قاموس أمن المعلومات

Ability to make use of any information system (IS) resource.

An entity responsible for monitoring and granting access privileges for other authorized entities.

The process of granting or denying specific requests:

1) for obtaining and using information and related information processing services; and

2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

A register of:

1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and

2) the types of access they have been permitted.

Involves

1) the process of requesting, establishing, issuing, and closing user accounts;

2) tracking users and their respective access authorizations; and

3) managing these functions.

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

The official management decision given by a senior agency official to authorize operation of an system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected.

The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to:

1) the system security plan;

2) the assessment results from the security certification; and

3) the plan of action and milestones.

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

Private data, other than keys, that are required to access cryptographic modules.

Active content refers to electronic documents that are able to automatically carry out or trigger actions on a computer platform without the intervention of a user.

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.

The Advanced Encryption Standard specifies a U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

A CA that acts on behalf of an Agency, and is under the operational control of an Agency.

A program used in distributed denial of service (DDoS) attacks that sends malicious traffic to hosts based on the instructions of a handler.

The examination of acquired data for its significance and probative value to the case.

A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.

The subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.

The use of information resources (information and information technology) to satisfy a specific set of user requirements.

Application content filtering is performed by a software proxy agent to remove or quarantine viruses that may be contained in email attachments, to block specific Multipurpose Internet Mail Extensions (MIME) types, or to filter other active content such as Java, JavaScript, and ActiveX® Controls.

Federal Information Processing Standard (FIPS) approved or National Institute of Standards and Technology (NIST) recommended. An algorithm or technique that is either

1) specified in a FIPS or NIST Recommendation, or

2) adopted in a FIPS or NIST Recommendation.

A mode of the cryptographic module that employs only approved security functions (not to be confused with a specific mode of an approved security function, e.g., Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode).

A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either

a) specified in an approved standard,

b) adopted in an approved standard and specified either in an appendix of the approved standard or in a document referenced by the approved standard, or

c) specified in the list of approved security functions.

A focused activity or action employed by an assessor for evaluating a particular attribute of a security control.

A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

One of the five “Security Goals.” It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes

(1) functionality that performs correctly,

(2) sufficient protection against unintentional errors (by users or software), and

(3) sufficient resistance to intentional penetration or by-pass.

Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

A specific sequence of events indicative of an unauthorized access attempt.

An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures

Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.

A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.

To confirm the identity of an entity when that identity is presented.

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. The process of establishing confidence of authenticity. Encompasses identity verification, message origin authentication, and message content authentication. A process that establishes the origin of information or determines an entity’s identity.

A cryptographic checksum based on an approved security function (also known as a Message Authentication Code (MAC)).

The process of establishing confidence in user identities electronically presented to an information system.

Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.

A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

A well specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected.

A pair of bit strings associated to data to provide assurance of its authenticity.

Authentication information conveyed during an authentication exchange.

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

An algorithm which creates random passwords that have no association with a particular user.

Ensuring timely and reliable access to and use of information.

Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.

A copy of files and programs made to facilitate recovery if necessary.

The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.

A bastion host is typically a firewall implemented on top of an operating system that has been specially configured and hardened to be resistant to attack.

What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.

Process of associating two related elements of information. An acknowledgement by a trusted third party that associates an entity’s identity with its public key. This may take place through

(1) a certification authority’s generation of a public key certificate,

(2) a security officer’s verification of an entity’s credentials and placement of the entity’s public key and identifier in a secure database, or

(3) an analogous method.

A physical or behavioral characteristic of a human being. A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and handwriting samples are all examples of biometrics.

The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g. patterns.)

An automated system capable of:

1) capturing a biometric sample from an end user;

2) extracting biometric data from that sample;

3) comparing the biometric data with that contained in one or more reference templates;

4) deciding how well they match; and

5) indicating whether or not an identification or verification of identity has been achieved.

A characteristic of biometric information (e.g. minutiae or patterns.)

Malicious code that uses multiple methods to spread.

Sequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.

A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.

A family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.

A virus that plants itself in a system’s boot sector and infects the master boot record.

Monitoring and control of communications at the external boundary between information systems completely under the management and control of the organization and information systems not completely under the management and control of the organization, and at key internal boundaries between information systems completely under the management and control of the organization, to prevent and detect malicious and other unauthorized communication, employing controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels).

A boundary router is located at the organizations boundary to an external network.

A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.

The documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.

An analysis of an information technology (IT) system’s requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

The documentation of a predetermined set of instructions or procedures that describe how business processes will be restored after a significant disruption has occurred.

The method of taking a biometric sample from an end user.

An individual possessing an issued Personal Identity Verification (PIV) card.

A digital representation of information which at least

1) identifies the certification authority issuing it,

2) names or identifies its subscriber,

3) contains the subscriber's public key,

4) identifies its operational period, and

5) is digitally signed by the certification authority issuing it. A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.

A Certificate Policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.

A Certification Authority (CA) or a Registration Authority (RA).

Information, such as a subscriber's postal address, that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.

A list of revoked public key certificates created and digitally signed by a Certification Authority.

A trusted entity that provides on-line verification to a Relying Party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The individual, group, or organization responsible for conducting a security certification.

A trusted entity that issues and revokes public key certificates. The entity in a public key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance to a PKI policy.

The collection of equipment, personnel, procedures and structures that are used by a Certification Authority to perform certificate issuance and revocation.

A statement of the practices that a Certification Authority employs in issuing, suspending, revoking and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a shared secret (often by hashing the challenge and secret together) to generate a response that is sent to the verifier. The verifier knows the shared secret and can independently compute the response and compare it with the response generated by the claimant. If the two are the same, the claimant is considered to have successfully authenticated himself. When the shared secret is a cryptographic key, such protocols are generally secure against eavesdroppers. When the shared secret is a password, an eavesdropper does not directly intercept the password itself, but the eavesdropper may be able to find the password with an off-line password guessing attack

Agency official responsible for:

1) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, executive orders, directives, policies, regulations, and priorities established by the head of the agency;

2) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.

Series of transformations that converts plaintext to ciphertext using the Cipher Key.

A secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.

Secret, cryptographic key that is used by the Key Expansion routine to generate a set of Round Keys; can be pictured as a rectangular array of bytes, having four rows and Nk columns.

Negotiated algorithm identifiers. Cipher suites are identified in human readable form using a pneumonic code.

Data output from the Cipher or input to the Inverse Cipher.

A party whose identity is to be verified using an authentication protocol. An entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard (claimant) can act on behalf of a human user (principal))

Information that has been determined pursuant to Executive Order (E.O.) 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.