What is a 1st Party audit?
A 1st Party audit is an internal audit conducted to ensure compliance with some specification, perhaps prior to a 2nd/3rd party audit in respect of certification to a standard such as ISO27001.
What is a 2nd Party audit?
A 2nd Party audit is an external audit of a partner company/subcontractor prior to entering into a contract or similar relationship.
What are the ACPO guidelines?
Electronic/hi-tech evidence must be obtained, handled and presented in court in as similar a manner as possible to that of more conventional evidence; thus the Association of Chief Police Officers (ACPO) has issued guidelines for the correct handling of such evidence in order to be compliant with relevant legislation.
What is BCP?
Business Continuity Planning (BCP) is a means to mitigate the risks of business interruption through the provision of predefined and rehearsed contingency procedures, such as alternative work sites and Information and Communications Technology (ICT) provision.
What is a BIA?
A Business Impact Analysis (BIA) is often the first step in BCP/DR (qv), encompassing the identification of the key components of business processes, such as personnel, equipment and documentation, and the likely impact of their loss or degradation.
What is BS7799?
BS 7799 is a British Standard detailing the planning and execution of Information Security. It comes in 2 parts, the first being a checklist of areas to address and the 2nd a specification, against which certification may be gained, for the implementation of an Information Security Management System (ISMS - qv). The international equivalent is ISO27001 (qv).
What is BS25999?
BS 25999 is a UK British Standards Institute (BSI) standard, derived from PAS56, detailing the conduct of Business Continuity Planning (BCP - qv).
What is BS8470?
BS 8470 is a UK British Standards Institute (BSI) standard detailing the secure destruction of information-bearing media such as paper and computer disks.
What is computer forensics?
Computer (or hi-tech) forensics is the scientific gathering of admissible evidence to support administrative or legal processes. It can be applied to stand-alone computers (including servers), networked computer systems, PDAs, smart phones, mobile phones and digital cameras - in fact any piece of electronics into which a person might have entered information relevant to the administrative/legal process.
What is ComSec?
ComSec, or Communications Security, is the securing of a telecommunications link in order to prevent any compromise in the confidentiality, integrity or availability of information carried thereon. Principally, ComSec involves the provision of encryption, in hardware or software, although other more involved concepts, such as Traffic Flow Security and TEMPEST, may be involved.
What is computer network defence?
Computer Network Defence (CND) is the process of hardening computer networks against compromise through the use of firewalls, electronic Intruder Detection Systems (IDS)/Intruder Prevention Systems (IPS), virus-scanning gateways, ComSec (qv) and associated security technologies.
What/Who is the Information Commissioner?
The Information Commissioner is the UK's official protector of privacy, in respect of information, whilst promoting easy access to official information, such as via the Freedom of Information Act.
What is DR?
Disaster Recovery (DR) is a preplanned, reactive process to recover vital Information and Communications Technology (ICT) facilities, not necessarily at their original site, to a point where the business process may continue at an acceptable level pending full BCP (qv) recovery processes.
What is Information Security?
Information Security, also known as Information Assurance, is the prevention and detection of, and containment and recovery from, compromises in the confidentiality, integrity and availability of information assets. Confidentiality is that quality of an asset which means that it is known only to authorised persons; integrity is the quality which implies that the information can be trusted as accurate; and availability is the quality of being available, to authorised persons, as and when needed.
What is IPR?
IPR is a term referring to Intellectual Property Rights, a legal term relating to such legislation as the UK's Copyright, Designs and Patents Act, but more colloquially used to refer to proprietary information.
What is an ISMS?
An Information Security Management System is a British Standards Institute (BSI)/International Standards Organisation (ISO) term referring to the formal processes associated with the implementation of Information Security within an organisation. Both BSI and ISO have issued specifications for the implementation of an ISMS, as BS7799:Part 2 and ISO27001 respectively.
What is ISO17799?
ISO17799 is an International Standards Organisation (ISO) document, derived from BS7799 (qv), detailing best practice in Information Security implementation.
What is ISO27001?
ISO27001 is an International Standards Organisation (ISO) document, derived from BS7799:Part2 (qv), specifying the implementation of an Information Security Management System (ISMS - qv).
What is JSP440?
Joint Services Publication 440 (JSP440), also known as the Defence Manual of Security (DMS), is the UK MoD's interpretation of the UK Cabinet Office's Manual of Protective Security (MPS - qv).
What is JSP480?
Joint Services Publication 480 (JSP480) is the UK MoD's policy, based on British Standards and industry best practice, for the reliable, safe and secure installation of Information and Communications Technology (ICT) infrastructure.
What is JSP503?
Joint Services Publication 503 (JSP503) is the UK MoD's Business Continuity Planning (BCP) policy document.
What is the Manual of Protective Security?
The Manual of Protective Security (MPS) is HMG's policy on securing both physical and logical assets. MPS is derived from advice from the Security Service and the Communications-Electronics Security Group (CESG), a branch of GCHQ charged with protecting HMG's information assets.
What are managed security services?
Managed Security Services are simply outsourced security processes which cannot be undertaken in-house through lack of resources, or where a business decision warrants such outsourcing. Providers of such services are usually referred to as Managed Security Services Providers (MSSPs).
What is MiFID?
Coming into effect in November 2007, the Markets in Financial Instruments Directive (MiFID) is the European equivalent of the US Govt's SOX legislation, mandating standards in corporate governance in respect of financial services, including processes for ensuring information security.
What is penetration testing?
Penetration testing, more colloquially known as PenTesting, is the systematic and scientific process of identifying vulnerabilities in electronic systems, such as computer or telephony networks, and the reporting thereof. The allied process of Ethical Hacking seeks to take PenTesting a stage further through actual compromise of these systems, under controlled circumstances, to prove the vulnerability beyond any doubt. PenTesting can be done from a 'zero knowledge' position, known as Red Team PenTesting, or with knowledge of the network structure, known as Blue Team PenTesting.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the PCI's own standard for protecting financial transactions and customers where payment cards are in use. PCI DSS mandates certain Computer Network Defences (CND - qv) as well as periodic testing through PenTesting (qv).
What is requirements management?
Requirements Management (RM) is the systematic elicitation of system functionality and performance requirements, from multiple stakeholders, prior to the design and implementation of a complex system.
What is Risk Analysis?
Risk Analysis (RA) is the systematic determination of relative risk to assets (physical or logical), involving evaluation of likely threat vectors, their potential impacts to assets and their likelihood of realisation. RA will generally result in a risk register, or report, from which risk treatment action (avoidance, transfer, acceptance or mitigation) may be derived.
What is Sarbanes-Oxley?
The US Sarbanes-Oxley legislation, more colloquially known as SOX, is the US Govt's response to lax procedures in the follow-up to such events as the fall of Enron. Its principal InfoSec-related section is Section 404, pertaining to internal controls, which mandates the protection of the confidentiality, integrity and availability of financial information. Although a US piece of legislation, SOX requires that non-US companies, listed within the US, also comply with its terms.
What is secure destruction?
Secure destruction is the process of irretrievably destroying electronic and physical information, perhaps prior to final disposal of electronic equipment, usually done in accordance with BS8470 (qv). Secure destruction usually involves shredding for paper documents, overwriting for rewritable electronic media, or physical destruction for write-once electronic media.
What is Security Vetting?
HMG's Manual of Protective Security (MPS) defines several levels of vetting for individuals, which involve varying degrees of investigation into their identity, background and susceptibility to subversion prior to permitting them access to protectively-marked (aka 'classified') information.
What is Technical Surveillance?
Technical Surveillance is the employment of electronic or software implants to listen to, observe or follow the movements and activities of individuals. The term implants includes bugging devices such as miniature transmitters, typical of espionage movies, concealed cameras, and keyloggers, in software or hardware, which copy every computer keystroke for the surveillance team to see.
What is TEMPEST?
TEMPEST is a codeword covering the concept of illicit information retrieval derived from unintended emanations from electronic equipment. Known as 'Van Eck radiation' in non-government circles, TEMPEST is a highly specialised area of information security, usually of concern only at national security levels of processing.
What is TSCM?
Technical Surveillance CounterMeasures (TSCM) are measures taken to prevent, detect, contain and recover from compromise through the employment of technical surveillance (qv). TSCM includes physical, procedural and technical countermeasures, but more generally refers to TSCM inspections (aka 'bug sweeping') to detect implants, employing highly specialised search equipment and trained personnel.
What is Virtual Teaming?
Virtual teaming is the coming together of individuals, with key skills, for the purpose of undertaking a project for a finite time. Teams may be drawn from within a company's own assets, perhaps spread across various departments, or comprise individuals from different companies altogether; the aim being to achieve the right mix of skills for the task at hand.