Chapter 1 GLOSSARY

 Adequate Security - Security commensurate with the risk and the

magnitude of harm resulting from the loss, misuse or unauthorized
access to or modification of information. Source: OMB Circular A-130
 Administrative Controls - Controls implemented through policy
and procedures. Examples include access control processes and
requiring multiple personnel to conduct a specific operation.
Administrative controls in modern environments are often enforced
in conjunction with physical and/or technical controls, such as an
access-granting policy for new users that requires login and
approval by the hiring manager.
 Artificial Intelligence - The ability of computers and robots to
simulate human intelligence and behavior.
 Asset - Anything of value that is owned by an organization. Assets
include both tangible items such as information systems and
physical property and intangible assets such as intellectual
property.
 Authentication - Access control process validating that the identity
being claimed by a user or entity is known to the system, by
comparing one (single factor or SFA) or more (multi-factor
authentication or MFA) factors of identification.
 Authorization - The right or a permission that is granted to a
system entity to access a system resource. NIST 800-82 Rev.2
 Availability - Ensuring timely and reliable access to and use of
information by authorized users.
 Baseline - A documented, lowest level of security configuration
allowed by a standard or organization.
 Bot - Malicious code that acts like a remotely controlled “robot” for
an attacker, with other Trojan and worm capabilities.
 Classified or Sensitive Information - Information that has been
determined to require protection against unauthorized disclosure
and is marked to indicate its classified status and classification level
when in documentary form.
 Confidentiality - The characteristic of data or information when it
is not made available or disclosed to unauthorized persons or
processes. NIST 800-66
 Criticality - A measure of the degree to which an organization
depends on the information or information system for the success of
a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
 Data Integrity - The property that data has not been altered in an
unauthorized manner. Data integrity covers data in storage, during
processing and while in transit. Source: NIST SP 800-27 Rev A
 Encryption - The process and act of converting the message from
its plaintext to ciphertext. Sometimes it is also referred to as
enciphering. The two terms are sometimes used interchangeably in
literature and have similar meanings.
 General Data Protection Regulation (GDPR) - In 2016, the
European Union passed comprehensive legislation that addresses
personal privacy, deeming it an individual human right.
 Governance -The process of how an organization is managed;
usually includes all aspects of how decisions are made for that
organization, such as policies, roles, and procedures the
organization uses to make those decisions.
 Health Insurance Portability and Accountability Act (HIPAA) -
This U.S. federal law is the most important healthcare information
regulation in the United States. It directs the adoption of national
standards for electronic healthcare transactions while protecting the
privacy of individual's health information. Other provisions address
fraud reduction, protections for individuals with health insurance
and a wide range of other healthcare-related activities. Est. 1996.
 Impact - The magnitude of harm that could be caused by a threat’s
exercise of a vulnerability.
 Information Security Risk - The potential adverse impacts to an
organization’s operations (including its mission, functions and image
and reputation), assets, individuals, other organizations, and even
the nation, which results from the possibility of unauthorized access,
use, disclosure, disruption, modification or destruction of
information and/or information systems.
 Institute of Electrical and Electronics Engineers - IEEE is a
professional organization that sets standards for
telecommunications, computer engineering and similar disciplines.
 Integrity - The property of information whereby it is recorded, used
and maintained in a way that ensures its completeness, accuracy,
internal consistency and usefulness for a stated purpose.
 International Organization of Standards (ISO) - The ISO
develops voluntary international standards in collaboration with its
partners in international standardization, the International Electro-
technical Commission (IEC) and the International
Telecommunication Union (ITU), particularly in the field of
information and communication technologies.
 Internet Engineering Task Force (IETF) - The internet standards
organization, made up of network designers, operators, vendors and
researchers, that defines protocol standards (e.g., IP, TCP, DNS)
through a process of collaboration and consensus. Source: NIST SP
1800-16B
 Likelihood - The probability that a potential vulnerability may be
exercised within the construct of the associated threat environment.
 Likelihood of Occurrence - A weighted factor based on a
subjective analysis of the probability that a given threat is capable
of exploiting a given vulnerability or set of vulnerabilities.
 Multi-Factor Authentication - Using two or more distinct
instances of the three factors of authentication (something you
know, something you have, something you are) for identity
verification.
 National Institutes of Standards and Technology (NIST) - The
NIST is part of the U.S. Department of Commerce and addresses the
measurement infrastructure within science and technology efforts
within the U.S. federal government. NIST sets standards in a number
of areas, including information security within the Computer
Security Resource Center of the Computer Security Divisions.
 Non-repudiation - The inability to deny taking an action such as
creating information, approving information and sending or
receiving a message.
 Personally Identifiable Information (PII) - The National Institute
of Standards and Technology, known as NIST, in its Special
Publication 800-122 defines PII as “any information about an
individual maintained by an agency, including (1) any information
that can be used to distinguish or trace an individual’s identity, such
as name, Social Security number, date and place of birth, mother’s
maiden name, or biometric records; and (2) any other information
that is linked or linkable to an individual, such as medical,
educational, financial and employment information.”
 Physical Controls - Controls implemented through a tangible
mechanism. Examples include walls, fences, guards, locks, etc. In
modern organizations, many physical control systems are linked to
technical/logical systems, such as badge readers connected to door
locks.
 Privacy - The right of an individual to control the distribution of
information about themselves.
 Probability - The chances, or likelihood, that a given threat is
capable of exploiting a given vulnerability or a set of vulnerabilities.
Source: NIST SP 800-30 Rev. 1
 Protected Health Information (PHI) - Information regarding
health status, the provision of healthcare or payment for healthcare
as defined in HIPAA (Health Insurance Portability and Accountability
Act).
 Qualitative Risk Analysis - A method for risk analysis that is
based on the assignment of a descriptor such as low, medium or
high. Source: NISTIR 8286
 Quantitative Risk Analysis - A method for risk analysis where
numerical values are assigned to both impact and likelihood based
on statistical probabilities and monetarized valuation of loss or gain.
Source: NISTIR 8286
 Risk - A possible event which can have a negative impact upon the
organization.
 Risk Acceptance - Determining that the potential benefits of a
business function outweigh the possible risk impact/likelihood and
performing that business function with no other action.
 Risk Assessment - The process of identifying and analyzing risks
to organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals and other
organizations. The analysis performed as part of risk management
 which incorporates threat and vulnerability analyses and considers
mitigations provided by security controls planned or in place.
 Risk Avoidance - Determining that the impact and/or likelihood of
a specific risk is too great to be offset by the potential benefits and
not performing a certain business function because of that
determination.
 Risk Management - The process of identifying, evaluating and
controlling threats, including all the phases of risk context (or
frame), risk assessment, risk treatment and risk monitoring.
 Risk Management Framework - A structured approach used to
oversee and manage risk for an enterprise. Source: CNSSI 4009
 Risk Mitigation - Putting security controls in place to reduce the
possible impact and/or likelihood of a specific risk.
 Risk Tolerance - The level of risk an entity is willing to assume in
order to achieve a potential desired result. Source: NIST SP 800-32.
Risk threshold, risk appetite and acceptable risk are also terms used
synonymously with risk tolerance.
 Risk Transference - Paying an external party to accept the
financial impact of a given risk.
 Risk Treatment - The determination of the best way to address an
identified risk.
 Security Controls - The management, operational and technical
controls (i.e., safeguards or countermeasures) prescribed for an
information system to protect the confidentiality, integrity and
availability of the system and its information. Source: FIPS PUB 199
 Sensitivity - A measure of the importance assigned to information
by its owner, for the purpose of denoting its need for protection.
Source: NIST SP 800-60 Vol 1 Rev 1
 Single-Factor Authentication - Use of just one of the three
available factors (something you know, something you have,
something you are) to carry out the authentication process being
requested.
 State - The condition an entity is in at a point in time.
 System Integrity - The quality that a system has when it performs
its intended function in an unimpaired manner, free from
unauthorized manipulation of the system, whether intentional or
accidental. Source: NIST SP 800-27 Rev. A
 Technical Controls - Security controls (i.e., safeguards or
countermeasures) for an information system that are primarily
implemented and executed by the information system through
mechanisms contained in the hardware, software or firmware
components of the system.
 Threat- Any circumstance or event with the potential to adversely
impact organizational operations (including mission, functions,
image or reputation), organizational assets, individuals, other
organizations or the nation through an information system via
unauthorized access, destruction, disclosure, modification of
information and/or denial of service.
 Threat Actor - An individual or a group that attempts to exploit
vulnerabilities to cause or force a threat to occur.
 Threat Vector - The means by which a threat actor carries out their
objectives.
 Token- A physical object a user possesses and controls that is used
to authenticate the user’s identity. Source: NISTIR 7711
 Vulnerability - Weakness in an information system, system
security procedures, internal controls or implementation that could
be exploited by a threat source. Source: NIST SP 800-30 Rev 1