NIST Information Security Terms Flashcards

NISTIR 7298 Revision 2: familiarization with key information security terms

1
Q

Access

A

Ability to make use of any information system (IS) resource.
SOURCE: SP 800-32
Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
SOURCE: CNSSI-4009

2
Q

Access Authority

A

An entity responsible for monitoring and granting access privileges for other authorized entities.
SOURCE: CNSSI-4009

3
Q

Access Control

A

The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
SOURCE: FIPS 201; CNSSI-4009

4
Q

Access Control List (ACL)

A

1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
SOURCE: CNSSI-4009
5
Q

Access Control Lists (ACLs)

A

A register of:
1. users (including groups, machines, processes) who have been given permission to use a particular system resource, and
2. the types of access they have been permitted.
SOURCE: SP 800-12

6
Q

Access Control Mechanism

A

Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
SOURCE: CNSSI-4009
7
Q

Access Level

A

A category within a given security classification limiting entry or system connectivity to only authorized persons.
SOURCE: CNSSI-4009

8
Q

Access List

A

Roster of individuals authorized admittance to a controlled area.
SOURCE: CNSSI-4009

9
Q

Access Point

A

A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.
SOURCE: SP 800-48; SP 800-121

10
Q

Access Profile

A

Association of a user with a list of protected objects the user may access.
SOURCE: CNSSI-4009

11
Q

Access Type

A

Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write.
SOURCE: CNSSI-4009
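The ACL entries (cards 4 and 5), the access profile (card 10) and the access types above are easiest to see together in code. The following is an added example written for this deck, not text or code from NISTIR 7298, CNSSI-4009 or SP 800-12; the objects, subjects, group names and entries are constructed for illustration. It shows an ACL as an enumeration of principals and the modes granted to each, default deny for anyone not listed, an explicit deny overriding a group allow, and an access profile derived from the ACLs rather than kept as a separate list.

```python
"""Access control list evaluation over named access types (added example).

Models the glossary's ACL: for one object, a register of subjects (users,
groups, machines, processes) and the access modes each is permitted. Entries
are constructed for this example; nothing here is code from NIST or CNSS.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Mode(Flag):
    """Access types named in the glossary entry."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    APPEND = auto()
    MODIFY = auto()
    DELETE = auto()
    CREATE = auto()


@dataclass(frozen=True)
class Subject:
    name: str
    groups: frozenset = frozenset()   # group memberships that ACL entries may name


@dataclass
class Acl:
    """ACL for one protected object: ordered (principal, allow?, modes) entries.
    A principal is a user name or a group name. Any matching deny entry wins
    over any allow, and a subject with no matching entry gets nothing
    (default deny), which is what makes the list an enumeration of who may
    access the object rather than of who may not."""
    entries: list = field(default_factory=list)

    def allow(self, principal: str, modes: Mode) -> "Acl":
        self.entries.append((principal, True, modes))
        return self

    def deny(self, principal: str, modes: Mode) -> "Acl":
        self.entries.append((principal, False, modes))
        return self

    def check(self, subject: Subject, requested: Mode) -> bool:
        """True only if every requested mode is granted and none is denied."""
        granted = Mode.NONE
        for principal, is_allow, modes in self.entries:
            if principal != subject.name and principal not in subject.groups:
                continue
            if not is_allow and (modes & requested):
                return False            # explicit deny on a requested mode
            if is_allow:
                granted |= modes
        return (granted & requested) == requested


def access_profile(subject: Subject, acls: dict) -> dict:
    """The subject's access profile: each object it may reach, with the modes
    it may use, derived from the ACLs rather than maintained separately."""
    profile = {}
    for obj_name, acl in acls.items():
        modes = Mode.NONE
        for mode in Mode:
            if mode is not Mode.NONE and acl.check(subject, mode):
                modes |= mode
        if modes:
            profile[obj_name] = modes
    return profile


# Constructed sample: two objects, three subjects.
OBJECTS = {
    "payroll.db": (Acl()
                   .allow("finance", Mode.READ | Mode.WRITE)
                   .deny("contractor", Mode.WRITE | Mode.DELETE)
                   .allow("backup-svc", Mode.READ)),
    "audit.log": (Acl()
                  .allow("auditors", Mode.READ)
                  .allow("syslog", Mode.APPEND)),
}
ALICE = Subject("alice", frozenset({"finance"}))
BOB = Subject("bob", frozenset({"finance", "contractor"}))   # a contractor inside finance
CAROL = Subject("carol", frozenset({"auditors"}))

if __name__ == "__main__":
    payroll = OBJECTS["payroll.db"]
    print("alice read+write payroll:", payroll.check(ALICE, Mode.READ | Mode.WRITE))
    print("bob write payroll:", payroll.check(BOB, Mode.WRITE))
    print("carol read payroll:", payroll.check(CAROL, Mode.READ))
    for subject in (ALICE, BOB, CAROL):
        print(subject.name, "profile:", access_profile(subject, OBJECTS))
```

Bob is in the finance group that is allowed read and write, but the contractor deny entry strips write, so his profile on payroll.db is read only; Carol, who is named by no entry on payroll.db, gets nothing there. The check tests all requested modes at once, so a request for read and write fails as a whole when only read is granted, which is the safer behaviour for a caller that then opens the file read-write.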

12
Q

Account Management, User

A

Involves
1) the process of requesting, establishing, issuing, and closing user accounts;
2) tracking users and their respective access authorizations; and
3) managing these functions.
SOURCE: SP 800-12

13
Q

Accountability

A

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE: SP 800-27
Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
SOURCE: CNSSI-4009

14
Q

Accounting Legend Code (ALC)

A

Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System.
SOURCE: CNSSI-4009

15
Q

Accounting Number

A

Number assigned to an item of COMSEC material to facilitate its control.
SOURCE: CNSSI-4009

16
Q

Accreditation

A

See Authorization

17
Q

Accreditation Authority

A

See Authorizing Official

18
Q

Accreditation Boundary

A

See Authorization Boundary

19
Q

Accreditation Package

A

Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision.
SOURCE: CNSSI-4009

20
Q

Accrediting Authority

A

Synonymous with Designated Accrediting Authority (DAA). See also Authorizing Official.
SOURCE: CNSSI-4009

21
Q

Activation Data

A

Private data, other than keys, that are required to access cryptographic modules.
SOURCE: SP 800-32

22
Q

Active Attack

A

An attack that alters a system or data.
SOURCE: CNSSI-4009
An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
SOURCE: SP 800-63

23
Q

Active Content

A

Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
SOURCE: SP 800-28
Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.
SOURCE: CNSSI-4009

24
Q

Active Security Testing

A

Security testing that involves direct interaction with a target, such as sending packets to a target.
SOURCE: SP 800-115

25
Q

Activities

A

An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
SOURCE: SP 800-53A

26
Q

Ad Hoc Network

A

A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station.
SOURCE: SP 800-121

27
Q

Add-on Security

A

Incorporation of new hardware, software, or firmware safeguards in an operational information system.
SOURCE: CNSSI-4009

28
Q

Adequate Security

A

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
SOURCE: SP 800-53; FIPS 200; OMB Circular A-130, App. III
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
SOURCE: CNSSI-4009; SP 800-37

29
Q

Administrative Account

A

A user account with full privileges on a computer.
SOURCE: SP 800-69

30
Q

Administrative Safeguards

A

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity’s workforce in relation to protecting that information.
SOURCE: SP 800-66

31
Q

Advanced Encryption Standard (AES)

A

The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
SOURCE: FIPS 197

A U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
SOURCE: CNSSI-4009

32
Q

Advanced Key Processor (AKP)

A

A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).
SOURCE: CNSSI-4009

33
Q

Advanced Persistent Threat (APT)

A

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
SOURCE: SP 800-39

34
Q

Adversary

A

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
SOURCE: SP 800-30

35
Q

Advisory

A

Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems.
SOURCE: CNSSI-4009

36
Q

Agency

A

Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
SOURCE: FIPS 200; 44 U.S.C., Sec. 3502
ALSO See Executive Agency.

37
Q

Agency Certification Authority (CA)

A

A CA that acts on behalf of an agency and is under the operational control of an agency.
SOURCE: SP 800-32

38
Q

Agent

A

A program acting on behalf of a person or organization.
SOURCE: SP 800-95

39
Q

Alert

A

Notification that a specific attack has been directed at an organization’s information systems.
SOURCE: CNSSI-4009

40
Q

Allocation

A

The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
SOURCE: SP 800-37

41
Q

Alternate COMSEC Custodian

A

Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian.
SOURCE: CNSSI-4009

42
Q

Alternate Work Site

A

Governmentwide, national program allowing federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting).
SOURCE: CNSSI-4009

43
Q

Analysis

A

The examination of acquired data for its significance and probative value to the case.
SOURCE: SP 800-72

44
Q

Anomaly-Based Detection

A

The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
SOURCE: SP 800-94
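The definition above is the whole method: learn what normal looks like, then compare. The following is an added example written for this deck, not code from SP 800-94; the log format, the hosts, the byte counts and the z-score threshold are all constructed. It builds a per-host baseline (mean and spread of bytes moved, plus the set of actions ever seen) from a training window and then reports the three kinds of deviation a reviewer would want: a host absent from the baseline, an action never seen for that host, and a volume far outside the host's normal spread.

```python
"""Anomaly-based detection over constructed host event logs (added example).

A baseline of normal per-host behaviour is learned from a training window and
observed events are compared against it; significant deviations are reported.
The log format and thresholds are invented for this example.
"""
import re
import statistics
from collections import defaultdict

# Constructed format: "<timestamp> <host> <action> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>\S+)\s+(?P<bytes>\d+)$")

TRAINING_LOG = """\
2024-03-01T01:00:00Z web01 https-out 1200
2024-03-01T02:00:00Z web01 https-out 1500
2024-03-01T03:00:00Z web01 https-out 1100
2024-03-01T04:00:00Z web01 https-out 1800
2024-03-01T05:00:00Z web01 https-out 1400
2024-03-01T01:00:00Z db01 query 500
2024-03-01T02:00:00Z db01 query 520
2024-03-01T03:00:00Z db01 query 480
2024-03-01T04:00:00Z db01 query 510
2024-03-01T05:00:00Z db01 query 490
"""

OBSERVED_LOG = """\
2024-03-02T01:00:00Z web01 https-out 1500
2024-03-02T02:00:00Z web01 https-out 250000
2024-03-02T03:00:00Z db01 query 530
2024-03-02T03:05:00Z db01 ssh-out 300
2024-03-02T04:00:00Z host99 query 100
this line is malformed and is skipped
"""


def parse(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:                       # a real pipeline would count unparseable lines too
            events.append((m["ts"], m["host"], m["action"], int(m["bytes"])))
    return events


def build_baseline(events):
    """Definition of 'normal' per host: byte-volume mean and spread plus the set
    of actions ever seen. This is the part that must be learned from a clean
    window; training on compromised traffic bakes the attacker into normal."""
    volumes, actions = defaultdict(list), defaultdict(set)
    for _, host, action, nbytes in events:
        volumes[host].append(nbytes)
        actions[host].add(action)
    return {host: {"mean": statistics.mean(v),
                   "stdev": statistics.pstdev(v),
                   "actions": actions[host]}
            for host, v in volumes.items()}


def detect(baseline, events, z_threshold=3.0):
    """Compare observed events with the baseline; return (ts, host, reason) alerts."""
    alerts = []
    for ts, host, action, nbytes in events:
        profile = baseline.get(host)
        if profile is None:
            alerts.append((ts, host, "host not in baseline"))
            continue
        if action not in profile["actions"]:
            alerts.append((ts, host, f"novel action {action}"))
            continue
        # Floor the spread so a near-constant baseline does not alert on noise.
        spread = max(profile["stdev"], 0.05 * profile["mean"], 1.0)
        z = (nbytes - profile["mean"]) / spread
        if abs(z) > z_threshold:
            alerts.append((ts, host, f"volume deviates, z={z:.1f}"))
    return alerts


def run():
    return detect(build_baseline(parse(TRAINING_LOG)), parse(OBSERVED_LOG))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

The spread floor is the caveat worth remembering: db01's training values are so tight that without it a query a few dozen bytes larger than usual would look anomalous, which is the false-positive rate that gets anomaly detectors switched off. The reverse failure, an attacker who stays inside the learned envelope, is what signature-based detection is for.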

45
Q

Anti-jam

A

Countermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.
SOURCE: CNSSI-4009

46
Q

Anti-spoof

A

Countermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
SOURCE: CNSSI-4009

47
Q

Antispyware Software

A

A program that specializes in detecting both malware and non-malware forms of spyware.
SOURCE: SP 800-69

48
Q

Antivirus Software

A

A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
SOURCE: SP 800-83

49
Q

Applicant

A

The subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.
SOURCE: SP 800-32

50
Q

Application

A

A software program hosted by an information system.
SOURCE: SP 800-37
Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.
SOURCE: CNSSI-4009

51
Q

Approval to Operate (ATO)

A

The official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
SOURCE: CNSSI-4009

52
Q

Approved

A

Federal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either
1) specified in a FIPS or NIST Recommendation, or
2) adopted in a FIPS or NIST Recommendation.
SOURCE: FIPS 201
FIPS-approved and/or NIST-recommended.
SOURCE: FIPS 140-2
FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, 2) adopted in a FIPS or NIST Recommendation, or 3) specified in a list of NIST-approved security functions.
SOURCE: FIPS 186

53
Q

Approved Mode of Operation

A

A mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).
SOURCE: FIPS 140-2

54
Q

Approved Security Function

A

A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either
a) specified in an Approved Standard;
b) adopted in an Approved Standard and specified either in an appendix of the Approved Standard or in a document referenced by the Approved Standard; or
c) specified in the list of Approved security functions.
SOURCE: FIPS 140-2

55
Q

Assessment

A

See Security Control Assessment

56
Q

Assessment Findings

A

Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
SOURCE: SP 800-53A

57
Q

Assessment Method

A

One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
SOURCE: SP 800-53A

58
Q

Assessment Object

A

The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
SOURCE: SP 800-53A

59
Q

Assessment Objective

A

A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.
SOURCE: SP 800-53A

60
Q

Assessment Procedure

A

A set of assessment objectives and an associated set of assessment methods and assessment objects.
SOURCE: SP 800-53A

61
Q

Assessor

A

See Security Control Assessor

62
Q

Asset

A

A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
SOURCE: CNSSI-4009

63
Q

Asset Identification

A

Security Content Automation Protocol (SCAP) constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets.
SOURCE: SP 800-128

64
Q

Asset Reporting Format (ARF)

A

SCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.
SOURCE: SP 800-128

65
Q

Assurance

A

Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE: SP 800-27
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE: SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE: CNSSI-4009; SP 800-39

In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
SOURCE: SP 800-63

66
Q

Assurance Case

A

A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
SOURCE: SP 800-53A; SP 800-39

67
Q

Assured Information Sharing

A

The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.
SOURCE: CNSSI-4009

68
Q

Assured Software

A

Computer application that has been designed, developed, analyzed, and tested using processes, tools, and techniques that establish a level of confidence in it.
SOURCE: CNSSI-4009

69
Q

Asymmetric Cryptography

A

See Public Key Cryptography.
SOURCE: CNSSI-4009

70
Q

Asymmetric Keys

A

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
SOURCE: FIPS 201

71
Q

Attack

A

An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
SOURCE: SP 800-32
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
SOURCE: CNSSI-4009

72
Q

Attack Sensing and Warning (AS&W)

A

Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.
SOURCE: CNSSI-4009

73
Q

Attack Signature

A

A specific sequence of events indicative of an unauthorized access attempt.
SOURCE: SP 800-12
A characteristic byte pattern used in malicious code or an indicator, or set of indicators, that allows the identification of malicious network activities.
SOURCE: CNSSI-4009

74
Q

Attribute Authority

A

An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.
SOURCE: SP 800-32

75
Q

Attribute-Based Access Control

A

Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
SOURCE: SP 800-53; CNSSI-4009

76
Q

Attribute-Based Authorization

A

A structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.
SOURCE: CNSSI-4009
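The two preceding cards describe the same mechanism from the policy side (a rule set over attributes) and the decision side (a structured process that yields permit or deny). The following is an added example written for this deck, not code from SP 800-53 or CNSSI-4009; every attribute name, rule and request in it is invented. It evaluates a request carrying subject, object and environment attributes against a rule set with deny-overrides combining and a default of deny, and treats a missing environment attribute (device compliance unknown) as a reason to deny rather than to permit.

```python
"""Attribute-based access control (added example; attributes and rules invented).

A request carries attributes of the subject, the object and the environment;
a rule set defines which attribute combinations permit or deny an access.
Combining algorithm: deny-overrides with a default of deny.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable

CLEARANCE = {"public": 0, "internal": 1, "secret": 2}   # classification ordering


@dataclass(frozen=True)
class Request:
    subject: dict     # e.g. id, department, clearance
    obj: dict         # e.g. owner, department, classification
    env: dict         # e.g. action, time, device_compliant


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


def within_business_hours(t: time) -> bool:
    return time(8, 0) <= t <= time(18, 0)


RULES = [
    Rule("deny-secret-outside-hours", "deny",
         lambda r: r.obj["classification"] == "secret"
         and not within_business_hours(r.env["time"])),
    # Unknown device state is treated as non-compliant (fail closed).
    Rule("deny-noncompliant-device", "deny",
         lambda r: r.env.get("device_compliant") is not True),
    Rule("owner-any-action", "permit",
         lambda r: r.subject["id"] == r.obj["owner"]),
    Rule("same-department-read-with-clearance", "permit",
         lambda r: r.env["action"] == "read"
         and r.subject["department"] == r.obj["department"]
         and r.subject["clearance"] >= CLEARANCE[r.obj["classification"]]),
]


def decide(request: Request, rules=RULES):
    """Return (decision, rule_name). Any satisfied deny rule wins; otherwise the
    first satisfied permit rule; otherwise default deny."""
    permit_by = None
    for rule in rules:
        if rule.condition(request):
            if rule.effect == "deny":
                return "deny", rule.name
            if permit_by is None:
                permit_by = rule.name
    return ("permit", permit_by) if permit_by else ("deny", "default-deny")


# Constructed subjects and objects.
ALICE = {"id": "alice", "department": "finance", "clearance": 1}
BOB = {"id": "bob", "department": "finance", "clearance": 1}
CAROL = {"id": "carol", "department": "finance", "clearance": 2}
PAYROLL = {"owner": "bob", "department": "finance", "classification": "internal"}
MERGER = {"owner": "dave", "department": "finance", "classification": "secret"}


def env(action, hour, compliant=True):
    return {"action": action, "time": time(hour, 0), "device_compliant": compliant}


CASES = {
    "alice reads payroll in hours": Request(ALICE, PAYROLL, env("read", 10)),
    "alice writes payroll": Request(ALICE, PAYROLL, env("write", 10)),
    "bob (owner) writes payroll": Request(BOB, PAYROLL, env("write", 10)),
    "carol reads merger at night": Request(CAROL, MERGER, env("read", 22)),
    "carol reads merger in hours": Request(CAROL, MERGER, env("read", 14)),
    "alice reads merger (clearance too low)": Request(ALICE, MERGER, env("read", 14)),
    "alice reads payroll, unmanaged device":
        Request(ALICE, PAYROLL, {"action": "read", "time": time(10, 0)}),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        print(f"{label}: {decide(req)}")
```

Returning the name of the deciding rule alongside the decision is what makes the process auditable: a denied user can be told which policy applied, and a reviewer can see that "alice writes payroll" was denied by default rather than by an explicit rule, which is often the prompt to write one.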

77
Q

Audit

A

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
SOURCE: SP 800-32
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
SOURCE: CNSSI-4009

78
Q

Audit Data

A

Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.
SOURCE: SP 800-32

79
Q

Audit Log

A

A chronological record of system activities. Includes records of system accesses and operations performed in a given period.
SOURCE: CNSSI-4009

80
Q

Audit Reduction Tools

A

Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.
SOURCE: SP 800-12; CNSSI-4009
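The definition names the design constraint: remove records of specified classes so the reviewer can cope with the rest. The following is an added example written for this deck, not code from SP 800-12 or CNSSI-4009; the audit records are constructed, and the two "routine" classes are a reviewer's choice made up for the example. It keeps the chronological record (the audit log and audit trail of the neighbouring cards), drops routine classes only when they succeeded, and reports what it removed so that the reduction step is itself reviewable.

```python
"""Audit reduction (added example; the audit records are constructed).

A preprocessor that removes classes of audit records known to carry little
security significance so that a reviewer sees the rest. Records are kept in
chronological order, failures are never dropped, and the tool reports what it
removed so the reduction itself is reviewable.
"""
import csv
import io
from collections import Counter

# Constructed audit log in CSV form: ts,subject,event,object,outcome
AUDIT_LOG = """\
ts,subject,event,object,outcome
2024-03-01T01:00:00Z,backup-svc,file_read,/srv/db/dump.sql,success
2024-03-01T01:00:05Z,backup-svc,file_read,/srv/www/htdocs,success
2024-03-01T01:10:00Z,monitor,health_check,web01,success
2024-03-01T02:14:07Z,alice,login,web01,failure
2024-03-01T02:14:19Z,alice,login,web01,failure
2024-03-01T02:14:31Z,alice,login,web01,success
2024-03-01T02:15:02Z,alice,sudo,web01,success
2024-03-01T02:20:00Z,monitor,health_check,db01,success
2024-03-01T03:00:00Z,backup-svc,file_read,/etc/shadow,failure
2024-03-01T03:00:10Z,backup-svc,file_read,/srv/db/dump.sql,success
"""

# Event classes the reviewer has decided are routine when they succeed.
LOW_SIGNIFICANCE = {("backup-svc", "file_read"), ("monitor", "health_check")}


def parse_audit(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reduce_audit(records, low_significance=LOW_SIGNIFICANCE):
    """Return (kept_records, removed_counts). A record is removed only when its
    (subject, event) class is routine AND the outcome is success: a failed
    routine action (backup-svc being refused /etc/shadow) is exactly the kind
    of thing the reviewer must still see."""
    kept, removed = [], Counter()
    for rec in records:
        cls = (rec["subject"], rec["event"])
        if cls in low_significance and rec["outcome"] == "success":
            removed[cls] += 1
        else:
            kept.append(rec)
    kept.sort(key=lambda r: r["ts"])     # preserve the chronological property
    return kept, removed


def summary(text: str = AUDIT_LOG) -> dict:
    records = parse_audit(text)
    kept, removed = reduce_audit(records)
    return {"total": len(records), "kept": len(kept),
            "removed": sum(removed.values()),
            "kept_subjects": [r["subject"] for r in kept]}


if __name__ == "__main__":
    kept, removed = reduce_audit(parse_audit(AUDIT_LOG))
    print("removed:", dict(removed))
    for rec in kept:
        print(rec["ts"], rec["subject"], rec["event"], rec["object"], rec["outcome"])
```

Ten records go in, five come out: Alice's two failed logins, her success and her sudo, and the backup account's refused read of /etc/shadow. Had the filter been written on subject alone ("drop everything from backup-svc"), that last record, which is the one that suggests the backup credential is being misused, would have been reduced away.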

81
Q

Audit Review

A

The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.
SOURCE: CNSSI-4009

82
Q

Audit Trail

A

A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.
SOURCE: SP 800-47
A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.
SOURCE: CNSSI-4009

83
Q

Authenticate

A

To confirm the identity of an entity when that identity is presented.
SOURCE: SP 800-32
To verify the identity of a user, user device, or other entity.
SOURCE: CNSSI-4009

84
Q

Authentication

A

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; FIPS 200; SP 800-30
The process of establishing confidence of authenticity.
SOURCE: FIPS 201
A process that establishes the origin of information or determines an entity’s identity.
SOURCE: SP 800-21
The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data.
SOURCE: CNSSI-4009
The process of establishing confidence in the identity of users or information systems.
SOURCE: SP 800-63

85
Q

Authentication Code

A

A cryptographic checksum based on an Approved security function (also known as a Message Authentication Code [MAC]).
SOURCE: FIPS 140-2
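An authentication code in this sense is a keyed checksum over the data, computed with an Approved function. The following is an added example written for this deck, not code from FIPS 140-2; it uses HMAC (FIPS 198-1) with SHA-256 (FIPS 180-4), which together are an Approved security function, and the demo key and messages are constructed. It shows tag generation, constant-time verification, detection of a single changed byte, and a known-answer check against RFC 4231 test case 1 so the reader can confirm the library computes the standard function.

```python
"""Authentication code (MAC) with HMAC-SHA-256 (added example).

HMAC (FIPS 198-1) over SHA-256 (FIPS 180-4) is an Approved security function, so
its output is an authentication code in the FIPS 140-2 sense. The key and
messages below are constructed for the example; a real key comes from an
approved RNG and is never hard-coded.
"""
import hashlib
import hmac

TAG_LEN = 32   # full HMAC-SHA-256 output

# Constructed demo key, fixed so the example is reproducible. Never do this in production.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == leaks, through timing, how many
    leading bytes of a forged tag are correct."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def protect(key: bytes, message: bytes) -> bytes:
    """message || tag. The tag authenticates the message; it does not hide it."""
    return message + mac_tag(key, message)


def unprotect(key: bytes, blob: bytes):
    """Return the message if its tag verifies, else None."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message if verify(key, message, tag) else None


def known_answer_ok() -> bool:
    """RFC 4231 test case 1 for HMAC-SHA-256: confirms the implementation
    computes the standard function, which is what 'Approved' presupposes."""
    key = b"\x0b" * 20
    expected = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    return mac_tag(key, b"Hi There").hex() == expected


def tamper_demo() -> dict:
    message = b"transfer 100.00 to account 42"
    blob = protect(DEMO_KEY, message)
    flipped = bytearray(blob)
    flipped[13] ^= 0x01                 # changes one digit of the amount: 100.00 -> 100.10
    return {
        "genuine_verifies": unprotect(DEMO_KEY, blob) == message,
        "tampered_rejected": unprotect(DEMO_KEY, bytes(flipped)) is None,
        "wrong_key_rejected": unprotect(b"\x00" * 32, blob) is None,
        "truncated_rejected": unprotect(DEMO_KEY, blob[:10]) is None,
    }


if __name__ == "__main__":
    print("RFC 4231 known answer:", known_answer_ok())
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

Two caveats the cards do not spell out: the code proves integrity and origin to a holder of the key, not confidentiality (the message travels in clear), and it says nothing about freshness, so a captured message-plus-tag verifies again if replayed unless a counter or nonce is part of the authenticated data.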

86
Q

Authentication Mechanism

A

Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device.
SOURCE: SP 800-72; SP 800-124
Hardware- or software-based mechanisms that force users, devices, or processes to prove their identity before accessing data on an information system.
SOURCE: CNSSI-4009

87
Q

Authentication Mode

A

A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.
SOURCE: SP 800-38B

88
Q

Authentication Period

A

The maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed.
SOURCE: CNSSI-4009

89
Q

Authentication Protocol

A

A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
SOURCE: SP 800-63
A well-specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.
SOURCE: CNSSI-4009

90
Q

Authentication Tag

A

A pair of bit strings associated to data to provide assurance of its authenticity.
SOURCE: SP 800-38B

91
Q

Authentication Token

A

Authentication information conveyed during an authentication exchange.
SOURCE: FIPS 196

92
Q

Authenticator

A

The means used to confirm the identity of a user, process, or device (e.g., user password or token).
SOURCE: SP 800-53; CNSSI-4009

93
Q

Authenticity

A

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See Authentication.
SOURCE: SP 800-53; SP 800-53A; CNSSI-4009; SP 800-39

94
Q

Authority

A

Person(s) or established bodies with rights and responsibilities to exert control in an administrative sphere.
SOURCE: CNSSI-4009

95
Q

Authorization

A

Access privileges granted to a user, program, or process or the act of granting those privileges.
SOURCE: CNSSI-4009

96
Q

Authorization (to operate)

A

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
SOURCE: SP 800-53; SP 800-53A; CNSSI-4009; SP 800-37

97
Q

Authorization Boundary

A

All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
SOURCE: CNSSI-4009; SP 800-53; SP 800-53A; SP 800-37

98
Q

Authorize Processing

A

See Authorization (to operate)


99
Q

Authorized Vendor

A

Manufacturer of information assurance equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors.
SOURCE: CNSSI-4009

100
Q

Authorized Vendor Program (AVP)

A

Program in which a vendor, producing an information systems security (INFOSEC) product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL).
SOURCE: CNSSI-4009

101
Q

Authorizing Official

A

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
SOURCE: FIPS 200
Senior federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
SOURCE: CNSSI-4009
A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
SOURCE: SP 800-53; SP 800-53A; SP 800-37

102
Q

Authorizing Official Designated Representative

A

An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.
SOURCE: CNSSI-4009; SP 800-37; SP 800-53A

103
Q

Automated Key Transport

A

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).
SOURCE: FIPS 140-2

104
Q

Automated Password Generator

A

An algorithm which creates random passwords that have no association with a particular user.
SOURCE: FIPS 181

105
Q

Automated Security Monitoring

A

Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
SOURCE: CNSSI-4009

106
Q

Automatic Remote Rekeying

A

Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying.
SOURCE: CNSSI-4009

107
Q

Autonomous System (AS)

A

One or more routers under a single administration operating the same routing policy.
SOURCE: SP 800-54

108
Q

Availability

A

Ensuring timely and reliable access to and use of information.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an authorized entity.
SOURCE: CNSSI-4009

109
Q

Awareness (Information Security)

A

Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.
SOURCE: SP 800-50

110
Q

Back Door

A

Typically unauthorized hidden software or hardware mechanism used to circumvent security controls.
SOURCE: CNSSI-4009

111
Q

Backdoor

A

An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
SOURCE: SP 800-82

112
Q

Backtracking Resistance

A

Backtracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the Deterministic Random Bit Generator (DRBG) at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T. The complementary assurance is called Prediction Resistance.
SOURCE: SP 800-90A

113
Q

Backup

A

A copy of files and programs made to facilitate recovery, if necessary.
SOURCE: SP 800-34; CNSSI-4009

114
Q

Banner

A

Display on an information system that sets parameters for system or data use.
SOURCE: CNSSI-4009

115
Q

Banner Grabbing

A

The process of capturing banner information—such as application type and version—that is transmitted by a remote port when a connection is initiated.
SOURCE: SP 800-115

116
Q

Baseline

A

Hardware, software, databases, and relevant documentation for an information system at a given point in time.
SOURCE: CNSSI-4009

117
Q

Baseline Configuration

A

A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
SOURCE: SP 800-128

118
Q

Baseline Security

A

The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
SOURCE: SP 800-16

119
Q

Baselining

A

Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
SOURCE: SP 800-61

120
Q

Basic Testing

A

A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
SOURCE: SP 800-53A

121
Q

Bastion Host

A

A special-purpose computer on a network specifically designed and configured to withstand attacks.
SOURCE: CNSSI-4009

122
Q

Behavioral Outcome

A

What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.
SOURCE: SP 800-16

123
Q

Benign Environment

A

A non-hostile location protected from external hostile elements by physical, personnel, and procedural security countermeasures.
SOURCE: CNSSI-4009

124
Q

Binding

A

Process of associating two related elements of information.
SOURCE: SP 800-32
An acknowledgement by a trusted third party that associates an entity’s identity with its public key. This may take place through (1) a certification authority’s generation of a public key certificate, (2) a security officer’s verification of an entity’s credentials and placement of the entity’s public key and identifier in a secure database, or (3) an analogous method.
SOURCE: SP 800-21
Process of associating a specific communications terminal with a specific cryptographic key or associating two related elements of information.
SOURCE: CNSSI-4009

125
Q

Biometric

A

A physical or behavioral characteristic of a human being.
SOURCE: SP 800-32
A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
SOURCE: FIPS 201

126
Q

Biometric Information

A

The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).
SOURCE: FIPS 201

127
Q

Biometric System

A

An automated system capable of:
1) capturing a biometric sample from an end user;
2) extracting biometric data from that sample;
3) comparing the extracted biometric data with data contained in one or more references;
4) deciding how well they match; and
5) indicating whether or not an identification or verification of identity has been achieved.
SOURCE: FIPS 201

128
Q

Biometrics

A

Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual. Facial images, fingerprints, and handwriting samples are all examples of biometrics.
SOURCE: CNSSI-4009

129
Q

Bit

A

A contraction of the term Binary Digit. The smallest unit of information in a binary system of notation.
SOURCE: CNSSI-4009
A binary digit having a value of 0 or 1.
SOURCE: FIPS 180-4

130
Q

Bit Error Rate

A

Ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system.
SOURCE: CNSSI-4009

131
Q

BLACK

A

Designation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information. See also RED.
SOURCE: CNSSI-4009

132
Q

Black Box Testing

A

See Basic Testing…
A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
SOURCE: SP 800-53A