Security Glossary - Anne & Lynn Wheeler

Fastpath

access control, assurance, attack, audit, authentication, authorization, automated information system, availability, certification, Common Criteria for Information Technology Security, cryptography, evaluation, identity, key management, privacy, requirements, risk, risk management, security, security target, software development, threat, trust, Trusted Computer System Evaluation Criteria, user,

3DES AADS ABC ACC ACH ACL ACO ADM ADP AE AH AICPA AIG AIN AIN AIRK AIS AJ AJP AK AKDC AKD/RCU AKMC AKMS ALC AMPS AMS AMS ANDVT ANSI AOSS APC API API APU ARPANET ASCII ASIM ASN.1 ASPJ ASSIST ASU ATM AUP AUTH AUTODIN AV AVP BBS BCA BCI BCP BER BIA BIN BLP BPI BPR BS7799 C2 C2W C3 C3I C4 CA C&A CA CA CAAT CADS CAPI CASE CAW CAW CBC CC1 CC2 CC CCA CCEP CCI CCITSE CCO CCTL CCTP CDMA CDS CDSA CDSA CEM CEOI CEPR CER CER CERT CERT CFB CFD CGI CHAP CIAC CIAC CIK CIK CIO CIP CIPSO CIRK CIRT CISSP CK CKG CKL CM CMCS CNA CNCS CND CNK COAST COBIT CoCo COCOMO COMPUSEC COMSEC CONOP COPS COR COR COSO COTS CPM CPS CPS CPU CRAM CRC CRL CRP CSE CSIRC CSIRT CSOR CSP CSP CSS CSS CSS CSS CSSM CSSO CSTVRP CTAK CTCPEC CT&E CTTA CUP DA DAA DAA DAA DAC DAC DAMA DASD DASS DBA DBMS DCE DCID DCL DCS DCS DCSP DD DDL DDoS DDP DDS DEA DEK DES DFD DIAP DIB DII DISN DITSCAP DLED DMA DML DMS DMZ DN DNS DOI DoS DPL DSA DSN DSS DSS DSVT DTD DTLS DTS DUA EA EAL EAM EAP EBT ECB ECC ECCM ECDSA ECM ECPL EDAC EDC EDESPL EDI EDM EDMS EES EFD EFP EFT EFTO EFTS EGADS EIS EISA EKMS ELINT ELSEC EMC EMI EMRT EMSEC EMSEC EMV EP EPL EQA ERP ERTZ ES ESA ESP ETL ETPL EUC EUCI EV EW FAX FCv1 FDDI FDIU FDMA FEP FIPS140 FIPS FIRST FNBDT FOCI FOUO FPC FPKI FSM FSRS FSTS FTAM FTLS FTP FTS GAO GCA GCCS GETS GIG GNIE GPS GRIP GSS-API GSSP GTS GUI GULS GWEN HDM HIPO HMAC HTML HTTP HUS HUSK I&A I&A IA IAB IANA IBAC IC ICANN ICMP ICQ ICRL ICU IDEA IDIOT IDS IEEE IEMATS IESG IETF IFF IFFN IIA IIRK IKE ILS IMAP4 INFOSEC INFOSEC IO I/O IP IPM IPRA IPsec IPSO IR IRK IRR IS ISA ISACA ISACF ISAKMP ISD ISDN IS/IT ISO ISO ISOC ISP ISS ISSA ISSE ISSM ISSO ISSO IT ITAR ITF ITSEC ITSEC ITU IUT IV IW KAK KDC KEA KEK KEK KG KMASE KMC KMI KMID KMID KMODC KMP KMPDU KMS KMSA KMUA KP KPK KSD KSOS KTC KVG L2F L2TP LAN LDAP LEAD LEAF LKG LMD LMD/KP LME LMI LOCK LOTOS LPC LPD LPI LRIP LSI MAC MAC MAD MAN MAN MATSYM MCA MCCB MDC MEECN MEI MEP MER MHS MI MIB MIJI MIME MINTERM MIPS MISPC MISSI MLS MNS MOSS MRT MSE MSP MTBF MTBO MTSR MTTF MTTR NACAM NACSI NACSIM NAK NAT NCCD NCS NCS NCS NCSC NCSC/TG004 NIAP NIC NII NISAC NIST NKSR NLSP NLZ NORA NPV NQA NSA NSAD NSD NSDD 145 NSDD NSEP NSI NSO NSTAC NSTISSAM NSTISSC NSTISSD NSTISSI NSTISSP NTCB NTIA NTISSAM NTISSD NTISSD NTISSI NTISSP NVLAP OADR OCR OCSP OFAC OFB OID OOP OPCODE OPSEC ORA OSE OSI OSI OSIRM OTAD OTAR OTAT OTP OTP OTT P1363 P2P PAA PAAP PAD PAE PAIIN PAIN PAL PAN PAP PBX PC PCA PCMCIA PCO PCT PCZ PDA PDCA PDR PDS PDS PDU PEM PERT PES PGP PIN PIV PKA PKC PKCS PKI PKSD PNE PNEK POP3 POS PP PPD PPL PPP PPS PPTP PRBAC PROM PROPIN PSE PSL PSYOP PTM PWDS QA QA/QC QC QFD QOP RA RACE RAD RADIUS RAID RAM RAMP RBAC RC2 RC4 RFC RFI RFP RJE ROM RPC RQT RSA RSA SA SABI SAID SAISS SAML SAO SAP SAP SAR SARK SASL SBU SCA SCADA SCI SCIF SCM SDE SDLC SDNRIU SDNS SDR SDSI SENV SET SF SFA SFP SFUG SHA-1 SHA S-HTTP SI SIGSEC SILS SIO SISS SKIP SMDS SMI S/MIME SML SMTP SMU SNMP SOF SP3 SP4 SPC SPC SPI SPI SPK SPKI SPKI/SDSI SPS SQA SQL SRA SRR SS-7 SSAA SSH SSL SSL SSO SSO SSP SSPI SSSO ST STD STE ST&E STS STU SUT SV SV&V SWOT TA TACACS+ TACTED TACTERM TAG TCB TCD TCP TCP/IP TCSEC TCSEC TD TDMA TED TEK TEP TESS TFM TFS TLS TLS TLSO TLSP TNI TNIEG TOE TPC TPEP TPI TQM TRANSEC TRB TRI-TAC TSA TSC TSCM TSEC TSF TSFI TSIG TSK TSP TTR UA UDP UIRK UIS UORA UPP UPS URI URL URN USDE VAN VPN V&V W3 WAIS WAN WAP WBS WWW XDM/X XML

Terms

*-property

(N) (Pronounced 'star property'.) See: 'confinement property' under Bell-LaPadula model. [RFC2828] (see also confinement property, model, Bell-LaPadula security model)

2-factor authentication

Authentication processing using two factors, typically: 'something you have' and 'something you know'. [misc] (see also 3-factor authentication)

3-factor authentication

Authentication processing using three factors:

something you have
something you know
something you are

ABA Guidelines

(N) 'American Bar Association (ABA) Digital Signature Guidelines', a framework of legal principles for using digital signatures and digital certificates in electronic commerce. [RFC2828] (see also certificate, digital signature)

abend

An unexpected processing termination that may indicate that program coding was incorrectly performed and that earlier testing was not adequate or not adequately controlled. Abend stands for abnormal ending. [SRV] (see also failure, test)

abort

The termination of computer program execution prior to its completion. [SRV] (see also failure)

Abrams, Jojodia, Podell essays (AJP)

M. Abrams, S. Jajodia, and H. Podell, eds, Information Security An Integrated Collection of Essays, IEEE Computer Society Press, January 1995. [AJP] (see also security)

Abstract Syntax Notation One (ASN.1)

(N) A standard for describing data objects. (C) OSI standards use ASN.1 to specify data formats for protocols. OSI defines functionality in layers. Information objects at higher layers are abstractly defined to be implemented with objects at lower layers. A higher layer may define transfers of abstract objects between computers, and a lower layer may define transfers concretely as strings of bits. Syntax is needed to define abstract objects, and encoding rules are needed to transform between abstract objects and bit strings. (C) In ASN.1, formal names are written without spaces, and separate words in a name are indicated by capitalizing the first letter of each word except the first word. For example, the name of a CRL is 'certificateRevocationList'. [RFC2828] (see also certificate, public-key infrastructure) (includes Basic Encoding Rules, Distinguished Encoding Rules, object identifier)

abuse of privilege

When a user performs an action that they should not have, according to organizational policy or law. [AFSEC] (see also threat)

acceptable level of risk

A judicious and carefully considered assessment by the appropriate authority that a computing activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of assets; threats and vulnerabilities; countermeasures and operational requirements. [AFSEC] The level of risk that the organization line manager decides is tolerable. This decision is based on an analysis of threats and vulnerabilities, the sensitivity of data and applications, and cost/benefit, technical, and operational feasibility of available controls. However, some installations are critical to the organization's mission or have the potential to cause the loss of human life or serious injury to humans. For these installations, management may consider controls for implementation that are not cost effective. [NASA] (see also assessment, countermeasure, networks, threat)

acceptable risk

A concern that is acceptable to responsible management, due to the cost and magnitude of implementing security controls. [800-37] The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system. [CIAO] (see also risk)

acceptable use policy (AUP)

A set of rules and guidelines that specify in more or less detail the expectations in regard to appropriate use of systems or networks. [RFC2504] It documents permitted system uses and activities for a specific user, and the consequences of noncompliance. [FFIEC] This refers to policies that restrict the way in which a network may be used. Usually, a network administrator makes and enforces decisions dealing with acceptable use. [AFSEC] (see also networks, policy)

acceptance criteria

The criteria that a system or component must satisfy in order to be accepted by a user, customer, or other authorized entity. [IEEE610] (see also authorized, acceptance procedure)

acceptance inspection

The final inspection to determine whether or not a facility or system meets the specified technical and performance standards. Note: this inspection is held immediately after facility and software testing and is the basis for commissioning or accepting the information system. [AJP][NCSC/TG004] (see also security testing, software, test, acceptance procedure)

acceptance procedure

A procedure which takes objects produced during the development, production, and maintenance processes for a Target of Evaluation and, as a positive act, places them under the controls of a Configuration Control system. [AJP][ITSEC] (see also control system, software development, target of evaluation) (includes acceptance criteria, acceptance inspection, acceptance testing, object)

acceptance testing

Formal testing conducted to determine whether or not a system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system. [IEEE610] Testing to determine whether products meet the requirements specified in the contract or by the user. [SRV] (see also acceptance procedure, security testing, test)

access

(1) A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (2) The ability and the means necessary to approach, to store or retrieve data, to communicate with, or to make use of any resource of an ADP system. [TNI] (1) The ability and means to communicate with (i.e. input to or receive output from) or otherwise make use of any information, resource, or component in an information technology (IT) product. (2) A specific type of interaction between a subject and an object that results in the flow of information from one to the other. Note: An individual does not have 'access' if the proper authority or a physical, technical, or procedural measure prevents him or her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. [AJP] (I) The ability and means to communicate with or otherwise interact with a system in order to use system resources to either handle information or gain knowledge of the information the system contains. (O) 'A specific type of interaction between a subject and an object that results in the flow of information from one to the other.' (C) In this Glossary, 'access' is intended to cover any ability to communicate with a system, including one-way communication in either direction. In actual practice, however, entities outside a security perimeter that can receive output from the system but cannot provide input or otherwise directly interact with the system, might be treated as not having 'access' and, therefore, be exempt from security policy requirements, such as the need for a security clearance. [RFC2828] 1) The right to enter or use a system and its resources; to read, write, modify, or delete data; or to use software processes or network bandwidth. 2) Opportunity to make use of an information system (IS) resource. [CIAO] A specific type of interaction between a subject and an object that results in the flow of information from one to the other. [NCSC/TG004][TCSEC] A specific type of interaction between a subject and an object that results in the flow of information from one to the other. A subject's right to use an object. [SRV] Ability and means to communicate with (i.e. input to or receive output from), or otherwise make use of any information, resource, or component in an Information Technology (IT) Product. Note: An individual does not have 'access' if the proper authority or a physical, technical, or procedural measure prevents them from obtaining knowledge or having an opportunity to alter information, material, resources, or components. [FCv1] Opportunity to make use of an information system (IS) resource. [CNSSI] (see also access control) (includes delete access, execute access, merge access, object, read access, remote access, subject, update access)

access category

One of the classes to which a user, program, or process may be assigned on the basis of the resources or groups of resources that each user, program, or process is authorized to use. [SRV] (see also authorized, access control)

access control

(1) The limiting of rights or capabilities of a subject to communicate with other subjects, or to use functions or services in a system or network. (2) Restrictions controlling a subject's access to an object. [TNI] (1) The process of limiting access to the resources of an information technology (IT) product only to authorized users, programs, processes, systems (in a network), or other IT products. (Synonymous with controlled access and limited access.) (2) The limiting of rights or capabilities of a subject to communicate with other subjects, or to use functions or services in a system or network. (3) Restrictions controlling a subject's access to an object. [AJP] (I) Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy. (O) 'The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.' [RFC2828] 1) Limiting access to information system resources to authorized users, programs, processes, or other systems only. 2) Procedures and controls that limit or detect access to MEI Resource Elements (People, Technology, Applications, Data and/or Facilities) thereby protecting these resources against loss of Integrity, Confidentiality Accountability and/or Availability. [CIAO] A security service that prevents the unauthorized use of information system resources (hardware and software) only to authorized users and the unauthorized disclosure or modification of data (stored and communicated). [IATF] Enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner. [800-33] Limiting access to information system resources only to authorized users, programs, processes, or other systems. [CNSSI] Process of limiting access to the resources of an IT product only to authorized users, programs, processes, systems, or other IT products. [FCv1] The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). [NCSC/TG004] The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. [SRV] (see also Bell-LaPadula model, Bell-LaPadula security model, Clark Wilson integrity model, Defensive Information Operations, Escrowed Encryption Standard, Identification Protocol, Internet Engineering Task Force, Internet Protocol Security Option, Internet Protocol security, Network File System, PIV issuer, POSIX, RA domains, Remote Authentication Dial-In User Service, SOCKS, TCB subset, TOE security functions interface, U.S.-controlled facility, U.S.-controlled space, accreditation range, active wiretapping, adequate security, administrative security, adversary, application, application program interface, application proxy, archiving, attack, audit, audit trail, authenticate, authentication, authorized, availability, availability service, backdoor, bastion host, benign, between-the-lines-entry, boundary, boundary host, breach, buffer overflow, call back, capability, category, classified, clearance, clearance level, client, client server, common gateway interface, communications, compartment, compartmentalization, compartmented mode, computer intrusion, computer security, computer security intrusion, confidentiality, confinement property, controlled security mode, controlled space, covert channel, covert channel analysis, cracker, credentials, critical, critical system, cryptographic application programming interface, cryptographic equipment room, data compromise, data integrity service, data management, dedicated mode, default account, demilitarized zone, demon dialer, denial of service, dictionary attack, directory service, disclosure of information, domain, domain name system, domain parameter, dominated by, dual control, encapsulation, exploit, exploitation, external security controls, external system exposure, extranet, federated identity, federation, fedline, firewall, flooding, formulary, guard, hacker, host, https, hyperlink, hypertext, identification, identification and authentication, identification authentication, identity credential issuer, identity verification, identity-based security policy, impersonation, inadvertent disclosure, individual accountability, individual electronic accountability, inference, information assurance product, information category, information security, information systems security, integrity, interception, interface, internal security controls, internal system exposure, internet service provider, intranet, intruder, intrusion, intrusion detection, intrusion detection tools, kerberos, key recovery, key-escrow, kiosk, labeled security protections, list-oriented, lock-and-key protection system, lockout, logic bomb, logical completeness measure, maintenance hook, major application, malicious intruder, malicious logic, masquerade, masquerading, minimum essential infrastructure, mode of operation, modes of operation, motivation, multilevel mode, multilevel secure, multilevel security, multilevel security mode, national security information, need to know determination, network component, network security, network weaving, networks, no-lone zone, non-discretionary security, noncomputing security methods, operations manager, operator, packet filtering, partitioned security mode, password system, passwords, peer-to-peer communication, penetration, permissions, personal identification number, personnel security, physical and environmental protection, physical security, piggyback, piggyback attack, piggyback entry, point-to-point tunneling protocol, policy, pop-up box, privacy, probe, protected network, protection ring, protection-critical portions of the TCB, proximity, proxy server, real-time reaction, records, reference monitor, reference monitor concept, reference validation mechanism, remote administration tool, repository, resource encapsulation, restricted area, rootkit, rule-based security policy, rules of behavior, ruleset, salt, sampling frame, scoping guidance, screen scraping, secure single sign-on, security clearance, security compromise, security controls, security domain, security incident, security intrusion, security label, security management, security management infrastructure, security policy, security safeguards, security violation, segregation of duties, sensitive compartmented information, sensitive information, signature, simple network management protocol, simple security condition, simple security property, single sign-on, social engineering, software, source program, spoof, spoofing, star (*) property, storage object, subject security level, subset-domain, system high mode, system resources, system software, system-high security mode, tcpwrapper, technological attack, term rule-based security policy, theft, threat, threat consequence, ticket, ticket-oriented, timing attacks, tokens, transaction, trap door, trespass, trojan horse, trust relationship, trusted gateway, trusted identification forwarding, trusted subject, two-person integrity, uniform resource locator, unprotected network, user PIN, verification, virus, vulnerability, web browser cache, website, wide-area network, wireless gateway server, wiretapping, workstation, world wide web, Automated Information System security, authorization, risk management, security, security-relevant event, trusted computing base, user) (includes IT default file protection parameters, Terminal Access Controller Access Control System, access, access category, access control center, access control list, access control mechanism, access control officer, access control service, access level, access list, access mode, access period, access port, access profile, access type, access with limited privileges, accessibility, administrative access, browse access protection, centralized authorization, classified information, component reference monitor, context-dependent access control, controlled access area, controlled access protection, controlled sharing, cookies, default file protection, discretionary access control, entry control, failure access, fetch protection, file protection, file security, file transfer access management, formal access approval, granularity, identity based access control, logged in, logical access, logical access control, login, logoff, logon, mandatory access control, media access control address, multiple access rights terminal, need-to-know, network reference monitor, non-discretionary access control, on-access scanning, partition rule base access control, peer access approval, peer access enforcement, physical access control, privileged, random access memory, remote access software, role-based access control, sandboxed environment, secure state, security kernel, security perimeter, sensitivity label, special access office, special access program, special access program facility, system entry, technical policy, unauthorized access, write access)

access control center (ACC)

(I) A computer containing a database with entries that define a security policy for an access control service. (C) An ACC is sometimes used in conjunction with a key center to implement access control in a key distribution system for symmetric cryptography. [RFC2828] (see also cryptography, key, access control)

access control list (ACL)

(1) A list of subjects authorized for specific access to an object. (2) A list of entities, together with their access rights, which are authorized to have access to a resource. [TNI] (1) A mechanism implementing discretionary access control in an IT product that identifies the users who may access an object and the type of access to the object that a user is permitted. (2) A list of subjects authorized for specific access to an object. (3) A list of entities, together with their access rights, which are authorized to have access to a resource. [AJP] (I) A mechanism that implements access control for a system resource by enumerating the identities of the computer system entities that are permitted to access the resource. [RFC2828] A list of the subjects that are permitted to access an object and the access rights of each subject. [SRV] A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources. [800-82] Mechanism implementing discretionary access control in an IT product that identifies the users who may access an object and the type of access to the object that a user is permitted. [FCv1] Mechanism implementing discretionary and/or mandatory access control between subjects and objects. [CNSSI][IATF] (see also authorized, communications security, access control) (includes ACL-based authorization)

access control mechanism

(1) Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an IT product. (2) Hardware or software features, operating procedures, management procedures, and various combinations of these designed to detect and prevent unauthorized access and to permit authorized access in an automated system. [AJP] Hardware or software features, operating procedures, management procedures, and various combinations of these designed to detect and prevent unauthorized access and to permit authorized access in an automated system. [NCSC/TG004][SRV] Security safeguard designed to detect and deny unauthorized access and permit authorized access in an IS. [CNSSI] Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an IT product. [FCv1] (see also authorized, software, unauthorized access, access control)

access control officer (ACO)

(see also access control)

access control service

(I) A security service that protects against a system entity using system resource in a way not authorized by the systems security policy; in short, protection of system resources against unauthorized access. (C) This service includes protecting against use of a resource in an unauthorized manner by an entity that is authorized to use the resource in some other manner. The two basic mechanisms for implementing this service are ACLs and tickets. [RFC2828] (see also authorized, unauthorized access, access control)

access level

Hierarchical portion of the security level used to identify the sensitivity of IS data and the clearance or authorization of users. Access level, in conjunction with the nonhierarchical categories, forms the sensitivity label of an object. [CNSSI] The hierarchical portion of the security level used to identify the sensitivity of data and the clearance or authorization of users. Note: The access level, in conjunction with the non-hierarchical categories, forms the sensitivity label of an object. [AJP][NCSC/TG004][SRV] (see also identify, access control, security level)

access list

(IS) Compilation of users, programs, or processes and the access levels and types to which each is authorized. (COMSEC) Roster of individuals authorized admittance to a controlled area. [CNSSI] A list of users, programs, and/or processes and the specifications of access categories to which each is assigned. [NCSC/TG004][SRV] (see access control list) (see also authorized, access control)

access mediation

Process of monitoring and controlling access to the resources of an IT product, including but not limited to the monitoring and updating of policy attributes during accesses as well as the protection of unauthorized or inappropriate accesses. [AJP][FCv1] (see also authorized)

access mode

(I) A distinct type of data processing operation-- e.g. read, write, append, or execute--that a subject can potentially perform on an object in a system. [RFC2828] (see also access control, automated information system)

access period

A segment of time, generally expressed on a daily or weekly basis, during which access rights prevail. [AJP][NCSC/TG004][SRV] (see also access control)

access port

A logical or physical identifier that a computer uses to distinguish different terminal input/output data streams. [AJP][NCSC/TG004][SRV] (see also access control)

access profile

Associates each user with a list of protected objects the user may access. [CNSSI] (see also access control)

access type

Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. [CNSSI] The nature of an access right to a particular device, program, or file (e.g. read, write, execute, append, modify, delete, or create). [AJP][NCSC/TG004][SRV] (see also access control)

access with limited privileges

A user who can circumvent the security controls and processes of a domain or application within an IT system [NASA] (see also access control)

accessibility

The ability to obtain the use of a computer system resource, or the ability and means necessary to store data, retrieve data, or communicate with a system. [SRV] (see also access control)

account aggregation

A service that gathers information from many websites, presents that information to the customer in a consolidated format and, in some cases, may allow the customer to initiate activity on the aggregated accounts. Aggregation services typically involve three different entities: (1) The aggregator that offers the aggregation service and maintains information on the customer's relationships/accounts with other on-line providers. (2) The aggregation target or website/entity from which the information is gathered or extracted by means of direct data feeds or screen scraping. (3) The aggregation customer who subscribes to aggregation services and provides customer IDs and passwords for the account relationships to be aggregated. [FFIEC]

account authority digital signature (AADS)

relying party obtains public key from its own account registery record for digital signature authentication [misc] (see also authentication, public-key infrastructure)

account fraud

(see also identity theft)

account hijacking

assumption of a customer's identity on a valid existing account [FTC] (see account fraud)

account management

Activities such as balance inquiry, statement balancing, transfers between the customer's accounts at the same financial institution, maintenance of personal information, etc. [FFIEC]

account takeover

(see account fraud)

accountability

(1) Means of linking individuals to their interactions with an IT product, thereby supporting identification of and recovery from unexpected or unavoidable failures of the control objectives. (2) The quality or state that enables actions on an ADP system to be traced to individuals who may then be held responsible. These actions include violations and attempted violation of the security policy, as well as allowed actions. (3) The property that enables activities on a system to be traced to individuals who may then be held responsible for their actions. [AJP] (I) The property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions. (C) Accountability permits detection and subsequent investigation of security breaches. [RFC2828] (IS) Process of tracing IS activities to a responsible source. (COMSEC) Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. [CNSSI] 1) Principle that responsibilities for ownership and/or oversight of IS resources are explicitly assigned and that assignees are answerable to proper authorities for stewardship of resources under their control. 2) The explicit assignment of responsibilities for oversight of areas of control to executives, managers, staff, owners, providers, and users of MEI Resource Elements. [CIAO] Means of linking individuals to their interactions with an IT product, thereby supporting identification of and recovery from unexpected or unavoidable failures of the control objectives. [FCv1] Property that allows auditing of activities in an automated information system (AIS) to be traced to persons who may then be held responsible for their actions. [IATF] Property that allows the ability to identify, verify, and trace system entities as well as changes in their status. Accountability is considered to include authenticity and non-repudiation. [800-37] The principle that individuals using a facility or a computer system must be able to be identified. With accountability, violations or attempted violation of system security can be traced to individuals who can then be held responsible for their actions. [AFSEC] The property that enables activities on a system to be traced to individuals who may then be held responsible for their actions. [NCSC/TG004][SRV] The property that ensures that the actions of an entity may be traced uniquely to the entity. [SC27] The quality or state which enables actions on an ADP system to be traced to individuals who may then be held responsible. These actions include violations and attempted violation of the security policy, as well as allowed actions. [TNI] The security objective that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. [800-30][800-33] (see also audit, communications security, deterrence, failure, fault isolation, identify, intrusion, intrusion detection, intrusion prevention, minimum essential infrastructure, nonrepudiation, quality, recovery, trust, security goals) (includes automated information system, identification, object, user)

accounting legend code (ALC)

Numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC Material Control System. [CNSSI] (see also communications security, control system)

accounting number

Number assigned to an item of COMSEC material to facilitate its control. [CNSSI] (see also communications security)

accredit

(see accreditation)

accreditation

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. [800-60] (1) The procedure for accepting an IT system to process sensitive information within a particular operational environment. (2) The formal procedure for recognizing both the technical competence and the impartiality of an IT test laboratory (evaluation body) to carry out its associated tasks. (3) Formal declaration by a designated approving authority that an Automated Information System (AIS) is approved to operate in a particular security configuration using a prescribed set of safeguards. (4) The managerial authorization and approval granted to an ADP system or network to process sensitive data in an operational environment, made on the basis of a certification by designated technical personnel of the extent to which design and implementation of the computer system meet pre-specified technical requirements, e.g. TCSEC (Trusted Computer System Evaluation Criteria), for achieving adequate data security. Management can accredit a system to operate at a higher or lower level than the risk level recommended (e.g. by the requirements guideline) for the certification level of the computer system. If management accredits the system to operate at a higher level than is appropriate for the certification level, management is accepting the additional risk incurred. (5) A formal declaration by the DAA (designated approving authority) that the AIS is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. [AJP] (I) An administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. (C) An accreditation is usually based on a technical certification of the computer system's security mechanisms. The terms 'certification' and 'accreditation' are used more in the U.S. Department of Defense and other government agencies than in commercial organizations. However, the concepts apply any place where managers are required to deal with and accept responsibility for security risks. The American Bar Association is developing accreditation criteria for CAs. [RFC2828] A formal declaration by the DAA that the AIS is approved to operate in a particular security mode using a perscribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. [NCSC/TG004] A management's formal acceptance of the adequacy of a computer system's security. [SRV] Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. [CNSSI] Formal declaration by a Designated Approving Authority that an IS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. [GSA] Formal declaration by a designated approving authority that an Automated Information System (AIS) is approved to operate in a particular security configuration using a prescribed set of safeguards. [FCv1] Formal declaration by the responsible management approving the operation of an automated system in a particular security mode using a particular set of safeguards. Accreditation is the official authorization by management for the operation of the computer system, and acceptance by that management of the associated residual risks. Accreditation is based on the certification process as well as other management considerations. [SC27] Has two definitions according to circumstances: a)the procedure for accepting an IT system for use within a particular environment; b)the procedure for recognizing both the technical competence and the impartiality of a test laboratory to carry out its associated tasks. [ITSEC] The authorization of an IT system to process, store, or transmit information, granted by a management official. Accreditation, that is required under OMB Circular A-130, is based on an assessment of the management, operational, and technical controls associated with an IT system. [800-37] The managerial authorization and approval, granted to an ADP system or network to process sensitive data in an operational environment, made on the basis of a certification by designated technical personnel of the extent to which design and implementation of the computer system meet pre-specified technical requirements, e.g. TCSEC, for achieving adequate data security. Management can accredit a system to operate at a higher/lower level than the risk level recommended (e.g. by the Requirements Guideline-) for the certification level of the computer system. If management accredits the system to operate at a higher level than is appropriate for the certification level, management is accepting the additional risk incurred. [TNI] The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. [800-82] Two definitions according to circumstances: 1) Operational system accreditation: The authorization that is granted for use of an IT system to process sensitive information in its operational environment. (ANSI modified) 2) Laboratory accreditation: The formal recognition that a testing laboratory is technically competent to carry out its specified tasks. [JTC1/SC27] (see also Common Criteria Testing Laboratory, National Information Assurance Partnership, accredited, approved technologies list, approved test methods list, assessment, authorization, cascading, certificate, certificate revocation list, certification phase, certifier, controlled security mode, dedicated security mode, evaluation, external security controls, multilevel security mode, networks, partitioned security mode, pre-certification phase, risk, security evaluation, security testing, site certification, system-high security mode, test, trust, trusted computer system, certification) (includes DoD Information Technology Security Certification and Accreditation Process, National Voluntary Laboratory Accreditation Program, Scope of Accreditation, accreditation authority, accreditation body, accreditation boundary, accreditation disapproval, accreditation multiplicity parameter, accreditation package, accreditation phase, accreditation range, approval/accreditation, automated information system, certification and accreditation, designated approving authority, full accreditation, interim accreditation, interim accreditation action plan, post-accreditation phase, private accreditation exponent, private accreditation information, public accreditation verification exponent, security, site accreditation, system accreditation, type accreditation)

accreditation authority

Entity trusted by all members of a group of entities for the purposes of the generation of private accreditation information. [SC27] (see also trust, accreditation)

accreditation body

An independent organization responsible for assessing the performance of other organizations against a recognized standard, and for formally confirming the status of those that meet the standard. [NIAP] (see also National Information Assurance Partnership, accreditation)

accreditation boundary

All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. [800-60] 1. (IA) - Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. (Synonymous with Security Perimeter) 2. (IC) - For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system (DCID 6/3, 5 Jun 99) [CNSSI] (see also security perimeter, security, accreditation)

accreditation disapproval

The system does not meet the security requirements and security controls as stated in the security plan; residual risk is too great, and mission criticality does not mandate the immediate operational need. Therefore, the developmental system is not approved for operation or, if the system is already operational, the operation of the system is halted. [800-37] (see also risk, security, accreditation)

accreditation multiplicity parameter

Positive integer equal to the number of items of secret accreditation information provided to an entity by the accreditation authority. [SC27] (see also accreditation)

accreditation package

Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision. [CNSSI] The accreditation letter and supporting documentation and rationale for the accreditation decision. [800-37] (see also accreditation)

accreditation phase

The accreditation phase is the third phase of the certification and accreditation process. Its purpose is to complete the final risk assessment on the IT system, update the security plan, prepare the certification findings, and issue the accreditation decision. [800-37] (see also assessment, risk, security, accreditation)

accreditation range

The accreditation range of a host with respect to a particular network is a set of mandatory access control levels (according to 'Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments,' CSC-STD-003-85) for data storage, processing, and transmission. The accreditation range will generally reflect the sensitivity levels of data that the accreditation authority believes the host can reliably keep segregated with an acceptable level of risk in the context of the particular network for which the accreditation range is given. Thus, although a host system might be accredited to use the mandatory access control levels Confidential, Secret, and Top Secret in stand-alone operation, it might have an accreditation range consisting of the single value Top Secret for attachment to some network. [AJP] (see also access control, computer security, evaluation, networks, risk, security, trust, trusted computer system, accreditation)

accredited

Formally confirmed by an accreditation body as meeting a predetermined standard of impartiality and general technical, methodological, and procedural competence. [NIAP] (see also accreditation, evaluation)

accrediting authority

Synonymous with Designated Accrediting Authority (DAA). [CNSSI]

accuracy

A qualitative assessment of correctness, or freedom from error. [SRV] (see also assessment)

ACH debit fraud

unauthorized payment, using fraudulently obtained account number [FTC] (see also authorized, fraud, identity theft)

ACL-based authorization

A scheme where the authorization agent consults an ACL to grant or deny access to a principal. [misc] (see also access control list, authorization) (includes distributed computing environment)

acquirer

(N) SET usage: 'The financial institution that establishes an account with a merchant and processes payment card authorizations and payments.' (O) 'The institution (or its agent) that acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system.' [RFC2828] (see also authorization, Secure Electronic Transaction)

acquisition plan

A document that records management's decisions; contains the requirements; provides appropriate analysis of technical options and the life cycle plans for development, production, training, and support of material items. [SRV] (see also analysis)

acquisition strategy

The conceptual framework for conducting systems acquisition, encompassing the broad concepts and objectives that direct and control the overall development, production, and deployment of a system. It evolves in parallel with the system's maturation. It must be stable enough to provide continuity but dynamic and flexible enough to accommodate change. It is tailored to fit the needs for developing, producing, and fielding the system. The set of decisions that determines how products and services will be acquired, including contracting method, contract duration, contract pricing, and quantities. [SRV]

active attack

An attack on the authentication protocol where the Attacker transmits data to the Claimant or Verifier. Examples of active attacks include a man-in-the-middle, impersonation, and session hijacking. [800-63] (see also authentication, impersonation, attack)

active content

WWW pages which contain references to programs which are downloaded and executed automatically by WWW browsers. [SRV]

active security testing

Hands-on security testing of systems and networks to identify their security vulnerabilities. [800-115] (see also security testing)

active wiretapping

The attaching of an unauthorized device, such as a computer terminal, to a communications circuit for the purpose of obtaining access to data through the generation of false messages or control signals, or by altering the communications of legitimate users. [SRV] (see also access control, authorized, communications, wiretapping)

activity analysis

The analysis and measurement (in terms of time, cost, and throughput) of distinct units of work (activities) that make up a process. [SRV] (see also analysis, security software)

activity-based costing (ABC)

(see also business process)

actuator

A pneumatic, hydraulic, or electrically powered device that supplies force and motion so as to position a valve's closure member at or between the open or closed position. [800-82]

ad hoc

Something that is ad hoc or that is done on an ad hoc basis happens or is done only when the situation makes it necessary or desirable, rather than being arranged in advance or being part of a general plan. [OVT]

ad hoc testing

Testing carried out using no recognised test case design technique. [OVT] (see also security testing, test)

ad-lib test

A test executed without prior planning; especially if the expected test outcome is not predicted beforehand. An undocumented test. [OVT] (see also test)

adaptive predictive coding (APC)

add-on security

(I) 'The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational.' [RFC2828] Incorporation of new hardware, software, or firmware safeguards in an operational IS. [CNSSI] The retrofitting of protection mechanisms, implemented by hardware or software, after the computer system has become operational. [SRV] The retrofitting of protection mechanisms, implemented by hardware or software. [AJP][NCSC/TG004] (see also software, security)

address

A sequence of bits or characters that identifies the destination and the source of a transmission. [SRV]

address indicator group (AIG)

address of record

The official location where an individual can be found. The address of record always includes the residential street address of an individual and may also include the mailing address of the individual. In very limited circumstances, an Army Post Office box number, Fleet Post Office box number or the street address of next of kin or of another contact individual can be used when a residential street address for the individual is not available. [800-63]

address spoofing

A type of attack in which the attacker steals a legitimate network (e.g. IP) address of a system and uses it to impersonate the system that owns the address. [misc] (see also impersonation, networks, masquerade, spoofing) (includes ip spoofing)

adequate security

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [800-37] Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. (OMB Circular A-130) [CNSSI] (see also access control, authorized, risk, unauthorized access, security)

administration documentation

The information about a Target of Evaluation supplied by the developer for use by an administrator. [AJP][ITSEC] (see also target of evaluation)

administrative access

Individuals or terminals authorized to perform network administrator or system administrator functions. [FFIEC] (see also authorized, access control)

administrative security

(I) Management procedures and constraints to prevent unauthorized access to a system. (O) 'The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data.' (C) Examples include clear delineation and separation of duties, and configuration control. [RFC2828] The management constraints and supplemental controls established to provide an acceptable level of protection for data. [AJP][NCSC/TG004][NSAINT] The management constraints and supplemental controls established to provide an acceptable level of protection for data. Synonymous with procedural security. [SRV] (see procedural security) (see also access control, authorized, unauthorized access, security)

administrator

A person in contact with the Target of Evaluation who is responsible for maintaining its operational capability. [AJP][ITSEC] (see also target of evaluation)

advanced development model (ADM)

(see also software development)

advanced encryption standard

(N) A future FIPS publication being developed by NIST to succeed DES. Intended to specify an unclassified, publicly-disclosed, symmetric encryption algorithm, available royalty-free worldwide. [RFC2828] FIPS approved cryptographic algorithm that is a symmetric block cypher using cryptographic key sizes of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. [CNSSI] (see also classified, encryption, National Institute of Standards and Technology, symmetric cryptography)

advanced intelligence network (AIN)

(see also networks)

advanced intelligent network (AIN)

An evolving architecture that allows rapid creation and modification of telecommunication services. [SRV] (see also networks)

Advanced Mobile Phone Service (AMPS)

The standard system for analog cellular telephone service in the U.S. AMPS allocates frequency ranges within the 800 -- 900 MHz spectrum to cellular telephones. Signals cover an area called a cell. Signals are passed into adjacent cells as the user moves to another cell. The analog service of AMPS has been updated to include digital service. [IATF] (see also user)

advanced narrowband digital voice terminal (ANDVT)

Advanced Research Projects Agency Network (ARPANET)

(see also networks)

advanced self-protection jammer (ASPJ)

(see also assurance, communications security)

adversary

(I) An entity that attacks, or is a threat to, a system. [RFC2828] Person or organization that must be denied accesses to information. [IATF] (see also access control, threat, security)

advisory

Notification of significant new trends or developments regarding the threat to the IS of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting ISs. [CNSSI] (see also threat)

agency

Federal department, major organizational unit within a department, or independent agency. [CIAO]

agent

A host-based intrusion detection and prevention program that monitors and analyzes activity and may also perform prevention actions. [800-94] A program used in distributed denial of service (DDoS) attacks that sends malicious traffic to hosts based on the instructions of a handler. [800-61] (see also attack, intrusion, intrusion detection)

aggregation

(I) A circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it. [RFC2828] (see also security)

aggressive mode

Mode used in IPsec phase 1 to negotiate the establishment of an IKE SA through three messages. [800-77] (see also Internet Protocol security)

alarm

A device or function that signals the existence of an abnormal condition by making an audible or visible discrete change, or both, so as to attract attention to that condition. [800-82] (see also countermeasure)

alarm reporting

An OSI terms that refers to the communication of information about a possible detected fault. This information generally includes the identification of the network device or network resource in which the fault was detected, the type of the fault, its severity, and its probable cause. [SRV] (see also fault, identification, networks, security software)

alarm surveillance

The set of functions that enable: (1) the monitoring of the communications network to detect faults and fault-related events or conditions; (2) the logging of this information for future use in fault detection and other network management activities; and (3) the analysis and control of alarms, notifications, and other information about faults to ensure that the resources of network management are directed toward faults that affect the operation of the communications network. Analysis of alarms consists of alarm filtering, alarm correlation, and fault prediction. [SRV] (see also analysis, fault, networks, security software)

alert

A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events. [NSAINT] A notification of an important observed event. Anomaly-Based Detection: The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. [800-94] Notice of specific attack directed at an organization's IS resources. [CIAO] Notification that a specific attack has been directed at the IS of an organization. [CNSSI] (see also attack, audit, communications security, identify, networks, security)

algorithm

(I) A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. [RFC2828] A mathematical procedure that can usually be explicitly encoded in a set of computer language instructions that manipulate data. Cryptographic algorithms are mathematical procedures used for such purposes as encrypting and decrypting messages and signing documents digitally. [AJP] (see also Data Encryption Standard, cryptanalysis, cryptographic key, cryptographic module, cryptography, cyclic redundancy check, initialization vector, key-escrow system, metric) (includes International Data Encryption Algorithm, Rivest-Shamir-Adelman algorithm, asymmetric algorithm, crypto-algorithm, digital signature algorithm, message digest algorithm 5, secure hash algorithm, symmetric algorithm)

alias

(I) A name that an entity uses in place of its real name, usually for the purpose of either anonymity or deception. [RFC2828] (see also anonymous, masquerade)

alignment

The degree of agreement, conformance, and consistency among organizational purpose, mission, vision, and values; structures, systems, and processes; and individual values, skills, and behaviors. [SRV]

allowed traffic

Packets forwarded as a result of the rule set of the device under test/system under test (DUT/SUT). Firewalls typically are configured to forward only those packets explicitly permitted in the rule set. Forwarded packets must be included in calculating the bit forwarding rate or maximum bit forwarding rate of the DUT/SUT. All other packets must not be included in bit forwarding rate calculations. [RFC2647] (see also bit forwarding rate, ruleset, test)

alternate COMSEC custodian

Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian. [CNSSI] (see also communications security)

alternative work site

Government-wide, national program allowing Federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting). [CNSSI]

American institute of certified public accountants (AICPA)

American National Standards Institute (ANSI)

(N) A private, not-for-profit association of users, manufacturers, and other organizations, that administers U.S. private sector voluntary standards. (C) ANSI is the sole U.S. representative to the two major non-treaty international standards organizations, ISO and, via the U.S. National Committee (USNC), the International Electrotechnical Commission (IEC). [RFC2828] organization responsible for approving standards, including computers and communications. [misc] (see also automated information system)

American Standard Code for Information Interchange (ASCII)

(see also automated information system)

analog signal

A continuous electrical signal whose amplitude varies in direct correlation with the original input. [SRV]

analysis

analysis of alternatives

The process of determining how an organization's information needs will be met. It is an analysis to compare and evaluate the costs and benefits of various alternatives for meeting a requirement for the purpose of selecting the alternative that is most advantageous to the organization. [SRV] (see also analysis)

ankle-biter

A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to AIS's. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet. [NSAINT] (see also threat)

anomaly

An anomaly is a rule or practice that is different from what is normal or usual, and that is therefore unsatisfactory. Anything observed in the documentation or operation of software that deviates from expectations based on previously verified software products or reference documents. [OVT] Any condition that departs from the expected. This expectation can come from documentation (e.g. requirements specifications, design documents, user documents) or from perceptions or experiences. An anomaly is not necessarily a problem in the software, but a deviation from the expected, so that errors, defects, faults, and failures are considered anomalies. [SRV] (see also bug, failure, fault, software)

anomaly detection

Detecting intrusions by looking for activity that is different from the user's or system's normal behavior. [CIAO] (see also countermeasure, intrusion, security software)

anomaly detection model

A model where intrusions are detected by looking for activity that is different from the user's or system's normal behavior. [NSAINT] (see also intrusion, model, security policy model)

anonymity

A security service that prevents the disclosure of information that leads to the identification of the end users. [IATF] (see also identification, user)

anonymous

(I) The condition of having a name that is unknown or concealed. (C) An application may require security services that maintain anonymity of users or other system entities, perhaps to preserve their privacy or hide them from attack. To hide an entity's real name, an alias may be used. For example, a financial institution may assign an account number. Parties to a transaction can thus remain relatively anonymous, but can also accept the transaction as legitimate. Real names of the parties cannot be easily determined by observers of the transaction, but an authorized third party may be able to map an alias to a real name, such as by presenting the institution with a court order. In other applications, anonymous entities may be completely untraceable. [RFC2828] (see also alias, attack, authorized, privacy, security)

anonymous and guest login

Services may be made available without any kind of authentication. This is commonly done, for instance, with the FTP protocol to allow anonymous access. Other systems provide a special account named 'guest' to provide access, typically restricting the privileges of this account. [RFC2504] (see also authentication, login)

anonymous login

(I) An access control feature (or, rather, an access control weakness) in many Internet hosts that enables users to gain access to general-purpose or public services and resources on a host (such as allowing any user to transfer data using File Transfer Protocol) without having a pre-established, user-specific account (i.e., user name and secret password). (C) This feature exposes a system to more threats than when all the users are known, pre-registered entities that are individually accountable for their actions. A user logs in using a special, publicly known user name (e.g. 'anonymous', 'guest', or 'ftp'). To use the public login name, the user is not required to know a secret password and may not be required to input anything at all except the name. In other cases, to complete the normal sequence of steps in a login protocol, the system may require the user to input a matching, publicly known password (such as 'anonymous') or may ask the user for an e-mail address or some other arbitrary alphanumeric string. [RFC2828] (see also passwords, threat, internet, login)

anti-jam

Measures ensuring that transmitted information can be received despite deliberate jamming attempts. [CNSSI][IATF] (see also communications security)

anti-jamming (AJ)

(see also communications security)

anti-spoof

Measures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker. [CNSSI] (see also spoofing, security software)

antivirus software

A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. [800-83] A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. Application-Based Intrusion Detection and Prevention System: A host-based intrusion detection and prevention system that performs monitoring for a specific application service only, such as a Web server program or a database server program. [800-94] Computer programs that offer protection from viruses by making additional checks of the integrity of the operating system and electronic files. Also known as virus protection software [FFIEC] (see also countermeasure, identify, integrity, intrusion, intrusion detection, security software, virus)

antivirus tools

Software products and technology used to detect malicious code, prevent it from infecting a system, and remove malicious code that has infected the system. [800-82] (see also countermeasure, virus)

appendix

A string of bits formed by the signature and an optional text field. [SC27]

applet

A small program that typically is transmitted with a Web page. [FFIEC] Small applications written in various programming languages which are automatically downloaded and executed by applet-enabled WWW browsers. [SRV] (see also world wide web)

applicant

A person who has applied to become a key holder, prior to the time at which keys and certificates are issued to and accepted by them. [800-103] An entity (organisation, individual etc.) which requests the assignment of a register entry and entry label. [SC27]

applicant assertion

A party undergoing the processes of registration and identity proofing. A statement from a Verifier to a Relying Party that contains identity information about a Subscriber. Assertions may also contain verified attributes. [800-63] (see also identity)

application

1) All application systems, internal and external, utilized in support of the core process. 2) A software package designed to perform a specific set of functions, such as word processing or communications. [CIAO] A computer program designed to perform specific functions, such as inventory control, scheduling, and payroll. [SRV] A program that performs a function directly for a user, such as ftp and telnet. [misc] Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges. [CNSSI] (see also access control, software)

application controls

Controls related to individual application systems, which help ensure that transactions are valid, complete, authorized, processed, and reported. [SRV] Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted [FFIEC] (see also authorized, security controls)

application data backup/recovery

Data backup is the process of saving software and information on magnetic media and storing the media in a location away from the IT facility. This process provides the means to ensure application recovery; that is, the means to restore the application and/or information after damage to or destruction of the IT hardware, software, or information. [NASA] (see also availability, backup)

application entity (AE)

application gateway firewall

A type of firewall system that runs an application, called a proxy, that acts like the server to the Internet client. The proxy takes all requests from the Internet client and, if allowed, forwards them to the Intranet server. Application gateways are used to make certain that the Internet client and the Intranet server are using the proper application protocol for communicating. Popular proxies include Telnet, ftp, and http. Building proxies requires knowledge of the application protocol. [misc] (see also firewall)

application generator

A type of tool that uses software designs and/or requirements to generate entire software applications automatically, including program source code and program control statements. [SRV] (see also software)

application level gateway

A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host. [NSAINT] (see also application proxy, firewall)

application program interface (API)

A set of standard software interrupts, calls, and data formats that application programs use to initiate contact with network services, mainframe communications programs, telephone equipment, or program-to-program communications. [IATF] System access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality. [AJP][FCv1] (see also access control, networks, security, software)

application programming interface (API)

The interface between the application software and the application platform (i.e., operating system), across which all services are provided. [GAO06178] The interface between the application software and the application platform, across which all services are provided. The API is primarily in support of application portability, but system and application interoperability is also supported by a communication API. [SRV] (see also software)

application proxy

A proxy service that is set up and torn down in response to a client request, rather than existing on a static basis. Circuit proxies always forward packets containing a given port number if that port number is permitted by the rule set. Application proxies, in contrast, forward packets only once a connection has been established using some known protocol. When the connection closes, a firewall using application proxies rejects individual packets, even if they contain port numbers allowed by a rule set. [RFC2647] An application that forwards application traffic through a firewall. It is also called a proxy server. Proxies tend to be specific to the protocol they are designed to forward, and may provide increased access control or audit. [SRV] (see also application level gateway, access control, audit, firewall, proxy) (includes gateway)

application server attack

A computer responsible for hosting applications to user workstations. An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality. [800-82] (see also authorized, availability, compromise, integrity, user, attack)

application software

Programs that perform specific tasks, such as word processing, database management, or payroll. Software that interacts directly with some nonsoftware system (e.g. human, robot, etc.). [SRV] (see also software)

application system

An integrated set of computer programs designed to serve a well-defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management). [FFIEC] (see also automated information system)

application-level firewall

A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing; application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host. In contrast to packet filtering firewalls, this firewall must have knowledge of the application data transfer protocol and often has rules about what may be transmitted and what may not. [IATF] (see also firewall, security)

approach

The method used or steps taken in setting about a task, problem, etc. [SC27]

approval for service use (ASU)

approval/accreditation

The official authorization that is granted to an ADP system to process sensitive information in its operational environment, based upon comprehensive security evaluation of the computer system's hardware, firmware, and software security design, configuration, and implementation, and of the other system procedural, administrative, physical, TEMPEST, personnel, and communications security controls. [AJP][TCSEC] (see also TEMPEST, authorization, communications security, evaluation, security, software, accreditation)

approved

FIPS approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation. [800-63]

approved technologies list

The list of approved information technology areas maintained by the NIAP Oversight Body which can be selected by a CCTL in choosing its scope of accreditation, that is, the types of IT security evaluations that can be conducted using NVLAP accredited test methods. [NIAP] (see also accreditation, computer security, evaluation, test, Common Criteria Testing Laboratory, National Information Assurance Partnership)

approved test methods list

The list of approved test methods maintained by the NIAP Oversight Body which can be selected by a CCTL in choosing its scope of accreditation, that is, the types of IT security evaluations that it will be authorized to conduct using NVLAP accredited test methods. [NIAP] (see also accreditation, authorized, computer security, evaluation, Common Criteria Testing Laboratory, National Information Assurance Partnership, test)

architectural design

A phase of the development process wherein the top-level definition and design of a Target of Evaluation are specified. [AJP][ITSEC] (see also software development, target of evaluation)

architecture

A description of all functional activities to be performed to achieve the desired mission, the system elements needed to perform the functions, and the designation of performance levels of those system elements. An architecture also includes information on the technologies, interfaces, and location of functions and is considered an evolving description of an approach to achieving a desired mission. [SRV] A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability). [GSA] (see also user)

archive

(I) (1.) Noun: A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (2.) Verb: To store data in such way. (C) A digital signature may need to be verified many years after the signing occurs. The CA--the one that issued the certificate containing the public key needed to verify that signature--may not stay in operation that long. So every CA needs to provide for long-term storage of the information needed to verify the signatures of those to whom it issues certificates. [RFC2828] Long-term storage of system information and records. Items commonly archived include but are not limited to magnetic media copies of operating system software, application software, and data; and hardcopies of system records such as console logs, data listings, and software and firmware listings. [NASA] Long-term, physically separate storage [GSA] (see also archiving, audit, backup, certificate, digital signature, integrity, key, public-key infrastructure, recovery)

archiving

Moving electronic files no longer being used to less accessible and usually less expensive storage media for safe keeping. [SRV] (see also archive, access control, backup)

area interswitch rekeying key (AIRK)

(see also key, rekey)

areas of control

Collectively, controls consist of the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. [CIAO]

areas of potential compromise

These broad topical areas represent categories where losses can occur that will impact both a department or agency's MEI and its ability to conduct core missions. [CIAO] (see also minimum essential infrastructure, compromise, vulnerability)

ARPANET

(N) Advanced Research Projects Agency Network, a pioneer packet-switched network that was built in the early 1970s under contract to the U.S. Government, led to the development of today's Internet, and was decommissioned in June 1990. [RFC2828] (see also internet, networks)

as is process model

A model that portrays how a business process is currently structured. In process improvement efforts, it is used to establish a baseline for measuring subsequent business improvement actions and progress. [SRV] (see also baseline, business process, model)

assessment

Surveys and Inspections; an analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems. [NSAINT] Verification of a deliverable against a standard using the corresponding method to establish compliance and determine the assurance. [SC27] (see also Common Criteria for Information Technology Security, Common Criteria for Information Technology Security Evaluation, acceptable level of risk, accreditation, accreditation phase, accuracy, analysis, authorize processing, binding of functionality, certification, certification package, certification phase, cost-risk analysis, deliverable, ease of use, evaluation, evaluation pass statement, evaluator, metric, monitoring and evaluation, operations security, pre-certification phase, process assurance, rating, risk analysis, risk management, scheme, security, security category, security fault analysis, site certification, strength of mechanisms, suitability of functionality, threat monitoring, verification) (includes computer incident assessment capability, criticality assessment, independent assessment, national computer security assessment pro