Appendix B: Glossary


Acceptable use policy: A document that establishes an agreement between users and the enterprise and defines, for all parties, the ranges of use that are approved before users can gain access to a network or the Internet.
Access: The ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system.
Administrator privileges: Computer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted.
Air-gapped environment: A security measure that isolates a secure network from unsecured networks physically, electrically, and electromagnetically.
Anomalous activity: Activity that deviates from normal. The result of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Antivirus/anti-malware software: A program that monitors a computer or network to identify all types of malware and prevent or contain malware incidents.
Asset: In computer security, a major application, general-support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically related group of systems.
Attack signature: A specific sequence of events indicative of an unauthorized access attempt.
Authentication: The process of verifying the identity of an individual user, machine, software component, or any other entity.
Availability: Whether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.


Baseline configuration: A set of specifications for a system, or configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, or changes.
Black holing: A method typically used by ISPs to stop a DDoS attack on one of their customers. This approach to blocking DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.
Border router: A device located at the organization's boundary to an external network.


Change management: The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.
Checksum: A mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously or erroneously changed.
Classification: Categorization (e.g., "confidential," "sensitive," or "public") of the information processed by the service provider on behalf of the receiver company.
Cloud computing: Generally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet "cloud." In cloud environments, a client or customer relocates its resources, such as data, applications, and services, to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.
Cloud storage: A model of data storage in which the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.
Compensating control: A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
Computer security: Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.
Confidentiality: Assuring that information will be kept secret, with access limited to appropriate persons.
Configuration management: The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.
Consumer information: For purposes of the Information Security Standards, "consumer information" means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.
Control: The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
Control requirements: The process used to document and/or track internal processes to determine that established procedures and/or physical security policies are being followed.
Control self-assessment: A technique used to internally assess the effectiveness of risk management and control processes.
Corrective control: A mitigating technique designed to lessen the impact to the institution when adverse events occur.
Crisis management: The process of managing an entity's preparedness, mitigation, response, continuity, or recovery in the event of an unexpected significant disruption, incident, or emergency. (Source: FFIEC Developed for Supervisory Purposes)
Critical system (infrastructure): The systems and assets, whether physical or virtual, that are so vital that their incapacity or destruction may have a debilitating impact.
Customer: For purposes of the Information Security Standards, "customer" means a consumer with whom a financial institution has a continuing relationship under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. In the case of a credit union, a customer relationship will exist between a credit union and certain consumers that are not the credit union's members.
Customer information: A term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.
Customer information systems: For purposes of the Information Security Standards, "customer information systems" means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
Cyber attack: An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure, or of destroying the integrity of the data or stealing controlled information.
Cyber event: A cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cyber incident: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
Cyber resilience: The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.
Cyber threat: An internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
Cybersecurity: The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.


Data classification program: A program that categorizes data to convey the required safeguards for information confidentiality, integrity, and availability, and establishes the controls required based on the value and level of sensitivity of the data.
Data corruption: Errors in computer data that occur during writing, reading, storage, transmission, or processing and that introduce unintended changes to the original data.
Data integrity: The property that data has not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over its entire life cycle.
Data loss prevention (DLP) program: A comprehensive approach (covering people, processes, and systems) to implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.
Database: A repository of information or data, which may or may not be a traditional relational database system. (Source: NIST Glossary)
A repository of information or data organized to be accessed, managed, and updated. (Source: FFIEC Adapted for Supervisory Purposes)
Defense-in-depth: An information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Demilitarized zone (DMZ): A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
Detection device: A device designed to recognize an event and alert management when events occur.
Detective control: A mitigating technique designed to recognize an event and alert management when events occur.
Device: A generic term for any machine or component that attaches to a computer or connects to a network.
Distributed denial of service (DDoS): A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means of carrying out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution's reputation by preventing an Internet site, service, or application from functioning efficiently.
Due diligence for service provider selection: Technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.


End-of-life: All software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product.
End-point security: A methodology of protecting the corporate network when it is accessed with remote devices, such as laptops, or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry (or exit) point for security threats.
End-to-end process flow: A document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.
Enterprise-wide: Across an entire organization, rather than a single business department or function.
Exploit: A technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to impact an operating system or application program.
External connections: An information system or component of an information system that is outside of the authorization boundary established by the organization and over which the organization typically has no direct control regarding the application of required security controls or the assessment of security control effectiveness.


File transfer protocol (FTP): A standard high-level protocol for transferring files from one computer to another, usually implemented as an application-level program.
Financial Services Information Sharing and Analysis Center (FS-ISAC): A nonprofit information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
Firewall: A hardware or software link in a network that relays only data packets clearly intended and authorized to reach the other side.
Frame relay: A high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnection (OSI) reference model. Frame relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.


Governance: In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.
Gramm-Leach-Bliley Act (GLBA): The act, also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), that required the federal banking agencies to establish information security standards for financial institutions.


Hardening: The process of securing a computer's administrative functions or inactivating those features not needed for the computer's intended business purpose.
Hardware: The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.
Hash: A fixed-length cryptographic output produced by applying a formula or cryptographic algorithm to an input of variable length, such as a message.
Hijacking: The use of an authenticated user's communication session to communicate with system components.
Homing beacons: Devices that send messages to the institution when they connect to a network and that enable recovery of the device.
Host: A computer that is accessed by a user from a remote location.


Incident management: The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible. (Source: FFIEC Developed for Supervisory Purposes)
Incident response plan: A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.
Information security: The process by which an organization protects the creation, collection, storage, use, transmission, and disposal of information.
Information systems: Electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.
Information technology: Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that comprise the institution's IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services that support any point of the life cycle of the equipment or service), and related resources.
Infrastructure: The system of facilities, equipment, and services needed for the operation of an organization. (Source: ISO 22300:2018(en))
Integrity: Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see "Data integrity").
Interconnectivity: The state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.
Interdependencies: When two or more departments, processes, functions, or third-party providers interact to successfully complete a task, business function, or process. (Source: FFIEC Developed for Supervisory Purposes)
Internal "trusted" zone: A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may also be protected in transit. Examples include SSL, IP security, and a secure physical connection.
International Organization for Standardization (ISO): An independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.
Internet: The global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link billions of devices worldwide.
Internet service provider (ISP): A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).
Intrusion detection: Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.
Intrusion detection system (IDS): A software or hardware product that detects and logs inappropriate, incorrect, or anomalous activity. It gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). IDSs are typically characterized by the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
Intrusion prevention system (IPS): A system that can detect intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.
IT system inventory: A list containing information about the information resources owned or operated by an organization.


Life-cycle process: The multi-step process that starts with initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.
Log: A record of information or events in an organized system, usually sequenced in the order in which the events occurred.
Logical access: The ability to interact with computer resources, granted using identification, authentication, and authorization.
Logical access controls: The policies, procedures, organizational structure, and electronic access controls designed to restrict access to computer software and data files.


Malware: Software designed to secretly access a computer system without the owner's informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
Media: Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).
Metric: A quantitative measurement.
Middleware: Software that connects two or more software components or applications. It is another term for an application programming interface (API), and it allows programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Mobile device: A portable computing and communications device with information-storage capability. Examples include notebook and laptop computers, cellular telephones and smart phones, tablets, digital cameras, and audio recording devices.
Multi-factor authentication: The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).


National Institute of Standards and Technology (NIST): An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.
Network: Two or more computer systems grouped together to share information, software, and hardware.
Network activity baseline: A base for determining typical utilization patterns so that significant deviations can be detected.
Network administrator: The individual responsible for the installation, management, and control of a network.
Network diagram: A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.
Network security: The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.
Non-public personal information: For purposes of the Information Security Standards, non-public personal information means (i) "personally identifiable financial information"; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any "personally identifiable financial information" that is not publicly available.
Non-repudiation: Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.


Operating system: A system that supports and manages software applications. Operating systems allocate system resources, provide access and security controls, maintain file systems, and manage communications between end users and hardware devices.
Out-of-band: Activity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.
Outsourcing: The practice of contracting through a formal agreement with a third party (or parties) to perform services, functions, or support that might otherwise be conducted in-house. (Source: FFIEC Developed for Supervisory Purposes)


Packet: The data unit that is routed from source to destination in a packet-switched network.
Patch: Software code that replaces or updates other code. Frequently, patches are used to correct security flaws.
Penetration test: The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.
Personally identifiable financial information: For purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution's customers.
Phishing: A digital form of social engineering that uses authentic-looking (but bogus) e-mail to request information from users or direct them to fake websites that request information.
Policy: A document that records a high-level principle or an agreed-upon course of action; overall intention and direction as formally expressed by management.
Port: Either an endpoint to a logical connection or a physical connection to a computer.
Positive pay: A technique that can reduce check fraud by requesting that businesses send electronic files of information to the financial institution on all checks the business has issued.
Preventive control: A mitigating technique designed to prevent an event from occurring.
Principle of least privilege: The security objective of granting users only the access needed to perform official duties.
Privilege: The level of trust with which a system object is imbued.
Privileged access: Individuals with the ability to override system or application controls.
Protocol: A format for transmitting data between devices.


Real-time network monitoring: Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.
Remote access: Access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). (Source: NIST Glossary)
Remote deletions: Use of a technology to remove data from a portable device without touching the device.
Removable media: Portable electronic storage media, such as magnetic, optical, and solid-state devices, that can be inserted into and removed from a computing device and that are used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CD), thumb drives, pen drives, and similar storage devices.
Resource: Any enterprise asset that can help the organization achieve its objectives.
Retention requirement: A requirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.
Rogue wireless access: An unauthorized wireless node on a network.
Routing: The process of moving information from its source to the destination.


SandboxA restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Scenario analysisThe process of analyzing possible future events by considering alternative possible outcomes.
Secure shellNetwork protocol that uses cryptography to secure communication, remote command line log-in, and remote command execution between two networked computers.
Secure Socket Layer (SSL)A protocol that is used to transmit private documents through the Internet.
Security architectureA detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
Security auditAn independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.
Security breachA security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.
Security eventAn event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.
Security logA record that contains log-in and logout activity and other security-related events and that is used to track security-related information on a computer system.
Security postureThe security status of an enterprise's networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Security violationAn instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.
Sensitive customer informationA customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.
ServerA computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.
Service level agreementDefines the specific responsibilities of the service provider and sets the customer expectations.NIST Glossary
A formal agreement between two parties that records: a common understanding about products or services to be delivered, priorities, responsibilities, guarantees, and warranties between the parties. In addition, the agreement describes the nature, quality, security, availability, scope, and timeliness of delivery and response of the parties, the point(s) of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved, and may include other measurable objectives. The agreement should cover not only expected day-to-day situations, but also unexpected or adverse events, as the need for the service may vary.FFIEC Adapted for Supervisory Purposes
Service providerFor purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.
Shadow ITA term used to describe IT systems or applications used inside institutions without explicit approval.
SniffingThe passive interception of data transmissions.
Social engineeringA general term for trying to trick people into revealing confidential information or performing certain actions.
Spear phishingAn attack targeting a specific user or group of users, and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network.
SpoofingA form of masquerading where a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.
SQL injection attackAn exploit of target software that constructs Structured Query Language (SQL) statements from user input. An attacker crafts input strings so that when the target software builds a SQL statement from that input, the resulting statement performs actions other than those the application intended. SQL injection lets the attacker execute statements of their own choosing against the database, with the application's own database privileges, bypassing the application's intended logic. Successful injection can cause information disclosure as well as the ability to add, modify, or delete data in the database.
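The following is an added example, not part of the glossary or of any FFIEC material, showing the mechanism the definition describes: an application that concatenates user input into SQL beside the same lookup written with bound parameters. The tables, rows, and attack strings are constructed for the example; sqlite3 from the Python standard library stands in for the application's database.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table, plus a secrets table that
    the user lookup is never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.execute("INSERT INTO secrets VALUES ('api_key', 'constructed-sample-key')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the statement is built by string concatenation, so a quote
    # in the input closes the literal and the rest of the input becomes SQL.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: a bound parameter is always treated as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def rename_vulnerable(conn, user_id, new_name):
    # Vulnerable UPDATE: attacker-controlled new_name can smuggle in a second
    # SET clause and change a column the application never meant to touch.
    conn.execute(
        "UPDATE users SET username = '" + new_name + "' WHERE id = " + str(int(user_id))
    )
    conn.commit()


def rename_safe(conn, user_id, new_name):
    conn.execute("UPDATE users SET username = ? WHERE id = ?", (new_name, user_id))
    conn.commit()


def get_user(conn, user_id):
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Constructed attack inputs, each exercising one consequence from the definition.
    tautology = "' OR '1'='1"                              # disclosure: every row comes back
    union = "' UNION SELECT name, value FROM secrets --"   # disclosure: reads another table
    escalate = "x', role = 'admin"                         # modification: rewrites role column
    print(lookup_vulnerable(conn, tautology))
    print(lookup_vulnerable(conn, union))
    print(lookup_safe(conn, tautology))
    rename_vulnerable(conn, 2, escalate)
    print(get_user(conn, 2))
```

The parameterized versions do not "escape" the input; the database driver passes the value separately from the statement text, so the quote characters and the `UNION` keyword remain ordinary data. Stacked statements (`'; DROP TABLE users; --`) are not shown because sqlite3's `execute` refuses more than one statement per call, a limitation many other drivers do not share.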
Stateful inspectionA firewall inspection technique that tracks the state of connections and evaluates each packet against that state rather than in isolation. For example, an inbound packet claiming to be a response to a request is compared to a table of outstanding outbound requests and is dropped if no matching request exists.
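As an added illustration (not part of the glossary), the following compares a stateless rule that admits any inbound packet carrying the ACK flag with a stateful filter that keeps a table of connections opened from the inside and admits inbound packets only when they match an entry. The packet records and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal TCP packet record, constructed for the example."""
    direction: str   # "out" = internal host to Internet, "in" = Internet to internal host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt):
    """Stateless rule: inbound packets are admitted if ACK is set, on the theory
    that only replies to established connections carry it. Nothing checks that a
    matching request was ever sent, so an unsolicited ACK probe passes."""
    if pkt.direction == "out":
        return "ALLOW"
    return "ALLOW" if pkt.ack else "DROP"


class StatefulFilter:
    """Stateful inspection: remember connections initiated from the inside and
    admit an inbound packet only if it answers one of them."""

    def __init__(self):
        # key: (internal ip, internal port, external ip, external port)
        self.table = set()

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.table.add(key)      # new outbound request: record it
                return "ALLOW"
            return "ALLOW" if key in self.table else "DROP"
        # inbound: flip the tuple so it is keyed by the internal endpoint
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.table else "DROP"


def run(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_filter(p), fw.check(p)) for p in packets]


# Constructed traffic: a legitimate outbound HTTPS connection, its reply,
# an unsolicited inbound ACK probe, and an inbound SYN to SSH.
SAMPLE = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40001, ack=True),
    Packet("in", "198.51.100.7", 12345, "10.0.0.5", 22, syn=True),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, verdict)
```

The third packet is the case the definition turns on: it looks like a reply, and the stateless rule admits it, but no internal host asked for it, so the stateful filter drops it. A production implementation would also age entries out of the table and track TCP state transitions (FIN, RST) rather than a simple set membership.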
System administrationThe process of maintaining, configuring, and operating computer systems.
System resourcesCapabilities that can be accessed by a user or program either on the user's machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.


Third-party relationshipAny business arrangement between a financial institution and another entity, by contract or otherwise.
Third-party service providerAny third party to whom a financial institution outsources activities that the institution itself is authorized to perform, including a technology service provider.
Threat intelligenceThreat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. (NIST Glossary)
Trojan horseMalicious code that is hidden in software that has an apparently beneficial or harmless use.
Trusted zoneA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may also be protected in transit. Examples include Secure Sockets Layer (SSL, since superseded by Transport Layer Security, TLS), Internet Protocol Security (IPsec), and a secure physical connection.
TunnelThe path that encapsulated packets follow in an Internet VPN.


U.S. Computer Emergency Readiness Team (US-CERT)US-CERT is part of the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.
User IdentificationThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).
UtilityA program used to configure or maintain systems, or to make changes to stored or transmitted data.


Virtual local area network (VLAN)Logical segmentation of a LAN into different broadcast domains.
Virtual machineA software emulation of a physical computing environment.
Virtual private network (VPN)A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
VirusMalicious code that replicates itself within a computer by attaching to other programs or files and running when the infected host is executed; unlike a worm, it generally depends on a host program or user action to spread.
VulnerabilityA hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.
Vulnerability AnalysisSystematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Vulnerability AssessmentSystematic examination of systems to identify, quantify, and prioritize the security deficiencies of the systems.


WormA self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network), typically by exploiting security vulnerabilities on the target computers, and it can do so without any user intervention.


Zero-day attackAn attack that exploits a software vulnerability unknown to the vendor or for which no patch is yet available, so that defenders have had "zero days" to remediate it.

