Cybersecurity

Adequate Security

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information

Administrative Controls

Controls implemented through policy and procedures. ex access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls such as an access-granting policy for new users that requires login and approval by the hiring manager.

Artificial Inteligence

The ability of computers and robots to simulate human intelligence and behavior.

Asset

Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.

Authentication

Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single-factor or SFA) or more (multifactor authentication or MFA) factors of identification.

Authorization

The right permission thaT is granted to a system entity to access a system resource.

Availability

Ensuring timely and reliable access to and use of information by authorized users.

Baseline

A documented, lowest level of security configuration allowed by a standard or organization.

Biometric

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

Bot

Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.

Classified or Sensitive Information

Information that has been determined to require protection against unauthorized disclosure that is marked to indicate its classified status and classification level when in documentary form.

Confidentiality

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

Criticality

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

Data Integrity

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit.

Encryption

The process and act of converting the message from its plaintext to cipher text. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

General Data Protection Regulation (GDPR)

In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.

Governance

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions.

Health Insurance Portability and Accountability Act (HIPAA)

This US federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual’s health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. est 1996

Impact

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.

Information Security Risk

The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nations, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

Institute of Electrical and Electronic Engineers

IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.

Integrity

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

International Organization of Standards (ISO)

The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.

Internet Engineering Task Force (IETF)

The internet standards organization, made up of network designers, operators, vendors and researchers, the defines protocol standards (eg IP TCP DNS) through a process of collaboration and consensus.

Likelihood

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

Likelihood of Occurrence

A weighted factor based on a subjective analysis of the probability that a given threat is capable exploiting a given vulnerability or set of vulnerabilities.

Multi-Factor Authentication

Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.

National Institutes of Standards and Technology (NIST)

The NIST is part of the US Department of Commerce and addresses the measurement of infrastructure within science and technology efforts within the US federal government. NIST sets standards in several areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.

Non-repudiation

The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

Personally Identifiable Information

The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, data and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information”.

Physical Controls

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

Privacy

The right of an individual to control the distribution of information about themselves.

Probability

The chances, or likelihood, that a given threat is a capable of exploiting a given vulnerability or a set of vulnerabilities.

Protected Health Information (PHI)

Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).

Qualitative Risk Analysis

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.

Risk

A possible event which can have a negative impact upon the organization.

Risk Acceptance

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Risk Assessment

The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigation provided by security controls planned or in place.

Risk Avoidance

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination

Risk Management

The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.

Risk Management Framework

A structured approach used to oversee and manage risk for an enterprise.

Risk Mitigation

Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.

Risk Tolerance

The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.

Risk Transference

Paying an external party to accept the financial impact of a given risk.

Risk Treatment

The determination of the best way to address an identified risk.

Security Controls

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.

Source: FIPS PUB 199

Sensitivity

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.

State

The condition an entity is in at a point in time.

System Integrity

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.

Technical Controls

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Threat Actor

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

Threat Vector

The means by which a threat actor carries out their objectives.

Token

A physical object a user possesses and controls that is used to authenticate the users identity.

Vulnerability

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Adverse Events

Events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a web page, or execution of malicious code that destroys data.

Breach

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose.

Business Continuity

Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Business Continuity Plan

The documentation of a predetermined set of instructions or procedures that describe how an organizations mission/business processes will be sustained during and after a significant disruption.

Business Impact Analysis

An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Disaster Recovery

In terms of information systems, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.

Disaster Recovery Plan

The processes, policies, and procedures related to preparing for recovery or continuation of an organization's critical business functions, technology infrastructure, systems, and applications after the organization experiences a disaster. A disaster is when an organizations critical business functions) cannot be performed at an acceptable level within a predetermined period following a disruption.

Event

Any observable occurrence in a network or system.

Exploit

A particular attack. It is so named because these attacks exploit system vulnerabilities.

Incident

An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

Incident Handling

The mitigation of violations of security policies and recommended practices.

Incident Response

A process aimed at reducing the impact of an incident so the organization can resume the interrupted operations as soon as possible.

Incident Response Plan

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyberattack against an organization's information systems(s).

Intrusion

A security event, or combination of security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.

Security Operations Center

A centralized organizational function fulfilled by an information security team that monitors, detects, and analyzes events on the network or system to prevent and resolve issues before they result in business disruptions.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Vulnerability

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

Zero Day

A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.

Audit

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

Crime Prevention through Environmental Design

An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.

Defense in Depth

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Discretionary Access Control (DAC)

A certain amount of access control is left to the discretion of the objects owner, or anyone else who is authorized to control the objects access. The owner can determine who should have access rights to an object and what those rights should be.

Encrypt

To protect private information by putting it into a form that can only be read by people who have permission to do so.

Firewalls

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Insider Threat

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.

iOS

An operating system manufactured by Apple Inc. Used for mobile devices.

Layered Defense

The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.

Linux

An operating system that is open source, making its source code legally available to end users.

Log Anomaly

A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.

Logging

Collecting and storing user activities in a log, which is a record of the events occurring within an organization's systems and networks.

Logical Access Control Systems

An automated system that controls an individuals ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individuals identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.

Mandatory Access Control

Access control that requires the system itself to manage access controls in accordance with the organizations security policies.

Mantrap

An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

Object

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject.

Physical Access Controls

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

Principle of Least Privileged Account

The principle that users and programs should have only the minimum privileges necessary to complete their tasks.

Privileged Account

An information system account with approved authorizations of a privileged user.

Application programming inteface

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

Bit

The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

Broadcast

Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.

Byte

The byte is a unit of digital information that most commonly consists of eight bits.

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Community cloud

A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises.

De-encapsulation

The opposite process encapsulation, in which bundles of data are unpacked or revealed.

Denial-of-Service

The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)