Glossary

Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.

SOURCE:  FIPS 200

A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.

SOURCE:  SP 800-53; CNSSI-4009

Sending packets or requests to another system to gain information to be used in a subsequent attack.

SOURCE:  CNSSI-4009

Process of identifying all system components, people, and processes to be included in an assessment. The first step of an assessment is to accurately determine the scope of the review.

SOURCE: PCI DSS GLOSSARY

A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.

SOURCE:  SP 800-57

A cryptographic key that is used with a symmetric cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.

SOURCE: CNSSI-4009

A cryptographic key that must be protected from unauthorized disclosure to protect data encrypted with the key. The use of the term “secret” in this context does not imply a classification level; rather,

the term implies the need to protect the key from disclosure or substitution.

SOURCE:  FIPS 201

A cryptographic key that is uniquely associated with one or more entities.  The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key

from disclosure or substitution.

SOURCE:  FIPS 198

A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not

be made public.

SOURCE:  FIPS 140-2

Philosophy and approach supporting the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

SOURCE: WIKIPEDIA

A hash algorithm with the property that is computationally infeasible

1) to find a message that corresponds to a given message digest, or 2)

to find two different messages that produce the same message digest.

SOURCE: CNSSI-4009

Protocol suite providing encryption for network services like remote login or remote file transfer.

SOURCE: PCI DSS GLOSSARY

SSL (Secure Sockets Layer) is a commonly-used protocol for managing the security of a message transmission on the Internet; it uses a program layer located between the Internet's HTTP and TCP program layers.

An XML-based security specification developed by the Organization for the Advancement of Structured Information Standards (OASIS) for exchanging authentication (and authorization) information between trusted entities over the Internet.

SOURCE:  SP 800-63

A framework for exchanging authentication and authorization information.  Security typically involves checking the credentials presented by a party for authentication and authorization.  SAML standardizes the representation of these credentials in an XML format called “assertions,” enhancing the interoperability between disparate applications.

SOURCE:  SP 800-95

A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between online business partners.

SOURCE: CNSSI-4009

A method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements.

SOURCE: CNSSI-4009

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

SOURCE:  SP 800-53; FIPS 200

One of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.

SOURCE:  SP 800-53A

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

SOURCE:  SP 800-53;  SP 800-37;  SP 800-53A; SP 800-60;  FIPS 200; FIPS 199; CNSSI-4009

A set of subjects, their information objects, and a common security policy.

SOURCE:  SP 800-27

A collection of entities to which applies a single security policy executed by a single authority.

SOURCE:  FIPS 188

A domain that implements a security policy and is administered by a single authority.

SOURCE: SP 800-37; SP 800-53; CNSSI-4009

Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.

SOURCE:  SP 800-128

Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.

See ‘System Security Plan’ or ‘Information Security Program Plan.’

SOURCE:  SP 800-53; SP 800-53A; SP 800-37; SP 800-18

Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

SOURCE:  FIPS 200; SP 800-53; SP 800-53A;  SP 800-37;  CNSSI-4009

Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.

SOURCE: CNSSI-4009

Data that is private, personal, or proprietary and must be protected from unauthorized access.

SOURCE: Data Governance Institute

Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.

SOURCE: PCI DSS GLOSSARY

A set of specialized organizational capabilities for providing value to customers in the form of services.

SOURCE: ITIL V3

These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect  the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the  confidentiality and privacy of the information processed by these systems . Examples of stakeholders who may need these reports are, management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.  Use of these reports generally is restricted to parties that have this understanding The AICPA Guide:  Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development) provides guidance for performing these engagements. These reports can play an important role in:

·         Oversight of the organization

·         Vendor management programs

·         Internal corporate governance and risk management processes

·         Regulatory oversight

Similar to a SOC 1 report there are two types of report : A type 2, report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and  a type 1, report on management’s description of a service organization’s system and the suitability of the design of controls.  Use of these reports is generally restricted.   

SOURCE: AICPA WEBSITE

An architectural style and discipline that improves IT's ability to meet business demands. Service-oriented design principles advocate factoring system capabilities into loosely coupled, autonomous components (i.e., services) and making the capabilities available to other system components or external consumers. SOA is not dependent on any particular technology.

SOURCE: The Burton Group (Gartner)

The complete set of services that is managed by a service provider. The service portfolio is used to manage the entire lifecycle of all services, and includes three categories: service pipeline (proposed or in development), service catalogue (live

or available for deployment), and retired services.

SOURCE: ITIL V3

Defines the specific responsibilities of the service provider and sets the customer expectations.

SOURCE: CNSSI-4009

A protocol for broadcasting multicast session information. SAP was published by the IETF as RFC 2974.

SAP typically uses Session Description Protocol (SDP) as the format for Real-time Transport Protocol session descriptions. Announcement data is sent using IP multicast and User Datagram Protocol.

Under SAP, senders periodically broadcast SDP descriptions to a well-known multicast address and port. A SAP listening application can listen to the SAP multicasts and construct a guide of all advertised multicast sessions.

SOURCE: WIKIPEDIA

A signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.

The protocol defines the messages that are sent between endpoints that govern establishment, termination and other essential elements of a call. SIP can be used for creating, modifying and terminating sessions consisting of one or several media streams. SIP can be used for two-party (unicast) or multiparty (multicast) sessions. Other SIP applications include video conferencing, streaming multimedia distribution, instant messaging, presence information, file transfer, fax over IP and online games.

SOURCE: WIKIPEDIA

Severities – Three severity levels have been created to define service degradation/outage impacts and to set priorities for repairs:
 

Sev 1

• Severity 1 – The highest level of severity indicating the most critical of problems. A problem is classified as a Severity Level 1 when either an entire agency site’s ability to perform mission critical business functions, as defined by the agency’s Business Continuity/Disaster Recovery (BCDR) Plan, is in jeopardy or unavailable, or the problem directly impacts the public’s ability to receive critical state agencies’ services.

Sev 2

• Severity 2 – A high level of severity indicating serious problems and/or degrading conditions such that an agency site’s ability to perform mission critical function(s) is in jeopardy or unavailable but a workaround is or can be established within a
• reasonable time.

Sev 3

• Severity 3 – A medium level of severity such that an agency or individual’s ability to perform job function(s) may be impacted or inconvenienced but agency business operations can continue to function. 

State Identity Credential and Access Management.  Described in NIST Special Publication 800-63-2, Electronic Authentication Guideline.

SOURCE: NIST

A public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.

SOURCE:  SP 800-32; CNSSI-4009

An Internet standard for electronic mail (e-mail) transmission.

SOURCE: WIKIPEDIA

A protocol specification for exchanging structured information in the implementation of web services in computer networks. It relies on XML Information Set for its message format, and usually relies on other application layer protocols, most notably Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

SOURCE: WIKIPEDIA

Service Level Agreements – A performance metrics required in the contract and subject to service credits when missed. 

An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.

SOURCE:  SP 800-61; CNSSI-4009

A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.

SOURCE:  SP 800-114

The process of attempting to trick someone into revealing information (e.g., a password).

SOURCE:  SP 800-115

Use of a platform/service to support collaboration among people who share interests, activities, backgrounds or real-life connections. A social network service consists of a representation of each user (often a profile), his social links, and a variety of additional services. Social networking is web-based services that allow individuals to create a public profile, to create a list of users with whom to share connection, and view and cross the connections within the system. Most social network services are web-based and provide means for users to interact over the Internet, such as e-mail and instant messaging. Social network sites are varied and they incorporate new information and communication tools such as, mobile connectivity, photo/video/sharing and blogging. Online community services are sometimes considered as a social network service, though in a broader sense, social network service usually means an individual-centered service whereas online community services are group-centered. Social networking sites allow users to share ideas, pictures, posts, activities, events, interests with people in their network.

SOURCE: WIKIPEDIA

Acronym for “system development life cycle” or “software development lifecycle.” Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.

SOURCE: PCI  DSS GLOSARY

A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

SOURCE: SP 800-53; CNSSI-4009

An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.

SOURCE:  SP 800-53A

A computer networking concept that allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.

SOURCE: WIKIPEDIA

Spyware – Software that covertly gathers user information through the user’s Internet connection without the user’s knowledge. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. 

Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.

SOURCE: PCI DSS GLOSSARY

Intermediate Cipher result that can be pictured as a rectangular array of bytes.

SOURCE:  FIPS 197

Responsible for protecting the confidentiality, integrity and availability of government information.

The State Identity and Credential Access Management (SICAM) Guidance and Roadmap outline a strategic vision for state-based identity, credential, and access management efforts, and emphasize the importance of implementing the SICAM architecture and services in support of the challenges associated with trust, interoperability, security, and process improvement.

SOURCE: NASCIO

A communications protocol that treats each request as an independent transaction that is unrelated to any previous request so that the communication consists of independent pairs of request and response. A stateless protocol does not require the server to retain session information or status about each communications partner for the duration of multiple requests.

Examples of stateless protocols include the Internet Protocol (IP) which is the foundation for the Internet, and the Hypertext Transfer Protocol (HTTP) which is the foundation of data communication for the World Wide Web.

SOURCE: Wikipedia

The requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.

SOURCE: CNSSI-4009

The subdivision of a Category into specific outcomes of technical and/or management activities.  Examples of Subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated."

SOURCE: NIST CYBERSECURITY FRAMEWORK

A billing term used initially by ATS in combination with the PON to specify an agency general ledger code. The subPON is five alpha-numeric characters specified by the agency. Using a subPON is optional. If a subPON is used, an agency may create any subPON it wishes. Some agencies structure their PON-subPONs around major business functions or programs. Others use PONs to represent geographic areas with each subPON representing a program. How PONs and subPONs are organized, is at the discretion of each agency. 

A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.

SOURCE: SP 800-53; CNSSI-4009

A World Wide Web Consortium (W3C) recommended Extensible Markup Language (XML) markup language to describe multimedia presentations.

SOURCE: WIKIPEDIA

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.

SOURCE: CNSSI-4009

Any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.

SOURCE: CNSSI-4009

The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

SOURCE:  SP 800-34; CNSSI-4009

Anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.

SOURCE: PCI DSS GLOSSARY