Glossary

Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.

SOURCE: CNSSI-4009

Customer Account Manager – The AZNet team of customer service representatives who assist agencies with small projects and pricing quotes.

The process of determining the system capacity needed to deliver specific performance levels through quantification and analysis of current and projected workload.

The method of taking a biometric sample from an end user.

Source:  FIPS 201

Both of these terms are commonly used to refer to the number printed on a card to help secure "card not present" transactions - other terms include CVC, CID and CSC. To be precise, the code printed on the card is actually the CVV2 - and the CVV is integrity-check data encoded on the magnetic strip - but both terms are widely used online.

SOURCE: VERIZON PCI SECURITY

All people, processes and technologies that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD).

SOURCE: VERIZON PCI SECURITY

Carrier Services are telephone and data communications through some type of high-speed network channels to transport data between points in a Wide Area Network (WAN). Over time, as communications equipment becomes more sophisticated, the distinction between the types of traffic carried will cease.

A style sheet language used for describing the look and formatting of a document written in a markup language.

SOURCE: WIKIPEDIA

See Cipher Block Chaining-Message Authentication Code

the basic data unit for ATM switching and multiplexing. Cells contain identifiers that specify the data stream to which they belong. Each cell consists of a 5-byte header and 48 bytes of payload.

A digital representation of information which at least

1) identifies the certification authority issuing it,

2) names or identifies its subscriber,

3) contains the subscriber's public key,

4) identifies its operational period, and

5) is digitally signed by the certification authority issuing it.

SOURCE: SP 800-32

A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.

Additional information in the certificate could specify how the key is used and its cryptoperiod.

SOURCE: SP 800-21

A digitally signed representation of information that 1) identifies the authority issuing it, 2) identifies the subscriber, 3) identifies its valid operational period (date issued / expiration date). In the information assurance (IA) community, certificate usually implies public key certificate and can have the following types:

cross certificate – a certificate issued from a CA that signs the public key of another CA not within its trust hierarchy that establishes a trust relationship between the two CAs.

encryption certificate – a certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate.

identity certificate – a certificate that provides authentication of the identity claimed.  Within the National Security Systems (NSS) PKI, identity certificates may be used only for authentication or may be used for both authentication and digital signatures.

SOURCE:  CNSSI-4009

A set of data that uniquely identifies a key pair and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.

SOURCE: FIPS 186

A Certification Authority (CA) or a Registration Authority (RA).

SOURCE: SP 800-32

A formal document that describes the various roles involved in creating, maintaining, and validating digital certificates. It also specifies obligations associated with the roles and which parts of the process may be delegated.

A list of revoked public key certificates created and digitally signed by a Certification Authority.

SOURCE: SP 800-63; FIPS 201

A list of revoked but un-expired certificates issued by a CA.

SOURCE: SP 800-21

A list of revoked public key certificates created and digitally signed by a Certification Authority.

SOURCE: CNSSI-4009

The use of SSL and certificates to authenticate and encrypt HTTP traffic

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security

requirements for the system.

SOURCE: FIPS 200

The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.

SOURCE: FIPS 201

Comprehensive evaluation of the technical and nontechnical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. See Security Control Assessment.

SOURCE: CNSSI-4009

A trusted entity that issues and revokes public key certificates.

SOURCE: FIPS 201

The entity in a public key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance to a PKI policy.

SOURCE: SP 800-21; FIPS 186

1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements

2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.

SOURCE: CNSSI-4009

Product of the certification effort documenting the detailed results of the certification activities.

SOURCE: CNSSI-4009

A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The "sequencing" of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.

SOURCE: CNSSI-4009

Uses a challenge/response authentication mechanism where the response varies every challenge to prevent replay attacks.

The addition, modification or removal of anything that could have an effect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changes to IT services and other configuration items.

SOURCE: ITIL V3

A committee that makes decisions regarding whether or not proposed changes to a software project should be implemented. In short any changes to the Baseline Requirements agreed with the client, should be taken up by project team on approval from this committee. If any change is agreed by the committee, it is communicated to the project team and client and the requirement is Baselined with the change. The change control board is constituted of project stakeholders or their representatives. The authority of the change control board may vary from project to project, but decisions reached by the change control board are often accepted as final and binding. The decision of acceptance of the changes also depends upon the stage or phase of the project. The main objective is to ensure acceptance of the project (deliverable) by the client.

SOURCE: WIKIPEDIA

Value computed on data to detect error or manipulation.

SOURCE: CNSSI-4009

See Senior Agency Information Security Officer

A secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.

SOURCE: SP 800-38C

Cryptographic logic that uses previous cipher text to generate a key stream.

SOURCE: CNSSI-4009

A party whose identity is to be verified using an authentication protocol.

SOURCE: SP 800-63; FIPS 201

An entity that is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard [claimant] can act on behalf of a human user [principal])

SOURCE: FIPS 196

An entity (user, device or process) whose assertion is to be verified using an authentication protocol.

SOURCE: CNSSI-4009

To use software or hardware products to overwrite storage space on the media with nonsensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. See comments on Clear/Purge Convergence.

SOURCE: SP 800-88

Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.

SOURCE: CNSSI-4009

A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.

SOURCE: SP 800-32

Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.

SOURCE: CNSSI-4009

A model for enabling on-demand network access to a shared pool of configurable IT capabilities/ resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self- service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service [PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud).

Note: Both the user's data and essential security services may reside in and be managed within the network cloud.

SOURCE: CNSSI-4009

Backup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.

SOURCE: CNSSI-4009

A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.

SOURCE: SP 800-34

Two or more distinct inputs produce the same output. Also see Hash Function.

SOURCE: SP 800-57 Part 1

An information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.

SOURCE: SP 800-53

In a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.

SOURCE: SP 800-53

A set of measures of the severity of software security configuration issues.

SOURCE: NISTIR 7502

A SCAP specification for measuring the severity of software security configuration issues.

SOURCE: SP 800-128

A SCAP specification that provides a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names that can be shared by multiple parties and solutions to refer to the same specific platform type.

SOURCE: SP 800-128

An SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.

SOURCE: SP 800-128

The process of comparing a biometric with a previously stored reference.

SOURCE: FIPS 201

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.

SOURCE: SP 800-37

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system.

SOURCE: SP 800-53A; SP 800-53

A discipline, set of practices, and/or organizational group that deals with adhering to laws, regulations, standards, and contractual  arrangements. Also, the adherence to requirements. Data Governance programs often support many types of compliance requirements: Regulatory compliance, contractual compliance, adherence to internal standards, policies, and architectures, and conformance to rules for data management, project management, and other disciplines.

SOURCE: Data Governance Institute

A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.

SOURCE: SP 800-53A

Use of a crypto-algorithm program by a computer to authenticate or encrypt/decrypt information.

SOURCE: CNSSI-4009

An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security

Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

SOURCE: CNSSI-4009

Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.

SOURCE: CNSSI-4009

Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.

SOURCE: CNSSI-4009

A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).

SOURCE: SP 800-61

A resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.

SOURCE: FIPS 188; CNSSI-4009

Data that is protected from unauthorized disclosure based on laws, regulations, and other legal agreements.

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-

60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542

The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.

SOURCE: FIPS 140-2

The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.

SOURCE: CNSSI-4009

Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.

SOURCE: CNSSI-4009; SP 800-37; SP 800-53

Any component or other service asset that needs to be managed in order to deliver an IT service.

SOURCE: ITIL V3

Establish a known baseline condition and manage it

Type of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.

SOURCE: CNSSI-4009

Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.

SOURCE: CNSSI-4009

See also Information System Contingency Plan.

The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.

SOURCE: CNSSI-4009

Maintaining ongoing awareness to support organizational risk decisions.

SOURCE: SP 800-137

The power or authority to manage the record throughout its life cycle, including restricting, regulating and administering its use or disclosure.

Physical area (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance.

SOURCE: CNSSI-4009

A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems.

SOURCE: CNSSI-4009; SP 800-37

Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See Per-Call Key.

SOURCE: CNSSI-4009

A threat action that undesirably alters system operation by adversely modifying system functions or data.

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

SOURCE: SP 800-53; SP 800-37; FIPS 200

Testing performed using covert methods and without the knowledge of the organization’s IT staff, but with the full knowledge and permission of upper management.

SOURCE: SP 800-115

Establishing metrics to define what scenarios constitute a crisis and should consequently trigger the necessary response mechanisms. Communication that occurs within the response phase of emergency-management scenarios. Crisis-management methods of a business or an organization are called a crisis-management plan.

SOURCE: WIKIPEDIA

System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]

SOURCE: CNSSI-4009

Vulnerability that is created from insecure coding techniques, resulting in improper input validation. Often used in conjunction with CSRF and/or SQL injection.

SOURCE: PCI DSS GLOSSARY

A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.

SOURCE: SP 800-21; CNSSI-4009

A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.

SOURCE: SP 800-63

A binary string used as a secret parameter by a cryptographic algorithm.

SOURCE: SP 800-108

A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.

SOURCE: FIPS 201; FIPS 198

A parameter used in conjunction with a cryptographic algorithm that determines

* the transformation of plaintext data into ciphertext data,

* the transformation of ciphertext data into plaintext data,

* a digital signature computed from data,

* the verification of a digital signature computed from data,

* an authentication code computed from data, or

* an exchange agreement of a shared secret.

SOURCE: FIPS 140-2

A token where the secret is a cryptographic key.

SOURCE: SP 800-63

A portable, user-controlled physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions.

SOURCE: CNSSI-4009

The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.

SOURCE: SP 800-60

The mathematical science that deals with cryptanalysis and cryptography.

SOURCE: CNSSI-4009

Carrier Savings Initiative – A potential carrier (voice and data) savings opportunities identified by AZNet and presented to agencies for approval to implement.

Having physical possession of a record, even though the public body does not necessarily have responsibility for the record. Physical possession normally includes responsibility for access, managing, maintaining, preserving, disposing and providing security.

An online transaction processing (OLTP) program that, together with the COBOL programming language, has formed over the past several decades the most common set of tools for building customer transaction applications in large enterprise, mainframe computing. A large number of the legacy applications still in use are COBOL/CICS applications.

Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.

SOURCE: CNSSI-4009

The ability to protect or defend the use of cyberspace from cyber attacks.

SOURCE: CNSSI-4009

The process of protecting information by preventing, detecting, and responding to attacks.

SOURCE: NIST CYBERSECURITY FRAMEWORK

A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

SOURCE: CNSSI-4009