ISC2 Certification

The document outlines key security principles, including definitions and explanations of terms such as authentication, authorization, risk management, and various types of controls (administrative, physical, technical). It emphasizes the importance of protecting information integrity, confidentiality, and availability while addressing the implications of threats and vulnerabilities in information systems. Additionally, it references relevant regulations and standards, such as GDPR and HIPAA, that govern data protection and privacy.

Security Principles

Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse,
or unauthorized access to or modification of information. Source: OMB Circular A-130

Administrative Controls
Controls implemented through policy and procedures. Examples include access control
processes and requiring multiple personnel to conduct a specific operation. Administrative
controls in modern environments are often enforced in conjunction with physical and/or
technical controls, such as an access-granting policy for new users that requires login and
approval by the hiring manager.

Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.

Asset
Anything of value that is owned by an organization. Assets include both tangible items such as
information systems and physical property and intangible assets such as intellectual property.

Authentication
The act of identifying or verifying the eligibility of a station, originator, or individual to access
specific categories of information. Typically, a measure designed to protect against fraudulent
transmissions by establishing the validity of a transmission, message, station or originator.

Authorization
The right or a permission that is granted to a system entity to access a system resource.
Source: NIST SP 800-82 Rev. 2

Availability
Ensuring timely and reliable access to and use of information by authorized users.

Baseline
A documented, lowest level of security configuration allowed by a standard or organization.

Biometric
Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris
patterns.

Bot
Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and
worm capabilities.

Classified or Sensitive Information
Information that has been determined to require protection against unauthorized disclosure and
is marked to indicate its classified status and classification level when in documentary form.

Confidentiality
The characteristic of data or information when it is not made available or disclosed to
unauthorized persons or processes. Source: NIST SP 800-66

Criticality
A measure of the degree to which an organization depends on the information or information
system for the success of a mission or of a business function. Source: NIST SP 800-60 Vol. 1, Rev. 1

Data Integrity
The property that data has not been altered in an unauthorized manner. Data integrity covers
data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A

Encryption
The process and act of converting a message from plaintext to ciphertext. It is sometimes also
referred to as enciphering; the two terms are used interchangeably in the literature.

General Data Protection Regulation (GDPR)
Comprehensive European Union legislation, adopted in 2016 and applicable from May 2018, that
addresses personal privacy, deeming it an individual human right.

Governance
The process of how an organization is managed; usually includes all aspects of how decisions
are made for that organization, such as policies, roles, and procedures the organization uses to
make those decisions.

Health Insurance Portability and Accountability Act (HIPAA)
This U.S. federal law, enacted in 1996, is the principal healthcare information regulation in the
United States. It directs the adoption of national standards for electronic healthcare transactions
while protecting the privacy of individuals' health information. Other provisions address fraud
reduction, protections for individuals with health insurance and a wide range of other healthcare-
related activities.

Impact
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.

Information Security Risk
The potential adverse impacts to an organization's operations (including its mission, functions
and image and reputation), assets, individuals, other organizations, and even the nation, which
results from the possibility of unauthorized access, use, disclosure, disruption, modification or
destruction of information and/or information systems.

Integrity
The property of information whereby it is recorded, used and maintained in a way that ensures
its completeness, accuracy, internal consistency and usefulness for a stated purpose.

International Organization for Standardization (ISO)
The ISO develops voluntary international standards in collaboration with its partners in
international standardization, the International Electrotechnical Commission (IEC) and the
International Telecommunication Union (ITU), particularly in the field of information and
communication technologies.

Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors and
researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of
collaboration and consensus. Source: NIST SP 1800-16B

Institute of Electrical and Electronics Engineers (IEEE)
IEEE is a professional organization that sets standards for telecommunications, computer
engineering and similar disciplines.

Likelihood
The probability that a potential vulnerability may be exercised within the construct of the
associated threat environment.

Likelihood of Occurrence
A weighted factor based on a subjective analysis of the probability that a given threat is capable
of exploiting a given vulnerability or set of vulnerabilities.

Multi-Factor Authentication
Using two or more of the three distinct factors of authentication (something you know,
something you have, something you are) for identity verification. Two instances of the same
factor, such as a password and a PIN, do not constitute multi-factor authentication.

National Institute of Standards and Technology (NIST)
NIST is part of the U.S. Department of Commerce and addresses the measurement
infrastructure within science and technology efforts within the U.S. federal government. NIST
sets standards in a number of areas, including information security, through the Computer
Security Resource Center of its Computer Security Division.

Non-repudiation
The inability to deny taking an action such as creating information, approving information and
sending or receiving a message.

Personally Identifiable Information (PII)
The National Institute of Standards and Technology (NIST) defines Personally Identifiable
Information (PII) as any data that can distinguish or trace an individual's identity, including
common identifiers like name and Social Security number, as well as other information linked to
an individual such as biometric records, medical, educational, financial, and employment
information.

Physical Controls
Controls implemented through a tangible mechanism. Examples include walls, fences, guards,
locks, etc. In modern organizations, many physical control systems are linked to
technical/logical systems, such as badge readers connected to door locks.

Privacy
The right of an individual to control the distribution of information about themselves.

Probability
The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a
set of vulnerabilities. Source: NIST SP 800-30 Rev. 1

Protected Health Information (PHI)
Information regarding health status, the provision of healthcare or payment for healthcare as
defined in HIPAA (Health Insurance Portability and Accountability Act).

Qualitative Risk Analysis
A method for risk analysis that is based on the assignment of a descriptor such as low, medium
or high. Source: NISTIR 8286

Quantitative Risk Analysis
A method for risk analysis where numerical values are assigned to both impact and likelihood
based on statistical probabilities and monetary valuation of loss or gain. Source: NISTIR 8286

Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event.

Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk
impact/likelihood and performing that business function with no other action.

Risk Assessment
The process of identifying and analyzing risks to organizational operations (including mission,
functions, image, or reputation), organizational assets, individuals and other organizations. The
analysis performed as part of risk management which incorporates threat and vulnerability
analyses and considers mitigations provided by security controls planned or in place.

Risk Avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the
potential benefits and not performing a certain business function because of that determination.

Risk Management
The process of identifying, evaluating and controlling threats, including all the phases of risk
context (or frame), risk assessment, risk treatment and risk monitoring.

Risk Management Framework
A structured approach used to oversee and manage risk for an enterprise. Source: CNSSI 4009

Risk Mitigation
Putting security controls in place to reduce the possible impact and/or likelihood of a specific
risk.

Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result.
Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are often used
interchangeably with risk tolerance, although some frameworks distinguish risk appetite (the
amount of risk an organization is willing to pursue) from risk tolerance (the acceptable deviation
from that appetite).

Risk Transference
Paying an external party (e.g., an insurer) to accept the financial impact of a given risk.

Risk Treatment
The determination of the best way to address an identified risk.

Security Controls
The management, operational and technical controls (i.e., safeguards or countermeasures)
prescribed for an information system to protect the confidentiality, integrity and availability of the
system and its information. Source: FIPS PUB 199

Sensitivity
A measure of the importance assigned to information by its owner, for the purpose of denoting
its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1

Single-Factor Authentication
Use of just one of the three available factors (something you know, something you have,
something you are) to carry out the authentication process being requested.
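The following is an added example, not part of the ISC2 glossary, illustrating the Multi-Factor Authentication and Single-Factor Authentication entries (and the Biometric and Token entries they rely on): a check that classifies a login attempt by how many distinct factors the presented authenticators cover, so that two knowledge factors (password plus PIN) are correctly reported as single-factor. The authenticator type names and their factor mapping are hypothetical and constructed for illustration.

```python
"""Added example (not from the ISC2 glossary): classify a set of presented
authenticators as single-factor or multi-factor.

MFA requires two or more *different* factors (something you know, something you
have, something you are). The authenticator type names and the mapping below are
constructed for illustration, not drawn from any standard.
"""
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Hypothetical mapping of authenticator types to the factor each represents.
FACTOR_OF = {
    "password": KNOW,
    "pin": KNOW,
    "security_question": KNOW,
    "hardware_token": HAVE,   # physical object the user possesses (see Token)
    "totp_app": HAVE,         # authenticator app bound to a device the user holds
    "smart_card": HAVE,
    "fingerprint": ARE,       # biometric (see Biometric)
    "iris_scan": ARE,
}


def factors_present(authenticators):
    """Return the set of distinct factors covered by the presented authenticators.

    Unknown authenticator types raise rather than being silently ignored, so a
    typo in a policy cannot make a weak login look stronger than it is.
    """
    factors = set()
    for a in authenticators:
        if a not in FACTOR_OF:
            raise ValueError(f"unknown authenticator type: {a!r}")
        factors.add(FACTOR_OF[a])
    return factors


def classify(authenticators):
    """'none', 'single-factor' or 'multi-factor', by count of distinct factors."""
    n = len(factors_present(authenticators))
    if n == 0:
        return "none"
    return "single-factor" if n == 1 else "multi-factor"


def meets_policy(authenticators, required_factors=2):
    """True when the attempt covers at least `required_factors` distinct factors."""
    return len(factors_present(authenticators)) >= required_factors


if __name__ == "__main__":
    for attempt in (["password"], ["password", "pin"],
                    ["password", "totp_app"], ["smart_card", "pin", "fingerprint"]):
        print(attempt, "->", classify(attempt))
```

Note that the check counts factors, not authenticators: a password and a security question are both "something you know" and together still yield single-factor authentication.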

State
The condition an entity is in at a point in time.

System Integrity
The quality that a system has when it performs its intended function in an unimpaired manner,
free from unauthorized manipulation of the system, whether intentional or accidental. Source:
NIST SP 800-27 Rev. A

Technical Controls
Security controls (i.e., safeguards or countermeasures) for an information system that are
primarily implemented and executed by the information system through mechanisms contained
in the hardware, software or firmware components of the system.

Threat
Any circumstance or event with the potential to adversely impact organizational operations
(including mission, functions, image or reputation), organizational assets, individuals, other
organizations or the nation through an information system via unauthorized access, destruction,
disclosure, modification of information and/or denial of service. Source: NIST SP 800-30 Rev 1

Threat Actor
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to
occur.

Threat Vector
The means by which a threat actor carries out their objectives.

Token
A physical object a user possesses and controls that is used to authenticate the user's identity.
Source: NISTIR 7711

Vulnerability
Weakness in an information system, system security procedures, internal controls or
implementation that could be exploited by a threat source. Source: NIST SP 800-30 Rev 1