
security policy

Definition(s):

  A set of criteria for the provision of security services.
Source(s):
CNSSI 4009-2015 from NIST SP 800-53 Rev. 4
NIST SP 800-137 under Security Policy from CNSSI 4009
NIST SP 800-30 Rev. 1 under Security Policy from CNSSI 4009
NIST SP 800-39 under Security Policy from CNSSI 4009
NIST SP 800-53 Rev. 5
NIST SP 800-57 Part 2 Rev. 1 under Security policy
NIST SP 800-37 Rev. 1 [Superseded] under Security Policy from CNSSI 4009
NIST SP 800-53 Rev. 4 [Superseded] under Security Policy from CNSSI 4009

  Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent.
Source(s):
NIST SP 800-82 Rev. 2 under Security Policy from ISA99

  A set of rules that governs all aspects of security-relevant system and system element behavior. Note 1: System elements include technology, machine, and human elements. Note 2: Rules can be stated at very high levels (e.g., an organizational policy defines acceptable behavior of employees in performing their mission/business functions) or at very low levels (e.g., an operating system policy that defines acceptable behavior of executing processes and use of resources by those processes).
Source(s):
NIST SP 800-160 Vol. 1

  The statement of required protection for the information objects.
Source(s):
NIST SP 800-192 under Security Policy
NISTIR 7316 under Security Policy

  A set of rules that governs all aspects of security-relevant system and system component behavior.
Source(s):
NIST SP 800-53 Rev. 5 from NIST SP 800-160 Vol. 1 - Adapted

  The statement of required protection of the information objects.
Source(s):
NIST SP 800-27 Rev. A [Withdrawn]
NIST SP 800-33 [Withdrawn]

  Defines the threats that a system shall address and provides high-level mechanisms for addressing those threats.
Source(s):
NIST SP 800-57 Part 2 [Superseded] under Security policy