In addition, the security governance committee should ensure that appropriate security staff are represented in the acquisition and divestiture of business assets or units, and that they perform due diligence reviews.
Organizations can use a variety of data originating from the ongoing information security program activities to monitor performance of programs under their purview, including plans of action and milestones, performance measurement and metrics, continuous assessment, configuration management and control, network monitoring, and incident and event statistics.
Security impact analysis (SIA)
The analysis conducted by an organization official, often during the continuous monitoring phase of the security certification and accreditation process, to determine the extent to which changes to the information system have affected the security state of the system.
Security incident
Any incident involving classified information in which there is a deviation from the requirements of governing security regulations. Compromise, inadvertent disclosure, need-to-know violation, planting of malicious code, and administrative deviation are examples of a security incident.
Security incident triad
Consists of three elements: detect, respond, and recover. An organization should have the ability to detect an attack, respond to it, and recover from it by limiting its consequences or impacts.
Security-in-depth
See Defense-in-depth.
Security kernel
The central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. It is the most trusted portion of a system, enforces a fundamental security property, and is the portion on which the other parts of the system depend.
Security label
(1) The means used to associate a set of security attributes with a specific information object as part of the data structure for that object. Labels could be designated as proprietary data or public data. (2) A marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. (3) Explicit or implicit marking of a data structure or output media associated with an information system representing the security category, or distribution limitations or handling caveats of the information contained therein.
Security level
A hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy being enforced, a specific level of protection. A clearance level associated with a subject or a classification level (or sensitivity label) associated with an object.
Security life of data
The time period during which data has security value.
Security management
The process of monitoring and controlling access to network resources. This includes monitoring usage of network resources, recording information about usage of resources, detecting attempted or successful violations, and reporting such violations.
Security management dashboard
A tool that consolidates and communicates information relevant to the organizational security posture in near-real time to security management stakeholders.
Security management infrastructure (SMI)
A set of interrelated activities providing security services needed by other security features and mechanisms. SMI functions include registration, ordering, key generation, certificate generation, distribution, accounting, compromise recovery, re-key, destruction, data recovery, and administration.
Security marking
Human-readable information affixed to information system components, removable media, or system outputs indicating the distribution limitations, handling caveats and applicable security markings.
Security measures
Elements of software, firmware, hardware, or procedures included in a system for the satisfaction of security specifications.
Security mechanism
A device designed to provide one or more security services, usually rated in terms of strength of service and assurance of the design.
Security metrics
Security metrics strive to offer a quantitative and objective basis for security assurance.
Security model
A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.
Security objectives
The five security objectives are confidentiality, availability, integrity, accountability, and assurance. Some definitions use only three: confidentiality, integrity, and availability.
Security-by-obscurity
A countermeasure principle that does not work in practice, because attackers can compromise the security of any system at any time. The meaning of this principle is that trying to keep something secret when it is not truly secret does more harm than good.
Security-oriented code review
A code review, or audit, investigates the coding practices used in the application. The main objective of such reviews is to discover security defects and potentially identify solutions.
Security parameters
The variable secret components that control security processes; examples include passwords, encryption keys, encryption initialization vectors, pseudo-random number generator seeds, and biometric identity parameters.
Security parameters index
Randomly chosen value that acts as an identifier for an IPsec connection.
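As an added example, not taken from the glossary, the block below shows where the SPI sits on the wire and how a receiver uses it. It parses the fixed part of an ESP header (a 4-byte SPI followed by a 4-byte sequence number, as in RFC 4303), rejects SPI values in the reserved range (0, and 1 through 255), draws a fresh random SPI the way a receiver does when it creates a security association, and looks an inbound SA up by destination address, protocol, and SPI. The sample packet, addresses, and the security association database dictionary are constructed for the example.

```python
"""ESP header parsing and SPI handling (added example)."""
import secrets
import struct
from typing import NamedTuple, Optional

# RFC 4303: SPI 0 is reserved for local, implementation-specific use and
# SPIs 1..255 are reserved by IANA; SPIs carried on the wire should be >= 256.
SPI_RESERVED_MAX = 255
ESP_PROTOCOL = 50  # IP protocol number for ESP


class EspHeader(NamedTuple):
    spi: int
    seq: int
    payload: bytes  # IV + ciphertext + ICV; opaque until the SA is known


def parse_esp_header(packet: bytes) -> EspHeader:
    """Split an ESP packet into SPI, sequence number, and the remaining bytes."""
    if len(packet) < 8:
        raise ValueError("ESP header needs at least 8 bytes (SPI + sequence number)")
    spi, seq = struct.unpack("!II", packet[:8])  # both fields are big-endian uint32
    return EspHeader(spi, seq, packet[8:])


def is_valid_spi(spi: int) -> bool:
    """True for SPIs outside the reserved range that fit in 32 bits."""
    return SPI_RESERVED_MAX < spi <= 0xFFFFFFFF


def new_spi() -> int:
    """Choose a random SPI for a new inbound SA, avoiding reserved values."""
    while True:
        spi = secrets.randbits(32)
        if is_valid_spi(spi):
            return spi


def lookup_inbound_sa(sad: dict, dst: str, spi: int) -> Optional[str]:
    """Select the inbound SA by (destination address, protocol, SPI).

    `sad` is a constructed stand-in for the security association database.
    """
    return sad.get((dst, ESP_PROTOCOL, spi))


# Constructed sample: SPI 0x01020304, sequence number 1, then 16 dummy payload bytes.
SAMPLE_PACKET = struct.pack("!II", 0x01020304, 1) + b"\x00" * 16
SAMPLE_SAD = {("10.0.0.1", ESP_PROTOCOL, 0x01020304): "sa-inbound-A"}


if __name__ == "__main__":
    hdr = parse_esp_header(SAMPLE_PACKET)
    print(f"SPI=0x{hdr.spi:08x} seq={hdr.seq} payload={len(hdr.payload)} bytes")
    print("SA:", lookup_inbound_sa(SAMPLE_SAD, "10.0.0.1", hdr.spi))
    print("fresh SPI:", hex(new_spi()))
```

The SPI is sent in the clear and is the only per-packet value the receiver has before decryption, so a mismatch between the SPI and the destination address simply yields no SA and the packet is dropped; the random choice matters only for avoiding collisions among a receiver's own SAs, not for secrecy.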
Security perimeter
A physical or logical boundary that is defined for a system, domain, or enclave, within which a particular security policy, security control, or security architecture is applied to protect assets. A security perimeter typically includes a security kernel, some trusted-code facilities, hardware, and possibly some communications channels.
Security plan
A formal document providing an overview of the security requirements for an information system or an information security program and describing the security controls in place or planned for meeting those requirements.
Security policy
(1) Refers to the conventional security services (e.g., confidentiality, integrity, and availability) and underlying mechanisms and functions. (2) The set of laws, rules, criteria, and practices that regulate how an organization manages, protects, and distributes sensitive information and critical systems. (3) The statement of required protection for the information objects.
Security policy filter
A secure subsystem of an information system that enforces security policy on the data passing through it.
Security posture
The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.