Glossary of Terms
Access Control
Access Control ensures that resources are granted only to those users (or processes) who are entitled to them; in practice it combines authentication of the requester with authorization of the requested action.
Auditing
Auditing is the systematic gathering and analysis of information about assets to verify such things as policy compliance and the absence of known vulnerabilities.
Authentication
Authentication is the process of confirming the correctness of the claimed identity.
Authenticity
Authenticity is the property that information is genuine: it originates from the source it claims to come from and has not been altered since that source produced it.
Authorization
Authorization is the approval, permission, or empowerment for someone or something to do something.
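The three entries above (Access Control, Authentication, Authorization) are easy to conflate. The following Python is an added example, not part of the original glossary, that keeps them separate: authentication confirms the claimed identity, authorization decides what that identity may do, and the access-control function chains the two with a default of deny. The user store, passwords, roles and the policy table are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed user store: passwords are kept as salted PBKDF2-HMAC-SHA256 hashes,
# never in the clear. Iteration count kept modest so the example runs quickly.
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, roles: Set[str]) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


USERS: Dict[str, Dict] = {
    "alice": make_user("correct horse battery staple", {"admin"}),
    "bob": make_user("hunter2", {"reader"}),
}

# Hypothetical policy: which roles are entitled to which action on which resource.
POLICY: Dict[tuple, Set[str]] = {
    ("payroll", "read"): {"admin", "reader"},
    ("payroll", "write"): {"admin"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: confirm the claimed identity. Returns it on success, None otherwise."""
    user = USERS.get(username)
    # Hash even for unknown usernames so response time does not reveal which accounts exist.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        return username
    return None


def authorize(identity: str, resource: str, action: str) -> bool:
    """Authorization: may an already-authenticated identity perform action on resource?"""
    allowed_roles = POLICY.get((resource, action), set())  # unknown (resource, action) -> nobody
    return bool(USERS[identity]["roles"] & allowed_roles)


def access(username: str, password: str, resource: str, action: str) -> str:
    """Access control: authenticate first, then authorize; anything not explicitly allowed is denied."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, resource, action):
        return "denied: not authorized"
    return f"granted: {identity} may {action} {resource}"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll", "write"))
    print(access("bob", "hunter2", "payroll", "write"))
    print(access("bob", "wrong password", "payroll", "read"))
```

Note that a failed password and an unknown username produce the same message and cost the same hash computation; the distinction between "who are you" and "what may you do" is what lets the policy table be changed without touching the login code.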
Availability
Availability is the need to ensure that the business purpose of the system can be met and that it is accessible to those who need to use it.
Browser
A client computer program that can retrieve and display information from servers on the World Wide Web.
Business Continuity Plan (BCP)
A Business Continuity Plan is the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
Business Impact Analysis (BIA)
A Business Impact Analysis determines what levels of impact to a system are tolerable.
Confidentiality
Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.
Data Owner
A Data Owner is the entity having responsibility and authority for the data.
Defense In-Depth
Defense In-Depth is the approach of using multiple layers of security to guard against failure of a single security component.
Disaster Recovery Plan (DRP)
A Disaster Recovery Plan documents the process for restoring IT systems in the event of a disruption or disaster.
Due Care
Due care ensures that a minimal level of protection is in place in accordance with the best practice in the industry.
Due Diligence
Due diligence is the requirement that organizations develop and deploy a protection plan to prevent fraud and abuse, and additionally deploy a means to detect them if they occur.
Event
An event is an observable occurrence in a system or network.
Exposure
A threat action whereby sensitive data is directly released to an unauthorized entity.
Firewall
A logical or physical discontinuity in a network to prevent unauthorized access to data or resources.
Hardening
Hardening is the process of reducing a system's attack surface: removing or disabling unneeded services, accounts and features, applying a secure configuration, and fixing known vulnerabilities.
Hypertext Transfer Protocol (HTTP)
The application-layer protocol in the Internet protocol suite used to transfer hypertext documents across an internet. It normally runs over TCP; HTTPS is HTTP carried inside a TLS connection.
Identity
Identity is who someone or what something is, for example, the name by which something is known.
Incident
An incident is an adverse network event in an information system or network or the threat of the occurrence of such an event.
Incident Handling
Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It comprises a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Integrity
Integrity is the need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
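The Authenticity and Integrity entries describe two different guarantees, and the difference is easiest to see in code. The following Python is an added example, not part of the original glossary: an unkeyed SHA-256 digest detects accidental change (integrity), but an attacker who can rewrite the message can also recompute the digest, so only a keyed HMAC, which requires the shared secret, proves the message came from the holder of that key (authenticity). The message and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample message and shared secret for the example.
MESSAGE = b"transfer 100.00 to account 12345"
KEY = b"constructed-demo-key-not-for-production"


def digest(data: bytes) -> str:
    """Integrity only: anyone can recompute this, so it catches corruption, not forgery."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Authenticity: only a holder of key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(data), expected)  # constant-time comparison


def verify_mac(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(data, key), expected)


def tamper_scenarios() -> Dict[str, bool]:
    """Run two tampering cases and report which check catches each."""
    original_digest = digest(MESSAGE)
    original_tag = mac(MESSAGE, KEY)

    # Case 1: accidental corruption, a single flipped bit in transit.
    corrupted = bytearray(MESSAGE)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Case 2: deliberate forgery. The attacker changes the amount and, because the
    # digest is unkeyed, simply recomputes it to match the altered message.
    forged = MESSAGE.replace(b"100.00", b"900.00")
    forged_digest = digest(forged)

    return {
        "bitflip_caught_by_digest": not verify_digest(corrupted, original_digest),
        "bitflip_caught_by_mac": not verify_mac(corrupted, KEY, original_tag),
        # The recomputed digest verifies, so the forgery passes the integrity check.
        "forgery_caught_by_digest": not verify_digest(forged, forged_digest),
        # The attacker cannot produce a tag for the forged message without KEY.
        "forgery_caught_by_mac": not verify_mac(forged, KEY, original_tag),
    }


if __name__ == "__main__":
    for scenario, caught in tamper_scenarios().items():
        print(f"{scenario}: {caught}")
```

The practical consequence: a checksum published next to a download on the same server gives integrity against transmission errors, while a detached signature or a MAC under a key the server does not expose is what gives authenticity against someone who has replaced both the file and its checksum.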
IP Address
A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is 32 bits long and is written as four decimal numbers from 0 to 255 (one per 8-bit octet) separated by periods; an IP version 6 address is 128 bits long and is written as eight groups of hexadecimal digits separated by colons.
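As an added example for the IP Address entry (not code from the original glossary), the following Python parses the dotted-quad form strictly: exactly four decimal octets in the range 0 to 255, no leading zeros and no shorthand. The strictness matters because lenient parsers such as the C library's inet_aton accept forms like "0177.0.0.1" (octal octet) or "127.1" (two parts), so an allowlist check built on a lenient parser can be bypassed with a string a strict parser rejects. The in_network helper shows the parsed value being used for a CIDR membership check; all addresses and networks in it are constructed for the example.

```python
from typing import Optional


def parse_ipv4(text: str) -> Optional[int]:
    """Strict dotted-quad parser. Returns the 32-bit integer value, or None if invalid."""
    parts = text.split(".")
    if len(parts) != 4:            # rejects "127.1", "1.2.3" and "1.2.3.4.5"
        return None
    value = 0
    for part in parts:
        # isdigit() alone accepts non-ASCII digits; require plain ASCII 0-9 and a non-empty part.
        if not part or not part.isascii() or not part.isdigit():
            return None
        if len(part) > 1 and part[0] == "0":
            # Leading zeros are ambiguous: inet_aton reads "0177" as octal 127, others as decimal 177.
            return None
        octet = int(part)
        if octet > 255:
            return None
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4 for a 32-bit integer."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_network(addr: str, cidr: str) -> bool:
    """True if addr falls inside the IPv4 network written in CIDR notation, e.g. 10.0.0.0/8."""
    net_text, _, prefix_text = cidr.partition("/")
    ip = parse_ipv4(addr)
    net = parse_ipv4(net_text)
    if ip is None or net is None or not prefix_text.isdigit():
        raise ValueError(f"invalid address or network: {addr!r}, {cidr!r}")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip & mask) == (net & mask)


if __name__ == "__main__":
    # Constructed inputs: one valid address and several strings a lenient parser might accept.
    for candidate in ("192.168.1.10", "0177.0.0.1", "127.1", "256.1.1.1", "1.2.3"):
        print(f"{candidate!r:16} -> {parse_ipv4(candidate)}")
    print(in_network("10.2.3.4", "10.0.0.0/8"))
```

When a check like in_network guards a sensitive destination, parse the address once with this strict routine and pass the resulting integer (or its canonical string) to every later layer, so that no component re-parses the raw user input with different rules.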
Malware
A generic term for a number of different types of malicious code.
National Institute of Standards and Technology (NIST)
National Institute of Standards and Technology, a unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
Natural Disaster
Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.
Patch
A patch is a small update released by a software manufacturer to fix bugs in existing programs.
Patching
Patching is the process of applying patches to installed software to fix bugs or vulnerabilities, usually moving it to a newer version.
Penetration
Gaining unauthorized logical access to sensitive data by circumventing a system's protections.
Penetration Testing
Penetration testing is an authorized, simulated attack against a network, system, application, or facility, carried out to find and demonstrate exploitable vulnerabilities (including, but not only, in the external perimeter) before a real adversary does.
Personal Firewalls
Personal firewalls are those firewalls that are installed and run on individual PCs.
Risk
Risk is a function of the likelihood that a threat will exploit a vulnerability and the impact on the organization if it does. Threat level combined with vulnerability level gives the likelihood of a successful attack; that likelihood combined with impact gives the risk.
Risk Assessment
A Risk Assessment is the process by which risks are identified and the impact of those risks determined.
Security Policy
A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
Sensitive Information
Sensitive information, as defined by the federal government, is any unclassified information that, if compromised, could adversely affect the interest or conduct of the institution’s initiatives.
Spam
Electronic junk mail or junk newsgroup postings.
Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.