Glossary



A

Acceptable Risk- is a concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls.

Access Controls- restrict the ability to do something with a computer resource.

Accreditation- is the authorization and approval granted to a major application or general support system to process in an operational environment. It is made on the basis of a certification by designated technical personnel that the system meets pre-specified technical requirements for achieving adequate system security.

Agency/Group/Division- a hierarchical organizational component.

Asset- is a major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

Audit Trails- a record of system activity by system or application processes and by user activity.

Authentication- verifying the identity of a user, process, or device often as a prerequisite to allowing access to resources in a system.

Availability- the information technology resource (system or data) must be available on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended purposes.

Availability Protection- requires backup of system and information, contingency plans, disaster recovery plans, and redundancy. Examples of systems and information requiring availability protection are time-share systems, mission-critical applications, time and attendance, financial, procurement, or life-critical.

Awareness, Training, and Education- awareness programs set the stage for training by changing organizational attitudes towards realization of the importance of security and the adverse consequences of its failure; the purpose of training is to teach people the skills that will enable them to perform their jobs more effectively; and education is more in-depth than training and is targeted for security professionals and those whose jobs require expertise in IT security.

B

Boundary Controls- the security measures that protect an interconnected system from unauthorized access.

C

Certification- is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meets a pre-specified set of security requirements.

Computer Security- the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Confidentiality- the security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality has three different protection requirements: High, a critical concern of the system; Medium, an important concern, but not necessarily paramount in the organization's priorities; or Low, some minimal level of security is required, but not to the same degree as the previous two categories.

G

General Support System- is an interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Users may be from the same or different organizations.

H

High- a critical concern of the system.

I

Implemented- procedures and controls that are carried out.

Individual Accountability- requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.

Information- any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.

Information Owner- is responsible for establishing the rules for appropriate use and protection of the data/information. The information owner retains that responsibility even when the data/information are shared with other organizations.

Integrated- a comprehensive security program that is an integral part of an agency's organizational culture. Decision making is based on cost, risk, and mission impact.

Integrity- the security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

Interconnected System- any system that is connected to another system.

L

Logical Access Controls- are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Low- some minimal level of security is required.

M

Major Application- is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.

Management Controls- controls that focus on the management of the IT security system and the management of risk for a system.

Material Weakness- is used to identify control weaknesses that pose a significant risk or a threat to the operations and/or assets of an audited entity. “Material weakness” is a very specific term that is defined one way for financial audits and another way for weaknesses reported under the Federal Managers Financial Integrity Act of 1982. Such weaknesses may be identified by auditors or by management.

Medium- an important concern, but not necessarily paramount in the organization's priorities.

N

Networks- include communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area networks or wide area networks, including public networks such as the Internet.

Not Applicable- does not apply to the question.

O

Operational Controls- address security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).

Organizational Standards- required technologies or procedures that are specific to an organization.

P

Policy- senior management's directives to create a computer security program, establish its goals, and assign responsibilities.

Procedures- document the implementation of specific security controls.

R

Risk- is the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.

Risk Based Decision- a decision that is made by looking at the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity and then weighing it against the impact and the cost of prevention.

Risk Management- is the ongoing process of assessing the risk to automated information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.

S

Sensitive Information- refers to information whose loss, misuse, or unauthorized access to or modification of could adversely affect the national interest or the conduct of Federal programs or the privacy to which individuals are entitled.

Sensitivity- an information technology environment consists of the system, data, and applications that must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and/or availability that is determined by an evaluation of the sensitivity of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.

System- is a generic term used for briefness to mean either a major application or a general support system.

System Assessor- is either a subject-matter expert or someone who knows and uses the system, who will answer or help answer questions within the NIST Self-Assessment.

System Criticality- is the degree of sensitivity based on the confidentiality, integrity, and availability needs of the system.

System Name- is the name assigned to a given system.

System Number- is the unique identifier given to a system.

System Operational Status- is one of Operational (the system is operating), Under Development (the system is being designed, developed, or implemented), or Undergoing a Major Modification (the system is undergoing a major conversion or transition).

System Type- identifies the category of the system: major application or general support system.

T

Technical Control- focuses on security controls that the computer system executes.

Tested- evaluates the adequacy and effectiveness of security policies, procedures and controls.

Threat- is an event or activity, deliberate or unintentional, with the potential for causing harm to an IT system or activity.

V

Vulnerability- is a flaw or weakness that may allow harm to occur to an IT system or activity.
