TERMS AND DEFINITIONS

Tentacle is designed to help demystify the information security landscape for our users. As part of that effort, we compiled definitions for terms and acronyms that are often used within this space. These definitions are integrated into the appropriate question blocks within our application, and a full list can be found below.
Accepted external authenticators
Authenticators from outside organizations that meet National Institute of Standards and Technology (NIST) standards.
Access agreements
The formal document identifying the rules a user must follow in order to obtain and maintain permissions to information systems, as well as the user's signature indicating intent to follow these rules.
Access authorization
The permissions granted to enter facilities or to view, read, modify, delete, or perform other activities in an information system.
Access Control Mechanisms
Standardized manual or automated processes that manage how permissions are granted to enter facilities or to view, read, modify, delete, or perform other activities in an information system.
Access Control Policy
A set of documented and mandatory objectives, rules, and practices that describes the high-level requirements for the appropriate provisioning of permissions to technology assets, programs, and facilities.
Access Control Procedure(s)
The detailed processes for granting, provisioning, modifying, monitoring, and revoking permissions to systems and data based on the minimum need for a user to perform necessary duties.
Access Control Vestibules
A space between two sets of interlocking doors designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access.
Access Logs
The documentation showing a history of visitors who have requested access to and/or accessed a facility or secure area, as well as important visitor information such as affiliated organization and point of contact within the organization.
Access Points
A method of gaining access or entrance, such as a device that allows a connection between a wireless device and a wired network.
Account identifiers
The username for a system account.
Account recovery
The process of logging into an account using alternative means when a user forgets an ID, password, or is otherwise unable to access the account.
Accuracy
The quality of information represented as its true or correct nature or value.
Acquisition
The process by which hardware, software, supplies, or other resources are obtained through purchasing processes, contractual agreements, or other methods.
Acquisition Process
The process by which hardware, software, supplies, or other resources are obtained through purchasing processes, contractual agreements, or other methods.
Acquisition Strategies
The organization's approach to obtain hardware, software, supplies, or other resources while also providing protection against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle.
Activation
The process of enabling the functionality or execution of a process or device, such as the activation of a contingency plan.
Active discovery tool
An application or software that actively pings devices across the network to identify technology assets.
Active Ports
A communication endpoint that has not been disabled and can accept connections.
Activities
Actions performed to achieve an objective.
Ad Hoc
As needed.
Address of record
The physical address of a person as documented by an organization.
Address Space Layout Randomization (ASLR)
A memory protection technique that guards against buffer overflow attacks by randomizing where processes and libraries are placed in memory.
Adequacy Decision
A concept in the General Data Protection Regulation where the European Commission (EC) has decided that a third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection of personal data.
Administrative account access
Access with administrative privileges, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Administrative Costs
A fee or an expense for administrative activities, such as the fee charged to address the cost of personal data processing when a data subject request is made.
Administrative privileges
System capabilities that require enhanced authorization, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Advanced Data Encryption Standard (AES)
A method of encoding digital information using a symmetric encryption algorithm with a 128-bit, 192-bit, or 256-bit key.
Advanced persistent threat
A person or group, typically associated with another nation, that works to execute (or does execute) malicious attacks against an organization's systems, data, or network -- often over an extended period of time and without detection.
Affected Parties
Organizations which must abide by a law, regulation, policy, procedure, or other mandatory guidance due to the applicability of the guidance to the organization.
After-the-Fact Investigations
An in-depth examination of who was involved in an event after the event has occurred (as well as how, where, when, why, the event occurred), often using audit records.
Alarm
A sound or message indicating that a problem has occurred.
Alternate Configuration management
A process for managing configuration settings and changes to systems when a developer is not performing configuration management.
Alternate Power Supply
A source of power other than the main source, such as an uninterruptible power supply (UPS).
Alternate Work Sites
Facilities other than the organization's main facilities where employees conduct business, such as a home office.
Anomalous Adversarial Behavior
Changes in system performance, usage patterns, or user behavior.
Anomalous behavior
Activities occurring in the operating environment that do not fall within normal thresholds or patterns.
Anti-exploitation features
Mechanisms configured or installed on a machine to make it more resistant to attack.
Anti-Malware Administration Tools
A management tool or centralized function that allows administrators to track: deployment of anti-malware software, computers not recently updated, an inventory of protected devices, and other information.
Anti-Spoofing Measures
Techniques that detect and block forged source IP addresses from entering the network, such as deep packet inspection, encrypted protocols, and spoofing detection software.
Anti-Spoofing Mechanisms
Techniques that detect and block forged source IP addresses from entering the network, such as deep packet inspection, encrypted protocols, and spoofing detection software.
Anti-Tamper Technologies
A form of physical access control where mechanisms are applied to a tangible device to prevent unintended use or damage, such as tamper-detection seals and anti-tamper coatings.
Applicable Laws
The set of rules enacted through legislation that are binding for a person or organization based on geographic location, type of operations, or other characteristics.
Application Firewalls
A device that can control communications to and from applications or services.
Application Upgrade
Modifications to existing applications that enhance or update existing functionality or security.
Appropriate protection
The defense of systems and data that meets requirements.
Approved
Officially accepted by designated personnel/processes as satisfactory or as meeting requirements.
Approved Automated Mechanisms
Automated tools which are permitted by the organization.
Approved List
A list of documents, technologies, or other items that are officially accepted as satisfactory or as meeting requirements.
Approved Scanning Vendor
An organization that is approved by the Payment Card Industry Security Standards Council (PCI SSC) to conduct quarterly external vulnerability scans.
Archive
To store records; or, a repository of stored records.
Assess
To evaluate the character, quality, or attributes of someone or something.
Assessed Component Configurations
The specific components that have been assessed to determine compliance with the required configuration settings.
Assessment
An examination of processes, controls, or programs that results in a judgment about performance, effectiveness, or compliance.
Asset Location Technologies
Wireless, cellular, Global Positioning System (GPS), and other tracking tools that ensure critical assets -- including vehicles, equipment, and system components -- remain in authorized locations.
Asset owners
The personnel responsible for either the financial or operational management of an asset, typically assigned in a configuration management database (CMDB).
Assigned roles and responsibilities
The positions within an organization, as well as their associated duties, which have been designated to specific individuals for execution.
Assignment of access rights
The granting of privileges and permissions in a system.
Association
A group of people that work together in pursuit of a common goal.
At Rest
Stationary; not in the process of moving or being transmitted from one location to another, such as data at rest on a database.
Attack Surface Reviews
Developer reviews of design and implementation changes to identify mitigation actions to address attack vectors and flaws generated by the changes.
Attack Surfaces
Exposed weaknesses and deficiencies in hardware, software, and firmware components that make those systems more vulnerable to attacks.
Attestation
A process that provides evidence for or certainty of something.
Attribute assignments
The attributes, such as user attributes or resource attributes, that dictate which type of system access and privileges are granted in an attribute-based access scheme.
Attribute associations
The mapping of data to specific qualities that describe that data's security or privacy properties, such as labels for the sensitivity of a particular type of data.
Attribute-based access control policy
Guidance for assigning permissions to data based on detailed attributes of the user (such as whether they are in a management role, whether they have approval to access sensitive data, etc.).
Attribute-based access model
Guidance for assigning permissions to data based on detailed attributes of the user (such as whether they are in a management role, whether they have approval to access sensitive data, etc.).
Atypical usage
Incidents occurring in the operating environment that do not fall within normal thresholds or patterns.
Audit and accountability policy
This policy provides guidance on recording, reviewing, alerting, transmitting, rotating, retaining, and storing data that detail historical events and outcomes in information systems.
Audit events
The set of all available records which document the detailed events occurring within an information system (e.g., event logs, account login information, packet information, etc.).
Audit Record Reduction
A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.
Audit records
The set of all available records which documents the detailed events occurring within an information system (e.g., event logs, account login information, packet information, etc.).
Audit Requirements
The criteria or conditions the organization must meet to produce and obtain the evidence required for audits.
Audit Trail Entries
The set of all available records which documents the detailed events occurring within an information system (e.g., visitor logs, event logs, account login information, packet information, etc.).
Audit trails
The set of all available records which documents the detailed events occurring within an information system (e.g., event logs, account login information, packet information, etc.).
Audited override
To use authority to change or cancel a transaction or operation.
Augmentation
The enhancement of a system design through additional features or components.
Authenticated Application Layer Proxy
A firewall between an application server and its clients that controls outgoing communications from the internal network and incoming communications to the internal network.
Authenticated Proxy Servers
A server sitting between a private network and the outside world that controls outgoing communications from the internal network and incoming communications to the internal network.
Authenticated Vulnerability Scanning
The state of using an authenticated, logged-in user to run a program to identify weaknesses in a technology environment.
Authentication credentials
The specific pieces of information required for logging into a system, such as user ID and password.
Authentication factors
The credentials that can be used to access a system.
Authentication System
The technology used to assist users in gaining entry to information systems, such as a single sign-on (SSO) application.
Authenticators
Any attribute -- such as a password or access card -- that identifies and verifies a user and grants said user access to a system or location.
Authority
A person or organization that determines and/or approves the rights, privileges, and/or compliance requirements for individuals and entities.
Authorization Credentials
The identifying information (such as a badge, biometric scan, or key card) showing that an individual is authorized to enter a facility.
Authorize
The formal granting of permission to operate under specified conditions, assume privileges, or perform tasks.
Authorized Processing Conditions
The approved criteria that must be met in order to process or manipulate personally identifiable information (PII) and personal data.
Authorized Wireless Access Points
An officially approved method of gaining access, such as a device that allows a connection between a wireless device and a wired network.
Authorizing official
A senior official or executive, typically in the federal government, that formally takes responsibility for the operation of an information system at a certain risk level by performing specific actions -- e.g., signing off on appropriate documentation prior to system deployment, approving control assessment plans, and accepting certain risks.
Autocomplete
A predictive technology that can fill in a phrase or email address, which may result in sending an email to an unintended recipient.
Automated access control mechanisms
Tools that do not require manual intervention to facilitate the provisioning of permissions to technology assets, programs, and facilities.
Automated Mechanisms
Standardized processes in the technology environment that are processed by a service or machine and do not require manual processing to function.
Automated tools
Standardized processes in the technology environment that are processed by a service or machine and do not require manual processing to function.
Automated Vulnerability Analysis
Automated tools for analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.
Automatic Fire Suppression
Systems that can detect and extinguish fires (e.g., sprinklers, condensed aerosol, and gaseous suppression).
Automatic Voltage Controls
Equipment that can monitor and control voltage (e.g., voltage regulators, voltage conditioners, and voltage stabilizers).
Automatically
Without manual intervention.
Automatically Disable
To revoke the functionality of an item or process using a mechanism that does not require human intervention, such as script for disabling inactive accounts.
Availability
The reliability, uptime, and accessibility of data and systems to authorized users.
Awareness and Training Policy
Guidance on identifying workforce security and privacy training objectives and implementing role-based, security-based, and skills-based training programs to support these objectives.
Awareness techniques
Training that elevates the security and privacy protection skills of the workforce.
Back-Out Procedures
Procedures that return software and applications to a known and stable state, such as after an unsuccessful deployment of a change.
Background
A person's past experience, employment history, and criminal history.
Background verification checks
An investigation of a person's past experience, employment history, and criminal history (typically prior to an offer of employment).
Badge
A physical card showing identity and employment status.
Baseline Education Roadmap
A strategy and timeline for building foundational cybersecurity skills in the workforce.
Batch job scheduling
The predetermined times at which a program or series of commands are set to run to complete a task.
Benign Code
An executable program that was not written with malicious intent and which does not result in a negative impact to the organization.
Bi-directional authentication
Two parties that authenticate each other at the same time.
Bind
The labeling of subjects (such as a user or process) and objects (such as a database) by a system with attributes that contain information that allow policy enforcement -- for example: permitted uses of Personally Identifiable Information (PII), data retention limits by data type, and other information.
Biometric logon
Any method of gaining entry to a location or system that uses biological data, such as retina scans, fingerprints, or facial scans.
Biometric-based authentication
Any method of gaining entry to a location or system that uses biological data, such as retina scans, fingerprints, or facial scans.
Blended Attacks
A combination of different types of penetration exercises, such as a mix of viruses, malicious code, or trojan horses.
Boundary Protection Device
Any device that can control communications into and out of the network (e.g., firewalls, routers, gateways, proxies, and tunnels).
Boundary Proxy
An application or device that acts as an intermediary for requests between clients and servers.
Breach
An incident resulting in the unauthorized access and/or disclosure of systems and/or data.
Breadth
The extent of coverage of certain topics or activities.
Breadth and Depth
The extent of coverage of certain topics or activities, as well as the extent to which these topics or activities are addressed.
Broken Authentication
A scenario in which a malicious actor has captured information from or circumvented an authentication process.
Browsing
Viewing web pages on a computer.
Buffer Overflow Vulnerabilities
A vulnerability that is caused by writing more data into a fixed-length block of memory than it can hold, which can result in code injection by a malicious actor.
Build Phases
The development stage where code is written.
Business As Usual
Normal business operations.
Business continuity plan
A roadmap for how the organization will continue operating during an unplanned disruption in service.
Business Impact Assessment
A formal process that evaluates business risks to the organization.
Business Need
The state of requiring a particular process or technology to address the goals of a commercial or government organization.
Business Process Level
Written in a manner that addresses organizational business processes.
Business Recovery
The processes that allow a business to continue operating during an unplanned disruption in service.
Business Risk Assessment
A formal process that evaluates the business and other risks of changes to the operating environment.
Bypass
To circumvent or avoid.
Cached authenticators
Authenticators used to authenticate the local machine when the network is not available.
Capital Planning
Budgeting and planning for long-term business goals.
Cardholder data
Any information either printed on or contained in digital format within the magnetic stripe or chip on a credit card -- for example: Primary Account Number (PAN), cardholder name, card expiration date, and service code.
Cardholder data environment
The set of technology assets and processes that stores, transmits, or processes a cardholder's Primary Account Number (PAN), name, expiration date, and/or service code.
Cardholder Data Environment (CDE)
The set of technology assets and processes that stores, transmits, or processes a cardholder's Primary Account Number (PAN), name, expiration date, and/or service code.
Categories
Groupings or classifications of something.
Central Log Management System
A single repository for managing and monitoring log events.
Centralized Log Server
A single server for aggregating, managing, and monitoring log events.
Centralized Repository
A single archive for data and information.
Certificate Authorities
An organization that issues digital certificates.
Certification
Achieving something at a certain standard or level of attainment.
Certification Mechanisms
A means for certifying the quality of or compliance with something.
Change
The introduction of, modification to, or disposition of: hardware, software, applications, or configurations in the technology environment.
Change Management Procedure
The detailed processes for proposing, approving, testing, and deploying changes and configurations to the organization's systems.
Change-Detection Mechanism
A tool that can identify when modifications are made to systems and/or data.
Change-Detection Solution
A tool that can identify when modifications are made to systems and/or data.
Changes
Minor or major modifications to technology assets, configurations, processes, or personnel.
CHD
Cardholder data, which is any information either printed on or contained in digital format within the magnetic stripe or chip on a credit card -- for example: Primary Account Number (PAN), cardholder name, card expiration date, and service code.
Circumvent Controls
To avoid the processes in place that safeguard the security of systems and data.
Citizen requirements
The criteria or conditions that must be met for being, or becoming, a citizen of a country.
Class of users
Certain types of information system users, such as standard users or administrators.
Classes of Incidents
Certain types of incidents, such as ransomware incidents or data breach incidents.
Classification Level
A ranking system for the sensitivity of information pertaining to systems, data, and documents in the United States government.
Classification scheme
A way to organize or label something, such as data classification.
Clear Abstractions
When a system has simple, well-defined interfaces and functions that provide a consistent and intuitive view of the data and how it is managed.
Clear Desk Policy
Guidance for maintaining a work space that is free of sensitive information or equipment that could be misappropriated or misused by passersby.
Clear-text
Readable data that has not been encoded by an encryption algorithm.
Cleared
The quality of having obtained a security clearance.
Codes of Conduct
The accepted rules of behavior.
Collection
The process of obtaining an item from a source, such as the collection of personal data from a data subject.
Command-Line Audit Logging
Recording audit trails of the arguments, or instructions, given in the command line interface (CLI).
Commencing
Beginning.
Commercial Off-The-Shelf Information Assurance
Commercially available information technology products used to protect classified information by cryptographic means.
Commercially Available
A product or service that is available to buy at a market price.
Commission
The European Commission (EC), an executive arm of the European Union (EU).
Common Set
A shared collection of requirements that different developers must meet.
Commonly Used Electronic Form
A routinely used electronic format, such as email.
Communication
The transmission of information or data by verbal or electronic means.
Communications path diversity
Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable, to continue operation and take appropriate actions during an incident.
Communications sessions
The continuous interval of time that two entities spend communicating, e.g., the set of interactions between a user's computer and a website -- or the identifying attributes of this interval.
Communications Traffic
The packets of data -- including a header, a source address, and a destination address -- that are sent and received by computers, servers, routers, and other equipment over a digital communication link (such as a network).
Company-Approved Products
Technologies deemed acceptable by the organization.
Competence
Adequacy of skills and knowledge to complete job duties.
Complaint
A formal communication to a person or organization that describes unacceptable treatment or behavior received or observed, such as a complaint about data collection and privacy practices.
Complaint Management Process
A formal communication process that allows a person or organization to provide feedback about unacceptable behavior received or observed (such as a complaint about data collection and privacy practices).
Complexity and composition rules
Rules for strong passwords, such as using a variety of alphanumeric characters and avoiding commonly guessed passwords.
Compromise
The unauthorized or unintended use, disclosure, or exploitation of systems or data.
Compromised
The condition of being lost, altered, misused, created, destroyed, disclosed, or leveraged in a way that negatively impacts the interests of the organization -- for example: a database compromised by a breach; a server compromised by a natural disaster; or a person compromised by blackmail.
Concealment
The practice of hiding something.
Concept of Operations
A document describing the technical characteristics of an information system.
Conceptually Simple Protection Mechanism
A tool that is designed with reduced complexity in mind to lower the potential for vulnerabilities.
Concurrent sessions
More than one session occurring at the same time, such as a user logged into an application at the same time from both a laptop and a mobile device.
Confidentiality
The quality of systems, data, or information that is protected from unauthorized access, use, and disclosure.
Configurable Capability
A mechanism for responding to system events that has customizable parameters.
Configuration Change Management
The set of processes for securely proposing, approving, developing, testing, and deploying configurations, systems, and system changes.
Configuration Management
The processes by which implementation of or modifications to systems or settings are designed, documented, approved, tested, and deployed.
Configuration Management Plan
A plan that details how the organization will identify, control, record, track, audit, and report on configuration changes to a specific system or set of systems.
Configuration requirements
The settings a system must have implemented in order to comply with security and privacy requirements.
Configuration Standards
The technical specifications that must be adhered to when selecting and developing system settings.
Configuration-Controlled
The quality of requiring adherence to the configuration management process for documenting, proposing, approving, testing, and deploying changes (such as normal or emergency changes).
Conflict Of Interests
A scenario where a person or organization has personal or private incentives that conflict with an assigned purpose or mission, such as an auditor that is auditing a family member's company.
Conflicting duties
Tasks which, when assigned to one person in aggregate, jeopardize the security of the system due to an ability to complete the full life cycle of a process or transaction without review, approval, or override.
Congressional Committee
A legislative group that proposes legislative solutions for a specific topical area of public interest.
Connection requirements
Specification of the types of communication protocols and ports that must be used for specific types of connections.
Consent
Permission to do something, such as consent to collect personal data.
Consent Mechanisms
The processes and tools used by an organization that allow it to obtain the initial and ongoing consent for use of data from data subjects.
Consistency Mechanism
A concept in the General Data Protection Regulation (GDPR) wherein a mechanism standardizes cooperation between supervisory authorities.
Constituent System components
The discrete hardware, software, equipment, and other items that comprise an information system.
Container-based encryption
A mode of encryption where files are stored inside an encrypted container, such as an encrypted .zip archive.
Content Filter Orchestration Engines
Software that manages the coordination of several types of content filtering, which restrict or control the content an Internet user may access.
Content filtering
Programs that restrict dangerous and/or inappropriate Internet content from users.
Content Filtering Actions
Activities that restrict or control the content an Internet user may access.
Context
The circumstances or background surrounding an item or matter that can provide clarity in meaning or intention.
Contingency Personnel
The individuals assigned to execute the organization's Contingency Plan.
Contingency Plan
The set of actions designed to account for a future (likely adverse) event that will allow the organization to continue normal operations and limit possible disruption (e.g., in the event of a natural disaster, loss of technology resources, or cyber attack).
Contingency Plan Knowledge
The comprehension and understanding of a proactive strategy designed to account for a future (likely adverse) event that will allow the organization to continue normal operations and limit possible disruption (e.g., in the event of a natural disaster, loss of technology resources, or cyber attack).
Contingency Planning
The act of developing and executing a proactive strategy designed to account for a future (likely adverse) event that will allow the organization to continue normal operations and limit possible disruption (e.g., in the event of a natural disaster, loss of technology resources, or cyber attack).
Contingency Processes
The steps needed to execute the organization's Contingency Plan.
Contingency Training
The practice of increasing the workforce's skills and knowledge of the contingency plan that will allow the organization to continue normal operations and limit possible disruption during an adverse event (e.g., natural disaster, loss of technology resources, or cyber attack).
Continuous and engaging
Ongoing and stimulating.
Contractors
A person directed to perform official duties for an organization, typically through a legal agreement, who is not an employee of the organization.
Contractual Agreements
A legally enforceable document creating obligations for the named persons or parties.
Contractual Requirement
An activity (or abstaining from an activity) that must be performed as dictated in a contractual agreement.
Control
A process designed to achieve a financial, reporting, compliance, or security objective.
Control Assessment Plan
A roadmap for evaluating or testing the design and effectiveness of security controls.
Control Assessment Report
A written evaluation of how controls are implemented and operating in the technology environment.
Control Assessment Team
Professionals possessing the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls (as appropriate).
Control Assessor
A professional possessing the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls (as appropriate).
Control Baselines
A collection of security controls that are tailored to information systems based on the security categorization of those systems.
Control Deficiencies
A shortcoming in the design or operation of a control that does not allow it to meet objectives.
Control Effectiveness
The state of a security control performing as it is designed and intended.
Control Networks
To appropriately safeguard communications across a network.
Control Performance
The execution of the processes that support controls.
Control Plane Traffic
Data flowing through the control plane, or the processes and functions that determine how information is routed on the network.
Controlled areas
The facilities or areas within a facility with enhanced security requirements to protect critical and/or sensitive systems and data.
Controlled unclassified information
A United States (US) government classification for the sensitivity of, and security requirements for, data.
Controller Confirmation
Positive assent of something, such as confirmation as to whether or not personal data concerning a data subject is being processed.
Controlling Access
To appropriately safeguard the ability to access systems and data.
Convincing Argument
A formal model.
Corrected
The state of having changed data or information to reflect accuracy.
Correlate
To identify characteristics of one item that relate to or affect another item -- for example, correlating a suspicious port scan with a suspicious login when both originate from the same Internet Protocol (IP) address.
Counterfeit Components
Parts or products procured for a system that have been falsely represented as a trusted component.
Coverage
The extent to which something is addressed.
Covert Channel Analysis
The process used to identify the potential for unauthorized information flows across security domains, such as an exfiltration of data that violates security policy.
Crisis Situations
Scenarios where normal operations have experienced a significant negative disruption, such as in the event of a natural or man-made disaster.
Criteria
The basis, often in the form of detailed requirements, on which a decision or determination is made.
Critical Information
Data, files, or information which, when compromised, would cause a major negative impact to the organization.
Critical Servers
Servers which, when compromised, would cause a major negative impact to the organization.
Critical System Components
Equipment, hardware, software, firmware, applications, databases, and other information technology assets which, when compromised, significantly and negatively impact the achievement of the organization's objectives.
Critical Technologies
The application of knowledge, processes, and tools -- such as applications, systems, software, and other mechanisms -- to complete specific functions that are essential for key business operations.
Criticality Analysis
A process for assigning assets a level of importance to the organization based on associated risks.
Cross-Discipline Insider Threat Handling Team
An integrated group of people across teams and groups that is equipped to respond to potential attacks and adverse events originating from personnel and sources inside the organization.
Cross-organization management
The integration of activities -- such as identifier management activities -- across organizations.
Cross-Site Scripting
An attack in which malicious script is injected into a legitimate web page or web application and then executes in the browsers of users who view it.
Cryptographic
The quality of a mechanism that securely encodes and decodes information configured in the system -- for example: a security protocol, such as Transport Layer Security (TLS); symmetric key encryption, such as the Advanced Encryption Standard (AES); public key algorithms, such as Rivest–Shamir–Adleman (RSA); or cryptographic hash functions, such as Message Digest 5 (MD5).
Cryptographic controls
Processes that securely encode and decode information configured in the system -- for example: a security protocol, such as Transport Layer Security (TLS); symmetric key encryption, such as the Advanced Encryption Standard (AES); public key algorithms, such as Rivest–Shamir–Adleman (RSA); or cryptographic hash functions, such as Message Digest 5 (MD5).
Cryptographic Key Management
The detailed processes for securely exchanging, storing, rotating, and using cryptographic keys.
Cryptographic Mechanisms
Standardized processes for securely encoding and decoding information that are configured in the system and do not need manual intervention to function -- for example: a security protocol, such as Transport Layer Security (TLS); symmetric key encryption, such as the Advanced Encryption Standard (AES); public key algorithms, such as Rivest–Shamir–Adleman (RSA); or cryptographic hash functions, such as Message Digest 5 (MD5).
Cryptographic modules
The hardware, software, or firmware implementing cryptographic functions such as: decryption, encryption, authentication, random number generation, and digital signatures.
Cryptographic Protection
Any process using cryptographic functions (e.g., decryption, encryption, digital signatures, etc.) to safeguard systems and data.
Cryptoperiod
The duration of time during which a particular cryptographic key can be used.
Currency
The quality of reflecting the current state of something.
Custodial responsibilities
The duties required to steward, control, transfer, and/or dispose of a specific item.
Custody
The state of physically having something in one's possession or guardianship.
Customer Premises
The facilities of an organization that buys or receives goods or services.
Cyber threat environment
The potential for adverse malicious attacks, as well as an understanding of actors who could perpetrate these attacks.
Cyber threat information
Information regarding the potential for adverse malicious attacks, as well as an understanding of actors who could perpetrate these attacks.
Daemons
Continuously running background programs that are not under the control of the user.
Damage
The impairment of the value, quality, or function of something due to physical harm.
Data
The information transmitted, stored, and processed by a computer.
Data Action
System operations that process personally identifiable information (PII).
Data Backup Processes
The procedures used to produce and store copies of system-level and user-level data that can be used to restore the system in case of data loss.
Data discovery
A method for identifying organizational data and insights about that data.
Data Execution Prevention (DEP)
A memory protection technique that guards against the execution of code from a non-executable memory location.
Data Governance Body
A formally established group within the organization that initiates policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance.
Data governance program
An initiative within the organization that establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance.
Data in transit
Data moving from one location to another, such as data sent across the network.
Data Integrity Board
A board of senior officials designated by the head of a federal agency that is responsible for, among other things, reviewing the agency's proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated.
Data Integrity Verification
The process of checking for unauthorized or unintended changes to data.
Data leaks
The unauthorized or unintended disclosure or release of data.
Data Loss Prevention
The controls used to prevent data from unauthorized or unintended release, disclosure, or exfiltration.
Data Origin Authentication
A security service that can identify the specific entity that is the source of a piece of data.
Data Portability
The right of a data subject to receive the personal data concerning them (which they have provided to a controller) in a structured, commonly used, and machine-readable format -- as well as the right to transmit this data to another controller.
Data Protection Impact Assessment
A formal process that evaluates the data protection risks of changes to the operating environment.
Data Protection Officer
The person responsible for informing the workforce of data protection obligations, monitoring compliance with data protection requirements, and serving as a point of contact for data protection and privacy inquiries from data subjects.
Data Protection Provisions
Legal mechanisms for protecting data.
Data sensitivity
The quality of data or documentation that must be protected from unauthorized access, use, modification, and disclosure to avoid violations of law and/or negative impact to the organization -- for example: electronic Protected Health Information (ePHI); personally identifiable information (PII); or business Confidential Information (CI) regarding an organization's customers.
Data Subject
The individual to whom collected, transmitted, or stored personal data or personally identifiable information pertains.
Data Type Identifiers
Labels for identifying a type of data, such as a label identifying personally identifiable information (PII).
Data-discovery methodology
A disciplined approach for identifying organizational data and insights about that data.
Database-Specific Access Control
The practice of granting privileges and permissions to databases.
De-registration
To revoke or disable access permissions.
Deactivate
To end the viability and usability of something, such as a system account.
Decryption Tools
Automated mechanisms used to decode information.
Dedicated account
An account that is used for only one specific function, like a dedicated administrative account for vulnerability scanning that is not used for other administrative tasks.
Default accounts
An account provided by the vendor for the initial login and set-up of the equipment or software.
Default authenticators
Passwords provided by the vendor for the initial login and set-up of the equipment or software.
Default passwords
A password provided by the vendor for the initial login and set-up of the equipment or software.
Defense
To protect against attack.
Deficiencies
The quality of having areas which lack (on some level) an expected quality or function, such as deficiencies of security controls.
Define
To formally establish and/or specify through documentation, configurations, or other explicit and verifiable means.
Defined concealment
Techniques that the organization has determined it will use to hide something.
Defined Personnel
The employees or contractors identified by the organization to perform specific tasks or activities.
Defined restrictions
The established limitations for a policy or concept.
Defined Roles
The job functions explicitly designated through verbal communication or written documentation.
Definition
A description of the meaning of something, such as website category definitions.
Delegated Acts
Provisions that can be adopted by the European Commission (EC).
Deliver The System
To formally hand off software, applications, or other programs from a developer to a customer.
Delivered Vulnerabilities
Exploitable weaknesses that are included in the product delivered by a developer.
Delivery method
The manner in which an item is taken to its intended destination.
Demilitarized Zone
A subnetwork that serves as a buffer between an organization's internal network and any external networks, often involving the placement of certain public-facing services outside of the internal network firewall.
Democratic Society
Government through elected representatives.
Denial of Service Attacks
An attack whereby a website or system is overwhelmed with requests, preventing legitimate users from accessing it.
Denial of Service Events
An attack whereby a website or system is overwhelmed with requests, preventing legitimate users from accessing it.
Denial of Service Protection
Practices and tools which safeguard systems against denial of service attacks, such as packet filtering to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks, increasing network capacity and bandwidth, and service redundancy.
Denied Communications
Traffic that the organization deems suspicious or prohibited.
Deny-all
The quality, typically of a firewall rule, of blocking all network traffic.
Description
A detailed explanation of something, such as a system, application, process, or program.
Descriptive Top-Level Specification
An informal but descriptive explanation of something.
Design modification
Changes to how the system is constructed.
Design Specification
The engineering attributes that meet system requirements.
Designated Automated Mechanisms
Standardized manual or automated processes in the technology environment.
Designated registration authority
An organization designated as a Registration Authority (RA), which receives and validates requests for digital certificates and public/private key pairs.
Destination points
The target endpoints for information.
Destroy
To terminate the functionality of an object through physical or other damage.
Detailed Processes
The specific activities or procedures (usually including "who, what, where, why, when") performed to achieve a desired outcome for the organization.
Detonation chamber capability
A mechanism that allows organizations to open email attachments, execute untrusted or suspicious applications, and execute Uniform Resource Locator (URL) requests in the safety of an isolated environment or a virtualized sandbox.
Develop
To create, evolve, or mature a process or technology.
Developer
An employee or contractor that researches, designs, tests, writes code, or performs other tasks related to the creation of software, website(s), or other content that is implemented in an operating environment.
Development and improvement program
A program that identifies skills required for security and privacy roles; provides role-based training programs for individuals assigned security and privacy roles and responsibilities; and identifies standards of performance for personnel with these responsibilities.
Development Environment
Specific environments (e.g., specific servers or applications) that are used to develop software and applications for the production environment.
Device
A piece of hardware performing a computing or communications function.
Device access
The ability of hardware or equipment to use a particular network.
Diagnostic activities
The tasks performed when assessing technical issues, problems, and the health of information systems.
Different Security Domains
Two or more groupings of technology resources (e.g., servers, routers, and/or websites) that abide by different sets of protocols (e.g., a web server, directory service, or Secret Internet Protocol Router Network [SIPRNet]) to protect the assets.
Digital media
A device that can store data in magnetic, optical, or solid state format (e.g., an external hard drive, flash drive, tape, or disk).
Dips
The insertion of a credit card into a device, such as a Point of Sale (POS) terminal or Automated Teller Machine (ATM).
Direct Marketing
Marketing communications directly to individual customers.
Direct Public Access
The ability of public internet users to access the organization's technology.
Directive 2002/58/EC
Privacy and Electronic Communications Directive 2002 or the ePrivacy Directive, which protects confidentiality of electronic communications in the European Union (EU).
Directives
The official, documented guidelines (often developed to identify potential actions for achieving results) established by an authoritative organization.
Disable
To revoke the functionality of an item or process, such as account permissions.
Disciplinary Action
A formal corrective action performed for personnel who do not meet expected standards for performance or behavior.
Disciplinary process
The formal steps for sanctioning an individual or organization due to unacceptable behavior.
Disclosed
Released to another party or organization, as in disclosed information.
Disclosure
The unauthorized or unintended release of data or information.
Discovery
To reveal something using procedures (e.g., revealing devices on a network by using passive discovery techniques to listen to traffic and identify components).
Display banner
A communication shown to the user notifying them of the terms and conditions of acceptable use of the system, as well as of the monitoring of their activities.
Disposal
The process of destroying, throwing away, or transferring something (e.g., a computer or system).
Disseminate
The communication of relevant information to an individual, group, organization, or other desired parties.
Disseminated
The communication of relevant information to an individual, group, organization, or other desired parties.
Dissemination
The communication of relevant information to an individual, group, organization, or other desired parties.
Distribution limitation
Restrictions on disclosure or handling of data or media.
Diverse information technologies
The use of a variety of technologies to improve security posture.
Diversity of operating systems
The use of a variety of operating systems to improve security posture.
DNS
Domain Name System (DNS), a system that supports the Internet by providing a way to match website names with Internet Protocol (IP) addresses for websites.
Document
A written, printed, or electronic record that captures and defines information (such as a policy, procedure, process, diagram, training manual, etc.).
Documented
Information that is captured and defined through written, printed, or electronic records.
Documented Acknowledgement
Written, signed, or electronic agreement or assent to rules or conditions.
Documented Development Process
A written set of instructions for how software and applications should be designed, tested, and implemented.
DoD
The Department of Defense (DoD), an executive branch department of the United States (US) government responsible for military operations and national security.
Domain Keys Identified Mail (DKIM)
A cryptographic method for validating the sender and content of a communication.
Domain Name System
Domain Name System (DNS), a system that supports the Internet by providing a way to match website names with Internet Protocol (IP) addresses for websites.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
A policy that helps the receiver of a message validate its sender and that specifies the next steps to take with the message (e.g., quarantine the message, reject the message, etc.).
Domains
A grouping of technology resources (e.g., servers, routers, and/or websites) that abides by the same set of protocols (e.g., a web server, directory service, or Secret Internet Protocol Router Network [SIPRNet]) to protect the assets.
Dormant accounts
Inactive accounts.
Downgraded information
Information that has been approved for use in accordance with a less rigorous set of requirements.
Downgrading
To facilitate the ability of a device or information to be used in accordance with a less rigorous set of requirements -- for example, the downgrading of media from use in a classified environment to use in an unclassified environment.
Downgrading mechanisms
Tools that facilitate the ability of a device or information to be used in accordance with a less rigorous set of requirements, such as redaction.
Downstream Information Exchanges
Information exchanges occurring in systems that are dependent on other systems for the exchanged information.
Draft Code
A draft code of conduct pursuant to the General Data Protection Regulation (GDPR).
Dual Authorization
A security procedure in which two separate authorizations are required before an action can be performed or something can be accessed.
Due Diligence
The process of adequately researching and understanding the impact of a task, project, or partnership prior to initiating it.
Dynamic address allocation
The temporary assignment of an Internet Protocol (IP) address to a client.
Dynamic Code Analysis Tools
Mechanisms to test code for vulnerabilities while it is running.
Dynamic identifier policy
A policy for creating identifiers that change, such as a one-time password (OTP).
Dynamic Reconfiguration
Changes to: router rules; access control lists; intrusion detection or prevention system parameters; and filter rules for guards or firewalls.
Dynamic Response Capabilities
The ability to quickly deploy new or replacement organizational capabilities in response to incidents.
Dynamically
In a manner that changes based on new information, such as dynamic assignment of Internet Protocol (IP) addresses.
Dynamically relocate
To move either in response to information or on a random basis, such as periodically relocating sensors.
Effectiveness
The measured quality of something operating in the manner in which it is intended.
Effects
A condition or situation that results from a preceding process or event, such as adverse effects from a denial-of-service (DoS) attack.
Electromagnetic Pulse Damage
Damage caused by an electromagnetic pulse (EMP), a short burst of electromagnetic energy spread over a range of frequencies that may be disruptive or damaging to electronic equipment.
Electronic Means
Using electronic communications, such as email.
Elements
Data attributes or components of systems.
Elevated tasks
Administrative activities.
Email Attachments
A file sent with an email.
Embedding data types
Inserting files as objects within other files, and using compressed or archived data types that may include multiple embedded data types.
Emergency accounts
Accounts with a temporary duration that are used to perform critical activities.
Emergency Lighting
Lighting systems that are intended to be activated during disruptive or emergency events.
Emergency Shutoff Switches
Mechanisms to shut off power in emergency situations.
Employ
To use or implement in the technology environment.
Encrypted Channels
Communication methods that are protected from listening and tampering through cryptography.
Encryption
The practice of securely encoding and decoding information that is configured in the system and does not need manual intervention to function -- for example: a security protocol, such as Transport Layer Security (TLS); symmetric key encryption, such as the Advanced Encryption Standard (AES); public key algorithms, such as Rivest–Shamir–Adleman (RSA); or cryptographic hash functions, such as Message Digest 5 (MD5).
Enforceable Commitments
Legal obligations with which the organization must comply.
Enforcement mechanism
Standardized manual or automated processes that ensure implementation is aligned with policy.
Enterprise architecture
The strategy and system components that support the alignment of business objectives with technology objectives.
Enterprise Risk Management process
The practices that define how the organization identifies threats and vulnerabilities; sets its risk appetite; finds and controls risk; measures and reports on risk; selects appropriate controls; and responds to risk.
Enterprise Structure
The objectives of the organization and the arrangement of the people, processes, and tools that support these objectives.
Enterprise Systems
Information systems managed by the organization.
Entities
A set of persons, places, or things.
Entry Controls
Physical security controls for managing access to facilities (e.g., visitor areas, locked doors, guards, turnstiles, etc.).
Environment
The set of systems, hardware, software, data, equipment, and other components that supports the technology operations of the business.
Environmental Changes
Changes in background conditions that may affect an organization (e.g., a natural disaster affecting the supply chain).
Environmental Control Levels
Measurements for conditions that must be regulated in the physical environment of a facility or system (i.e., humidity, power, lighting, etc.).
Environmental controls
Conditions that must be regulated in the physical environment of a facility or system (e.g., humidity, power, lighting, etc.).
Environmental Protection
The process of controlling the physical access to and safety of facilities, facility perimeters, secure areas, and resources through: surveillance, ingress and egress control, personnel and visitor records, access badges, monitoring, and environmental controls.
Environmental Support
Background conditions that support contingency operations, such as the availability of conference rooms.
Environmental Threats
Potential negative impacts arising from the surrounding physical environment of a facility or system (e.g., humidity, power, lighting, etc.).
Envisaged
Conceived or described.
Envisaged Consequences
Conceived or described results of something.
Equivalent Functionality
Capabilities that are equal in value or outcome.
Erasure
To remove or delete something.
Error Messages
A notification that is sent or displayed as an output when a problem arises during a computer operation, such as an error message that is displayed when a login fails.
Escalation Procedures
The detailed processes for notifying successively more senior personnel in the organization of an event, usually in the case of an incident.
Escort
The person assigned to accompany a visitor to a facility as a safeguard security measure.
Essential functions
Critical processes for the organization.
Establish
To set up and approve a definite structure for a specific activity through the use of documentation and/or processes.
Established Reporting Requirements
The criteria or conditions that must be met for evaluating, summarizing, and communicating information to people and groups in the organization.
Establishment
The setting up of a definite structure by developing documentation and/or processes.
Evacuation
The movement of people or objects from one location to another, safer location.
Event
A significant security-related occurrence that takes place within an organization's information system -- e.g., account logon/creation/deletion, object access, privilege usage, policy changes, and/or other similar security-related events.
Event Logging
Recording the audit trails of security-related occurrences in an information system, such as an account logon, account creation, account deletion, object access, privilege uses, policy changes, and other security-related incidents.
Event monitoring
The observation of events and metrics in the technology environment, often through real-time data, to identify anomalous or suspicious behavior.
Event types
A category for significant security-related occurrences that take place within an organization's information system -- e.g., account logon/creation/deletion, object access, privilege usage, policy changes, and/or other similar security-related events.
Evolve
The act of changing over time.
Examination
A thorough inspection to obtain reasonable assurance of something.
Exceptions
An activity, outcome, or entity that does not follow an established set of rules and which may require documented acceptance.
Executed
A task, activity, or operation that has been performed.
Executing code
Running a program.
Executing system process
Running a program.
Execution
The implementation and/or performance of an activity.
Execution of duties
Performing required tasks.
Executive Orders
A legally binding directive (that does not need congressional approval) issued by a United States President to provide details on how a law shall be enforced.
Exemption
A case in which an otherwise required activity is waived, such as an exemption from the standard rules for removing equipment from a facility.
Exercise
A process performed to achieve a specific result, such as an incident response exercise.
Exfiltration
The unauthorized or unintended disclosure or release of data.
Exfiltration Tests
Techniques used to assess the system's ability to prevent the unauthorized or unintended disclosure, release, or misappropriation of information from systems.
Exit Interviews
Formal meetings that occur after termination of employment, in which employer and employee feedback is given and next steps for employment termination as well as post-employment obligations are discussed.
Expenditure
The act of spending money.
Expiration date
The point in time at which something is no longer active or useful, such as the expiration date of an emergency account.
Expired accounts
Accounts for which a predetermined expiration period has elapsed.
Expires
The act of being or becoming no longer valid or useful.
Explicit indication
A clear notification to a user that a device is in use.
Exploitation
The act of taking advantage of a bug or vulnerability to cause negative or unintended impacts to systems and/or data.
Exploits
The acts of taking advantage of a bug or vulnerability to cause negative or unintended impacts to systems and/or data.
Extensible Authentication Protocol-Transport Layer Security (EAP/TLS)
An authentication framework that uses certificate-based and mutual authentication of the client and the network.
External Developer
An outside organization that designs and creates software, applications, or systems.
External Interfaces
Any program or device that facilitates a connection to a network outside of the organization.
External Networks
Any program or device that facilitates a connection to a network outside of the organization.
External Organizations
Legal entities or groups with a common purpose that are not a part of the organization.
External Providers
Suppliers that are not a part of the organization.
External Providers of System Protection
Outside organizations that provide information security services to safeguard systems and data.
External security and privacy groups
Outside organizations or associations that support, publish, and promote cybersecurity industry knowledge.
External security or privacy incidents
Events negatively impacting the security or privacy of an outside organization's systems or data, often serving as an educational example.
External security providers
Outside organizations that contract with the organization to provide security personnel and other security services.
External Services
Work performed by an outside vendor.
External Systems
The set of equipment, hardware, software, firmware, applications, databases, and other information technology assets owned by entities outside of the organization.
External Telecommunication Service
An outside organization that provides data or voice communications services.
External-Facing Technologies
Technologies such as wireless, firewalls, Domain Name Systems (DNS), and mail servers.
Externally-proofed identities
Accepting the identities of users that have been proofed by another organization.
Facilities
The buildings or physical locations where a business, group, or organization conducts operations.
Faults
Any incorrect processes or specifications in a computer program or technology environment that cause required functions to perform in an unanticipated or unintended way.
Federal Register
An official publication of the United States (US) government that documents rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents.
Federate
To enable a single system to perform an authentication task which then allows access to systems across multiple security domains, trust boundaries, and/or enterprises.
Feedback
A response to a product, activity, program, task, or input, often provided for improvement purposes.
Field maintenance
The type of maintenance, such as repairs or updates, conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment).
File Integrity
The quality of a file containing data that has not been tampered with or changed in an unauthorized or unintended manner.
File Integrity Monitoring
Closely observing file data to ensure it has not been tampered with or changed in an unauthorized or unintended manner.
Filter Pipelines
Mechanisms for filtering content to meet a predefined policy that cannot be bypassed.
Filter Processing Failure
When a security or privacy filter does not operate as intended.
Financial applications
Systems that process, transmit, and store the data, reports, transactions, accounts, and disclosures which support the organization's financial statements.
Financial Data Backup
An archive of stored data from financial systems, reports, transactions, and other data supporting the financial statements that can be used to restore data after a disruptive event.
Finer-grained allocation
The ability to assign permissions to data based on detailed attributes of the user (such as whether they are in a management role, whether they have approval to access sensitive data, etc.).
FIPS-Validated
A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-3.
Fire Detection Systems
Systems that identify the presence of fires and notify personnel, such as fire alarms.
Fire Protection
The equipment and tools that safeguard systems and data against fire damage.
Fire Protection Inspections
A formal examination of environmental conditions that may predispose an organization to fires.
Firewall Configuration Standards
Technical specifications for a firewall that identify network security zones and the types of traffic which will be allowed or denied access to these zones.
Flaw Identification
The process of finding and documenting defects in software design and/or implementation.
Flaw Remediation
The processes used to address defects in software design and/or implementation.
Flaw Resolution
The remediation of system defects.
Fluctuations
Changes in the qualitative or quantitative measure of something.
Foreign nationals
A person who is not a naturalized citizen of a specific country.
Forged Source IP Addresses
A false source address that incorrectly indicates where a network packet originated from.
Formal
Officially recognized or accepted.
Formal Indoctrination
An official training program.
Formal Methods
A mathematical approach for showing that system implementation meets design specifications.
Formal Policy Model
A formal description of how the design of a system supports security and privacy policies -- especially those intended for specific areas of interest (e.g., nondiscretionary access control policies) -- using formal languages such as mathematics.
Formal procedures
An official, standardized set of practices, such as formal procedures for reviewing users' access rights.
Formal Sanctions
Official disciplinary actions against a person, organization, or nation.
Fragment
To divide information into disparate elements and distribute those elements across multiple systems or system components and locations; or, a piece of those elements.
Framework
A detailed approach and/or structure for something, such as a framework for security controls.
Freedom of Expression
The ability to speak or articulate thoughts without retribution.
Freedom of Information
The Freedom of Information Act (FOIA) is a United States (US) law passed in 1967 that mandates disclosure of information controlled by the government under certain conditions.
Freedoms
The ability to speak or act in certain ways without restrictions.
Frequency
The time interval at which an activity (for example, a control) is performed. Typically occurring continuously, daily, weekly, monthly, quarterly, annually, bi-annually, or within another specified time period.
Full-device encryption
Encryption of hardware, whereby data is converted into unreadable code and the hardware is made inaccessible to those without appropriate authentication mechanisms.
Full-Text Analysis
Analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command -- and includes the use of pattern matching and heuristics.
Fully-Enumerated Formats
Data formats (e.g., single-valued or multivalued) that fully specify the permitted structure of data, including restrictions on file sizes and field lengths, and can therefore be used to filter input data.
Functional Properties
The functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls; this specifically excludes functionality and data structures internal to the operation of the controls.
Fundamental Rights
The obligations of a government towards every one of its citizens, often as dictated by law.
Gaps
The variance between a current state and a desired state.
Gateways
Hardware or software that connects networks with different transmission protocols.
General Services Administration
The General Services Administration is a United States (US) government agency established in 1949 that provides centralized procurement for the government.
Generic accounts
System accounts which may be used by more than one person and that also require enhanced scrutiny due to the potential for misuse.
Government Duties
Tasks assigned to or performed by government personnel.
Government Off-The-Shelf Information Assurance
Information technology developed by or for the government (as opposed to commercial off-the-shelf products) and used by the government to protect classified information by cryptographic means.
Group accounts
System accounts which may be used by more than one person and that also require enhanced scrutiny due to the potential for misuse.
Group and role membership
The state of a user being assigned to a security grouping or a specific role, which may dictate permissions in a system.
Group Assigned Administrative Privileges
Any role or bulk-assigned collection of privileges in a system that includes administrative permissions (i.e., the ability to change security settings, create accounts, view logs, etc.).
Group of Undertakings
A collection of entities engaged in an economic activity regardless of the legal status of the entity or the way in which it is financed, such as companies within a corporate group.
Guarantees
A formal assurance or promise of something.
Guidelines
A set of voluntary actions that users can implement to meet the organization's objectives.
Handling caveats
The procedures that must be used when physically handling media with a specific security or sensitivity designation.
Hardened
The quality of having stricter configuration settings applied to hardware or software to enhance security.
Hardening
To implement stricter configuration settings to enhance security.
Hardware Asset Management
The practice of identifying, documenting, maintaining data attributes for, and managing hardware and equipment.
Hardware Schematics
A diagram or technical description of hardware.
Hardware separation mechanisms
Hardware ring architectures that are implemented within microprocessors and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable).
Hardware-Protected Key Store
A piece of hardware or a device that supports encryption processes, such as a Trusted Platform Module (TPM) that can be used to protect cryptographic keys.
Hash and salt
To apply a one-way cryptographic transformation to data (hash) after adding a unique value to the plaintext (salt) so that identical inputs produce different hash values and precomputed-table attacks are harder.
Hierarchical Namespace
A system that enforces the unique names of objects within different directories or objects, such as files that are organized in separate directories.
High-Level
The quality of being in aggregate or at a summarized level, especially of goals, tasks, or activities.
High-Level Contingency Planning
Aggregated or summarized goals for contingency planning.
High-Level Logging
Aggregate or summarized goals for logging.
High-Level Objectives
A set of specific, actionable targets at an organizational level that the organization seeks to achieve within a defined time frame.
High-Risk Vulnerabilities
Weaknesses in the technology environment that have a high potential negative impact to the organization.
Higher layers
The higher level core functions of a system as they relate to security, including application domain, application, and temporal (as opposed to the lower layers, such as distribution, data, and resource).
Historical
Of or relating to events that have happened in the past.
Historical Research
Research relating to events that have happened in the past.
Host-Based Firewalls
Firewall software that runs on an individual computer or network-connected device.
Host-Based Monitoring
Monitoring that collects information about the host (or system in which it resides), such as servers, notebook computers, and mobile devices.
Hosted Environment
The off-site physical servers supporting organizational operations, which are managed by an external provider.
Hosted Merchant
A credit card merchant that uses the infrastructure of a service provider.
Hosting
The practice of running an organization's hardware, software, applications, and/or data processes on systems owned by external organizations.
Human reviews
A thorough analysis conducted by a human being.
Human-Readable Form
A way of representing data such that it can be read by humans (e.g., the conversion of binary data to American Standard Code for Information Interchange [ASCII]).
Identifiable owner
A person responsible for the risks and operation of a device, such as the owner of a portable storage device.
Identification and authentication controls
Processes for validating the identity and access privileges of users and processes seeking access to systems and data.
Identification and authentication policy
Guidance for validating the identity and access privileges of users and processes seeking access to systems and data.
Identification and authentication procedures
The detailed processes for validating the identity and access privileges of users and processes seeking access to systems and data.
Identified custodian
A person who serves as an accountable point of contact during the media transport process.
Identified Entities
Parts of the organization that have been identified to take action, such as specific people, groups, or divisions.
Identifier objects
User IDs, credentials, badges, and other items that confirm the identity of a system user.
Identify
To clearly establish the character, quality, or attributes of someone or something.
Identity assurance level
The organization's level of certainty that a user is who they say they are.
Identity evidence
Information used to verify an individual's identity, such as documentary evidence or a combination of documents and biometrics.
Identity Management Profiles
An outline of specific characteristics for identity management based on open identity management standards.
Identity verification
The process of making sure that a user, device, or process actually is who or what it claims to be.
Identity-proof
To confirm the identity of a user by way of documentation or other evidence.
Idle
Not working, active, or in use (such as an idle laptop).
Impact
The qualitative or quantitative effect of something on something else.
Impact Assessments
A formal process that evaluates the business and other risks of changes to the operating environment.
Impact Level
A security categorization for an information system based on the potential impact of a lack of confidentiality, integrity, and availability of that system.
Impact-Level Prioritization
A further prioritization of the systems that have a single security categorization as established by Federal Information Processing Standards Publication (FIPS 199), such as the division of the "moderate" categorization of systems into "low-moderate", "moderate-moderate", and "high-moderate" to further prioritize the application of resources.
Impersonation Calls
Telephonic communications in which a malicious actor pretends to be a legitimate caller in order to exploit an individual.
Implement
To put (a decision, plan, process, etc.) into operation.
Implementation guidance
Directions on how to deploy systems and configuration settings.
Implementation Information
Technical data required to effectively deploy the system.
Improper Access Control Vulnerabilities
Weaknesses in the processes for granting, maintaining, monitoring, and revoking access that may allow a malicious actor to gain access.
Improper Error Handling Vulnerabilities
Weaknesses in the operation of errors/exceptions that allow a malicious actor to obtain sensitive data.
Improvement Program
A program that identifies skills required for security and privacy roles; provides role-based training programs for individuals assigned security and privacy roles and responsibilities; and identifies standards of performance for personnel with these responsibilities.
In Paragraph
Located in the referenced paragraph.
In Scope
Within the boundaries of a concept that is applicable to something, such as a system that is in-scope for PCI DSS requirements.
In Transit
The quality of moving from one location to another, such as data being sent across the network.
In-band channels
Communication channels that use the same path or medium as the primary communication, such as sending the password for an encrypted file by email when the encrypted file itself was also sent by email to the recipient (as opposed to an out-of-band channel).
In-person
Occurring face-to-face between two or more people at the same location and time.
Inactive user accounts
A system account that is no longer active.
Incident Handling Lifecycle
The steps from start to finish for managing events that are disruptive to operations, such as the process followed from the moment a help ticket is submitted to the resolution of the incident.
Incident Response Information
Information provided by help desks, assistance groups, and/or automated ticketing systems to open and track incident response tickets, as well as grant access to forensics services or consumer redress services (when required).
Incident Response Personnel
The personnel who prepare for, detect, analyze, contain, eradicate, recover from, and conduct post-event actions for technology events that are disruptive and/or harmful to the organization's operations and/or interests.
Incident Response Plan
The documentation describing how the organization prepares for, detects, analyzes, contains, eradicates, recovers from, and conducts post-event actions for technology events that are disruptive and/or harmful to its operations and/or interests.
Incident Response Procedures
The activities identifying the detailed processes for how the organization prepares for, detects, analyzes, contains, eradicates, recovers from, and conducts post-event actions for technology events that are disruptive and/or harmful to its operations and/or interests.
Incident Response Training
The activities performed to increase the workforce's skill and knowledge to prepare for, detect, analyze, contain, eradicate, recover from, and conduct post-event actions for technology events that are disruptive and/or harmful to the organization's operations and/or interests.
Incident Scoring
A method of ranking incidents with respect to their impact on the organization.
Increased privilege
Privileges that are granted with an "administrator" or "root" account which have the potential to greatly impact the security or operational functionality of a system.
Independence Criteria
The standards used to decide whether an entity is independent and free from conflict(s) of interest, typically of an auditor or assessor.
Independent Agent
A person or organization separate from the developer of the system.
Indicators
Observable signs or evidence, such as events, artifacts, or metrics, that a security incident may have occurred or may be occurring.
Individual Identity
The identity of a specific person, typically of someone who has used and can be linked to the output produced from a device (such as a document printed from a printer or facsimile machine).
Individual Intrusion Detection Tools
Software that monitors network communications for malicious activity and is installed on a specific piece of equipment.
Individuals
Can refer to persons both inside and outside the organization.
Informal Demonstration
Correspondence, presentations, or other assurances that show that the system implementation is an accurate transformation of the formal policy model.
Informal Descriptive Top-Level Specification
A written document explaining the technical features of a system in simple and clear terms.
Information Asset Management
The processes for identifying, maintaining, retaining, correcting, and securely disposing of information assets, such as data, documentation, and other information.
Information classification
A framework for how to manage, handle, release, transfer, and dispose of information based on its sensitivity and security requirements (such as public, internal, confidential, or restricted).
Information Exchange Security Agreements
Agreements governing how information is exchanged and processed between systems.
Information Flooding
An attack where server resources are overwhelmed by illegitimate requests in order to make the server unavailable to legitimate traffic.
Information Flow Control
The processes which specify how data is transmitted to protect the confidentiality and integrity of the information and which also comply with applicable security policies (such as the creation and implementation of rules for how sensitive information is processed).
Information flow control mechanisms
Content checking, security policy filters, and data type identifiers.
Information flow control policies
Guidance to ensure that information transfers within a system or organization are not made in violation of the security policy.
Information Integrity Procedures
The practices of making sure that systems, data, and configuration settings are not changed or deleted in an unauthorized manner.
Information Management
Procedures for addressing the full life cycle of information (data, policies, plans, reports, etc.), such as collection, correction, retention, disposal, and other management practices.
Information Processing Facilities
Any building or geographic property that performs operations on data (i.e., data centers, network centers, or other locations).
Information Producer
The person or program that produced specific information, typically used to identify the source of information in the event of a data transfer.
Information Retention
The practice of keeping data and information for the defined time period necessary to meet legal and regulatory requirements.
Information Security
The state of protecting systems and data against unauthorized, accidental, and malicious use, disclosure, modification, or deletion.
Information security breach
An incident resulting in the unauthorized access and/or disclosure of systems and/or data.
Information Security Management System
The set of internal controls that an organization employs to protect the confidentiality, integrity, and availability of systems and data.
Information Security Monitoring
The observation of events and metrics in the technology environment, often through real-time data, to identify anomalous or suspicious behavior.
Information security performance
Outputs from tasks, such as effectiveness benchmarks, that show the state of the information security program.
Information Security Policy
The set of objectives, rules, and practices for information system access and use that safeguards minimum security and privacy requirements.
Information Security Requirements
The conditions or criteria the organization must achieve to meet objectives for protecting systems and data.
Information Spills
The transfer or release of information from a classified system to an unauthorized and/or unclassified system.
Information Technology
The processes and tools for developing and maintaining applications, software, and hardware, as well as storing, transmitting, and processing data.
Information types
Data with specific characteristics that can only be accessed by appropriate personnel.
Inherited
The quality of deriving something from something else, such as the inheritance of common controls for an organization that must apply to all systems.
Initial authenticator content
The actual content of the authenticator (such as an initial password).
Initial installation
When a software package or code deployment is first implemented.
Initial System Access
The first time a user is allowed to log into a system.
Input/Output Devices
Scanners, copiers, printers, or other devices that send information to a computer or produce information from computer data.
Insecure Communication Vulnerabilities
Weaknesses in an application due to the lack of encryption of communications traffic, such as the use of Hypertext Transfer Protocol (HTTP) instead of Hypertext Transfer Protocol Secure (HTTPS).
Insecure Cryptographic Storage Vulnerabilities
Weaknesses that occur when sensitive data is not stored securely, such as insecure key storage.
Insider threat
The potential for attacks and adverse events originating from personnel and sources inside the organization.
Insider Threats
The potential for attacks and adverse events that originate from personnel and sources inside the organization.
Institutionalize Relationships
To create formal processes that incorporate industry expertise into organizational practice, such as institutionalizing relationships with security groups and associations.
Integrate
To combine elements of one thing with another to create a new whole.
Integrated Incident Response Team
The group of organizational persons, teams, and divisions that are tasked with executing the Incident Response Plan (IRP).
Integration Testing
Testing individual software modules as a group.
Integrity
The state of being consistent and accurate, such as for data or a process.
Integrity Monitoring Tools
Mechanisms that check for unauthorized or unintended changes to systems or data.
Integrity Verification
The process of checking for unauthorized or unintended changes to something.
Integrity Verification Tools
Automated mechanisms that are used to detect unauthorized or unintended changes in systems or data.
Intended use
The planned manner of operating information technology.
Interception
The unauthorized capture or diversion of data or objects in transit, which may prevent them from reaching the intended destination.
Interconnection Security Agreements
Agreements governing how information is exchanged and processed between systems.
Interests
The concerns of a person or organization.
Interface Characteristics
The technical specifications of a mechanism that facilitate the exchange of information between two systems.
Interior Points
Destinations for communications or data that reside within a system's boundaries.
Internal cohesiveness
The degree to which all elements of a single task are contained in the software component.
Internal Composition
The material make-up of components or of open-source and proprietary code, including the version of the component at a given point in time.
Internal Source Address
A local Internet Protocol (IP) address assigned by a local network router.
Internal sources
People, processes, or tools within the organization.
Internal System Connections
Connections between organizational systems and separate constituent system components, such as connections with: mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers.
Internally defined
A term used to indicate that a specific concept has been agreed upon and documented by qualified personnel within the organization.
Internally Defined Frequency
The management-determined time interval at which an activity (for example, a control) is performed. Typically occurring continuously, daily, weekly, monthly, quarterly, annually, bi-annually, or within another specified time period.
Internally Defined Information Types
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.
Internally Defined Security Controls
The processes which the organization designs and implements to protect the confidentiality, availability, and integrity of systems and data.
Internally Defined Systems
A management-defined collection of specific sets of equipment, hardware, software, firmware, applications, databases, and other information technology assets that is managed and/or used by the organization to collect, maintain, use, share, disseminate, and dispose of information to achieve a specific set of functions.
Internally Specified
A descriptor indicating that a specific concept is documented or defined by organizational personnel.
Internally Structure
To arrange within a system.
Interpretation
An explanation or common format, such as an interpretation of security attributes that should be used across multiple systems (i.e., a designation for sensitive data).
Intrusion Detection
Programs and devices that monitor network and systems communications for malicious activity, and send alerts when such activity is detected.
Intrusion Detection Systems
Programs and devices that monitor network and systems communications for malicious activity, and send alerts when such activity is detected.
Intrusion Prevention
Programs and devices that monitor network and systems for malicious activity, and initiate defensive actions (such as denying traffic) when such activity is detected.
Invalid Logical Access Attempts
Failed attempts to log into a system.
Invalid logon attempts
Failed efforts to gain access to an information system, such as through the entry of invalid passwords.
Inventory logs
A detailed listing of the attributes of hardware, software, and/or other assets.
Investment Budget Cycles
The process an organization follows for proposing, requesting, and receiving funds for expenditure.
IP Address
A numerical address that identifies a device on a network; an Internet Protocol version 4 (IPv4) address is written as a string of four numbers separated by periods.
Isolate
To separate by geographical distance or configurations, such as isolating a virus-infected computer by disconnecting it from the network.
Isolation boundary
The partitions and domains that separate security functions from nonsecurity functions.
Isolation Valves
A water shutoff system in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting the entire organization.
Job classification
The category of role assigned to an employee or contractor.
Job Function
A specific role that is carried out by performing assigned tasks, duties, and responsibilities.
Joint Authorization Process
A process performed by multiple officials which formally grants permission for a system to operate.
Joint Controllers
Where two or more natural or legal persons, public authorities, agencies, or other bodies jointly determine the purposes and means of the processing of personal data.
Judicial Capacity
Within the bounds of a person or organization's role or abilities.
Judicial Remedy
A legal means of enforcing a right or imposing a penalty.
Key custodians
The personnel entrusted with secure key management.
Key-management processes and procedures
The detailed processes for securely exchanging, storing, rotating, and using cryptographic keys.
Keyed hash
An algorithm that combines a cryptographic key with a cryptographic hash function to create a message authentication code (MAC), so that the code can only be produced or verified by a party holding the key.
Keys
A piece of data (i.e., a string of numbers, letters, or numbers and letters combined) that can be used to cryptographically disguise or decode text.
Lawfulness of Processing
The quality of data processing which: has received consent from the data subject for one or more specific purposes; is necessary for the performance of a contract; is necessary for compliance with a legal obligation to which the controller is subject; is necessary to protect the vital interests of the data subject or another natural person; is necessary for the performance of a task carried out in the public interest; or is necessary for the purposes of legitimate interests pursued by a controller or third party.
Layered structure
The core functions of a system as they relate to security, including: application domain, application, temporal, distribution, data, and resource.
Learning capability
Bayesian filters that respond to user inputs that identify specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic.
Lease information
Information about the period for which a Dynamic Host Configuration Protocol (DHCP) server has assigned an Internet protocol (IP) address to a network device (e.g., when the lease was obtained and when it expires), after which the reservation lapses unless the device renews it.
Legal Basis
The legal reason or justification for something.
Legal Ground
The legal reason or justification for something.
Legal Requirements
Criteria or conditions that must be established to meet obligations under the law.
Legislative Measure
Terms embracing a legislative bill or other legislative matter.
Legitimate Interests
A concept in the General Data Protection Regulation (GDPR) wherein a condition indicates that data may be processed in a manner the data subject expects and that does not harm the individual (among other conditions), such as a company keeping potential candidate data beyond a retention period so that it may consider said candidate for future employment.
Lessons Learned
Insights gained for how to improve an exercise after it is performed, such as lessons learned after a contingency plan test.
Licensed software
Software whose use is governed by a legal instrument (a license) that dictates how an organization that obtains the software may install, use, copy, and redistribute it.
Lists
A documented description of two or more related items.
Literacy Training (Awareness)
A program for identifying workforce security and privacy training objectives, and implementing role-based, security-based, and skills-based training programs to support these objectives.
Local logging
Audit records that show events that have occurred on specific hardware and devices, such as specific servers and routers.
Log Events
Specific types of occurrences or incidents that take place in (and are recorded in) an information system, such as logon events.
Logged Privileged Commands
The audit records for commands that are used to make significant administrative changes to a system, such as commands that require sudo or root privileges.
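As an added example (not part of the Tentacle glossary), the following Python script parses the records that sudo writes to syslog and flags the privileged commands an analyst would want to review first: interactive root shells, denied attempts, and commands touching sensitive files. The log lines are constructed for this example, and the host name, user names, and triage rules are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample lines in the format sudo writes to syslog/auth.log.
# They are made up for this example and are not from any real system.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  4 09:15:33 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  4 09:16:10 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Mar  4 09:20:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Allowed records go straight to "TTY="; denied ones carry a reason first
# ("command not allowed", "3 incorrect password attempts", ...).
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed triage rules: a root shell hides everything run inside it from the
# sudo log, and these files control who gets privileges at all.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash",
          "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/zsh"}
SENSITIVE_FILES = ("/etc/sudoers", "/etc/shadow", "/etc/passwd")


def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the fields of one sudo record, or None if the line is not one."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["allowed"] = rec["reason"] is None
    rec["argv"] = rec["cmd"].split()
    return rec


def triage(lines: List[str]) -> List[dict]:
    """Flag the privileged-command records that deserve a closer look."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        binary = rec["argv"][0] if rec["argv"] else ""
        if not rec["allowed"]:
            findings.append({**rec, "severity": "high",
                             "finding": "denied: " + rec["reason"].strip()})
        elif binary in SHELLS:
            findings.append({**rec, "severity": "high",
                             "finding": "interactive shell as " + rec["target"]})
        elif any(path in rec["cmd"] for path in SENSITIVE_FILES):
            findings.append({**rec, "severity": "medium",
                             "finding": "command touches a sensitive file"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f['ts']} {f['host']} {f['user']} [{f['severity']}] {f['finding']}: {f['cmd']}")
```

The denied record is kept as a finding rather than discarded: a user probing for a way to edit the sudoers file is exactly the event that the audit of privileged commands exists to surface.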
Logging Capabilities
The functions of a system allowing the recording of audit trails.
Logical access
Entry to data and systems by digital means (e.g., logging on to an application or network service) rather than by physical means.
Logical Access Control
A framework for provisioning system privileges that allows users to create, view, read, modify, and/or delete information or settings (as opposed to physical access control, which concerns entry into facilities or locations).
Logical Control
A technical safeguard implemented in software or configuration, such as authentication, access control lists, encryption, or audit logging of the commands and arguments entered at a command line interface (CLI), as opposed to a physical or administrative control.
Logical separation
Separation enforced by configurations, as opposed to separation enforced by geographic location.
Logically
The quality of occurring as a result of digital configurations.
Logically Separate Subnetworks
A subdivision of a local area network (LAN) created by applying a subnet mask to the network's Internet Protocol (IP) addresses, so that hosts whose addresses share the masked network bits communicate directly while traffic to other subnets must pass through a router, where it can be filtered.
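An added example (not from the glossary) showing the mechanism in Python: a subnet mask zeroes the host bits of an address, two hosts are on the same subnet when the remaining network bits match, and a larger block can be carved into one subnet per security zone. The 10.0.0.0/16 block and the zone names are assumed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if both hosts fall in the same subnet.

    The mask keeps the network bits and zeroes the host bits; this is the
    test a host performs to decide whether a peer is reachable directly or
    only via the default gateway (i.e., a router that can filter the traffic).
    """
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (b & m)


def subnet_of(ip: str, mask: str) -> str:
    """Network an address belongs to, in CIDR notation (host bits cleared)."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))


def carve_zones(block: str, zones: List[str], new_prefix: int = 24) -> Dict[str, str]:
    """Split a larger block into one subnet per security zone, in order."""
    subnets = ipaddress.IPv4Network(block).subnets(new_prefix=new_prefix)
    plan = {zone: str(net) for zone, net in zip(zones, subnets)}
    if len(plan) != len(zones):
        raise ValueError("block is too small for the requested number of zones")
    return plan


def zone_for(ip: str, plan: Dict[str, str]) -> Optional[str]:
    """Which zone (if any) an address lands in under the carving plan."""
    addr = ipaddress.IPv4Address(ip)
    for zone, net in plan.items():
        if addr in ipaddress.IPv4Network(net):
            return zone
    return None


if __name__ == "__main__":
    plan = carve_zones("10.0.0.0/16", ["dmz", "app", "db"])  # assumed block and zones
    print(plan)
    print(same_subnet("10.0.1.10", "10.0.2.10", "255.255.255.0"))  # app and db: separated
```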
Logically Separated
Digitally separated using configurations and settings.
logically separated communications paths
Communications paths kept separate by configuration rather than by physical cabling, such as virtual LANs (VLANs), virtual private network (VPN) tunnels, or per-session encryption.
Logs
A digital or physical record of events that have occurred in a system or facility.
Lower layers
The lower level core functions of a system as they relate to security, including distribution, data, and resource -- as opposed to the higher layers, which include application domain, application, and temporal.
Machine-Readable Format
In a format that can be processed by a computer, such as a digital file.
machine-readable icons
Visual abstractions of concepts that can be interpreted by a computer (such as a picture indicating what type of data a website collects).
Maintain
To keep a document, system, or configuration aligned with required standards.
Maintaining Currency
Keeping something up to date, such as bringing organizational practices in line with industry standards.
Maintenance
The tasks performed on hardware, equipment, software, and other services to keep them in working order and/or aligned with required standards.
Maintenance activities
The tasks performed on hardware, equipment, software, and other services that keep them in working order.
Maintenance controls
The processes followed for securely conducting repairs, implementing updates, and keeping equipment, software, and other components in working order.
Maintenance personnel
The people tasked with keeping a document, system, hardware, equipment, facility, and/or configuration aligned with required standards.
Maintenance policy
The high-level rules and requirements for maintaining relevant hardware and software throughout the organization; the detailed steps are defined in the maintenance procedures.
Maintenance procedures
The detailed processes for keeping the organization's equipment in reliable working order.
Maintenance records
The audit trail of maintenance activities performed for a system component or facility.
Maintenance tools
The devices, software, or applications used to perform tasks on hardware, equipment, software, and other services to keep them in working order.
Malicious code
A harmful written program that, when executed, can negatively impact an organization's assets, resources, and/or personnel.
Malicious code augmentation
The progressively larger negative impact and operation (such as lateral movement) of malicious code intended to harm the organization.
Malicious Websites
A website designed to harm its visitors, for example by delivering malware to computers that visit it, harvesting credentials through phishing pages, or exploiting browser vulnerabilities.
Malware Detection Events
The identification of malware in the operating environment.
Managed Interfaces
Devices that protect system and network boundaries, such as: firewalls, routers, gateways, guards, network-based malicious code analyses, virtualization systems, or encrypted tunnels.
Management Activities
The tasks performed by those supervising the organization's day-to-day operations.
Management Commitment
The expressed understanding and agreement by an organization's management to support and achieve specific goals and/or milestones.
Management Requirements
The criteria or conditions that must be met by those supervising the organization's day-to-day operations.
Mandatory access control policy
A system for provisioning privileges and allowing users to create, view, read, modify, and/or delete information based on an automated mechanism that examines the appropriateness of these requests with respect to organizational guidelines -- for example, a request by a user to access sensitive data in a database that is denied due to ineligibility to view that specific data.
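An added example, not from the glossary, of a mandatory access control decision in Python using the Bell-LaPadula rules: a subject may read an object only if the subject's label dominates the object's (no read up) and may write only if the object's label dominates the subject's (no write down). The level names and compartments are assumed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels, lowest to highest (assumed labels for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_permits(subject: Label, obj: Label, action: str) -> bool:
    """Mandatory policy: the outcome depends only on the two labels, never on
    who owns the object or what the user asks for."""
    if action == "read":
        return subject.dominates(obj)      # simple security property: no read up
    if action == "write":
        return obj.dominates(subject)      # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


def access_decision(subject: Label, obj: Label, action: str, dac_allows: bool) -> bool:
    """MAC is evaluated alongside discretionary access control (DAC); both must
    permit. An owner granting access cannot override the mandatory policy."""
    return dac_allows and mac_permits(subject, obj, action)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    print(mac_permits(analyst, Label("TOP SECRET"), "read"))   # False: read up denied
    print(mac_permits(analyst, Label("CONFIDENTIAL"), "write"))  # False: write down denied
```

Note that a write to a TOP SECRET object with no compartments is also denied: the subject's CRYPTO compartment would leak into an object not marked for it, which is why dominance checks compartments as well as levels.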
Manifestly Unfounded
Obviously not justified.
Manipulative Communications Deception
Disguise of the true nature of malicious communications through false traffic levels, false traffic peaks, traffic padding, routing, and other methods.
Manual clear-text
The direct management, by personnel, of a cryptographic key's clear-text string.
Manually
Performed by a human without automated tools or systems.
Mark
To label something, such as labeling distribution limitations, handling caveats, and applicable security markings of information for media.
Marking
The labeling of something, such as labeling distribution limitations, handling caveats, and applicable security markings of information for media.
Master Build Data
Hardware drawings and software/firmware code that describe and support the current version of security-relevant hardware, software, and firmware.
Master Copies
The original version of something, from which copies can be made.
Master Shutoff
A mechanism, such as a master water shutoff valve, that cuts off a supply (e.g., water) to an entire area or facility.
Matching program
A program where one organization queries and/or uses the information of another organization to complete a process that requires such information -- typically from federal benefits, federal payroll, or federal personnel programs.
Mean Time To Failure
The predicted elapsed time between inherent failures of a system or device during normal operations.
Measures
The estimation of quantitative units of something, such as performance or uptime measures.
measures of performance
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of its information security and privacy programs and the controls employed in support of these programs.
Mechanisms
Standardized manual or automated processes in the technology and/or overall information security system/environment.
Media
A device that can store data in magnetic, optical, or solid state format (such as an external hard drive, flash drive, tape, or disk).
Media access
Access to a device that can store data in magnetic, optical, or solid state format (e.g., an external hard drive, flash drive, tape, or disk).
Media protection policy
Guidance on securely handling, transporting, and storing media.
Media protection procedures
The detailed processes for securely labeling, handling, transporting, and storing media.
Member State Law
The laws of a country that is a Member State of the European Union (EU) or the European Economic Area (EEA).
Member States
The nations that are part of the European Union (EU).
Memoranda of Agreements
A written agreement between multiple parties that outlines a common approach to a program, initiative, or technology.
Memoranda of Understanding or Agreement
A written agreement between multiple parties that outlines a common approach to a program, initiative, or technology.
Methods
An approach to performing a process to achieve a specific outcome.
Metrics
The estimation of quantitative units of something, such as performance or uptime measures.
Microsegmentation
The practice of further dividing a network by creating zones to isolate and secure functions and devices.
Milestones
Specific points in time at which a specific achievement is reached.
Minimum privileges
The concept of only granting the minimum system privileges that are required to complete assigned job duties.
Mission
The central purpose of a company, government entity, or other organization.
Mission/Business Process Level
Written in a manner that addresses organizational missions or business processes.
Mobile Code Technologies
Any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system, such as Java applets, JavaScript, HTML5, WebGL, and VBScript.
Modification
A change made to an existing configuration, system account, document, or other item.
Modify
To change something, such as changing access permissions or configuration settings.
Monitor
To observe (and keep track of) events and metrics in the technology environment.
Monitoring of Compliance
To carefully observe whether events and activities adhere to a given set of requirements.
Monitoring of Metrics
The continuous observation of the quantitative units of something in order to assess performance and evaluate security (such as number of systems with known vulnerabilities).
Monitoring Programs
The set of related activities used to observe security events and performance indicators over time.
Monitoring Strategy
A plan for observing various types of events and metrics in the technology environment, such as a risk monitoring or log monitoring roadmap.
Multifactor Authentication
A process for verifying the identity of a user before granting access to systems or data that requires two or more forms of verification from different categories: something a user knows (such as a password), something a user has (such as a security card or one-time-code generator), and something a user is (such as biometric data). Two forms from the same category (e.g., a password and a security question) do not constitute multifactor authentication.
Name
The identifying title of an entity, often referring to domain names or host names, such as the name of a website or server.
National Emissions Security Policies
Emission Security (EMSEC) policies that provide guidance on controlling unintentional electromagnetic or acoustic emanations from equipment that could disclose information, such as the TEMPEST standards.
National Information Assurance Partnership
A United States (US) government organization, managed by the National Security Agency (NSA), that oversees Common Criteria evaluation and validation of commercial information technology products intended for use in systems that handle sensitive data.
Nature
The inherent characteristics or quality of something.
Need-to-know
The principle that access to information is granted only to those whose duties require it, even when they hold a clearance or role that would otherwise permit access.
Neighboring systems
Any system that is accessible from another system -- for example: a workstation that can be accessed from another system due to a command allowing a remote connection to another machine in the domain.
Netflow
A Cisco-originated protocol and router/switch feature that summarizes the IP traffic entering and leaving an interface into flow records (source and destination addresses, ports, protocol, and byte and packet counts) and exports them to a collector for monitoring and analysis.
Network
A collection of equipment, hardware, software, and/or applications enabled to exchange information over a communication channel.
Network Boundaries
The logical edge of a network: the set of machines and devices connected by a local area network (LAN) or other network, beyond which a device outside the network cannot be contacted except through a controlled interface such as a firewall or gateway.
Network connection termination
The end of a session with a network.
Network Jacks
A physical Ethernet port (e.g., an RJ45 wall or patch-panel socket) that provides a connection point to the wired network.
Network Packets
The blocks of data -- including a header, a source address, and a destination address -- that are sent and received by computers, servers, routers, and other equipment over a digital communication link (such as a network).
Network Perimeters
The devices within control of the organization that support its internal networks and Demilitarized Zones (DMZs).
Network security policy
Guidance for securely architecting, configuring, accessing, and using technology resources on the network.
Network services
Applications that allow data to be communicated, manipulated, and presented across a network.
Network Traffic
The packets of data -- including a header, a source address, and a destination address -- sent and received by computers, servers, routers, and other equipment over a digital communication link (such as a network).
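An added example (not from the glossary) that parses and validates the header of an IPv4 network packet in Python, extracting the source and destination addresses, protocol, and flags the definition refers to and verifying the header checksum, which is how a receiver detects a corrupted or tampered header. The packet is constructed inline for the example; the addresses are from the 10.0.0.0/8 private range and the RFC 5737 documentation range.

```python
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: ones-complement of the ones-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int = 6, payload_len: int = 20,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Construct a minimal 20-byte header (DF set, no options) with a valid checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, protocol, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header, validate lengths, and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("invalid header length")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, str(proto)),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "header_len": ihl,
        "total_len": total_len,
        # Summing the header including the stored checksum must give zero.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


if __name__ == "__main__":
    # Constructed packet: 20-byte header followed by 20 zero bytes standing in for a TCP header.
    pkt = build_ipv4_header("10.0.0.5", "198.51.100.7") + b"\x00" * 20
    info = parse_ipv4(pkt)
    print(info["src"], "->", info["dst"], info["protocol_name"], "checksum_ok:", info["checksum_ok"])
```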
Network Vulnerability Scanning Tools
Automated tools that probe hosts, services, and configurations on a network for known vulnerabilities and weaknesses, typically by version fingerprinting and signature checks; findings should be validated, since a reported weakness is not always exploitable.
NIST-Compliant
Adhering to National Institute of Standards and Technology (NIST) guidelines.
Non-administrative activities
Standard use of systems that does not include provisioning users, managing security settings, modifying job schedules, or other administrative tasks.
non-console administrative
Administrative access that occurs over a network interface rather than through a direct, physical connection (such as a console cable or attached keyboard) to the system component.
Non-Console Administrative Access
All administrative access to system components that occurs over a network interface, whether from internal or external networks, rather than through a direct, physical connection; the Payment Card Industry Data Security Standard (PCI DSS) requires that such access be encrypted.
Non-destructive
The quality of not damaging or destroying the media or device being acted on; for example, data erasure, cryptographic erasure, and data masking are non-destructive sanitization techniques, whereas shredding or incineration are destructive.
Non-digital media
Any object that stores information that is not in a digital format, such as paper documents or microfilm.
Non-local Maintenance
The remote tasks -- performed from a geographical distance on hardware, equipment, software, and other services -- that keep them in working order.
Non-National Security Systems
Information systems that are not designated National Security Systems (NSS).
Non-Releasable
Something that cannot be disclosed outside of the organization.
Non-security functions
Standard use of systems -- such as browsing, viewing information, pulling reports, or other tasks -- that does not include provisioning users, managing security settings, modifying job schedules, or other administrative tasks.
Non-Solicitation Agreement
This agreement establishes binding contractual obligations for one or more parties with respect to business practices with other parties, specifically the prohibition of a former employee approaching a former employer's clients for business purposes.
Nondisclosure agreement
This agreement establishes binding contractual obligations for one or more parties with respect to the release of information to other parties.
Nondisclosure Agreements
Agreements that establish binding contractual obligations for one or more parties with respect to the release of information to other parties.
Nontechnical Sources
Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets.
Normalized Format
A format determined by the organization to be the standard in order to better identify and protect data (such as converting all Social Security Numbers [SSNs] with dashes into a single string of numbers to facilitate encryption).
Notice
A written communication to a system user that typically discloses conditions for user access, data collection practices, privacy practices, and/or monitoring practices.
Notice of "proofing"
A communication to a user that their identity, as well as associated data (such as address), is being or has been verified.
Notification
A communication, typically to a system user, administrator, or data subject.
NSA
The National Security Agency, a United States intelligence organization that collects and analyzes data to assist the security posture of the nation, and releases approved products complying with specific security requirements.
NSA Approved
Products that have been reviewed and approved for appropriateness by the National Security Agency (NSA), a United States (US) government agency established in 1952 that protects national security.
Object Code
Code that has been translated from source code into machine language by a compiler.
Objectives
A set of specific, actionable targets that the organization seeks to achieve within a defined time frame.
Objects
A resource that a user or process can access and/or process (e.g., data, data attributes, or data characteristics).
Off-load
To transfer to another area of responsibility or location, such as off-load of audit logs from a system with limited audit log storage capacity to an alternate storage system for retention purposes.
Official
An individual within an organization (at any level or function) that has been authorized to make key decisions and/or approvals related to the organization's information security program.
Official Authority
A person of power within an organization; or, processes, activities, and responsibilities authorized by such a person or group of persons.
Offline
Not connected to a network.
OMB
The United States Office of Management and Budget (OMB), an office within the Executive Office of the President of the United States which prepares the President's Budget (PB).
On-site
Occurring at an organizational facility (instead of occurring, for example, at a third-party facility).
One-Way Hashes
A mathematical function that maps input data of any length to a fixed-length digest such that the original input cannot feasibly be recovered from the output (preimage resistance) and two inputs with the same output cannot feasibly be found (collision resistance); for example, SHA-256. Older algorithms such as the MD5 message-digest algorithm and SHA-1 are no longer considered secure for this purpose because practical collisions have been demonstrated.
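An added example (not from the glossary) in Python contrasting a one-way hash with a keyed hash, which also illustrates the Keyed hash entry above: SHA-256 gives a fixed-length digest that changes unpredictably with the input, but anyone can recompute it, so a plain digest stored beside a message does not authenticate the message; an HMAC tag can only be produced or checked by holders of the key. The messages and key are constructed for the example.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> str:
    """One-way hash: fixed 32-byte (64 hex character) output for any input length."""
    return hashlib.sha256(data).hexdigest()


def bits_differing(hex_a: str, hex_b: str) -> int:
    """Number of output bits that differ between two digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def check_unkeyed(message: bytes, stored_digest: str) -> bool:
    """Integrity check with a plain hash. This catches accidental corruption only:
    an attacker who alters the message simply recomputes and stores a new digest."""
    return hmac.compare_digest(digest(message), stored_digest)


def make_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): the tag depends on both the secret key and the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time so timing does not reveal how many
    leading bytes of a forged tag were correct."""
    return hmac.compare_digest(make_tag(key, message), tag)


def new_key(length: int = 32) -> bytes:
    """Fresh random key; HMAC keys should be at least the hash output size."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    key = new_key()
    msg = b"amount=100&to=alice"                     # constructed message
    tag = make_tag(key, msg)
    print("digest(abc) =", digest(b"abc"))
    print("tag verifies:", verify_tag(key, msg, tag))
    print("tampered verifies:", verify_tag(key, b"amount=900&to=alice", tag))
```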
One-Way Information Flows
A unidirectional network, unidirectional security gateway, or data diode that is used to prevent data from being exported from a higher impact or classified domain/system while permitting data from a lower impact or unclassified domain/system to be imported.
Onsite Personnel
Individuals who typically conduct day-to-day duties at the organization's facilities.
Open-Source Information
Information that is publicly available, such as content on social networking sites, code-sharing sites, and research repositories.
Open-Source Software
Software that is publicly accessible and can be viewed, modified, or distributed by the general public.
Operation
The application of resources, such as personnel or systems, to achieve objectives.
Operational Baseline Configuration
The approved versions of the items that are deployed and configured in the operating environment, such as hardware settings, application and software versions, network device settings, and other agreed-upon configurations.
Operational Environment
The people, processes, and technology that support the organization's activities.
Operational Needs
The mission or business requirements that justify granting particular access, for example system account access with administrative privileges such as disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Operational Procedures
A set of documented and mandatory activities that supports business processes.
Operator activities
The activities of a standard user in an information system.
Organization
A person or group of persons, often defined through a formal legal structure, that shares and works toward an established purpose.
Organization Defined
Indicating that a specific concept is documented or determined by organizational personnel.
Organization Level
Written in a manner that addresses organizational processes.
Organization-Controlled Portable Storage Devices
Any data storage device -- i.e., something that can be inserted into or taken out of a system, such as flash drives, external hard drives, magnetic devices, smart phones, etc. -- that is managed or recorded by the organization.
Organization-defined conditions
Circumstances defined by the organization.
Organization-Defined Tools
The devices, software, or applications which the organization has chosen to perform automated processes or achieve a specific result.
Organization-Level
The quality of applying to or being relevant to an entire group with a common purpose or legal structure (e.g., an organizational-level policy).
Organization-Wide Perspective
A viewpoint that is informed by integrating observations from across the organization.
Organizational Assets
Any person, group of people, process, or technologies that can provide the organization value at a future point in time.
Organizational Changes
Reorganizations, acquisitions, personnel transfers, or other significant modifications to or within the organization.
Organizational Credentials
System privileges, badges, or other items allowing authentication to systems or facilities.
Organizational Data Ownership Requirements
Conditions about which party owns data, as written in a contract agreement.
Organizational Elements
Groups, divisions, or roles within an organization.
Organizational Entities
A specific sub-group within a group of persons that share a common purpose, such as different departments or teams within a company.
Organizational information
Data or information belonging to a person or group of persons that share a common purpose, such as proprietary data.
Organizational Mission
The central purpose of an organization.
Organizational Policies and Procedures
The high-level rules and objectives for the organization (policies), as well as the detailed processes that implement these rules and objectives (procedures).
Organizational requirements
The detailed criteria that must be followed to meet the objectives of a particular group or legal entity serving a common purpose.
Organizational Resources
Anything having value to the organization, such as funding, technology assets, and people.
Organizational Risk
The potential for harm to the organization's operations, assets, or individuals arising from threats that could exploit vulnerabilities in its information systems, taking into account both the likelihood and the impact of such events.
Organizational Risk Management Strategy
Organizational goals for identifying: threats and vulnerabilities to the organization; risk appetite; tools to identify and control risk; measurement; reporting methods; appropriate controls; and methods to respond to risk.
Organizational Security Measures
Mechanisms to ensure security and privacy, and that demonstrate compliance.
Organizational Security Policy
Guidance on information system access and use that safeguards minimum security and privacy requirements.
Organizational systems
The collection of specific sets of equipment, hardware, software, firmware, applications, databases, and other information technology assets that are managed and/or used by the organization to collect, maintain, use, share, disseminate, and dispose of information to achieve a specific set of functions.
Out Of Scope
Outside of the boundaries of a concept that is applicable to something, such as a system that is out-of-scope for PCI DSS requirements.
Out-Of-Band
Over a channel separate from the one currently in use -- for example, communicating by telephone the password to an encrypted file that was sent by email, so that an attacker who intercepts one channel does not obtain both the file and the password.
Out-of-band channel
A communications channel separate from the one currently in use, such as a telephone call used to deliver the password or verification code for something sent by email.
Out-of-band channels
Communications channels separate from the one currently in use, such as a telephone call used to deliver the password or verification code for something sent by email.
outbound communications traffic
Requests originating from inside the network that are intended to be sent outside the network.
Output Devices
Equipment that translates raw data that cannot be read, viewed, or heard into a consumable format (e.g., printers, speakers, projectors, sound and video cards, etc).
Outsourced Processes
Services that are performed by vendors or external providers.
overlays
A specific selection of controls based on special circumstances, such as the sensitivity of an information system.
Pairwise pseudonymous identifiers
An opaque, unguessable subscriber identifier generated by an identity provider for use at a specific individual relying party.
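An added example (not from the glossary) of deriving pairwise pseudonymous identifiers in Python: the identity provider keys an HMAC with a secret only it holds and derives a separate, stable identifier for each subject and relying party, so two relying parties cannot correlate the same user by comparing the identifiers they received. The secret, subject IDs, and sector identifiers are assumed.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional


def pairwise_subject_id(idp_secret: bytes, subject: str, sector_identifier: str) -> str:
    """Opaque per-relying-party identifier.

    HMAC-SHA256(idp_secret, subject || 0x00 || sector_identifier), base64url
    encoded without padding. Without the secret nobody can compute the value,
    and because HMAC is one-way the relying party cannot recover the internal
    subject id from it. The sector identifier (e.g. the RP's host name) is
    normalized so the same RP always receives the same value.
    """
    rp = sector_identifier.strip().lower()
    message = subject.encode("utf-8") + b"\x00" + rp.encode("utf-8")
    raw = hmac.new(idp_secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def lookup_subject(idp_secret: bytes, ppid: str, sector_identifier: str,
                   subjects: Iterable[str]) -> Optional[str]:
    """Even the identity provider maps an identifier back to an account only by
    recomputing over its own subject list (e.g. when an RP reports abuse)."""
    for subject in subjects:
        candidate = pairwise_subject_id(idp_secret, subject, sector_identifier)
        if hmac.compare_digest(candidate, ppid):
            return subject
    return None


if __name__ == "__main__":
    K = b"idp-secret-for-example-only-0123456789"  # assumed IdP secret
    print(pairwise_subject_id(K, "user-42", "shop.example"))
    print(pairwise_subject_id(K, "user-42", "bank.example"))
```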
Parse
The transformation of data from one format to another, often the transformation of unstructured and/or unreadable data into structured and readable data.
Passive Discovery Tool
An application or software that passively listens to communications across the network to identify technology assets.
Password managers
A tool used to manage the complexity, uniqueness, and storage of passwords by generating and storing strong and different passwords for various accounts.
Password reuse
Use of the same password for more than one account or system, or re-use of a previous password after expiration or reset; either practice extends the impact of a single credential compromise.
Patch Management Tools
Automated mechanisms to identify and apply code or updates released by a vendor to the required hardware, software, databases, or applications.
Patches
Code or updates released by a vendor which are deployed to update the functionality and security of software or applications.
Payment Brands
The card brands (e.g., Visa, Mastercard, American Express, Discover, and JCB) that founded the Payment Card Industry Security Standards Council and enforce the Payment Card Industry Data Security Standard (PCI DSS) through their compliance programs.
Payment Card Industry Security Standards
The standards published by the Payment Card Industry Security Standards Council, principally the Payment Card Industry Data Security Standard (PCI DSS), a framework of requirements for companies that process, transmit, or store cardholder data.
PCI DSS
The Payment Card Industry Data Security Standard, a set of standard practices required for organizations that transmit, store, or process credit card data.
PCI DSS Compliance Responsibilities
The job duties to implement the Payment Card Industry Data Security Standard (PCI DSS), which is a set of rules governing how companies who transmit, process, or store credit card information must operate and perform activities to achieve minimum security objectives.
PCI-DSS
The Payment Card Industry Data Security Standard, a set of standard practices required for organizations that transmit, store, or process credit card data.
PCI-DSS training
A formal program to increase the knowledge and skills of personnel with respect to PCI DSS responsibilities.
Penetration Testing
The practice of performing or outsourcing periodic, simulated cyberattacks on the organization's systems to identify security weaknesses in the system.
Penetration Testing Agent
A person who performs periodic, simulated cyberattacks on the organization's systems to identify security weaknesses in the system.
Perceived risks
The potential threats and vulnerabilities that an organization anticipates may arise.
Performance
The process of carrying out a task or activity in accordance with requirements.
Perimeter Firewalls
A firewall placed between the public and private networks.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (as defined in the General Data Protection Regulation (GDPR)).
Personal Identity Verification
Pursuant to United States (US) Federal Information Processing Standard 201 (FIPS 201), which covers identity proofing and enrollment activities to issue a card that verifies personal identity.
Personal Identity Verification-Compliant
Pursuant to United States (US) Federal Information Processing Standard 201 (FIPS 201), which covers identity proofing and enrollment activities to issue a card that verifies personal identity.
Personally Identifiable Information
Any information that can directly or indirectly identify a person, such as: birth location/date; Social Security Number (SSN); family names; biometric data; medical records; criminal history; employment performance; financial information; bank account/credit card numbers; or other relevant identifiers.
Personally Identifiable Information (PII)
Any information that can directly or indirectly identify a person, such as: birth location/date; Social Security Number (SSN); family names; biometric data; medical records; criminal history; employment performance; financial information; bank account/credit card numbers; or other relevant identifiers.
Personally identifiable information processing and transparency controls
The processes used to safeguard personally identifiable information (PII), as well as notify subjects to whom the data pertains of specific actions with respect to this data.
Personally identifiable information processing and transparency policy
The policy stipulating the processing and transparency parameters regarding any information that can directly or indirectly identify a person, such as: birth location/date; Social Security Number (SSN); family names; biometric data; medical records; criminal history; employment performance; financial information; bank account/credit card numbers; or other relevant identifiers.
Personally identifiable information processing and transparency procedures
The processes used to safeguard personally identifiable information (PII), as well as notify subjects to whom the data pertains of specific actions with respect to this data.
Personnel
The people employed or contracted by an organization to perform specific job duties.
Personnel competence
The state of a person's skills and knowledge being adequate to complete job duties.
Personnel Screening Criteria
The standards for evaluating the background, behavior, and suitability of employment candidates or current employees.
Personnel Security (Policy)
Guidance for performing employee and contractor background checks, and evaluating onboarding, asset provisioning, and asset deprovisioning.
Personnel Security Procedures
The detailed processes for performing employee and contractor background checks, evaluating onboarding, asset provisioning, and asset deprovisioning.
Phishing
A form of social engineering where a malicious actor pretends to be a legitimate person or organization, often using email, to fraudulently obtain information.
Phone Scams
A form of social engineering where a malicious actor pretends to be a legitimate person or organization, often using phone communications, to fraudulently obtain information.
Physical Access
The ability to enter or gain entrance to a specific building or site in a geographic location, such as an office or a server room.
Physical Access Audit Logs
The documentation showing a history of visitors who have requested access to and/or accessed a facility or secure area, as well as important visitor information such as affiliated organization and point of contact within the organization.
Physical Access Authorizations
The formal records granting permission to enter a facility or secure area.
Physical Access Privileges
The permissions granted to personnel for entrance to facilities or secured areas, such as privileges to enter certain buildings without an escort.
Physical Access Restriction Mechanisms
Physical security controls for managing access to facilities (e.g., visitor areas, locked doors, guards, turnstiles, etc.).
Physical Audit Trail
A notation, typically in paper form, of information recorded for visitors to a facility, such as: visitor name, date of visit, visitor organization, person visited, and visitor time in/out.
Physical Barriers
Any object that prevents a person or vehicle from entering an area (e.g., walls, fences, bollards, turnstiles, gates, etc.).
Physical Connections
Any shared spaces or shared components of systems that may pose a risk to different security requirements (e.g., shared data centers, wiring closets, and cable distribution paths).
Physical Control
A process and/or tool designed and implemented to achieve a physical security objective (e.g., fences, barriers, visitor entrance areas, locked doors, camera systems, guards, alarms, or other mechanisms).
Physical Intrusion Alarms
Devices that alert security personnel when unauthorized access to the facility is attempted (e.g., motion sensors, contact sensors, and broken glass sensors).
Physical Protection
A method of defending a physical object from tampering, theft, modification, or damage.
Physical Security
The practice of controlling physical access to facilities, facility perimeters, secure areas, and resources through: surveillance, ingress and egress control, personnel and visitor records, access badges, and monitoring.
Physical security controls
Processes for managing access to facilities (e.g., visitor areas, locked doors, guards, turnstiles, etc.).
Physical Security Reviews
Reviews of physical access logs to identify suspicious activity, anomalous events, or potential threats.
Physically
Of or relating to tangible objects that require management or reside within a specific and defined geographical location.
Physically Separate Subnetworks
Subdivisions of a local area network (LAN) that are separated by managed interfaces, such as separate routers.
Physically Separated
In different physical locations.
Physically Separated Communications Paths
Use of separate devices or machines for separate sessions.
Plan of Action and Milestones
A document that identifies tasks that need to be accomplished (often remediation items to address control deficiencies), the resources to accomplish them, the milestones for achieving the tasks, and scheduled completion dates for these milestones.
Planning controls
The processes designed to meet the organization's objectives for funding, designing, implementing, and deploying systems that meet privacy and security requirements.
Planning procedures
Detailed processes on how the organization: plans for, budgets for, develops, tests, deploys, and implements security controls; assesses compliance; and measures the performance of its technology environment and the supporting workforce.
Point-Of-Sale
The place where a product or service is purchased and a payment transaction is completed.
Policies
A set of documented objectives, rules, and practices that outline required actions for the organization.
Policy
A set of documented and mandatory objectives, rules, and practices that outlines required actions for the organization.
Policy and Supporting Security Measures
A set of high-level objectives and tactical techniques.
Polling techniques
Techniques that identify potential faults, compromises, or errors in distributed processing and storage components by comparing the processing results and/or storage content across the distributed components and subsequently voting on the outcomes.
Port Scans
A process that sends network requests to connect to ports on a host and records the response to determine which ports are open. (Note: ports align to specific protocols and services.)
Port-Filtering Tools
Mechanisms that block or allow network packets into or out of a device or network based on port number.
Port Level Access Control
An authentication protocol that blocks unauthorized clients from connecting to a local area network (LAN) through publicly accessible ports.
Portable storage devices
Any data storage device that can be inserted into or taken out of a system (e.g., flash drives, external hard drives, magnetic devices, smart phones, etc.).
Ports
The identifier (often a commonly used number) that serves as both a source and destination for routing communication protocols for specific processes between devices, such as port 443 for Hypertext Transfer Protocol Secure (HTTPS) communications.
POS POI Terminals
The initial point from which data is read from a credit card when a product or service is purchased and a payment transaction is completed.
Position assignments
The job duties designated to an individual.
Post-Design Stages
Phases of the configuration management process that occur after the design and approval of technology requirements.
Post-employment requirements
Binding requirements that an employee must uphold after departure from the organization, such as a non-compete or non-disclosure agreement.
Power Outage
An interruption of electrical power, resulting in loss of data equipment functionality.
Power Supplies
Devices that provide or produce electrical power.
Practical exercises
Exercises for teaching security tactics, which may include: social engineering attempts to obtain information; attempts to gain unauthorized access; the simulation of malicious email and web attacks; and/or other types of exercises.
Predetermined conditions
Criteria established ahead of time.
Presentation attack detection
Mechanisms that mitigate the risk of hacking biometric-based authentication by making it difficult to produce artifacts intended to defeat the biometric sensor, such as liveness detection.
Preventive maintenance
The proactive care and servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition, such as systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects.
Previous Versions
The versions of software or applications that were applied to systems before the current version.
Primary Account Numbers
The 14-, 15-, or 16-digit number on the front of a credit card that identifies the funding account and the card issuer, and is used for the routing of a payment transaction.
Primary Account Numbers (PAN)
The 14-, 15-, or 16-digit number on the front of a credit card that identifies the funding account and the card issuer, and is used for the routing of a payment transaction.
Primary function
The main function of a system component, such as servers that perform separate primary functions like web servers, database servers, and Domain Name System (DNS) servers.
Prime Contractors
Vendors that have a direct contract agreement with a government or organization (as opposed to a subcontractor).
Principle of least privilege
The concept of only granting the minimum system privileges that are required to complete assigned job duties.
Printable characters
Alphanumeric characters and special characters.
Prioritize
To create a hierarchy of importance, such as prioritizing the remediation of a critical-severity vulnerability over a low-severity one.
Privacy Act
A 1974 United States federal law that governs how personally identifiable information (PII) must be collected, maintained, used, and communicated by federal agencies.
Privacy Architecture
A National Institute of Standards and Technology (NIST) term that includes the following: an architectural description; the allocation of security and privacy functionality (including controls); security- and privacy-related information for external interfaces; information that is exchanged across the interfaces; and the protection mechanisms associated with each interface.
Privacy attributes
The basic properties or characteristics of data or information that assist the organization in classifying and managing personally identifiable information.
Privacy Compliance Checks
Verification of the baseline configuration settings that support privacy requirements.
Privacy Engineering Principles
The technical concepts used to design systems that meet privacy requirements.
Privacy Functions
The capabilities developed to conduct privacy-related tasks or protect privacy-related information (e.g., a data collection function).
Privacy Impact Assessments
A formal process that evaluates privacy risks of changes to the operating environment.
Privacy incidents
Events that negatively impact the organization's ability to protect personally identifiable information (PII) and personal data, such as a data breach.
Privacy Measures of Performance
Outcome-based metrics used by an organization to measure its privacy program's effectiveness or efficiency, as well as the controls employed in support of this program.
Privacy Mechanisms
Tools that support privacy controls and requirements.
Privacy Personnel
Individuals that have assigned job duties for managing privacy program requirements.
Privacy Plan
The roadmap to achieve privacy program objectives through a description of privacy roles, responsibilities, requirements, compliance, and coordination between groups.
Privacy Policies
Policies that provide guidance on protecting both personal data and personally identifiable information (PII), as well as guidance on communicating with and processing the requests of subjects to whom personal information pertains.
Privacy policy filters
Hardware settings or software that performs content verification to ensure that the organization complies with rules for accessing and transmitting privacy-related data such as personally identifiable information (PII).
Privacy Principle of Minimization
A principle dictating that only the minimum amount of personally identifiable information (PII) -- which is directly relevant and necessary to accomplish an authorized purpose -- should be collected and maintained, and should only be maintained for as long as is necessary to accomplish its purpose.
Privacy Requirements
The detailed criteria for behaviors and system functionality the organization must follow to comply with internal and external controls and processes that safeguard personal data and personally identifiable information.
Privacy Risk Assessment
A formal evaluation of threats to and vulnerabilities of systems and processes that support privacy requirements, as well as methods to address these risks.
Privacy risks
The threats to and vulnerabilities of systems and processes that support privacy requirements.
Privacy Roles
Positions within an organization that require specific responsibilities and skills for protecting privacy.
Privacy Tracking Tools
Automated mechanisms for tracking privacy requirements during the development process.
Private IP Addresses
Internet Protocol (IP) addresses that identify devices in the internal network.
Private key
A piece of data (e.g., a string of numbers, letters, or numbers and letters combined) known only to its owner that can be used to cryptographically encrypt (disguise) or decrypt readable text.
Privilege levels
A point on a scale of privilege elevation.
Privileged Access
System access with administrative privileges -- such as privileges to make changes to the system, change security settings, and add system accounts.
Privileged access rights
System access with administrative privileges -- such as privileges to make changes to the system, change security settings, and add system accounts.
Privileged Account Access
System account access with administrative privileges, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Privileged accounts
System accounts with administrative privileges, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Privileged Administrators
Organizational personnel who have system account access with administrative privileges, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Privileged commands
System commands not enabled for a standard user that allow a user to make significant administrative changes to a system, such as commands that require sudo or root privileges.
Privileged functions
System capabilities that are enabled using administrative privileges, such as: disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Privileged system administration
System accounts with administrative privileges, such as: privileges for disabling, overriding, circumventing, or modifying security or privacy controls; creating or changing privileges for system accounts; performing system integrity checks; and administering cryptographic key management activities.
Problem Management Policy
Guidance on all approved procedures to be used when handling service disruptions to technology operations.
Problem Management Procedures
The detailed processes used to address incidents affecting systems, such as help desk ticket procedures.
Procedures
A set of documented processes that defines the personnel responsible for tasks and outlines the detailed activities for implementing organizational policies.
Process gaps
The difference between a current state and a desired state.
Process isolation
Limiting the access of potentially untrusted software to other system resources by maintaining separate execution domains for each executing process, by way of separate address spaces for each process (such as the use of sandboxing or virtualization).
Processed
The quality of having an operative task performed on something to achieve a specific result, such as data processed by extraction for migration to another database.
Processes for termination
The practices followed by human resources and assisting employees when an employee is terminated (such as notifying the employee, requesting equipment, etc.).
Processing
The performance of specific operations to achieve a specific result.
Processing domains
The processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects (such as through domain and type enforcement).
Processing Exception
Any method for performing an operation on data that does not meet processing requirements, such as a processing exception in a system for personally identifiable information (PII).
Processing Permissions
The requirements for how a certain type of data can be processed, or the conditions under which that type of data can be processed.
Processor
A natural or legal person, public authority, agency or other body which processes (collects, records, structures, disposes, etc.) personal data on behalf of the controller.
Production
The set of approved and controlled technology assets and programs that is used for the primary functions within operations, including the delivery of products and services.
Production software
Software in the operating environment.
Professional Secrecy
An obligation to secrecy due to a specific profession.
Profiling
The automated processing of data to analyze or to make predictions about individuals.
Program Goals
A set of desired and measurable results for a program; or, a set of related activities with long-term aims.
Programmatic Methods
By way of computer programs, queries, or other automated means.
Programming Language
A formal language that is used by developers to create software, scripts, or other types of instructions that can be executed by a computer.
Programs
A set of activities for achieving long-term goals, often categorized into projects.
Promulgated
Communicated or made widely known.
Proof
To validate something; or, the validation of something.
Protect Equipment
Establishing physical controls to prevent damage to hardware, devices, cabling, and other items.
Protected processing domains
Processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects such as that enabled by implementing domain and type enforcement.
Protecting credentials
Methods for safeguarding passwords and other credentials, such as not sharing passwords.
Protection
The use of specific measures to defend technology or human resources against negative effects.
Protection Profile
A set of standards for a particular type of security product.
Protocol
The rules and formats used to exchange packets of data between a source and destination, such as Transmission Control Protocol (TCP), Internet Protocol (IP), or Hyper Text Transfer Protocol Secure (HTTPS).
Protocol Format Validation Failure
The inability to validate protocol formats, such as those enforced by deep packet inspection firewalls.
Protocol Formats
Protocol specifications, such as from the Institute of Electrical and Electronics Engineers (IEEE).
Provenance
The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data.
Provision of Personal Data
The act of a data subject giving personal data to another party.
Pseudonymization
Replacing data fields that can be used to identify a data subject with pseudonyms (such as codes, tokens, or false data strings) to decrease the risk of identification.
Public Authorities
Authorities created by a nation to promote and protect public interest.
Public Authority
Authorities created by a nation to promote and protect public interest.
Public Bodies
Organizations created by a nation to promote and protect public interest.
Public Body
An organization created by a nation to promote and protect public interest.
Public Health
The discipline of promoting and protecting health concerns of the general public.
Public identifiers
Any publicly disclosed account identifier used for communication, such as the individual identifier section of an email address.
Public Interest
The discipline of promoting and protecting the welfare of the general public.
Public Key Infrastructure (PKI)
A method of securely encoding data and validating senders and receivers of data to ensure confidentiality and integrity of communications.
Public Network
A network that is accessible upon request by any person in range of or connected to it.
Public Relations
The practices and personnel employed by an organization to maintain its image and reputation in the eyes of the general public.
Public release
A communication releasing organizational information from that organization to the general public.
Publicly Accessible Ports
Identifiers (often a commonly used number) that serve as both a source and destination for routing communication protocols for specific processes between devices, and which can be accessed by the public.
Publicly Accessible Protocols
Specific rules for communication, often running on ports, that can be accessed by the public.
Publicly Accessible Services
Any public-facing services, typically outside of the internal network firewall.
Publicly Available
Data or information that anyone is allowed to access upon request.
Publish
To formally develop and release a document to appropriate parties, often within an organization.
Pulp hard-copy
To destroy hard copy materials by dissolution.
Purge
To permanently erase or remove, as in purging data.
Purpose
The central reason for the existence or use of something.
Qualitative Data
Data that is expressed in descriptive, as opposed to numerical (quantitative) format.
Quality Control Processes
Practices used to standardize and verify the quality of a service or good during its production.
Quality Metrics
Units of measurement that allow an organization to gauge the achievement of a desired result.
Quantitative Data
Data that can be measured in numeric format.
Radio antennas
The metal interface between radio waves and electric currents in conductors.
Randomness
A concept employed in generating a unique session ID to protect against brute-force attacks that attempt to predict session IDs.
Rationale
A reason or justification for something, such as the security categorization of an information system.
Read-Only Access
Permissions that only allow a user to view information, and not to modify or delete it.
Realistic
The quality of being believable or accurate.
Reassignment
The transfer of an individual from one set of job duties to another.
Reconfiguration
Dynamic reconfiguration, which includes changes to: router rules; access control lists; intrusion detection or prevention system parameters; and filter rules for guards or firewalls.
Reconstitution
To restore to a normal operating state, including the ability to process current and backlog transactions.
Reconstruct Events
To examine audit trails and develop a timeline for and description of events that have occurred in the technology environment, especially after an incident.
Reconstructed
To put back together, make whole, or make readable after being damaged or rendered unreadable.
Rectification
The correction of inaccurate or incomplete data.
Red Team
A team that simulates an attempt to compromise organizational facilities or systems in order to assess the security capabilities of an organization and its technology.
Redundant Power
An additional source of power that can be relied upon if the primary source should fail.
Reference Monitor
A set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects.
Refresh
To change periodically to address updated requirements.
Registration authority
An organization that receives and validates requests for digital certificates and public/private key pairs, and that can verify the identity of the qualified certificate requester, for example in a face-to-face procedure.
Regrading Mechanisms
A trusted process authorized to re-classify and re-label data in accordance with a defined policy exception.
Regression Testing
Testing a program by re-running tests to ensure a change didn't break its functionality.
Regular intervals
A set frequency at which something repeats (such as weekly, biweekly, or monthly).
Regulation
The official, documented, and binding rules (often developed for implementing laws) established by an authoritative organization.
Regulations
The official, documented, and binding rules (often developed for implementing laws) established by an authoritative organization.
Regulatory Measure
An enforceable legal act.
Remote access
The practice of a user gaining entrance/access to a system or component that is geographically separated from the location of the user.
Remote Devices
Devices that are not located at an organizational facility.
Remote maintenance
The repair and upkeep of software, hardware, applications, and other system components that are geographically separated from the location of the user, performed through an internet connection.
Remote service provider
External organizations that provide hosting, processing, or other services to the organization.
Remote-Access Technologies
Mechanisms that support the ability of users to access systems from a location outside an organizational facility, such as a Virtual Private Network (VPN).
Removable Media
Any data storage device that can be inserted into or taken out of a system (e.g., flash drives, external hard drives, magnetic devices, smart phones, or other storage devices).
Removed
To move to an alternate location, delete, or permanently disable something (e.g., removing a particular port on a switch).
Replay-Resistant
The quality of being resistant to replay attacks (capturing network traffic and later re-sending, delaying, or otherwise tampering with it) by using protocols that use nonces or challenges, such as time synchronous or cryptographic authenticators.
Replay-resistant authenticators
Authenticators that are resistant to replay attacks (capturing network traffic and later re-sending, delaying, or otherwise tampering with it) by using protocols that use nonces or challenges, such as time synchronous or cryptographic authenticators.
Report
A verbal communication or documented record that presents metrics, data, analysis, or other information.
Reportable Incidents
Events that should be escalated to a designated official when discovered due to potential risk posed to the organization.
Repository
A centralized archive for data and information.
Reputation
The generally held opinion about a person, company, or other entity.
Rescreen
A periodic reexamination of an employee's background, suitability, experience, credentials, and criminal history.
Resolution Queries
The operations for mapping easily remembered names to associated numeric values, such as mapping of a domain name to an Internet Protocol (IP) address.
Resource availability
A concept that prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes.
Resources
Any item or items (such as technology, people, or funding) that provide value to an organization.
Response
The actions taken to address an incident, alert, or other event that impacts the organization.
Response Actions
The activities performed to address a risk, incident, intrusion, or other event.
Response procedures
The activities performed to prepare for, detect, analyze, contain, eradicate, recover from, and conduct post-event actions for technology events that are disruptive and/or harmful to the organization's operations and/or interests.
Responsibility
The duties required of and assigned to an individual, role, group, or organization.
Restoration
The process of returning a system to its normal operational state through recovery or incident response activities.
Results
The output from a manual or automated process, such as an assessment or computer operation.
Retaining
Continuing to have something.
Retention period
The duration of time for which data and information must be retained due to legal and regulatory requirements.
Returned
To go or send back to a place.
Review
To examine carefully and evaluate for accuracy and appropriateness.
Review and Update
To thoroughly examine the appropriateness of and make required or desired changes to an existing document, process, or configuration.
Reviewer or Releaser Credentials
The authentication mechanisms for personnel to review or release information that must be maintained in order to preserve information about a chain of custody.
Revocation
To permanently disable, remove, or take away (e.g., revocation of access privileges in an information system).
Revocation data
A list of revoked certificates and associated data.
Risk Management Program
A set of related activities for identifying: threats and vulnerabilities to the organization; risk appetite; tools to identify and control risk; measurement; reporting methods; appropriate controls; and methods to respond to risk.
Rights
Entitlements to certain privileges as dictated by convention or law, such as data privacy rights.
Rigor
The strictness with which rules are applied.
Risk Appetite
The amount and type of risk an organization is prepared to pursue, retain, or take.
Risk assessment policy
Guidance on conducting a formal evaluation to identify threats and vulnerabilities to the organization, measure their likelihood and impact, and rank risks -- as well as developing methods to address these risks.
Risk Determinations
The level of risk associated with a specific system design decision.
Risk Management Strategy
The plan of action to actively address threats to and vulnerabilities of a person, group, or organization.
Risk Mitigation
Taking steps to make a risk less likely or severe.
Risk tolerance
The maximum level of risk an organization is willing to accept for a specific type of risk.
Rogue Wireless Devices
Unauthorized wireless access points or peer devices.
Role accounts
Accounts that support a specific role in the organization.
Role memberships
A particular job function in a system which, when assigned to a user, dictates the granular permissions that user is granted.
Role-based access
A role-based access scheme organizes permitted system access and privileges by roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
Role-based training
Programs that increase the skills and knowledge of personnel with respect to their job duties and responsibilities.
Roles
Positions within an organization that require specific responsibilities and skills.
Roles of Personnel
Positions within an organization that require specific responsibilities and skills.
Rollback Strategy
To return software and applications to a known and stable state (e.g., following an unsuccessful deployment of a change).
Root
Full access to change the system, such as read and write any files, perform operations as any user, change system configurations, install software, and remove software.
Router Configuration Files
The files used to establish security parameters and settings for a router.
Router Configuration Standards
Technical specifications for a router that identify services that should be enabled, disabled, and configured.
Routine Uses
As identified in the Privacy Act of 1974, a disclosure of personally identifiable information (PII) from a system of record (authoritative repository) to a recipient outside of the Department of Defense (DoD).
Rules of Behavior
The methods of using resources and technologies that are acceptable to the organization.
SAD
Sensitive Authentication Data (SAD), which includes the full track data of a credit card, the security code on a credit card, and Personal Identification Numbers (PINs) for a credit card.
Safe Mode
A diagnostic operating mode that starts a system with only essential drivers and services loaded, restricting what can execute so that problems in the system can be isolated and identified.
Safeguard
To protect people, systems, infrastructure, and/or data.
Sanctions process
The formal process for disciplining personnel (or, in other contexts, an organization or nation) who fail to comply with established security policies and procedures.
Sandboxing
A mechanism that allows organizations to open email attachments, execute untrusted or suspicious applications, and follow Uniform Resource Locator (URL) requests in an isolated environment (e.g., a virtual machine or container), so that any malicious behavior is contained and can be observed without affecting production systems.
Sanitization
The process of clearing, purging, and/or destroying media (e.g., overwriting data, cryptographic erasure, or industrial crushing of a hard drive) to render data unrecoverable.
Sanitize
The process of clearing, purging, and/or destroying media (e.g., overwriting data, cryptographic erasure, or industrial crushing of a hard drive) to render data unrecoverable.
Scientific
Of or relating to the study of the physical and natural world through experimentation.
Scientific Research
Research relating to the study of the physical and natural world through experimentation.
Scope
The parameters that define the overall relevancy of a process or change (e.g., the scope of a document, system modification, or compliance program).
Scope of Testing
The extent to which testing is conducted, such as the decision to test only critical features of a software product.
Scoped
To be pulled into the parameters of an initiative, such as a system that is scoped into PCI DSS compliance.
Scoring
Quantifying the performance of something.
Screen
To scrutinize closely; alternatively, the visual interface on a computing device that displays information.
Scripting Language
A programming language that allows the automated execution of written tasks (e.g., Bash, PowerShell, or Python).
Scripting tools
A programming mechanism that allows the automated execution of written tasks (e.g., Bash, PowerShell, or Python).
Secondary account
An additional account beyond a primary account that is used for specific purposes, such as a secondary account for administrators with which they can perform standard system tasks.
Secret authentication information
Credentials used to authenticate users or systems, such as passwords, private keys, or tokens, which must be kept confidential.
Secure Areas
A location within a physical facility that requires enhanced security due to sensitive components or data, typically protected with additional physical controls such as locks or cameras.
Secure Authentication
Guidance on the secure validation of the identity and access privileges of users and processes seeking access to systems and data.
Secure Code
Code written using practices that avoid commonly known classes of vulnerabilities (e.g., input validation, output encoding, safe memory handling, and least-privilege use of resources).
Secured courier
A person or service that transports an item using enhanced controls, such as background checks, global positioning system (GPS) tracking, and locked vehicles.
Security Architecture
The design and implementation of applications, software, hardware, and equipment that protect the organization's systems and data.
Security attributes
The basic properties of a user or object with respect to safeguarding information, such as a security label for data in a database.
Security Awareness
The quality and practice of understanding risks to the security environment and how to address them, while incorporating an understanding of: social engineering, phishing, account takeover, and other attacks.
Security Awareness Program
A program for identifying workforce security and privacy training objectives, and implementing role-based, security-based, and skills-based training programs to support these objectives.
Security behavior
The practices used to prepare for, address, and respond to threats against systems and data.
Security Breach Response Responsibilities
The activities personnel must perform in the event of unauthorized access and/or disclosure of systems and/or data.
Security Categorization
A high, moderate, or low designation for an information system based on the potential impact of a loss of confidentiality, integrity, or availability of that system and its information.
Security Consideration
Requirements or criteria that must be satisfied to achieve the organization's objectives in protecting systems and data.
Security Content Automation Protocol
A NIST-specified suite of interoperable standards (e.g., CVE, CPE, CCE, OVAL, and XCCDF) that lets tools express and exchange vulnerability, configuration, and compliance information in a common format, enabling automated scanning of systems for adherence to a predetermined security baseline.
Security controls
The processes designed and implemented to protect the confidentiality, availability, and integrity of systems and data.
Security Design Principle of Acceptable Security
A system design concept that aims to ensure that the level of privacy and performance the system provides is consistent with the users' expectations.
Security Design Principle of Accountability and Traceability
A system design concept that aims to facilitate the tracking of which users have taken certain actions in a system through recording audit trails that are protected from unauthorized modification.
Security Design Principle of Clear Abstractions
A system design concept that aims to develop clear and well-defined interfaces and functions through simplicity, avoidance of redundant or unused interfaces, information hiding, and avoidance of semantic overloading of interfaces or their parameters.
Security Design Principle of Continuous Protection
A system design concept that aims to ensure that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions.
Security Design Principle of Economic Security
A system design concept that aims to ensure that security mechanisms are not more costly than the potential damage that could occur from a security breach.
Security Design Principle of Efficiently Mediated Access
A system design concept that aims to ensure that policy enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints.
Security Design Principle of Hierarchical Protection
A system design concept that holds that a component need not be protected from more trustworthy components, so that protection resources are not spent guarding less trusted components against more trusted ones.
Security Design Principle of Hierarchical Trust
A system design concept that aims to ensure that security dependencies form a partial ordering that preserves the principle of trusted components, and that this partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from heterogeneously trustworthy components.
Security Design Principle of Human Factored Security
A system design concept that aims to ensure that user interfaces for security functions and supporting services are intuitive, user-friendly, and provide feedback for user actions through meaningful, clear, and relevant feedback/warnings when insecure choices are being made.
Security Design Principle of Inverse Modification Threshold
A system design concept that aims to ensure that the degree of protection provided to a component is commensurate with its trustworthiness -- and that as the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree.
Security Design Principle of Least Common Mechanism
A system design concept that aims to minimize the amount of mechanism that is common to more than one user and depended on by all users, since every shared mechanism is a potential path for one user to affect another.
Security Design Principle of Least Privilege
A system design concept that aims to ensure that only the minimum system privileges required to complete assigned job duties are granted.
Security Design Principle of Minimized Security Elements
A system design concept that aims to ensure that the system does not contain extraneous trusted components, so that the set of security-critical elements that must be verified is kept as small as possible.
Security Design Principle of Minimized Sharing
A system design concept that aims to ensure that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so.
Security Design Principle of Modularity and Layering
A system design concept that aims to ensure that modular decomposition serves to isolate functions and related data structures into well-defined logical units, and that layering allows the relationships of these units to be better understood so that dependencies are clear and undesired complexity can be avoided.
Security Design Principle of Partially Ordered Dependencies
A system design concept that aims to ensure that synchronization, calling, and other dependencies in the system are partially ordered.
Security Design Principle of Performance Security
A system design concept that aims to ensure that security mechanisms are constructed so that they do not degrade system performance unnecessarily.
Security Design Principle of Predicate Permission
A system design concept that aims to ensure that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation -- or access to highly sensitive data, information, or resources -- is allowed to proceed.
Security Design Principle of Procedural Rigor
A system design concept that aims to ensure that the rigor of the system's life cycle process is commensurate with its intended trustworthiness, so that the system is correct and free of unintended functionality -- in particular, functionality that is present in the implementation and source code but absent from the specifications.
Security Design Principle of Reduced Complexity
A system design concept that aims to ensure that the system design is as simple and small as possible.
Security Design Principle of Repeatable and Documented Procedures
A system design concept that aims to ensure that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time.
Security Design Principle of Secure Defaults
A system design concept that aims to ensure that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy.
Security Design Principle of Secure Distributed Composition
A system design concept that aims to ensure that composition of distributed components that enforce the same system security policy result in a system which enforces that policy at least as well as the individual components do.
Security Design Principle of Secure Evolvability
A system design concept that aims to ensure that the system is developed to facilitate the maintenance of its security properties when there are changes to the system's structure, interfaces, interconnections (i.e., system architecture), functionality, or configuration (i.e., security policy enforcement).
Security Design Principle of Secure Failure and Recovery
A system design concept that aims to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) -- and take appropriate steps to ensure that security policies are not violated.
Security Design Principle of Secure Metadata Management
A system design concept that aims to ensure that metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies on for correct execution.
Security Design Principle of Secure System Modification
A system design concept that aims to ensure that the same rigor for risk and security requirements that was applied to its initial development is applied to any system changes.
Security Design Principle of Self-Analysis
A system design concept that aims to ensure that a system can assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system.
Security Design Principle of Self-Reliant Trustworthiness
A system design concept that aims to ensure that systems minimize their reliance on other systems for their own trustworthiness.
Security Design Principle of Sufficient Documentation
A system design concept that aims to ensure that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to, rather than detract from, system security.
Security Design Principle of Trusted Communications Channels
A system design concept that aims to ensure that, when a system is composed from components whose interconnections may be exposed to threats, each communication channel between components is trustworthy to a level commensurate with the security dependencies it supports (i.e., how much other components rely on it to perform its security functions).
Security Design Principle of Trusted Components
A system design concept that aims to ensure that each component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much other components rely on it to perform its security functions).
Security domains
A grouping of technology resources (e.g., servers, routers, and/or websites) that operate under a single security policy and common set of protections (e.g., a web server farm, a directory service, or the Secret Internet Protocol Router Network [SIPRNet]).
Security Engineering Principles
Specific design concepts used to fundamentally improve the quality of hardware, software, and firmware components that will be integrated into organizational information systems or the critical infrastructure.
Security Flaws
Security defects in design and/or implementation.
Security Functionality
The capabilities of the system that assist in protecting systems and data.
Security Information and Event Management
Software that supports log monitoring, consolidation from multiple system components, and log correlation and analysis to identify anomalous and suspicious events.
Security Information Monitoring
The observation of events and metrics in the technology environment to identify anomalous or suspicious behavior.
Security markings
The labeling of something, such as a security marking for media, that indicates how it should be handled.
Security Mechanisms
Standardized manual or automated processes used to protect systems and data.
Security Operations Center
The organization's lead team for security operations and computer network defense, which is tasked with defending and monitoring the organization's systems and networks (i.e., cyber infrastructure) on an ongoing basis -- and with detecting, analyzing, and responding to cybersecurity incidents in a timely manner.
Security parameters
Configuration settings that protect systems and data.
Security Patches
Code or updates released by a vendor which are deployed to update the security posture of software or applications and correct vulnerabilities.
Security Plan
A formal document both outlining the security requirements for an information system (or an information security program) and identifying the security controls that will be implemented to meet these requirements.
Security Policies
A set of documented and mandatory objectives, rules, and practices that outlines required actions to protect systems and data.
Security Policy and Procedure
The guidance and detailed processes for granting and monitoring information system access and use that safeguards minimum security and privacy requirements.
Security policy filters
Hardware or software components that inspect content as it crosses a boundary and enforce the organization's rules on what information may flow between systems or security domains.
Security Procedures
The detailed processes indicating activities that support security requirements.
Security Requirements
The criteria that people, processes, and technology must meet to adequately protect the confidentiality, availability, and integrity of systems and data.
Security Risk Assessment Process
The activities performed to identify threats and vulnerabilities to the organization, measure their likelihood and impact, and rank risks.
Security Risk Treatment
The chosen method an organization uses to address threats and vulnerabilities -- for example: mitigating the risk through control implementation, accepting the risk, transferring the risk, or avoiding the risk.
Security Roles
Security positions within an organization that require specific responsibilities and skills.
Security-related characteristics
Any attributes of a user account that are related to security settings -- for example: privacy controls, multi-factor authentication, password changes, or other security-related information.
Security-Relevant External System Interfaces
Connections between organizational systems and systems outside the organization which may have security implications, such as a call for sensitive data from an external system.
Segmentation
The practice of logically or physically dividing one set of systems, data, or traffic from another, such as segmenting a network into multiple subnets or VLANs with controlled traffic flows between them.
Selectable event criteria
The options for recording event types and attributes of those event types (e.g., logons, account creations, etc.) that facilitate audit reduction, analysis, and reporting.
Self-Contained
Having all the components supporting core functionality without external integration (i.e., with another component), such as a self-contained power supply.
Sender Policy Framework (SPF)
An email authentication technique in which a domain publishes, in a DNS TXT record, the hosts authorized to send mail on its behalf; a receiving server checks the connecting sender's IP address against the record for the envelope sender (MAIL FROM) domain, allowing forged sender addresses to be detected and reducing spam and spoofing.
Senior Official
A person of elevated authority within an organization who is responsible for day-to-day operations.
Sensitive Areas
A location within a physical facility that requires enhanced security due to sensitive components or data, typically protected with additional physical controls such as locks or cameras.
Sensitive information
Data or documentation that must be protected from unauthorized access, use, modification, and disclosure to avoid violations of law and/or negative impact to the organization -- for example: electronic Protected Health Information (ePHI); personally identifiable information (PII); or business Confidential Information (CI) regarding an organization's customers.
Sensitive information inventory
A list of data or documentation that must be protected from unauthorized access, use, modification, and disclosure to avoid violations of law and/or negative impact to the organization -- for example: electronic Protected Health Information (ePHI), personally identifiable information (PII), or business Confidential Information (CI) regarding an organization's customers.
Sensitive job requests
The automated sequence of instructions (such as batch jobs, reports, and online transactions) that allow access to update data, run interfaces, view sensitive data, and change financial data.
Sensor capabilities
Electronic devices -- such as microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers -- that are embedded in mobile and other electronic devices and can track motion, location, altitude, and other data.
Sensor use
When an electronic device tracking environmental stimuli (such as movement) is active.
Separation
The condition of one thing either residing or being placed physically or conceptually apart from another -- for example: separation of conflicting duties between personnel; separation of a primary operating site and an alternate site; or separation of networks by using both a trusted user network and a guest network.
Service Agreements
An agreement that specifies qualitative and quantitative metrics that a service provider must meet to satisfy contractual obligations, and the penalties for failure to meet these expectations.
Service Level Agreements
An agreement that specifies qualitative and quantitative metrics that a service provider must meet to satisfy contractual obligations, and the penalties for failure to meet these expectations.
Service Levels
Specific metrics identified in a service level agreement (SLA) that indicate a level of attainment the contracted provider must achieve, such as availability, uptime, and downtime per year.
Service Provider
A person, company, or other group unaffiliated with the organization that performs specified, and often contractually documented, activities for the organization.
Services Acquisition Policy
Guidance for incorporating security considerations into the procurement, design, creation, testing, and implementation of organizational systems.
Session
The continuous interval of time that two entities spend communicating (e.g., the set of interactions between a user's computer and a website) -- or identifying attributes of this interval.
Session Authenticity
The quality of a session occurring between appropriately authenticated parties, as opposed to situations where session authenticity is challenged, such as "man-in-the-middle" attacks, session hijacking, and the insertion of false information.
Session Identifiers
A piece of data, such as a text string, that uniquely labels the continuous interval of time that two entities spend communicating (e.g., the set of interactions between a user's computer and a website).
Session Integrity
The quality of a session's data and control information remaining unaltered by any unauthorized party for the duration of the session, as opposed to situations where it is compromised, such as "man-in-the-middle" attacks, session hijacking, and the insertion of false information.
Session Management Vulnerabilities
Weaknesses exposing information in a session, such as "man-in-the-middle" attacks, session hijacking, and the insertion of false information.
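The handling of session identifiers that the three entries above call for, shown as an added example (illustrative code written for this glossary, not code from the original page). It demonstrates identifiers that cannot be guessed, rotation of the identifier when the authentication state changes (which defeats session fixation), an idle timeout, and a store that holds only a hash of each identifier so that a leaked store cannot be replayed. The in-memory store and the injectable clock are assumptions made so the example runs stand-alone.

```python
"""Session identifier lifecycle: mint, look up, rotate on login, expire."""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity after which a session is dead (assumed value)


def _key(sid: str) -> str:
    """Index sessions by sha256(id): the raw identifier lives only in the client's cookie,
    so a dump of the store does not yield usable session tokens."""
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # sha256(session id) -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable for testing; real code uses time.time

    def create(self, user=None) -> str:
        """Mint a 256-bit identifier from the OS CSPRNG; never derive it from user data
        (usernames, timestamps, counters), which is what makes an id predictable."""
        sid = secrets.token_urlsafe(32)
        self._sessions[_key(sid)] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session for sid, or None if it is unknown or has idled out."""
        sess = self._sessions.get(_key(sid))
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[_key(sid)]  # expire server-side, not just in the cookie
            return None
        sess["last_seen"] = now
        return sess

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the identifier at authentication. The pre-login id, which an attacker
        may have planted in the victim's browser (session fixation), is invalidated and
        a fresh id is issued for the authenticated state."""
        self._sessions.pop(_key(old_sid), None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone leaves the id usable."""
        self._sessions.pop(_key(sid), None)
```

The same rotation in login() should also happen on any other privilege change (for example, after a password change or step-up authentication), and the identifier itself must only travel in a cookie marked Secure and HttpOnly so that it is neither sent in clear text nor readable by injected script.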
Shared accounts
System accounts which may be used by more than one person, and also require enhanced scrutiny due to the potential for misuse.
SI-6a
The first element of NIST SP 800-53 control SI-6 (Security and Privacy Function Verification), which requires the organization to verify the correct operation of organization-defined security and privacy functions.
Signal Parameter
Any characteristics of a wireless signal that may be used to identify it, such as: amplitude, frequency, magnitude, phase, duration, shape, polarization, modulation, level, or irradiance.
Significant Information Resources
Technology assets that support critical business operations.
Significant risk
A threat or vulnerability that could cause a major negative impact to an organization.
Simulated Events
Scenarios that mimic real-life crisis situations.
Single Sign-On
An authentication system that allows a user to log into the single sign-on capability with one set of credentials, yet still access other systems (which accept those credentials).
skills gap analysis
An evaluation of the current skills of the workforce, the desired skills of the workforce, and the difference between the two.
Social Engineering
The use of plausible scenarios to fraudulently and maliciously obtain monetary resources, obtain information, and/or attack information systems.
Social Mining
An attempt to gather information about the organization that may be used to support future attacks.
Social Protection
The defense of the social welfare of society at large.
Software Packages
A collection of files that can be implemented in the production environment to install and update software and applications.
Source code
The readable set of instructions that are written by a programmer to create a computer program.
Sources
The points of origin of equipment, data, information, or other items.
Special Categories of Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership -- and the processing of genetic data, biometric data -- for the purpose of uniquely identifying a natural person. Also, data concerning health or data concerning a natural person's sex life or sexual orientation.
Special protection
The safeguarding procedures required for controlled unclassified information, collateral information, Special Access Program (SAP) information, Sensitive Compartmented Information (SCI), and other specifically designated classification types.
Split Tunneling
The process of allowing a remote user or device to establish a non-remote connection with an organizational system (e.g., through a VPN) and simultaneously communicate via some other connection to a resource in an external network, so that the external traffic bypasses the organization's inspection and controls.
Sponsor authorization
Approval of a user's access by a sponsor -- typically a person other than the user's supervisor -- who can vouch for the business justification of and need for that access.
spoofed
Describes a packet, message, or identity whose origin has been falsified to make the recipient think it comes from a trusted source, such as an Internet Protocol (IP) packet with a forged source address.
Standardized Contract Language
A template or common language for contract agreements.
Standardized Format
Common standards for audit records which promote interoperability and information exchange between devices and systems.
Standards
A set of accepted criteria, characteristics, or processes -- or the document that defines the specific attributes of these items.
State of The Art
The most advanced level of technology or practice currently available, which may be interpreted as best-in-class products, rigorously tested products, or other products having superior qualities.
Statement of Applicability
A document, required by ISO/IEC 27001 and derived from the risk assessment and risk treatment process, that lists the controls the organization has selected -- i.e., whether each has been implemented, the justification for including or excluding it, and a reference to where the control's procedures are documented.
Static Code Analysis
Analysis of source code or compiled binaries for security weaknesses without executing the program (e.g., by pattern matching on dangerous calls, data-flow analysis, or taint tracking from untrusted inputs to sensitive sinks).
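What such an analysis looks like at its simplest, as an added example (illustrative code written for this glossary, not code from the original page or from any analysis tool). The analyser parses Python source into an abstract syntax tree and inspects it without running anything, flagging calls commonly associated with command and code injection. The SAMPLE source and the rule tables are constructed for the illustration.

```python
"""A tiny AST-based static analyser for Python source."""
import ast

# Constructed sample: a function a reviewer would want flagged (never executed here).
SAMPLE = '''
import os, subprocess, pickle
def run(cmd, blob):
    os.system("ls " + cmd)              # shell injection if cmd is attacker-controlled
    subprocess.run(cmd, shell=True)     # same problem via shell=True
    subprocess.run(["ls", cmd])         # argv form: not flagged by this rule set
    data = pickle.loads(blob)           # deserialises untrusted bytes
    return eval(data)                   # arbitrary code execution
'''

# Rule tables (assumed for the example): bare builtins, module.attribute pairs,
# and subprocess entry points that are only dangerous with shell=True.
DANGEROUS_BUILTINS = {"eval", "exec"}
DANGEROUS_ATTRS = {("os", "system"), ("os", "popen"), ("pickle", "loads"), ("pickle", "load")}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _callee(call: ast.Call):
    """('module', 'name') for module.name(...), ('', 'name') for name(...), else None."""
    f = call.func
    if isinstance(f, ast.Name):
        return ("", f.id)
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    return None


def _has_shell_true(call: ast.Call) -> bool:
    """True when the call passes a literal shell=True keyword argument."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def analyse(source: str):
    """Return a sorted list of (line, message) for suspicious calls in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node)
        if callee is None:
            continue
        mod, name = callee
        if mod == "" and name in DANGEROUS_BUILTINS:
            findings.append((node.lineno, f"dynamic code execution via {name}()"))
        elif callee in DANGEROUS_ATTRS:
            findings.append((node.lineno, f"unsafe call {mod}.{name}()"))
        elif mod == "subprocess" and name in SUBPROCESS_FUNCS and _has_shell_true(node):
            findings.append((node.lineno, f"subprocess.{name}() with shell=True"))
    return sorted(findings)
```

This is pure pattern matching on the syntax tree: it has no notion of where `cmd` came from, so it cannot tell a hard-coded constant from user input, and it says nothing about the argv-form `subprocess.run(["ls", cmd])` even though an attacker-controlled `cmd` can still inject options into the command. Closing that gap is what taint tracking in real analysers is for, and it is also why static findings need triage rather than being treated as confirmed vulnerabilities.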
Statistical
Of or relating to the science of collecting and analyzing numerical data.
Statistical Purposes
Of or relating to reasons which are related to the science of analyzing numerical data.
Steganography-encoded data
Data that is hidden in other data, such as hidden files within image files.
Storage media
Any data storage device that can be inserted into or taken out of a system (e.g., flash drives, external hard drives, magnetic devices, smart phones, etc.).
Store
To possess and maintain physical assets or electronic data.
Storing media
Practices for securely keeping and maintaining media.
Strength of Binding
The strength of the binding of security attributes between the information producer and the information produced, based on the security category of the information and other relevant risk factors.
Strong authenticators
Sufficiently long and complex authenticators (such as passwords) that identify users, confirm their identities, and grant them access to a system or location.
Strong credentials
Authentication mechanisms (such as passwords) with a length and complexity that make the credential difficult to guess or crack.
Structure
To purposefully arrange an object, data point, or system component -- or any entity purposefully arranged.
Subcontractors
An external organization that contracts with a prime contractor, who then provides services directly to the government or organization.
Subnetworks
A subdivision of an Internet Protocol (IP) network.
Sufficient
The quality of adequately meeting a set of requirements or criteria.
Suitability
The quality of meeting requirements.
Supervisor authorization
The permissions granted by a supervisor to enter facilities or to view, read, modify, delete, or perform other activities in an information system.
Supervisory Authority
An independent public authority that is established by a Member State of the European Union and is responsible for monitoring the application of and compliance with the General Data Protection Regulation (GDPR).
Supplemental authentication techniques
Additional authentication required by the organization when pre-established conditions or triggers indicating suspicious behavior occur.
Supplementary Statement
An additional, explanatory document.
Supply Chain Compromises
Incidents in which a product, component, or service is tampered with, counterfeited, or otherwise subverted somewhere in the supply chain before it reaches the organization (e.g., malicious code inserted into a software dependency or build pipeline), affecting the organization's products or services.
Supply Chain Events
Disruptive incidents that affect any vendors or partners that provide components of the organization's service or product.
Supply Chain Governance
The rules and policies dictating the management of the procurement of goods and services from external sources.
Supply Chain Risk
Threats and vulnerabilities arising from the outsourcing or procurement of goods and services from external sources.
Supply Chain Risk Management Plan
A documented roadmap that outlines the steps addressing threats to and vulnerabilities of the vendors, service providers, and partners who provide products and services required for organizational operations.
Supply Chain Risk Management Policy
A set of documented and mandatory objectives, rules, and practices governing how the organization identifies and addresses threats to and vulnerabilities of the vendors, service providers, and partners who provide products and services required for organizational operations.
Supporting rationale
A reason or justification for something, such as the security categorization of an information system.
Surrender
To give back, such as to surrender a badge to the organization.
Surveillance Equipment
Any equipment designed to record and observe activity, such as video cameras installed at strategic locations throughout the facility.
Suspected Adversarial Behavior
Patterns of activity that indicate potential malicious intent.
Swipes
The motion of a credit card being run at a point of sale (POS).
Synchronize duplicate systems
Integration of systems performing similar functions in disparate locations to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed.
System access authorization
The permissions granted to enter facilities or to view, read, modify, delete, or perform other activities in an information system.
System accounts
A configuration that uniquely identifies a user, allows a user to perform activities, and identifies a user's activities in a technology environment that has a group of hardware, software, equipment, applications, data, and/or other items working together to perform a specific set of functions.
System and communications protection policy
A set of documented and mandatory objectives, rules, and practices for securely architecting, configuring, accessing, monitoring, and using technology resources and the network communications between them.
System Assessments
Formal evaluations of the design and implementation of a system and/or its controls.
System authorization process
The process by which an information system is evaluated and approved for initial and ongoing implementation.
System Authorizations
The permissions granted to enter facilities or to view, read, modify, delete, or perform other activities in an information system.
System Commands
Instructions from a user to an operating system.
System Component
A specific piece of equipment, hardware, software, firmware, applications, databases, or other information technology assets that processes, transmits, and/or stores information in concert with other components to achieve a specific set of functions.
System components
The set of specific equipment, hardware, software, firmware, applications, databases, and other information technology assets that collects, maintains, uses, shares, disseminates, and disposes of information to achieve a specific set of functions.
System data actions
System operations that process personally identifiable information (PII).
System Design
The way in which information systems are engineered to meet requirements.
System Development Life Cycle
The set of processes for securely proposing, approving, developing, testing, and deploying configurations, systems, and system changes.
System identifiers
The text strings (numeric, alphanumeric, and/or special characters) that uniquely identify a person or service, such as a user ID or account name.
System Inventory
A complete and accurate listing of the applications, servers, switches, routers, laptops, databases, and all other technology components in the operating environment.
System level
The set of processes or configurations related to the equipment, hardware, software, firmware, applications, databases, and other information technology assets that collects, maintains, uses, shares, disseminates, and disposes of information to achieve a specific set of functions.
System media
Devices that can store data in magnetic, optical, or solid state format, such as an external hard drive, flash drive, tape, or disk.
System media downgrading
Enabling media to be used in accordance with a less rigorous set of requirements, such as the downgrading of media from use in a classified environment to use in an unclassified environment.
System memory
Memory in a computer that is available for use by the operating system.
System notice display
A communication shown to the user notifying them of the acceptable use of and conditions for using the system, as well as the monitoring of activities.
System of Records
An authoritative or official source for obtaining a certain type of data or information.
System operations
The environment in which applications, software, equipment, and databases operate, as well as the metrics and indicators showing the health of operations.
System partitioning
The separation of system components through one or more of the following means: physically distinct components in separate racks in the same room; critical components in separate rooms; geographical separation of critical components; or managed interfaces that restrict or prohibit network access and information flow among partitioned system components.
System privileges
The permissions granted to a user in an information system.
System Processes
The activities performed to achieve a specific result while operating under specific rules.
System property
Hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes.
System protection
Mechanisms that safeguard systems and data.
system security parameters
The configuration settings in a system that affect security.
System Security Parameters
Configuration settings that change the capabilities to protect systems and data.
System security plan
A formal document that provides an overview of the security requirements for an information system or an information security program -- and describes the security controls in place (or planned) for meeting those requirements.
System Service
A data transmission, processing, or storage task performed by software or applications.
System Testing
Testing of the system as a whole.
System users
A person or automated process that uses the equipment, hardware, software, firmware, applications, databases, and other information technology assets that collect, maintain, use, share, disseminate, and dispose of information to achieve a specific set of functions.
System Vulnerabilities
Weaknesses in a system that can be exploited by a malicious actor.
System-Level
The set of processes or configurations related to the equipment, hardware, software, firmware, applications, databases, and other information technology assets that collects, maintains, uses, shares, disseminates, and disposes of information to achieve a specific set of functions.
system-level risk
Threats to and vulnerabilities of an information system, either as a whole or of its components.
Systematic Monitoring
The observation of events and metrics in the technology environment, often through real-time data, to identify anomalous or suspicious behavior.
Systems
A specific set of equipment, hardware, software, firmware, applications, databases, and other information technology assets that processes, transmits, and/or stores information to achieve a specific set of functions.
Tasks and Duties
The assignment of an action, obligation, or responsibility that is binding to an individual or group.
Technical competence
The state of a person's in-depth knowledge of specific subjects as being adequate to complete job duties.
Technical Measures
In-depth methods relating to a specific area of expertise.
Technical Surveillance Countermeasures Survey
A service provided by qualified personnel to detect the presence of technical surveillance devices and hazards -- and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility.
Technical Vulnerability
Exploitable weaknesses in the technology environment.
Techniques
The specific way that activities are performed -- often influenced by ability, skill, or tools -- when completing a task.
Technologies
The application of knowledge, processes, and tools to complete specific functions, typically through hardware, software, and applications.
Technology assets
Any system component (i.e., software, applications, hardware, data, equipment, etc.) that can provide the organization value at a future point in time.
Technology Type
A genre or category of technology (e.g., software, storage, encryption, etc.).
Telework
The performance of business activities by an employee that occurs outside of an organizational facility.
Temporary employees
Employees hired on a limited or short-term basis to address gaps in the workforce.
Terminal
A hardware device for inputting and reading data, such as a computer.
Terminate
To end the duration of something, such as access privileges or employment.
Terminated Users
System accounts that have been permanently disabled or removed.
Termination
The act of ending the duration of something, such as access privileges or employment.
Termination process
The practices followed by human resources and the employees assisting them when an employee is terminated (such as notifying the employee, requesting the return of equipment, etc.).
Test Bed
A lower environment that mimics the production environment and is used for testing exploits.
Test environments
Specific environments (e.g., specific servers or applications) developed to mimic the configuration of the production environment in order to test potential changes to it.
Test programs
Programs to test the functionality of equipment.
Testing
The use of techniques and scenarios to validate whether the functionality of an application or software program meets requirements.
Third Country
A country that is not a Member State of the European Union (EU), nor a country within the European Economic Area (EEA), but has adopted a national law to implement the General Data Protection Regulation (GDPR).
Third Party
A person or group outside of the organization.
Third Party Risk
The threats and vulnerabilities introduced due to partnerships with vendors.
Third-party personnel
Personnel that work for an external organization.
Threat
A potential or existing situation that may negatively impact an organization's assets, resources, or personnel -- e.g., unauthorized access to technology, unauthorized transmission of data, or ransomware attack.
Threat Hunting
Proactive methods of searching for activity that has evaded existing detection and that may be used to exploit or harm the organization's systems.
Threat Intelligence Information
Knowledge about potential adverse malicious attacks, as well as an understanding of actors who could perpetrate these attacks.
Threat Modeling
A standardized process to identify vulnerabilities that pose danger to the organization.
Thresholds
Quantifiable benchmarks which, when reached, prompt the organization to take predetermined actions.
Time interval
The frequency at which a certain activity is performed (every week, every two weeks, every month, etc.).
Timeliness
The quality of being completed within an expected or useful time frame.
tokens
Something you have -- either tangible (hard) or intangible (soft) -- that proves your identity, such as a security card or one-time password (OTP).
Tool Configurations
The settings for development tools, which include programming languages and computer-aided design systems.
Tool Options
The chosen functionality for development tools, which include programming languages and computer-aided design systems.
Tools
The devices, software, or applications used to perform automated processes or achieve specific results.
top-level specification
An informal but descriptive explanation of something.
Track
To identify a metric, indicator, process, or activity and evaluate changes to and/or progress of these items over time.
Traffic Flow Policy
The set of rules applied to communications traffic at managed interfaces that dictates how traffic is routed on the network.
Training Objectives
The goals of a program that aim to increase the skills and knowledge of the workforce.
Training Records
The evidence showing that personnel have completed required trainings.
Transfer
The movement of an asset, object, or person from one place or role to another (e.g., hardware, data, personnel, etc.).
Transfer or Release Points
The movement of data between different security domains.
Transfer policies
Guidance for transmitting data to other parties inside and outside the organization.
Transferred
The state of having moved an asset, object, or person from one place or role to another (e.g., hardware, data, personnel, etc.).
Transfers
The movement of an asset, object, or person from one place or role to another (e.g., hardware, data, personnel, etc.).
transitive (or downstream) information exchanges
Information exchanges between the system or systems with which the organizational system usually exchanges information and further systems beyond them.
Transmission Lines
Any equipment that transmits data, such as jacks, cables, and wiring.
Transmission power levels
The signal strength of a transmission device, such as an antenna or wireless device.
Transmit
To pass an object or information from one entity to another.
Transmitted
The state of data or information having been sent from one geographic or digital location to another, such as the transmission of data over a network from a client to a server.
Transparency Controls
The processes performed to achieve organizational objectives for adequately disclosing how personally identifiable information (PII) and personal data is collected, maintained, corrected, and managed.
Trust Anchors
An authoritative source (e.g., a certificate authority) for which trust is assumed and not derived.
Trust relationship
A relationship between an organization and an external service provider reflecting confidence that the level of risk involved in using their external services is acceptable.
Trusted Communications Path
A mechanism for sharing information in which the user can be sure of the data's confidentiality, integrity, and availability.
Trusted maintenance facilities
Organizational locations where repairs can be made reliably and with a predictable level of quality.
Tune
To make minute enhancements to better meet objectives.
Unattended equipment
Devices, hardware, cabling, or other property which are not actively watched or monitored by a person present at their location.
Unauthorized Access
The forbidden and/or unapproved use of privileges for creating, viewing, modifying, or deleting systems and data.
Unauthorized Components
Hardware, software, applications, databases, devices, or other equipment which has not been granted permission to operate in the production environment.
Unauthorized Disclosure
The release of data or information to a person, group, or organization that is not permitted and/or has not been approved.
Unauthorized Flows
Transfer of data across security domains for which approval or permission has not been granted.
Unauthorized Modification
A change to a system, configuration, or data that has not been granted or approved.
unauthorized modifications
Any changes to systems or data for which permission has not been granted.
Unauthorized Outbound Traffic
Requests that originate from inside the network that are intended to be sent outside the network, but which are not permitted by the organization.
Unauthorized subjects
A user or process that has not been approved to access or modify a particular object or resource.
Unclassified mobile device
A portable electronic device (such as a phone or tablet) that is not appropriately procured, hardened, and configured for the access, use, modification, and transmission of classified data (a federally determined categorization of sensitive data).
Unclassified mobile device(s)
A portable electronic device (such as a phone or tablet) that is not appropriately procured, hardened, and configured for the access, use, modification, and transmission of classified data (a federally determined categorization of sensitive data).
Unclassified National Security System
A national security system that does not contain or transmit sensitive data.
Undue Delay
A postponement that cannot be justified.
Unintentional Data Exposure
The unauthorized or unintended release of information to another person or organization.
Uninterrupted Power Supply
An electrical system or mechanism that provides emergency power when there is a failure or unanticipated power interruption of the main power source by providing energy stored in batteries, supercapacitors, or flywheels.
Union
The European Union (EU).
Union Law
European Union (EU) law.
Unit Testing
A test of a single section of an application to determine whether it is operating as designed.
Unlawfully Processed
The quality of data that has been processed in a manner that violates the law.
Unprotected System Information
Technical specifications, diagrams, configuration files, or other information that indicates the security posture of a system.
Unreadable
Cannot be read by a human without translation into another format.
Unrecoverable
Something that is not able to be restored to its former state, such as data from a severely damaged hard drive.
Unsanctioned Information
Malicious code; information that is inappropriate for release from the source network; or executable code that could disrupt or harm the services or systems on the destination network.
Untrusted Networks
Networks that are not known or have not been validated to meet the organization's security requirements.
Update
To make changes to a document, system, or configuration that align content with the current environment in order to meet organizational objectives.
URL Requests
Requests sent to a website, such as a request sent from a user's computer to browse a website.
URL-Categorization Services
A tool that groups websites into different categories of acceptable and unacceptable content -- and allows or denies access to users.
Usage Policies
Rules of behavior or acceptable use policies for using and implementing systems.
Usage Restrictions
Conditions under which something must be used.
USB Devices
A peripheral device that can store data in flash memory and plugs into a Universal Serial Bus (USB) port.
Use conditions
The rules of acceptable behavior which must be followed when using an information system.
User access provisioning process
The process through which a user's system access is requested, approved, and implemented in the system.
User Agreements
An agreement signed by a prospective system user that specifies the conditions a user must follow to obtain and maintain system access.
User discretion
The ability of a system user to exercise personal judgment when determining the appropriateness of a task.
User interface services
Any service that affects how a user interacts with an application (e.g., graphical, display, window management, etc.).
User privileges
The permissions that have been granted to a user in an information system (i.e., read, write, execute, or access to certain functionality based on role).
User-initiated communications sessions
The continuous interval of time that a user spends communicating with an application, such as the time from login to logout.
Utility programs
Software programs that implement or maintain the functionality of a computer (e.g., disk repair, backup, file management, antivirus, security, and networking).
Valid approval
The formal agreement by an authorized official that something proposed meets a set of standards or level of quality, such as a valid approval for system access.
Validate
To confirm that data, information, or a product is accurate and/or meets a required standard for end use.
Vectors
Methods by which malicious actors can gain access to a system and deliver a payload.
Vendor defaults
A password provided by the vendor for the initial login and set-up of the equipment or software.
Vendor-supplied defaults
Passwords provided by the vendor for the initial login and set-up of the equipment or software.
Verification
Confirmation that data, information, or a product meets an established objective.
Verification Process
The steps taken to demonstrate or conclude that something is true or accurate.
Verify
To establish that something is accurate, complete, or aligns with requirements.
Version Control Procedure
A set of practices to maintain former versions of code packages to allow for recovery in the event of a problem.
Vested
A person or group that has a personal stake or involvement in something.
Video Surveillance
Any equipment designed to record video/audio and observe activity, such as a closed-circuit television (CCTV) system installed at strategic locations throughout the facility.
Virtual LANs
A virtual Local Area Network (LAN), which is a subnetwork that groups together devices from separate physical LANs.
Virtual Local Area Networks
A virtual Local Area Network (LAN), which is a subnetwork that groups together devices from separate physical LANs.
Virtual Machine Environments
Software environments that run on top of other software while imitating physical hardware.
Visitor Access Records
The documentation showing a history of visitors who have requested access to and/or accessed a facility or secure area, as well as important visitor information such as organization and point of contact within the organization.
Visitor Identification
The process of verifying the identity of personnel (often employees from other companies) who are not authorized to work on-site without enhanced security controls.
Visitors
Any employees, contractors, members of the public, maintenance workers, or other individuals who seek to gain entrance to a facility to which they do not already have authorization to enter.
Vulnerability Analysis
A review and assessment of exploitable weaknesses in the technology environment which prioritizes vulnerabilities by severity and provides recommendations for risk mitigation.
Vulnerability Scanning
An automated test that detects exploitable weaknesses in a technology environment.
Water Protection
Mechanisms that safeguard equipment from water damage.
Whitelisting
Explicitly defining and allowing something, such as whitelisting a list of acceptable websites that can be accessed on a network.
Wipe
To render data unreadable.
Wireless Access Points
A method of gaining access, such as a device that allows a connection between a wireless device and a wired network.
Wireless Intrusion Detection
A network device which monitors for unauthorized access points and alerts an administrator.
Wireless Intrusion Detection System
A network device which monitors for unauthorized access points and alerts an administrator.
Wireless Links
Any method of accessing a wireless network, such as an SSID (Service Set Identifier), that may be visible to individuals who are not authorized system users.
Wireless Network Capabilities
The ability to support a network of computer devices and hardware that can communicate data without cabling, instead using radio frequencies within the wireless bands.
Wireless Peripheral Access
Wireless access that is activated by device proximity, such as Bluetooth or Near-Field Communication (NFC).
Withdraw Consent
When the permission to do something is rescinded or withdrawn.
Workforce
The personnel (i.e., employees and contractors) under the direction of the organization who perform duties on its behalf.
Write-Once Media
Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R).
XSS
Cross-site scripting, a type of vulnerability in which weaknesses in a website allow an attacker to inject code (typically script) into its pages, which is then executed in the browsers of other users who view them.