Shared Flashcard Set

Details

Risk Analyst Literacy
List of 43 Terms from the CNSS Information Assurance Glossary
44
Computer Science
Undergraduate 4
09/20/2012


Cards

Term
Access Authorization/Permission
Definition

Authority permitting an employee performing on government work and having need-to-know to have access to classified information at a stipulated level of classification. Authorization for access at one level of classified information automatically authorizes an individual for lower levels. SOURCE: www.dhra.mil/perserec/csg/s1class/glossary.htm

Term
Accountability
Definition

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after action recovery and legal action. SOURCE: SP 800-27

Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. SOURCE: CNSSI-4009

Term
Assurance
Definition

Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes

(1) functionality that performs correctly,

(2) sufficient protection against unintentional errors (by users or software), and

(3) sufficient resistance to intentional penetration or by-pass. SOURCE: SP 800-27

The grounds for confidence that the set of intended security controls in an information system are effective in their application. SOURCE: SP 800-37; SP 800-53A

Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy. SOURCE: CNSSI-4009

Term
Audit Collection
Definition

The ISSO must determine what auditable events will be collected based on mode of operation and levels of trust to meet the requirements defined in the information systems security policy. (Source: Panel of Experts, July 1994). Source: http://niatec.info/Glossary.aspx?term=294&alpha=|

Term
Automated Security Tools
Definition

1. Archive system data;

2. Monitor system indicators for abnormal events; and

3. Alert you when anything untoward occurs. Source: http://www.engagent.com/products/SentryII/EvaluatingTools.htm

Term
Business Recovery
Definition
Not Formally Defined by CNSS
Term
Certification
Definition

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. SOURCE: FIPS 200

Certification – The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness. SOURCE: FIPS 201

Comprehensive evaluation of the technical and nontechnical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. See security control assessment. SOURCE: CNSSI-4009

Term
Accreditation
Definition

Formal declaration by a Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization. SOURCE: CNSSI No. 4009

Term
Change Control Policies
Definition

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of software. The goals of a change control procedure usually include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change. SOURCE: http://en.wikipedia.org/wiki/Change_Control

Term
Classification Policies
Definition

Classifying data according to its sensitivity. SOURCE: ADAM SWAN

Term
Computer Crime
Definition

Computer crime refers to any crime that involves a computer and a network.[1] The computer may have been used in the commission of a crime, or it may be the target. SOURCE: http://en.wikipedia.org/wiki/Computer_crime#cite_note-moore-0

Term
Configuration Management
Definition

Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation. SOURCE: CNSSI-4009; SP 800-37; SP 800-53

Term
Continuity of Operations
Definition

A predetermined set of instructions or procedures that describe how an organization's mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations. SOURCE: SP 800-34

Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. Defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan. SOURCE: CNSSI-4009

Term
Cost Benefit Analysis
Definition

1. List alternative projects/programs.

2. List stakeholders.

3. Select measurement(s) and measure all cost/benefit elements.

4. Predict outcome of cost and benefits over relevant time period.

5. Convert all costs and benefits into a common currency.

6. Apply discount rate.

7. Calculate net present value of project options.

8. Perform sensitivity analysis.

9. Adopt recommended choice. Source: http://en.wikipedia.org/wiki/Cost%E2%80%93benefit_analysis#Process

Term
Critical Assets
Definition

A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems. SOURCE: CNSSI-4009 (Definition for Asset)

Term
Data Access Control
Definition

The process of granting or denying specific requests to:

1) obtain and use information and related information processing services; and

2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). SOURCE: FIPS 201; CNSSI-4009 (Definition of Access Control)

Term
Denial of Service
Definition

An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. SOURCE: SP 800-61

The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) SOURCE: CNSSI-4009

Term
Detection and Response
Definition

Not formally defined by CNSS

(Incident Response Plan)

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s). SOURCE: SP 800-34

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of an incident against an organization's IT system(s). SOURCE: CNSSI-4009

Term
Due Diligence
Definition

Due diligence is the process of systematically researching and verifying the accuracy of a statement. SOURCE: http://whatis.techtarget.com/definition/due-diligence

Term
Effect of Countermeasures
Definition

Not formally defined by CNSS

(Countermeasures)

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. SOURCE: SP 800-53; SP 800-37; FIPS 200

Term
Environment/natural threats
Definition

Hurricanes, Tornadoes, Rodent Infestation, Sewage Backup.

Term
Evidence Collections
Definition

CHECK OUT: http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/

Term
FISMA
Definition

A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB. SOURCE: CNSSI-4009

Term
Hacker
Definition

Unauthorized user who attempts to or gains access to an information system. SOURCE: CNSSI-4009

Term
Information Assurance
Definition

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. SOURCE: SP 800-59; CNSSI-4009

Term
Information Integrity
Definition

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. SOURCE: SP 800-27

The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. SOURCE: CNSSI-4009

(Definition of Data Integrity)

Term
Intrusion
Definition

Unauthorized act of bypassing the security mechanisms of a system. SOURCE: CNSSI-4009

Term
Integrity
Definition

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542

The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner. SOURCE: FIPS 140-2

The property whereby an entity has not been modified in an unauthorized manner. SOURCE: CNSSI-4009

Term
Life Cycle System Security
Definition
Not formally defined by the CNSS
Term
Penetration Testing
Definition

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. SOURCE: SP 800-53A

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. SOURCE: SP 800-53; CNSSI-4009

Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. SOURCE: SP 800-115

Term
Personnel Security Policies
Definition

control personnel recruitment process

include security in your job descriptions

develop a disciplinary process

check the backgrounds of job applicants

use confidentiality or non‑disclosure agreements

use employment contracts to protect information

provide information security training

control your information security training

learn from your security incidents

control your software malfunctions

report security threats and weaknesses

report information security incidents

respond to information security incidents

SOURCE: http://www.praxiom.com/iso-17799-6.htm

Term
Physical Security
Definition

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism. Source: http://searchsecurity.techtarget.com/definition/physical-security

Term
Risk Analysis
Definition

The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. SOURCE: SP 800-27

Examination of information to identify the risk to an information system. See risk assessment. SOURCE: CNSSI-4009

Term
Risk Analysis Processes
Definition

The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. SOURCE: SP 800-27

Examination of information to identify the risk to an information system. See risk assessment. SOURCE: CNSSI-4009

(Risk Assessment) The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. SOURCE: SP 800-53; SP 800-53A; SP 800-37

The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). SOURCE: CNSSI-4009

Term
Risk Management
Definition

The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. SOURCE: SP 800-53; SP 800-53A; SP 800-37

Risk Management – The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; and 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system. SOURCE: FIPS 200

Risk Management – The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. SOURCE: SP 800-82; SP 800-34

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program. SOURCE: CNSSI-4009

Term
Security Laws and Regulations
Definition

Securities Act of 1933

Securities Exchange Act of 1934

Trust Indenture Act of 1939

Investment Company Act of 1940

Investment Advisers Act of 1940

Sarbanes-Oxley Act of 2002

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

Jumpstart Our Business Startups Act of 2012 Source: http://www.sec.gov/about/laws.shtml

Term
Security Policy
Definition

The statement of required protection of the information objects. SOURCE: SP 800-27 Pg 173 NIST IR 7298 Revision 1, Glossary of Key Information Security Terms

Security Policy – A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data. SOURCE: FIPS 188

A set of criteria for the provision of security services. SOURCE: SP 800-37; SP 800-53; CNSSI-4009

Term
Security Safeguards
Definition

Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. SOURCE: CNSSI-4009

Term
Security Test and Evaluation Procedures
Definition

Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system. SOURCE: CNSSI-4009

Term
Social Engineering
Definition

An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. SOURCE: SP 800-61

A general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. SOURCE: SP 800-114

The process of attempting to trick someone into revealing information (e.g., a password). SOURCE: SP 800-115

An attempt to trick someone into revealing information (e.g., a password) that can be used to attack an enterprise. SOURCE: CNSSI-4009

Term
System protection profile
Definition

Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system. SOURCE: CNSSI-4009

Term
Vulnerability analysis
Definition

Formal description and evaluation of the vulnerabilities in an information system. SOURCE: SP 800-53; SP 800-37

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. SOURCE: SP 800-53A; CNSSI-4009

Term
Unauthorized System Access
Definition

A person gains logical or physical access without permission to a network, system, application, data, or other IT resource. SOURCE: SP 800-61

Unauthorized Access – Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use. SOURCE: FIPS 191

Any access that violates the stated security policy. SOURCE: CNSSI-4009

Term
Vulnerability analysis tools
Definition

Network Scanners

Host Scanners

Database Scanners

Web Application Scanners

Multilevel Scanners

Automated Penetration Test Tools

Vulnerability Scan Consolidators
