3DES (Triple DES): An enhancement to the original DES algorithm that applies the DES cipher three times (encrypt-decrypt-encrypt) with two or three independent keys, extending the effective key length. See also DES.
AAA: Shorthand for the three related security controls: authentication, authorization, and accountability (also called accounting).
Abstraction: A process of viewing an application from its highest-level functions, which makes lower-level functions abstract.
Access control: The ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as a person or process).
Access matrix model: Provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. The matrix has one row per subject and one column per object; each column is an access control list (ACL) for that object, and each row is a capability list for that subject. See also DAC, ACL.
Accountability: The ability to associate users and processes with their actions (what a subject did).
Accreditation: An official, written approval for the operation of a specific system in a specific environment as documented in a certification report.
ACL (access control list): Lists the specific rights and permissions assigned to a subject for a given object.
Address space: The range of memory addresses that a process or system can reference; it defines where code and data are located in memory.
Administrative controls: The policies and procedures that an organization implements as part of its overall information security strategy.
Administrative (or regulatory) laws: Define standards of performance and conduct for major industries (such as banking, energy, and healthcare), organizations, and officials.
Adware: Legitimate, albeit annoying, software that is commonly installed with a freeware or shareware program. It provides a source of revenue for the software developer and only runs when you are using the associated program or until you purchase the program (in the case of shareware).
AES (Advanced Encryption Standard): A block cipher based on the Rijndael cipher, adopted as FIPS 197 to replace DES as the U.S. federal encryption standard. See also DES.
Agent: A software component that performs a particular service.
Aggregation: A database security issue that describes the act of obtaining information classified at a higher sensitivity level by combining lower sensitivity information.
AH (Authentication Header): In IPSec, provides connectionless integrity and data origin authentication for IP packets, with optional anti-replay protection. Because AH uses a shared symmetric key (a keyed hash), it does not provide non-repudiation, and it provides no confidentiality. See also IPSec.
ALE (Annualized Loss Expectancy): Provides a standard, quantifiable measure of the impact that a realized threat will have on an organization’s assets. ALE is determined by the formula SLE × ARO = ALE. SLE (Single Loss Expectancy) is a measure of the loss incurred from a single realized threat or event, expressed in dollars, and is calculated as Asset Value ($) × Exposure Factor (EF). EF (Exposure Factor) is a measure, expressed as a percentage, of the negative effect or impact that a realized threat or event would have on a specific asset. ARO (Annualized Rate of Occurrence) is the estimated annual frequency of occurrence for a specific threat or event.
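The ALE calculation carried through in code, as an added worked example that is not part of the original glossary. The scenario names, asset values, exposure factors and ARO figures are constructed sample data, and the `Threat` class and helper functions are this example's own names. It shows the two points the formula alone hides: ARO is a rate and may be a fraction (once in 20 years is 0.05), and a cheap, frequent loss can carry a higher ALE than a large, rare one.

```python
"""ALE worked example (added illustration, not from the original glossary).

All asset values, exposure factors and ARO figures below are constructed
sample data for demonstration, not figures from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost per event (25% -> 0.25), or a percentage
    aro: float              # ARO: expected events per year (once in 20 years -> 0.05)


def normalize_ef(ef: float) -> float:
    """Accept EF as a fraction (0.25) or a percentage (25) and return a fraction.

    Values above 1 are treated as percentages; 1.0 means a total (100%) loss.
    Anything outside 0..100 is rejected: an asset cannot lose more than its value
    in one event, and a negative loss is not a loss.
    """
    if ef < 0 or ef > 100:
        raise ValueError(f"exposure factor out of range: {ef}")
    return ef / 100 if ef > 1 else ef


def sle(t: Threat) -> float:
    """Single Loss Expectancy: AV x EF, the dollars lost in one realized event."""
    return t.asset_value * normalize_ef(t.exposure_factor)


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: SLE x ARO, the expected dollars lost per year."""
    if t.aro < 0:
        raise ValueError(f"ARO cannot be negative: {t.aro}")
    return sle(t) * t.aro


def rank_by_ale(threats):
    """Return (name, SLE, ALE) tuples, highest ALE first, for prioritizing controls."""
    rows = [(t.name, sle(t), ale(t)) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample scenarios (illustrative numbers only).
SAMPLE_THREATS = [
    # Data-center fire: high value, partial loss, rare (once per 20 years).
    Threat("data-center fire", asset_value=2_000_000, exposure_factor=0.40, aro=1 / 20),
    # Laptop theft: low value, total loss (EF given as 100%), about monthly.
    Threat("laptop theft", asset_value=2_500, exposure_factor=100, aro=12),
    # Web server defacement: EF given as a percentage (5%), about three times a year.
    Threat("web defacement", asset_value=150_000, exposure_factor=5, aro=3),
]

if __name__ == "__main__":
    for name, s, a in rank_by_ale(SAMPLE_THREATS):
        print(f"{name:20s} SLE=${s:>12,.2f} ALE=${a:>12,.2f}")
```

With these constructed inputs the fire has the largest SLE ($800,000) but an ALE of $40,000, while the laptop thefts, with an SLE of only $2,500, accumulate to $30,000 per year; ranking by ALE rather than SLE is what makes the frequent small loss visible when deciding where to spend on controls.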
ANSI: American National Standards Institute.
Antivirus software: Software that is designed to detect and prevent computer viruses and other malware from entering and harming a system.
Applet: A component in a distributed environment that is downloaded into, and executed by, another program such as a Web browser.
Application level firewall (or proxy server): A type of firewall that terminates the client’s connection, inspects the traffic at the application layer, and then opens its own connection to relay permitted data to the destination network, so that no packet passes directly between the two networks.
Application scan: A test used to identify weaknesses in a software application.
BC-2 CISSP For Dummies, 2nd Edition
Application software: Computer software that a person uses to accomplish a specific task.
Archive: In a PKI, the component responsible for long-term storage of information (such as expired certificates and revocation data) from the CA. See also PKI, CA.
ARP (Address Resolution Protocol): The network protocol used to query and discover the MAC address that corresponds to a known IP address on a LAN.
Asset: A resource,...