CISSP Vocabulary

Here's the vocabulary you need to navigate any security publication.  Sitting on the train?  Do a low-stress brain refresh.

*(star) Integrity Axiom (* Axiom)

An axiom of the Biba model that states that a subject at a specific classification level cannot write data to a higher classification level. This is often shortened to "no write up."

*(star) Security Property (* Property)

A property of the Bell-LaPadula model that states that a subject at a specific classification level cannot write data to a lower classification level. This is often shortened to "no write down."

802.11i (WPA-2)

An amendment to the 802.11 standard that defines a new authentication and encryption technique that is similar to IPSec. To date, no real-world attack has compromised a properly configured WPA-2 wireless network.

802.1Q

The IEEE standard that defines VLAN tagging. VLAN tagging is used by switches and bridges to manage traffic within and between VLANs.

802.1X

A form of wireless authentication protection that requires all wireless clients to pass a gauntlet of RADIUS or TACACS services before network access is granted.

1000Base-T

A form of twisted-pair cable that supports 1000 Mbps or 1 Gbps throughput at 100 meter distances. Often called Gigabit Ethernet.

100Base-TX

Another form of twisted-pair cable similar to 100Base-T. 100Base-TX is the most common form of Fast Ethernet.

10Base2

A type of coaxial cable. Often used to connect systems to backbone trunks. 10Base2 has a maximum span of 185 meters with maximum throughput of 10 Mbps. Also called thinnet.

10Base5

A type of coaxial cable. Often used as a network's backbone. 10Base5 has a maximum span of 500 meters with maximum throughput of 10 Mbps. Also called thicknet.

10Base-T

A type of network cable that consists of four pairs of wires that are twisted around each other and then sheathed in a PVC insulator. Also called twisted-pair.

abnormal activity

Any system activity that does not normally occur on your system. Also referred to as suspicious activity.

abstraction

The collection of similar elements into groups, classes, or roles for the assignment of security controls, restrictions, or permissions as a collective.

acceptable use policy

A policy that defines a level of acceptable performance and expectation of behavior and activity for employees. Failure to comply with the policy may result in job action warnings, penalties, or termination.

acceptance testing

A form of testing that attempts to verify that a system satisfies the stated criteria for functionality and possibly also for security capabilities of a product. It is used to determine whether end users or customers will accept the completed product.

accepting risk

The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss because of a risk.

access

The transfer of information from an object to a subject.

access aggregation

Collecting multiple pieces of nonsensitive information and combining it or aggregating it to learn sensitive information. Reconnaissance attacks often use access aggregation methods.

access control

The mechanism by which subjects are granted or restricted access to objects. It includes hardware, software, and organizational policies or procedures that identify and authenticate subjects, verify authorization to objects, and monitor or record access attempts.

access control list (ACL)

The column of an access control matrix that specifies what level of access each subject has over an object.

access control matrix

A table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Each column of the matrix is an ACL. Each row of the matrix is a capability list.

access control types

Categories of access controls. Preventive controls attempt to prevent security incidents from occurring, detective controls attempt to discover incidents after they've occurred, and corrective controls attempt to correct any problems caused by detected incidents. Other control types include recovery, deterrent, directive, and compensation access controls. Controls are implemented using administrative, logical/technical, or physical means.

access tracking

Auditing, logging, and monitoring the attempted access or activities of a subject. Also referred to as activity tracking.

account lockout

An element of the password policy's programmatic controls that disables a user account after a specified number of failed logon attempts. Account lockout is an effective countermeasure to brute-force and dictionary attacks against a system's logon prompt.

accountability

The process of holding someone responsible (accountable) for something. In this context, accountability is possible if a subject's identity and actions can be tracked and verified.

accreditation

The formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

ACID model

The letters in ACID represent the four required characteristics of database transactions: atomicity, consistency, isolation, and durability.

active content

Web programs that users download to their own computer for execution rather than consuming server-side resources.

ActiveX

Microsoft's component object model (COM) technology used in web applications. ActiveX is implemented using any one of a variety of languages, including Visual Basic, C, C++, and Java.

ad hoc

A peer-to-peer wireless network connection between two (or more) individual systems without the need for a wireless base station.

Address Resolution Protocol (ARP)

A subprotocol of the TCP/IP protocol suite that operates at the Data Link layer (layer 2). ARP is used to discover the MAC address of a system by polling using its IP address.

addressing

The means by which a processor refers to various locations in memory.

administrative access controls

The policies and procedures defined by an organization's security policy to implement and enforce overall access control. Examples of administrative access controls include hiring practices, background checks, data classification, security training, vacation history reviews, work supervision, personnel controls, and testing.

administrative law

Regulations that cover a range of topics from procedures to be used within a federal agency to immigration policies that will be used to enforce the laws passed by Congress. Administrative law is published in the Code of Federal Regulations (CFR).

administrative physical security controls

Security controls that include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

admissible evidence

Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Advanced Encryption Standard (AES)

The encryption standard selected in October 2000 by the National Institute of Standards and Technology (NIST) that is based on the Rijndael cipher.

advanced persistent threat (APT)

An organized group of attackers who are highly motivated, skilled, and patient. They are often sponsored by a government, are focused on a specific target, and will continue attacking for a very long time until they achieve their goal.

advisory policy

A policy that discusses behaviors and activities that are acceptable and defines consequences of violations. An advisory policy discusses the senior management's desires for security and compliance within an organization. Most policies are advisory.

adware

Software that uses a variety of techniques to display advertisements on infected computers. Commonly related to or linked to spyware.

agent

An intelligent code object that performs actions on behalf of a user. It typically takes initial instructions from the user and then carries on its activity in an unattended manner for a predetermined period of time, until certain conditions are met, or for an indefinite period.

aggregate functions

SQL functions, such as COUNT(), MIN(), MAX(), SUM(), and AVG(), that can be run against a database to produce an information set.

aggregation

A number of functions that combine records from one or more tables to produce potentially useful information.

agile software development

A set of software development approaches that eschew the rigid models of the past in favor of approaches that place an emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.

alarm

A mechanism that is separate from a motion detector and triggers a deterrent, triggers a repellant, and/or triggers a notification. Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm.

alarm triggers

Notifications sent to administrators when a specific event occurs.

algorithm

A set of rules or procedures to perform on input data. Commonly related to cryptographic functions that dictate the permutations of encryption and decryption.

amplifier

See repeater.

analytic attack

An algebraic manipulation that attempts to reduce the complexity of a cryptographic algorithm. This attack focuses on the logic of the algorithm itself.

AND

The operation (represented by the ∧ symbol) that checks to see whether two values are both true.

annualized loss expectancy (ALE)

The possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).

annualized rate of occurrence (ARO)

The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year. Also known as probability determination.

anomaly detection

See behavior-based detection.

APIPA

See Automatic Private IP Addressing (APIPA).

applet

Code objects sent from a server to a client to perform some action. Applets are self-contained miniature programs that execute independently of the server that sent them.

AppleTalk

A suite of protocols developed by Apple for networking of Macintosh systems, originally released in 1984. Support for AppleTalk was removed from the Apple operating system as of the 2009 release of Mac OS X v10.6.

Application layer

Layer 7 of the Open Systems Interconnection (OSI) model.

application-level gateway firewall

A firewall that filters traffic based on the Internet service (in other words, application) used to transmit or receive the data. Application-level gateways are known as second-generation firewalls.

application programming interfaces (APIs)

APIs allow application developers to bypass traditional web pages and interact directly with the underlying service through function calls. While offering and using APIs creates tremendous opportunities for service providers, it also poses some security risks. Developers must be aware of these challenges and address them when they create and use APIs.

ARP cache poisoning

An attack where an attacker inserts bogus information into the ARP cache (the local memory store of discovered IP to MAC relationships).

assembly language

A higher-level alternative to machine language code. Assembly languages use mnemonics to represent the basic instruction set of a CPU but still require hardware-specific knowledge.

asset

Anything within an environment that should be protected. The loss or disclosure of an asset could result in an overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.

asset valuation

A dollar value assigned to an asset based on actual cost and nonmonetary expenses, such as costs to develop, maintain, administer, advertise, support, repair, and replace; as well as other values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.

asset value (AV)

A dollar value assigned to an asset based on actual cost and nonmonetary expenses.

assigning risk

See transferring risk.

assurance

The degree of confidence that security needs are satisfied. Assurance must be continually maintained, updated, and reverified.

asymmetric key

A form of cryptography that does not use symmetric keys. It either uses complex formulas to solve problems (such as Diffie-Hellman to generate/exchange symmetric keys) or uses key pair sets to provide digital signatures and digital envelopes. This latter form is also known as public key cryptography.

asynchronous dynamic password token

A token device that generates onetime passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the onetime password created by the token as the response.

asynchronous transfer mode (ATM)

A cell-switching technology rather than a packet-switching technology like Frame Relay. ATM uses virtual circuits much like Frame Relay, but because it uses fixed-size frames or cells, it can guarantee throughput. This makes ATM an excellent WAN technology for voice and videoconferencing.

atomicity

One of the four required characteristics of all database transactions. A database transaction must be an "all-or-nothing" affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.

attack

The exploitation of a vulnerability by a threat agent.

attacker

Any person who attempts to perform a malicious action against a system.

attenuation

The loss of signal strength and integrity on a cable because of the length of the cable.

attribute

A column within a table of a relational database.

attribute-based access control (ABAC)

An advanced implementation of a rule-BAC that uses policies that include multiple attributes for rules. Many software-defined networking applications use ABAC models.

audit or auditing

A methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

audit trail

The records created by recording information about events and occurrences into a database or log file. Some common uses of audit trails include reconstructing an event, extracting information about an incident, and proving or disproving culpability.

auditor

The person or group responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

authentication

The process of verifying or testing that the identity claimed by a subject is valid.

Authentication Header (AH)

An IPSec protocol that provides authentication, integrity, and nonrepudiation.

authenticated scan

A security scanner is granted authenticated read-only access to the servers being scanned (typically via a user account) and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results.

authentication protocols

Protocols used to provide the transport mechanism for logon credentials.

Authentication Service (AS)

An element of the Kerberos Key Distribution Center (KDC). The AS verifies or rejects the authenticity and timeliness of tickets.

authorization

A process that ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity (in other words, subject).

Automatic Private IP Addressing (APIPA)

A feature of Windows that assigns an IP address to a system should DHCP address assignment fail. The IP address range used by APIPA is

auxiliary alarm system

An additional function that can be added to either local or centralized alarm systems. The purpose of an auxiliary alarm system is to notify local police or fire services when an alarm is triggered.

availability

The assurance that authorized subjects are granted timely and uninterrupted access to objects.

awareness

A form of security teaching that is a prerequisite to training. The goal of awareness is to bring security into the forefront and make it a recognized entity for students/users.