Application controls

Preventive, detective, and corrective controls designed to ensure the completeness and accuracy of transaction processing, authorization, and data validity.

Application firewall

(1) A firewall that uses stateful protocol analysis to analyze network traffic for one or more applications. (2) A firewall system in which service is provided by processes that maintain complete Transmission Control Protocol (TCP) connection-state and sequencing. It often re-addresses traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host. In contrast to packet filtering firewalls, this firewall must have knowledge of the application data transfer protocol and often has rules about what may be transmitted.

Application layer

(1) That portion of an open system interconnection (OSI) system ultimately responsible for managing communication between application processes. (2) Provides security at the layer responsible for data that is sent and received for particular applications such as DNS, HTTP, and SMTP.

Application programming interface (API)

An interface between an application and a software service module or operating system component. It is usually exposed as a library of callable subroutines with defined names, parameters, and return values.

Application-proxy gateway

(1) A firewall capability that combines lower-layer access control with upper-layer functionality, and includes a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other. (2) An application system that forwards application traffic through a firewall. It is also called a proxy server. Proxies tend to be specific to the protocol they are designed to forward and may provide increased access control or audit.

Application service provider (ASP)

An external organization that provides online business application systems to customers for a fee, often as a means of ensuring continuity of business. An ASP operates with a business-to-business (B2B) e-commerce model.

Application software

Programs that perform specific tasks, such as word processing, database management, or payroll. Software that interacts directly with some non-software system (e.g., a human or a robot). A program or system intended to serve a business or non-business function, with specific input, processing, and output activities (e.g., accounts receivable and general ledger systems).

Application system partitioning

The information system should separate user functionality, including user interface services, from information system management functionality, including databases, network components, workstations, or servers. This separation is achieved through physical or logical methods using different computers, different CPUs, different instances of the operating system, different network addresses, or a combination of these methods.

Application translation

A function that converts information from one protocol to another.

Architecture

A description of all functional activities performed to achieve the desired mission, the system elements needed to perform the functions, and the designation of performance levels of those system elements. Architecture also includes information on the technologies, interfaces, and location of functions and is considered an evolving description of an approach to achieving a desired mission.

Archiving

Moving electronic files no longer being used to less accessible and usually less expensive storage media for safekeeping. The practice of moving seldom used data or programs from the active database to secondary storage media such as magnetic tape or cartridge.

Assertion

A statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may also contain verified attributes. Assertions may be digitally signed objects or they may be obtained from a trusted source by a secure protocol.
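As an added example (not part of the original glossary), the following Go program shows a signed assertion passing from a verifier to a relying party and the checks the relying party has to make before trusting it. The field names, the issuer and audience URLs, and the fixed clock are constructed for the example; Ed25519 is chosen here only because it is in the Go standard library, not because the glossary prescribes an algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the statement a verifier (identity provider) makes about a
// subscriber. The field names are this example's own, not SAML or JWT.
type Assertion struct {
	Issuer     string            `json:"iss"`
	Subject    string            `json:"sub"`
	Audience   string            `json:"aud"`
	IssuedAt   int64             `json:"iat"`
	Expires    int64             `json:"exp"`
	Attributes map[string]string `json:"attrs,omitempty"`
}

// Signed is the assertion as transmitted: the serialized payload plus the
// verifier's Ed25519 signature over exactly those bytes.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// Issue is the verifier side: serialize the assertion and sign it with the
// verifier's private key.
func Issue(priv ed25519.PrivateKey, a Assertion) (Signed, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying-party side. The assertion is trusted only if the
// signature checks under the verifier's known public key AND the payload names
// the expected issuer, is addressed to this relying party, and has not expired.
func Verify(pub ed25519.PublicKey, s Signed, wantIssuer, wantAudience string, now time.Time) (Assertion, error) {
	var a Assertion
	// Check the signature before decoding, so unauthenticated bytes never
	// reach the parser.
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return a, errors.New("signature does not verify under the trusted key")
	}
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, fmt.Errorf("malformed payload: %w", err)
	}
	if a.Issuer != wantIssuer {
		return a, fmt.Errorf("issuer %q is not the trusted verifier", a.Issuer)
	}
	if a.Audience != wantAudience {
		return a, fmt.Errorf("assertion addressed to %q, not to this relying party", a.Audience)
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return a, errors.New("assertion has expired")
	}
	return a, nil
}

// Scenario runs the exchange with a fresh key pair and a fixed clock. It reports
// whether the honest assertion was accepted, and the rejection errors for three
// bad ones: a payload altered in transit, one issued for another relying party,
// and one presented after its expiry time.
func Scenario() (accepted bool, tampered, wrongAud, expired error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Unix(1700000000, 0) // constructed fixed clock
	const idp, rp = "https://idp.example", "https://rp.example"
	good := Assertion{Issuer: idp, Subject: "alice", Audience: rp,
		IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix(),
		Attributes: map[string]string{"email_verified": "true"}}

	s, _ := Issue(priv, good)
	_, err = Verify(pub, s, idp, rp, now)
	accepted = err == nil

	// An attacker flips one byte of the payload; the signature no longer matches.
	t := Signed{Payload: append([]byte(nil), s.Payload...), Signature: s.Signature}
	t.Payload[len(t.Payload)-2] ^= 0x01
	_, tampered = Verify(pub, t, idp, rp, now)

	// A valid assertion for a different relying party must not be replayed here.
	other := good
	other.Audience = "https://other.example"
	so, _ := Issue(priv, other)
	_, wrongAud = Verify(pub, so, idp, rp, now)

	// The honest assertion, presented ten minutes later, is past its expiry.
	_, expired = Verify(pub, s, idp, rp, now.Add(10*time.Minute))
	return
}

func main() {
	ok, tampered, wrongAud, expired := Scenario()
	fmt.Println("honest assertion accepted:", ok)
	fmt.Println("tampered payload:", tampered)
	fmt.Println("wrong audience:", wrongAud)
	fmt.Println("expired:", expired)
}
```

The order of checks matters: the signature is verified on the raw bytes before anything is parsed, and audience and expiry are checked even though the signature is valid, because a genuine assertion minted for one relying party is still a forgery when replayed to another.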

Assessment method

One of three types of actions (i.e., examine, interview, and test) taken by assessors in obtaining evidence during an assessment.

Assessment procedure

(1) A set of assessment objectives and an associated set of assessment methods and assessment objects. (2) A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Asset

A major application, general support system, high impact program, physical plant, mission critical system or a logically related group of systems. Any software, data, hardware, administrative, physical, communications, or personnel resource within an IT system or activity.

Asset Valuation

IT assets include computers, business-oriented applications, system-oriented applications, security-oriented applications, operating systems, database systems, telecommunications systems, data center facilities, hardware, computer networks, and data and information residing in these assets. Assets can also be classified as tangible (physical such as equipment) and intangible (non-physical, such as copyrights and patents). Each type of asset has its own valuation methods.

The value of data and information can be measured by using two methods: book value and current value. A relevant question to ask is: what is the worth of particular data to an insider (such as an owner, sponsor, management employee, or non-management employee) and to an outsider (such as a customer, supplier, intruder, or competitor)? In other words, the value of information is measured by its worth to others.

Sensitivity criteria for computer systems are defined in terms of the value of having, or the cost of not having, an application system or needed information. The concept of information economics (that is, cost and benefit) should be used here. Organizations should modernize inefficient business processes to maximize the value and minimize the risk of IT investments. The value of IT assets is determined by their replacement cost, recovery cost, and penalty cost.

Information and data are collected and analyzed using several methods for determining their value. Examples of data collection techniques include checklists, questionnaires, interviews, and meetings. Examples of data analysis techniques include both quantitative methods (objective methods using net present value and internal rate of return calculations) and qualitative methods (subjective methods using Delphi techniques and focus groups).

Assurance

(1) The grounds for confidence that the set of intended security controls in an information system are effective in their application. (2) It is one of the five security goals. (3) It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (i) functionality that performs correctly, (ii) sufficient protection against unintentional errors (by users or software), and (iii) sufficient resistance to intentional penetration or bypass. (4) It is the grounds for confidence that an entity meets its security objectives.

Assurance testing

A process used to determine that the system’s security features are implemented as designed and that they are adequate for the proposed environment. This process may include hands-on functional testing, penetration testing, and/or verification.

Asymmetric key algorithm

An encryption algorithm that requires two different keys for encryption and decryption. These keys are commonly referred to as the public and private keys. Asymmetric algorithms are slower than symmetric algorithms. Furthermore, the speed of encryption may differ from the speed of decryption. Generally, asymmetric algorithms are used either to exchange symmetric session keys or to digitally sign a message (e.g., RSA). Cryptography that uses separate keys for encryption and decryption; also known as public-key cryptography.
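The session-key exchange mentioned in the definition, as an added example that is not part of the original glossary: the sender encrypts the bulk data with a freshly generated symmetric AES-GCM key and wraps only that 32-byte key under the recipient's RSA public key (RSA-OAEP), which is why the slow asymmetric operation is applied to a few bytes rather than to the whole message. The sample message and the 2048-bit key size are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the sender transmits: the AES-GCM session key wrapped under
// the recipient's RSA public key, plus the nonce and ciphertext produced with
// that session key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is the sender side. Only the recipient's public key is needed: a fresh
// 256-bit session key is generated, the bulk data is encrypted symmetrically
// with AES-GCM, and the session key itself is encrypted with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// OAEP with SHA-256 and no label; the recipient must use the same parameters.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient side and is the only step that needs the private key:
// unwrap the session key, then decrypt and authenticate the bulk data with it.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip generates a recipient key pair, seals a constructed message under
// the public key, opens it with the matching private key, and then tries to
// open the same envelope with an unrelated private key to show that the key
// used to wrap and the key needed to unwrap are different and not interchangeable.
func RoundTrip() (recovered []byte, wrongKeyErr error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	msg := []byte("constructed sample: session key exchange over an untrusted channel")
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return nil, nil, err
	}
	recovered, err = Open(priv, env)
	if err != nil {
		return nil, nil, err
	}
	// Another party's key pair cannot unwrap the session key.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = Open(other, env)
	return recovered, wrongKeyErr, nil
}

func main() {
	got, wrongKeyErr, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
	fmt.Println("unrelated private key:", wrongKeyErr)
}
```

Note that this hybrid construction gives confidentiality only: anyone holding the recipient's public key can produce a valid envelope, so authenticity of the sender needs a separate signature over the envelope, which is the second use of asymmetric algorithms the definition names.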