U

U.S. person

U.S. citizen or a permanent resident alien, an unincorporated association substantially composed of U.S. citizens or permanent resident aliens, or a corporation incorporated in the U.S., except for a corporation directed and controlled by a foreign government or governments. [US National Information Assurance (IA) Glossary]

U.S.-controlled facility

Base or building to which access is physically controlled by U.S. individuals who are authorized U.S. Government or U.S. Government contractor employees. [US National Information Assurance (IA) Glossary]

U.S.-controlled space

Room or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. Government or U.S. Government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. Government or U.S. Government contractor employees. [US National Information Assurance (IA) Glossary]

Ultrafiche

Microfiche which can hold 1,000 documents/sheet as opposed to the normal 270. [Sedona Conference]

Unabsorbed overhead

Indirect cost of providing an IT service, which cannot be fairly allocated to specific customers. For example, cost of providing an IT service manager, or other shared resource which is not measured. Unabsorbed overhead is normally recovered by applying a percentage uplift to the cost of all IT services. See also direct cost, indirect cost, absorbed overhead. [ITIL]

Unallocated space

The area of computer media, such as a hard drive, that does not contain normally accessible data. Unallocated space is usually the result of a file being deleted. When a file is deleted, it is not actually erased, but is simply no longer accessible through normal means. The space that it occupied becomes unallocated space, i.e., space on the drive that can be reused to store new information. Until portions of the unallocated space are used for new data storage, in most instances, the old data remains and can be retrieved using forensic techniques. [Sedona Conference]

Unauthorized access

A person gains logical or physical access without permission to a network, system, application, data, or other resource. [NIST 800 series, FIPS Pubs]

Unauthorized disclosure

Exposure of information to individuals not authorized to receive it. [Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary, NIST 800 Series]

Uncertainty

This term characterizes the degree, expressed as a percent, from 0% to 100%, to which there is less than complete confidence in the value of any element of the risk assessment. Uncertainty is typically measured inversely with respect to confidence, i.e., if confidence is low, uncertainty is high. [Centers for Medicare & Medicaid Services (CMS)]

Unclassified

Information that is designated as neither sensitive nor classified. The public release of this information does not violate national security interests. Information that has not been determined pursuant to the United States E.O. 12958 or any predecessor order to require protection against unauthorized disclosure and that is not designated as classified. See also regulated data. [Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Underpinning Contract (UC)

A contract with an external third party that supports delivery of an IT service by the IT service provider to a customer. The third party provides goods or services that are required by the IT service provider to meet agreed service level targets in the SLA with their customer. [ITIL]

Unification

A pattern matching technique used by the authors of the Unified Compliance Framework when determining which controls were in common with others and which were specific and should be listed as such. The pattern matching method that the authors used is fully described in many of the UCF books and papers under the title “what is the Unified Compliance Framework?”. [Network Frontiers]

Unified Compliance Framework (UCF)

The Unified Compliance Framework is original research conducted by Network Frontiers and Latham & Watkins. The goal of the UCF is to harmonize or unify all information technology and information services related controls into a single body of work, thus making it immensely easier to be “compliant” in today’s over-regulated world. [Network Frontiers]

Unified Compliance Project (UCP)

The IT Compliance Institute, through their association with Network Frontiers, provides complimentary research, publishing media, and financial support for the Unified Compliance Framework. [de facto]

Uniform Resource Identifiers (URI)

A URL is a URI. [Sedona Conference]

Uniform Resource Locators (URL)

The addressing system used in the World Wide Web and other Internet resources. The URL contains information about the method of access, the server to be accessed and the path of any file to be accessed. A URL looks like this: http://thesedonaconference.org/publications_html. See also Address. [Sedona Conference]

Uninterruptible Power Supply (UPS)

Provides short-term backup power from batteries for a computer system when the electrical power fails, rises, or drops to an unacceptable voltage level. [ISACA]

Unit cost

The cost of providing a single item. For example, if a box of paper with 1,000 sheets costs $10, then each sheet costs 1 cent. Similarly if a CPU costs $1m a year and performs 1,000 jobs in a year, the unit cost for each job is $1,000. [ITIL]

Unit testing

Testing individual program modules to determine if they perform to specification. The testing technique is used to test program logic within a particular program or module. The purpose of the test is to ensure that the program meets system development guidelines and does not abnormally end during processing. [FISCAM, ISACA]

Unitization – Physical and Logical

The assembly of individually scanned pages into documents. Physical Unitization utilizes actual objects such as staples, paper clips and folders to determine pages that belong together as documents for archival and retrieval purposes. Logical unitization is the process of human review of each individual page in an image collection using logical cues to determine pages that belong together as documents. Such cues can be consecutive page numbering, report titles, similar headers and footers and other logical indicators. This process should also capture document relationships, such as parent and child attachments. See also Attachment. [Sedona Conference]

Universal Description Discovery and Integration (UDDI)

A web-based version of the traditional phone book’s yellow and white pages enabling businesses to be publicly listed in promoting greater e-commerce activities. [ISACA]

Universal messaging system (UMS)

[Sedona Conference]

Universe

See population. [GAO/PCIE Financial Audit Manual]

UNIX

A multitasking operating system originally designed for scientific purposes which has subsequently become a standard for midrange computer systems with the traditional terminal/host architecture. UNIX is also a major server operating system in the client/server environment. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), Sedona Conference]

Unix File System (UFS)

Unix File System is the file system that the UNIX operating system uses for storing and retrieving files on storage media. Every item in a UNIX file system can be defined as belonging to one of four possible types: ordinary files, directories, special files, or links. See also UNIX. [de facto]

Unsigned card

A seemingly valid credit card that has not been duly signed by the legitimate cardholder. Merchants cannot accept an unsigned card until the cardholder has signed it, and the signature has been checked against valid government identification, such as a driver's license or passport. [VISA Glossary of Terms]

Unsigned data

Data included in an authentication token, in addition to a digital signature. [NIST 800 series, FIPS Pubs]

Untied users

Users who can choose whether to use the services provided by an internal service provider or to purchase services from another source. See also tied users. [ITIL]

Untrusted process

Process that has not been evaluated or examined for adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms. [US National Information Assurance (IA) Glossary]

Untrustworthy host

To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host. The host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on the trusted networks can place only limited trust in it. [ISACA]

Update (a certificate)

The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate. [NIST 800 series]

Update access

This access level includes the ability to change data or a software program. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Updating

Automatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key, equipment, device, or system. [US National Information Assurance (IA) Glossary]

Upgrade

New or better version of some hardware or software. [Sedona Conference]

Upload

The process of transferring a copy of a file from a local computer to a remote computer by means of a modem or network. With a modem-based communications link, the process generally involves the requesting computer instructing the remote computer to prepare to receive the file on its disk and wait for the transmission to begin. [FISCAM, ISACA, Sedona Conference]

Urgency

A measure of how long it will be until an incident, problem or change has a significant impact on the business. For example, a high impact incident may have low urgency, if the impact will not affect the business until the end of the financial year. Impact and urgency are used to assign priority. [ITIL]

URL filter server

A computer that houses software that allows you to manage and restrict user access to selected Web sites and content in compliance with your organization’s policies. [Network Frontiers]

Usability

The ease with which an application, product, or IT service can be used. Usability requirements are often included in a statement of requirements. [ITIL]

Useful audit evidence

Audit evidence is useful if it assists the IS auditors in meeting their audit objectives. [ISACA]

User

The person who uses a computer system and its application programs to perform tasks and produce results. Any organizational or programmatic entity that utilizes or receives service from an automated information system facility. A user may be either internal or external to the agency organization responsible for the facility, but normally does not report to either the manager or director of the facility or to the same immediate supervisor. [FISCAM, Centers for Medicare & Medicaid Services (CMS), OMB Circular A-130, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary, NIST 800 Series]

User account management

Involves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions. [NIST 800 series]

User controls

Manual comparisons of computer output (generally totals) to source documents or other input (including control totals). [GAO/PCIE Financial Audit Manual]

User Datagram Protocol (UDP)

A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability. A data request by the client is served by sending packets without verifying whether they actually arrive at the destination or whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions. [ISACA, PCI-DSS]

User ID

See user identification. [PCI-DSS, US National Information Assurance (IA) Glossary]

User identification (UID)

A unique identifier (character string) assigned to each authorized computer user. [Centers for Medicare & Medicaid Services (CMS)]

User initialization

A stage in the lifecycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware). [NIST 800 series]

User Partnership Program (UPP)

Partnership between the NSA and a U.S. Government agency to facilitate development of secure IS equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application. [US National Information Assurance (IA) Glossary]

User profile

A set of rules that describes the nature and extent of access to each resource that is available to each user. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

User registration

A stage in the lifecycle of keying material; a process whereby an entity becomes a member of a security domain. [NIST 800 series]

User representative

Individual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered. [US National Information Assurance (IA) Glossary]

User-added metadata

Data or work product created by a user while reviewing a document, including annotations and subjective coding information. [Sedona Conference]

Utility program

Generally considered to be system software designed to perform a particular function (e.g., an editor or debugger) or system maintenance (e.g., file backup and recovery). Examples include sorting, backing up, and erasing data. [FISCAM, ISACA]

Utility software

Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system. This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and to analyze job accounting data. See also utility program. [ISACA]


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.