Terms and Definitions Flashcards
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Source: OMB Circular A-130
Administrative Controls
Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.
Authentication
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator.
Asset
Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Authorization
The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2 Availability Ensuring timely and reliable access to and use of information by authorized users.
Baseline
A documented, lowest level of security configuration allowed by a standard or organization.
Bot
Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
Classified or Sensitive Information
Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
Confidentiality
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST 800-66
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
Data Integrity
The property that data has not been altered in an unauthorized manner. Data integrity covers
data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
Encryption
The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
General Data Protection Regulation (GDPR)
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
Governance
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Health Insurance Portability and Accountability Act (HIPAA)
This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual’s health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
Impact
The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.
Information Security Risk
The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.
Institute of Electrical and Electronics Engineers
IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
Integrity
The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.
International Organization of Standards (ISO)
The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B
Likelihood
The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Likelihood of Occurrence
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Multi-Factor Authentication
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
National Institutes of Standards and Technology (NIST)
The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.
Non-repudiation
The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Personally Identifiable Information (PII)
The National Institute of Standards and Technology, known as NIST, in its Special Publication 800- 122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”
Physical Controls
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.