all
essential acquisition activities through the use of multidisciplinary teams to optimize the design,
manufacturing, and supportability processes.

Integrity Guarding against improper information modification or destruction and includes ensuring
information non-repudiation and authenticity.

Intellectual property Intangible assets (notably includes software and data).

Internet Control Message Protocol (ICMP) Provides a means to send error messages and a way to probe the
network to determine network availability.

Internet Group Management Protocol (IGMP) Used to manage multicasting groups that are a set of hosts
anywhere on a network that are listening for a transmission.

Internet Protocol (IPv4) Is the dominant protocol that operates at the Open Systems Interconnection (OSI)
Network Layer 3. IP is responsible for addressing packets so that they can be transmitted
from the source to the destination hosts.

Internet Protocol (IPv6) Is a modernization of IPv4 that includes a much larger address field: IPv6
addresses are 128 bits that support 2^128 hosts.

Intrusion detection system (IDS) A solution that monitors the environment and automatically recognizes
malicious attempts to gain unauthorized access.

Intrusion prevention system (IPS) A solution that monitors the environment and automatically takes action
when it recognizes malicious attempts to gain unauthorized access.

Inventory Complete list of items.

Job rotation The practice of having personnel become familiar with multiple positions within the
organization as a means to reduce single points of failure and to better detect insider
threats.

Key Clustering When different encryption keys generate the same ciphertext from the same plaintext
message.

Key Length The size of a key, usually measured in bits, that a cryptographic algorithm uses in
ciphering or deciphering protected information.

Key or Cryptovariable The input that controls the operation of the cryptographic algorithm. It determines
the behavior of the algorithm and permits the reliable encryption and decryption of the
message.

Knowledge Discovery in Databases (KDD) A mathematical, statistical, and visualization method of identifying
valid and useful patterns in data.

Least privilege The practice of only granting a user the minimal permissions necessary to perform their
explicit job function.

Lifecycle Phases that an asset goes through from creation to destruction.

Log A record of actions and events that have taken place on a computer system.

Logical access control system Non-physical system that allows access based upon pre-determined policies.

Loop coverage This criterion requires sufficient test cases for all program loops to be executed for zero,
one, two, and many iterations covering initialization, typical running, and termination
(boundary) conditions.

Mandatory access controls (MAC) Access control that requires the system itself to manage access controls in
accordance with the organization’s security policies.

Maximum allowable downtime (MAD) The measure of how long an organization can survive an interruption of
critical functions. Also known as maximum tolerable downtime (MTD).

Media Any object that contains data.

Message authentication code (MAC) A small block of data that is generated using a secret key and then
appended to the message, used to address integrity.

Message digest A small representation of a larger message. Message digests are used to ensure the
authentication and integrity of information, not the confidentiality.

Metadata Information about the data.

Misuse case A use case from the point of view of an actor hostile to the system under design.

Multi-condition coverage These criteria require sufficient test cases to exercise all possible combinations
of conditions in a program decision.

Multi-factor authentication Ensures that a user is who he or she claims to be. The more factors used to
determine a person’s identity, the greater the trust of authenticity.

Multiprotocol Label Switching (MPLS) Is a wide area networking protocol that operates at both Layer 2 and 3
and does label switching.

Need-to-know Primarily associated with organizations that assign clearance levels to all users and
classification levels to all assets; restricts users with the same clearance level from sharing
information unless they are working on the same effort. Entails compartmentalization.

Negative testing This ensures the application can gracefully handle invalid input or unexpected user
behavior.

Network Function Virtualization (NFV) The objective of NFV is to decouple functions such as firewall
management, intrusion detection, network address translation, or name service resolution away from specific
hardware implementation into software solutions.

Non-repudiation Inability to deny. In cryptography, a service that ensures the sender cannot deny a
message was sent and the integrity of the message is intact, and the receiver cannot claim
receiving a different message.

Null cipher Hiding plaintext within other plaintext. A form of steganography.

Open Authorization (OAuth) The OAuth 2.0 authorization framework enables a third-party application to obtain
limited access to an HTTP service, either on behalf of a resource owner by orchestrating an
approval interaction between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.

Open Shortest Path First (OSPF) An interior gateway routing protocol developed for IP networks based on the
shortest path first or link-state algorithm.

OSI Layer 1 Physical layer.

OSI Layer 2 Data-link layer.

OSI Layer 3 Network layer.

OSI Layer 4 Transport layer.

OSI Layer 5 Session layer.

OSI Layer 6 Presentation layer.

OSI Layer 7 Application layer.

Overt security testing Overt testing can be used with both internal and external testing. When used from an
internal perspective, the bad actor simulated is an employee of the organization. The
organization’s IT staff is made aware of the testing and can assist the assessor in limiting
the impact of the test by providing specific guidelines for the test scope and parameters.

Ownership Possessing something, usually of value.

Packet Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

Packet Loss A technique called Packet Loss Concealment (PLC) is used in VoIP communications to
mask the effect of dropped packets.

Parity bits RAID technique; logical mechanism used to mark striped data; allows recovery of missing
drive(s) by pulling data from adjacent drives.

Patch An update/fix for an IT asset.

Path coverage This criterion requires sufficient test cases for each feasible path, basis path, etc., from
start to exit of a defined program segment, to be executed at least once.

Personally identifiable information (PII) Any data about a human being that could be used to identify that
person.

Physical access control system An automated system that manages the passage of people or assets through an
opening(s) in a secure perimeter(s) based on a set of authorization rules.

Ping of Death Exceeds maximum packet size and causes receiving system to fail.

Ping Scanning Network mapping technique to detect if host replies to a ping, then the attacker knows
that a host exists at that address.

Plaintext The message in its natural format has not been turned into a secret.

Point-to-Point Protocol (PPP) Provides a standard method for transporting multiprotocol datagrams over
point-to-point links.

Policy Documents published and promulgated by senior management dictating and describing
the organization’s strategic goals.

Port Address Translation (PAT) An extension to NAT to translate all addresses to one routable IP address and
translate the source port number in the packet to a unique value.

Positive testing This determines that your application works as expected.

Privacy The right of a human individual to control the distribution of information about him- or
herself.

Procedures Explicit, repeatable activities to accomplish a specific task. Procedures can address
one-time or infrequent actions or common, regular occurrences.

Purging The removal of sensitive data from a system or storage device with the intent that the
data cannot be reconstructed by any known technique.

Qualitative Measuring something without using numbers, using adjectives, scales, and grades, etc.

Quantitative Using numbers to measure something, usually monetary values.

Real user monitoring (RUM) An approach to web monitoring that aims to capture and analyze every transaction
of every user of a website or application.

Recovery point objective (RPO) A measure of how much data the organization can lose before the organization
is no longer viable.

Recovery time objective (RTO) The target time set for recovering from any interruption.

Registered Ports Ports 1024 – 49151. These ports typically accompany non-system applications associated
with vendors and developers.

Registration authority (RA) This performs certificate registration services on behalf of a Certificate
Authority (CA).

Remanence Residual magnetism left behind.

Residual risk The risk remaining after security controls have been put in place as a means of risk
mitigation.

Resources Assets of an organization that can be used effectively.

Responsibility Obligation for doing something. Can be delegated.

Risk The possibility of damage or harm and the likelihood that damage or harm will be
realized.

Risk acceptance Determining that the potential benefits of a business function outweigh the possible risk
impact/likelihood and performing that business function with no other action.

Risk avoidance Determining that the impact and/or likelihood of a specific risk is too great to be offset by
the potential benefits and not performing a certain business function because of that
determination.

Risk mitigation Putting security controls in place to attenuate the possible impact and/or likelihood of a
specific risk.

Risk transference Paying an external party to accept the financial impact of a given risk.

Role-based access control (RBAC) An access control model that bases the access control authorizations on
the roles (or functions) that the user is assigned within an organization.

Rule-based access control (RBAC) An access control model that is based on a list of predefined rules that
determine what accesses should be granted.

Sandbox An isolated test environment that simulates the production environment but will not
affect production components/data.

Security Assertion Markup Language 2.0 (SAML 2.0) A version of the SAML standard for exchanging
authentication and authorization data between security domains.

Security control framework A notional construct outlining the organization’s approach to security, including
a list of specific security processes, procedures, and solutions used by the organization.

Security governance The entirety of the policies, roles, and processes the organization uses to make
security decisions in an organization.

Segment Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

Separation of duties The practice of ensuring that no organizational process can be completed by a single
person; forces collusion as a means to reduce insider threats.

Session Initiation Protocol (SIP) Is designed to manage multimedia connections.

Single factor authentication Involves the use of simply one of the three available factors solely to carry
out the authentication process being requested.

Smurf ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all
nodes to respond to the victim with an Echo Reply.

Software assurance The level of confidence that software is free from vulnerabilities either intentionally
designed into the software or accidentally inserted at any time during its lifecycle and that
it functions in the intended manner.

Software-defined networks (SDNs) Separates network systems into three components: raw data, how the data is
sent, and what purpose the data serves. This involves a focus on data, control, and application
(management) functions or “planes”.

Software Defined Wide Area Network (SD-WAN) Is an extension of the SDN practices to connect to entities
spread across the internet to support WAN architecture especially related to cloud migration.

Standards Specific mandates explicitly stating expectations of performance or conformance.

Statement coverage This criterion requires sufficient test cases for each program statement to be executed
at least once; however, its achievement is insufficient to provide confidence in a software
product’s behavior.

Static source code analysis (SAST) Analysis of the application source code for finding vulnerabilities
without executing the application.

Steganography Hiding something within something else, or data hidden within other data.

Stream cipher When a cryptosystem performs its encryption on a bit-by-bit basis.

Striping RAID technique; writing a data set across multiple drives.

Substitution The process of exchanging one letter or bit for another.

Switches Operate at Layer 2. A switch establishes a collision domain per port.

Symmetric algorithm Operate with a single cryptographic key that is used for both encryption and decryption
of the message.

Synthetic performance monitoring Involves having external agents run scripted transactions against a web
application.

Teardrop Attack Exploits the reassembly of fragmented IP packets in the fragment offset field that
indicates the starting position, or offset, of the data contained in a fragmented packet
relative to the data of the original unfragmented packet.

Threat modeling A process by which developers can understand security threats to a system, determine
risks from those threats, and establish appropriate mitigations.

Time multiplexing Allows the operating system to provide well-defined and structured access to processes
that need to use resources according to a controlled and tightly managed schedule.

Time of check time of use (TOCTOU) Attacks Takes advantage of the dependency on the timing of events that
takes place in a multitasking operating system.

Transmission Control Protocol (TCP) Provides connection-oriented data management and reliable data transfer.

Transport Control Protocol/Internet Protocol (TCP/IP) Model Layering model structured into four layers
(network interface layer, internet layer, transport layer, host-to-host transport layer, application layer).

Transposition The process of reordering the plaintext to hide the message by using the same letters or
bits.

Trusted computing base (TCB) The collection of all of the hardware, software, and firmware within a computer
system that contains all elements of the system responsible for supporting the security policy and
the isolation of objects.

Trusted Platform Module (TPM) A secure crypto processor and storage module.

Uninterruptible power supplies (UPS) Batteries that provide temporary, immediate power during times when
utility service is interrupted.

Use cases Abstract episodes of interaction between a system and its environment.

User Datagram Protocol (UDP) The User Datagram Protocol provides connectionless data transfer without error
detection and correction.

Virtual Local Area Networks (VLANs) Allow network administrators to use switches to create software-based LAN
segments that can be defined based on factors other than physical location.

Voice over Internet Protocol (VoIP) Is a technology that allows you to make voice calls using a broadband
internet connection instead of a regular (or analog) phone line.

Waterfall Development Methodology A development model in which each phase contains a list of activities that
must be performed and documented before the next phase begins.

Well-Known Ports Ports 0–1023. These ports are related to the common protocols that are utilized in the
underlying management of Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain
Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.

White-box testing A design that allows one to peek inside the “box” and focuses specifically on using
internal knowledge of the software to guide the selection of test data.

Whitelisting/blacklisting A whitelist is a list of email addresses and/or internet addresses that someone
knows as “good” senders. A blacklist is a corresponding list of known “bad” senders.

Wi-Fi (Wireless LAN IEEE 802.11x) Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x
specification to create a wireless local-area network either public or private.

WiMAX (Broadband Wireless Access IEEE 802.16) One well-known example of wireless broadband is WiMAX. WiMAX
can potentially deliver data rates of more than 30 megabits per second.

Work factor This represents the time and effort required to break a cryptography system.

© Copyright 1996-2024. ISC2, Inc. All Rights Reserved.

All contents of this site constitute the property of ISC2, Inc. and may not be copied,
reproduced or distributed without prior written permission. ISC2, CISSP, SSCP, CCSP, CGRC,
CSSLP, HCISPP, ISSAP, ISSEP, ISSMP, CC, and CBK are registered marks of ISC2, Inc.
