Prepare Flashcards

1
Q

Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

A

Adequate Security

2
Q

The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g., router, server, remote sensor).

A

Allocation

3
Q

A software program hosted by an information system.

A

Application

4
Q

The individual, group, or organization responsible for conducting a security or privacy assessment.

A

Assessor

5
Q

System and subsystem components that must be protected, including but not limited to: all hardware, software, data, personnel, supporting physical environment and environmental systems, administrative support and supplies.

A

Asset

6
Q

All components of an information system to be authorized for operation by an authorizing official.

This excludes separately authorized systems to which the information system is connected.

A

Authorization Boundary

7
Q

A senior federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the nation.

A

Authorizing Official

8
Q

An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.

A

Authorizing Official Designated Representative

9
Q

Ensuring timely and reliable access to and use of information.

A

Availability

10
Q

A combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.

A

Capability

11
Q

The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities, including the reduction of information collection burdens on the public.

A

Chief Information Officer

12
Q

Another name for “Chief Information Security Officer.”

A

Senior Agency Information Security Officer

13
Q

A security or privacy control that is inherited by multiple information systems or programs.

A

Common Control

14
Q

An organizational official responsible for the development, implementation, assessment, and monitoring of common controls.

A

Common Control Provider

15
Q

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

A

Confidentiality

16
Q

Maintaining ongoing awareness to support organizational risk decisions.

A

Continuous Monitoring

17
Q

A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.

A

Continuous Monitoring Program

18
Q

The individual, group, or organization responsible for conducting a control assessment.

A

Assessor

19
Q

An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance.

A

Enterprise

20
Q

A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

A

Enterprise Architecture

21
Q

The physical surroundings in which an information system processes, stores, and transmits information.

A

Environment of Operation

22
Q

A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.

A

Federal Enterprise Architecture

23
Q

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

A

Federal Information System

24
Q

With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations, or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system.

A

Impact

25
Q

Another name for "Impact Level."

A

Impact Value

26
Q

The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.

A

Impact Value

27
Q

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.

A

Information

28
Q

The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion.

A

Information Life Cycle

29
Q

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

A

Information Owner

30
Q

The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity and availability.

A

Information Security

31
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise's mission and strategic plans.

A

Information Security Architecture

32
Q

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or systems.

A

Information Security Risk

33
Q

An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal.

A

Information Steward

34
Q

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

A

Information System

35
Q

Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

A

Information Technology

36
Q

For purposes of this definition, such services or equipment are included if used by the agency directly, or if used by a contractor under a contract with the agency that requires their use, or their use to a significant extent in the performance of a service or the furnishing of a product.

A

Information Technology

37
Q

Ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

A

Adequate Security

38
Q

With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.

A

Impact

39
Q

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.

A

Information Type

40
Q

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

A

Integrity

41
Q

An entity of any size, complexity, or positioning within an organizational structure (e.g., federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as appropriate, any of their operational elements).

A

Organization

42
Q

Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

A

Personally Identifiable Information (PII)

43
Q

Individual, group, or organization responsible for ensuring that the system privacy requirements necessary to protect individuals' privacy are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and information systems processing PII.

A

Privacy Architect

44
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise's privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans.

A

Privacy Architecture

45
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise's privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans.

A

Privacy Control

46
Q

Information that describes the privacy posture of an information system or organization.

A

Privacy Information

47
Q

A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned for meeting applicable privacy requirements and managing privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.

A

Privacy Plan

48
Q

A requirement that applies to an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, regulations, procedures, and/or mission/business needs with respect to privacy.

A

Privacy Requirement

49
Q

Risk to an individual or individuals associated with the agency's creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII.

A

Privacy Risk

50
Q

Portion of risk remaining after security measures have been applied.

A

Residual Risk

51
Q

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

A

Risk

52
Q

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation, resulting from the operation of a system.

A

Risk Assessment

53
Q

An individual or group within an organization, led by the senior accountable official for risk management, that helps to ensure that security risk considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.

A

Risk Executive (Function)

54
Q

The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

A

Risk Management

55
Q

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

A

Risk Mitigation

56
Q

Accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the nation.

A

Risk Response

57
Q

Individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.

A

Security Architect

58
Q

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise's security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans.

A

Security Architecture

59
Q

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

A

Security Controls

60
Q

(i.) Confidentiality (ii.) Integrity (iii.) Availability

A

Security Objective

61
Q

A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.

A

Security Requirement

62
Q

Risk that arises through the loss of confidentiality, integrity, or availability of information or systems and that considers impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the nation.

A

Security Risk

63
Q

The senior official, designated by the head of each agency, who has vision into all areas of the organization and is responsible for alignment of information security management processes with strategic, operational, and budgetary planning processes.

A

Senior Accountable Official for Risk Management

64
Q

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and information system security officers.

A

Senior Agency Information Security Officer

65
Q

The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with federal laws, regulations and policies relating to privacy; management of privacy risks at the agency; and a central policymaking role in the agency's development and evaluation of legislative, regulatory, and other policy proposals.

A

Senior Agency Official for Privacy

66
Q

Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.

A

System

67
Q

Another name for "Authorization Boundary."

A

System Boundary

68
Q

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.

A

System Component

69
Q

The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

A

System Development Life Cycle (SDLC)

70
Q

Member of a set of elements that constitute a system.

A

System Element

71
Q

Individual assigned responsibility for conducting systems privacy engineering activities.

A

Systems Privacy Engineer

72
Q

Individual with assigned responsibility for maintaining the appropriate operational privacy posture for a system or program.

A

Systems Privacy Officer

73
Q

Individual assigned responsibility for conducting systems security engineering activities.

A

Systems Security Engineer

74
Q

Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

A

Systems Security Officer

75
Q

Individual, or (system) process acting on behalf of an individual, authorized to access a system.

A

System User

76
Q

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

A

Threat

77
Q

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

A

Threat Source

78
Q

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

A

Vulnerability