The intermixing of data at different sensitivity and need-to-know levels. The lower level data are said to be contaminated by the higher level data; thus, the contaminating (higher level) data may not receive the required level of protection.
Content delivery networks (CDNs) are used to deliver the content of music, movie, game, and news providers from their websites to end users quickly. They rely on tools and techniques such as caching, replication, redirection, and proxy content servers to improve Web performance by optimizing disk usage and preload time.
The process of monitoring communications such as e-mail and Web pages, analyzing them for suspicious content, and preventing the delivery of that suspicious content to users.
Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. Also called disaster recovery plan, business resumption plan, or business continuity plan. This is a management and recovery control and ensures the availability goal.
A predetermined set of instructions or procedures that describe how an organization’s essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.
The documentation of a predetermined set of instructions or procedures that describe how to sustain major applications and general support systems in the event of a significant disruption.
Two or more controls are in conflict with each other: installing one control does not fit well with the others because of incompatibility, so implementing one control can negatively affect other, related controls. Examples include (1) installation of a new software patch that undoes or breaks another related, existing patch, either in the same system or in other related systems; this incompatibility can result from errors in the current or previous patch, or from the new and previous patches not having been fully tested either by the software vendor or by the user organization; and (2) an organization's telecommuting policy and its software piracy policy coming into conflict when noncompliant telecommuters apply those policies improperly and in an unauthorized manner, for example by purchasing and loading unauthorized software on a home or work PC.
Any protective action, device, procedure, technique, or other measure that reduces exposure. Controls can prevent, detect, or correct errors, and can minimize harm or loss. A control is any action taken by management to increase the likelihood that established objectives and goals will be achieved.
These provide overall guidance to user organizations as a frame of reference for security governance and for implementation of security-related controls. Several organizations within the U.S. and outside the U.S. provide such guidance.
Developed and promoted by the IT Governance Institute (ITGI), Control Objectives for Information and related Technology (COBIT) starts from the premise that IT must deliver the information that the enterprise needs to achieve its objectives. In addition to promoting process focus and process ownership, COBIT looks at the fiduciary, quality, and security needs of enterprises and provides seven information criteria that can be used to generally define what the business requires from IT: effectiveness, efficiency, availability, integrity, confidentiality, reliability, and compliance.
The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security is based on research and the practical experience of its members. The standard divides security into five component areas: security management, critical business applications, computer installations, networks, and system development.
Other U.S. organizations promoting information security governance include the National Institute of Standards and Technology (NIST) and the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
Organizations outside the U.S. that promote information security governance include the Organization for Economic Co-operation and Development (OECD), the European Union (EU), and the International Organization for Standardization (ISO).
Information that is entered into a cryptographic module for the purpose of directing the operation of the module.