Information Security Booklet - Appendix B: Glossary
A

Access - The ability to physically or logically enter or make use of an IT system or area (secured or unsecured); the process of interacting with a system.

ACL - Access control list.

Aggregation - Consolidation of digital information from multiple sources. Automated tools allow aggregators to access and consolidate a customer’s online accounts (financial and nonfinancial) through the Internet, using customer-provided account numbers, user IDs, and personal identification numbers (PINs). The method of obtaining a customer’s account information from multiple websites is called “screen scraping.”

Applet - A small program that typically is transmitted with a Web page and executed by the browser.

AUP - Acceptable use policy. It documents permitted system uses and activities for a specific user and the consequences of noncompliance.

Authentication - The process of verifying the claimed identity of an individual user, machine, software component, or any other entity.

Authorization - The process of granting access to parts of a system, typically based on the business needs and the role of the individual within the business. Authorization follows authentication: a system decides what an entity may do only after establishing who it is.

Availability - Whether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.

C

Certificate Authority (CA) - The entity or organization that issues digital certificates attesting that a particular public key belongs to a specific individual or system, so that messages signed with the corresponding private key can be attributed to that party.

Classification - Categorization (e.g., “confidential,” “sensitive,” or “public”) of the information processed by the service provider on behalf of the receiving company.

Computer Security - Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.

Confidentiality - Assuring information will be kept secret, with access limited to appropriate persons.

Configuration Management - The management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.

Control Requirements - Process used to document and/or track internal processes to determine that established procedures and/or physical security policies are being followed.

Cookie - A message given by a Web server to a Web browser, stored by the Web browser, and returned to the Web server with subsequent requests to that server.

Cyber Attack - An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network; an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure, destroying the integrity of the data, or stealing controlled information.

Cyber Resilience - The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.

D

Data Corruption - Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.

Data Integrity - The property that data has not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over its entire life cycle.

Dictionary Attack - Discovery of authenticators (typically passwords) by hashing or encrypting a list of likely authenticators, such as words from a dictionary, and comparing each result with the stored hashed or encrypted authenticator; a match reveals the original. Per-user salts and deliberately slow hash functions raise the cost of this attack.

Distributed Denial of Service (DDoS) - A type of denial-of-service attack that makes a computer resource or resources unavailable to its intended users by overwhelming them with traffic or requests from many distributed sources, commonly a network of compromised hosts. Although the means, motives, and targets of a DDoS attack vary, the effect is to prevent an Internet site, service, or application from functioning, with consequent reputational and financial harm to the institution.

Due Diligence - Technical, functional, and financial review to verify a service provider’s ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.

E

End-to-End Process Flow - Document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.

Exploit - A technique or code that uses a vulnerability to provide system access to the attacker.

F

FS/ISAC - Financial Services Information Sharing and Analysis Center.

Full-Duplex - A communications channel that carries data in both directions simultaneously.

G

Governance - In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. It includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.

H

Hardening - The process of securing a computer’s administrative functions and disabling or removing those features and services not needed for the computer’s intended business purpose.

Hardware - The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.

Hash - A fixed-length value computed from input of arbitrary length (for example, a message or a password) by a hash function. A cryptographic hash function is one-way and collision-resistant: it is infeasible to recover the input from the hash or to find two inputs with the same hash, which allows a hash to verify the integrity of data or to store a password without keeping the password itself.

Hijacking - The takeover of an authenticated user’s communication session, allowing the attacker to communicate with system components as that user.

Host - A computer on a network, typically one that provides services accessed by users from remote locations.

I

I/O - Input/output.

IDS - Intrusion Detection System.

Incident Response Plan - A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.

Information Security - The result of any system of policies and/or procedures for identifying, controlling, and protecting information from unauthorized disclosure; the process by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations.

Information Technology - Systems technologies, including operations such as central computer processing, distributed processing, end-user computing, local area networking, and telecommunications. These operations often represent critical services to financial institutions and their customers.

Integrity - Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data Integrity”).

Intrusion Detection - Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software that operates on logs or other information available on the network.

IPS - Intrusion Prevention System.

IPv6 - Version 6 of the Internet Protocol.

ISAC - Information Sharing and Analysis Center.

ISO - International Organization for Standardization.

M

Malware - Short for malicious software, malware is designed to secretly access a computer system without the owner’s informed consent. The expression is a general term for a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.

Man-In-The-Middle Attack - An attack that places the attacker’s computer in the communication path between the server and the client, while each party believes it is communicating directly with the other. The attacker’s machine can monitor and change communications.

Media - Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).

N

Network Security - The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.

Non-Repudiation - Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received it; digital signatures are the usual mechanism.

P

P2P - Peer-to-peer communication: communications that travel from one user’s computer directly to another user’s computer without being stored on a server for later retrieval. E-mail is not a P2P communication, since it travels from the sender to a server and is retrieved by the recipient from the server. A chat or file-sharing session in which the two users’ computers connect directly is a P2P communication.

Patch - Software code that replaces or updates other code. Frequently patches are used to correct security flaws.

Port - Either an endpoint to a logical connection or a physical connection to a computer.

Protocol - A format for transmitting data between devices.

R

Replay Attack - The interception of communications, such as an authentication exchange, and subsequent impersonation of the sender by retransmitting the intercepted communication. Binding each message to a nonce, timestamp, or sequence number lets the recipient reject a retransmitted copy.

Retention Requirement - Requirement established by a company or by regulation for the length of time and/or the amount of information that should be retained.

Risk Analysis - The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards. Risk analysis is an integral part of risk management.

Risk Assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

Risk Management - The total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval.

Routing - The process of moving information from its source to its destination.

S

Security Architecture - A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.

Security Audit - An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in controls, policy, and procedures.

Security Event - An event that compromises the confidentiality, integrity, availability, or accountability of an information system.

Security Violation - An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.

Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.

Service Level Agreement (SLA) - A formal document that outlines the institution’s predetermined requirements for a service and establishes incentives to meet, or penalties for failure to meet, those requirements. It should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.

Service Provider - Also referred to as a technology service provider (TSP). Any of a broad range of entities, including affiliated entities, non-affiliated entities, and alliances of companies, that provide products and services. Other terms used to describe service providers include vendors, subcontractors, external service providers, application service providers, and outsourcers.

Sniffing - The passive interception of data transmissions.

Social Engineering - Obtaining information or access from individuals by deception.

Spoofing - A form of masquerading in which a forged source address (for example, a trusted IP address) is used in place of the true address as a means of gaining access to a computer system.

Stateful Inspection - A firewall inspection technique that tracks the state of connections and examines whether each packet’s claimed purpose is consistent with that state. For example, an inbound packet claiming to respond to a request is compared to a table of outstanding requests and is dropped if no matching request exists.

System Resources - Capabilities that can be accessed by a user or program either on the user’s machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.

T

Trojan Horse - Malicious code that is hidden in software that has an apparently beneficial or harmless use.

U

User Identification - The process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication, which verifies that claim).

Utility - A program used to configure or maintain systems, or to make changes to stored or transmitted data.

V

Virus - Malicious code that replicates itself by inserting copies into other programs or files on a computer.

VLAN - Virtual local area network.

Vulnerability - Hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.

Vulnerability Analysis - Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Scanning - Automated, systematic examination of systems, usually with a tool that compares them against a database of known weaknesses, to identify security deficiencies such as missing patches, insecure configurations, and exposed services, and to provide data for assessing the adequacy of security measures.

W

Warehouse Attack - The compromise of systems that store authenticators, such as a password database, giving the attacker the stored (often hashed) credentials to attack offline.

Worm - A self-replicating malware program. It uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention, typically by exploiting security vulnerabilities on the target computers.
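The Dictionary Attack and Warehouse Attack entries above describe the two halves of one offline attack: the authenticator store is stolen, then likely authenticators are hashed and compared against it. The following is an added example, not code from the booklet, that runs such an attack against two constructed stores, one keeping unsalted SHA-256 hashes and one keeping per-user salted PBKDF2 hashes. The user names, passwords, and word list are made up for the demonstration; the iteration count is kept low so it runs quickly.

```python
# Added example (not from the FFIEC booklet): a dictionary attack against a leaked
# authenticator store, first unsalted SHA-256 and then per-user salted PBKDF2-HMAC-SHA256.
# User names, passwords and the word list are constructed for the demonstration.
import hashlib
import hmac
import os

WORDLIST = ["password", "123456", "qwerty", "Summer2024", "letmein", "welcome1"]  # constructed


def store_unsalted(users: dict) -> dict:
    """Weak store: sha256(password). Equal passwords produce equal hashes, which an
    attacker can see before doing any work at all."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users: dict, iterations: int = 20_000) -> dict:
    """Better store: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
    (Production iteration counts are far higher; 20,000 keeps the demo fast.)"""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def dictionary_attack_unsalted(store: dict, wordlist: list) -> tuple:
    """One hash per candidate word; the resulting table cracks every user sharing that
    password at once. Returns (cracked, hash operations performed)."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in store.items() if h in lookup}
    return cracked, len(wordlist)


def dictionary_attack_salted(store: dict, wordlist: list) -> tuple:
    """The salt forces a fresh, deliberately slow derivation per candidate per user.
    Returns (cracked, derivations performed)."""
    cracked, work = {}, 0
    for u, (salt, iters, digest) in store.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters), digest):
                cracked[u] = w
                break
    return cracked, work


def demo() -> dict:
    # Two users share a weak password that is in the word list; one has a strong one that is not.
    users = {"alice": "Summer2024", "bob": "Summer2024", "carol": "v7#Qp!xL2m@Zr9"}  # constructed
    cracked_u, work_u = dictionary_attack_unsalted(store_unsalted(users), WORDLIST)
    cracked_s, work_s = dictionary_attack_salted(store_salted(users), WORDLIST)
    return {"unsalted": (cracked_u, work_u), "salted": (cracked_s, work_s)}


if __name__ == "__main__":
    for kind, (cracked, work) in demo().items():
        print(f"{kind}: cracked {cracked} with {work} hash operations")
```

Both stores give up the two weak passwords, because no hashing scheme protects a password that is in the attacker's list. The difference is cost: the unsalted store is cracked with six hashes for all users together, while the salted store needs a separate slow derivation for every candidate and every user (fourteen here), and that cost scales with the user count and with the iteration setting. Salting also hides the fact that alice and bob chose the same password.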
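The Replay Attack entry above turns on one detail: a captured message that is valid once is valid again unless something in it ties it to a single use. The following added example (not from the booklet) shows an HMAC-protected authentication message, a verifier that checks only the MAC and so accepts a replayed copy, and a verifier that also requires a fresh nonce and a timestamp within a short window. The shared key, user names, clock values, and the 30-second window are constructed for the demonstration.

```python
# Added example (not from the FFIEC booklet): HMAC-authenticated login messages, a
# MAC-only verifier that accepts a captured copy, and a verifier that refuses replays
# by binding each message to a nonce and timestamp. Key and clock values are constructed.
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(body: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_auth_message(user: str, key: bytes, now: int, nonce: Optional[str] = None) -> dict:
    """Client side: MAC (user, nonce, timestamp) under the shared key."""
    body = {"user": user, "nonce": nonce or secrets.token_hex(16), "ts": int(now)}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class MacOnlyVerifier:
    """Checks integrity only. A captured message stays valid forever, so it can be replayed."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def verify(self, msg: dict, now: int) -> str:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "bad mac"
        return "accepted"


class ReplayResistantVerifier(MacOnlyVerifier):
    """Adds freshness: the timestamp must lie within WINDOW seconds of the server clock and
    the nonce must not have been seen before. Nonces older than the window can be dropped,
    because any message carrying one would already fail the timestamp check."""

    WINDOW = 30  # seconds; constructed for the demo

    def __init__(self, key: bytes) -> None:
        super().__init__(key)
        self.seen: dict = {}  # nonce -> timestamp it arrived with

    def verify(self, msg: dict, now: int) -> str:
        verdict = super().verify(msg, now)
        if verdict != "accepted":
            return verdict
        if abs(now - msg["ts"]) > self.WINDOW:
            return "stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.WINDOW}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo() -> dict:
    key = b"shared-secret-for-demo"  # constructed
    login = make_auth_message("alice", key, now=1_000)
    captured = dict(login)              # what a sniffer on the path would record
    tampered = dict(login, user="mallory")
    naive, strict = MacOnlyVerifier(key), ReplayResistantVerifier(key)
    return {
        "naive_first": naive.verify(login, 1_001),
        "naive_replay": naive.verify(captured, 1_005),        # accepted again
        "strict_first": strict.verify(login, 1_001),
        "strict_replay": strict.verify(captured, 1_005),      # refused: nonce already seen
        "strict_late_replay": strict.verify(captured, 5_000),  # refused: outside the window
        "strict_tampered": strict.verify(tampered, 1_001),    # refused: MAC no longer matches
        "strict_fresh": strict.verify(make_auth_message("alice", key, 1_002), 1_003),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The nonce alone would stop exact replays but would require the server to remember every nonce forever; the timestamp bounds that memory to one window, and the MAC prevents the attacker from simply editing the timestamp on the captured copy.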
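The Stateful Inspection entry above contrasts with the older stateless approach, in which a router ACL admits any inbound TCP packet whose ACK bit is set on the theory that only replies carry ACK. The following added example (not from the booklet) implements both: a stateless "established" check, and a minimal stateful filter that records outbound requests in a table and admits an inbound packet only if it mirrors one of them. The addresses, ports, and inside network are constructed for the demonstration; connection teardown and timeouts are left out.

```python
# Added example (not from the FFIEC booklet): a toy stateful packet filter that keeps a
# table of outstanding outbound requests and admits inbound traffic only when it answers
# one of them, beside the stateless ACK-bit check it improves on. Addresses are constructed.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP connection-opening flag
    ack: bool = False   # TCP acknowledgement flag


def stateless_established_filter(pkt: Packet) -> str:
    """Stateless rule of the form "permit tcp any any established": inbound TCP is admitted
    whenever ACK is set. With no memory of requests it cannot tell a real reply from a
    packet that merely claims to be one."""
    return "ALLOW" if pkt.proto == "tcp" and pkt.ack else "DROP"


class StatefulFirewall:
    """Inbound packets are admitted only if the table holds an outbound request whose
    5-tuple is the mirror image of the inbound packet's."""

    def __init__(self, inside_net: str) -> None:
        self.inside = ipaddress.ip_network(inside_net)
        self.outstanding = set()  # (proto, src, sport, dst, dport) of requests we sent

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt: Packet) -> str:
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: record a TCP SYN or any UDP datagram so its replies are expected.
            if pkt.proto == "udp" or pkt.syn:
                self.outstanding.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: the claimed reply must match an outstanding request with endpoints swapped.
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if mirror in self.outstanding else "DROP"

    def close(self, pkt: Packet) -> None:
        """Forget a connection once the inside host tears it down (FIN/RST tracking elided)."""
        self.outstanding.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo() -> dict:
    fw = StatefulFirewall("10.0.0.0/8")
    # A forged "reply" from outside: ACK set, source port 80, but nobody on the inside asked.
    forged = Packet("203.0.113.5", 80, "10.0.0.5", 40000, "tcp", ack=True)
    results = {
        "stateless_forged": stateless_established_filter(forged),   # admitted
        "stateful_before_request": fw.filter(forged),                # dropped
    }
    # The inside host now really opens the connection ...
    fw.filter(Packet("10.0.0.5", 40000, "203.0.113.5", 80, "tcp", syn=True))
    # ... so the identical packet is now a legitimate reply.
    results["stateful_after_request"] = fw.filter(forged)
    # A reply aimed at a port that never sent a request is still refused.
    results["stateful_other_port"] = fw.filter(
        Packet("203.0.113.5", 80, "10.0.0.5", 40001, "tcp", ack=True))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The table is what the glossary entry calls the "table of outstanding requests"; a real firewall also ages entries out, follows the TCP handshake and teardown, and keeps per-protocol state (for example, expecting the FTP data connection a control session negotiated).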