Citations

Existing Citations

  • adequate security (p. B-1): Security commensurate with the risk resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III, Adapted] (†1844)
  • adequate security (p. E-2): Achieving adequate security for organizational information systems requires the correct combination of both functionality- and assurance-related security controls. (†1847)
  • authentication (p. B-2): Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. [FIPS 200] (†1843)
  • authenticity (p. B-2): The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. (†1842)
  • availability (p. B-2): Ensuring timely and reliable access to and use of information. [Citing 44 USC 3542] (†1684)
  • availability (p. B-2): Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542] (†1841)
  • chain of custody (p. F-50): Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. (†1845)
  • compliance (p. x): Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management. (†1846)
  • confidentiality (p. B-5): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (†1694)
  • confidentiality (p. B-5): Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542] (†1840)
  • data mining (p. B-6): Data Mining/Harvesting - An analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. (†1839)
  • data obfuscation (p. F-180): Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. (†1829)
  • harm (p. F-10): Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. (†1837)
  • impact (p. B-9): The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or an information system. (†1835)
  • information (p. B-9): Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. [CNSSI 4009] (†1834)
  • information security (p. B-10): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., Sec. 3542] (†1833)
  • integrity (p. B-12): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542] (†1832)
  • leakage (p. B-9): Information Leakage - The intentional or unintentional release of information to an untrusted environment. (†1831)
  • metadata (p. B-13): Information describing the characteristics of data including, for example, structural metadata describing data structures (e.g., data format, syntax, and semantics) and descriptive metadata describing data contents (e.g., information security labels). (†1830)
  • open source (p. F-76): Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software. (†1828)
  • organization (p. B-16): An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements). [FIPS 200, Adapted] (†1827)
  • personally identifiable information (p. B-16): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). [OMB Memorandum 07-16] (†1826)
  • privacy (p. J-1): Privacy, with respect to personally identifiable information (PII), is a core value that can be obtained only with appropriate legislation, policies, procedures, and associated controls to ensure compliance with requirements. Protecting the privacy of individuals and their PII that is collected, used, maintained, shared, and disposed of by programs and information systems, is a fundamental responsibility of federal organizations. Privacy also involves each individual’s right to decide when and whether to share personal information, how much information to share, and the particular circumstances under which that information can be shared. In today’s digital world, effective privacy for individuals depends on the safeguards employed within the information systems that are processing, storing, and transmitting PII and the environments in which those systems operate. Organizations cannot have effective privacy without a basic foundation of information security. Privacy is more than security, however, and includes, for example, the principles of transparency, notice, and choice. (†1825)
  • provenance (p. B-17): The records describing the possession of, and changes to, components, component processes, information, systems, organization, and organizational processes. Provenance enables all changes to the baselines of components, component processes, information, systems, organizations, and organizational processes, to be reported to specific actors, functions, locales, or activities. (†1824)
  • record (p. B-18): Records - The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). (†1823)
  • resilience (p. B-11): Information System Resilience - The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. (†1822)
  • resilience (p. B-11): Information System Resilience - The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. (†1836)
  • risk assessment (p. B-19): The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. (†1821)
  • risk management (p. B-19): The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time. [CNSSI 4009, adapted] (†1816)
  • risk mitigation (p. B-19): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. [CNSSI 4009] (†1815)
  • security (p. B-20): A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. [CNSSI 4009] (†1817)
  • structured data (p. F-16): Structured data permits the interpretation of data content by applications. (†1814)
  • system (p. B-10): Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. [44 U.S.C., Sec. 3502] (†1818)
  • threat (p. B-25): Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [CNSSI 4009, Adapted] (†1819)
  • trust (p. 19-20): Ultimately, the responsibility for adequately mitigating unacceptable risks arising from the use of external information system services remains with authorizing officials. Organizations require that appropriate chains of trust be established with external service providers when dealing with the many issues associated with information system security. Organizations establish and retain a level of trust that participating service providers in the potentially complex consumer-provider relationship provide adequate protection for the services rendered to organizations. The chain of trust can be complicated due to the number of entities participating in the consumer-provider relationship and the types of relationships between the parties. External service providers may also outsource selected services to other external entities, making the chain of trust more difficult and complicated to manage. Depending on the nature of the services, organizations may find it impossible to place significant trust in external providers. This situation is due not to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services. Where a sufficient level of trust cannot be established in the external services and/or providers, organizations can: (i) mitigate the risk by employing compensating controls; (ii) accept the risk within the level of organizational risk tolerance; (iii) transfer risk by obtaining insurance to cover potential losses; or (iv) avoid risk by choosing not to obtain the services from certain providers (resulting in performance of missions/business operations with reduced levels of functionality or possibly no functionality at all). For example, in the case of cloud-based information systems and/or services, organizations might require as a compensating control, that all information stored in the cloud be encrypted for added security of the information. Alternatively, organizations may require encrypting some of the information stored in the cloud (depending on the criticality or sensitivity of such information)—accepting additional risk but limiting the risk of not storing all information in an unencrypted form. (†1848)
  • trust relationship (p. F-163): The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organizations to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). (†1813)
  • trustworthiness (p. 20-21): Trustworthiness with respect to information systems, expresses the degree to which the systems can be expected to preserve with some degree of confidence, the confidentiality, integrity, and availability of the information that is being processed, stored, or transmitted by the systems across a range of threats. Trustworthy information systems are systems that are believed to be capable of operating within a defined risk tolerance despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in the environments in which the systems operate—systems that have the trustworthiness to successfully carry out assigned missions/business functions under conditions of stress and uncertainty. (†1811)
  • trustworthiness (p. B-25): The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. [CNSSI 4009] (†1812)
  • unstructured data (p. F-16): Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). (†1810)
  • vulnerability (p. B-26): Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (†1820)