ISC2 CAP Definitions

372 Terms

1
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
2
Agency
Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor operated facilities, including laboratories engaged in national defense research and production activities.
3
Availability
Ensuring timely and reliable access to and use of information.
4
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
5
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
6
Continuous monitoring
Maintaining ongoing awareness to support organizational risk decisions.
7
Environment of Operation
The physical surroundings in which an information system processes, stores, and transmits information.
8
Executive Agency
An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
9
External Information System Service Provider
A provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements.
10
Federal Information System
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
11
Impact
The magnitude of harm that can be expected to result from the consequences of unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
12
Individual
A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.
13
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for integrity, confidentiality, and availability.
14
Information
An instance of an information type.
15
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
16
Integrity
Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
17
Mission/Business Segment
Elements of organizations describing mission areas, common/shared business services, and organization-wide services. Mission/business segments can be identified with one or more information systems which collectively support a mission/business process.
18
National Security Information
Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.
19
Organization
An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or as appropriate, any of its operational elements).
20
Personally Identifiable Information (PII)
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
21
Reciprocity
Mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information.
22
Residual Risk
The remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat.
23
Risk
The level of impact on organizational operations (including mission, functions, image or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
24
Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation arising through the operation of an information system. Part of risk management; incorporates threat and vulnerability analyses and considers the mitigation provided by security controls planned or in place. Synonymous with risk analysis.
25
Risk Assessment Report (RAR)
The report that contains the results of performing a risk assessment, or the formal output from the process of assessing risk.
26
Risk Management
The process of managing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
27
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
28
Risk Response
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
29
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result.
30
Security Objective
Confidentiality, integrity, and availability. (Sources: FIPS 199; FIPS 200; SP 800-53; SP 800-53A; SP 800-60; SP 800-37)
33
Security Requirements
Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted. (Sources: FIPS 200; SP 800-53; SP 800-53A; SP 800-37; CNSSI-4009)
36
Sensitive Information
Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
37
Subsystem
A major subdivision or component of an information system consisting of information, information technology, and personnel that performs one or more specific functions.
38
System Development Life Cycle (SDLC)
The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
39
System of Record
A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
40
System of Records Notice
An official public notice of an organization's system(s) of records, as required by the Privacy Act of 1974, that identifies: (i) the purpose for the system of records; (ii) the individuals covered by information in the system of records; (iii) the categories of records maintained about individuals; and (iv) the ways in which the information is shared.
41
System Security Plan
Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. (Security Plan) (Sources: FIPS 200; SP 800-53; SP 800-53A; SP 800-37; SP 800-18)
44
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
45
Threat Assessment
Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
46
Threat Event
An event or situation that has the potential for causing undesirable consequences or impact.
47
Threat Scenario
A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time.
48
Threat Source
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.
49
Trustworthiness
The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.
50
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
51
Authorization Boundary
All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected. (Information System Boundary)
52
Federal Enterprise Architecture
A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
54
High Impact
The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the United States. For example, it (1) causes a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) results in major damage to organizational assets; (3) results in major financial loss; or (4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
55
Impact Value
The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.
56
Intellectual Property
Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation.
57
Mission Critical
Any telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002, FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of which would have a debilitating impact on the mission of an agency.
59
National Security System
Any information system (including any telecommunications system) used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency, (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) that is protected at all times by procedures established for information that has been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
60
PII Confidentiality Impact Level
The PII confidentiality impact level—low, moderate, or high— indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
61
Potential Impact
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (low); a serious adverse effect (moderate); or a severe or catastrophic adverse effect (high) on organizational operations, organizational assets, or individuals.
63
Privacy Impact Assessment (PIA)
An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (Sources: SP 800-53; SP 800-53A; SP 800-18; SP 800-122; CNSSI-4009; OMB M-03-22)
68
Security Categorization
The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
69
Security Category
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.
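The Impact Value, Potential Impact, Security Categorization, and Security Category cards above describe FIPS 199's scheme without showing how the values combine. The following is an added worked example (not part of this flashcard set, nor ISC2 or NIST code) of the FIPS 199 "high water mark": each information type a system handles is categorized per security objective, and the system's category takes, for each objective, the highest value across all its information types. It also handles the one edge case FIPS 199 calls out: a confidentiality value of "not applicable" is allowed only for an information type (public information), never for a system, so it contributes nothing and the system floor is low. The class and function names and the sample information types are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}.

    confidentiality may be None ("not applicable") for an information type that is
    public by design. FIPS 199 permits N/A only for confidentiality and only at the
    information-type level, never for an information system.
    """
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact

    def __str__(self) -> str:
        c = "N/A" if self.confidentiality is None else self.confidentiality.name.lower()
        return (f"SC = {{(confidentiality, {c}), (integrity, {self.integrity.name.lower()}), "
                f"(availability, {self.availability.name.lower()})}}")


def categorize_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Derive a system's security category from the information types it processes.

    Per objective, take the highest impact across all information types (the high
    water mark). N/A confidentiality values are skipped; if every type is N/A the
    system still gets LOW, because a system-level value cannot be N/A.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    conf = max((t.confidentiality for t in types if t.confidentiality is not None),
               default=Impact.LOW)
    integ = max(t.integrity for t in types)
    avail = max(t.availability for t in types)
    return SecurityCategory(conf, integ, avail)


def overall_impact(sc: SecurityCategory) -> Impact:
    """Overall impact level of a system (the value that selects the low/moderate/high
    security control baseline): the highest value among its three objectives."""
    if sc.confidentiality is None:
        raise ValueError("a system-level category cannot carry N/A confidentiality")
    return max(sc.confidentiality, sc.integrity, sc.availability)


# Constructed sample information types for a hypothetical public-facing agency portal.
PUBLIC_WEB_CONTENT = SecurityCategory(None, Impact.MODERATE, Impact.MODERATE)  # public: C = N/A
CITIZEN_PII = SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
ADMIN_LOGS = SecurityCategory(Impact.LOW, Impact.LOW, Impact.LOW)

if __name__ == "__main__":
    system = categorize_system([PUBLIC_WEB_CONTENT, CITIZEN_PII, ADMIN_LOGS])
    print(system)                       # SC = {(confidentiality, moderate), (integrity, moderate), (availability, moderate)}
    print(overall_impact(system).name)  # MODERATE
```

Note that the web content's N/A confidentiality does not drag the system down: the PII it also holds sets confidentiality to moderate, and the system as a whole lands at moderate, which is the value the baseline selection in FIPS 200 / SP 800-53 keys off.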
70
Assurance
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
71
Baseline Configuration
A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
72
Common Control
A security control that is inherited by one or more organizational information systems. See Security Control Inheritance.
73
Common Control Provider
An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).
74
Compensating Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800‐53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system.
75
Countermeasures
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
76
Course of Action
A time‐phased or situation‐dependent combination of risk response measures.
77
Defense-in-Depth
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
78
Defense-in-Breadth
A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or subcomponent life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).
79
Hybrid Security Control
A security control that is implemented in an information system in part as a common control and in part as a system-specific control. See also Common Control and System-Specific Security Control.
81
Information Security Continuous Monitoring (ISCM) Program
A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.
82
Management Control
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
83
Operational Controls
The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
84
Overlay
A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
85
Resilience
The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.
86
Safeguards
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
87
Scoping Guidance
A part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline.
88
Security Control Baseline
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
89
Security Control Enhancements
Statements of security capability to: (i) build in additional, but related, functionality to a security control; and/or (ii) increase the strength of the control.
90
Security Control Inheritance
A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application. These entities can be either internal or external to the organization where the system or application resides. See Common Control.
91
Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
92
System-Specific Security Control
A security control for an information system that has not been designated as a common security control or the portion of a hybrid control that is to be implemented within an information system.
93
Tailored Security Control Baseline
A set of security controls resulting from the application of tailoring guidance to the security control baseline. See Tailoring.
94
Tailoring
The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
95
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
96
Backup
A copy of files and programs made to facilitate recovery if necessary.
97
Business Impact Analysis (BIA)
An analysis of an information system's requirements, functions, and interdependencies that is used to characterize system contingency requirements and priorities in the event of a significant disruption.
98
Business Continuity Plan (BCP)
The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business function will be sustained during and after a significant disruption.
99
Business Recovery (Resumption) Plan (BRP)
The documentation of a predetermined set of instructions or procedures that describe how business processes will be restored after a significant disruption has occurred.
100
Cold Site
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.