Security audit
An examination of security procedures and measures for the purpose of evaluating their adequacy and compliance with established policy. This is a management and detective control.
Security authorization
The official management decision to authorize operation of an information system and to explicitly accept the risk to an organization’s operations and assets based on the implementation of an agreed-upon set of security controls.
Security banner
A banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. The term can also refer to the opening screen that informs users of the security implications of accessing a computer resource (i.e., the conditions and restrictions on system and/or data use).
Security boundaries
The process of uniquely assigning information resources to an information system defines the security boundary for that system. Information resources consist of information and related resources, such as personnel, equipment, funds, and information technology. The scope of security boundaries includes (1) both internal and external systems, (2) both logical and physical access security controls, and (3) both interior and exterior perimeter security controls.
Security breach
A violation of controls of a particular information system such that information assets or system components are unduly exposed.
Security categorization
The process of determining the security category (the restrictive label applied to classified or unclassified information to limit access) for information or an information system.
Security category
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, employees and other individuals, and other organizations.
Security clearances
The formal authorization required for subjects to access information contained in objects.
Security control assessment
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system (i.e., confidentiality, integrity, and availability).
Security control baseline
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
Security control effectiveness
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Security control enhancements
Statements of security capability to (1) build in additional, but related, functionality to a basic control, and/or (2) increase the strength of a basic control.
Security control inheritance
A situation in which an information system or application receives protection from security controls that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application. These entities can be either internal or external to the organization where the system or application resides. Common controls are inherited.
Security controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security domain
(1) An environment that implements a security policy and is administered by a single authority. (2) A set of subjects, their information objects, and a common security policy.
Security evaluation
An evaluation to assess the degree of trust that can be placed in systems for the secure handling of sensitive information. It is a major step in the certification and accreditation process.
Security event management (SEM) tools
A type of centralized logging software that can facilitate aggregation and consolidation of logs from multiple information system components. SEM tools help an organization integrate the analysis of vulnerability scanning information, performance data, network monitoring, and system audit record information, and provide the ability to identify inappropriate or unusual activity. For example, SEM tools can facilitate audit record correlation and analysis with vulnerability scanning information to determine the veracity of the vulnerability scans and to correlate attack detection events with scanning results. The sources of audit record information include operating systems, application servers (for example, Web servers and e-mail servers), security software, and physical security devices such as badge readers.
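The correlation the definition describes, as an added illustration that is not part of the original glossary: constructed intrusion-detection audit records are parsed and matched against constructed vulnerability-scan findings, so that attack events aimed at a host the scanner actually found weak are prioritized over noise against hosts that are not vulnerable or were never scanned. The record format, the signature-to-weakness mapping, and all hosts and addresses are assumptions made for the example.

```python
"""Added example: correlating attack-detection events with vulnerability
scan results, in the way a SEM tool does. All data here is constructed."""
from collections import defaultdict
import re

# Constructed IDS audit records in a hypothetical key=value syslog format.
AUDIT_RECORDS = [
    "2024-01-10T10:01:02Z ids host=web01 src=203.0.113.7 sig=SQLi-attempt uri=/login",
    "2024-01-10T10:01:05Z ids host=web01 src=203.0.113.7 sig=SQLi-attempt uri=/search",
    "2024-01-10T10:02:11Z ids host=mail01 src=198.51.100.9 sig=SMTP-relay-probe uri=-",
    "2024-01-10T10:03:40Z ids host=web02 src=203.0.113.7 sig=Path-traversal uri=/static/../etc",
    "2024-01-10T10:04:02Z ids host=db01 src=203.0.113.7 sig=SQLi-attempt uri=/admin",
    "this line is not an audit record and is skipped",
]

# Constructed scanner output: host -> set of weakness classes found.
# db01 is deliberately absent, i.e. it was never scanned.
SCAN_FINDINGS = {
    "web01": {"SQLi"},
    "web02": set(),
    "mail01": {"open-relay"},
}

# Constructed mapping from IDS signature names to scanner weakness classes.
SIG_TO_WEAKNESS = {
    "SQLi-attempt": "SQLi",
    "Path-traversal": "path-traversal",
    "SMTP-relay-probe": "open-relay",
}

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) ids host=(?P<host>\S+) src=(?P<src>\S+) "
    r"sig=(?P<sig>\S+) uri=(?P<uri>\S+)$"
)


def parse_record(line):
    """Parse one audit record; return None for lines that do not match."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def correlate(records, findings):
    """Group detection events by (host, signature) and label each group with
    whether the scanner confirmed the corresponding weakness on that host.

    priority: 'high'    scanner found the weakness the attack targets
              'unknown' host was never scanned, so nothing can be ruled out
              'low'     host was scanned and the weakness was not found
    """
    counts = defaultdict(int)
    for line in records:
        r = parse_record(line)
        if r is None:
            continue
        counts[(r["host"], r["sig"])] += 1

    result = {}
    for (host, sig), n in counts.items():
        weakness = SIG_TO_WEAKNESS.get(sig)
        scanned = host in findings
        vulnerable = scanned and weakness in findings[host]
        if vulnerable:
            priority = "high"
        elif not scanned:
            priority = "unknown"
        else:
            priority = "low"
        result[(host, sig)] = {
            "events": n,
            "scanned": scanned,
            "vulnerable": vulnerable,
            "priority": priority,
        }
    return result


if __name__ == "__main__":
    for key, info in correlate(AUDIT_RECORDS, SCAN_FINDINGS).items():
        print(key, info)
```

The useful property of this join is the three-way split: a scan that reports a host as not vulnerable lets the analyst deprioritize matching attack attempts, while an unscanned host is flagged as unknown rather than silently treated as safe.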
Security failure
Any event that is a violation of a particular system’s explicit or implicit security policy.
Security fault analysis
A security analysis, usually performed on hardware at gate level, to determine the security properties of a device when a hardware fault is detected.
Security fault injection test
A test that involves data perturbation (i.e., alteration of the type of data that the execution environment components pass to the application, or that the application's components pass to one another). Fault injection can reveal the effects of security defects on the behavior of the components themselves and on the application as a whole.
Security features
The security-relevant functions, mechanisms, and characteristics of system hardware and software. Security features are a subset of system security safeguards.
Security filter
A set of software routines and techniques employed in a computer system to prevent automatic forwarding of specified data over unprotected links or to unauthorized persons.
Security flaw
An error of commission or omission in a computer system that may allow protection mechanisms to be bypassed.
Security functions
The hardware, software, and firmware of the information system responsible for supporting and enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
Security governance
Information security governance is defined as the process of establishing and maintaining a framework and supporting management structure and processes. It provides assurance that information security strategies are aligned with and supportive of business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. Note that information security governance is a part of information technology governance, which, in turn, is a part of corporate governance.
Information security management should integrate its information security governance activities with the overall organization structure and activities by ensuring appropriate participation of management officials in overseeing implementation of information security controls throughout the organization. The key activities that facilitate such integration are information security strategic planning, information security governance structures (that is, centralized, decentralized, and hybrid), establishment of roles and responsibilities, integration with the enterprise architecture, documentation of security objectives (such as confidentiality, integrity, availability, accountability, and assurance) in policies and guidance, and ongoing monitoring.