Glossary

The underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.

SOURCE: CNSSI-4009

The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.

SOURCE: SP 800-47

The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.

SOURCE:  FIPS 201

An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.

SOURCE: CNSSI-4009

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

SOURCE: NIST CYBERSECURITY FRAMEWORK

Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority.

SOURCE:  FIPS 201

The process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.

SOURCE:  FIPS 201;  CNSSI-4009

Tests enabling an information system to authenticate users or resources.

SOURCE: CNSSI-4009

Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.

SOURCE: SP 800-53; CNSSI-4009

Infrastructure Investment Charges – A component of the monthly seat charge that is used to fund projects for a converged data, voice and video statewide network. The projects upgrade statewide networks and supporting technologies, consolidate disparate agency networks, consolidate business and operational processes, improve measurable service levels, provide improved protection of the network from current and emerging security threats, and assist in a statewide network business continuity and disaster recovery program.

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

SOURCE: CNSSI-4009

High, Moderate, or Low security categories of an information system established in FIPS 199 which classify the intensity of a potential impact that may occur if the information system is jeopardized.

SOURCE:  SP 800-34

An unplanned interruption to an IT service, or a reduction in the quality of an IT service. Failure of a configuration item that has not yet impacted service is also an incident.

SOURCE: ITIL V3 SERVICE OPERATION 7.2.2

The mitigation of violations of security policies and recommended practices.

SOURCE:  SP 800-61

Entity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.

SOURCE: CNSSI-4009

Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack.

SOURCE: CNSSI-4009

A sign that an incident may have occurred or may be currently occurring.

SOURCE:  SP 800-61

Natural language description, possibly supplemented by mathematical arguments, demonstrating the correspondence of the functional specification to the high-level design.

SOURCE: CNSSI-4009

In its broadest definition, a discipline, process, and/or program focusing on the design and organization of data, unstructured information, and documents. In the context of Enterprise Architecture, it is a synonym for Data Architecture, which is one of the four Enterprise Architectures (with Application Architecture, Business Architecture, and System Architecture). In the context of designing documents and web pages, it is the structuring of large sets of information, as opposed to the development of the content of any content unit within the larger set.

SOURCE: Data Governance Institute

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.  These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

SOURCE:  SP 800-59; CNSSI-4009

A designation indicating the information classification, e.g., “Public”, “Standard”, “High”.

A three-part concept for information sharing, independent of, and across information systems and security domains that 1) identifies information sharing participants as individual members, 2) contains shared information objects, and 3) provides a security policy that identifies the roles and privileges of the members and the protections required for the information objects.

SOURCE: CNSSI-4009

Affixing a physical or electronic label identifying the security category of a document, file or records series in order to alert those who handle it that it requires protection at the applicable level.

Information models, also referred to as "meta-metadata," are components of data warehouse technology and typically document the following in a repository:

1. The business process driving the need for the data warehouse
2. The data elements involved (and the associated metadata)
3. Relationships between data elements
4. The flow of data into and out of the data warehouse, including the detailed processes that occur to input or output data in the data warehouse
5. Business events affecting the data warehouse
6. Security requirements

The physical location housing any information processing system, service or infrastructure; this includes storage facilities for equipment not yet deployed or awaiting disposal.

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

SOURCE:  SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec.3542

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information

nonrepudiation and authenticity;

2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal

privacy and proprietary information; and

3) availability, which means ensuring timely and reliable access to and use of information.

SOURCE:  SP 800-66; 44 U.S.C., Sec 3541

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

SOURCE:  SP 800-39

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

[Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.]

SOURCE:  SP 800-137

Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

SOURCE:  SP 800-53; SP 800-37; SP 800-18; CNSSI-4009

A perpetual inventory of information technology assets of the state. All agencies, boards, and commissions are required to have all IT inventory entered and accurate as possible by September 30th of each year. Inventory submitted as CSV or Microsoft Excel files.

SOURCE: ASET WEBSITE

Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.

SOURCE:  SP 800-34

The ability of an information system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack.

SOURCE:  SP 800-30

The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

SOURCE:  SP 800-39

Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

SOURCE:  SP 800-37; SP 800-53

Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.

SOURCE:  SP 800-53A;  SP 800-60

Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.

SOURCE:  SP 800-18

Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

SOURCE: CNSSI-4009

Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.

SOURCE: SP 800-39

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which—

1) requires the use of such equipment; or

2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.

The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

SOURCE:  SP 800-53; SP 800-53A; SP 800-37; SP 800-18; SP 800-60; FIPS 200; FIPS 199; CNSSI-4009; 40 U.S.C., Sec. 11101 and Sec 1401

The Information Technology Authorization Committee (ITAC) consists of public and private business and business IT leaders. The committee meets monthly to review IT projects and other Strategic IT issues as necessary. Any IT project valued over $1 million must be approved by the Information Technology Authorization Committee.

SOURCE: ASET WEBSITE

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.

SOURCE:  SP 800-53; SP 800-53A; SP 800-37; SP 800-18; SP 800-60; FIPS 200; FIPS 199; CNSSI-4009

Hardware and software employed by an organization to support processe

Setting the state of a cryptographic logic prior to key generation, encryption, or other operating mode.

SOURCE: CNSSI-4009

Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system. This class of vulnerabilities includes SQL injection, LDAP injection, and XPath injection.

SOURCE: PCI DSS GLOSSARY

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.

SOURCE:  SP 800-32

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

SOURCE:  SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542

The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

SOURCE:  FIPS 140-2

The property whereby an entity has not been modified in an unauthorized manner.

SOURCE: CNSSI-4009

An idea, invention, process, program, or application that derives from the work of the mind or intellect – specifically, one that has had its ownership registered for the purpose of protection from unauthorized use by others (from Merriam- Webster's Dictionary of Law ©1996).

Contract between State Agencies whereby one Agency provides a service to another, and the second Agency pays the first for the service. 

Common boundary between independent systems or modules where interactions take place.

SOURCE: CNSSI-4009

This publication provides guidance to ensure the policies, practices, controls, and

safeguards employed by recipient agencies, agents, or contractors adequately protect

the confidentiality of Federal Taxpayer Information (FTI).

SOURCE: IRS PUB. 1075

Security testing conducted from inside the organization’s security perimeter.

SOURCE:  SP 800-115

The single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB), and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

SOURCE: CNSSI-4009

An application-layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.

SOURCE: PCI DSS GLOSSARY

The network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. IPv4 routes each packet based on a 32-bit destination address called an IP address (e.g., 123.122.211.111). IPv6 uses a sixteen-octet 128-bit IP address.

See Voice over Internet Protocol (VoIP).

1. The ability of Information Technology (IT) systems to provide services to and accept services from other IT systems and to use the services so exchanged to enable them to operate effectively together.
2. The ability of disparate systems to be linked together and then operate as a single entity through the exchange of information facilitated through open standards or non-proprietary protocols.

Unauthorized act of bypassing the security mechanisms of a system.

SOURCE: CNSSI-4009

Network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

SOURCE: WIKIPEDIA  

Suite of protocols for securing Internet Protocol (IP) communications at the network layer, layer 3 of the OSI model by authenticating and/or encrypting each IP packet in a data stream.  IPsec also includes protocols for cryptographic key establishment.

SOURCE: CNSSI-4009

A family of standards published by the International Organization for Standardization designed to keep information assets secure.  ISO 27001 provides requirements for an information security management system.

SOURCE: ISO WEBSITE

A process for scoping and defining a problem prior to solving it. How a decision is framed limits the possible choices that are seriously considered.

SOURCE: Data Governance Institute

The leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.

SOURCE: The IT Governance Institute

A key function of IT Governance, IT portfolio management is the formal process for managing IT assets such as software, hardware, middleware, an IT project, internal staff, an application or external consulting.

SOURCE: Data Governance Institute

The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

SOURCE:  SP 800-50

The “documentation of IT security decisions” in an organization.

NIST SP 800-12 categorizes IT Security Policy into three basic types:

1) Program Policy—high-level policy used to create an organization’s IT security program, define its scope within the organization, assign implementation responsibilities, establish strategic direction, and assign resources for implementation.

2) Issue-Specific Policies—address specific issues of concern to the organization, such as contingency planning, the use of a particular methodology for systems risk management, and implementation of new regulations or law. These policies are likely to require more frequent revision as changes in technology and related factors take place.

3) System-Specific Policies—address individual systems, such as establishing an access control list or in training users as to what system actions are permitted. These policies may vary from system to system within the same organization. In addition, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization’s electronic mail (email) policy or fax security policy.

SOURCE:  SP 800-35

The implementation and management of Quality IT Services that meet the needs of the Business. IT Service Management is performed by IT Service Providers through an appropriate mix of people, Process and Information Technology. (Baseline IT definition)

SOURCE: Data Governance Institute

Information Technology Authorization Committee – A committee of appointed state officials charged with the jurisdiction to approve or reject Information Technology projects with development costs exceeding $1 million for all three (executive, judicial and legislative) branches of government.