A

Abend

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing. [ISACA]

Ablate

Describes the process by which laser-readable “pits” are burned into the recorded layer of optical discs, DVD-ROMs and CD-ROMs. [Sedona Conference]

Ablative

Unalterable data. See also Ablate. [Sedona Conference]

Absorbed overhead

A part of financial management, it is the indirect cost of providing a service, which can be fairly allocated to specific customers. This can be based on usage or some other fair measurement, for example the cost of providing network bandwidth or shared servers. See also direct cost, indirect cost, unabsorbed overhead. [ITIL]

Acceptable level of risk

The tolerable level of risk that is determined from: an analysis of threats and vulnerabilities, the sensitivity of data and applications, a cost/benefit analysis, and a study of the technical and operational feasibility of available controls. [Centers for Medicare & Medicaid Services (CMS)]

Acceptance

See assurance. [ITIL]

Access

A property of a threat that defines how a threat actor accesses an asset (network access, physical access). This only applies to human actors. In terms of information management it means the right, opportunity, or means of finding, using, or retrieving information. This results in the flow of information between one source and another. [CERT OCTAVE, ISO 15489, DIRKS, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary, NIST 800 series]

Access Authority

An entity responsible for monitoring and granting access privileges for other authorized entities. [NIST 800 series]

Access control

Measures that limit access to information or information processing resources to those authorized persons or applications according to the system or data classification. HIPAA defines this as the ability to implement a mechanism to encrypt and decrypt regulated data. However, NIST defines this as the ability to enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner. Both share the same underlying principle of ensuring confidentiality and integrity. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC). [HIPAA, NIST 800 series, ISACA, FISCAM, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005, PCI-DSS, Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary, FIPS Pubs]

Access Control Facility (ACF2)

[FISCAM]

Access Control Lists (ACL)

A register of 1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and 2) the types of access they have been permitted. [NIST 800 series, Centers for Medicare & Medicaid Services (CMS), Sedona Conference, US National Information Assurance (IA) Glossary]

Access control mechanism

Security safeguard designed to detect and deny unauthorized access and permit authorized access in an IS. [US National Information Assurance (IA) Glossary]

Access control software

Mechanisms that restrict access to computer resources. This type of software, which is external to the operating system, provides a means of specifying who has access to a system, who has access to specific resources, and what capabilities authorized users are granted. Access control software can generally be implemented in different modes that provide varying degrees of protection such as denying access for which the user is not expressly authorized, allowing access which is not expressly authorized but providing a warning, or allowing access to all resources without warning regardless of authority. [Centers for Medicare & Medicaid Services (CMS), FISCAM]

Access control table

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. [ISACA]

Access level

Hierarchical portion of the security level used to identify the sensitivity of IS data and the clearance or authorization of users. Access level, in conjunction with the nonhierarchical categories, forms the sensitivity label of an object. See also category. [US National Information Assurance (IA) Glossary]

Access list

Compilation of users, programs, or processes and the access levels and types to which each is authorized. Also, a roster of individuals who have admittance to a controlled area. [US National Information Assurance (IA) Glossary]

Access method

The technique used for selecting records in a file for processing, retrieval, or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)]

Access path

Ways in which information or services can be accessed via an organization’s network. Any component capable of enforcing access restrictions or any component that could be used to bypass an access restriction should be considered part of the access path. The access path can also be defined as the path through which user requests travel, including the telecommunications software, transaction processing software, application programs, etc. See also data flow. [CERT OCTAVE, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)]

Access point

In a wireless local area network (WLAN), an access point transmits and receives data. It connects users to other users within the network and can serve multiple users within a certain area. [Network Frontiers]

Access privileges

See access rights. [FISCAM]

Access profile

Associates each user with a list of protected objects the user may access. [US National Information Assurance (IA) Glossary]

Access rights

Precise statements that define the extent to which an individual can access computer systems and use or modify the programs and data on the system, and under what circumstances this access will be allowed. Access rights determine the actions users can perform (e.g., read, write, execute, create, and delete) on files in shared volumes or file shares on the server. [ISACA, ISO/IEC 27001:2005]

Access script

A program or a series of encoded commands that enable a user to log onto a system. [Centers for Medicare & Medicaid Services (CMS)]

Access type

Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. [US National Information Assurance (IA) Glossary]

Accession log

A serial list of numbers assigned to records in a numeric storage system, also called an accession file or a numeric file list. [ARMA]

Account harvesting

A method to determine existing user accounts based on trial and error. For example, giving too much information in an error message can disclose information that makes it easier for an attacker to penetrate or compromise the system. [PCI-DSS]

Account management

In network and systems management, a set of functions that 1) enables network or system service use to be measured and the costs of such use to be determined; and 2) includes all the resources consumed, the facilities used to collect accounting data, the facilities used to set billing parameters for the services used by customers, maintenance of the databases used for billing purposes, and the preparation of resource usage and billing reports. [Centers for Medicare & Medicaid Services (CMS)]

Account Manager

In business relationship management, a role that is very similar to business relationship manager, but includes more commercial aspects. Most commonly used when dealing with external customers. [ITIL]

Account number

The payment card number (credit or debit) that identifies the issuer and the particular cardholder account. The 16-digit account number that appears in print on the front of all valid Visa cards. The number is one of the card security features that should be checked by merchants to ensure that a card-present transaction is valid. [PCI-DSS, VISA Glossary of Terms]

Account Risk Analysis (ARA)

[GAO/PCIE Financial Audit Manual]

Accountability

Accountability is the ability to hold responsible the owners, providers, and users of information systems and other parties. Hence it concerns the repercussions of actions taken by individuals. It is the principle that individuals, organizations, and the community are responsible for their actions and may be required to explain them to others. NIST 800-33 would say that accountability is the security objective that generates the requirement for actions of an organization to be traced uniquely to that organization. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery, and legal action. This accountability needs to be made explicit in terms of sanctions for not being accountable. In terms of HIPAA and FISCAM, accountability is accomplished through maintaining a record of the movements of hardware and electronic media and any person responsible for that movement. All requests for and access granted to stored information must be logged for review and possible investigation. Logging should include such items as a date/time stamp, the identification of the user, the type of access (e.g., create, read, modify, delete), the success or failure of the request, and identification of the data acted upon. [HIPAA, NIST 800 series, ISO 15489, DIRKS, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary]

Accountability report

An agency’s accountability report integrates the 1) Federal Managers’ Financial Integrity Act (FMFIA) Report; 2) Chief Financial Officers’ (CFO) Act Annual Report, including audited financial statements; 3) Management’s Report on Final Action as required by the Inspector General Act; 4) the Debt Collection Improvement Act, Civil Monetary Penalty Act and Prompt Payment Act reports; and 5) available information on organizational performance compared with the agency’s stated goal and objectives. [GAO/PCIE Financial Audit Manual]

Accountable

See accountability. [CobiT]

Accounting

In the context of IT service management, this is a synonym for IT accounting, which is the tracking of users’ network resources. [ITIL, PCI-DSS]

Accounting Legend Code (ALC)

Numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC Material Control System. [US National Information Assurance (IA) Glossary]

Accounting and Auditing Policy Committee (AAPC)

[GAO/PCIE Financial Audit Manual]

Accounting applications

The procedures and records used to identify, record, process, summarize, and report a class of transactions. Common accounting applications are 1) billings, 2) accounts receivable, 3) cash receipts, 4) purchasing and receiving, 5) accounts payable, 6) cash disbursements, 7) payroll, 8) inventory control, and 9) property and equipment. [GAO/PCIE Financial Audit Manual]

Accounting number

The number assigned to an item of COMSEC material to facilitate its control. [US National Information Assurance (IA) Glossary]

Accounting period

Within financial management, a period of time for which budgets, charges, depreciation and other financial calculations are made. Usually one year. See also financial year. [AICPA]

Accounting Standards Executive Committee of the AICPA (AsSEC)

[GAO/PCIE Financial Audit Manual]

Accounting system

The methods and records established to identify, assemble, analyze, classify, record, and report an entity’s transactions and to maintain accountability for the related assets and liabilities. [GAO/PCIE Financial Audit Manual]

Accreditation

The official management authorization for the operation of an application or system, based on the certification process as well as other management considerations. A formal declaration that the system is approved to operate in a particular security mode using a prescribed set of safeguards. The accreditation statement affixes security responsibility and shows that due care has been taken for security. [Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, US National Information Assurance (IA) Glossary, NIST 800 series]

Accreditation Authority

See Authorizing Official. [NIST 800 series]

Accreditation boundary

Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. [US National Information Assurance (IA) Glossary, NIST 800 series]

Accreditation package

Product comprising a System Security Plan (SSP) and a report documenting the basis for the accreditation decision, the combination of which provides the evidence used by the authorizing official in the security accreditation decision process. Evidence includes, but is not limited to: 1) the system security plan; 2) the assessment results from the security certification; and 3) the plan of action and milestones. [US National Information Assurance (IA) Glossary, NIST 800 series]

Accredited

Officially authorized to carry out a role. For example, an accredited body may be authorized to provide training or to conduct audits. Within security management, official authorization for a certified configuration to be used for a specific purpose. See also Registered Certification Body (RCB). [ITIL]

Accrediting authority

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. See also Designated Accrediting Authority (DAA), Principal Accrediting Authority. [US National Information Assurance (IA) Glossary, NIST 800 series]

Accrediting official or committee

The accrediting official is the person within the organization who has the authority to accept a system continuity plan’s safeguards and approve the plan for operation. Therefore, this person or committee must be authorized to allocate resources to achieve continuity and remedy any deficiencies found in the auditing process. This is also the person or committee held liable for continuity inadequacies. [NIST 800 series]

Accuracy ratio

A measure of a record filer’s ability to find requested records. [ARMA]

Acetate-base film

A safety film (ANSI Standard) substrate used to produce microfilm. [Sedona Conference]

Acknowledgement (ACK)

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission. [de facto]

Acquirer

A bankcard association member that initiates and maintains relationships with merchants that accept Visa or MasterCard cards. [PCI-DSS, VISA Glossary of Terms]

Acquisition and Implementation

A high-level control objective that defines how IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems. [CobiT]

Action list

Defines actions that people in an organization can take in the near term without the need for specialized training, policy or system changes, etc. It is essentially a list of near-term action items. [CERT OCTAVE]

Action tracking

A process in which time limits for actions are monitored and imposed upon those conducting the business. [ISO 15489]

Activation Data

Private data, other than keys, that are required to access cryptographic modules. [NIST 800 series]

Active Content

Active content refers to electronic documents that are able to automatically carry out or trigger actions on a computer platform without the intervention of a user. [NIST 800 series]

Active data

Active Data is information residing on the direct access storage media (disk drives or servers) of computer systems, which is readily visible to the operating system and/or application software with which it was created and immediately accessible to users without restoration or reconstruction. [Sedona Conference]

Active record

A record needed to perform current operations. It is subject to frequent use (at least 3 times a month). An active record resides in native application format and is accessible for purposes of business processing with no restrictions on alteration beyond normal business rules. See also Inactive records. [ARMA, Sedona Conference]

Active recovery site

Recovery strategy that involves two active sites, each capable of taking over the other’s workload in the event of a disaster. Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster. See also dedicated work area, immediate recovery. [ISACA]

Active response

A response in which the system (automatically or in concert with the user) blocks or otherwise affects the progress of a detected attack. The response takes one of three forms: amending the environment, collecting more information, or striking back against the perpetrator. [ISACA]

Activity

Activities are the major tasks performed by the organization to accomplish each of its functions. Activities are usually defined as part of processes or plans, and are documented in procedures. Several activities may be associated with each function. An activity is identified by the name it is given and its scope (or definition). The scope of the activity encompasses all of the transactions that take place in relation to it. Depending on the nature of the transactions involved, an activity may be performed in relation to one function, or it may be performed in relation to many functions. In cost accounting, an activity is the actual work task or step performed in producing and delivering products and services, or an aggregation of activities performed within an organization that is useful for purposes of activity-based costing. CobiT lists this as the main actions taken to operate the CobiT process. [DIRKS, GAO/PCIE Financial Audit Manual, CobiT, ISO/IEC 27001:2005, ITIL, BS 25999]

Activity ratio

A measure of frequency of records use. [ARMA]

Actor

A property of a threat that defines who or what may violate the security requirements (confidentiality, integrity, availability) of an asset. [CERT OCTAVE]

Add-on security

Incorporation of new hardware, software, or firmware safeguards in an operational IS. [US National Information Assurance (IA) Glossary]

Address

The code used to designate the location of a specific piece of data within computer storage. Also, addresses using a number of different protocols are commonly used on the Internet. These addresses include e-mail addresses (Simple Mail Transfer Protocol or SMTP), IP (Internet Protocol) addresses and URLs (Uniform Resource Locators), commonly known as Web addresses. [ISACA, ISO/IEC 27001:2005, Sedona Conference]

Address Resolution Protocol (ARP)

A protocol used to obtain a node’s physical address. A client station broadcasts an ARP request onto the network with the Internet Protocol (IP) address of the target node it wishes to communicate with, and the node with that address responds by sending back its physical address so that packets can be transmitted. [Workgroup for Electronic Data Interchange]

Address space

The number of distinct locations that may be referred to with a machine address. For most binary machines, it is equal to 2 to the power of n, where n is the number of bits in the machine address. [ISACA]

Address Verification Service (AVS)

AVS allows merchants that accept card-not-present transactions to compare the billing address (the address to which the card issuer sends its monthly statement for that account) given by a customer with the billing address on the card issuer's master file before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent transactions in a card-not-present environment by indicating the result of the address comparison. [VISA Glossary of Terms]

Addressing

The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing). [ISACA, ISO/IEC 27001:2005]

Adequate

Records should be adequate for the purposes for which they are kept. Thus, a major initiative will be extensively documented, while a routine administrative action can be documented with an identifiable minimum of information. There should be adequate evidence of the conduct of business activity to be able to account for that conduct. See also full and accurate records. [DIRKS, ISO/IEC 27001:2005]

Adequate security

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls according to the level of concern as identified by the organization. See also level of concern. [OMB Circular A-130, US National Information Assurance (IA) Glossary, FIPS Pubs, Clinger-Cohen Act, NIST 800 series]

Adjusting period

The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real” accounting periods must not overlap, and cannot have any gaps between “real” accounting periods. Adjusting accounting periods can overlap with other accounting periods. For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993. [ISACA]

Administrative controls

The actions/controls encompassing operational effectiveness, efficiency, and adherence to regulations and management policies. [ISACA]

Administrative Functions Disposal Authority (AFDA)

The Administrative Functions Disposal Authority was released in March 2000 by the National Archives and relates to common administrative functions performed by most Commonwealth agencies. The structure of the Authority is based on the business classification scheme of the Keyword AAA: Thesaurus of General Terms Commonwealth Version. See also disposal authorities. [DIRKS]

Administrative Safeguards

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information. [NIST 800 series]

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is the Rijndael cryptographic algorithm adopted by the National Institute of Standards and Technology (NIST) as the new Federal Information Processing Standard (FIPS). AES replaces DES and 3DES, and is one of the recommended encryption standards meeting HIPAA requirements. See also data encryption standard. [FIPS Pubs]

Advisory

Notification of significant new trends or developments regarding the threat to the IS of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems. [US National Information Assurance (IA) Glossary]

Agency

Agency means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government, or any independent regulatory agency. Within the Executive Office of the President, the term includes only the Office of Management and Budget and Office of Administration. The term agency does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. See also organization, entity, Executive Agency. [Network Frontiers, Centers for Medicare & Medicaid Services (CMS), OMB Circular A-130, FIPS Pubs, NIST 800 series]

Agency Certification Authority (CA)

A CA that acts on behalf of an Agency, and is under the operational control of an Agency. [NIST 800 series]

Agency Locator Code

[GAO/PCIE Financial Audit Manual]

Agent

A program used in distributed denial of service (DDoS) attacks that sends malicious traffic to hosts based on the instructions of a handler. [NIST 800 series]

Aggregation

The process of combining data inputs from different creation and authoring tools and other systems. [AIIM]

Agreed service time

Within availability management, a synonym for service hours, commonly used in formal calculations of availability. See also downtime. [ITIL]

Agreed Upon Procedures (AUP)

[GAO/PCIE Financial Audit Manual]

Agreement

A document that describes a formal understanding between two or more parties. An agreement is not legally binding, unless it forms part of a contract. See also service level agreement, operational level agreement. [ITIL]

AIIM: the ECM Association (AIIM)

AIIM formerly stood for Association for Information and Image Management. It has since changed its name to the Enterprise Content Management (ECM) Association. For more information, see http://www.aiim.org. [AIIM, Sedona Conference]

Alert

A warning that a threshold has been reached, something has changed, or a failure has occurred. Alerts are often created and managed by system management tools and are managed by the event management process. [ITIL, US National Information Assurance (IA) Glossary]

Algorithm

A detailed formula or set of steps for solving a particular problem. To be an algorithm, a set of rules must be unambiguous and have a clear stopping point. [Sedona Conference]

Aliasing

When computer graphics output has jagged edges or a stair-stepped, rather than a smooth, appearance when magnified. The graphics output can be smoothed using anti-aliasing algorithms. [Sedona Conference]

Allocation entry

A recurring journal entry used to allocate revenues or costs. For example, an allocation entry could be defined to allocate costs to each department based on headcount. [ISACA]

Alpha

The use of alphabetic characters or an alphabetic character string. [ISACA]

Alphanumeric

Characters composed of letters, numbers (and sometimes punctuation marks). Excludes control characters. [Sedona Conference]

Alternate COMSEC custodian

Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian. [US National Information Assurance (IA) Glossary]

Alternate emergency coordinator

A person who is trained to perform the duties of an emergency coordinator in the absence of the primary coordinator, or in case he/she needs assistance. [Centers for Medicare & Medicaid Services (CMS)]

Alternate site

An operating location other than the one at which an activity is usually performed for use by business functions when the primary facilities are unavailable. [Centers for Medicare & Medicaid Services (CMS)]

Alternative work site

Allowing employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting). [US National Information Assurance (IA) Glossary]

Ambient data

See Residual data. [Sedona Conference]

Ambient functions

High-level functions that define and provide context and meaning to the activities of records creators in any domain other than the native organization or recordkeeping system of the records creator. [DIRKS]

American Bar Association (ABA)

[GAO/PCIE Financial Audit Manual]

American Institute of Certified Public Accountants (AICPA)

Committed to member service and the public interest, the American Institute of Certified Public Accountants and its predecessors have been serving the accounting profession since 1887. See also http://www.aicpa.org/index.htm for more information. [GAO/PCIE Financial Audit Manual]

American National Standards Institute (ANSI)

The American National Standards Institute (ANSI) coordinates the development and use of voluntary consensus standards in the United States and represents the needs and views of US stakeholders in standardization forums around the globe. The Institute oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accrediting programs that assess conformance to standards – including globally-recognized cross-sector programs such as the ISO 9000 (quality) and ISO 14000 (environmental) management systems. See also http://www.ansi.org for more information. [de facto, PCI-DSS, Sedona Conference]

American Standard Code for Information Interchange (ASCII)

Pronounced “ask-ee,” ASCII is a nonproprietary text format: a standard seven-bit code for representing alphanumeric and control characters (255 characters in extended ASCII) that was adopted by the American Standards Association to achieve compatibility between data devices. Documents in ASCII format consist of only text with no formatting and can be read by most computer systems. [Sedona Conference]

Analog

A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications. Analog is the opposite of digital. [ISACA, Sedona Conference]

Analog to Digital Converter (ADC)

Converts analog data to a digital format. [Sedona Conference]

Analysis

The examination of acquired data for its significance and probative value to the case. [NIST 800 series]

Analysis team

An interdisciplinary team comprising representatives of both the mission-related and information technology areas of the organization. The analysis team conducts the evaluation and analyzes the information. An analysis team consists of about three to five people, depending on the size of the overall organization and the scope of the evaluation. [CERT OCTAVE]

Analytical Modeling

A technique that uses mathematical models to predict the behavior of a configuration item or IT service. Analytical models are commonly used in capacity management and availability management. See also modeling. [ITIL]

Analytical procedures

The comparison of recorded account balances with expectations developed by the auditor, based on an analysis and understanding of the relationships between the recorded amounts and other data, to form a conclusion on the recorded amount. A basic premise underlying the application of analytical procedures is that plausible relationships among data may reasonably be expected to continue unless there are known conditions that would change the relationships. [GAO/PCIE Financial Audit Manual]

Annotations

The changes, additions, or editorial comments made or applicable to a document - usually an electronic image file - using electronic sticky notes, highlighter, or other electronic tools. Annotations should be overlaid and not change the original document. [Sedona Conference]

Annual financial statement

As defined by OMB, the annual financial statement comprises an overview of the reporting organization (or Management’s Discussion and Analysis, MD&A), the financial statements and related notes, required supplementary stewardship information, required supplementary information, and other accompanying information. [GAO/PCIE Financial Audit Manual]

Annualized Loss Expectancy (ALE)

The total expected monetary loss from a given risk to an information asset over one year; calculated as the single loss expectancy (SLE) times the annualized rate of occurrence (ARO), where SLE is the asset value times the exposure factor (EF). [Network Frontiers]

Anomaly

Unusual or statistically rare. [ISACA]

Anomaly detection

Detection on the basis of whether system activity deviates from a baseline of what is defined as normal, rather than on matching a known pattern of misuse. Because the baseline is statistical, anomaly detection can surface previously unseen attacks but also produces false positives when legitimate behavior changes. See also attack signature. [ISACA]

Anonymity

The quality or state of not being named or identified. [ISACA]

Anonymous File Transfer Protocol

A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user’s e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password. [ISACA]

Anti-jam

Measures ensuring that transmitted information can be received despite deliberate jamming attempts. [US National Information Assurance (IA) Glossary]

Anti-spoof

Measures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker. [US National Information Assurance (IA) Glossary]

Anti-virus software

Applications that detect, prevent and possibly remove all known viruses from files. [ISACA, Centers for Medicare & Medicaid Services (CMS), PCI-DSS]

Anti-virus/Anti-Spam server

A computer that houses applications that manage virus and spam detection and elimination. [Network Frontiers]

Antivirus software

A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. [NIST 800 series]

Aperture card

An IBM punch card with a window which holds a 35mm frame of microfilm. Indexing information is punched in the card. [Sedona Conference]

Appearance

The act of giving the idea or impression of being or doing something. [ISACA]

Appearance of independence

Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.). The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations. [ISACA]

Applet

A program written in a portable, platform independent computer language, such as Java. It is usually embedded in an HTML page and then executed by a browser. Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. [ISACA]

Applicant

The subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed. [NIST 800 series]

Application

In the broadest sense, the use of information resources (information and information technology) to satisfy a specific set of user requirements. When speaking about software, any program designed to perform a specific function directly for the user or, in some cases, for another application. A computer program designed to help people perform a certain type of work, including specific functions, such as payroll, inventory control, accounting, and mission support. Depending on the work for which it was designed, an application can manipulate text, numbers, graphics, or a combination of these elements. An application contrasts with a systems program, such as an operating system or network control program, and with utility programs, such as copy or sort. See also program, application management, application portfolio. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ITIL, US National Information Assurance (IA) Glossary, Clinger-Cohen Act, PCI-DSS, Sedona Conference, NIST 800 series]

Application acquisition review

An evaluation of an application system being acquired or evaluated, which considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process. [ISACA]

Application Content Filtering

Application content filtering is performed by a software proxy agent to remove or quarantine viruses that may be contained in email attachments, to block specific Multipurpose Internet Mail Extensions (MIME) types, or to filter other active content such as Java, JavaScript, and ActiveX® Controls. [NIST 800 series]
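
The following is an added example, not code from the NIST source: a minimal application-layer content filter of the kind the entry describes. It walks every part of a MIME message, quarantines attachments whose declared MIME type is on a blocklist, and strips active-content elements from HTML parts. The blocklist, the active-content pattern and the sample message are assumptions constructed for the demonstration.

```python
"""Added example (not from the NIST source): a minimal application-layer
content filter that quarantines attachments by MIME type and strips
active content from HTML parts. The blocklist and the sample message are
assumptions constructed for the demonstration."""
import re
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy: MIME types that are never delivered, whatever the filename says.
BLOCKED_MIME = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/java-archive",
}
# Assumed policy: active-content elements removed from HTML bodies and attachments.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|object|embed|applet)\b.*?<\s*/\s*\1\s*>", re.IGNORECASE | re.DOTALL
)


def filter_message(raw: bytes):
    """Walk every leaf part of the message; return (delivered, quarantined).

    delivered:   list of (filename, content_type, payload_bytes) that may pass
    quarantined: list of (filename, reason) for parts blocked or altered
    """
    msg = message_from_bytes(raw)
    delivered, quarantined = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        name = part.get_filename() or "(body)"
        if ctype in BLOCKED_MIME:
            quarantined.append((name, f"blocked MIME type {ctype}"))
            continue
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/html":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            cleaned, removed = ACTIVE_CONTENT.subn("", text)
            if removed:
                quarantined.append((name, f"removed {removed} active-content element(s)"))
            payload = cleaned.encode("utf-8")
        delivered.append((name, ctype, payload))
    return delivered, quarantined


def build_sample() -> bytes:
    """Constructed sample message, not a real capture."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_alternative("<p>Hi</p><script>alert(1)</script>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="update.exe")
    msg.add_attachment(b"col1,col2\n1,2\n", maintype="text",
                       subtype="csv", filename="q3.csv")
    return bytes(msg)


if __name__ == "__main__":
    delivered, quarantined = filter_message(build_sample())
    for name, ctype, _ in delivered:
        print("deliver   ", name, ctype)
    for name, reason in quarantined:
        print("quarantine", name, reason)
```

The filter decides on the declared content type only; a production proxy would also sniff the payload, because a sender controls the Content-Type header and can label an executable as text.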

Application controls

Application controls are directly related to individual applications. They ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. They are management’s control activities (procedures) that are incorporated directly into individual computer applications to provide reasonable assurance of accurate and reliable processing. Application controls address 1) data input, 2) data processing, and 3) data output. FISCAM categories of application controls that more closely tie into the FAM methodology are 1) authorization control, 2) completeness control, 3) accuracy control, and 4) control over integrity of processing and data files. Examples of application controls include data input validation, agreement of batch totals, and encryption of data transmitted. [FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005]
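
As an added example (not from the cited sources), the authorization, completeness and accuracy controls named above applied to a constructed batch of payment transactions: input validation on each record, an approver check against an authorization table, and agreement of the record count and hash total with the batch header. The record layout, the approver list and the sample batch are assumptions made for the demonstration.

```python
"""Added example (not from the cited sources): authorization, completeness
and accuracy controls over a constructed transaction batch. Layout,
approver table and sample data are assumptions."""
import re
from decimal import Decimal, InvalidOperation

# Constructed sample: a control header (record count and hash total)
# followed by transaction records "T|txn_id|account|amount|approver".
SAMPLE_BATCH = """\
H|count=4|total=1250.00
T|1001|12345678|500.00|jdoe
T|1002|12345678|250.00|msmith
T|1003|1234567X|300.00|jdoe
T|1004|87654321|200.00|intern
"""

AUTHORIZED_APPROVERS = {"jdoe", "msmith"}  # assumed authorization table
ACCOUNT_RE = re.compile(r"^\d{8}$")
TWO_PLACES = Decimal("0.01")


def parse_amount(text):
    """Accuracy control on the amount field: positive, numeric, two decimals; else None."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    if amount <= 0 or amount != amount.quantize(TWO_PLACES):
        return None
    return amount


def check_record(fields):
    """Input validation (accuracy) and authorization controls for one record."""
    _, _, account, amount, approver = fields
    problems = []
    if not ACCOUNT_RE.match(account):
        problems.append("invalid account number")
    if parse_amount(amount) is None:
        problems.append("amount must be positive with two decimals")
    if approver not in AUTHORIZED_APPROVERS:
        problems.append("approver not authorized")
    return problems


def process_batch(text):
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("|")
    if header[0] != "H":
        raise ValueError("batch has no control header")
    hdr = dict(item.split("=", 1) for item in header[1:])
    expected_count, expected_total = int(hdr["count"]), Decimal(hdr["total"])
    records = [line.split("|") for line in lines[1:] if line.startswith("T|")]

    # Completeness control: what arrived must agree with the totals the sender computed.
    received_total = Decimal("0")
    for r in records:
        amount = parse_amount(r[3]) if len(r) > 3 else None
        if amount is not None:
            received_total += amount
    completeness = {
        "received_count": len(records),
        "received_total": received_total,
        "count_ok": len(records) == expected_count,
        "total_ok": received_total == expected_total,
    }

    accepted, rejected, accepted_total = [], {}, Decimal("0")
    for fields in records:
        if len(fields) != 5:
            rejected[fields[1] if len(fields) > 1 else "?"] = ["malformed record"]
            continue
        problems = check_record(fields)
        if problems:
            rejected[fields[1]] = problems
        else:
            accepted.append(fields[1])
            accepted_total += Decimal(fields[3])
    return {"completeness": completeness, "accepted": accepted,
            "accepted_total": accepted_total, "rejected": rejected}


if __name__ == "__main__":
    import pprint
    pprint.pprint(process_batch(SAMPLE_BATCH))
```

Note that the batch totals agree even though two records are rejected: completeness tells you nothing was lost in transit, while accuracy and authorization decide what may be posted. Both results belong in the processing report.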

Application development review

An evaluation of an application system under development which considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established systems development life cycle process. [ISACA]

Application implementation review

An evaluation of any part of an implementation project (e.g., project management, test plans, user acceptance testing procedures). [ISACA]

Application layer

A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer various protocols are needed. Some of them are specific to certain applications and others are more general for network services. [ISACA]

Application maintenance review

An evaluation of any part of a project to perform maintenance on an application system (e.g., project management, test plans, user acceptance testing procedures). [ISACA]

Application management

The process responsible for managing applications throughout their lifecycle. See also application portfolio. [ITIL]

Application portfolio

A database used to manage Applications throughout their lifecycle. An application portfolio contains key attributes of all applications deployed in the business. See also portfolio of services. [ITIL]

Application program

See application. [ISACA]

Application Program [or programming] Interface (API)

See Application Programming Interface. [AIIM]

Application programmer

A person who develops and maintains application programs, as opposed to system programmers who develop and maintain the operating system and system utilities. See application programming. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Application Programming Interface

A set of routines, protocols, and tools referred to as “building blocks” used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to the functional characteristics of an operating system; without it, applications would have to implement different methods for interfacing with each operating system (e.g., MS-Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen. [ISACA]

Application programs

See applications. [Centers for Medicare & Medicaid Services (CMS)]

Application proxy firewall

A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service. Software implemented on a server that acts as an intermediary between two computer systems engaged in communication. The application proxy firewall accepts service requests to and from client computers (computers placed behind and protected by the firewall) and makes the connection to a desired destination on behalf of the requesting party. As application proxy firewalls act on behalf of client computers and internal systems, network structures are protected and hidden from public view. Application proxy firewalls differ from simple packet screening firewalls because they have the capability to view application layer data (web content, e-mail) and make informed decisions based on packet content rather than simply packet headers. [ISACA, Centers for Medicare & Medicaid Services (CMS)]

Application security

See application security controls. [ISACA]

Application security controls

Refers to the security aspects supported by any application, primarily with regard to the roles or responsibilities and audit trails within the applications. [Network Frontiers]

Application Service Provider (ASP)

A third party that delivers and manages applications and computer services, including security services to multiple users via the Internet or a private network. [ISACA, AIIM]

Application sizing

A part of capacity management, the activity responsible for understanding the resource requirements needed to support a new application, or a major change to an existing application. Application sizing helps to ensure that the IT service can meet its agreed service level targets for capacity and performance. [ITIL]

Application software

See application. [Centers for Medicare & Medicaid Services (CMS)]

Application software tracing and mapping

Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions, and processing sequences. Both the command language or job control statements and programming language can be analyzed. This technique includes program/system mapping, tracing, snapshots, parallel simulations, and code comparisons. [ISACA]

Application system

These are understood to be the sum of manual and programmed procedures and applications. An integrated set of computer programs designed to serve a particular function that has specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management). [CobiT, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005]

Appraisal

The process of evaluating business activities to determine which records need to be captured and how long the records need to be kept to meet business needs, the requirements of organizational accountability, and community expectations. [DIRKS]

Appropriation

The most common form of budget authority; an authorization by an act of Congress that permits federal agencies to incur obligations and to make payments out of the Treasury for specified purposes. Appropriations do not represent cash actually set aside in the Treasury for purposes specified in the appropriation acts. They represent limitations of amounts that agencies may obligate during the period specified in the appropriation acts. [GAO/PCIE Financial Audit Manual]

Approved

Federal Information Processing Standard (FIPS) approved or National Institute of Standards and Technology (NIST) recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation. [NIST 800 series, FIPS Pubs]

Approved Mode of Operation

A mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode). [NIST 800 series, FIPS Pubs]

Approved Security Function

A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either 1) specified in an Approved standard, 2) adopted in an Approved standard and specified either in an appendix of the Approved standard or in a document referenced by the Approved standard, or 3) specified in the list of Approved security functions. [NIST 800 series, FIPS Pubs]

Approved standards

Approved standards are standardized algorithms (like in ISO and ANSI) and well-known commercially available standards (like Blowfish) that meet the intent of strong cryptography. Examples of approved standards are AES (128 bits and higher), TDES (two or three independent keys), RSA (1024 bits) and ElGamal (1024 bits). These key sizes reflect the PCI-DSS edition cited; current PCI DSS editions instead point to NIST SP 800-57 for acceptable strengths, and NIST SP 800-131A no longer accepts RSA 1024 or two-key TDES. [PCI-DSS]

Architecture

The term architecture refers to the hardware, software or combination of hardware and software comprising a computer system or network. The architecture of a system always defines its broad outlines, and may define precise mechanisms as well. For example, it may describe functional requirements of the system and the information interaction between entities of the system. The term “open architecture” is used to describe computer and network components that are more readily interconnected and interoperable. Conversely, the term “closed architecture” describes components that are less readily interconnected and interoperable. [Centers for Medicare & Medicaid Services (CMS), Sedona Conference]

Archival authority

Also known as the archival organization, archival institution, archival program. This is the organization or program responsible for selecting, acquiring and preserving archives, making them available, and approving destruction of other records. [ISO 15489]

Archival data

Archival Data is information an organization maintains for long-term storage and record keeping purposes, but which is not immediately accessible to the user of a computer system. Archival data may be written to removable media such as a CD, magneto-optical media, tape or other electronic storage device, or may be maintained on system hard drives. Some systems allow users to retrieve archival data directly while other systems require the intervention of an IT professional. [Sedona Conference]

Archive

Information and records formatted for long-term storage for disaster recovery or other purposes. Items commonly archived include but are not limited to, magnetic media copies of operating system software, application software, and data and hardcopies of system records such as console logs, data listings, and software and firmware listings. Electronic archives preserve the content, prevent or track alterations, and control access to electronic records. [Centers for Medicare & Medicaid Services (CMS), ARMA, Sedona Conference]

Archive record

A record that has continuing or historical value and is preserved permanently by an organization. [ARMA]

Area of concern

A situation or scenario where someone is concerned about a threat to important assets. Typically, areas of concern have a source and an outcome - a causal action that has an effect on the organization. [CERT OCTAVE]

Arithmetic Logic Unit (ALU)

The area of the central processing unit that performs mathematical and analytical operations. [ISACA]

ARMA: the Association for Information Management Professionals (ARMA)

ARMA International is a not-for-profit professional association and the authority on managing records and information – paper and electronic. For more information, see http://www.arma.org/about/index.cfm. [ARMA, Sedona Conference]

Arson

Any willful or malicious burning or attempt to burn, with or without intent to defraud, a dwelling house, public building, motor vehicle, personal property of another, etc. [Centers for Medicare & Medicaid Services (CMS)]

Artificial Intelligence (AI)

The subfield of computer science concerned with the concepts and methods of symbolic inference by computer and symbolic knowledge representation for use in making inferences - an attempt to model aspects of human thought on computers. It is also sometimes defined as trying to solve by computer any problem once believed to be solvable only by humans. AI is the capability of a device to perform functions that are normally associated with human intelligence, such as reasoning and optimization through experience. It attempts to approximate the results of human reasoning by organizing and manipulating factual and heuristic knowledge. Areas of AI activity include expert systems, natural language understanding, speech recognition, vision, and robotics. [ISACA, Sedona Conference]

Aspect ratio

The relationship of the height and width of any image. The aspect ratio of an image must be maintained to prevent distortion. [Sedona Conference]

Assembler

A program that takes as input a program written in assembly language and translates it into machine code or relocatable code. [ISACA]

Assembly CI

A part of configuration management, a configuration item (CI), that is made up from a number of other CIs. For example, a server CI may contain CIs for CPUs, discs, memory etc. An IT service CI may contain many hardware, software and other CIs. See also component CI, build. [ITIL]

Assembly language

A low-level procedural programming language in which each program statement corresponds directly to a single machine instruction. Assembly languages are thus specific to a given processor. [FISCAM, ISACA]

Assertion

Financial statement assertions are management representations that are embodied in financial statement components. The assertions can be either explicit or implicit and can be classified into the following broad categories: existence or occurrence (an entity’s assets or liabilities exist at a given date and recorded transactions have occurred during a given period), completeness (all transactions and accounts that should be presented in the financial statements are so included), rights and obligations (assets are the rights of the organization, and liabilities are the obligations of the organization at a given date), valuation or allocation (asset, liability, revenue, and expense components have been included in the financial statements at appropriate amounts), and presentation and disclosure (the particular components of the financial statements are properly classified, described, and disclosed). [FISCAM, GAO/PCIE Financial Audit Manual]

Assessing control risk

The process of evaluating the effectiveness of an entity’s internal control in preventing or detecting misstatements in financial statement assertions. [GAO/PCIE Financial Audit Manual]

Assessment Method

A focused activity or action employed by an assessor for evaluating a particular attribute of a security control. [NIST 800 series]

Assessment Procedure

A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST 800 series]

Asset

Something of value to the organization. Information technology assets are the combination of logical and physical assets and are grouped into the specific classes (information, systems, software, hardware, people). Assets that need to be individually managed are also configuration items. For example, the door lock on a computer room or a consumable item would not be a configuration item. In the context of financial management, items below a specific value are not considered to be assets as it would not be cost effective to track and manage them. See also asset management, depreciation, risk assessment, critical assets, components. [CERT OCTAVE, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 13335-1:2004, ISO/IEC 27001:2005, PCI-DSS, ITIL, NIST 800 series]

Asset evaluation

A quantitative and/or qualitative assessment to determine the importance of the physical resources of the facilities, information, sensitivity of information, the operational impact of loss and/or denial of support, and the automated information systems resources providing that support. [Centers for Medicare & Medicaid Services (CMS)]

Asset management

A part of financial management, asset management is the business process responsible for tracking and reporting the value and ownership of financial assets throughout their lifecycle. See also asset register. [ITIL]

Asset register

A part of financial management, a list of assets, which includes their ownership and value. The asset register is maintained by asset management. [ITIL]

Assurance

Grounds for confidence that the other four security objectives (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes 1) functionality that performs correctly, 2) sufficient protection against unintentional errors (by users or software), and 3) sufficient resistance to intentional penetration or by-pass. Assurance is the complement of audit risk, which is an auditor judgment. This is not the same as confidence level, which relates to an individual sample. [NIST 800 series, GAO/PCIE Financial Audit Manual, Centers for Medicare & Medicaid Services (CMS), ITIL, PAS 56, US National Information Assurance (IA) Glossary]

Assured software

Software that has been designed, developed, analyzed and tested using processes, tools, and techniques that establish a level of confidence in its trustworthiness appropriate for its intended use. [US National Information Assurance (IA) Glossary]

Asymmetric key

A cipher technique whereby different cryptographic keys are used to encrypt and decrypt a message. See also public key. Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification. [ISACA, NIST 800 series, FIPS Pubs]
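
To make the “complementary operations” concrete, here is an added example that is not from the cited sources: textbook RSA over Python integers, showing that what the public key encrypts only the private key decrypts, and that a signature made with the private key is checked with the public key. The primes are two fixed Mersenne primes chosen as assumptions so the numbers stay readable, and the hash is truncated so it fits below n; a real deployment uses a padding scheme (OAEP, PSS), proper key sizes and a vetted library, never this construction.

```python
"""Added example (not from the cited sources): textbook RSA to show the
complementary roles of a public/private key pair. Demo-sized primes and
a truncated hash are assumptions; do not use this for real data."""
import hashlib
from math import gcd

P = 2**61 - 1   # Mersenne prime M61 (assumption: demo-sized, far too small for real use)
Q = 2**89 - 1   # Mersenne prime M89
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt; only the private key reverses it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def _digest(msg, n):
    # Truncate SHA-256 so the integer is below n; a real scheme encodes the full hash.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big") % n


def sign(private_key, msg):
    """Signing applies the private key to the hash; verification applies the public key."""
    n, d = private_key
    return pow(_digest(msg, n), d, n)


def verify(public_key, msg, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(msg, n)


if __name__ == "__main__":
    pub, priv = keygen()
    c = encrypt(pub, 42)
    print("decrypt(encrypt(42)) =", decrypt(priv, c))
    s = sign(priv, b"release-1.2.tar.gz")
    print("signature verifies:", verify(pub, b"release-1.2.tar.gz", s))
    print("tampered verifies:", verify(pub, b"release-1.3.tar.gz", s))
```

The same modular exponentiation serves both operations; which key goes first is what distinguishes confidentiality (public in, private out) from authenticity (private in, public out).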

Asynchronous Transfer Mode (ATM)

ATM is a high-bandwidth, low-delay switching and multiplexing technology based on fixed-size 53-byte cells. It is a data link layer protocol, which makes it a transport mechanism independent of the higher-layer protocols carried over it. ATM allows integration of real-time voice and video as well as data and supports very high data transfer rates, commonly 155 Mbit/s (OC-3), with higher rates also defined. [ISACA]

Asynchronous transmission

Transmission of data in which the time intervals between transmitted characters may be of unequal length: data is sent intermittently, one character at a time, rather than in a steady stream with characters separated by fixed time intervals. Each character is individually synchronized by a start bit before and one or more stop bits after the bits representing the character (and an optional parity bit); these framing bits are how the receiver distinguishes separate characters, since no separate clock signal is carried on the line. Used, for example, in modem communication. [ISACA]
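
An added example (not from the ISACA source) that models the framing just described at the bit level: the transmitter emits each character behind an arbitrary idle gap, and the receiver resynchronizes on every start bit, checks parity, and treats a missing stop bit as a framing error. The bit order and parity choice (8 data bits LSB first, even parity, one stop bit) are assumptions.

```python
"""Added example (not from the ISACA source): asynchronous start/stop
framing modelled on a list of bits. 8N1-style layout with even parity is
an assumption."""


def parity_bit(data_bits, parity="even"):
    ones = sum(data_bits) % 2
    return ones if parity == "even" else 1 - ones


def frame_byte(value, parity="even"):
    """Start bit (0), 8 data bits LSB first, optional parity bit, stop bit (1)."""
    data = [(value >> i) & 1 for i in range(8)]
    frame = [0] + data
    if parity:
        frame.append(parity_bit(data, parity))
    frame.append(1)
    return frame


def transmit(data, gaps, parity="even"):
    """Return the line as a list of bits. The line idles high (1); `gaps` gives
    the idle time before each character, so character spacing is deliberately uneven."""
    line = [1, 1]
    for value, gap in zip(data, gaps):
        line += [1] * gap + frame_byte(value, parity)
    return line + [1, 1]


def receive(line, parity="even"):
    """Decode a bit list. Returns (bytes, errors); errors are (kind, bit_offset)."""
    out, errors, i = bytearray(), [], 0
    payload_bits = 8 + (1 if parity else 0)
    while i < len(line):
        if line[i] == 1:          # idle: keep waiting for a start bit
            i += 1
            continue
        frame = line[i + 1 : i + 1 + payload_bits + 1]
        if len(frame) < payload_bits + 1:
            errors.append(("truncated", i))
            break
        data, trailer = frame[:8], frame[8:]
        value = sum(bit << k for k, bit in enumerate(data))
        if parity and trailer[0] != parity_bit(data, parity):
            errors.append(("parity", i))       # single-bit corruption detected
        if trailer[-1] != 1:
            errors.append(("framing", i))      # stop bit missing: discard, resync on next start bit
        else:
            out.append(value)
        i += 1 + payload_bits + 1
    return bytes(out), errors


if __name__ == "__main__":
    line = transmit(b"OK!", gaps=[0, 3, 7])
    print("line bits:", "".join(map(str, line)))
    print("decoded:", receive(line))
```

Parity catches an odd number of flipped bits but not two; that is why serial links carrying anything that matters add a CRC or a higher-layer integrity check rather than relying on the parity bit.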

Attachment

An attachment is a record or file associated with another record for the purpose of retention or transfer. There may be multiple attachments associated with a single “parent” or “master” record. In many records and information management programs the attachments and associated record are managed and processed as a single unit. In common use, this term refers to a file (or files) associated with an e-mail for retention and storage as a single message unit. [Sedona Conference]

Attack

The act of trying to bypass security controls on a system. An attack may be active, resulting in the alteration of data; or passive, resulting in the release of data. Note: The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures. [Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Attack Sensing and Warning (AS&W)

Detection, correlation, identification and characterization of intentional unauthorized activity, with notification to decision makers so that an appropriate response can be developed. [US National Information Assurance (IA) Glossary]

Attack signature

A specific sequence of events indicative of an unauthorized access attempt. [NIST 800 series]
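
The attack signature entry and the anomaly detection entry earlier on this page describe the two complementary detection styles; the following added example (not from the ISACA or NIST sources) runs both over constructed authentication log lines. Signature detection looks for a fixed sequence of events (repeated failures from one source followed by a success), while anomaly detection compares live activity with a baseline of what is defined as normal (known user/source pairs and per-minute volume). The log format, thresholds and sample lines are assumptions.

```python
"""Added example (not from the ISACA/NIST sources): signature matching and
baseline anomaly detection over constructed auth log lines. Format,
thresholds and data are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed baseline: a quiet period treated as "normal".
BASELINE_LINES = """\
2024-02-29T08:00:05 src=10.0.0.5 user=alice result=OK
2024-02-29T08:01:12 src=10.0.0.7 user=bob result=OK
2024-02-29T08:02:03 src=10.0.0.5 user=alice result=FAIL
2024-02-29T08:02:09 src=10.0.0.5 user=alice result=OK
2024-02-29T08:03:40 src=10.0.0.7 user=bob result=OK
2024-02-29T08:04:00 src=10.0.0.5 user=alice result=OK
2024-02-29T08:05:30 src=10.0.0.7 user=bob result=OK
2024-02-29T08:05:45 src=10.0.0.5 user=alice result=OK
""".splitlines()

# Constructed live traffic: normal use plus a password-guessing run that succeeds.
LIVE_LINES = """\
2024-03-01T09:00:10 src=10.0.0.7 user=bob result=OK
2024-03-01T09:01:22 src=10.0.0.5 user=alice result=FAIL
2024-03-01T09:01:30 src=10.0.0.5 user=alice result=OK
2024-03-01T09:03:01 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:03:09 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:03:17 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:03:25 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:03:33 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:03:41 src=203.0.113.5 user=alice result=OK
this line is not in the expected format
""".splitlines()


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed lines are skipped, never trusted
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def signature_hits(events, fails=5, window=timedelta(seconds=60)):
    """Signature: at least `fails` FAIL results from one source inside `window`,
    followed by an OK from the same source."""
    hits, recent = [], defaultdict(list)
    for e in events:
        failures = recent[e["src"]]
        if e["result"] == "FAIL":
            failures.append(e["ts"])
            while failures and e["ts"] - failures[0] > window:
                failures.pop(0)           # forget failures older than the window
        elif len(failures) >= fails and e["ts"] - failures[-1] <= window:
            hits.append((e["src"], e["user"], e["ts"].isoformat()))
            failures.clear()
    return hits


def build_baseline(events):
    """What 'normal' looks like: known (user, source) pairs and per-minute volume."""
    per_minute = Counter(e["ts"].replace(second=0) for e in events)
    counts = list(per_minute.values())
    return {"pairs": {(e["user"], e["src"]) for e in events},
            "mean": mean(counts), "sd": pstdev(counts)}


def anomalies(events, baseline, k=3.0):
    """Flag activity that departs from the baseline rather than matching a known pattern."""
    flagged, seen = [], set()
    for e in events:
        pair = (e["user"], e["src"])
        if pair not in baseline["pairs"] and pair not in seen:
            seen.add(pair)
            flagged.append(("unknown source for user",) + pair)
    threshold = baseline["mean"] + k * baseline["sd"]
    per_minute = Counter(e["ts"].replace(second=0) for e in events)
    for minute, n in sorted(per_minute.items()):
        if n > threshold:
            flagged.append(("volume spike", minute.isoformat(), n))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LINES))
    live = parse(LIVE_LINES)
    print("signature hits:", signature_hits(live))
    print("anomalies:", anomalies(live, baseline))
```

The signature fires only on the exact sequence it encodes, so a slower guessing run spread over hours would evade it; the anomaly rules catch the unfamiliar source regardless of pace but would also flag alice the first time she legitimately logs in from a new network. In practice both are run and their alerts correlated.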

Attest reporting engagement

An engagement where an IS auditor either examines management’s assertion regarding a particular subject matter or examines the subject matter directly. The IS auditor’s report consists of an opinion on one of the following: (1) the subject matter itself, in which case the report relates directly to the subject matter rather than to an assertion. This applies when management is not able to make an assertion over the subject of the engagement; for example, when IT services are outsourced to a third party, management will not ordinarily be able to make an assertion over the controls that the third party is responsible for, so the IS auditor must report directly on the subject matter. (2) Management’s assertion about the effectiveness of the control procedures. In an examination reporting engagement the IS auditor is engaged to issue an opinion on particular subject matter; such engagements can include reports on controls implemented by management and on their operating effectiveness. [ISACA]

Attestation Reference (AT)

Reference to statements on standards for attestation engagements in the sections of the Codification of Statements on Auditing Standards. [GAO/PCIE Financial Audit Manual]

Attitude

Way of thinking, behaving, feeling, etc. [ISACA]

Attribute

An attribute is a characteristic of data that sets it apart from other data, such as location, length, or type. The term attribute is sometimes used synonymously with “data element” or “property.” [Sedona Conference]

Attribute Authority

An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity. [NIST 800 series]

Attribute sampling

Statistical sampling that reaches a conclusion about the population in terms of a rate of occurrence. An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size). [GAO/PCIE Financial Audit Manual, ISACA]

Audio-Video Interleave (AVI)

A Microsoft standard for Windows animation files that interleaves audio and video to provide medium quality multimedia. [Sedona Conference]

Audit

The formal process of generating, recording and reviewing a chronological record of system events to ascertain their accuracy, effectiveness, and efficiency (or all three) according to a formal set of guidelines. Auditing is an activity to determine the adequacy of and adherence (compliance) to established procedures, instructions, specifications, codes and standards, or other applicable contractual and licensing requirements, and effectiveness of implementation. In addition, audits recommend necessary changes in controls, policies, or procedures. Most common forms of audits are compliance, operational, or vulnerability. An audit may be carried out by internal or external groups. See also certification, assurance. [ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ITIL, US National Information Assurance (IA) Glossary, NIST 800 series]

Audit accountability

Performance measurement of service delivery including cost, timeliness, and quality against agreed service levels. [ISACA]

Audit authority

A statement of the position within the organization, including lines of reporting and the rights of access. [ISACA]

Audit charter

A document which defines the IS audit function’s responsibility, authority and accountability, and approved by the board. [ISACA, CobiT]

Audit data

Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event. [NIST 800 series]

Audit evidence

The information systems auditor (IS auditor) gathers information in the course of performing an IS audit. The information used by the IS auditor to meet audit objectives is referred to as audit evidence (evidence). See also audit risk. [ISACA]

Audit expert systems

Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, systems software, and control objectives software packages. [ISACA]

Audit log

A chronological record of system activities that is sufficient for the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. Sometimes specifically referred to as a security audit trail. [PCI-DSS]

Audit objective

The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk. [ISACA]

Audit plan

A high level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report, and its intended audience and other general aspects of the work. [ISACA]

Audit program

A series of steps to complete an audit objective. [ISACA]

Audit Reduction Tools

Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups. [NIST 800 series]

Audit Reference (AU)

Reference to Statements on Auditing Standards in the sections of the Codification of Statements on Auditing Standards. [GAO/PCIE Financial Audit Manual]

Audit responsibility

The roles, scope, and objectives documented in the service level agreement between management and audit. [ISACA]

Audit risk

The risk that information or financial reports will contain material errors that the auditor may not detect. The overall risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. This is an auditor judgment. [FISCAM, GAO/PCIE Financial Audit Manual, ISACA]

Audit sampling

See sampling. [ISACA]

Audit software

Generic audit software consists of a special program or set of programs designed to audit data stored on computer media. Audit software performs functions such as data extraction and reformatting, file creation, sorting, and downloading. This type of audit software may also be used to perform computations, data analysis, sample selection, summarization, file stratification, field comparison, file matching, or statistical analysis. The term audit software may also refer to programs that audit specific functions, features, and controls associated with specific types of computer systems to evaluate integrity and identify security exposures. See also audit expert systems. [FISCAM]

Audit trail

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. The log of who changed what and when for accountability. These recordings must enable the re-creation, review, and examination of all events surrounding counter-policy activities within the system. In an accounting package, any program feature that automatically keeps a record of transactions so you can backtrack to find the origin of specific figures that appear on reports. In computer systems, a step-by-step (chronological) history of a transaction, especially a transaction with security sensitivity. Includes source documents, electronic logs, and records of accesses to restricted files. [AIIM, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary, Sedona Conference, NIST 800 series]

Auditability

The level to which transactions can be traced and audited through a system. [ISACA]

Auditing

The process of conducting an audit, or being audited. If you are being audited, this feels very much like a proctologic exam. See also audit. [de facto]

Auditor

The auditor’s intent is to discover unrecognized risks and to help the organization mitigate them. The IS auditor’s job is to “drill down” into the technical specifications, question vendor claims, and identify potential technical or security problems and business risks. Auditors can be either inside or outside the organization. See also information systems auditor. [NIST 800 series, 17 CFR 240.17a-3 & 4]

Authenticate

To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. [US National Information Assurance (IA) Glossary, NIST 800 series]

Authentication

The act of verifying the identity of a user and the user’s eligibility to access computerized information; designed to protect against fraudulent activity. NIST SP 800-33 defines it as verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. All systems that store, process or protect regulated data need to implement access controls to manage where that information may flow and who may create, view or change it; if an authentication attempt fails, access must be blocked. For HIPAA, all attempts to gain access to a system containing ePHI must be logged for later investigation. Authentication can also refer to verifying the correctness of a piece of data. See also identification, key management, system access control. [HIPAA, NIST 800 series, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005, PCI-DSS, FIPS Pubs, US National Information Assurance (IA) Glossary]

Authentication code

A cryptographic checksum based on an Approved security function (also known as a Message Authentication Code (MAC)). [NIST 800 series]

Authentication Header (AH)

The IPsec protocol (RFC 4302) that provides connectionless integrity and data-origin authentication for IP packets, with optional anti-replay protection, by carrying an integrity check value computed over the packet. AH does not encrypt the payload, so it provides no confidentiality, and because the check value also covers immutable fields of the IP header, AH-protected packets do not survive address rewriting by NAT. [Network Frontiers]

Authentication mechanism

Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. [NIST 800 series]

Authentication mode

A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data. [NIST 800 series]

Authentication protocol

A well specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected. [NIST 800 series]

Authentication system

A computer that houses software that authenticates users and data attempting to access the network. Restriction of access to computer systems is the first defense against system compromise. [US National Information Assurance (IA) Glossary]

Authentication tag

A pair of bit strings associated with data to provide assurance of its authenticity. [NIST 800 series]
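The three entries above (authentication code, authentication mode, authentication tag) all describe the same object from different angles: a short value, computed under a secret key, that travels with the data and lets the recipient detect modification. As an added example (not code from the glossary or any cited standard), the block below computes an HMAC-SHA256 authentication code over a message, verifies it with a constant-time comparison, and shows that tampering with the data, using the wrong key, or truncating the tag all fail verification. The key, message and tampered message are constructed for illustration; the one real value is the RFC 4231 known-answer test used as a self-check.

```python
"""Authentication code / authentication tag: an HMAC-SHA256 MAC over data.

Added example (not from the glossary or its sources). The key, message and
tampered message are constructed for illustration.
"""
import hashlib
import hmac


def make_tag(key: bytes, data: bytes) -> bytes:
    """Compute the authentication tag (MAC) for data under key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    A plain `==` on bytes can stop at the first differing byte and leak
    timing information about the expected tag; compare_digest does not.
    """
    return hmac.compare_digest(make_tag(key, data), tag)


def known_answer_check() -> bool:
    """Self-check against RFC 4231 test case 1 (key = 0x0b * 20, data 'Hi There')."""
    key = b"\x0b" * 20
    expected = bytes.fromhex(
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    )
    return make_tag(key, b"Hi There") == expected


# Constructed demo values (not real secrets).
DEMO_KEY = b"demo-only-shared-secret-key-32b!"
DEMO_DATA = b'{"account":"1234","amount":100}'
DEMO_TAMPERED = b'{"account":"1234","amount":900}'


def demo() -> dict:
    """Exercise the tag against genuine and altered inputs."""
    tag = make_tag(DEMO_KEY, DEMO_DATA)
    return {
        "genuine":   verify_tag(DEMO_KEY, DEMO_DATA, tag),       # True
        "tampered":  verify_tag(DEMO_KEY, DEMO_TAMPERED, tag),   # False
        "wrong_key": verify_tag(b"x" * 32, DEMO_DATA, tag),      # False
        "truncated": verify_tag(DEMO_KEY, DEMO_DATA, tag[:16]),  # False
    }


if __name__ == "__main__":
    print("known-answer test passed:", known_answer_check())
    print(demo())
```

Two caveats a practitioner would want. The tag proves integrity and origin, not confidentiality: the data itself is still readable. And the tag is only as strong as the key's secrecy; in an authentication mode of a block cipher (the previous entry) the cipher mode itself produces the tag alongside the ciphertext, which is what modes such as GCM and CCM do, and which the standard-library HMAC shown here does not.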

Authentication token

Authentication information conveyed during an authentication exchange. [NIST 800 series, FIPS Pubs]

Authentication, Authorization and Accounting protocol (AAA)

Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called). Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption. Accounting refers to the tracking of the consumption of network resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended. [PCI-DSS, Wikipedia]

Authenticator

Means used to confirm the identity of a station, originator, or individual. [US National Information Assurance (IA) Glossary]

Authenticity

(for records) An authentic record is one that can be proven: 1) to be what it purports to be, 2) to have been created or sent by the person purported to have created or sent it, and 3) to have been created or sent at the time purported. To ensure the authenticity of records, organizations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance, and disposition of records to ensure that records creators are authorized and identified and that records are protected against unauthorized addition, deletion, alteration, use, and concealment. See also nonrepudiation. [ISO 15489, NIST 800 series]

Author

The author of a document is the person, office or designated position responsible for its creation or issuance. In the case of a document in the form of a letter, the author or originator is usually indicated on the letterhead or by signature. In some cases, the software application producing the document may capture the author’s identity and associate it with the document. For records management purposes, the author or originator may be designated as a person, official title, office symbol, or code. [Sedona Conference]

Authority

An authority is the source from which rules are drawn; it is the convincing force behind an argument to do something. Two common forms of authority are governmental agencies and institutional authorities. Within the world of compliance, local and national governments create laws and regulations that provide the authority necessary to enforce compliance. Institutions can do the same: Visa, MasterCard and the other card brands banded together to form the Payment Card Industry Security Standards Council, which acts as the institutional authority behind its compliance standard, the PCI-DSS. [de facto]

Authorization

This term has two uses, one for information assurance, and another for the Payment Card Industry. 1) In terms of Information Technology security, authorization is the process of determining what types of activities are permitted and the granting of access for those activities. After the authentication process has identified the person, program, or process accessing the system and authenticated the claimed identity, an authorization mechanism needs to determine what data the user is allowed to access and what functions may be performed. The mechanism can be based on a role a person fulfills in the organization and use technologies such as LDAP. Authorization has to be implemented at the lowest level possible to ensure that all access to all regulated data is correctly managed. It must be non-bypassable to ensure that all access attempts are controlled and that no one can circumvent it. At the same time, in the case of a documented crisis, a procedure for emergency override access has to be provided. 2) For the payment card industry, this is the process by which a card issuer approves or declines a Visa card purchase. Authorization occurs automatically when you swipe the magnetic stripe of a payment card through a card reader. See also Voice Authorization Center. [HIPAA, NIST 800 series, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, PCI-DSS, US National Information Assurance (IA) Glossary, VISA Glossary of Terms]
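The information-security sense of the term is the one that turns into code. The block below is an added example (not from HIPAA, NIST or any other cited source) of the properties the entry asks for: a deny-by-default decision made from the authenticated principal's roles, a single authorize() choke point that every resource accessor must call so the check cannot be bypassed, and an emergency (break-glass) override that is accepted only with a documented reason and is written to the audit log like every other decision. Roles, permissions, users and the patient record store are constructed for illustration.

```python
"""Authorization after authentication: decide what an authenticated principal
may do, deny by default, and force every access through one non-bypassable
check. Emergency override (break-glass) is permitted only with a documented
reason and is always written to the audit log.

Added example, not from any cited standard. Roles, permissions, users and
records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> set of (resource, action) permissions. Assumed mapping.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "update")},
    "billing":   {("patient_record", "read"), ("invoice", "create")},
    "auditor":   {("audit_log", "read")},
}

AUDIT_LOG = []   # every decision, allowed or denied, is appended here


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    authenticated: bool = True   # set by the authentication step, not by the caller's claim


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal, resource, action, break_glass_reason=None):
    """The single choke point: all resource access must go through here."""
    if not principal.authenticated:
        decision = Decision(False, "unauthenticated")   # override cannot bypass authentication
    elif any((resource, action) in ROLE_PERMISSIONS.get(r, set())
             for r in principal.roles):
        decision = Decision(True, "role-permitted")
    elif break_glass_reason and break_glass_reason.strip():
        decision = Decision(True, "break-glass: " + break_glass_reason.strip())
    else:
        decision = Decision(False, "no role grants %s:%s" % (resource, action))
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": principal.user_id,
        "resource": resource,
        "action": action,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


# Constructed data store.
PATIENT_RECORDS = {"P-001": {"name": "A. Patient", "allergies": ["penicillin"]}}


def read_patient_record(principal, record_id, break_glass_reason=None):
    """Resource accessor: the data cannot be reached without the authorize() check."""
    decision = authorize(principal, "patient_record", "read", break_glass_reason)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return PATIENT_RECORDS[record_id]


if __name__ == "__main__":
    clinician = Principal("dr_ng", frozenset({"clinician"}))
    auditor = Principal("aud1", frozenset({"auditor"}))
    print(read_patient_record(clinician, "P-001"))                  # allowed by role
    try:
        read_patient_record(auditor, "P-001")                        # denied
    except PermissionError as e:
        print("denied:", e)
    print(read_patient_record(auditor, "P-001",
                              break_glass_reason="ER incident #42"))  # logged override
    print(AUDIT_LOG[-1])
```

Placing the check inside the accessor rather than at the call site is what makes it non-bypassable: a caller that forgets to authorize simply cannot reach the record. The break-glass path deliberately leaves a louder trail than a normal grant, and the one thing it cannot do is substitute for authentication.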

Authorize processing

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. [NIST 800 series]

Authorized examination center

A body authorized by an examination board to host examinations. The authorized examination center provides a place where examinations may be taken and may also provide exam supervision and automated marking. [ITIL]

Authorized program facility (APF)

An operating system facility that controls which programs are allowed to use restricted system functions. [FISCAM]

Authorized vendor

Manufacturer of INFOSEC equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. [US National Information Assurance (IA) Glossary]

Authorized Vendor Program (AVP)

Program in which a vendor, producing an (AVP) INFOSEC product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL). [US National Information Assurance (IA) Glossary]

Authorizing official

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. See also accreditation authority. [FIPS Pubs, NIST 800 Series]

Automated controls

Electronic mechanisms to automate the protection of digital assets, such as log readers, intrusion prevention and detection systems, etc. [Network Frontiers]

Automated information

Automated information is information that is held in any electronic state, locally, centrally, or in transit. See also Automated Information System. [Workgroup for Electronic Data Interchange]

Automated information security

See automated controls. [Centers for Medicare & Medicaid Services (CMS)]

Automated Information System (AIS)

An assembly of computer hardware, software, and/or firmware that is configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. [Centers for Medicare & Medicaid Services (CMS)]

Automated key transport

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols). [NIST 800 series, FIPS Pubs]

Automated password generator

An algorithm which creates random passwords that have no association with a particular user. [NIST 800 series, FIPS Pubs]

Automated security monitoring

Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the IS. [US National Information Assurance (IA) Glossary]

Automated Teller Machine (ATM)

A 24-hour, stand-alone mini-bank, located outside branch bank offices or in public places such as shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries, and transfers. Typically, the ATM network is comprised of two spheres; a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another’s ATMs. [ISACA]

Automatic Call Distribution (ACD)

Part of the service desk, this is the use of information technology to direct an incoming telephone call to the most appropriate person in the shortest possible time. ACD is sometimes called automated call distribution. [ITIL]

Automatic Document Feeder (ADF)

The mechanism by which a scanner feeds paper documents through itself without manual placement of each page. [Sedona Conference]

Automatic remote rekeying

Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See also manual remote rekeying. [US National Information Assurance (IA) Glossary]

Availability

Availability relates to information being available when required by the business process, now and in the future, and to the safeguarding of the necessary resources and associated capabilities. The requirement is intended to assure that systems work promptly and that service is not denied to authorized users; it is therefore the security objective that generates the requirement for protection against intentional or accidental attempts to delete data without authorization or otherwise cause a denial of service or data. You could also think of it as when, or how often, an asset must be present or ready for use. Availability is determined by reliability, maintainability, serviceability, performance, and security. It is usually calculated as a percentage, often based on agreed service time and downtime; it is best practice to calculate availability using measurements of the business output of the IT service. See also security principle. [NIST 800 series, CERT OCTAVE, CobiT, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC 13335-1:2004, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary]
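As an added example of the percentage calculation the entry mentions (not from ITIL or any cited source), the block below computes availability as (agreed service time minus downtime within that time) divided by agreed service time, expressed as a percentage. The point it makes that the formula alone does not is the clipping: only the part of an outage that falls inside an agreed service window counts as downtime, so an outage at 20:00 against a 08:00 to 18:00 service window costs nothing. The service windows and outage records are constructed, and outages are assumed not to overlap each other.

```python
"""Availability as a percentage of agreed service time (AST).

Availability % = (AST - downtime within AST) / AST * 100

Added example, not from ITIL or any cited source. Service windows and
outages are constructed; only outage time that overlaps an agreed service
window counts as downtime. Outages are assumed not to overlap one another
(overlapping outages would be counted twice).
"""
from datetime import datetime, timedelta

# Agreed service time for a constructed two-day sample: 08:00-18:00 each day.
SERVICE_WINDOWS = [
    (datetime(2009, 3, 2, 8), datetime(2009, 3, 2, 18)),
    (datetime(2009, 3, 3, 8), datetime(2009, 3, 3, 18)),
]

# Constructed outage records as (start, end).
OUTAGES = [
    (datetime(2009, 3, 2, 7, 30), datetime(2009, 3, 2, 8, 30)),   # 30 min inside AST
    (datetime(2009, 3, 3, 12, 0), datetime(2009, 3, 3, 13, 0)),   # 60 min inside AST
    (datetime(2009, 3, 3, 20, 0), datetime(2009, 3, 3, 22, 0)),   # outside AST: 0 min
]


def overlap(a, b):
    """Length of the intersection of two (start, end) intervals, never negative."""
    start = max(a[0], b[0])
    end = min(a[1], b[1])
    return max(end - start, timedelta(0))


def downtime_within_ast(windows, outages):
    """Total outage time that falls inside the agreed service windows."""
    return sum((overlap(w, o) for w in windows for o in outages), timedelta(0))


def availability_percent(windows, outages):
    """(AST - downtime) / AST * 100, with AST summed over the service windows."""
    ast = sum((end - start for start, end in windows), timedelta(0))
    if ast <= timedelta(0):
        raise ValueError("agreed service time must be positive")
    downtime = downtime_within_ast(windows, outages)
    return (ast - downtime) / ast * 100.0


if __name__ == "__main__":
    print("downtime within AST:", downtime_within_ast(SERVICE_WINDOWS, OUTAGES))
    print("availability: %.2f%%" % availability_percent(SERVICE_WINDOWS, OUTAGES))
```

The sample gives 20 hours of agreed service time and 90 minutes of downtime inside it, so 92.5 %. The same three outages measured against a 24x7 service window would give a different figure, which is why the agreed service time must be fixed before the number is quoted.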

Availability management

The process responsible for defining, analyzing, planning, measuring and improving all aspects of the availability of IT services. Availability management is responsible for ensuring that all IT infrastructure, processes, tools, roles etc. are appropriate for the agreed service level targets for availability. [ITIL]

Availability Management Database (AMDB)

A database containing all data needed to support availability management. The AMDB may be part of the configuration management database. [ITIL]

Availability plan

A plan to ensure that existing and future availability requirements for IT services can be provided cost effectively. [ITIL]

Awareness

Owners, providers, and users of information systems should readily be able (consistent with maintaining security) to gain appropriate knowledge of and be informed about the existence and general extent of measures for the continuity of information systems. [NIST 800 series, ISO/IEC 27001:2005]

Awareness principle

Participants should be aware of the need for security of information systems and networks and what they can do to enhance security. [OECD Guidelines for the Security of Information Systems and Networks]


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.