Concepts

Term – Definition

Access – Ability to make use of any information system (IS) resource.

Access Authority – An entity responsible for monitoring and granting access privileges for other authorized entities.

Access Control – The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

Access Control Lists (ACLs) – A register of: 1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and 2) the types of access they have been permitted.

User Account Management – Involves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions.

Accountability – The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Accreditation – The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Accreditation Boundary – All components of an information system to be accredited by an authorizing official; excludes separately accredited systems to which the information system is connected.

Accreditation Package – The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to: 1) the system security plan; 2) the assessment results from the security certification; and 3) the plan of action and milestones.

Accrediting Authority – Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

Activation Data – Private data, other than keys, that are required to access cryptographic modules.

Active Content – Active content refers to electronic documents that are able to automatically carry out or trigger actions on a computer platform without the intervention of a user.

Adequate Security – Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

Administrative Safeguards – Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.

Advanced Encryption Standard (AES) – The Advanced Encryption Standard specifies a U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

Agency Certification Authority (CA) – A CA that acts on behalf of an Agency, and is under the operational control of an Agency.

Agent – A program used in distributed denial of service (DDoS) attacks that sends malicious traffic to hosts based on the instructions of a handler.

Analysis – The examination of acquired data for its significance and probative value to the case.

Antivirus Software – A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.

Applicant – The subscriber is sometimes called an "applicant" after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.

Application – The use of information resources (information and information technology) to satisfy a specific set of user requirements.

Application Content Filtering – Application content filtering is performed by a software proxy agent to remove or quarantine viruses that may be contained in email attachments, to block specific Multipurpose Internet Mail Extensions (MIME) types, or to filter other active content such as Java, JavaScript, and ActiveX® Controls.

Approved – Federal Information Processing Standard (FIPS) approved or National Institute of Standards and Technology (NIST) recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.

Approved Mode of Operation – A mode of the cryptographic module that employs only approved security functions (not to be confused with a specific mode of an approved security function, e.g., Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode).

Approved Security Function – A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either a) specified in an approved standard, b) adopted in an approved standard and specified either in an appendix of the approved standard or in a document referenced by the approved standard, or c) specified in the list of approved security functions.

Assessment Method – A focused activity or action employed by an assessor for evaluating a particular attribute of a security control.

Assessment Procedure – A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Asset – A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

Assurance – One of the five "Security Goals." It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.

Asymmetric Keys – Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Attack Signature – A specific sequence of events indicative of an unauthorized access attempt.

Attribute Authority – An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Data – Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

Audit Reduction Tools – Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.

Audit Trail – A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.

Authenticate – To confirm the identity of an entity when that identity is presented.

Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. The process of establishing confidence of authenticity. Encompasses identity verification, message origin authentication, and message content authentication. A process that establishes the origin of information or determines an entity's identity.

Authentication Code – A cryptographic checksum based on an approved security function (also known as a Message Authentication Code (MAC)).

Electronic Authentication – The process of establishing confidence in user identities electronically presented to an information system.

Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.

Authentication Mode – A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

Authentication Protocol – A well specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected.

Authentication Tag – A pair of bit strings associated to data to provide assurance of its authenticity.

Authentication Token – Authentication information conveyed during an authentication exchange.

Authenticity – The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Authorization – The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Authorizing Official – Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Authorizing Official Designated Representative – Individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

Automated Key Transport – The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

Automated Password Generator – An algorithm which creates random passwords that have no association with a particular user.

Availability – Ensuring timely and reliable access to and use of information.

Information Security Awareness – Activities which seek to focus an individual's attention on an (information security) issue or set of issues.

Backup – A copy of files and programs made to facilitate recovery if necessary.

Baseline Security – The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

Baselining – Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.

Bastion Host – A bastion host is typically a firewall implemented on top of an operating system that has been specially configured and hardened to be resistant to attack.

Behavioral Outcome – What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.

Binding – Process of associating two related elements of information. An acknowledgement by a trusted third party that associates an entity's identity with its public key. This may take place through (1) a certification authority's generation of a public key certificate, (2) a security officer's verification of an entity's credentials and placement of the entity's public key and identifier in a secure database, or (3) an analogous method.

Biometric – A physical or behavioral characteristic of a human being. A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and handwriting samples are all examples of biometrics.

Biometric Information – The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).

Biometric System – An automated system capable of: 1) capturing a biometric sample from an end user; 2) extracting biometric data from that sample; 3) comparing the biometric data with that contained in one or more reference templates; 4) deciding how well they match; and 5) indicating whether or not an identification or verification of identity has been achieved.

Biometric Template – A characteristic of biometric information (e.g., minutiae or patterns).

Blended Attack – Malicious code that uses multiple methods to spread.

Block – Sequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.

Block Cipher – A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.

Block Cipher Algorithm – A family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.

Boot Sector Virus – A virus that plants itself in a system's boot sector and infects the master boot record.

Boundary Protection – Monitoring and control of communications at the external boundary between information systems completely under the management and control of the organization and information systems not completely under the management and control of the organization, and at key internal boundaries between information systems completely under the management and control of the organization, to prevent and detect malicious and other unauthorized communication, employing controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels).

Boundary Router – A boundary router is located at the organization's boundary to an external network.

Brute Force Password Attack – A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

Buffer Overflow – A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Buffer Overflow Attack – A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.

Business Continuity Plan (BCP) – The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.

Business Impact Analysis (BIA) – An analysis of an information technology (IT) system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Business Recovery-Resumption Plan (BRP) – The documentation of a predetermined set of instructions or procedures that describe how business processes will be restored after a significant disruption has occurred.

Capture – The method of taking a biometric sample from an end user.

Cardholder – An individual possessing an issued Personal Identity Verification (PIV) card.

Certificate – A digital representation of information which at least 1) identifies the certification authority issuing it, 2) names or identifies its subscriber, 3) contains the subscriber's public key, 4) identifies its operational period, and 5) is digitally signed by the certification authority issuing it. A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.

Certificate Policy (CP) – A Certificate Policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.

Certificate Management Authority (CMA) – A Certification Authority (CA) or a Registration Authority (RA).

Certificate-Related Information – Information, such as a subscriber's postal address, that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.

Certificate Revocation List (CRL) – A list of revoked public key certificates created and digitally signed by a Certification Authority.

Certificate Status Authority – A trusted entity that provides on-line verification to a Relying Party of a subject certificate's trustworthiness,