Shared Flashcard Set

Details

Army Security +
Network security
62
Computer Networking
Undergraduate 1
12/19/2010

Cards

Term
Access control
Definition
The process of limiting access to the resources of an IS only to authorized users, programs, processes, or other systems. System-specific policy is often implemented through the use of access controls. For example, it may be a policy decision that only two individuals in an organization are authorized to run a check-printing program. Access controls are used by the system to implement (or enforce) this policy.

Term
Accountability
Definition
Property that enables auditing of activities on an IS to be traced to persons who may then be held responsible for their actions. (COMSEC) Principle that an individual is responsible for safeguarding and controlling of COMSEC equipment, keying materiel, and information entrusted to his or her care and is answerable to proper authority for the loss or misuse of that equipment or information.
Term
Accreditation
Definition
A formal declaration by a designated approving authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards
Term
Accreditation authority or Designated Approving Authority (DAA)
Definition
Official with the authority to formally assume responsibility for operating an IS or network at an acceptable level of risk.

Term
Audit
Definition
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures
Term
Audit trail
Definition
Chronological record of system activities to enable the construction and examination of the sequence of events and/or changes in an event. An audit trail may apply to information in an IS, to message routing in a communications system, or to the transfer of COMSEC material.

Term
Authenticate
Definition
To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to possible unauthorized modification in an automated information system, or establish the validity of a transmitted message
Term
Authentication
Definition
Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's identity or eligibility to receive specific categories of information or perform specific actions
Term
Backup
Definition
A copy of computer files that can be restored in the event of failure, corruption, or other system mishap. By controlling backups centrally, you can ensure the backup schedule and procedures are being followed. There are several types of backups. Here are two:
Term
Full backup
Definition
A backup that will be stored for a long time. A routine that makes it possible to back up all files. This procedure requires a lot of time and consumes significant storage space
Term
Incremental backup
Definition
 Making a copy of only the files that have changed since the last backup instead of backing up every file. An incremental backup saves a lot of time and can save storage space. This type of backup is usually performed after a full backup. If a full backup is ever restored, any incremental backups must also be restored (in the same order they were backed up).
Term
Certification
Definition
Comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

Term
Compromising emanations
Definition
Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by telecommunications or automated information systems equipment (See TEMPEST).

Term
Computer or Computer System
Definition
In this course, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems
Term
Computer
Definition
A machine capable of accepting data, performing calculations on, or otherwise manipulating that data, storing it, and producing new data.

Term
Small computer
Definition
A small general-purpose computer designed to support a single user at a time. Disk drives, printers, and other equipment associated with the small computer are considered part of the small computer and normally referred to as a personal computer. In addition to the above standard definition and the changing mission of the Army, the definition of a small computer has been enhanced so that a small computer or any PC or workstation that attaches to a Server (as through a LAN) in a client server environment is considered to be a small computer
Term
Stand alone computer
Definition
An automated information system that is physically, electronically and electrically isolated from all other automated information systems
Term
Mainframe
Definition
A computer system that is characterized by dedicated operators (beyond the system users); high capacity, distinct storage devices; special environmental considerations; and an identifiable computer room or complex

Term
Central computer facility
Definition
One or more computers with their peripheral and storage units, central processing units, and communications equipment in a single controlled area. Central computer facilities are those areas where computer(s) (other than personal computer(s)) are housed to provide necessary environmental, physical, or other controls
Term
Server
Definition
Computer hardware used to provide client-requested files, data, and software applications. It provides processing capabilities for user workstations and is normally used for the connection and control for the workstations to the Local Area Network (LAN).
Term
Firewall
Definition
A system or group of systems that enforces an access control policy between two networks with the properties of allowing only authorized traffic to pass between the networks from inside and outside the controlled environment and is immune to penetration
Term
Computer security
Definition
Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer
Term
Configuration control
Definition
Process of controlling modifications to a telecommunications or information systems hardware, firmware, software, and documentation to ensure the system is protected against improper modifications prior to, during, and after system implementation

Term
Configuration Management
Definition
The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation of an IS throughout the development and operational life of the system

Term
Controlled access protection
Definition
Login procedures, audit of security-relevant events, and resource isolation as prescribed for class C2 in DoD 5200.28-STD, often referred to as the “Orange Book”.

Term
Countermeasures
Definition
An action, device, procedure, technique, or other measure that reduces the vulnerability of an IS.

Term
Data security
Definition
Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure

Term
Declassification (of magnetic storage media)
Definition
An administrative procedure resulting in a determination that classified information formerly stored on a magnetic medium has been removed or overwritten sufficiently to permit reuse in an unclassified environment.

Term
Denial of service
Definition
Result of any action or series of actions that prevents any part of a telecommunications system or IS from functioning. Denial is the term used throughout the course and respective references

Term
DOD Trusted Computer System Evaluation Criteria (TCSEC)
Definition
Document containing basic requirements and evaluation classes for assessing degrees of effectiveness of hardware and software security controls built into IS. This document, DOD 5200.28 STD, is frequently referred to as the Orange Book.

Term
Embedded (computer) system
Definition
Computer system that is an integral part of a larger system or subsystem that performs or controls a function, either in whole or in part.

Term
Emission security
Definition
Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from cryptographic equipment, ISs, and telecommunications systems.

Term
Firmware
Definition
Software that is permanently stored in a hardware device that allows reading and executing the software, but not writing or modifying it.

Term
Formal access approval
Definition
Documented approval by a data owner to allow access to a particular category of information

Term
Information Assurance (IA)
Definition
The protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; or the provision of service to authorized users. It also includes those measures necessary to detect, document, and counter such threats. This regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations (TEMPEST).

Term
Information Assurance Vulnerability Management (IAVM)
Definition
IAVM is the DoD program to identify and resolve identified vulnerabilities in operating systems. It requires the completion of four distinct phases to ensure compliance. These phases are: (1) vulnerability identification, dissemination, and acknowledgement; (2) application of measures to affected systems to make them compliant; (3) compliance reporting; and (4) compliance verification. This program includes Alerts (IAVAs), Bulletins (IAVBs), and Technical Advisories (TAs).
Term
Information system (IS)
Definition
Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data and that includes computer software, firmware, and hardware. Included are computers, word processing systems, networks, or other electronic information handling systems and associated equipment.
Term
Integrity
Definition
The degree of protection for data and systems from intentional or unintentional alteration or misuse. In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets
Term
Data integrity
Definition
A requirement that information and programs are changed only in a specified and authorized manner

Term
System integrity
Definition
A requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Term
Internet
Definition
A global collaboration of data networks that are connected to each other, using common protocols (e.g., TCP/IP) to provide instant access to an almost indescribable wealth of information from computers around the world
Term
Least Privilege
Definition
Principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. This also applies to system privileges that might not be needed to perform their assigned job. NOTE: Application of this principle limits the damage that can result from errors, and accidental and unauthorized use of an IS.
Term
Malicious software code
Definition
Any software code intentionally created or introduced into a computer system for the distinct purpose of causing harm or loss to the computer system, its data, or other resources. Many users equate malicious code with computer viruses, which can lie dormant for long periods of time until the computer system executes the trigger that invokes the virus to execute. Within the last several years, the internet has been the conduit of various types of computer viruses. However, there are other types of malicious codes used to cause havoc that are not as well publicized as the virus. Examples are viruses, worms, bombs, and Trojan horses
Term
Multilevel security
Definition
Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances, but prevents users from obtaining access to information for which they lack authorization
Term
Need-to-know
Definition
Approved access to, or knowledge or possession of, specific information required to carry out official duties. The possession of a security clearance does not automatically grant a person the need-to-know. Persons in one area may not have the need-to-know information in another area, even though access to either area requires the same level security clearance
Term
Network
Definition
Communications medium and all components attached to that medium whose function is the transfer of information. Components may include ISs, packet switches, telecommunications controllers, key distribution centers, and technical control devices. A network is basically a series of wires and cables connecting a number of computers. Modern networks can be connected by wire and wireless means. Data is exchanged between computers via these connections
Term
Local Area Networks (LAN)
Definition
A system that allows microcomputers to share information and resources within a limited (local) area. Can be measured in meters to kilometers. They usually have a high bandwidth with data rates from 1Mbps to 250Mbps (1 Megabit to 250 Megabits per second).


Term
Network Security
Definition

The protection of networks and their services from unauthorized modification, destruction, or disclosure. Network security provides for assurance that a network performs its critical functions correctly and there are no harmful side effects.

Term
Risk
Definition

Process of analyzing threats to and vulnerabilities of an information system, and determining potential adverse effects that the loss of information or capabilities of a system would have on national security and using the analysis as a basis for identifying appropriate and cost-effective countermeasures.

Term
Risk assessment
Definition
Process of analyzing threats to and vulnerabilities of an information system, and determining potential adverse effects that the loss of information or capabilities of a system would have on national security and using the analysis as a basis for identifying appropriate and cost-effective countermeasures
Term
Risk management
Definition
Process of identifying, assessing, and controlling risks arising from operational factors and threats and making decisions that balance risks and costs with mission benefits
Term
IS Security Incident
Definition
Any unexplained event that could result in the loss, corruption, or the denial of access to data, as well as any event that cannot be easily dismissed or explained as normal operations of the system. Also, an occurrence involving classified or sensitive information being processed by an IS where there may be: a deviation from the requirements of the governing security regulations; a suspected or confirmed compromise or unauthorized disclosure of the information; questionable data or information integrity (e.g., unauthorized modification); unauthorized modification of data; or unavailable information for a period of time
Term

Security Operating Modes

Definition

A categorization of computer systems according to the security protection they provide. Determination of the security processing mode of an IS is based on the classification or sensitivity and the formal categories of data processed and the clearance, formal access approval, and need-to-know of users of the system. There are four security-operating modes.

Term

Multilevel mode

Definition

Processing, transmission, storage, or data is handled across different information categories with "simultaneous" access by individual users or processes. (All users and processes may not have the same clearances or need to know. Access controls are different for each user and process.)

Term

Dedicated mode

Definition

Processing, transmission, or storage is within a single information category. (All users and processes have a valid security clearance for all processes and data, and all users or processes have the same need to know. Access controls are equal for all users and processes.)


Term

Compartmented mode

Definition

Processing, transmission, storage, or data is handled across different information categories with single-level access by individual users or processes at any "given time." (All users and processes have a valid clearance for the most restricted information processed in the system, and a valid need-to-know for the information that the user or process will have access. Access controls are different for each user and process.)

Term

Systems high mode

Definition

Processing, transmission, storage, or data while actually across different information categories, is handled as if it were in a single information category or processing domain. (All users and processes have valid security clearance to all processes and data. All users and processes may not have the same need to know. Access controls are equal for all users and processes.)

Term
Sensitive information
Definition
Any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (The Privacy Act), but which has not been specifically authorized under criteria established by executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Sensitive information includes information in routine DoD payroll, finance, logistics, and personnel management systems. Examples of sensitive information include, but are not limited to, the following categories: (1) FOUO-IAW DoD 5400.7-R, information that may be withheld from mandatory public disclosure under the Freedom of Information Act (FOIA)-see definition above; (2) Unclassified Technical Data-Data related to military or dual-use technology that is subject to approval, licenses, or authorization under the Arms Export Control Act and withheld from public disclosure IAW DoD 5320.25; (3) Department of State Sensitive But Unclassified (SBU)-Information originating from the Department of State (DOS) that has been determined to be SBU under appropriate DOS information security policies; (4) Foreign Government Information-Information originating from a foreign government that is not classified CONFIDENTIAL or higher but must be protected IAW DoD 5200.1-R; or (5) Privacy Data-Personal and private information (e.g., individual medical information, home address and telephone number, social security number) as defined in the Privacy Act of 1974
Term
Systems Security
Definition

There are three parts to Systems Security.

a. Computer Security (COMPUSEC) is composed of measures and controls that protect an IS against denial of service, unauthorized disclosure, modification, or destruction of IS and data (information).

b. Communications Security (COMSEC) is measures and controls taken to deny unauthorized persons information derived from telecommunications of the U.S. government. Government communications regularly travel by computer networks, telephone systems, and radio calls.

c. Information Security (INFOSEC) is controls and measures taken to protect telecommunications systems, automated information systems, and the information they process, transmit, and store

Term
Computer Security (COMPUSEC)
Definition
is composed of measures and controls that protect an IS against denial of service, unauthorized disclosure, modification, or destruction of IS and data (information).
Term
Communications Security (COMSEC)
Definition
measures and controls taken to deny unauthorized persons information derived from telecommunications of the U.S. government. Government communications regularly travel by computer networks, telephone systems, and radio calls.


Term
Information Security (INFOSEC)
Definition
is controls and measures taken to protect telecommunications systems, automated information systems, and the information they process, transmit, and store.