Information Security Glossary - General Terms

This glossary has been put together from various sources, with many definitions rewritten to clarify them. If you require explanation, want to challenge a definition, or wish to suggest an addition, please contact info@janainformation.com

Access (Physical)
Getting in person, by both regular and irregular ways and means, into a site, area, room or installation; getting at the (physical) components or controls of a system of any kind; or gaining hold of a Document.
Access (Systems)
The ability to use Applications, Documents or support/maintenance functions within information management systems available for executing tasks, reading or modifying information; by both regular and irregular ways and means.
Access Control
The enforcement of specified authorisation rules based on positive identification of users and the systems, data or physical environments they are permitted to access, i.e. the process of ensuring that systems are only accessed by those authorised to do so, and only in a manner for which they have been authorised. For systems this means control of Users and Passwords, for physical areas this means installation of locks, control of keys, access cards, etc.
Access Control System
Hardware and/or software used for controlling access to computer systems’ resources.
Active Attack
An attack on a system which either injects false information into the system, or corrupts information already present in the system. See also Passive Attack.
Adequacy
The state or quality of being sufficient for the required purpose.
Administrative Security
The management constraints and supplemental controls established to provide an acceptable level of protection for data.
AIS
Automated Information System - any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data, and includes software, firmware, and hardware.
Algorithm
A set of rules which specifies a method of carrying out a task (e.g. an Encryption algorithm).
Anti-Virus Software
Program designed to detect, notify and remove Computer Viruses and other malicious software. Mandatory to be installed on all personal computers used in the Company. Must be regularly updated in order to keep up with the ongoing release of new types of computer viruses. Recommended to also install on private computers, especially if data exchange is taking place with the workplace.
Application
Totality of (Information Management) processes and procedures for fulfilling a defined task and the related information for their use. The complete application will also include manual processes and storage of paper documents, so will also be subject to general security measures that are not IT-related, e.g. Clear Desk Policy.
Application Gateway
A firewall that uses Proxies to provide security.
Asset
An Information, Data or IT Resource that has a non-negligible value.
Assurance
The confidence, based on some form of analysis, that an objective is being achieved. It is usually expressed in statistical terms, i.e. the level of confidence a specific Security Breach has not occurred or will not occur.
Asymmetric Encryption
Encryption methodology that uses different keys for encryption and decryption. Asymmetric encryption is nowadays the preferred method of encryption because there is no need to share secret information with the accompanying risks, i.e. of loss or exposure during transportation. Asymmetric or Public Key encryption requires two separate keys for each participant, the Public Key and the Private Key. Encryption of a document/data file is accomplished by combining the private key of the sender with the public key of the recipient (for a distribution list, this process is carried out for each intended recipient). Decryption is carried out using the private key of the recipient and the public key of the sender. It is not possible with current computer technology and strong encryption Algorithms to derive a private key from a public key.
Asymmetric Key Management
Key management based upon Asymmetric or Public Key cryptographic techniques.
Attack
An attempt to gain unauthorised access to information resources.
Audit
Examining and evaluating the security of an entity (e.g. company, system, application, network): verification of the appropriateness of a process or installation for its intended purpose and of its compliance with the related legislation, guidelines, instructions etc.
Audit Log/Trail
A date and time stamped record of the usage of a system. It records what a computer was used for, allowing a security manager to monitor the actions of every user, and can help in establishing an alleged fraud or security violation.
Authentication (Document)
Process for proving the Authenticity of a document or request.
The process that verifies or corroborates the claimed identity of a station, originator, or individual as established by an identification process. There are three levels of personal authentication, in order of strength and expense:
A written signature, which is frequently not difficult to forge, falls into the first category.
Authenticity
Property of an information resource indicating that its quality is as required or expected, in other words that no unauthorised modification has taken place, and that it is not incomplete, inaccurate or bogus. See also Integrity.
Authorisation
Positive determination by the owner of an information resource that a specific individual is trusted for a specified purpose and may access that information resource for that purpose. After Authentication, the process of allowing a positively identified user, who has permission from the resource Owner, to access the requested information resource.
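The Authorisation entry describes a two-step sequence: a user is first positively identified (Authentication), and only then is the access request checked against the permissions the resource Owner has granted, with the outcome recorded in an Audit Log. The following is an added illustration written for this glossary, not code from the original page; the user store, the permission table and the resources named in it are constructed sample data, and the salted PBKDF2 password scheme is an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)


def make_password_record(password: str) -> dict:
    """Store a salted hash, never the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store for the example.
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}

# Permissions granted by the resource Owner: resource -> {user: set(actions)}.
# Anything not listed is denied (default deny). Constructed sample data.
PERMISSIONS = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "board-minutes.docx": {"alice": {"read"}},
}

# Date- and time-stamped Audit Log of every authentication and access decision.
AUDIT_LOG = []


def audit(event: str, user: str, resource: str, outcome: str) -> None:
    stamp = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(f"{stamp} {event} user={user} resource={resource} outcome={outcome}")


def authenticate(user: str, password: str) -> bool:
    """Verify the claimed identity against the stored salted hash."""
    record = USERS.get(user)
    if record is None:
        # Burn the same work for an unknown user so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        audit("AUTH", user, "-", "FAIL unknown user")
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time comparison
    audit("AUTH", user, "-", "OK" if ok else "FAIL bad password")
    return ok


def authorise(user: str, resource: str, action: str) -> bool:
    """Check the Owner's permission table; unknown resource or user means deny."""
    allowed = action in PERMISSIONS.get(resource, {}).get(user, set())
    audit("ACCESS", user, resource, f"{action} {'ALLOW' if allowed else 'DENY'}")
    return allowed


def access(user: str, password: str, resource: str, action: str) -> bool:
    """Authentication first; only a positively identified user reaches the authorisation check."""
    if not authenticate(user, password):
        return False
    return authorise(user, resource, action)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.xlsx", "write"))
    print(access("bob", "hunter2", "payroll.xlsx", "write"))
    print("\n".join(AUDIT_LOG))
```

Two points the code makes explicit: authorisation never runs for a request that failed authentication, and every decision, including denials, lands in the audit trail so that a security manager can later reconstruct who tried what.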
Availability
The property that ensures that information or resources are at the users’ disposal at the time and to the extent required by the business, both by means of business continuity planning, and by the implementation of security measures to prevent unauthorised withholding of information or resources from the user, either in terms of an unacceptable delay to access, or permanent deprivation.
Awareness
The state of being on one’s guard against potential threats and security breaches, being able to identify potential vulnerabilities, and also knowing how to report such an occurrence.

Back Door
See Trapdoor
Backup
A copy of computer data that is used to recreate data that has been lost, mislaid, corrupted or erased.
Baseline Security
Method of selecting security measures for implementation within a company based upon the common measures used in other similar companies that are generally accepted to be well-run. In this way the common threats to a company’s computer systems and networks are countered with prudence without the requirement for detailed Risk Analysis or even more broad-brush Risk Assessment. These latter techniques can of course be used in addition to determine company-specific vulnerabilities and threats and the additional measures required to counter them. Implementation of Baseline Security throughout a company provides a common basis for units to develop, implement and measure effective information security management and practice, and also provides confidence in inter-unit/inter-company trading. The British Standard for Information Security Management, BS7799 (now ISO 17799), provides a list of baseline controls which should be implemented in all circumstances, and it is salutary to see how many of these basic principles apply to the smallest of organisations, not just large companies.
Biometrics, Biometrical Verification
Variety of methods using unique biological distinctive marks tied to the legitimate user for identification purposes, such as fingerprints, face or voice recognition etc., for granting access to protected sites / buildings, systems, (electronic) transactions.
Business Continuity Planning
Prepared (and tested) measures for protection of critical business operations from the effects of a loss, damage or other failure of operational facilities providing crucial functions (e.g. programs and data) to them. In terms of Information Security this comprises e.g. backups and archiving, stand-in hardware etc.

Certificate
A digital identifier linking an entity and a trusted third party able to confirm the entity’s identity.
Certification Authority (CA)
A trusted authority licensed to issue certificates for Digital Signatures and to validate that they are being used legitimately by reputable organisations. CAs can be internal or external to an organisation. CAs themselves have a certificate that is issued to them by other CAs.
Classification
Means of protecting sensitive information by allocating it to one of the Company-defined Classification Categories, and thus of communicating the need for, and required level of, Security protection for a specific piece of information. See also "Need to know" - Principle.
Classification Category
Set of rules for Security protection to which a specific piece of sensitive information, or an entire business process with all the related information, is subject following an assessment of the potential damage in case of leakage or other compromising action. Available classification categories and their associated security rules are usually defined in the company’s Information Security Manual.
Clear Desk Policy
Policy according to which accidental or deliberate Access to information in a room by unauthorised persons is hindered by keeping business-related documents locked away outside working hours (classified information in accordance with its handling rules), even when the room entrance itself is locked, and by locking the room entrance during the day whenever the room is left unattended for some time. In a wider sense it also comprises the obligation to have the computer screen saver set to activate automatically after a prescribed maximum delay, with password protection.
Making information in any form (data, voice, script etc.) available to others. See also Transmission.
Computer Virus
Computer program designed for performing effects ranging from simple screen jokes through to data corruption / destruction to completely incapacitating the computer or the entire network. Usually hidden within unsuspicious, even commercially distributed, programs and data files and spread via e.g. software media, attachments to e-mail messages or Internet downloads. Unlike a Trojan Horse, a virus is capable of self-propagating and often becomes active only after a delay (e.g. certain date, after a fixed number of start-up cycles of the system or a specific software etc.). See also Anti-Virus Software, Trojan Horse, Virus Hoax and Worm.
Confidential
Classification Category for information which is of significance to a company, the disclosure of which to unauthorised persons or organisations, or the loss or alteration of which, could prejudice the interests and objectives of any business unit or corporate department, inhibit the performance of duties by any employee, or cause someone personal harm or embarrassment. Requires limitation of access and distribution.
Confidentiality
The process of ensuring that sensitive information is only disclosed to those authorised to see it at authorised times, and that unauthorised disclosure is prevented. Also known as secrecy.
Legal document (contract) binding the recipient of business information to use such information solely for the purpose of the related (named) business process, to keep it secure from unauthorised access by others and not to pass it further without consent of the information Owner. Normally also to contain procedures to be followed upon termination of the relevant business process.
Contractor
Organisation or person from outside the Company or from other departments of the Company providing services.
Cookies
Pieces of information that a web site stores on and reads from an Internet user’s computer. Temporary cookies only last as long as the browser is running, but persistent cookies remain on the computer’s hard disk and are used to identify repeat visitors, etc. Cookies can also be used by web-sites on behalf of third parties, such as Internet Marketing organisations, to build up a profile of the browsing/buying habits of an Internet user, and are therefore regarded by many as a breach of privacy. Company browsers should normally have the cookie security option set to "Disable all cookie use" or "Prompt before accepting cookies".
Corporate Information Security Policy
A short non-technical statement setting out the basic rules upon which a company’s information security infrastructure will be built.
Cost
The amount of resources expended in a course of action, expressed in financial terms, or in terms which can easily be converted to financial terms.
Cracker
See Hacker
Critical Information Resource
A resource determined by management to be essential to the Company's critical mission and functions, the loss of which would have an unacceptable impact.
Cryptographic Key
A mathematical term or other parameter used to define how a given Algorithm would transform data into Ciphertext.
Cryptography
The mathematical process of transforming clear, meaningful information into an enciphered, unintelligible form using an Algorithm and a Key.
Custodian (of an Information Resource)
Guardian or caretaker; the holder of data; the agent charged with the resource owner's requirements for processing, telecommunications, protection controls, and output distribution for the resource. The custodian is normally a provider of services, internal or external.

Data
A representation of facts or concepts in an organised manner in order that it may be stored, communicated, interpreted, or processed by automated means. Data becomes Information when presented together with its assigned meaning.
Data Processing Area
Computing Centre or similar area.
Data Protection Requirements
Definition of IT Security Controls to ensure data security within the company's IT environment.
Data Safe
Containment for safe storage of data storage media with primary purpose to prevent fire damage to its contents (defined by maximum allowable inside temperature after given exposure time and for different media such as paper, tapes, disks), normally offers only limited resistance against forced access (recent models combine strengths of "ordinary safes" with fire protection).
Deciphering
See Decryption
Decryption
The process of transforming ciphered (encrypted) text back into plain text. It is the reverse of Encryption. Also known as Deciphering.
Demilitarised Zone (DMZ)
A computer or network located outside the secure network but still protected from the unsecured network or Internet.
Denial Of Service Attack
An attack on a company’s Internet web-site by hackers, many of whom are strongly politically motivated to disrupt Internet commerce, that bombards it with meaningless data to create a "virtual traffic jam" so that it cannot respond to legitimate requests and genuine users cannot gain access. This is the Internet equivalent of thousands of bogus callers ringing a mail order company’s sales line so that genuine callers will find it constantly engaged. The objective of this type of attack is not to gain access to the site or retrieve information, but to disrupt the company’s business.
Dial-in Service
Remote access service for direct access from outside to the company network infrastructure and its resources within the company network (such as servers, databases, etc).
Digital Signature
A method of ensuring the authenticity and origin of any message - the digital signature ensures that a communication has not been amended and that it originates from the person it purports to come from. Digital signatures from previously unknown sources can be validated by Certification Authorities.
Directive
Document containing a set of company-issued security measures which must be implemented under all circumstances, i.e. they are mandatory. Directive measures usually use the word “must”. Company Units will be audited against Directives. A decision not to implement a Directive measure for any reason, e.g. operational or legal, must be carried out in accordance with an agreed Exceptions procedure, and must be documented and authorised at site management level. Exceptions must be put in place for defined periods only and will be challenged during audits. Directives are often supplemented by Guidelines, which are recommended to be implemented to comply with good practice, but which are not mandatory.
Disaster
A condition by which an information resource becomes unavailable, as a result of a natural or man-made occurrence, that is of sufficient duration to cause significant disruption in the accomplishment of business objectives, as determined by Company management.
Disclosure
Unauthorised access to and revelation of Confidential or sensitive information.
Document
Something written, inscribed, engraved, etc., which provides evidence or information or serves as a record. For information security purposes a document can be in non-computerised form (not only paper records but also microfilm, microfiche, taped messages, etc.) or in computerised form (any discrete entity created by an office application: word processing, spreadsheet, presentation, database, drawing, etc.).
Eavesdropping
Procuring of information by clandestine listening, usually by technical means such as wire-tapping, implanted ("bugs") or remote listening devices, interception of stray radiation from computer monitors etc. or by visual or technically assisted observation (of e.g. projection screens in conference rooms or offices). Illegal in many jurisdictions unless carried out by an official agency (police or intelligence service).
EDI
Electronic Data Interchange - the transfer of structured commercial data between the computer systems of different organisations using agreed message formats which conform to proprietary or international standards such as EDIFACT. Examples of agreed message formats are purchase orders and salary payments. EDI has been extremely successful in streamlining the supply chains and payment procedures of all major companies for the past twenty years. However, it requires complicated transaction formats and relatively high-cost specialised software. An extranet implements the same processes using the ubiquitous HTTP and TCP/IP protocols, removing the entry barriers for small firms, and widely extending the reach and reducing costs for larger organisations.
Electronic Authentication
Hidden mark (usually a sophisticated Algorithm) in an electronic document ensuring the integrity of the original content by raising an alarm upon even insignificant alterations. See also Digital Signature.
Electronic Signature
An alternative name for Digital Signature
Encryption
Method of making a message unreadable for anyone except the intended recipient, i.e. with a cipher Algorithm and Keys, so that anyone not in possession of the proper key cannot read the information. Also known as Enciphering. In electronic storage or transmission of information, cryptographic methods (sophisticated mathematical operations) are used in order to make it impossible to have the contents revealed by coincidence, and to make it at or beyond the limits of available computer power to decipher the contents within a reasonable time (the deciphering capacity required for state-of-the-art encryption keys is measured in many millions of processor-hours). Prevents scanning for keywords by automated surveillance systems. Today Asymmetric Encryption is most common, based on separate Public Keys and Private Keys. In some jurisdictions the use of encryption is restricted, subject to notification to government agencies, or entirely forbidden.
End-to-End Security
Application of security measures consistently across a whole data system or process, leaving no weak points.
End User
A person using an IT system. Each End User is assigned a User Identification.
End User Data
Data belonging to an End User and stored on a server or an End User Machine.
End User Machine
A computer at an End User’s desk.
Exhaustive Key Search
Finding out which key an encryption system actually used by testing all possible keys in turn. Also known as "brute force".
Expected Loss/Exposure
Vulnerability to loss resulting from accidental or intentional disclosure, modification, or destruction of information resources. Can be expressed as:
Extranet
An extended private network that uses Internet protocols and the public telecommunication system to share part of a business's information or operations (such as a company’s Intranet) securely with suppliers, vendors, partners, customers, or other businesses. Various levels of accessibility are provided to authorised outsiders, dependent upon their identity. An extranet accelerates business between business partners and even individual customers, but requires state-of-the-art security measures including firewall server management, the issuance and use of digital certificates, tokens or similar means of user authentication, Encryption of messages/transactions, and the use of virtual private networks (VPNs) that tunnel through the public network.

The principle that states that in the event of an unexpected failure or shutdown, a system should be left in a secure and protected state.
Firewall
A system or group of systems designed to prevent unauthorised access to or from a private network or a component of it. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorised external users from accessing private networks connected to the Internet, especially the intranet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified access criteria. A firewall can also be used wholly internally, to prevent unauthorised internal users from accessing a network resource of special sensitivity (e.g. an executive or human resources server).
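The Firewall entry says that every message crossing the boundary is examined and blocked unless it meets the specified access criteria; the Packet Filter entry later on names the simplest form of this, a rule list applied to packet headers. The following is an added illustration for this glossary, not code from the original page: a stateless, first-match packet filter with default deny. The rule set, the addresses (documentation ranges plus a 10.0.0.0/8 intranet) and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at; constructed for this example."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # any source
    dst: str = "0.0.0.0/0"      # any destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set, evaluated top-down; the first matching rule decides.
RULES: List[Rule] = [
    # Anyone may reach the public web server in the DMZ over HTTPS.
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    # Staff on the intranet may browse HTTPS sites outwards.
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    # Explicit block of anything from outside aimed at the intranet.
    Rule("deny", dst="10.0.0.0/8"),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny'. No matching rule means deny (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def filter_log(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Audit-style record of each decision, one line per packet."""
    return [f"{decide(p, rules).upper()} {p.proto} {p.src} -> {p.dst}:{p.dport}" for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # Internet -> DMZ web server
        Packet("198.51.100.7", "10.0.0.5", "tcp", 443),      # Internet -> intranet host
        Packet("10.1.2.3", "198.51.100.7", "tcp", 443),      # staff browsing out
        Packet("10.1.2.3", "198.51.100.7", "tcp", 22),       # not covered by any allow rule
    ]
    print("\n".join(filter_log(sample)))
```

Note what such a filter cannot do: it sees only addresses, protocol and ports, not the content of the request, and it keeps no record of connection state. Inspecting the application content is the job of an Application Gateway, which the glossary lists separately.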
Gateway
A device positioned between two networks, either hardware, or hardware and software, through which all communications between the two networks must pass.
Gateway Service
Services provided by a Gateway to connect from one network to another.
Guideline
Document containing a set of security measures which are recommended to be implemented in order to comply with best practice. Guideline measures usually use the word “should”. Guidelines frequently supplement Directives, which are mandatory and must be implemented. Even though Guidelines are not mandatory, auditors will take them into account when assessing the effectiveness of a unit.
Hacker
A person who carries out one or more of the following activities:
Some people who call themselves "hackers" claim they only break into computer systems for intellectual challenge, and never commit theft, vandalism, or breach Confidentiality - they refer to the persons above as "crackers". However, both groups represent a serious threat to computer systems - if a "hacker" can gain entry so can a "cracker".
Hardware
Any component of a computer system that has physical form. It is a term used to draw a distinction between the computer itself and the programs that are executed on the computer Software.
Holder (Information- / Document-)
Person in possession of a piece of information or a document and therefore obliged to comply with the rules for its adequate protection, but not necessarily its Owner. The holder is in particular subject to any restrictions (imposed by the owner) on further disclosure and distribution.
ICE (Intrusion Countermeasure Electronics)
Term coined by Tom Maddox and popularised in the "cyberpunk" science fiction novels of William Gibson. Combination of security hardware and software that responds to intrusion by attempting to trap the hacker.
The loss of Value, increased Costs, or other damage that would occur as a consequence of a particular Security Breach.
Incident
In the context of Information Security, an event with an undesired or threatening effect on the processing and/or Transmission of information, or on the information itself and/or its Confidentiality, Integrity or Availability. An Incident can also be defined as the materialisation or potential materialisation of a Threat.
Incident Reporting
All staff in an organisation of whatever status have a duty to report Incidents and suspicious events in accordance with the procedures and reporting lines that must be described in the company's Information Security Manual (which today will usually be situated on the company's Intranet) and corresponding documents issued by a company's Security or IT departments.
Information
Comprises, amongst other things, policies, facts, procedures, correspondence, data and know-how at all of the Company’s hierarchical levels and in all of its activity areas. Can take on a wide variety of forms: information can be stored on computers, transmitted across networks, printed out or written on paper (from notepad to flip-charts), sent by e.g. fax or electronic mail, stored on magnetic or optical media, or spoken in conversations or over the telephone, etc. It can also consist of work-knowledge or ideas; or it can be present in material goods and substances. In the Information Technology sense, Information, as opposed to Data, is that which is extracted from a compilation of data in response to a specific need; in other words it has meaning and usefulness, while raw data is difficult to interpret.
Information Assets
Resources used to capture, process, store, archive, transport, present and/or destroy information.
Information Resources
The procedures, equipment, facilities, software and data which are designed, built, operated and maintained to collect, record, process, store, retrieve, display and transmit information within an IT System.
Information Security
Those measures, procedures, or controls which provide an acceptable degree of safety of Company information resources from accidental or intentional disclosure, modification, or destruction.
Information Security Responsibility
The responsibility for Information Security as assigned to a special individual or job function such as IT Security Manager or Data Centre Manager. Allocating responsibility for Information Security is a key measure of BS7799 (ISO-17799).
Information Security Review
Comprehensive review of current and proposed computer system and networks, including environmental and personnel aspects, with respect to the entire range of possible data security vulnerabilities. The Information Security Review will identify potential security problems in computer systems and networks, together with analysis of best solutions for current and anticipated needs.
Information System
A specific IT System and the information handled by it, together with their operational environment.
Insider
A person who has knowledge of an information system gained from (legally) working with the system.
Integrated Circuit
Electronic device containing many discrete electronic components such as transistors, resistors and the wire links which interconnect them. Usually made in very large numbers, in miniaturised form, on a common base or substrate of silicon.
Integrity
(1) That element of information protection concerned with ensuring that information cannot be deleted, modified, duplicated or forged in transmission or during processing without detection.
(2) Property of a document or data element (record, file, application) indicating either that its contents entirely (100%) match the original input (for example, showing that it has not been modified during transmission, etc.), or, for a document or data element that has been changed from its original state, that all changes are verifiable as having been made by authorised persons or processes (document revisions, auditable updates, transactions, etc.), so that rolling back the known changes will yield the original document/data record. See also Authenticity.
Intermediate Materials
Material used in creation of a Document and obsolete after this process, e.g. rough notes, drafts, typewriter/printer ribbon cassettes, floppy disks, recorder tapes etc.
Internal Auditing
Control function acting on behalf of an organisation's top management to check its operational processes and systems.
Internet
A global public network consisting of millions of interconnected computers all linked together using the so-called Internet Protocols (TCP/IP, HTTP, File Transfer Protocol (FTP), Telnet etc.)
Intranet
A closed network of computers based on Internet technology, namely the HTTP and TCP/IP protocols, accessible only by a controlled group of users, e.g. company employees and other authorised personnel working within the organisation. An industry-standard web browser is normally the client software, and web servers provide information and applications. An intranet is protected by a firewall from unauthorised access. The main purpose of an intranet is to share company information and computing resources among employees. An intranet can also be used to facilitate working in groups and for teleconferences.
Intrusion Detection
Detection of break-ins or attempted break-ins via manual means or software expert systems operating on logs or other information available on the network.
Key
When used in the context of Encryption, a (unique) number series which is used by an encryption Algorithm to transform plain text data into encrypted (cipher text) data, or vice versa. In Asymmetric Encryption there are two types of keys, Public Keys and Private Keys. Public keys can be revealed freely, as it is not possible to derive the corresponding Private key from them; Private keys must be kept secret.
Key Escrow
A system whereby encryption keys used in electronic commerce are held in trust by a neutral agency such as a Trusted Third Party (TTP) under an escrow agreement allowing for release of the keys to allow recovery of encrypted information under agreed conditions. This could be to law enforcement agencies, tax authorities, parties involved in litigation, a receiver, etc.
Key Management
Processes associated with the secure generation, transport, storage and destruction of Encryption keys.
Key Recovery
A key management process associated with the retrieval of a key lost by the key holder so as to ensure access to ciphertext created with the key in question.

Least Privilege
Designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorisation level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorised activity resulting in a security breach.
Log
Recording of activities for a specific resource.
Logging
The process of storing information about events that occurred on an information system such as an application server, a firewall or a wide area network.

Mechanism
Something that implements a Security Measure or Safeguard - it can be a combination of hardware, software, physical security, or procedures.
Message Authentication
A check to ensure that a message has not been tampered with during storage or transmission.
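The Message Authentication entry (and the Electronic Authentication entry before it) describe a check that raises an alarm on even an insignificant alteration of a message. The following is an added illustration for this glossary, not code from the original page, using an HMAC over the message with a shared secret key; the shared key, the sample payment message and the forger's guessed key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed shared secret; in practice it comes from Key Management and is
# never sent alongside the message.
SHARED_KEY = secrets.token_bytes(32)


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an authentication tag so that the receiver can detect modification."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(protected: bytes, key: bytes = SHARED_KEY) -> Tuple[bool, bytes]:
    """Split off the tag, recompute it and compare in constant time.

    Returns (is_authentic, message). A constant-time comparison avoids leaking
    how many tag bytes matched.
    """
    if len(protected) < TAG_LEN:
        return False, b""
    message, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def tamper_demo() -> Tuple[bool, bool, bool]:
    """Three checks: untouched message, one altered digit, and a tag made without the key."""
    original = protect(b"PAY 100.00 to account 42")  # constructed sample message
    ok_untouched, _ = verify(original)

    # A single changed character in the amount gives a completely different tag.
    altered = original.replace(b"100.00", b"900.00")
    ok_altered, _ = verify(altered)

    # Someone without the shared secret cannot produce a tag that verifies.
    forged = protect(b"PAY 100.00 to account 42", key=b"guess" * 6)
    ok_forged, _ = verify(forged)

    return ok_untouched, ok_altered, ok_forged


if __name__ == "__main__":
    print(tamper_demo())  # expected: (True, False, False)
```

A MAC proves that the message was produced by a holder of the shared key and has not been altered since; it does not by itself prevent an old, valid message from being replayed, which is why protocols add a sequence number or timestamp inside the authenticated data. Because both parties hold the same key, a MAC also cannot provide Non-repudiation: that needs a Digital Signature, where only the sender holds the signing key.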
Microprocessor
An integrated circuit which has the essential elements of a computer condensed into a single device.
"Need to know" - Principle
Principle according to which any company information is intended only to be disclosed to persons or organisations who need this information for fulfilling their task ("internal use only" or "business use only", without explicit Classification mark), unless otherwise stated. Sometimes also referred to as the "Need to Withhold" principle.
Network
Communication infrastructure for the transport of information in any form (data, voice, video signals) by various means (cable, fibre-optics, radio, directed beam etc.) between input/output and/or processing/control/routing devices. Examples: telephone network, LAN (Local Area Network), WWW (World Wide Web), CCTV (Closed Circuit Television).
Non-repudiation
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data. See Repudiation.

Objective
The definition by an Owner of the level of security required to safeguard the Availability/Utility, Integrity/Authenticity and Confidentiality of an information resource. This defines the security measures required to be put in place.
Owner (Information/Document) [Data Owner]
Person bearing the responsibility for a piece of information, a document, or an information database/system, especially also for its proper Classification and appropriate protection. Usually the information originator or her/his superior in the business function to which the information relates.
Owner (Information Technology resource) [IT Owner]
Person responsible for the definition, implementation and maintenance of an adequate security level to protect a given IT resource. All IT resources must be assigned an Owner, who will normally be a senior manager responsible for the IT infrastructure within that business function. The owner has to specify clearly security needs for each IT resource regarding Availability/Utility, Integrity/Authenticity and Confidentiality. The security needs should then be categorised by the type of the IT resource and the business importance. IT resources such as a network or even an individual server can contain information systems belonging to more than one Data Owner.

Packet Filter
A type of firewall that examines each packet individually at the network and transport layers (source and destination addresses, protocol, port numbers) and permits or drops it according to a list of rules; typically implemented on routers.
Passive Attack
An attack on a system that extracts information and makes use of it, but does not inject false information or corrupt any information. See also Active Attack.
Password
Unique and personal identification in the form of an alpha-numerical or numerical sequence of characters, used for access to locations or electronic devices, parts of them, single files or transactions on such equipment. Can be used stand-alone or in conjunction with other means of identification (e.g. verification of ID badges or similar). Although passwords are supposed to be secret and hard to guess, experience has shown that most people's choices are highly insecure: humans tend to choose short words such as names, which are easy to guess. Passwords are therefore unsuitable on their own for sensitive applications, which require strong authentication using hardware tokens or smart cards (such as the SecurID card) or biometric identification of the authorised user.
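The rule evaluation a Packet Filter performs, as an added example that is not part of the original glossary and does not describe any particular product: rules are tried in order, the first match decides, and a packet matching nothing is dropped (default deny). The address ranges, web server address and rule set are constructed for the demonstration.

```python
"""Stateless packet-filter rule evaluation (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp", "icmp" or "any"
    src: IPv4Net
    dst: IPv4Net
    dports: Optional[Tuple[int, int]] = None   # inclusive destination-port range, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def rule(action: str, proto: str, src: str, dst: str, dports=None) -> Rule:
    return Rule(action, proto, IPv4Net(src), IPv4Net(dst), dports)


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "any" and r.proto != p.proto:
        return False
    if p.src not in r.src or p.dst not in r.dst:
        return False
    if r.dports is not None:
        if p.dport is None or not (r.dports[0] <= p.dport <= r.dports[1]):
            return False
    return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; a packet matching no rule is denied (default deny)."""
    for r in rules:
        if matches(r, p):
            return r.action, r
    return "deny", None


# Constructed rule set for the Internet-facing interface of a site whose
# internal range is 10.0.0.0/8 and whose public web server is 192.0.2.10.
INBOUND_RULES = [
    # Anti-spoofing first: nothing arriving from outside may claim an internal source.
    rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0"),
    rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", (443, 443)),
    rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", (80, 80)),
    # Everything else falls through to the implicit deny.
]


def decide(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    p = Packet(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dport)
    return evaluate(INBOUND_RULES, p)[0]


if __name__ == "__main__":
    for args in [("tcp", "198.51.100.7", "192.0.2.10", 443),
                 ("tcp", "10.1.2.3", "192.0.2.10", 443),
                 ("tcp", "198.51.100.7", "192.0.2.10", 23)]:
        print(args, "->", decide(*args))
```

Rule order is the security-relevant detail: if the permit rules came before the anti-spoofing deny, a packet from outside forged with a 10.x source would be accepted. A filter of this kind is stateless, so it cannot tell a reply packet from an unsolicited one; stateful inspection adds that.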
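Two things a practitioner wants around the Password entry above, as an added example that is not part of the original glossary: a policy check that rejects the short, single-class or commonly used choices the entry warns about, and storage that never keeps the password itself but a salted, iterated PBKDF2 hash verified in constant time. The denylist is a constructed handful of entries standing in for a large breached-password corpus.

```python
"""Password policy check and salted, iterated password hashing (added illustration)."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed tiny denylist; real deployments check against large breached-password corpora.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def password_problems(pw: str, min_len: int = 12) -> List[str]:
    """Return the policy rules a candidate password fails (empty list = acceptable)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if pw.isalpha() or pw.isdigit():
        problems.append("uses a single character class")
    return problems


def hash_password(pw: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (base64)."""
    # A fresh random salt per user means two users with the same password get different records.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(pw: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(password_problems("password"))
    record = hash_password("correct horse battery staple 7")
    print(record)
    print(verify_password("correct horse battery staple 7", record))
```

The iteration count is stored with the hash so it can be raised for new records as hardware gets faster without invalidating old ones; the default of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256 and makes offline guessing of a leaked record expensive.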
Perimeter-based Security
The technique of securing a network by controlling access to all entry and exit points of the network.
"Personal"
Marking for information that is to be shared only by sender and named receiver. If used stand-alone this is not a Classification Category, but rather a "postal instruction". It may, however, be applied together with "Confidential", in which case the classification rules for the latter fully apply, with the exception that opening of accordingly marked mail by a deputy is excluded.
Personal Identification Number (PIN)
A sequence of digits used to verify the identity of the holder of a token or smart card such as a SecurID card.
PKI
See Public Key Infrastructure (PKI).
Plaintext
Data before the application of a cryptographic Algorithm
Policy
Organisation-level rules governing acceptable use of computing resources, security practices, and operational procedures. Usually natural language descriptions of desired system behaviour. Policies may be defined for particular requirements, such as Confidentiality, Integrity, Availability, safety etc.
Polling (Telefax)
Facility where the recipient can call a message from the memory of the sender's fax machine and thus is able to receive it under his direct supervision.
Preventive Measure
A measure put in place to counter a Threat or threats.
Private Key
In Asymmetric Encryption systems, a cryptographic key "known" only to its owner and used to decrypt data that was encrypted with the matching Public Key and to create Digital Signatures. Matching pairs of Private and Public Keys are required for different authorisation groups.
Processor
A unit of hardware that is capable of executing instructions contained in a computer program.
Program
A precise sequence of instructions that specifies what action a computer should perform. "Software" is often used to describe a computer program.
Protection Requirements
Definition of IT Security Controls to ensure security of a resource within a company environment.
Proxy
A software agent that acts on behalf of a user. A typical proxy accepts a connection from a user, decides whether the user or client IP address is permitted to use the proxy, may perform additional authentication, and then completes a connection on behalf of the user to the remote destination.
Public Key
In Asymmetric Encryption systems, the owner's cryptographic key given to authorised recipients and used by them to encrypt data for the owner and to verify the owner's Digital Signatures. It can be published without revealing the owner's corresponding Private Key. Matching pairs of Private and Public Keys are required for different authorisation groups.
Public Key Cryptography
An Asymmetric Encryption system where each party possesses a pair of keys, one Private (secret) and one Public, for use in encryption and digital signing of data.
Public Key Infrastructure (PKI)
The total system (a combination of hardware, software, encryption technologies and services) used in verifying, enrolling and certifying users of a security application. A PKI enables an enterprise to protect the security of its internal communications and business transactions; and together with its business partners and Trusted Third Parties, protect the security of its external communications and business transactions also.

Recovery
The restoration of a system to normal operations following an interruption of service.
Registration Authority (RA)
That part of a PKI involved in verifying and enrolling users
Remote Access
Communication with a computer from a location other than the computer or its directly-connected network. Remote Access usually occurs over public lines (PSTN or Internet) rather than private (WAN).
Repudiation
Denial by one of the entities involved in a communication of having participated in all or part of the communication. See Non-Repudiation.
Requirement
A statement of the system behaviour needed to enforce a given policy. Requirements are used to derive the technical specification of a system.
Residual Risk
The Risk remaining after all relevant Safeguards are in place.
Resource
Hardware or software facility to which explicit access is possible (including data files and databases).
Responsibility
Obligation of all staff to observe legal and contractual provisions.
Risk
The likelihood or probability that a loss of information resources or a breach of security will occur.
Risk Analysis
An evaluation of system assets and their vulnerabilities to threats. Risk Analysis estimates the potential losses that may result from threats. Current Risk Analysis methodology is computer software-based (CRAMM, MARION, L-3 Expert 3.0, etc.) and uses very sophisticated mathematical techniques and precise probabilities, often based on regularly updated insurance company statistics (MARION especially). The principle of Baseline Security, on the other hand, is to counter Risk by implementing the commonly used controls that are found in companies accepted to be well run, and to confine Risk Analysis to company-specific situations not protected by those controls. You don't spend £10,000 on Risk Analysis consultancy to see if you need a lock on the computer room door, you just ring the locksmith!
Risk Assessment
Identification of the potential vulnerabilities to the continued reliable operation of networks and systems, together with the controls and/or actions which can be implemented to minimise these risks. All the key stakeholders in the operation of the network or system, both from the customer side and others such as partners or third-party software suppliers, should help to identify all potential risks to the system. Risks are then classified both by probability of occurrence and by impact. Controls to address each of these risks are identified. By ranking the probabilities of occurrence and their impact, informed business decisions can then be made weighing the cost of the controls against the risks. Whereas Risk Analysis uses sophisticated mathematical techniques and specialised computer software to produce very precise figures, Risk Assessment is more broad-brush and intuitive, usually classifying risks as High, Medium or Low, for example.
Risk Management
Decisions to accept exposure or to reduce vulnerabilities by either mitigating the risks or applying cost effective controls.
RSA
The Public Key Encryption Algorithm invented by Rivest, Shamir and Adleman in 1977. It uses different keys for Encryption and for Decryption. See also Public Key, and Asymmetric Encryption.
RSA Keys
The encryption keys employed in the RSA cryptography system

Safeguard
A measure designed to prevent a Security Incident or limit its effect.
Scrambling
Alternative term for simpler methods of Encryption.
Secrecy Undertaking
See Confidentiality Agreement.
Secret Key
A key used to encrypt and decrypt data, which must not be disclosed. If it is revealed, the security offered by its Encryption Algorithm is compromised. Not all encryption keys have to be kept secret; see Public Key.
Secure System
A computer, network or IT environment that is secured against attack, either accidental or malicious.
Security
Protection against unwanted events. The most widely used definition of (computer) security is:
Security = Confidentiality + Integrity + Availability
Some add Utility and Authenticity to this equation.
Security Administrator
The person charged with monitoring and implementing security controls and procedures for a system.
Security Breach
See Security Incident.
Security Controls
Hardware, programs, procedures, policies, and physical safeguards which are put in place to assure the integrity and protection of information and the means of processing it.
Security Incident
An event that results in unauthorised access, loss, disclosure, modification or destruction of information resources, whether accidental or deliberate, and in a loss of Confidentiality, Integrity or Availability of an information resource.
Security Manager
Member of staff charged with the setting up and subsequent monitoring of a security system. They often have special rights of access, and can introduce and remove users; therefore they must be trusted to carry out their job.
Security Requirement
Definition of requirements in the area of IT Security, which are covered by IT Security Controls.
Security Standard
A required procedure or management control.
Security Violation
An event where established Information Security Controls are intentionally bypassed, in order to gain unauthorised access to an information resource, or to cause disclosure, modification or destruction of that resource.
Sensitive Information
Information that requires special precautions to protect it from unauthorised disclosure, modification, withholding or deletion. Sensitive information may be either public or Confidential. It is information that requires a higher than normal assurance of accuracy, completeness and Confidentiality. Examples are those personnel file characteristics defined as sensitive by data privacy legislation, e.g. an employee’s race.
Sensitivity
A measure of importance assigned to Sensitive Information by its Owner to denote its need for protection.
Service
A set of functions provided to a User by an IT System or by the persons operating it (who may be internal or external).
Session Key
An encryption key employed in a single session, after electronic generation between a sender and recipient in a given process
SET (Secure Electronic Transaction)
A mechanism for securely and automatically routing payment information among users, merchants, and their banks over the Internet. SET is a protocol for securing bank card transactions on the Internet or other open networks using cryptographic services.
Smart Card
See Token.
Software
That part of a computer system which is not tangible, made up of the entirety of computer programs (precise sequences of instructions that specify what action a computer should perform to carry out specific tasks) running on that system. Software consists of operating systems (servers, networks, etc.) and application software (desktop, financial, etc.).
Solicitation Mailer
A PIN mailer used by a cardholder to return a selected PIN to the issuer.
Spoofing
Pretending to be someone or something else (e.g. using someone else’s password).
Steganography
Hiding of (sensitive) information within an innocuous-looking carrier file (e.g. a letter, or data inside a picture file), so that the existence of the hidden message is concealed, not merely its content.
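The simplest form of the technique just described, as an added example that is not part of the original glossary: the message bits are written into the least significant bit of successive 8-bit samples of a carrier, so no sample changes by more than one unit, and a length prefix lets the extractor know where the message ends. The carrier here is constructed random noise standing in for an image's pixel bytes, not a real picture.

```python
"""Least-significant-bit steganography over raw 8-bit samples (added illustration)."""
import random
from typing import Iterable

HEADER_BITS = 32   # 4-byte big-endian length prefix tells the extractor how much to read


def _bits(data: bytes) -> Iterable[int]:
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytes, secret: bytes) -> bytes:
    """Hide secret in the low bit of successive cover samples (pixels, audio samples...)."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(payload) * 8, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit     # each sample changes by at most 1
    return bytes(stego)


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    out = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_bit + k * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden bytes; a carrier without a valid length prefix is rejected."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; not a valid stego object")
    return _read_bytes(stego, HEADER_BITS, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference the embedding introduced (expected: 0 or 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(samples: int, seed: int = 1) -> bytes:
    """Constructed stand-in for an image's pixel bytes (random noise, not a real picture)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(samples))


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"meet at the usual place, noon")
    print(extract(stego), "max change per sample:", max_sample_change(cover, stego))
```

Two caveats a practitioner should keep in mind: plain LSB embedding in a real image is detectable by statistical analysis of the low-bit plane, and steganography hides only the existence of a message, so the payload should be encrypted before it is embedded.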
Subject
The entity (person, device or service) that a certificate in a public key security system identifies by name; the certificate's Subject field carries that name.
Symmetric Algorithm
An Algorithm in which the key used for Encryption is identical to the key used for Decryption. DES is the best-known Symmetric Encryption Algorithm; its 56-bit key is far too short for modern use and it has been replaced by AES.
Symmetric Encryption
Symmetric encryption, where both parties hold a single key which they share and use for both Encryption and Decryption, is by far the simpler and faster method. Its weakness is the need to share secret information, with the accompanying risk of loss or exposure during transportation. Asymmetric Encryption removes that need but is much slower, so in practice the two are combined: Asymmetric Encryption (or a key-agreement protocol) is used to establish a Session Key, and the bulk of the data is then protected with Symmetric Encryption under that key.
System Security Data
Data files such as programs, password files, security tables, authorisation tables, etc., which, if not adequately protected, could permit unauthorised access to information resources.

Tamper Resistance
Equipment property that provides facilities for detecting attempts to tamper with the equipment, and ensures that an appropriate response is made. Strictly, tamper resistance makes physical interference difficult, while the behaviour described here is tamper detection and response; data security equipment usually combines both. For such equipment the normal response is the destruction (zeroisation) of any stored secret values.
Tamper Resistant Module
Hardware that exhibits tamper resistant properties.
Threat
An unwanted event that will cause damage or disruption to information systems or services if vulnerabilities exist. It could be natural (e.g. a flood or an earthquake), deliberate (e.g. a bomb or a hacking attack) or accidental (e.g. a program or data entry error).
"Tiger Team"
In military parlance, a tiger team is a group that is given the job of trying to break through security around a military base or special restricted area. In computer security terms, the name is given to a group of technical specialists who are hired to expose errors or security holes in new software/applications or to attempt to break into a company’s computer network. Although hackers or ex-hackers often offer themselves to carry out such activities, their employment is not recommended, because their previous history means there is always the possibility that they will be tempted to disable application or network security, or compromise it by installing "trapdoors".
Token
A physical object, sometimes containing sophisticated electronics, which is required to gain access to a system. Some tokens contain a microprocessor, and are called intelligent tokens, or smart cards.
Transaction Key
A key management scheme designed to change automatically the DES data keys used to protect transactions to and from a terminal, after every transaction, so that compromise of one key exposes only one transaction.
Transmission
Technical process of transferring information in any form (data, voice, script etc.) from sender to receiver, e.g. via a Network or by post. See also Communication.
Trapdoor
A hidden mechanism that allows normal system protection to be circumvented. Trapdoors are often planted by system developers to allow them to test programs without having to follow security procedures or other user interfaces. They are typically activated in some non-obvious way (e.g. by typing a particular sequence of keys). If a hacker penetrates a computer network or system they will often install a trapdoor to enable them to revisit the site at will.
Trojan Horse
Program that causes unexpected and usually undesirable effects when willingly installed or run by an unsuspecting user. These effects may be immediate or may wait for some predetermined time or condition before being triggered. Unlike a Computer Virus or a Worm, a Trojan Horse is not self-propagating, but relies on user action to spread. See also Computer Virus and Worm.
Trust
A person or system in whom/which confidence or faith is placed.
Trusted Third Party (TTP)
An agency providing security-related services and activities to one or more entities in a given security infrastructure, usually a Public Key Infrastructure (PKI). Trusted Third Parties may also be legally required to hold encryption keys under a Key Escrow arrangement. Banks particularly are seeking to take on this role in future.
Tunnelling
The establishment of a secure data path across an insecure or public network such as the Internet or the Public Switched Telephone Network. Tunnelling software combines a tunnelling protocol, authentication, encryption, and a method of controlling access privileges. PPTP (Point-to-Point Tunnelling Protocol), the example originally given here, is no longer considered secure because its MS-CHAP authentication and RC4 encryption have been broken; IPsec- or TLS-based tunnels are used instead. Tunnelling can be used to link a single user or an entire private network to another private network, thus creating a Virtual Private Network (VPN).
Tunnelling Router
A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network for eventual de-encapsulation and decryption.
User (of an Information Resource)
An individual or automated application that is authorised access to the resource by the owner, in accordance with the owner's procedures and rules. Each User must be assigned a unique User Identification.
User Authentication
Determining that a User truly is authentic. See Authentication.
User Identification (User ID)
A unique real name, character string or numeric value used by a system to identify a specific User.
User Identification, Privileged
A User Identification with more access rights than are associated with an End User; such additional access rights can be the access to Operating System Resources and the right of configuration of Operating System Resources.
User Access Rights
A User’s rights associated with User Identification to access certain resources and data within defined functions such as read, change, insert or delete.
User Profile
The collection of User access rights associated with one or more User Identifications.
Utility
The condition, quality, or fact of being useful or beneficial; usefulness, profit; serviceability, practicality. In security terms, a resource's utility is destroyed or reduced if its Confidentiality is compromised, its Integrity is not known (or known to be damaged), or if its Availability is temporarily or permanently removed.

Value
Importance expressed on a comparative scale, usually in financial terms or other terms convertible to financial terms (e.g. human lives at risk, environmental impact, loss of goodwill).
Veiled language
Circumscribing of object and occurrence in a manner not recognisable for the uninitiated in conversation or correspondence between partners already familiar with the matter concerned; of comparably low security level.
Virtual Private Network (VPN)
A secure network that is connected together, entirely or in part, over insecure public links (the Internet or dial-up via the PSTN) using Tunnelling technology (encryption). Establishing a VPN allows remote offices, mobile company employees, contractors, business partners and customers to connect to the company's network securely and cost-effectively.
Virus
See Computer Virus
Virus Hoax
Message, usually by Electronic Mail or on the Internet, describing the imminent threat of a new Computer Virus and asking the reader to notify as many colleagues as possible immediately by forwarding the message. It aims at bringing the messaging system to the edge of, or beyond, its capacity and is a form of (illegal) chain letter. Do not forward such messages, but immediately notify your responsible IT Security Officer and/or System Manager.
Vulnerability
Weakness in security that could be exploited by an attacker or lead to a loss of service. There may be security, integrity, availability and other vulnerabilities. A Threat becomes damaging only when a vulnerability exists for it to exploit; the act of exploiting one is an attack.

Worm
Like a Computer Virus, a Worm is a self-propagating computer program designed to produce effects ranging from simple screen jokes through data corruption or destruction to completely incapacitating the computer or the entire network. A Worm does not infect computer media, programs or documents as a Virus does, but replicates itself from computer to computer as a self-contained, stand-alone file, often via email or by exploiting a network service. Like a Virus, a Worm often becomes active only after a delay (e.g. on a certain date, after a fixed number of start-up cycles of the system or of a specific program, etc.). See also Anti-Virus Software, Computer Virus, Trojan Horse, and Virus Hoax.


ZIP-Drive
Disk drive for disks similar to Floppy Disks, but with a capacity of (currently) 100/250 MB and with a speed sufficient to run many programs directly from the disk. Drive can be installed internally or externally and connected to the printer port (LPT). Suitable means for keeping sensitive files locked away separately from IT hardware. Less costly than true removable hard disks. Other, similar devices are available, some with even bigger capacity.
