Glossary

Bit(s) used to determine whether a block of data has been altered.

SOURCE: CNSSI-4009

An attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).

SOURCE:  SP 800-63

An attack that does not alter systems or data.

SOURCE: CNSSI-4009

A secret that a Claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings.

SOURCE:  SP 800-63

A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.

SOURCE:  FIPS 181

A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

SOURCE:  FIPS 140-2

A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.

SOURCE: CNSSI-4009

The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.

SOURCE:  SP 800-72

The ability to protect the contents of a file or device from being accessed until the correct password is entered.

SOURCE:  SP 800-124

The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.  These revisions are known as patches, hot fixes, and service packs.

SOURCE: CNSSI-4009

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes

SOURCE: WIKIPEDIA

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

SOURCE:  SP 800-53A; SP 800-53; CNSSI-4009

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

SOURCE:  SP 800-115

Information whose value can decrease substantially during a specified time.  A significant decrease in value occurs when the operational circumstances change to the extent that the information is no longer useful.

SOURCE: CNSSI-4009

A utility on a computer that monitors network activity and blocks communications that are unauthorized.

SOURCE:  SP 800-69

(a) Means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:

(i) The individual's social security number.

(ii) The individual's number on a driver license issued pursuant to section 28-3166 or number on a nonoperating identification license issued pursuant to section 28-3165.

(iii) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.

(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

SOURCE: A.R.S. 44-7501 l.6.

Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.

SOURCE:  SP 800-83

Deceiving individuals into disclosing sensitive personal information through deceptive computer-based means.

SOURCE: CNSSI-4009

A digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.

SOURCE:  SP 800-115

Project Investment Justification – A business case required for all projects with a onetime cost of $25,000 or more. It is submitted to ADOA-ASET Strategic Oversight for technology standards review.

Documents generated by management intended to communicate uniform requirements, processes, and controls throughout the organization in order to achieve alignment.  Policies are high level documents signed by a person of significant authority that state a particular control objective critical to the organization’s success.  Standards are mid-level documents designed to ensure uniform application of a policy.  Compliance is mandatory after standards are approved by management.  Procedures are detailed instructions designed to meet policy and standard requirements.

SOURCE: ISACA

A billing term used by ATS and continued by AZNet. All telecommunications services charges billed by AZNet are required to report against PONs to help agencies post charges to their ledgers. Each agency is assigned one or more three-digit PON by AZNet. Each agency specifies which PONs should be used for which charges. 

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

SOURCE:  CNSSI-4009

A file format used to present documents in a manner independent of application software, hardware, and operating systems.

SOURCE: WIKIPEDIA

Application-layer protocol used by e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.

SOURCE: PCI DSS GLOSSARY

The loss of confidentiality, integrity, or availability could be expected to have:

1) a limited adverse effect (FIPS 199 low);

2) a serious adverse effect (FIPS 199 moderate); or

3) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.

SOURCE:  SP 800-53;  SP 800-60; SP 800-37; FIPS 199

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect; a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

SOURCE:  FIPS 200; CNSSI-4009

A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the Nation.

SOURCE:  SP 800-30

Eliminating the display of characters in order to preserve their secrecy.

SOURCE: CNSSI-4009

An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

SOURCE:  SP 800-53; SP 800-18; SP 800-122; CNSSI-4009; OMB Memorandum 03-22

The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.

SOURCE:  SP 800-63

A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used, for example, to:

1) Compute the corresponding public key,

2) Compute a digital signature that may be verified by the corresponding public key,

3) Decrypt keys that were encrypted by the corresponding public

key, or

4) Compute a shared secret during a key-agreement transaction.

SOURCE:  SP 800-57 Part 1; FIPS 196; FIPS 140-2

In an asymmetric cryptography scheme, the private or secret key of a key pair which must be kept confidential and is used to decrypt messages encrypted with the public key or to digitally sign messages, which can then be validated with the public key.

SOURCE: CNSSI-4009

A right granted to an individual, a program, or a process.

SOURCE: CNSSI-4009

A user that is authorized (and, therefore, trusted) to perform security- relevant functions that ordinary users are not authorized to perform.

SOURCE:  SP 800-53;  CNSSI-4009

A cause of one or more incidents.

SOURCE: ITIL V3

An individual accountable for operational management of a process. There may be several process managers for one process and the process manager role is often assigned to the same person carrying out the process owner role.

SOURCE: ITIL V3

An individual responsible for carrying out one or more process activities. The process practitioner role may be combined with the process manager role, if appropriate.

SOURCE: ITIL V3

A written request for investment funds by an agency for a specific purpose.  The request is reviewed by ASET prior to submission to ITAC for approval.

The world's leading not-for-profit professional membership association for the project, program and portfolio management profession.

SOURCE: PROJECT MANAGEMENT INSTITUTE

A configuration setting for a network interface card that causes it to accept all incoming packets that it sees, regardless of their intended destinations.

SOURCE:  SP 800-94

Information systems that contain sensitive, confidential or private data that require effective controls designed to prevent unauthorized or accidental disclosure of said data.

A family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other routing protocols.

SOURCE: WIKIPEDIA

A software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.

SOURCE: CNSSI-4009

Policies, standards, and procedures.

A cryptographic algorithm that uses two related keys, a public key and a private key.  The two keys have the property that deriving the private key from the public key is computationally infeasible.

SOURCE:  FIPS 140-2

A digital document issued and digitally signed by the private key of a Certificate authority that binds the name of a Subscriber to a public key. The certificate indicates that the Subscriber identified in the certificate has sole control and access to the private key.

SOURCE:  SP 800-63

A set of data that unambiguously identifies an entity, contains the entity's public key, and is digitally signed by a trusted third party (certification authority).

SOURCE:  FIPS 196

A set of data that uniquely identifies an entity, contains the entity’s public key, and is digitally signed by a trusted party, thereby binding the public key to the entity.

SOURCE:  FIPS 140-2