Glossary


Packet Filter (NIST)

A routing device that provides access control functionality for host addresses and communication sessions.

SOURCE: SP 800-41

Packet Sniffer (NIST)

Software that observes and records network traffic.

SOURCE: CNSSI-4009

Parity (NIST)

Bit(s) used to determine whether a block of data has been altered.

SOURCE: CNSSI-4009

Partitioning

A file format in which the file is divided into multiple sub files and a directory is established to locate each sub file.

SOURCE: ISACA

Passive Attack (NIST)

An attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).

SOURCE: SP 800-63

An attack that does not alter systems or data.

SOURCE: CNSSI-4009

Passive Security Testing (NIST)

Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.

SOURCE: SP 800-115

Password (NIST)

A secret that a Claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings.

SOURCE: SP 800-63

A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.

SOURCE: FIPS 181

A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

SOURCE: FIPS 140-2

A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.

SOURCE: CNSSI-4009

Password Cracking (NIST)

The process of recovering secret passwords stored in a computer system or transmitted over a network.

SOURCE: SP 800-115

Password Protected (NIST)

The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.

SOURCE: SP 800-72

The ability to protect the contents of a file or device from being accessed until the correct password is entered.

SOURCE: SP 800-124

Patch (NIST)

An update to an operating system, application, or other software issued specifically to correct particular problems with the software.

SOURCE: SP 800-123

Patch Management (NIST)

The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.

SOURCE: CNSSI-4009

Payment Card Industry (PCI)

The term refers to the Payment Card Industry Security Standards Council, a council originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

The PCI Council formed a body of security standards known as the PCI Data Security Standards, (PCI DSS), and these standards consist of 12 significant requirements including multiple sub-requirements that contain numerous directives against which businesses may measure their own payment card security policies, procedures and guidelines. By complying with qualified assessments of these standards, businesses can become accepted by the PCI Standards Council as compliant with the 12 requirements, and thus receive a compliance certification and a listing on the PCI Standards Council website. Compliance efforts and acceptance must be completed on a periodic basis.

SOURCE: WIKIPEDIA

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

SOURCE: WIKIPEDIA

PBX

Private Branch Exchange – A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines. The main purpose of a PBX is to save the cost of requiring a line for each user to the telephone company's central office.

Penetration Testing (NIST)

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

SOURCE: SP 800-53A; SP 800-53; CNSSI-4009

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

SOURCE: SP 800-115

Perimeter (NIST)

(C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected.

(Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate.

SOURCE: CNSSI-4009

Perishable Data (NIST)

Information whose value can decrease substantially during a specified time. A significant decrease in value occurs when the operational circumstances change to the extent that the information is no longer useful.

SOURCE: CNSSI-4009

Personal Digital Assistant (PDA)

Handheld mobile devices with capabilities such as mobile phones, e-mail, or web browser.

SOURCE: PCI DSS GLOSSARY

Personal Firewall (NIST)

A utility on a computer that monitors network activity and blocks communications that are unauthorized.

SOURCE: SP 800-69

Personal Identification Number – (PIN) (NIST)

A password consisting only of decimal digits.

SOURCE: SP 800-63

A secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.

SOURCE: FIPS 201

An alphanumeric code or password used to authenticate an identity.

SOURCE: FIPS 140-2

A short numeric code used to confirm identity.

SOURCE: CNSSI-4009

Personal Information (PI)

(a) Means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:

(i) The individual's social security number.

(ii) The individual's number on a driver license issued pursuant to section 28-3166 or number on a nonoperating identification license issued pursuant to section 28-3165.

(iii) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account.

(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

SOURCE: A.R.S. 44-7501 l.6.

Personally Identifiable Information – (PII) (NIST)

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

SOURCE: CNSSI-4009

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

SOURCE: SP 800-122

Phishing (NIST)

Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.

SOURCE: SP 800-83

Deceiving individuals into disclosing sensitive personal information through deceptive computer-based means.

SOURCE: CNSSI-4009

A digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.

SOURCE: SP 800-115

PII Confidentiality Impact Level (NIST)

The PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.

SOURCE: SP 800-122

PIJ

Project Investment Justification – A business case required for all projects with a one-time cost of $25,000 or more. It is submitted to ADOA-ASET Strategic Oversight for technology standards review.

Plaintext (NIST)

Data input to the Cipher or output from the Inverse Cipher.

SOURCE: FIPS 197

Intelligible data that has meaning and can be understood without the application of decryption.

SOURCE: SP 800-21

Unencrypted information.

SOURCE: CNSSI-4009

Policies, Standards and Procedures (PSPs)

Documents generated by management intended to communicate uniform requirements, processes, and controls throughout the organization in order to achieve alignment. Policies are high level documents signed by a person of significant authority that state a particular control objective critical to the organization's success. Standards are mid-level documents designed to ensure uniform application of a policy. Compliance is mandatory after standards are approved by management. Procedures are detailed instructions designed to meet policy and standard requirements.

SOURCE: ISACA

Policy-Based Access Control – (PBAC) (NIST)

A form of access control that uses an authorization policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, and heuristics).

SOURCE: CNSSI-4009

PON

A billing term used by ATS and continued by AZNet. All telecommunications services charges billed by AZNet are required to report against PONs to help agencies post charges to their ledgers. Each agency is assigned one or more three-digit PONs by AZNet. Each agency specifies which PONs should be used for which charges.

Port (NIST)

A physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).

SOURCE: FIPS 140-2

Port Scanning (NIST)

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

SOURCE: CNSSI-4009

Portability

Usability of the same software in different IT environments. The prerequirement for portability is the generalized abstraction between the application logic and system interfaces. When software with the same functionality is produced for several computing platforms, portability is the key issue for development cost reduction.

SOURCE: WIKIPEDIA

Portable Document Format (PDF)

A file format used to present documents in a manner independent of application software, hardware, and operating systems.

SOURCE: WIKIPEDIA

Portal (NIST)

A high-level remote access architecture that is based on a server that offers teleworkers access to one or more applications through a single centralized interface.

SOURCE: SP 800-46

Post Office Protocol v3 (POP3)

Application-layer protocol used by e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.

SOURCE: PCI DSS GLOSSARY

POST-COMPLIANCE PARADIGM SHIFT

Change in expectations that says that it’s no longer acceptable to simply “do” work. Instead, for work that exists in an environment with compliance requirements, the work is not complete until you 1. Do it, 2. Control it, 3. Document it, and 4. Prove compliance.

SOURCE: Data Governance Institute

Potential Impact (NIST)

The loss of confidentiality, integrity, or availability could be expected to have:

1) a limited adverse effect (FIPS 199 low);

2) a serious adverse effect (FIPS 199 moderate); or

3) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.

SOURCE: SP 800-53; SP 800-60; SP 800-37; FIPS 199

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect; a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

SOURCE: FIPS 200; CNSSI-4009

Precursor (NIST)

A sign that an attacker may be preparing to cause an incident.

SOURCE: SP 800-61; CNSSI-4009

Predisposing Condition (NIST)

A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the Nation.

SOURCE: SP 800-30

Preventive Control

An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

Print Suppression (NIST)

Eliminating the display of characters in order to preserve their secrecy.

SOURCE: CNSSI-4009

Privacy (NIST)

Restricting access to subscriber or Relying Party information in accordance with federal law and agency policy.

SOURCE: SP 800-32

Privacy Impact Assessment (PIA) (NIST)

An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

SOURCE: SP 800-53; SP 800-18; SP 800-122; CNSSI-4009; OMB Memorandum 03-22

Privacy System (NIST)

Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack.

SOURCE: CNSSI-4009

Private Key (NIST)

The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.

SOURCE: SP 800-63

A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used, for example, to:

1) Compute the corresponding public key,

2) Compute a digital signature that may be verified by the corresponding public key,

3) Decrypt keys that were encrypted by the corresponding public key, or

4) Compute a shared secret during a key-agreement transaction.

SOURCE: SP 800-57 Part 1; FIPS 196; FIPS 140-2

In an asymmetric cryptography scheme, the private or secret key of a key pair which must be kept confidential and is used to decrypt messages encrypted with the public key or to digitally sign messages, which can then be validated with the public key.

SOURCE: CNSSI-4009

Private Network

Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.

SOURCE: PCI DSS GLOSSARY

Privilege (NIST)

A right granted to an individual, a program, or a process.

SOURCE: CNSSI-4009

Privileged Account (NIST)

An information system account with approved authorizations of a privileged user.

SOURCE: CNSSI-4009; SP 800-53

Privileged User (NIST)

A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

SOURCE: SP 800-53; CNSSI-4009

Probe (NIST)

A technique that attempts to access a system to learn something about the system.

SOURCE: CNSSI-4009

Problem

A cause of one or more incidents.

SOURCE: ITIL V3

Process

A structured set of activities designed to accomplish a specific objective. A process takes one or more defined inputs and turns them into defined outputs.

SOURCE: ITIL V3

Process Manager

An individual accountable for operational management of a process. There may be several process managers for one process and the process manager role is often assigned to the same person carrying out the process owner role.

SOURCE: ITIL V3

Process Owner

An individual accountable for ensuring that a process is fit for purpose, i.e. that it is capable of meeting its objectives; that it is performed according to the agreed and documented standard; and that it meets the aims of the process definition.

SOURCE: ITIL V3

Process Practitioner

An individual responsible for carrying out one or more process activities. The process practitioner role may be combined with the process manager role, if appropriate.

SOURCE: ITIL V3

Program

A funded project and / or activity performed by one or more BUs.

Project Investment Justification (PIJ)

A written request for investment funds by an agency for a specific purpose. The request is reviewed by ASET prior to submission to ITAC for approval.

Project Management

The application of knowledge, skills and techniques to execute projects effectively and efficiently. It’s a strategic competency for organizations, enabling them to tie project results to business goals — and thus, better compete in their markets.

SOURCE: PROJECT MANAGEMENT INSTITUTE

Project Management Institute (PMI)

The world's leading not-for-profit professional membership association for the project, program and portfolio management profession.

SOURCE: PROJECT MANAGEMENT INSTITUTE

Project Management Professional (PMP) Certification

The most important industry-recognized certification for project managers. It is administered by the Project Management Institute and requires passage of a comprehensive examination in addition to industry experience.

SOURCE: PROJECT MANAGEMENT INSTITUTE

Promiscuous Mode (NIST)

A configuration setting for a network interface card that causes it to accept all incoming packets that it sees, regardless of their intended destinations.

SOURCE: SP 800-94

PROTECT (FUNCTION) (NIST)

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

SOURCE: NIST CYBERSECURITY FRAMEWORK

Protected Systems

Information systems that contain sensitive, confidential or private data that require effective controls designed to prevent unauthorized or accidental disclosure of said data.

Protocol (NIST)

Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.

SOURCE: CNSSI-4009

Protocol Independent Multicast (PIM)

A family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other routing protocols.

SOURCE: WIKIPEDIA

Proxy (NIST)

A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization's internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for email.

SOURCE: SP 800-44; CNSSI-4009

Proxy Agent (NIST)

A software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.

SOURCE: CNSSI-4009

Proxy Server (NIST)

A server that services the requests of its clients by forwarding those requests to other servers.

SOURCE: CNSSI-4009

PSP

Policies, standards, and procedures.

Public Domain Software (NIST)

Software not protected by copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to the creator.

SOURCE: CNSSI-4009

Public Key (Asymmetric) Cryptographic Algorithm (NIST)

A cryptographic algorithm that uses two related keys, a public key and a private key.  The two keys have the property that deriving the private key from the public key is computationally infeasible.

SOURCE: FIPS 140-2

Public Key (NIST)

The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.

SOURCE: FIPS 201; SP 800-63

A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and may be made public. In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used, for example, to:

1) Verify a digital signature that is signed by the corresponding private key,

2) Encrypt keys that can be decrypted by the corresponding private key, or

3) Compute a shared secret during a key-agreement transaction.

SOURCE: SP 800-57 Part 1; FIPS 196; FIPS 140-2; CNSSI-4009

Public Key Certificate (NIST)

A digital document issued and digitally signed by the private key of a Certificate authority that binds the name of a Subscriber to a public key. The certificate indicates that the Subscriber identified in the certificate has sole control and access to the private key.

SOURCE: SP 800-63

A set of data that unambiguously identifies an entity, contains the entity's public key, and is digitally signed by a trusted third party (certification authority).

SOURCE: FIPS 196

A set of data that uniquely identifies an entity, contains the entity's public key, and is digitally signed by a trusted party, thereby binding the public key to the entity.

SOURCE: FIPS 140-2

Public Key Infrastructure (PKI) (NIST)

A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

SOURCE: SP 800-32; SP 800-63

An architecture which is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys.

SOURCE: FIPS 196

A Framework that is established to issue, maintain, and revoke public key certificates.

SOURCE: FIPS 186

A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of sensitive verification system data within identity cards and the verification system.

SOURCE: FIPS 201

The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.

SOURCE: CNSSI-4009
