Glossary
S/MIME (NIST)
A set of specifications for securing electronic mail. Secure/Multipurpose Internet Mail Extensions (S/MIME) is based upon the widely used MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer’s certificate(s).
SOURCE: SP 800-49
Safeguards (NIST)
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
SOURCE: SP 800-53; SP 800-37; FIPS 200; CNSSI-4009
Sanitization (NIST)
Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.
SOURCE: FIPS 200
A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.
SOURCE: SP 800-53; CNSSI-4009
Scalability
The ability of a system, network, or process to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth.
SOURCE: WIKIPEDIA
Scanning (NIST)
Sending packets or requests to another system to gain information to be used in a subsequent attack.
SOURCE: CNSSI-4009
Schema
A template in computer science used in the field of genetic algorithms that identifies a subset of strings with similarities at certain string positions. Schemata are a special case of cylinder sets; and so form a topological space.
SOURCE: WIKIPEDIA
Scoping
Process of identifying all system components, people, and processes to be included in an assessment. The first step of an assessment is to accurately determine the scope of the review.
SOURCE: PCI DSS GLOSSARY
Seat
An AZNet contract term for pricing of bundled services. A seat includes telephone equipment, dial tone, voice mail, Wide Area Network data access, e911 auto location, a specific quantity of free MACs, and maintenance and support service.
Secret Key (NIST)
A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
SOURCE: SP 800-57
A cryptographic key that is used with a symmetric cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
SOURCE: CNSSI-4009
A cryptographic key that must be protected from unauthorized disclosure to protect data encrypted with the key. The use of the term “secret” in this context does not imply a classification level; rather, the term implies the need to protect the key from disclosure or substitution.
SOURCE: FIPS 201
A cryptographic key that is uniquely associated with one or more entities. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure or substitution.
SOURCE: FIPS 198
A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public.
SOURCE: FIPS 140-2
Section 508
Section 508 of the Rehabilitation Act (29 U.S.C. § 794d) is a portion of federal code directing federal agencies to design their websites in such a manner as to make them accessible to citizens with disabilities.
Secure Coding Guidelines
Philosophy and approach supporting the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
SOURCE: WIKIPEDIA
Secure DNS (SECDNS) (NIST)
Configuring and operating DNS servers so that the security goals of data integrity and source authentication are achieved and maintained.
SOURCE: SP 800-81
Secure Hash Algorithm (SHA) (NIST)
A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
SOURCE: CNSSI-4009
Secure Hash Standard (NIST)
This Standard specifies secure hash algorithms (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) for computing a condensed representation of electronic data (message).
When a message of any length less than 2^64 bits (for SHA-1, SHA-224 and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224 and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits).
The hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm.
SOURCE: FIPS 180-4
Specification for a secure hash algorithm that can generate a condensed message representation called a message digest.
SOURCE: CNSSI-4009
Secure Shell (SSH)
Protocol suite providing encryption for network services like remote login or remote file transfer.
SOURCE: PCI DSS GLOSSARY
Secure Socket Layer (SSL) (NIST)
A protocol used for protecting private information during transmission via the Internet.
Note: SSL works by using a public key to encrypt data that's transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:.”
SOURCE: CNSSI-4009
Secure Sockets Layer (SSL)
SSL (Secure Sockets Layer) is a commonly-used protocol for managing the security of a message transmission on the Internet; it uses a program layer located between the Internet's HTTP and TCP program layers.
Security (NIST)
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
SOURCE: CNSSI-4009
Security Assertion Markup Language (SAML) (NIST)
An XML-based security specification developed by the Organization for the Advancement of Structured Information Standards (OASIS) for exchanging authentication (and authorization) information between trusted entities over the Internet.
SOURCE: SP 800-63
A framework for exchanging authentication and authorization information. Security typically involves checking the credentials presented by a party for authentication and authorization. SAML standardizes the representation of these credentials in an XML format called “assertions,” enhancing the interoperability between disparate applications.
SOURCE: SP 800-95
A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between online business partners.
SOURCE: CNSSI-4009
Security Attribute (NIST)
A security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers. Compartments, caveats, and release markings are examples of security attributes.
SOURCE: FIPS 188
An abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
SOURCE: SP 800-53; CNSSI-4009
Security Content Automation Protocol (SCAP) (NIST)
A method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements.
SOURCE: CNSSI-4009
Security Control Assessment (NIST)
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
SOURCE: SP 800-37; SP 800-53; SP 800-53A; CNSSI-4009
Security Control Baseline (NIST)
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
SOURCE: SP 800-53; FIPS 200
One of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.
SOURCE: SP 800-53A
Security Control Effectiveness (NIST)
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
SOURCE: SP 800-137
Security Controls (NIST)
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
SOURCE: SP 800-53; SP 800-37; SP 800-53A; SP 800-60; FIPS 200; FIPS 199; CNSSI-4009
Security Controls Baseline (NIST)
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
SOURCE: CNSSI-4009
Security Domain (NIST)
A set of subjects, their information objects, and a common security policy.
SOURCE: SP 800-27
A collection of entities to which a single security policy, executed by a single authority, applies.
SOURCE: FIPS 188
A domain that implements a security policy and is administered by a single authority.
SOURCE: SP 800-37; SP 800-53; CNSSI-4009
Security Impact Analysis (NIST)
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
SOURCE: SP 800-53; SP 800-53A; SP 800-37; CNSSI-4009
Security Information and Event Management (SIEM) Tool (NIST)
Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.
SOURCE: SP 800-128
Security Objective (NIST)
Confidentiality, integrity, or availability.
SOURCE: SP 800-53; SP 800-53A; SP 800-60; SP 800-37; FIPS 200; FIPS 199
Security Plan (NIST)
Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
See ‘System Security Plan’ or ‘Information Security Program Plan.’
SOURCE: SP 800-53; SP 800-53A; SP 800-37; SP 800-18
Security Policy (NIST)
The statement of required protection of the information objects.
SOURCE: SP 800-27
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
SOURCE: FIPS 188; SP 800-37; SP 800-53; CNSSI-4009
Security Requirements (NIST)
Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
SOURCE: FIPS 200; SP 800-53; SP 800-53A; SP 800-37; CNSSI-4009
Security Safeguards (NIST)
Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
SOURCE: CNSSI-4009
Security Test & Evaluation (ST&E) (NIST)
Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.
SOURCE: CNSSI-4009
Security Testing (NIST)
Process to determine that an information system protects data and maintains functionality as intended.
SOURCE: CNSSI-4009
Sensitive Data
Data that is private, personal, or proprietary and must be protected from unauthorized access.
SOURCE: Data Governance Institute
Sensitive Information (NIST)
Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
SOURCE: SP 800-53; CNSSI-4009
Separation of Duties
Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.
SOURCE: PCI DSS GLOSSARY
Service
A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.
SOURCE: ITIL V3
Service Management
A set of specialized organizational capabilities for providing value to customers in the form of services.
SOURCE: ITIL V3
Service Organization Control (SOC) -1 Report
These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of complying with laws and regulations such as the Sarbanes-Oxley Act, and of the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
The use of these reports is restricted to the management of the service organization, user entities of the service organization and user auditors.
SOURCE: AICPA WEBSITE
Service Organization Control (SOC) -2 Report
These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. Use of these reports generally is restricted to parties that have this understanding. The AICPA Guide: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development) provides guidance for performing these engagements. These reports can play an important role in:
· Oversight of the organization
· Vendor management programs
· Internal corporate governance and risk management processes
· Regulatory oversight
Similar to a SOC 1 report, there are two types of report: a Type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is generally restricted.
SOURCE: AICPA WEBSITE
Service Organization Control (SOC) -3 Report
These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal. For more information about the SysTrust for Service Organizations seal program go to www.webtrust.org.
SOURCE: AICPA WEBSITE
Service Oriented Architecture (SOA)
An architectural style and discipline that improves IT's ability to meet business demands. Service-oriented design principles advocate factoring system capabilities into loosely coupled, autonomous components (i.e., services) and making the capabilities available to other system components or external consumers. SOA is not dependent on any particular technology.
SOURCE: The Burton Group (Gartner)
Service Owner
An individual responsible to the customer for the initiation, transition, and ongoing maintenance and support of a particular service; and accountable to the IT director or service management director for the delivery of a specific IT service. Service ownership is critical to service management, and a single person may fulfill the service owner role for more than one service.
SOURCE: ITIL V3
Service Portfolio
The complete set of services that is managed by a service provider. The service portfolio is used to manage the entire lifecycle of all services, and includes three categories: service pipeline (proposed or in development), service catalogue (live or available for deployment), and retired services.
SOURCE: ITIL V3
Service Request
A formal request from a user for something to be provided.
SOURCE: ITIL V3
Service-Level Agreement (SLA) (NIST)
Defines the specific responsibilities of the service provider and sets the customer expectations.
SOURCE: CNSSI-4009
Session
A semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.
SOURCE: WIKIPEDIA
Session Announcement Protocol (SAP)
A protocol for broadcasting multicast session information. SAP was published by the IETF as RFC 2974.
SAP typically uses Session Description Protocol (SDP) as the format for Real-time Transport Protocol session descriptions. Announcement data is sent using IP multicast and User Datagram Protocol.
Under SAP, senders periodically broadcast SDP descriptions to a well-known multicast address and port. A SAP listening application can listen to the SAP multicasts and construct a guide of all advertised multicast sessions.
SOURCE: WIKIPEDIA
Session Description Protocol (SDP)
A format for describing streaming media initialization parameters. SDP is intended for describing multimedia communication sessions for the purposes of session announcement, session invitation, and parameter negotiation. SDP does not deliver media itself but is used for negotiation between end points of media type, format, and all associated properties. The set of properties and parameters are often called a session profile. SDP is designed to be extensible to support new media types and formats.
SOURCE: WIKIPEDIA
Session Initiation Protocol (SIP)
A signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.
The protocol defines the messages that are sent between endpoints that govern establishment, termination and other essential elements of a call. SIP can be used for creating, modifying and terminating sessions consisting of one or several media streams. SIP can be used for two-party (unicast) or multiparty (multicast) sessions. Other SIP applications include video conferencing, streaming multimedia distribution, instant messaging, presence information, file transfer, fax over IP and online games.
SOURCE: WIKIPEDIA
Session Lock
A control that terminates a user’s access to a resource and prevents the user from accessing the same resource until some condition is met.
Severities
Three severity levels have been created to define service degradation/outage impacts and to set priorities for repairs:
Sev 1
- Severity 1 – The highest level of severity indicating the most critical of problems. A problem is classified as a Severity Level 1 when either an entire agency site’s ability to perform mission critical business functions, as defined by the agency’s Business Continuity/Disaster Recovery (BCDR) Plan, is in jeopardy or unavailable, or the problem directly impacts the public’s ability to receive critical state agencies’ services.
Sev 2
- Severity 2 – A high level of severity indicating serious problems and/or degrading conditions such that an agency site’s ability to perform mission critical function(s) is in jeopardy or unavailable, but a workaround is or can be established within a reasonable time.
Sev 3
- Severity 3 – A medium level of severity such that an agency or individual’s ability to perform job function(s) may be impacted or inconvenienced but agency business operations can continue to function.
Shell
Interface between the server and the user.
SICAM Assurance Model (NIST)
State Identity Credential and Access Management. Described in NIST Special Publication 800-63-2, Electronic Authentication Guideline.
SOURCE: NIST
Signature (NIST)
A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.
SOURCE: SP 800-61; CNSSI-4009
A set of characteristics of known malware instances that can be used to identify known malware and some new variants of known malware.
SOURCE: GUIDE TO MALWARE INCIDENT PREVENTION AND HANDLING FOR DESKTOPS AND LAPTOPS
Signature Certificate (NIST)
A public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.
SOURCE: SP 800-32; CNSSI-4009
Signed Data (NIST)
Data on which a digital signature is generated.
SOURCE: FIPS 196
Simple Mail Transfer Protocol (SMTP)
An Internet standard for electronic mail (e-mail) transmission.
SOURCE: WIKIPEDIA
Simple Network Management Protocol (SNMP)
An Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more. It is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
SOURCE: WIKIPEDIA
Simple Object Access Protocol (SOAP)
A protocol specification for exchanging structured information in the implementation of web services in computer networks. It relies on XML Information Set for its message format, and usually relies on other application layer protocols, most notably Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.
SOURCE: WIKIPEDIA
Single Point of Failure
A resource whose loss will result in the loss of service or production.
SOURCE: ISACA
SLA
Service Level Agreements – Performance metrics required in the contract and subject to service credits when missed.
SNMP
Simple Network Management Protocol – The protocol governing network management and the monitoring of network devices and their functions.
Social Engineering (NIST)
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
SOURCE: SP 800-61; CNSSI-4009
A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.
SOURCE: SP 800-114
The process of attempting to trick someone into revealing information (e.g., a password).
SOURCE: SP 800-115
Social Media
The interaction among people in which they create, share or exchange information and ideas in virtual communities and networks.
SOURCE: WIKIPEDIA
Social Networking
Use of a platform/service to support collaboration among people who share interests, activities, backgrounds or real-life connections. A social network service consists of a representation of each user (often a profile), their social links, and a variety of additional services. Social networking services are web-based services that allow individuals to create a public profile, to create a list of users with whom to share connections, and to view and traverse the connections within the system. Most social network services are web-based and provide means for users to interact over the Internet, such as e-mail and instant messaging. Social network sites are varied and incorporate new information and communication tools such as mobile connectivity, photo/video sharing and blogging. Online community services are sometimes considered a social network service, though in a broader sense a social network service usually means an individual-centered service, whereas online community services are group-centered. Social networking sites allow users to share ideas, pictures, posts, activities, events and interests with people in their network.
SOURCE: WIKIPEDIA
Software Assurance (NIST)
Level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.
SOURCE: CNSSI-4009
Software Development Life Cycle (SDLC)
Acronym for “system development life cycle” or “software development lifecycle.” Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.
SOURCE: PCI DSS GLOSSARY
Spam (NIST)
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
SOURCE: SP 800-53
Unsolicited bulk commercial email messages.
SOURCE: SP 800-45
Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
SOURCE: CNSSI-4009
Special Access Program (SAP) (NIST)
A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.
SOURCE: SP 800-53; CNSSI-4009
Special Character (NIST)
Any non-alphanumeric character that can be rendered on a standard American-English keyboard. Use of a specific special character may be application-dependent.
The list of special characters follows:
` ~ ! @ # $ % ^ & * ( ) _ + | } { " : ? > < [ ] \ ; ' , . / - =
SOURCE: CNSSI-4009
Specification (NIST)
An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.
SOURCE: SP 800-53A
Spillage (NIST)
Security incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level.
SOURCE: CNSSI-4009
Split Tunneling
A computer networking concept that allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.
SOURCE: WIKIPEDIA
Spoofing (NIST)
“IP spoofing” refers to sending a network packet that appears to come from a source other than its actual source.
SOURCE: SP 800-48
Involves:
1) the ability to receive a message by masquerading as the legitimate receiving destination, or
2) masquerading as the sending machine and sending a message to a destination.
SOURCE: FIPS 191
1. Faking the sending address of a transmission to gain illegal entry into a secure system. Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.
2. The deliberate inducement of a user or resource to take incorrect action.
SOURCE: CNSSI-4009
Spyware
Software that covertly gathers user information through the user’s Internet connection without the user’s knowledge. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else.
Spyware (NIST)
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
SOURCE: SP 800-53; CNSSI-4009
SQL Injection
Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.
SOURCE: PCI DSS GLOSSARY
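The definition above describes the mechanism in one sentence; the following added example (not part of the glossary or its cited sources) shows it running against a constructed in-memory SQLite table. The table, the two user rows, and the two payload strings are all assumptions made for the demonstration. The vulnerable function splices the caller's string into the SQL text; the hardened function passes it as a bound parameter so the database never parses it as SQL.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: one table with two users, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Insecure: the caller's string is spliced into the SQL text, so any
    quote or SQL keyword it contains changes the statement's grammar."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterized query. The driver sends the statement and
    the value separately, so the value can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology and returns every row; the second appends a UNION that reads the
# schema out of sqlite_master, data the application never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master--"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union        :", lookup_vulnerable(conn, UNION_SCHEMA))
    print("safe, tautology          :", lookup_safe(conn, TAUTOLOGY))
    print("safe, union              :", lookup_safe(conn, UNION_SCHEMA))
```

With the tautology payload the vulnerable lookup returns both users and the UNION payload returns the CREATE TABLE text for the schema, while the parameterized lookup returns nothing for either, because it searches for a user literally named after the payload string.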
STAKEHOLDER
Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.
Scope Note: Examples: shareholders, users, government, suppliers, customers and the public
SOURCE: ISACA GLOSSARY
State (NIST)
Intermediate Cipher result that can be pictured as a rectangular array of bytes.
SOURCE: FIPS 197
State Chief Information Officer (CIO)
State executive responsible for setting IT policy and managing IT resources for the State of Arizona.
State Chief Information Security Officer (CISO)
Responsible for protecting the confidentiality, integrity and availability of government information.
State Data Center (SDC)
Facility located on 15th Avenue in Phoenix that houses ADOA IT assets.
State Identity Credential and Access Management (SICAM)
The State Identity and Credential Access Management (SICAM) Guidance and Roadmap outline a strategic vision for state-based identity, credential, and access management efforts, and emphasize the importance of implementing the SICAM architecture and services in support of the challenges associated with trust, interoperability, security, and process improvement.
SOURCE: NASCIO
Stateful Inspection
Also called “dynamic packet filtering.” Firewall capability that provides enhanced security by keeping track of the state of network connections. The firewall is programmed to distinguish legitimate packets for various connections; only packets matching an established connection are permitted, and all others are rejected.
SOURCE: PCI DSS GLOSSARY
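To make the difference between state tracking and plain packet filtering concrete, here is an added example (not from the glossary or PCI DSS) that runs a minimal connection table over constructed TCP segments. The protected prefix, the addresses, the ports and the five sample segments are assumptions for the demonstration. The stateless rule approximates "established" by admitting any inbound segment with ACK set, which is how pre-stateful access lists did it; the stateful filter admits a segment only if it belongs to a connection that an inside host actually opened.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "10.0.0."   # constructed: the protected LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # any of "S" (SYN), "A" (ACK), "F" (FIN)


Key = Tuple[str, int, str, int]


def stateless_allow(p: Packet) -> bool:
    """Stateless approximation of 'established': admit any inbound segment
    with ACK set. It cannot tell a genuine reply from a forged ACK."""
    return p.dst.startswith(INSIDE_PREFIX) and "A" in p.flags


class StatefulFilter:
    """Tracks connections opened from inside and admits only segments that
    belong to one of them (in either direction); everything else is dropped."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # initiator 4-tuple -> state

    def process(self, p: Packet) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)

        if fwd in self.table:            # segment from the initiator
            if "F" in p.flags:
                self.table[fwd] = "CLOSING"
            return "ALLOW"
        if rev in self.table:            # reply from the responder
            if self.table[rev] == "SYN_SENT" and "S" in p.flags and "A" in p.flags:
                self.table[rev] = "ESTABLISHED"
            elif "F" in p.flags:
                self.table[rev] = "CLOSING"
            return "ALLOW"

        # No matching entry: only a bare SYN from an inside host may create one.
        if p.src.startswith(INSIDE_PREFIX) and p.flags == "S":
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"


# Constructed traffic: a legitimate HTTPS handshake from an inside host, then a
# forged inbound ACK and an unsolicited inbound SYN from an outside host.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 443, "10.0.0.5", 51000, "A"),   # forged ACK
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, "S"),    # unsolicited SYN
]


def run(packets: List[Packet]) -> List[str]:
    """Return the stateful verdict for each segment in order."""
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRAFFIC, run(SAMPLE_TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"stateful={verdict} stateless={'ALLOW' if stateless_allow(p) else 'DROP'}")
```

The forged ACK (fourth segment) passes the stateless rule because it carries the ACK flag and is addressed to an inside host, but the stateful filter drops it because no connection to 198.51.100.7 was ever opened. Real engines also expire entries on a timer and keep a TIME_WAIT state after the FIN exchange; both are omitted here.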
Stateless Protocol
A communications protocol that treats each request as an independent transaction that is unrelated to any previous request so that the communication consists of independent pairs of request and response. A stateless protocol does not require the server to retain session information or status about each communications partner for the duration of multiple requests.
Examples of stateless protocols include the Internet Protocol (IP) which is the foundation for the Internet, and the Hypertext Transfer Protocol (HTTP) which is the foundation of data communication for the World Wide Web.
SOURCE: Wikipedia
Storage Area Network (SAN)
A dedicated network that provides access to consolidated, block-level data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear to the operating system like locally attached devices.
SOURCE: WIKIPEDIA
Strong Authentication (NIST)
The requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.
SOURCE: CNSSI-4009
Structured Query Language (SQL)
Computer language used to create, modify, and retrieve data from relational database management systems.
SOURCE: PCI DSS GLOSSARY
SUBCATEGORY (NIST)
The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated."
SOURCE: NIST CYBERSECURITY FRAMEWORK
Subject Matter Expert (SME)
A person who is an authority in a particular area or topic.
SOURCE: WIKIPEDIA
SubPON
A billing term used initially by ATS in combination with the PON to specify an agency general ledger code. The subPON is five alpha-numeric characters specified by the agency. Using a subPON is optional. If a subPON is used, an agency may create any subPON it wishes. Some agencies structure their PON-subPONs around major business functions or programs. Others use PONs to represent geographic areas with each subPON representing a program. How PONs and subPONs are organized is at the discretion of each agency.
Subscriber (NIST)
A party who receives a credential or token from a CSP (Credentials Service Provider) and becomes a claimant in an authentication protocol.
SOURCE: CNSSI-4009; SP 800-63
Supply Chain (NIST)
A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
SOURCE: SP 800-53; CNSSI-4009
Symmetric Key (NIST)
A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.
SOURCE: SP 800-63; CNSSI-4009
A single cryptographic key that is used with a secret (symmetric) key algorithm.
SOURCE: SP 800-21 [2nd Ed]
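The second use named in the first definition, creating and verifying a message authentication code with a single key, is shown in this added example (not from the glossary or the NIST sources), using HMAC-SHA256 from the Python standard library. The sample key and message are constructed for the demonstration; a production key would come from secrets.token_bytes(32) or a key-management service and be shared with the verifier out of band.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Forward operation: compute an HMAC-SHA256 tag over message with key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Inverse operation: recompute the tag with the same key and compare.
    compare_digest runs in constant time, so an attacker cannot learn how
    many leading bytes of a guessed tag were right from the response time."""
    return hmac.compare_digest(make_tag(key, message), tag)


# Constructed sample key for the demonstration only.
SAMPLE_KEY = bytes(range(32))


def demo() -> dict:
    """Show that only the holder of the same key can verify, and that any
    change to the message or the key makes verification fail."""
    msg = b"transfer 100 to account 42"
    tag = make_tag(SAMPLE_KEY, msg)
    other_key = secrets.token_bytes(32)
    return {
        "same_key": verify_tag(SAMPLE_KEY, msg, tag),
        "tampered_message": verify_tag(SAMPLE_KEY, b"transfer 900 to account 42", tag),
        "different_key": verify_tag(other_key, msg, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Because the same key both creates and checks the tag, anyone who can verify can also forge; this is why a MAC gives integrity and origin authentication between the two key holders but not the non-repudiation that a digital signature (asymmetric key) provides.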
Synchronized Multimedia Integration Language
A World Wide Web Consortium (W3C) recommended Extensible Markup Language (XML) markup language to describe multimedia presentations.
SOURCE: WIKIPEDIA
Synchronous Optical Networking (SONET)
A standard protocol that transfers multiple digital bit streams over optical fiber using lasers or highly coherent light from light-emitting diodes (LEDs). At low transmission rates, data can also be transferred via an electrical interface.
SOURCE: WIKIPEDIA
System (NIST)
Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.
SOURCE: CNSSI-4009
System Administrator (NIST)
A person who manages the technical aspects of a system.
SOURCE: SP 800-40
Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.
SOURCE: CNSSI-4009
System Assets (NIST)
Any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.
SOURCE: CNSSI-4009
System Availability
Ability for the user to perform needed services using the application or device, typically expressed as a percentage of available time.
System Development Life Cycle – (SDLC) (NIST)
The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
SOURCE: SP 800-34; CNSSI-4009
System Integrity (NIST)
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
SOURCE: SP 800-27
Attribute of an information system when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
SOURCE: CNSSI-4009
System Level Object
Anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.
SOURCE: PCI DSS GLOSSARY
System Security Plan (NIST)
Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
SOURCE: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; FIPS 200
The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.
SOURCE: CNSSI-4009
System Software (NIST)
The special software within the cryptographic boundary (e.g., operating system, compilers or utility programs) designed for a specific computer system or family of computer systems to facilitate the operation and maintenance of the computer system, associated programs, and data.
SOURCE: FIPS 140-2