
(1) A program that provides user and administrator interfaces to an intrusion detection and prevention system. (2) A terminal used by system and network administrators to issue system commands and to watch the operating system activities.

Consumer device

A small, usually mobile computer that does not run a standard PC-OS. Examples of consumer devices are networking-capable personal digital assistants (PDAs), cell phones, and video game systems.

Contamination

The intermixing of data at different sensitivity and need-to-know levels. The lower level data are said to be contaminated by the higher level data; thus, the contaminating (higher level) data may not receive the required level of protection.

Content delivery networks (CDNs)

Content delivery networks (CDNs) deliver the content of music, movie, game, and news providers from their websites to end users quickly. They use tools and techniques such as caching, replication, redirection, and proxy content servers to improve Web performance by optimizing disk usage and preload time.

Content filtering

The process of monitoring communications such as e-mail and Web pages, analyzing them for suspicious content, and preventing the delivery of suspicious content to users.

Contingency plan

Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. Also called disaster recovery plan, business resumption plan, or business continuity plan. This is a management and recovery control and ensures the availability goal.

Continuity of operations plan

A predetermined set of instructions or procedures that describe how an organization’s essential functions will be sustained for up to 30 days after a disaster event, before returning to normal operations.

Continuity of support plan

The documentation of a predetermined set of instructions or procedures that describe how to sustain major applications and general support systems in the event of a significant disruption.

Contradictory controls

Two or more controls are in conflict with each other: installing one control does not fit well with the others because of incompatibility, so implementing one control can negatively affect other, related controls. Examples include (1) installation of a new software patch that undoes or breaks another related, existing patch, either in the same system or in related systems; this incompatibility can be due to errors in the current or previous patch, or to the new and previous patches not having been fully tested by the software vendor or by the user organization, and (2) telecommuting policies and an organization’s software piracy policies, which can conflict with each other when noncompliant telecommuters purchase and load unauthorized software on the home/work PC in an unauthorized manner.

Control

Any protective action, device, procedure, technique, or other measure that reduces exposure. Controls can prevent, detect, or correct errors, and can minimize harm or loss. It is any action taken by management to enhance the likelihood that established objectives and goals will be achieved.

Control frameworks

These provide overall guidance to user organizations as a frame of reference for security governance and for implementation of security-related controls. Several organizations within the U.S. and outside the U.S. provide such guidance.

Developed and promoted by the IT Governance Institute (ITGI), Control Objectives for Information and related Technology (COBIT) starts from the premise that IT must deliver the information that the enterprise needs to achieve its objectives. In addition to promoting process focus and process ownership, COBIT looks at the fiduciary, quality, and security needs of enterprises and provides seven information criteria that can be used to generally define what the business requires from IT: effectiveness, efficiency, availability, integrity, confidentiality, reliability, and compliance.

The Information Security Forum’s (ISF’s) Standard of Good Practice for Information Security is based on research and the practical experience of its members. The standard divides security into five component areas: security management, critical business applications, computer installations, networks, and system development.

Other U.S. organizations promoting information security governance include National Institute of Standards and Technology (NIST) and the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

Organizations outside the U.S. that are promoting information security governance include Organization for Economic Co-Operation and Development (OECD), European Union (EU), and International Organization for Standardization (ISO).

Control information

Information that is entered into a cryptographic module for the purposes of directing the operation of the module.

Control zone

Three-dimensional space (expressed in feet of radius) surrounding equipment that processes classified and/or sensitive information, within which TEMPEST exploitation is considered not practical. It also means legal authorities can identify and remove a potential TEMPEST exploitation. A control zone deals with physical security over sensitive equipment containing sensitive information. It is synonymous with zone of control.

Controlled access protection

Consists of a minimum set of security functions that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

Controlled interface

A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. It also controls the flow of information into or out of an interconnected system. Controlled interfaces, along with managed interfaces, use boundary protection devices, such as proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels (e.g., routers protecting firewalls and application gateways residing on a protected demilitarized zone). These devices prevent and detect malicious and other unauthorized communications.

Controllers (hardware)

A controller is a hardware device that coordinates and manages the operation of one or more input/output devices, such as computer terminals, workstations, disks, and printers.

Controlled access area

Part or all of an environment where all types and aspects of an access are checked and controlled.

Cookies (website)

(1) A small file that stores information for a website on a user’s computer. (2) A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. Cookies have two mandatory parameters, name and value, and four optional parameters: expiration date, path, domain, and secure. Four types of cookies exist: persistent, session, tracking, and encrypted.
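The parameters listed in the definition above are exactly the pieces of a Set-Cookie response header, and the presence or absence of an expiration date is what separates a persistent cookie from a session cookie. The following added example (not from the glossary or any product it cites) parses constructed Set-Cookie headers into the two mandatory and four optional parameters, classifies each cookie as persistent or session, and flags a cookie that lacks the secure parameter, since such a cookie will be returned by the browser over unencrypted connections as well. The header strings and the `review_cookie` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    # Mandatory parameters
    name: str
    value: str
    # Optional parameters named in the glossary definition
    expires: Optional[str] = None
    path: Optional[str] = None
    domain: Optional[str] = None
    secure: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into its name=value pair and attributes.

    Attributes are separated by ';'. The Expires value may contain commas
    and spaces but never a ';', so splitting on ';' is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie must begin with a name=value pair")
    name, value = parts[0].split("=", 1)
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if key == "expires":
            cookie.expires = val
        elif key == "path":
            cookie.path = val
        elif key == "domain":
            cookie.domain = val
        elif key == "secure":
            # Secure is a flag: present means true, no value needed
            cookie.secure = True
        # Attributes not covered by the definition are ignored here
    return cookie


def classify(cookie: Cookie) -> str:
    """A cookie with an expiration date survives the browser session
    (persistent); one without is discarded when the session ends."""
    return "persistent" if cookie.expires else "session"


def review_cookie(cookie: Cookie) -> List[str]:
    """Return defender-oriented findings for a parsed cookie (hypothetical helper)."""
    findings = []
    if not cookie.secure:
        findings.append(
            f"{cookie.name}: no Secure flag, browser will also send it over plain HTTP"
        )
    if classify(cookie) == "persistent" and cookie.name.lower().startswith("session"):
        findings.append(
            f"{cookie.name}: session identifier stored as a persistent cookie"
        )
    return findings


# Constructed sample headers, as a server might send them in an HTTP response
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",
    "prefs=theme%3Ddark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Domain=example.com",
]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        c = parse_set_cookie(header)
        print(c.name, classify(c), c, review_cookie(c))
```

Running the block prints each parsed cookie with its type; the second sample is persistent (it carries an expiration date) and is reported because it omits the secure parameter.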

Corrective controls

Actions taken to correct undesirable events and incidents that have occurred. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Corrective maintenance

Changes to software necessitated by actual errors in a system.