Term
Access Authorization/Permission |
|
Definition
Authority permitting an employee performing on government work and having need-to-know to have access to classified information at a stipulated level of classification. Authorization for access at one level of classified information automatically authorizes an individual for lower levels. SOURCE: www.dhra.mil/perserec/csg/s1class/glossary.htm |
|
|
Term
|
Definition
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after action recovery and legal action. SOURCE: SP 800-27
Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes
(1) functionality that performs correctly,
(2) sufficient protection against unintentional errors (by users or software), and
(3) sufficient resistance to intentional penetration or by-pass. SOURCE: SP 800-27
The grounds for confidence that the set of intended security controls in an information system are effective in their application. SOURCE: SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
The ISSO must determine what auditable events will be collected based on mode of operation and levels of trust to meet the requirements defined in the information systems security policy. (Source: Panel of Experts, July 1994). Source: http://niatec.info/Glossary.aspx?term=294&alpha= |
|
|
Term
|
Definition
1. Archive system data
2. Monitor system indicators for abnormal events; and
3. Alert you when anything untoward occurs. Source: http://www.engagent.com/products/SentryII/EvaluatingTools.htm |
|
|
Term
|
Definition
Not Formally Defined by CNSS |
|
|
Term
|
Definition
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. SOURCE: FIPS 200
Certification – The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness. SOURCE: FIPS 201
Comprehensive evaluation of the technical and nontechnical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. See security control assessment. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Formal declaration by a Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization. SOURCE: CNSSI No. 4009 |
|
|
Term
|
Definition
Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software. The goals of a change control procedure usually include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change. SOURCE: http://en.wikipedia.org/wiki/Change_Control |
|
|
Term
|
Definition
Classifying data according to its sensitivity SOURCE: ADAM SWAN |
|
|
Term
|
Definition
Computer crime refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. SOURCE: http://en.wikipedia.org/wiki/Computer_crime#cite_note-moore-0 |
|
|
Term
|
Definition
Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation. SOURCE: CNSSI-4009; SP 800-37; SP 800-53 |
|
|
Term
|
Definition
A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations. SOURCE: SP 800-34
Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. Defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specifies succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications, and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
List alternative projects/programs. List stakeholders. Select measurement(s) and measure all cost/benefit elements. Predict outcome of cost and benefits over relevant time period. Convert all costs and benefits into a common currency. Apply discount rate. Calculate net present value of project options. Perform sensitivity analysis. Adopt recommended choice. Source: http://en.wikipedia.org/wiki/Cost%E2%80%93benefit_analysis#Process |
|
|
Term
|
Definition
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems. SOURCE: CNSSI-4009 (Definition for Asset) |
|
|
Term
|
Definition
The process of granting or denying specific requests to:
1) obtain and use information and related information processing services; and
2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). SOURCE: FIPS 201; CNSSI-4009 (Definition of Access Control) |
|
|
Term
|
Definition
An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. SOURCE: SP 800-61
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Not formally defined by CNSS
(Incident Response Plan)
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s). SOURCE: SP 800-34
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of an incident against an organization's IT system(s). SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Due diligence is the process of systematically researching and verifying the accuracy of a statement. SOURCE: http://whatis.techtarget.com/definition/due-diligence |
|
|
Term
Effect of Countermeasures |
|
Definition
Not formally defined by CNSS
(Countermeasures)
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. SOURCE: SP 800-53; SP 800-37; FIPS 200 |
|
|
Term
Environment/natural threats |
|
Definition
Hurricanes, Tornadoes, Rodent Infestation, Sewage Backup. |
|
|
Term
|
Definition
CHECK OUT: http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/ |
|
|
Term
|
Definition
A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Unauthorized user who attempts to or gains access to an information system. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. SOURCE: SP 800-59; CNSSI-4009 |
|
|
Term
|
Definition
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. SOURCE: SP 800-27
The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. SOURCE: CNSSI-4009
(Definition of Data Integrity) |
|
|
Term
|
Definition
Unauthorized act of bypassing the security mechanisms of a system. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner. SOURCE: FIPS 140-2
The property whereby an entity has not been modified in an unauthorized manner. SOURCE: CNSSI-4009 |
|
|
Term
Life Cycle System Security |
|
Definition
Not formally defined by the CNSS |
|
|
Term
|
Definition
A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. SOURCE: SP 800-53A
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. SOURCE: SP 800-53; CNSSI-4009
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. SOURCE: SP 800-115 |
|
|
Term
Personnel Security Policies |
|
Definition
control personnel recruitment process
include security in your job descriptions
develop a disciplinary process
check the backgrounds of job applicants
use confidentiality or non‑disclosure agreements
use employment contracts to protect information
provide information security training
control your information security training
learn from your security incidents
control your software malfunctions
report security threats and weaknesses
report information security incidents
respond to information security incidents
SOURCE: http://www.praxiom.com/iso-17799-6.htm |
|
|
Term
|
Definition
Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism. Source: http://searchsecurity.techtarget.com/definition/physical-security |
|
|
Term
|
Definition
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. SOURCE: SP 800-27
Examination of information to identify the risk to an information system. See risk assessment. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. SOURCE: SP 800-27
Examination of information to identify the risk to an information system. See risk assessment. SOURCE: CNSSI-4009
(Risk Assessment) The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. SOURCE: SP 800-53; SP 800-53A; SP 800-37
The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. SOURCE: SP 800-53; SP 800-53A; SP 800-37
Risk Management – The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; and 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system. SOURCE: FIPS 200
Risk Management – The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. SOURCE: SP 800-82; SP 800-34
The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program. SOURCE: CNSSI-4009 |
|
|
Term
Security Laws and Regulations |
|
Definition
Securities Act of 1933
Securities Exchange Act of 1934
Trust Indenture Act of 1939
Investment Company Act of 1940
Investment Advisers Act of 1940
Sarbanes-Oxley Act of 2002
Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
Jumpstart Our Business Startups Act of 2012 Source: http://www.sec.gov/about/laws.shtml |
|
|
Term
|
Definition
The statement of required protection of the information objects. SOURCE: SP 800-27 Pg 173 NIST IR 7298 Revision 1, Glossary of Key Information Security Terms
Security Policy – A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data. SOURCE: FIPS 188
A set of criteria for the provision of security services. SOURCE: SP 800-37; SP 800-53; CNSSI-4009 |
|
|
Term
|
Definition
Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. SOURCE: CNSSI-4009 |
|
|
Term
Security Test and Evaluation Procedures |
|
Definition
Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. SOURCE: SP 800-61
A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. SOURCE: SP 800-114
The process of attempting to trick someone into revealing information (e.g., a password). SOURCE: SP 800-115
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack an enterprise. SOURCE: CNSSI-4009 |
|
|
Term
System protection profile |
|
Definition
Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system. SOURCE: CNSSI-4009 |
|
|
Term
|
Definition
Formal description and evaluation of the vulnerabilities in an information system. SOURCE: SP 800-53; SP 800-37
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. SOURCE: SP 800-53A; CNSSI-4009 |
|
|
Term
Unauthorized System Access |
|
Definition
A person gains logical or physical access without permission to a network, system, application, data, or other IT resource. SOURCE: SP 800-61
Unauthorized Access – Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use. SOURCE: FIPS 191
Any access that violates the stated security policy. SOURCE: CNSSI-4009 |
|
|
Term
Vulnerability analysis tools |
|
Definition
Network Scanners
Host Scanners
Database Scanners
Web Application Scanners
Multilevel Scanners
Automated Penetration Test Tools
Vulnerability Scan Consolidators |
|
|