Data Dictionary (DRAFT: Updated: 11/17/2017)
Search Data Dictionary
Dictionary Term |
Acronym |
Definition |
|---|---|---|
Access control |
A system to restrict the activities of users and processes based on the need to know. |
|
Access Control list (ACL) |
Mechanism implementing discretionary and/or mandatory access control between subjects and objects. |
|
Access Control Mechanism |
Security safeguard designed to detect and deny unauthorized access and permit authorized access in an Information System. |
|
Accreditation) |
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. | |
Accreditation Boundary |
All components of an information system to be accredited by an authorizing official and excludes separately accredited systems to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3. [NIST SP 800-37] | |
Accrediation Authority |
See Authorizing Official. | |
Adequate Security |
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III] |
|
Agency |
Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include:
|
|
Agents |
A new type of software that performs special tasks on behalf of a user, such as searching multiple databases for designated information. | |
Algorithm |
A mathematical process for performing a certain calculation. In the information security field, it is generally used to refer to the process for performing encryption. | |
Attribute-Based Access Control |
Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place. | |
Authentication |
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. [FIPS 200] | |
Authenticity |
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication. | |
Authorization |
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. | |
Authorizing Official |
Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority. [FIPS 200, NIST SP 800-37] | |
Availability |
The level of assurance that authorized users have access to information resources when required. | |
Badge reader |
A device that reads worker identity badges and interconnects with a physical access control system that may control locked doors. | |
Booting |
The process of initializing a computer system from a turned-off or powered-down state. |
|
Boundary protection |
Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels). |
|
Bridge |
A device that interconnects networks or that otherwise permits networking circuits to be connected. | |
Certification |
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [FIPS 200, NIST SP 800-37] |
|
Chief Information Officer (CIO) |
Agency official responsible for:
|
|
Chief Information Security Officer (CISO) |
See Senior Agency Information Security Officer. |
|
Command and Control |
The exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission. | |
Common carrier |
In a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions. |
|
Compensating security controls |
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security baselines (described for example in NIST Special Publication 800-53) that provide equivalent or comparable protection for an information system. |
|
Compliance statement |
A document used to obtain a promise from a computer user that such user will abide by system policies and procedures. |
|
Compromise |
Disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. |
|
Confidentiality |
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542] |
|
Confidential information |
A sensitivity designation for information, the disclosure of which is expected to damage University of New Mexico or its business affiliates. |
|
Contractor attributional/proprietary information |
Information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company. |
|
Countermeasures |
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. |
|
Controlled technical information |
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. |
|
Covered contractor information system |
An unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. |
|
Covered defense information |
Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is— (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. |
|
Criticality |
A measure of the degree to which an organization depends on the information or information system for the success of a mission orof a business function. | |
Cryptographic challenge and response |
A process for identifying computer users involving the issuance of a random challenge to a remote workstation, which is then transformed using an encryption process and a response is returned to the connected computer system. | |
Cryptologic |
Of or pertaining to cryptology. | |
Cryptology |
The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence. | |
Cyber incident |
Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. | |
Default file permission |
Access control file privileges, read, write, execute, and delete, granted to computer users without further involvement of either a security administrator or users. |
|
Default password |
An initial password issued when a new user ID is created, or an initial password provided by a computer vendor when hardware or software is delivered. |
|
Dynamic password |
A password that changes each time a user logs on to a computer system. | |
Encryption key |
A secret password or bit string used to control the algorithm governing an encryption process. |
|
Encryption |
A process involving data coding to achieve confidentiality, anonymity, time stamping, and other security objectives. |
|
End user |
A user who employs computers to support University of New Mexico business activities, who is acting as the source or destination of information flowing through a computer system. | |
Environment |
Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009] |
|
Extended user authentication technique |
Any of various processes used to bolster the user identification process typically achieved by user IDs and fixed passwords, such as hand-held tokens and dynamic passwords. |
|
Failover |
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system. |
|
Firewall |
A logical barrier stopping computer users or processes from going beyond a certain point in a network unless these users or processes have passed some security check, such as providing a password. | |
Front-end processor (FEP) |
A small computer used to handle communications interfacing for another computer. |
|
Forensic analysis |
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. |
|
Gateway |
A computer system used to link networks that can restrict the flow of information and that employ some access control method. | |
Gerneral Support System |
An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. [OMB Circular A-130, Appendix III] | |
Hand-held token |
A commercial dynamic password system that employs a smart card to generate one-time passwords that are different for each session. |
|
High-impact system |
An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high. |
|
Identity-based access control |
Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. |
|
Impact |
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. | |
Incident |
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. [FIPS 200]. | |
Individual |
A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc. | |
Information |
An instance of an information type. [FIPS Publication 199]. |
|
Information Asset |
Data, system, computer, network device, document, or any other component of the university infrastructure which stores, processes or transmits data. | |
Information Owner |
An individual (role) with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [CNSS Inst. 4009] | |
Information retention schedule |
A formal listing of the types of information that must be retained for archival purposes and the time frames that these types of information must be kept. | |
Information resources |
Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]. |
|
Information security |
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., Sec. 3542] | |
Information System Security Officer |
Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program. [CNSS Inst. 4009, Adapted] | |
Information security policy |
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. | |
Information System |
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]. |
|
Information System Owner ( or Program Manager) |
Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [CNSS Inst. 4009, Adapted] | |
Information technology |
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which:
|
|
Information type |
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. [FIPS Publication 199]. |
|
Integrity |
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542] | |
Isolated computer |
A computer that is not connected to a network or any other computer. For example, a stand-alone personal computer. | |
Local access |
Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. |
|
Logon banner |
The initial message presented to a user when he or she makes connection with a computer. |
|
Logon script |
A set of stored commands that can log a user onto a computer automatically. |
|
Low-impact system |
An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low. |
|
Management controls |
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security. |
|
Malicious code (malware) |
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. |
|
Malicious software |
Computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware. |
|
Master copies of software |
Copies of software that are retained in an archive and that are not used for normal business activities. | |
Media |
Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. [FIPS 200]. |
|
Mission Critical |
Any telecommunications or information system that is defined as a national security system (FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency. | |
Mobile Code |
Portable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain non-volatile memory) or portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). | |
Mobile Device |
Portable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain non-volatile memory) or portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). |
|
Moderate-impact system |
An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high. |
|
Multi-user computer system |
Any computer that can support more than one user simultaneously. |
|
Network |
Two or more nodes interconnected by one or more communications links. | |
Network Access |
Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). |
|
Non-organizational user |
A user who is not an organizational user (including public users). | |
Non-repudiation |
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. [CNSS Inst. 4009 Adapted] |
|
Operational controls |
The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems). |
|
Operationally critical support |
Supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. |
|
Organization |
A federal agency or, as appropriate, any of its operational elements. |
|
Organizational user |
An organizational employee or an individual the organization deems to have equivalent status of an employee (e.g., contractor, guest researcher, individual detailed from another organization, individual from allied nation). |
|
Password guessing attack |
A computerized or manual process whereby various possible passwords are provided to a computer in an effort to gain unauthorized access. |
|
Password reset |
The assignment of a temporary password when a user forgets or loses his or her password. |
|
Password-based access control |
Software that relies on passwords as the primary mechanism to control system privileges. |
|
Password |
Any secret string of characters used to positively identify a computer user or process. |
|
Penetration testing |
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. | |
Positive identification |
The process of definitively establishing the identity of a computer user. |
|
Potential impact |
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199]. |
|
Privacy impact assessment |
An analysis of how information is handled:
|
|
Privilege |
An authorized ability to perform a certain action on a computer, such as read a specific computer file. |
|
Privileged command |
A human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. |
|
Privileged user ID |
User ID that has been granted the ability to perform special activities, such as shut down a multi-user system. A user ID that has been authorized to perform one or more privileged commands. |
|
Public Information |
Any information, regardless of form or format that an agency discloses, disseminates, or makes available to the public. | |
Rapidly report |
Within 72 hours of discovery of any cyber incident. | |
Records |
The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). |
|
Remote access |
Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet). |
|
Risk |
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. |
|
Risk assessment |
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, or other organizations resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. (Synonymous with “risk analysis”.) |
|
Role-based Access Control |
Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals. |
|
Router |
A device that interconnects networks using different layers of the Open Systems Interconnection (OSI) Reference Model. |
|
Safeguards |
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures. |
|
Sanitization |
Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. [CNSS Instruction 4009 Adapted] |
|
Screen blanker or screen saver |
A computer program that automatically blanks the screen of a computer monitor or screen after a certain period of inactivity. | |
Secret information |
Particularly sensitive information, the disclosure of which is expected to severely damage Company X or its business affiliates. | |
Security category |
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. [FIPS Publication 199]. | |
Security controls |
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS 199]. |
|
Security control baseline |
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. | |
Security functions |
The hardware, software, and firmware of the information system responsible for supporting and enforcing the system security policy and supporting the isolation of code and data on which the protection is based. | |
Security impact analysis |
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. |
|
Security label |
The means used to associate a set of security attributes with a specific information object as part of the data structure for that object. |
|
Security marking |
Human-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats and applicable security markings. (For example, a label of CONFIDENTIAL stamped on an envelope is a security marking based on a security label.) Also known as a “Sensitivity Label.&rdquo. |
|
Security objective |
Confidentiality, integrity, or availability. [FIPS Publication 199]. |
|
Security patch |
A software program used to remedy a security or other problem, commonly applied to operating systems, database management systems, and other systems software. | |
Security plan |
Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. |
|
Security requirements |
Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted. [FIPS 200]. |
|
Security safeguards |
Protective measures prescribed to meet security requirements (i.e., confidentiality, integrity, availability) specified for an information asset or environment. Also called security controls or countermeasures. | |
Sensitive information |
Information whose unauthorized disclosure may have serious adverse effect on the University’s reputation, resources, services, or individuals. Information protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive. | |
Sensitivity |
The degree to which information requires protection to ensure it is not exposed to unauthorized users. | |
Shared password |
A password known by or used by more than one individual. |
|
Software macro |
A computer program containing a set of procedural commands to achieve a certain result. |
|
Spam |
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. | |
Spyware |
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code. |
|
Special system privilege |
Access system privileges permitting the involved user or process to perform activities that are not normally granted to other users. |
|
Supply chain |
A system of organizations, people, activities, information, and resources (possibly international in scope) that provides products or services to consumers and businesses. |
|
Suspending a user ID |
The process of revoking the privileges associated with a user ID. |
|
System |
See information system | |
System administrator |
A designated individual who has special privileges on a multi-user computer system, and who looks after security and other administrative matters. |
|
System security plan |
Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Revision 1] |
|
Technical controls |
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. |
|
Technical information |
Technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. |
|
Terminal function keys |
Special keys on a keyboard that can be defined to perform certain activities such as save a file. |
|
Threat |
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [CNSS Inst. 4009, Adapted] |
|
Threat source |
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent. |
|
Trusted path |
A mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by un-trusted software. |
|
Unit |
Any organization across the University such as a school, college, department, or central office. The Health System as well as the Flint and Dearborn campuses are considered University units. | |
User IDs |
Also known as accounts, these are character strings that uniquely identify computer users or computer processes. |
|
Valuable information |
Information of significant financial value to University of New Mexico or another party. |
|
Verify security status |
The process by which controls are shown to be both properly installed and properly operating. |
|
Virus screening software |
Commercially-available software that searches for certain bit patterns or other evidence of computer virus infection. |
|
Vulnerability |
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. |
