glossary infosec


Post on 06-Mar-2015







2009 by Taylor & Francis Group, LLC

Glossary

45 CFR: Code of Federal Regulations Title 45, Public Welfare.
802.11: Family of IEEE standards for wireless LANs first introduced in 1997. The first standard to be implemented, 802.11b, specifies from 1 to 11 Mbps in the unlicensed band using DSSS (direct sequence spread spectrum) technology. The Wireless Ethernet Compatibility Association (WECA) brands it as Wireless Fidelity (Wi-Fi).
802.1X: An IEEE standard for port-based layer-two authentication in 802 standard networks. Wireless LANs often use 802.1X for authentication of a user before the user has the ability to access the network.
A/S, A.S., or AS: Under HIPAA, see administrative simplification.
AAL: ATM adaptation layer.
AARP: AppleTalk Address Resolution Protocol.
Abduction: A form of inference that generates plausible conclusions (which may not necessarily be true). As an example, knowing that if it is night, then a movie is on television, and that a movie is on television, abductive reasoning allows the inference that it is night.
Abend: Acronym for abnormal end of a task. It generally means a software crash: the abnormal termination of a computer application or job because of a non-system condition or failure that causes a program to halt.
Ability: Capacity, fitness, or tendency to act in a specified or desired manner. Skill, especially the physical, mental, or legal power to perform a task.
ABR: Area border router.
Abstraction: The process of identifying the characteristics that distinguish a collection of similar objects; the result of the process of abstraction is a type.
AC: Access Control (Token Ring).
ACC: Audio Communications Controller.
Acceptable risk: The level of residual risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system. See also total risk, residual risk, and minimum level of protection.
Acceptable use policy: A policy that a user must agree to follow to gain access to a network or to the Internet.
Acceptance confidence level: The degree of certainty in a statement of probabilities that a conclusion is correct. In sampling, a specified confidence level is expressed as a percentage of certainty.
Acceptance Inspection: The final inspection to determine whether or not a facility or system meets the specified technical and performance standards. Note: This inspection is held immediately after facility and software testing and is the basis for commissioning or accepting the information system.
Acceptance Testing: The formal testing conducted to determine whether a software system satisfies its acceptance criteria, enabling the customer to determine whether to accept the system.
Access: The ability of a subject to view, change, or communicate with an object. Typically, access involves a flow of information between the subject and the object.
Access Control: The process of allowing only authorized users, programs, or other computer systems (i.e., networks) to access the resources of a computer system. A mechanism for limiting use of some resource (system) to authorized users.
Access control certificate: ADI in the form of a security certificate.
Access control check: The security function that decides whether a subject's request to perform an action on a protected resource should be granted or denied.
Access Control Decision Function (ADF): A specialized function that makes access control decisions by applying access control policy rules to a requested action, ACI (of initiators, targets, actions, or that retained from prior actions), and the context in which the request is made.


Access Control Decision Information (ADI): The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision.
Access Control Enforcement Function (AEF): A specialized function that is part of the access path between an initiator and a target on each access that enforces the decisions made by the ADF.
Access Control Information (ACI): Any information used for access control purposes, including contextual information.
Access Control List (ACL): An access control list is the usual means by which access to, and denial of, service is controlled. It is simply a list of the services available, each with a list of the hosts permitted to use the services. Most network security systems operate by allowing selective use of services.
Access Control Mechanisms: Hardware, software, or firmware features and operating and management procedures in various combinations designed to detect and prevent unauthorized access and to permit authorized access to a computer system.
Access control policy: The set of rules that define the conditions under which an access may take place.
Access Controls: The management of permission for logging on to a computer or network.
Access list: A catalog of users, programs, or processes and the specifications of the access categories to which each is assigned.
Access Path: The logical route that an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software, and the access control system.
Access Period: A segment of time, generally expressed on a daily or weekly basis, during which access rights prevail.
Access protocol: A defined set of procedures that is adopted at an interface at a specified reference point between a user and a network to enable the user to employ the services or facilities of that network.
Access Provider (AP): Provides a user of some network with access from the user's terminal to that network. This definition applies specifically for the present document. In a particular case, the AP and network operator (NWO) may be a common commercial entity.
Access Rights: Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. These permissions can be read, write, execute, create, delete, etc.
Access Type: The nature of access granted to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
Accident: (1) Technical: any unplanned or unintended event, sequence, or combination of events that results in death, injury, or illness to personnel or damage to or loss of equipment or property (including data, intellectual property, etc.), or damage to the environment. (2) Legal: any unpleasant or unfortunate occurrence that causes injury, loss, suffering, or death; an event that takes place without one's foresight or expectation.
Accountability: A security principle stating that individuals must be able to be identified. With accountability, violations or attempted violations can be traced to individuals who can be held responsible for their actions.
Accountability: The ability to map a given activity or event back to the responsible party; the property that ensures that the actions of an entity may be traced to that entity.
Accounting: The process of apportioning charges between the home environment, serving network, and user.
Accreditation: A program whereby a laboratory demonstrates that something is operating under accepted standards to ensure quality assurance.
Accreditation: (1) A management or administrative process of accepting a specific site installation/implementation for operational use based upon evaluations and certifications. (2) A formal declaration by a Designated Approving Authority (DAA) that the AIS is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security. (3) Formal declaration by a DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
Accreditation Authority: Synonymous with Designated Approving Authority (DAA).
Accreditation boundary: All components of an information system to be accredited by the designated approving authority, excluding separately accredited systems to which the information system is connected.
Accreditation letter: The accreditation letter documents the decision of the authorizing official and the rationale for the accreditation decision and is documented in the final accreditation package, which consists of the accreditation letter and supporting documentation.
Accreditation Package: A product of the certification effort and the main basis for the accreditation decision. Note: The accreditation package, at a minimum, will include a recommendation for the accreditation decision and a statement of residual risk in operating the system in its environment. Other information included may vary depending on the system and the DAA.
Accredited: Formally confirmed by an accreditation body as meeting a predetermined standard of impartiality and general technical, methodological, and procedural competence.
Accredited Standards Committee (ASC): An organization that has been accredited by ANSI for the development of American National Standards.
Accrediting Authority: Synonymous with Designated Approving Authority (DAA).
Accumulator: An area of storage in memory used to develop totals of units or items being computed.
Accuracy: A performance criterion that describes the degree of correctness with which a function is performed.
ACF: User data protection access control functions.
ACG: Ambulatory Care Group.
ACH: See Automated Clearinghouse.
ACI: Access control information.
ACK: Acknowledgment.
Acknowledgment (ACK): A type of message sent to indicate that a block of data arrived at its destination without error. A negative acknowledgment is called a NAK.
ACL: See access control list.
ACM: Configuration management assurance class