Glossary
A.R.S. § 18-104
Statute concerning powers and duties of the department; violation; classification.
A.R.S. § 18-105
Statute concerning statewide information security and privacy office; duties; suspension of budget unit's information infrastructure
A.R.S. § 38-448
Statute concerning State employees; access to internet pornography prohibited; cause for dismissal; definitions.
A.R.S. § 41-3532
Statute concerning alternative methods of access to electronic or information technology; complaint procedure; rules
Acceptance
The point at which the end-users of a system declare, formally, that the system meets their needs and has performed satisfactorily during the test procedures. Unless a system has been acquired, installed, or amended purely for the IT department, it is not sufficient for technical staff to declare it acceptable; the end users must be involved.
Access (Logical)
The process of being able to enter, modify, delete, or inspect records and data held on a computer system by means of providing an ID and password (if required). The view that restricting physical access relieves the need for logical access restrictions is misleading. Any BU with communications links to the outside world has a security risk of logical access.
Access (NIST)
Ability to make use of any information system (IS) resource.
SOURCE: SP 800-32
Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
SOURCE: CNSSI-4009
Access (Physical)
The process of obtaining use of a computer system (for example by sitting down at a keyboard) or of being able to enter specific area(s) of the BU where the main computer systems are located.
Access is to instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system or network.
Access Control (NIST)
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances).
SOURCE: FIPS 201; CNSSI-4009
Access Control List (ACL) (NIST)
1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
SOURCE: CNSSI-4009
Access Control Mechanism (NIST)
Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
SOURCE: CNSSI-4009
Access Control Services
A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.
Access Level (NIST)
A category within a given security classification limiting entry or system connectivity to only authorized persons.
SOURCE: CNSSI-4009
Access List (NIST)
Roster of individuals authorized admittance to a controlled area.
SOURCE: CNSSI-4009
ACCESS MANAGEMENT
A discipline that focuses on ensuring that only approved roles are able to create, read, update, or delete data – and only using appropriate and controlled methods. Data Governance programs often focus on supporting Access Management by aligning the requirements and constraints posed by Governance, Risk Management, Compliance, Security, and Privacy efforts.
SOURCE: Data Governance Institute
Access Point (NIST)
A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization's enterprise network.
SOURCE: SP 800-48; SP 800-121
Access Profile (NIST)
Association of a user with a list of protected objects the user may access.
SOURCE: CNSSI-4009
Access Rights
The powers granted to users to create, change, delete, or simply view data and files within a system, according to a set of rules defined by IT and business management. It is not necessarily true that the more senior a person, the more power is granted. For example, most data capture (essentially creating new files or transactions) is performed at a relatively junior level, and it is not uncommon for senior management to have access rights only to view data, with no power to change it. There are very good Internal Control and Audit reasons for adopting this approach.
Access Type (NIST)
Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write.
SOURCE: CNSSI-4009
Account
An 'account' is the term used most commonly to describe a user's profile that permits access to computer systems. Sometimes the account refers simply to the means of gaining network access to printers and the filing system; in other instances 'accounts' can be specific to an application system and incorporate a range of optional privileges controlling a user's level of access. (See Access Control).
Account Data
Cardholder data plus sensitive authentication data.
SOURCE: VERIZON PCI SECURITY
Account Management, User (NIST)
Involves
1) the process of requesting, establishing, issuing, and closing user accounts;
2) tracking users and their respective access authorizations; and
3) managing these functions.
SOURCE: SP 800-12
Accountability (NIST)
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE: SP 800-27
Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
SOURCE: CNSSI-4009
Accounting Legend Code (ALC) (NIST)
Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System.
SOURCE: CNSSI-4009
Accounting Number
Number assigned to an item of COMSEC material to facilitate its control.
SOURCE: CNSSI-4009
Accreditation (NIST)
See Authorization
Accreditation Authority (NIST)
See Authorizing Official
Accreditation Boundary (NIST)
See Authorization Boundary
Accreditation Package (NIST)
Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision.
SOURCE: CNSSI-4009
Accrediting Authority (NIST)
Synonymous with Designated Accrediting Authority (DAA). See also Authorizing Official.
SOURCE: CNSSI-4009
Activation Data (NIST)
Private data, other than keys, that are required to access cryptographic modules.
SOURCE: SP 800-32
Active Attack (NIST)
An attack that alters a system or data.
SOURCE: CNSSI-4009
An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
SOURCE: SP 800-63
Active Content (NIST)
Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
SOURCE: SP 800-28
Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.
SOURCE: CNSSI-4009
Active Security Testing (NIST)
Security testing that involves direct interaction with a target, such as sending packets to a target.
SOURCE: SP 800-115
Active Server Page (ASP)
An HTML page that includes one or more scripts (small embedded programs) that are processed on a Microsoft Web server before the page is sent to the user. An ASP is somewhat similar to a server-side include or a common gateway interface (CGI) application in that all involve programs that run on the server, usually tailoring a page for the user. Typically, the script in the Web page at the server uses input received as the result of the user's request for the page to access data from a database and then builds or customizes the page on the fly before sending it to the requestor.
Activities (NIST)
An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
SOURCE: SP 800-53A
Activity Monitors
Activity monitors aim to prevent virus infection by monitoring for malicious activity on a system, and blocking that activity when possible.
Ad Hoc Network (NIST)
A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station.
SOURCE: SP 800-121
ADABAS
A high-performance database for large, mission-critical applications. Adabas can be accessed via native calls from any development environment that is able to submit a call. Data is administered via SQL and standard interfaces such as ODBC or JDBC. Adabas is available on mainframe, Windows™ NT, and UNIX operating system platforms.
Adaptability
The capability of a software application or product (hardware or software) to adjust fittingly to new requirements, conditions, and environments without requiring extensive modification.
Adaptive
Showing or having a capacity for or tendency toward adaptation, which is the adjustment or modification that makes something more fit given the conditions of its environment.
Add-on Security (NIST)
Incorporation of new hardware, software, or firmware safeguards in an operational information system.
SOURCE: CNSSI-4009
Adequate Security (NIST)
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
SOURCE: SP 800-53; FIPS 200; OMB Circular A-130, App. III
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
SOURCE: CNSSI-4009; SP 800-37
Administrative Account (NIST)
A user account with full privileges on a computer.
SOURCE: SP 800-69
Administrative Safeguards (NIST)
Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.
SOURCE: SP 800-66
Advanced Encryption Standard (AES) (NIST)
The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
SOURCE: FIPS 197
A U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
SOURCE: CNSSI-4009
Advanced Key Processor (AKP) (NIST)
A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).
SOURCE: CNSSI-4009
Advanced Persistent Threat (APT) (NIST)
An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
SOURCE: SP 800-39
Advantage™
Computer Associates' family of database management, application development, and enterprise reporting solutions that support ongoing business operations, coupled with continued business growth. Given today's rapid expansion of business information and the need to consistently re-deploy this information throughout the enterprise, businesses must have solutions that minimize technology risk while maximizing return on technology investment. Advantage™ provides a broad range of proven, production-worthy solutions that preserve the integrity of on-going business operations, providing a solid foundation that flexibly extends to embrace new business opportunities, enhancing return on investment for the overall IT infrastructure.
Adversary (NIST)
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
SOURCE: SP 800-30
Advisory (NIST)
Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems.
SOURCE: CNSSI-4009
Adware
Any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen.
Affordable Care Act
U.S. federal statute signed into law on March 23, 2010, with the goal of expanding public and private insurance coverage and reducing the cost of healthcare for individuals and the government.
SOURCE: IRS PUB 1075
Agency Platform
See Arizona Enterprise Services Platform.
Agent (NIST)
A program acting on behalf of a person or organization.
SOURCE: SP 800-95
Alert (NIST)
Notification that a specific attack has been directed at an organization’s information systems.
SOURCE: CNSSI-4009
Algorithm
A step-by-step procedure for calculations. Algorithms are used for calculation, data processing, and automated reasoning.
An algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Starting from an initial state and initial input (perhaps empty), the instructions describe a computation that, when executed, proceeds through a finite number of well-defined successive states, eventually producing "output" and terminating at a final ending state. The transition from one state to the next is not necessarily deterministic; some algorithms, known as randomized algorithms, incorporate random input.
SOURCE: WIKIPEDIA
Allocation (NIST)
The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
SOURCE: SP 800-37
Alternate Processing Site
Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed.
SOURCE: ISACA
Alternate Storage Site
A secure location that is distant from the primary IT location used to store backup media.
Alternate Work Site
Program allowing employees to work at home or at geographically convenient satellite offices for part of the workweek (e.g., telecommuting).
American National Standards Institute (ANSI)
A voluntary organization composed of corporate, government, and other members that coordinates standards-related activities, approves U.S. national standards, and develops positions for the United States in international standards organizations. ANSI helps develop international and United States standards relating to, among other things, communications and networking. ANSI is a member of the IEC and the ISO.
American Standard Code for Information Interchange (ASCII)
A character-encoding scheme originally based on the English alphabet that encodes 128 specified characters - the numbers 0-9, the letters a-z and A-Z, some basic punctuation symbols, some control codes that originated with Teletype machines, and a blank space - into 7-bit binary integers.
SOURCE: WIKIPEDIA
AMS
Asset Management System – The system used by AZNet to inventory and manage the State’s telecommunications assets.
Analysis (NIST)
The examination of acquired data for its significance and probative value to the case.
SOURCE: SP 800-72
Anomaly-Based Detection (NIST)
The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
SOURCE: SP 800-94
Anti-spoof (NIST)
Countermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
SOURCE: CNSSI-4009
Anti-virus Programs
Infection prevention programs that prevent the infection and replication process from occurring on computers, networks, operating, and communication systems.
Anti-virus Software (NIST)
A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
SOURCE: SP 800-83
Antispyware Software (NIST)
A program that specializes in detecting both malware and non-malware forms of spyware.
SOURCE: SP 800-69
AOP
Annual Operating Plan – A document produced in the spring of each year to correspond with the planning cycle of state agencies. The AOP outlines prior, present and future areas of focus and investment toward the goal of a statewide converged network for the AZNet Program.
Applicant (NIST)
The subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.
SOURCE: SP 800-32
Application (NIST)
A software program hosted by an information system.
SOURCE: SP 800-37
Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.
SOURCE: CNSSI-4009
Application Program Interface (API)
An API specifies how some software components should interact with each other.
In addition to accessing databases or computer hardware, such as hard disk drives or video cards, an API can be used to ease the work of programming graphical user interface components. In practice, many times an API comes in the form of a library that includes specifications for routines, data structures, object classes, and variables. In some other cases, notably for SOAP and REST services, an API comes as just a specification of remote calls exposed to the API consumers.
SOURCE: WIKIPEDIA
Application Service Providers (ASPs)
Companies that offer individuals or enterprises access over the Internet to applications and related services that would otherwise have to be located in their own personal or enterprise computers. Sometimes referred to as "apps-on-tap," ASP services are expected to become an important alternative, not only for smaller companies with low budgets for information technology, but also for larger companies as a form of outsourcing and for many services for individuals as well. Most corporations are essentially providing their own ASP service in-house, moving applications off personal computers, and putting them on a special kind of application server that is designed to handle the stripped-down kind of thin-client workstation. This allows an enterprise to reassert the central control over application cost and usage that corporations formerly had prior to the advent of the PC.
Approval to Operate (ATO) (NIST)
The official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
SOURCE: CNSSI-4009
Approved Mode of Operation (NIST)
A mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).
SOURCE: FIPS 140-2
Approved Security Function (NIST)
A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either
a) specified in an Approved Standard;
b) adopted in an Approved Standard and specified either in an appendix of the Approved Standard or in a document referenced by the Approved Standard; or
c) specified in the list of Approved security functions.
SOURCE: FIPS 140-2
Arizona Enterprise Services Platform (AESP)
An aggregation of front-end and back-end services designed to provide core, reusable capabilities that can be used by the State to develop, deploy and maintain business-specific applications, and is the technical foundation for delivering on ADOA-ASET's "Big, Hairy, Audacious Goal" (BHAG) of enabling agencies to deliver "Every service, available at anytime, anywhere to every Arizonan."
Arizona Public Records Law
A.R.S. § 39, Public Records.
SOURCE: STATE OF ARIZONA REVISED STATUTES WEBSITE
Arizona Revised Statutes (A.R.S.)
Statutes passed by the Arizona State Legislature and signed into law by the Governor. Statutes are binding upon ADOA and compliance is mandatory. ADOA’s responsibilities are contained in Title 41, State Government, Chapter 32, Government Information Technology, Article 1, General Provisions.
Assessment (NIST)
See Security Control Assessment
Assessment Findings (NIST)
Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
SOURCE: SP 800-53A
Assessment Method (NIST)
One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
SOURCE: SP 800-53A
Assessment Object (NIST)
The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
SOURCE: SP 800-53A
Assessment Procedure (NIST)
A set of assessment objectives and an associated set of assessment methods and assessment objects.
SOURCE: SP 800-53A
Assessor (NIST)
See Security Control Assessor
Asset (NIST)
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
SOURCE: CNSSI-4009
Asset Identification (NIST)
Security Content Automation Protocol (SCAP) constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets.
SOURCE: SP 800-128
Asset Reporting Format (ARF) (NIST)
SCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.
SOURCE: SP 800-128
ASSURANCE
Activities designed to reach a measure of confidence. Assurance is different from audit, which is more concerned with compliance to formal standards or requirements.
SOURCE: Data Governance Institute
Assurance (NIST)
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE: SP 800-27
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE: SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE: CNSSI-4009; SP 800-39
In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
SOURCE: SP 800-63
Assurance Case (NIST)
A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
SOURCE: SP 800-53A; SP 800-39
Assured Information Sharing (NIST)
The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.
SOURCE: CNSSI-4009
Assured Software (NIST)
Computer application that has been designed, developed, analyzed, and tested using processes, tools, and techniques that establish a level of confidence in it.
SOURCE: CNSSI-4009
Asymmetric Cryptography (NIST)
See Public Key Cryptography.
SOURCE: CNSSI-4009
Asymmetric Keys (NIST)
Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
SOURCE: FIPS 201
Asynchronous Transfer Mode (ATM)
A telecommunications concept defined by ANSI and ITU standards for carriage of a complete range of user traffic, including voice, data, and video signals.
SOURCE: WIKIPEDIA
ATM
Asynchronous Transmission Mode – A network protocol for electronic digital data transmission that uses packet switching of variable sizes and establishes a virtual circuit between two endpoints before the actual data exchange begins. This technology is suitable for wide area data networking as well as real-time media transport.
Attack (NIST)
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
SOURCE: SP 800-32
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
SOURCE: CNSSI-4009
Attack Sensing and Warning (AS&W) (NIST)
Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.
SOURCE: CNSSI-4009
Attack Signature (NIST)
A specific sequence of events indicative of an unauthorized access attempt.
SOURCE: SP 800-12
A characteristic byte pattern used in malicious code or an indicator, or set of indicators, that allows the identification of malicious network activities.
SOURCE: CNSSI-4009
Attribute Authority (NIST)
An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.
SOURCE: SP 800-32
Attribute-Based Access Control (NIST)
Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
SOURCE: SP 800-53; CNSSI-4009
Attribute-Based Authorization (NIST)
A structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.
SOURCE: CNSSI-4009
AUDIT
An independent examination of an effort to determine its compliance with a set of requirements. An audit may be carried out by internal or external groups.
SOURCE: Data Governance Institute
Audit (NIST)
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
SOURCE: SP 800-32
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
SOURCE: CNSSI-4009
Audit Data (NIST)
Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.
SOURCE: SP 800-32
Audit Finding
A documented instance where the audit team identifies one or more exceptions and concludes that a policy, standard or control is absent, designed ineffectively or not operating effectively.
Audit Log (NIST)
A chronological record of system activities. Includes records of system accesses and operations performed in a given period.
SOURCE: CNSSI-4009
Audit Reduction Tools (NIST)
Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.
SOURCE: SP 800-12; CNSSI-4009
Audit Review (NIST)
The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.
SOURCE: CNSSI-4009
AUDIT TRAIL
A record that can be interpreted by auditors to establish that an activity has taken place. Often, a chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event. An audit trail of system resource usage may include user login, file access, and triggers that indicate whether any actual or attempted security violations occurred.
SOURCE: Data Governance Institute
Audit Trail (NIST)
A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.
SOURCE: SP 800-47
A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.
SOURCE: CNSSI-4009
Auditing
Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.
Authenticate (NIST)
To confirm the identity of an entity when that identity is presented.
SOURCE: SP 800-32
To verify the identity of a user, user device, or other entity.
SOURCE: CNSSI-4009
Authentication (NIST)
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; FIPS 200; SP 800-30
The process of establishing confidence of authenticity.
SOURCE: FIPS 201
Encompasses identity verification, message origin authentication, and message content authentication.
SOURCE: FIPS 190
A process that establishes the origin of information or determines an entity’s identity.
SOURCE: SP 800-21
The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data.
SOURCE: CNSSI-4009
The process of establishing confidence in the identity of users or information systems.
SOURCE: SP 800-63
Authentication Code (NIST)
A cryptographic checksum based on an Approved security function (also known as a Message Authentication Code [MAC]).
SOURCE: FIPS 140-2
Authentication Mechanism (NIST)
Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device.
SOURCE: SP 800-72; SP 800-124
Hardware- or software-based mechanisms that force users, devices, or processes to prove their identity before accessing data on an information system.
SOURCE: CNSSI-4009
Authentication Mode (NIST)
A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.
SOURCE: SP 800-38B
Authentication Period (NIST)
The maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed.
SOURCE: CNSSI-4009
Authentication Protocol (NIST)
A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
SOURCE: SP 800-63
A well-specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.
SOURCE: CNSSI-4009
Authentication Tag (NIST)
A pair of bit strings associated to data to provide assurance of its authenticity.
SOURCE: SP 800-38B
Authentication Token (NIST)
Authentication information conveyed during an authentication exchange.
SOURCE: FIPS 196
Authenticator (NIST)
The means used to confirm the identity of a user, process, or device (e.g., user password or token).
SOURCE: SP 800-53; CNSSI-4009
Authenticity (NIST)
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.
SOURCE: SP 800-53; SP 800-53A; CNSSI-4009; SP 800-39
Authority (NIST)
Person(s) or established bodies with rights and responsibilities to exert control in an administrative sphere.
SOURCE: CNSSI-4009
Authorization
The process of establishing and enforcing an entity’s rights and privileges to access or provide specified resources, information, data, or documents.
Authorization (NIST)
Access privileges granted to a user, program, or process or the act of granting those privileges.
SOURCE: CNSSI-4009
Authorization (to operate) (NIST)
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
SOURCE: SP 800-53; SP 800-53A; CNSSI-4009; SP 800-37
Authorization Boundary (NIST)
All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
SOURCE: CNSSI-4009; SP 800-53; SP 800-53A; SP 800-37
Authorize Processing (NIST)
See Authorization (to operate).
Authorized Connected Devices
Devices that are connected to a network and have permission to access data and/or services (e.g., smart phones, authorized virtual office computer equipment, and defined external interfaces).
Authorizing Official (NIST)
Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
SOURCE: FIPS 200
Senior federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
SOURCE: CNSSI-4009; SP 800-53; SP 800-53A; SP 800-37
Automated Key Transport (NIST)
The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).
SOURCE: FIPS 140-2
Automated Security Monitoring (NIST)
Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
SOURCE: CNSSI-4009
Autonomous System (AS) (NIST)
One or more routers under a single administration operating the same routing policy.
SOURCE: SP 800-54
Availability
In the context of information security, refers to ensuring timely and reliable access to and use of information. The loss of availability is the disruption of access to or use of information or an information system. [44 U.S.C., Sec. 3542]
Availability (NIST)
Ensuring timely and reliable access to and use of information.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an authorized entity.
SOURCE: CNSSI-4009
Awareness (Information Security) (NIST)
Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.
SOURCE: SP 800-50
az.gov domain
Domain intended to be the basis for all statewide agencies and to be administered by the State Digital Government Program Manager.
AZNet II
Centralized data and voice service provided by ADOA-ASET using third-parties to all State Agencies.