Security Terminology Definitions

  • Assessment – the process of testing the effectiveness of security controls to discover the level of protection they offer and any weaknesses.
  • Assessment and Authorization – formerly known as C&A. The combination of the Assessment process and the Authorization process that together allow an information system to operate as safely as possible.
    SEE ALSO: Assessment, Authorization
  • Authorization – the process of accepting risk as it has been assessed and authorizing an information system to operate. This usually follows a formal assessment of the effectiveness of the security control protections, and the decision is usually made by senior management (the Authorizing Official). Formerly known as accreditation, the “A” in C&A.
  • Authorization boundary – the limit of a defined information system. Used in the Assessment and Authorization process to define which components are inside the scope of inspection. System components and other information systems outside the boundary but with connections to the inside must have those connections assessed for security risk.
    SEE ALSO: Interconnection Security Agreement
  • Certification and Accreditation (aka C&A) – see Authorization, Assessment and Authorization
  • Common control – a security control that is common to several systems or subsystems. Common controls are often controls that are operated centrally by an organization and can be “inherited” by subsystems. Responsibility for operating, maintaining, assessing and reporting on the control must be assigned.
    SEE ALSO: System specific control, Hybrid control
  • Compensating control – a security control used in place of a baseline control that cannot be implemented, or does not fit well, in the operating environment. A compensating control is usually not one required by the baseline selected for the impact level, but it must offer protection equivalent or comparable to the baseline control it replaces, and the substitution must be documented and accepted as part of the risk decision.
  • Controls – see Security controls
  • FIPS validated encryption – encryption technology may be called FIPS “compliant” merely because it uses an approved algorithm such as AES. To be considered FIPS “validated”, the cryptographic module itself must have passed testing by an accredited cryptographic module testing lab and been issued a validation certificate by NIST under the Cryptographic Module Validation Program (CMVP). “Compliant” is a vendor claim; “validated” can be verified against the published certificate.
  • FISMA – Federal Information Security Management Act of 2002, passed as Title III of the E-Government Act (Public Law 107-347). This is the foundational law that requires federal agencies to develop information security programs that follow guidance published by NIST.
  • Hybrid control – a security control that is neither fully a common control nor fully a system specific control, but some of each. Responsibility for each part of the control must be assigned and documented.
    SEE ALSO: Common control, System specific control
  • Interconnection Security Agreement – when two information systems are connected, it becomes necessary to evaluate the risk involved in the connection. The Interconnection Security Agreement (ISA) documents the process of considering any extra risk involved and the measures taken to assure the safety of the systems. A Memorandum of Understanding (MOU) is often attached to the ISA or incorporated into the ISA.
  • Malware – malicious software designed to have a negative impact on system security. Viruses, trojans, backdoors, rootkits and more are considered to be malware.
  • Organizationally Defined Parameters (ODPs) – parameters in security controls that can be defined by an organization in order to make the control fit the operating environment better.

    example: AC-11 SESSION LOCK – the session (screen) lock should activate after XX minutes of inactivity. The XX is an ODP; it is often set to 15 minutes but can be changed according to the needs of the system, and the chosen value is what the assessor checks the system configuration against.

  • POAM – Plan Of Action and Milestones – when a security assessment finds weaknesses in the security protections, a POAM item must be composed and recorded and updated as progress is made toward fixing the problem.
  • Scoping guidance – in the Tailoring process, scoping guidance offers areas where security controls may be altered or deleted because they do not fit the operating environment or cannot be implemented. Any changes must be thoroughly documented.
  • Security controls – countermeasures, safeguards and other protections for an information system.
  • System Security Plan (SSP) – the master document outlining how security protections work for an information system. The SSP may contain or reference a series of sub-documents such as: Risk Assessment, Contingency Plan, Security Controls, Configuration Management Plan, Security Assessment Report, POAMs and many more.
  • System specific control – a security control that is not common to several systems, but specific to a single system. Any control that is not declared a common control is either a system specific control or a hybrid of both types. Responsibility for operating, maintaining, assessing and reporting on the control must be assigned.
    SEE ALSO: Common control, Hybrid control
  • Tailoring – once a baseline of security controls has been selected by designating the impact level of the system, these controls can be tweaked to fit the environment by tailoring them. This involves applying scoping guidance, adjusting Organizationally Defined Parameters (ODPs) and determining the need for any compensating controls. The tailoring process is followed by Supplementing.
    SEE ALSO: Scoping guidance, ODPs, Compensating controls, Supplementing
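As an added illustration of what an Organizationally Defined Parameter means at assessment time (this is example code written for this page, not part of the original glossary or of any NIST publication), the check below takes the AC-11 ODP as an input and evaluates a GNOME dconf screen-lock configuration against it. The file format and the key names (org/gnome/desktop/session idle-delay, org/gnome/desktop/screensaver lock-enabled) follow GNOME's dconf conventions; the two configuration texts are constructed samples, one that fails the 15-minute ODP and one that satisfies it.

```python
"""Check a dconf screen-lock profile against the AC-11 SESSION LOCK ODP.

Example code added for this glossary entry; the config samples below are
constructed, not captured from a real system.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lock activates after 30 minutes, which fails a 15-minute ODP.
WEAK_CONFIG = """\
[org/gnome/desktop/session]
idle-delay=uint32 1800

[org/gnome/desktop/screensaver]
lock-enabled=false
lock-delay=uint32 0
"""

# Constructed sample: lock enabled and idle delay at the 15-minute ODP value.
TAILORED_CONFIG = """\
[org/gnome/desktop/session]
idle-delay=uint32 900

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^(?P<key>[\w-]+)\s*=\s*(?P<val>.+?)\s*$")


def parse_dconf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a dconf keyfile into {section: {key: raw value}}.

    Lines outside a section, comments, and blanks are ignored; a GVariant
    type prefix such as 'uint32 900' is kept as-is and decoded by the caller.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("val")
    return sections


def _as_int(raw: str) -> int:
    # Accept 'uint32 900' or a bare '900'.
    return int(raw.split()[-1])


def check_session_lock(config_text: str, odp_minutes: int) -> Tuple[bool, List[str]]:
    """Evaluate AC-11 against the organization's chosen ODP (in minutes).

    Returns (compliant, findings). Each finding is a POAM-ready sentence that
    names the observed value and the ODP it was measured against.
    """
    cfg = parse_dconf(config_text)
    findings: List[str] = []
    limit_seconds = odp_minutes * 60

    session = cfg.get("org/gnome/desktop/session", {})
    saver = cfg.get("org/gnome/desktop/screensaver", {})

    # Missing keys fall back to "not configured", which must fail: an absent
    # setting means the control is not implemented, not that it is fine.
    idle_raw = session.get("idle-delay")
    if idle_raw is None:
        findings.append("idle-delay not set; session lock timeout is not enforced")
    else:
        idle = _as_int(idle_raw)
        # idle-delay=0 disables the idle timer entirely in GNOME, so treat it as a failure.
        if idle == 0 or idle > limit_seconds:
            findings.append(
                f"idle-delay is {idle}s; ODP requires a lock within {limit_seconds}s"
            )

    if saver.get("lock-enabled", "false").lower() != "true":
        findings.append("lock-enabled is not true; the screen blanks but does not lock")

    return (not findings, findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("tailored", TAILORED_CONFIG)):
        ok, notes = check_session_lock(text, odp_minutes=15)
        print(label, "PASS" if ok else "FAIL", notes)
```

Changing the `odp_minutes` argument is the tailoring step: the control text stays the same, the organization's parameter value is what the configuration is measured against, and each failed check yields the observed versus required values that a POAM entry needs.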
