A


AAA

Shorthand for the three system controls: authentication, authorization, and accountability.

Abstraction

A process of viewing an application from its highest-level functions, which makes lower-level functions abstract.

Access control

The ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as a person or process).

Access matrix model

Provides object access rights (read/write/execute, or R/W/X) to subjects in a discretionary access control (DAC) system. An access matrix consists of access control lists (ACLs) and capability lists. See also DAC, ACL.

Accountability

The ability to associate users and processes with their actions (what a subject did).

Accreditation

An official, written approval for the operation of a specific system in a specific environment as documented in a certification report.

ACL (access control list)

Lists the specific rights and permissions assigned to a subject for a given object.

Address space

Specifies where memory is located in a computer system.

Administrative controls

The policies and procedures that an organization implements as part of its overall information security strategy.

Administrative (or regulatory) laws

Define standards of performance and conduct for major industries (such as banking, energy, and healthcare), organizations, and officials.

Adware

Legitimate, albeit annoying, software that is commonly installed with a freeware or shareware program. It provides a source of revenue for the software developer and only runs when you are using the associated program or until you purchase the program (in the case of shareware).

AES (Advanced Encryption Standard)

A block cipher based on the Rijndael cipher, which is expected to eventually replace DES. See also DES.

Agent

A software component that performs a particular service.

Aggregation

A database security issue that describes the act of obtaining information classified at a higher sensitivity level by combining lower sensitivity information.

AH (Authentication Header)

In IPSec, provides integrity, authentication, and non-repudiation. See also IPSec.

ALE (Annualized Loss Expectancy)

Provides a standard, quantifiable measure of the impact that a realized threat will have on an organization’s assets. ALE is determined by the formula

SLE × ARO = ALE

SLE (Single Loss Expectancy) is a measure (Asset Value ($) × Exposure Factor (EF)) of the loss incurred from a single realized threat or event, expressed in dollars.

EF (Exposure Factor) is a measure, expressed as a percentage, of the negative effect or impact that a realized threat or event would have on a specific asset.

ARO (Annualized Rate of Occurrence) is the estimated annual frequency of occurrence for a specific threat or event.

ANSI

American National Standards Institute.

Antivirus software

Software that is designed to detect and prevent computer viruses and other malware from entering and harming a system.

Applet

A component in a distributed environment that is downloaded into, and executed by, another program such as a Web browser.

Application-level firewall (or proxy server)

A type of firewall that transfers a copy of permitted data packets from one network to another.

Application scan

A test used to identify weaknesses in a software application.

Application software

Computer software that a person uses to accomplish a specific task.

Archive

In a PKI, an archive is responsible for the long-term storage of archived information from the CA. See also PKI, CA.

ARP (Address Resolution Protocol)

The network protocol used to query and discover the MAC address of a device on a LAN.

Asset

A resource, process, product, system, and so on that has some value to an organization and must therefore be protected. Assets can be hard goods such as computers and equipment, but can also be information and intellectual property.

Asymmetric key system (or asymmetric algorithm; public key)

A cryptographic system that uses two separate keys: one key to encrypt and a different key to decrypt information. These keys are known as public and private key pairs.

ATM (Asynchronous Transfer Mode)

A very high-speed, low-latency, packet-switched communications protocol.

Audit

The independent verification of any activity or process.

Audit trail

The auxiliary records that document transactions and other events.

Authentication

The process of verifying a subject’s claimed identity in an access control system.

Authorization (or establishment)

Defines the rights and permissions granted to a subject (what you can do).

Automatic controls

Controls that are automatically performed by information systems.

Availability

Ensuring that systems and data are accessible to authorized users when they need them.


CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242