Appendix B - Glossary
Access Control | The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). SOURCE: FIPS 201-2 |
Accountability | The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. SOURCE: SP 800-27 Rev. A |
Assurance | Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass. SOURCE: SP 800-27 Rev. A |
Attack | Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. SOURCE: CNSSI-4009 |
Audit | Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. SOURCE: CNSSI-4009 |
Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. SOURCE: FIPS 200 |
Authorization | The official management decision given by a senior official to authorize operation of a system or the common controls inherited by designated organizational systems and to explicitly accept the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Also known as authorization to operate. SOURCE: OMB Circular A-130, adapted |
Authorizing Official (AO) | A senior (federal) official or executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. SOURCE: SP 800-37 Rev 1 |
Back door | An undocumented way of gaining access to a computer system. A backdoor is a potential security risk. SOURCE: NIST SP 800-82 Rev 2 |
Biometrics | A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics. SOURCE: FIPS 201 |
Bit | A binary digit having a value of 0 or 1. SOURCE: FIPS 180-4 |
Challenge-Response Protocol | An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret. SOURCE: SP 800-63-2 |
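The shared-secret variant of the protocol above, as an added example that is not part of the NIST glossary: the verifier issues a random nonce, the claimant returns a keyed hash (HMAC-SHA256 is assumed here as the "hash of the challenge and the shared secret") of that nonce, and the verifier recomputes it. The secret value, the 16-byte nonce size, and the class and function names are assumptions for illustration. Two points the definition leaves implicit are shown: the secret itself never crosses the wire, and each nonce is honoured once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example only; in practice it is provisioned
# out of band and held by both the claimant and the verifier.
SHARED_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233445566778899aabbccddeeff"
)


class Verifier:
    """Holds the shared secret and issues single-use challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        # A fresh, unpredictable nonce per authentication attempt.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Reject unknown or already-consumed nonces: this defeats replay of a
        # response captured from an earlier, legitimate exchange.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the expected value byte by byte.
        return hmac.compare_digest(expected, response)


def claimant_response(secret: bytes, nonce: bytes) -> bytes:
    """Claimant proves possession of the secret; only the keyed hash is sent."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_protocol(claimant_secret: bytes) -> dict:
    """One full exchange followed by a replay of the same response."""
    verifier = Verifier(SHARED_SECRET)
    nonce = verifier.challenge()              # verifier -> claimant
    response = claimant_response(claimant_secret, nonce)  # claimant -> verifier
    first_attempt = verifier.verify(nonce, response)
    replay_attempt = verifier.verify(nonce, response)     # same nonce, same response
    return {"first": first_attempt, "replay": replay_attempt}


if __name__ == "__main__":
    print("genuine claimant:", run_protocol(SHARED_SECRET))
    print("claimant without the secret:", run_protocol(b"guess"))
```

A genuine claimant passes once and is refused on replay; a claimant without the secret produces a response the verifier cannot reproduce and is refused outright.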
Checksum | A value that (a) is computed by a function that is dependent on the content of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data. SOURCE: IETF RFC 4949 Ver. 2 |
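An added example, not from the glossary or RFC 4949, of the definition above and of the caveat a practitioner should attach to it. CRC-32 (assumed here as the checksum function) is stored with the object and catches accidental corruption such as a flipped bit, but anyone who can alter the object can recompute the checksum, so it gives no protection against deliberate tampering; for that a keyed function such as HMAC-SHA256 under a secret the attacker lacks is required. The record contents, key, and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed secret for the keyed variant; an attacker is assumed not to hold it.
INTEGRITY_KEY = b"example-only-key-do-not-reuse"


def attach_checksum(data: bytes) -> bytes:
    """Store a CRC-32 (4 bytes, big-endian) together with the object."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def check_checksum(blob: bytes) -> bool:
    """Recompute the CRC over the object and compare with the stored value."""
    data, stored = blob[:-4], blob[-4:]
    return zlib.crc32(data).to_bytes(4, "big") == stored


def attach_mac(key: bytes, data: bytes) -> bytes:
    """Same layout, but the stored value depends on a secret key."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def check_mac(key: bytes, blob: bytes) -> bool:
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate accidental corruption of one bit of the object."""
    buf = bytearray(blob)
    buf[index] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    record = b"amount=100;to=alice"
    tampered = b"amount=999;to=mallory"

    checksummed = attach_checksum(record)
    # An attacker rewrites the object and simply recomputes the CRC.
    forged_checksum = attach_checksum(tampered)

    macd = attach_mac(INTEGRITY_KEY, record)
    # Without the key the attacker can only reuse the old tag over new data.
    forged_mac = tampered + macd[-32:]

    return {
        "intact_passes": check_checksum(checksummed),
        "bitflip_detected": not check_checksum(flip_bit(checksummed, 7)),
        "checksum_forgery_detected": not check_checksum(forged_checksum),
        "mac_forgery_detected": not check_mac(INTEGRITY_KEY, forged_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC flags the bit flip but accepts the forged record; the keyed MAC rejects it. Checksums belong to safety against accidents, not to security against an adversary.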
Ciphertext | Data in its encrypted form. SOURCE: SP 800-57 Part 1 Rev. 4 |
Denial of Service | The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided). SOURCE: CNSSI-4009 |
Digital Signature | The result of a cryptographic transformation of data which, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation. SOURCE: FIPS 140-2 |
Encryption | The cryptographic transformation of data to produce ciphertext. SOURCE: ISO 7498-2 |
End-to-End Encryption | Communications encryption in which data is encrypted at its origin and decrypted only at its final destination, so that it remains encrypted while passing through intervening network nodes; routing information remains visible to the network. Compare Link Encryption. |
Firewall | A gateway that limits access between networks in accordance with local security policy. SOURCE: SP 800-32 |
Gateway | An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks. SOURCE: IETF RFC 4949 Ver. 2 |
Hacker | Unauthorized user who attempts to or gains access to an information system. SOURCE: CNSSI-4009 |
Incident | An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. SOURCE: FIPS 200 |
Information | 1. Facts and ideas, which can be represented (encoded) as various forms of data. 2. Knowledge—e.g., data, instructions—in any medium or form that can be communicated between system entities. SOURCE: IETF RFC 4949 Ver. 2 |
Information Assurance | Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms. SOURCE: CNSSI-4009 |
Information Security | The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. SOURCE: 44 U.S.C., Sec. 3542 |
Information Security Policy | Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. SOURCE: CNSSI-4009 |
Information Security Risk | The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or a system. SOURCE: SP 800-30 Rev 1 |
Information System | A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.] SOURCE: 44 U.S.C., Sec. 3502 |
Information Technology | (A) with respect to an executive agency means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use— (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product; (B) includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but (C) does not include any equipment acquired by a federal contractor incidental to a federal contract. SOURCE: 40 U.S.C., Sec. 11101 |
Integrity | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. SOURCE: 44 U.S.C., Sec. 3542 |
Intrusion Detection System (IDS) | Software that automates the intrusion detection process. SOURCE: SP 800-94 |
Key | A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature. SOURCE: FIPS 186-4 |
Key Management | The activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction. SOURCE: SP 800-57 Part 1 Rev 4 |
Keystroke Monitoring | The process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. |
Least Privilege | The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function. SOURCE: CNSSI-4009 |
Link Encryption | Encryption of information between nodes of a communications system. SOURCE: CNSSI-4009 |
Logic Bomb | A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. SOURCE: CNSSI-4009 |
Malicious Code | Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. SOURCE: SP 800-53 |
Malware | See Malicious Code. SOURCE: SP 800-53 |
Password | A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization. SOURCE: FIPS 140-2 |
Penetration Testing | A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system. SOURCE: SP 800-53 |
Phishing | A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person. SOURCE: IETF RFC 4949 Ver 2 |
Private Key | A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. SOURCE: FIPS 140-2 |
Privilege | A right granted to an individual, a program, or a process. SOURCE: CNSSI-4009 |
Public Key | A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public. SOURCE: FIPS 140-2 |
Public Key Cryptography | Encryption system that uses a public-private key pair for encryption and/or digital signature. SOURCE: CNSSI-4009 |
Public Key Infrastructure (PKI) | A Framework that is established to issue, maintain, and revoke public key certificates. SOURCE: FIPS 186-4 |
Reciprocity | Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information. SOURCE: NIST SP 800-37 |
Risk | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.] SOURCE: SP 800-37 |
Risk Assessment | The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. SOURCE: SP 800-39 |
Risk Management | The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time. SOURCE: SP 800-39 |
Risk Management Framework (RMF) | A structured approach used to oversee and manage risk for an enterprise. SOURCE: CNSSI-4009 |
Role | A job function or employment position to which people or other system entities may be assigned in a system. SOURCE: IETF RFC 4949 Ver 2 |
Safeguards | Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for a system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures. SOURCE: FIPS 200 |
Secret Key | A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public. SOURCE: FIPS 140-2 |
Security | A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. SOURCE: CNSSI-4009 |
Security Control Assessment | The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. SOURCE: SP 800-37 |
Security Controls | The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system and its information. SOURCE: FIPS 199 |
Security Engineering | An interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem. SOURCE: CNSSI-4009 |
Security Label | The means used to associate a set of security attributes with a specific information object as part of the data structure for that object. SOURCE: SP 800-53 |
Sensitivity | A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. SOURCE: SP 800-60 |
Signature | A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system. SOURCE: SP 800-61 |
Spam | Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. SOURCE: CNSSI-4009 |
Spyware | Software that is secretly or surreptitiously installed into a system to gather information on individuals or organizations without their knowledge; a type of malicious code. SOURCE: SP 800-53 |
System | Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. SOURCE: SP 800-53 |
System Integrity | The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. SOURCE: SP 800-27 |
System Security Plan | Formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. SOURCE: SP 800-18 |
Tailoring | The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements. SOURCE: SP 800-37 |
Threat | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. SOURCE: SP 800-30 |
Threat Event | An event or situation that has the potential for causing undesirable consequences or impact. SOURCE: NIST SP 800-30 |
Token | Something that the Claimant possesses and controls (typically a key or password) that is used to authenticate the Claimant’s identity. SOURCE: SP 800-63-2 |
Trojan Horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. SOURCE: CNSSI-4009 |
Trusted Computing Base | Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy. SOURCE: CNSSI-4009 |
Trustworthy System | Computer hardware, software and procedures that— 1) are reasonably secure from intrusion and misuse; 2) provide a reasonable level of availability, reliability, and correct operation; 3) are reasonably suited to performing their intended functions; and 4) adhere to generally accepted security procedures. SOURCE: SP 800-32 |
Validation | Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements). SOURCE: CNSSI-4009 |
Virus | A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. See Malicious Code. SOURCE: CNSSI-4009 |
Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. SOURCE: NIST SP 800-30 Rev 1 |
Worm | A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code. SOURCE: CNSSI-4009 |