Security glossary and terms
A - C
Access control - The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
Access Authority - An entity responsible for monitoring and granting access privileges for other authorized entities.
Access Level – A category within a given security classification limiting entry or system connectivity to only authorized persons.
Audit - An independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Authentication - The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data.
Baseline Security – The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Biometric – A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
Body of Evidence (BoE) – The set of data that documents the information system’s adherence to the security controls applied.
Business Continuity Plan (BCP) – The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business functions will be sustained during and after a significant disruption.
Business Impact Analysis (BIA) – An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Confidentiality - The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Chain of Custody – A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Chain of Evidence – A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.
Command Authority – Individual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges.
Contingency Plan – Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do.
Continuous Monitoring – The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends.
Credential – An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
D - F
Data Aggregation – Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.
Data Integrity – The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.
Data Security – Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
Electronic Signature – The process of applying any mark in electronic form with the intent to sign a data object.
Encryption - The cryptographic transformation of data (see cryptography) to produce ciphertext.
End-to-end security - The safeguarding of information in an information system from its point of origin to its intended destination.
Enterprise Risk Management – The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions.
Fail Safe – Automatic protection of programs and/or processing systems when hardware or software failure is detected.
False Positive – An alert that incorrectly indicates that malicious activity is occurring.
Firewall - A system designed to prevent unauthorized access to or from a private network. [3] Firewalls can be implemented in both hardware and software, or a combination of both.
Forensics – The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
G - I
Graduated Security – A security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.
Guard (System) – A mechanism limiting the exchange of information between information systems or subsystems.
High Availability – A failover feature to ensure availability during device or component interruptions.
Hybrid Security Control – A security control that is implemented in an information system in part as a common control and in part as a system-specific control. See also Common Control and System-Specific Security Control.
Identification – The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
Identity-Based Access Control – Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Identity-based security policy - A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed.
Interim Security Clearance - A security clearance based on the completion of minimum investigative requirements, which is granted on a temporary basis, pending the completion of the full investigative requirements.
Intrusion - Unauthorized act of bypassing the security mechanisms of a system.
Intrusion Detection System (IDS) - A security alarm system to detect unauthorized entry.
J - L
Joint Authorization – Security authorization involving multiple authorizing officials.
Key Management Infrastructure (KMI) – All parts (computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine) that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.
Labeled Security Protections – Access control protection features of a system that use security labels to make access control decisions.
Level of Concern – Rating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern.
Level of Protection – Extent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs.
M - O
Management Controls – The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Management Security Controls – The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.
Multilevel Security (MLS) – Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.
Need for Access - A determination that an employee requires access to a particular level of classified information in order to perform or assist in a lawful and authorized organizational function.
Need To Know Determination – Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.
Operational Controls – The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
P - R
Passive Security Testing – Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.
Policy-Based Access Control (PBAC) – A form of access control that uses an authorization policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, and heuristics).
Privileged User – A user that is authorized (and, therefore, trusted) to perform security relevant functions that ordinary users are not authorized to perform.
Qualitative Assessment – Use of a set of methods, principles, or rules for assessing risk based on nonnumeric categories or levels.
Quality of Service – The measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a Service-Level Agreement between a user and a service provider, so as to satisfy specific customer application requirements.
Response - Immediate actions to save lives, protect property and the environment, and meet basic human needs. Response also includes the execution of emergency plans and actions to support short-term recovery.
Response Force - Personnel, not including those on fixed security posts, appropriately equipped and trained, whose duties include initial or follow-up response to situations.
Risk - A measure of the potential degree to which protected information is subject to loss through adversary exploitation. See: Risk Management.
Risk Analysis - A method by which individual vulnerabilities are compared to perceived or actual security threat scenarios in order to determine the likelihood of compromise of critical information.
Risk Assessment - A written evaluation supporting the adjudicative process, especially when a significant exception to a personnel security standard is being considered.
Risk Avoidance - A security philosophy which postulates that adversaries are all-knowing and highly competent, against which risks are avoided by maximizing defenses and minimizing vulnerabilities.
S - V
Safeguarding - Controls that are prescribed to protect classified information.
Security - The protection of information to assure it is not accidentally or intentionally disclosed to unauthorized personnel.
Security Incident - A security compromise, infraction, or violation.
Security Policy - The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Profile - The approved aggregate of hardware and software and administrative controls used to protect the system.
Security Testing - A process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed application environment. This process includes hands-on functional testing, penetration testing, and verification.
Sensitive Activities - Sensitive activities are Special Access Programs (SAPs) or code word programs, critical research and development efforts, operations or intelligence activities, special plans, special activities, or sensitive support to the customer, customer contractors, or clients.
Surreptitious Entry - Unauthorized entry in a manner which leaves no readily discernible evidence.
Surveillance - The systematic observation of aerospace, surface or subsurface areas, places, persons, or things, by visual, aural, photographic, or other means.
System Security Plan (SSP) - Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
Target - An individual, operation, or activity which an adversary has determined possesses information that might prove useful in attaining his or her objective.
Technical Security - A security discipline dedicated to detecting, neutralizing, and/or exploiting a wide variety of hostile and foreign penetration technologies.
Temporary Access Eligibility - Access based on the completion of minimum investigative requirements under exceptional circumstances where official functions must be performed prior to completion of the investigation and adjudication process.
Terrorism - The calculated use of violence or threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.
Threat Assessment - An evaluation of the intelligence collection threat to a program activity, system, or operation.
Threat Monitoring - The analysis, assessment, and review of Information System (IS) audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of data or system security.
Unauthorized Disclosure (UD) - A communication or physical transfer of classified information to an unauthorized recipient.
Unauthorized Person - A person not authorized to have access to specific classified information.
Uncontrolled Access Area (UAA) - The space in and around a building where no personnel access controls are exercised.
Undercover Operation - A phrase usually associated with the law enforcement community and which describes an operation that is so planned and executed as to conceal the identity of, or permit plausible denial by, the sponsor.
Unfavorable Administrative Action - Adverse action taken as the result of personnel security determinations and unfavorable personnel security determinations.
User Identification - A unique symbol or character string that is used by an Information System (IS) to uniquely identify a specific user.
Vault - A room(s) used for the storing, handling, discussing, and/or processing of Special Access Program (SAP) information.
Violation - Any knowing, willful, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information.
Virus - A malicious computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. The intent of the virus is varying levels of negative effects, such as causing a program to operate incorrectly or corrupting a computer’s memory.
Vulnerability - A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability Analysis - A process which examines a friendly operation or activity from the point of view of an adversary, seeking ways in which the adversary might determine critical information in time to disrupt or defeat the operation or activity.
Vulnerability Assessment - The results of a vulnerability analysis expressed as a degree of probable exploitation by an adversary.
W - Z
Waiver - An exemption from a specific requirement.
Waiver (Personnel Security) - Access eligibility granted or continued despite the presence of substantial issue information that would normally preclude access.
Weapons of Mass Destruction (WMD) - Chemical, Biological, Radiological, Nuclear, and High-Explosive (CBRNE) weapons capable of a high order of destruction and/or causing mass casualties.