Citations

Existing Citations

  • access (p. 1): Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. (†1673)
  • access control (p. 1): The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances). (†1674)
  • access control (p. 2): access control mechanism ~ Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system. (†1675)
  • access control (p. 2): Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. ¶ Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. (†1676)
  • accountability (p.2): Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. (†1723)
  • adequate security (p.2): Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. (†1722)
  • audit (p.4): Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures. (†1721)
  • authentication (p.4): The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data. (†1720)
  • authenticity (p. 5): The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. (†1717)
  • availability (p. 6): The property of being accessible and useable upon demand by an authorized entity. (†1685)
  • backup (p.6): Copy of files and programs made to facilitate recovery, if necessary. (†1724)
  • certification (systems) (p. 9): Comprehensive evaluation of the technical and non-technical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. See security control assessment. (†1689)
  • chain of custody (p. 10): A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner. (†1690)
  • clearance (p. 11): Formal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material. (†1691)
  • cloud computing (p. 12): A model for enabling on-demand network access to a shared pool of configurable IT capabilities/ resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), and Cloud Infrastructure as a Service (IaaS)); and four models for enterprise access (Private cloud, Community cloud, Public cloud and Hybrid cloud). (†1692)
  • confidence (p. 3): assurance ~ Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy. (†1716)
  • confidence (p. 5): authenticity ~ The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. (†1718)
  • confidentiality (p. 17): The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information. (†1693)
  • data (p.23): A subset of information in an electronic format that allows it to be retrieved or transmitted. (†1725)
  • denial of service (p.24): The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) (†1726)
  • disaster recovery plan (p.25): Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. (†1727)
  • e-government (p. 26): The use by the U.S. Government of web-based Internet applications and other information technology. (†1695)
  • encryption (p.27): The process of changing plaintext into ciphertext for the purpose of security or privacy. (†1728)
  • enterprise risk management (p. 28): The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary. (†1696)
  • forensics (p.31): The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. (†1729)
  • identifier (p.34): A data object - often, a printable, non-blank character string - that definitively represents a specific identity of a system entity, distinguishing that identity from all others. (†1730)
  • identity (p.34): The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity. (†1731)
  • impact (p.34): impact level - The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (†1732)
  • information (p.35): Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. (†1733)
  • information assurance (p.35): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (†1734)
  • information management (p.36): The planning, budgeting, manipulating, and controlling of information throughout its life cycle. (†1735)
  • information security (p.37): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (†1736)
  • integrity (p.38): The property whereby an entity has not been modified in an unauthorized manner. (†1737)
  • internet (p.39): The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). (†1738)
  • media sanitization (p.46): The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. (†1739)
  • personally identifiable information (p.54): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (†1740)
  • record (p.59): records - The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). (†1741)
  • records management (p.59): The process for tagging information for records keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements. (†1742)
  • residual risk (p.60): Portion of risk remaining after security measures have been applied. (†1743)
  • risk (p.61): A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (†1744)
  • risk analysis (p.61): Examination of information to identify the risk to an information system. (†1745)
  • risk assessment (p.61): The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). (†1746)
  • risk management (p.62): The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and 4) documenting the overall risk management program. (†1747)
  • risk mitigation (p.62): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. (†1748)
  • risk tolerance (p.62): The defined impacts to an enterprise’s information systems that an entity is willing to accept. (†1749)
  • security (p.64): A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. (†1750)
  • sensitive data (p.68): sensitive information - Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235).) (†1751)
  • service level agreement (p.68): Defines the specific responsibilities of the service provider and sets the customer expectations. (†1752)
  • system (p.72): Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. (†1753)
  • threat (p.75): Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (†1754)
  • trustworthiness (p. 77): The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. (†1719)
  • vulnerability (p.81): Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (†1755)