Hyperlinked information security glossary


This version was published at ISO27001security dotcom on 7th February 2008


Purpose:  this is an attempt to provide simple, relatively informal definitions of commonplace information security terms.  Its publication precedes the release of ISO/IEC 27000 which will formally define terms relating to information security management systems used within the ISO27k standards.  This glossary includes additional terms that are unlikely to be covered by 27000 and definitions that almost certainly will differ from 27000 and other standards.


Usage: Just look up a term and off you go, basically.  There is no search function because (a) the terms are listed alphabetically; (b) your browser almost certainly has the Control-F ‘find’ function; and (c) it’s simpler without.  Most definitions contain underlined hyperlinked references to other terms also defined in the glossary.  If you’re not quite sure what something underlined actually means, just click on it to visit its definition and find out and, when you’re done, click the back button to return to the original definition, click another hyperlink to explore that or just browse aimlessly until your lunchtime is over or it’s time to go home.


Sources, references and copyright: please see the end.


Term

Meaning

419

Number of a Nigerian penal code that is supposed to stop advance fee frauds originating in Nigeria but is patently ineffective.

Access, Access rights

Ability of a user or program to interact with an information asset e.g. to read or write data, send messages over the network etc. Also the ability of a person to enter a building, room, cupboard etc.

Access control

Type of control designed to restrict access to an information asset, permitting authorized access whilst preventing unauthorized access.

Access matrix

Table relating types of user rôle (on one axis) to the IT systems, application functions and/or classes of data (on the other axis), showing the types of access permitted within the body of the matrix.

Accident

Although we tend to think that security incidents result from deliberate acts by hackers, malware etc., most are in fact the result of chance events or accidents.

Accountable, accountability

A person who is held accountable for something is personally responsible for it and may be disciplined if they do not fulfill their obligations.  Unlike responsibility, however, accountability is similar to ownership in that it cannot be delegated from one person to another.  In short, ‘the buck stops here’.

ActiveX

Microsoft technology for interactive Web pages.  Malicious ActiveX controls (a form of malware) may potentially compromise the users’ systems: if the browser security settings allow, even unauthenticated (“unsigned”) ActiveX controls may access files on hard drives. 

Advance fee fraud

Type of fraud in which the fraudster persuades a naïve victim to send money as ‘advance fees’ supposedly to secure a payment which never actually materializes.  Commonly known as a 419 scam.

Adware

Annoying program that displays advertisements etc.  Considered by some to be a form of malware since it is often installed secretly and has undesirable effects that may compromise privacy.

Alarm

Audio/visual warning that a critical condition requiring an urgent high priority response (e.g. fire/smoke, intruder, flood) has occurred.  See also alert.

Alert

Warning that a critical system security event (e.g. audit file full, system shutdown initiated, user authentication failure) has occurred.  Alerts generally require less urgent responses than alarms and so are normally logged for later analysis and follow-up action.

Anonymity

A person’s ability to use systems and networks without disclosing that it is them.  A form of privacy.

Antivirus [program]

Software designed to minimize the risk of malware by detecting, preventing and/or removing various forms of malware infection such as viruses, worms, Trojans etc.

Asset

Something of value to the organization.  May be tangible (e.g. a building, computer hardware) or intangible (e.g. knowledge, experience, know-how, information, software, data).

Attack

Type of information security incident actively and deliberately perpetrated by someone (cf. accident or Act of God).

Attribution

The act of openly acknowledging the originator or owner of IP to avoid claims of plagiarism and copyright abuse.

Audit

Structured process of examination, review, assessment and reporting by one or more competent people who are independent of the situation, system, process, function etc. being audited.

Audit trail

Chronological record of information documenting important events or stages in a business or IT process, such as the system security log typically configured to record successful and failed logons etc.

Authentic

Genuine, verifiable.  The real thing, not counterfeit.

Authentication, authenticate

Process by which an individual user, system etc. is positively identified by another, typically on the basis of something they know (e.g. a password) and sometimes something they have (e.g. a security token) or something they are (biometrics).

Authorization, authorize

Permitted, accepted and/or agreed by management as being in the organization's best interests.

Availability

One of the three core elements of information security, along with confidentiality and integrity. Availability concerns the requirement for information, IT systems, people and processes to be operational and accessible when needed by the organization.

Axiom

A fundamental information security policy requirement, architectural principle or rule.  39 axioms derived from the 39 control objectives defined in ISO/IEC 27002 underpin the organization’s information security policy statements, standards, procedures, guidelines and controls.

Backdoor

Secret function or userID allowing hackers to access a system without proper authorization, bypassing most defenses. Often includes keyloggers and rootkit functions as well.

Backup

Snapshot copy of data and/or programs from an IT system at a given point in time.  Backups provide the ability to restore a system to a known state after an incident.

BHO (Browser Helper Object)

Program that is loaded and runs automatically when the browser is launched.  Malicious BHOs may be spyware.

Biometric

Measurable physical characteristic of a person, such as a fingerprint, iris pattern, retinal pattern, facial shape or voice pattern, that can be used to authenticate and identify the person positively.

Bluetooth

Wireless networking protocol intended for short-range use over a few meters but may be capable of unauthorized interception over longer distances.

Board of Directors (the Board)

The most senior level of management within the organization with overarching accountability for protecting information assets on behalf of the stakeholders.  The Board delegates responsibility for corporate governance including information security to the Executive Directors.

Bot

Short for ‘robot’.  Networked computer under the remote control of hackers, often compromised using a Trojan.  Also known as zombie.

Botnet

Networks of bots that are used for illegal activities such as spamming, carrying out DoS attacks or as launch pads for hacking other systems.  Botnets comprising up to tens of thousands of compromised machines may be rented on the black market.

Breach

Form of information security incident normally involving deliberate action or inaction by someone, as opposed to accidental causes.

Business critical

Class of information asset that is vitally important to the organization.  A serious information security incident affecting such an asset would probably cause grave impacts e.g. significant financial losses, marked loss of customer/market confidence in the organization, regulatory or legal action against the organization or its directors, often in short order.  See also Tier 1, 2 or 3.

Business Impact Assessment (BIA)

Risk analysis process for reviewing the potential business impacts of more or less serious information security incidents affecting IT systems supporting critical business processes, in order to determine the associated availability requirements.

Certification Authority (CA)

Trusted body that digitally signs and issues digital certificates to authenticated users or systems in a PKI.

Certification Practice Statement (CPS)

Formal document defining a given PKI.

Certificate Revocation List (CRL)

A published list of digital certificates that have been revoked by the Certification Authority and are therefore invalid.

Change control

Management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.

Change management

The totality of activities used to control, direct and document changes to the organization and its associated IT systems, processes etc.

Checkpoint

A static record or snapshot of the state of a computer system, program, database etc. at one point in time to which the system may be rolled-back if necessary.  See also backup.

Chief Security Officer (CSO)

Director with overall responsibility for security, including information and physical security.  Chairs the Security Committee and reports to the Executive Directors.

Class, Classify, Classification

Convenient grouping of similar or related information assets that are likely to share similar information security risks and control requirements.  Classification reduces the need to risk-assess every single asset individually and identify the security controls needed to protect it, since assets in the same class are treated alike.  Classification typically relies on confidentiality criteria but more complex schemes may also take account of integrity and availability requirements.

Commit point

Point at which a new, altered or deleted record is actually recorded in a database.  Well-designed database systems incorporate controls such as locks, journaling and checkpoints to maintain data integrity despite incidents that occur before, during or after the commit point.

Competitive or competitor intelligence

Some people explicitly define these terms to distinguish authentic and ethical means of gathering information on competitors (such as analyzing their public websites) from more illicit ones (such as hacking their websites or other forms of industrial espionage), but there is no clear consensus on the definitions.  Many people use the terms loosely and interchangeably.

Compliance

State of conformance with information security objectives, controls etc. defined internally by the organization in policies etc. and/or externally by third parties (e.g. laws, industry regulations and contractual terms).

Compromise

Verb: to undermine or attack.  Noun: see incident.

CONFIDENTIAL

Class of information that is sensitive and/or business critical and therefore needs to be protected to a reasonable extent.  It is intended for limited distribution within the organization or to specially designated third parties, on a need-to-know (‘default deny’) basis.

Confidentiality

One of the three core elements of information security, along with availability and integrity. Confidentiality essentially concerns secrecy or privacy.

Configuration management

A subset of change management activities specifically relating to changes to IT systems configurations e.g. the implementation of new programs, new versions or altered parameters.

Contingency

Inherently unexpected or unpredictable situation such as a physical disaster (a bomb, plane crash, flood or fire), a serious fraud, virus/worm outbreak etc., which other controls have failed to prevent.  The outcome is contingent (dependent) on the exact nature of the incident and the situation at the time it occurs.

Contingency plan

Forward-thinking approach for managing and organizing resources to cope as well as possible with a contingency situation.  Whereas the nature of the process to be followed during/after an incident depends on the specific situation, contingency plans support the efficient coordination and management of resources under any circumstances.

Control

Something which prevents or reduces the probability of an information security incident (preventive or deterrent control), indicates that an incident has occurred (detective control) and/or minimizes the damage caused by an incident i.e. reduces or limits the impact (corrective control).  An administrative/procedural, technical, managerial, physical or legal means of managing risk.  Controls may reduce information security threats or impacts, although most reduce vulnerabilities.

Control objective

Describes the anticipated business purpose or benefit of an information security control.  Encapsulates the risk in business terms.

Control Self Assessment (CSA)

Regular management review process to assess the status of governance across the organization, including information security and other forms of risk management and control.  Alternatively, a rigorous, highly structured but essentially pointless method for giving auditors the answers they expect to hear whilst at the same time appearing to be Doing Something Positive About Governance.  ☺

Control total

A value (such as a numeric total or the number of items) that can be used as a simple check for integrity failures, for example to confirm when a data file is transmitted across a system interface or processed that all records sent were received and processed.

Cookie

Small text file sent by a Website to your browser and later retrieved to track your Web browsing habits.  With insecure browser settings, different Websites may share the information in cookies, raising privacy issues.

Copy protection

Technique to restrict the ability of users to copy or use software and other IP except on the original distribution media e.g. using a dongle or other forms of encryption.

Copyright

Legal protection giving the originator/owner of original materials rights over the copying and use of the materials, for example through software licenses.  A form of intellectual property rights.

COTS (Commercial Off The Shelf)

Refers to standard as opposed to bespoke software, typically distributed to the general public through retail outlets in shrink-wrapped packages with generic license agreements.

Counterfeit

Pirated or fake copy of an original asset.  Mass-produced counterfeit software, music CDs and video DVDs are in circulation, many of which appear so authentic that even experts sometimes have difficulty telling them apart from the genuine articles. 

Cracker

Hacker with malicious intent who breaks into networks and systems without the owners’ permission or consent.

Credential

Something a user or system presents to prove (authenticate) their true identity e.g. a passport, password or security token.

Cross Site Scripting (“XSS”)

Web hacking technique in which badly-designed websites (e.g. some bulletin-board systems) with inadequate data entry validation are made to return malicious URLs, HTML, JavaScript or other executable code (malware) to the user’s browser for execution (e.g. to manipulate or disclose their supposedly private cookies or other local data).  Abbreviated to “XSS” to distinguish it from CSS meaning Cascading Style Sheet.

Cryptography, cryptographic, ‘crypto’

The mathematical science behind ‘secret writing’ involving the use of mathematical algorithms to transform readable plaintext into unreadable cyphertext and vice versa.

Cyphertext

Encoded/scrambled string such as HbAKhBsaao)X]*AX551&*S66 that makes no sense to a human reader but which can be transformed into the corresponding plaintext using a cryptographic algorithm and encryption key.

Data

Electronic representations of information within a computer system.  In digital computers, data (and indeed software) are represented by sequences of logical ones and zeros known as bits.

Database (db)

Structured and managed collection of data.  The structure and accumulation of data, along with the software functions to manage, manipulate and report them, usually make databases far more valuable than plain, unmanaged “flat files”.  The most important computer systems are normally databases, hence database security controls such as those protecting data integrity are a vital element of information security.

Data dictionary

Formal description of the data fields of records in a database, ideally including their information security characteristics.

Data miner

Form of malware that covertly collects information on Web users, for example secretly recording data submitted on forms.

DBA (Database Administrator)

Privileged user who administers (manages) one or more databases.  Normally responsible for configuring, maintaining and tuning databases e.g. setting up user rôles, defining access rights to tables and cells, monitoring security logs etc.

DDoS (Distributed Denial of Service)

Type of DoS attack using numerous attacking systems to amplify the amount of network traffic, thereby flooding and perhaps swamping the target systems or networks.

Deception, deceit

Lying, lie, or deliberate concealment of the truth.

Default deny

Access control principle stating that information should only be released to authenticated individuals if they have a legitimate purpose or reason for using the information, and are authorized to do so.  Also known as need-to-know.

Defense-in-depth

Control principle whereby multiple overlapping or complementary ‘layers’ of control are applied, all of which would have to be breached in order to impact the protected information assets.

Development

Computer environment comprising systems, networks, devices, data and supporting processes that are used by software developers for developing new application systems (cf. production or test environments).

Device

An item of computing or networking equipment, a piece of hardware.

Dialer

Form of malware which tries silently to connect to a premium rate phone number using the computer’s modem.  See also war dialer.

Digital certificate

File containing information about a user or system along with their public key plus a digital signature from the Certification Authority to authenticate the whole certificate.

Digital signature

Cryptographic hash of a message, encrypted with the sender’s private key, used to ‘seal’ the document thus revealing any subsequent changes and authenticating it.

Discretionary

Optional i.e. provided or used at someone’s discretion.  Refers to information security controls that are not absolutely mandated by the information security architecture.

Division of responsibilities

Control requiring the involvement of more than one individual to complete a business process e.g. data entry performed by a member of staff with review and authorization performed by a supervisor or manager.  Normally reinforced by controlled access to the corresponding system functions.  Reduces the possibility of fraud, barring collusion between the individuals, and data entry errors.  Also known as separation or segregation of duties.

DMCA (Digital Millennium Copyright Act)

US law prohibiting technologies/devices used to bypass or defeat software/data copy protection mechanisms.

DMZ (De-Militarized Zone)

Special network segment between the outer network perimeter and the inner organization network, within which proxy servers and firewalls help to isolate the internal and external networks.

Documented, documentation

Written down, reviewed and approved by management, and used.  Most other documents referenced in the Information Security Policy Manual are relatively formal in nature and are assumed to be under change control, like the manual itself.

Dongle

Copy protection device used to ‘unlock’ (allow access to) software for use on the particular computer into which it is plugged.

DoS (Denial of Service)

Type of information security incident in which availability is impacted, for example by deliberately or accidentally overloading the system or network, thereby interfering with legitimate business processing.  See also DDoS.

DR (Disaster Recovery)

Arrangements to restore IT systems and data supporting critical business functions, often from an alternate location, following a major incident affecting the primary production systems and data.

DRM (Digital Rights Management)

Technological controls using encryption to permit or deny certain types of use of IP according to the copyright owner’s wishes.

Dual-control

Form of control requiring the actions of more than one person, for example when two soldiers have to insert and turn their keys at the same moment to launch a missile.

Emergency intervention

Situation in which a competent support person is specifically authorized by management to modify a system directly, typically through a privileged emergency userID, bypassing the normal system access controls and code migration processes in order to resolve an urgent production issue.

Encryption

Application of cryptography to make information unintelligible to anyone without access to the correct key.

Ethical

Behavior broadly accepted as right and proper, at least in the culture in which it occurs.  Ethical beliefs vary from culture to culture, however.  A practice considered ethical within the hacker community, for example, may not be OK to an ISM.

Exemption

Temporary management-approved relaxation of security policy requirements, provided that compensating controls are implemented (where possible).  The person requesting an exemption remains formally accountable for the residual risk resulting from non-compliance with policy.

Exploit

To take advantage of or use.  A risk is the chance that a threat may exploit a vulnerability causing an impact.

External

Outside the organization’s physical, organizational and network boundary (cf. internal).

Failover

Manual or automated process for transferring resilient IT services between redundant equipment, campuses and/or network routes, providing high availability.

Failsafe

Concept used heavily in safety-critical or high-security system and process designs whereby a control failure leaves the system/process in an inherently safe or secure condition, even if that impairs availability.

Fair use

Copyright laws generally permit limited use of copyright materials without the copyright owner’s explicit permission.  Such fair use exceptions typically allow quoting and summarizing of non-substantial parts of copyright materials and small-scale copying for research and educational purposes.

Fault

Problem with information processing or communications systems including definite or suspected security incident, system failure, program error/bug, virus, other undesirable system operation etc.

Fault tolerance

High-availability design goal that a system should survive incidents that would otherwise cause a system failure or unplanned outage.

Firewall

Specialized router specifically configured as a gateway to control logical access to the attached network segments, nodes and devices.

Firmware

Software embedded in a hardware device, typically an EEPROM (Electrically Erasable Programmable Read Only Memory) chip.  A computer’s BIOS (Basic Input Output System) is an example: BIOS firmware normally checks the machine’s hardware for faults and loads the boot loader part of the main operating system.  Any malware in firmware is likely to have complete control of the system since it is inherently trusted by the operating system and other software.

FMEA (Failure Mode and Effects Analysis)

Engineering method to analyze potential failure modes, and the effects of such failures, on a system.  Used to identify potential reliability problems early in the software or hardware development lifecycle and identify options to mitigate the failures.  Helps design more resilient systems.

Fraud

Theft or similar crime involving deliberate deception by a fraudster, for example assuming someone else’s name (identity theft) or promising a large payout on receipt of an advance fee.

Fraudster

Deceitful person who commits fraud.  Sometimes incorrectly known as “the fraud”.

Governance

Comprises the entire management framework or structure for controlling and directing the organization, including information security and other controls.

Guideline

Written guidance explaining how certain information security controls operate.  Despite the name, many of the controls noted in guidelines directly support security axioms and policy statements and are therefore mandatory.  Guidelines also contain supplementary information to help employees apply the controls properly.

Hacker

Originally the term simply meant someone who was obsessively fascinated by technology.  In common use, hacker has gradually come to mean someone who deliberately breaks into networks and systems although cracker is technically more accurate.

Hardware

Tangible IT asset.  Hardware has a financial book value, generally less than its replacement cost due to depreciation (wear and tear).  Hardware typically has even greater value to its owner thanks to supporting/enabling important business processes.  cf. software, firmware, data.

Hash

Characteristic value produced by passing a string or file through a so-called ‘one-way encryption’ function.  The original string or file cannot be recreated with any certainty from the hash value but its validity can be verified by recalculating and comparing the hash against a previously calculated and securely stored hash value.

Hold file

Transactions that fail integrity or other checks are commonly flagged or placed in this special holding area for manual inspection, instead of being processed.  Also known as a suspense file.
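The glossary entries for control total and hold file describe a batch-integrity check in words; the following Python script (an added example, not part of the glossary) shows the two working together. It assumes a constructed comma-separated batch format in which detail records carry an amount and a trailer record carries the sender’s record count and amount total; the receiver recomputes both and diverts a mismatching batch to a hold file rather than processing it.

```python
"""Control-total check on a batch file crossing a system interface.

Added example (not from the glossary). Batch layout, field names and the
trailer record are assumptions: "D,<id>,<amount>" detail records followed
by one "T,<count>,<total>" trailer carrying the sender's control totals.
"""
from decimal import Decimal, InvalidOperation

# Constructed sample batch: three detail records and a correct trailer.
GOOD_BATCH = """\
D,1001,125.50
D,1002,-40.00
D,1003,300.25
T,3,385.75
"""

# Constructed batch with one record lost in transit; trailer still claims 3 records.
DAMAGED_BATCH = """\
D,1001,125.50
D,1003,300.25
T,3,385.75
"""


def parse_batch(text):
    """Return (detail_records, trailer) where trailer is (count, total)."""
    details, trailer = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if fields[0] == "D" and len(fields) == 3:
            try:
                details.append((fields[1], Decimal(fields[2])))
            except InvalidOperation:
                raise ValueError(f"line {lineno}: bad amount {fields[2]!r}")
        elif fields[0] == "T" and len(fields) == 3:
            trailer = (int(fields[1]), Decimal(fields[2]))
        else:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
    if trailer is None:
        raise ValueError("missing trailer record")
    return details, trailer


def check_control_totals(text):
    """Recompute record count and amount total and compare with the trailer.

    Returns (ok, actual_count, actual_total, expected_count, expected_total).
    Decimal is used so that amounts compare exactly, unlike binary floats.
    """
    details, (exp_count, exp_total) = parse_batch(text)
    act_count = len(details)
    act_total = sum((amt for _, amt in details), Decimal("0"))
    ok = act_count == exp_count and act_total == exp_total
    return ok, act_count, act_total, exp_count, exp_total


def process_batch(text, hold_file):
    """Process the batch, or divert the whole batch to hold_file on mismatch.

    hold_file is a plain list standing in for the suspense file. Returns the
    processed detail records, or an empty list if the batch was held.
    """
    ok, act_count, act_total, exp_count, exp_total = check_control_totals(text)
    if not ok:
        hold_file.append({
            "batch": text,
            "reason": (f"control total mismatch: got {act_count} records / {act_total}, "
                       f"expected {exp_count} / {exp_total}"),
        })
        return []
    details, _ = parse_batch(text)
    return details


if __name__ == "__main__":
    held = []
    print("good batch processed:", process_batch(GOOD_BATCH, held))
    print("damaged batch processed:", process_batch(DAMAGED_BATCH, held))
    print("held for inspection:", [h["reason"] for h in held])
```

A control total catches accidental loss or duplication of records; it does not detect deliberate tampering by someone who can also rewrite the trailer, which is why the glossary separately lists hashes and digital signatures for that case.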

Identity theft

Type of fraud in which the fraudster falsely assumes the victim’s identity, typically as a prelude to stealing financial or other assets.  Often involves theft or falsification of credentials used to assert the holder’s identity.

Impact

An adverse event caused by an information security incident, leading to direct or indirect losses or costs to the organization.  A measure or description of the effect or outcome of an incident.

In the wild

Describes malware that is being actively and widely exploited for real, as opposed to that which has only ever been seen in the laboratory or in very limited-scope incidents.

Incident

Situation in which an information security risk materializes i.e. an information security threat exploits an information security vulnerability (typically a weak or missing information security control) to cause a business impact.  Includes the result of deliberate breaches or compromises plus accidents and acts of God.  If adequate detective controls are in place, incidents should generate alarms or alerts and log entries.

Industrial espionage

The use of unethical, illicit, surreptitious and often illegal “spying” techniques to gather sensitive information from competitors, either directly or via common business partners or other third parties.  An extreme form of competitive intelligence.

Information asset

Computer system, data, database, proprietary knowledge, experience, insight etc. i.e. valuable IT technology equipment and/or information content that requires protection against information security risks.  May legally belong to the organization, or to a third party but placed in the organization’s care (e.g. personal data).

Information Asset Owner (IAO)

Manager held accountable for the proper protection of one or more information assets such as business applications and data sets.  They approve and fund appropriate information security controls for the assets, authorize access and monitor the effectiveness of the controls.

Information security (infosec)

General term for the risk management activity involving the implementation, operation and maintenance of controls designed to meet business requirements for confidentiality, integrity and availability of information assets by preventing incidents and/or minimizing impacts.

Information security architecture

The complete set of information security (confidentiality, integrity and availability) controls limiting the risks associated with a given IT system or infrastructure.  Should ideally be documented in the security design.

Information security design

Documentation describing the key information security risks, control objectives and controls required in a computer system, in other words the information security architecture.  May comprise one or more dedicated security design documents or may be distributed across various system architecture, design, development and operations documents, policies, procedures, change records etc.

Information Security Policy Manual

The organization’s overarching policy defining the overall objectives and structure for information security management, also known as the ISMS.

Information Security Management

The function responsible for day-to-day management of information security, managing technical, procedural and physical controls, systems, processes, standards etc.  Led by the ISM.

Information Security Management System (ISMS)

The overall management system comprising governance, policies, procedures etc. through which information security is directed and controlled.

Information Security Manager (ISM)

Manager of the Information Security Management function.  Reports to the CSO.

Insider threat

Information security threat arising from workers or their associates.

Integrity

Property of completeness and accuracy of data, IT systems etc. Protected through controls such as referential integrity, data entry validation, honesty, ethics and trust.  One of the three core elements of information security, along with confidentiality and availability.

Intellectual Property (IP)

Proprietary information (typically) that legally belongs to someone and may be protected by IPR.

Intellectual Property Rights (IPR)

Rights of the legal owner of intellectual property to determine how the information is used and/or copied by others, for example through software licensing/copyright, patent, trademark or contract law.

Internal

Within the organization’s physical, organizational and/or network boundary (cf. external).

INTERNAL USE

Class of information that is intended for general use by the organization workers and, if necessary, by selected third parties such as clients, suppliers or contractors.

ISO/IEC 27000-family (“ISO27k”)

A growing collection of ISMS international best practice standards being produced under the auspices of a joint ISO/IEC committee.

ISO/IEC 27001:2005 (“ISO 27001”)

International standard “Specification for an Information Security Management System”, originally known as BS 7799 Part 2.  This is the standard against which ISO/IEC 27002 users may choose to have their ISMS certified.

ISO/IEC 27002:2005 (“ISO 27002”)

International standard "Code of Practice for Information Security Management", originally known as BS 7799 Part 1 and then ISO/IEC 17799.  Proposes a reasonably comprehensive set of information security control objectives and a selection of best practice information security controls.

IT (Information Technology Department)

Department responsible for providing computing and telecommunications services to the organization.

Journaling

Database security/control method in which steps leading up to a commit point are saved temporarily until the commit is complete, enabling the sequence to be reversed or recreated if interrupted by an incident, for instance a power failure or coincident change.

Keylogger

Malware that secretly records the user’s keystrokes.  There are hardware and software types.  Hardware keyloggers are inserted into the keyboard cable or connector where they may appear to be interference suppressors, or are fitted inside the keyboard or PC.  Software keyloggers are typically installed by Trojans.

Least privilege

Information security principle involving restrictions in the level of privileges or rights assigned to an individual person, function or system, consistent with their authorized and intended purpose.

License

Permission optionally granted by the owner of copyright materials (such as software) for someone to copy and/or use them within certain constraints.

Local Security Committee (LSC)

Committee responsible for directing and coordinating physical and information security within an individual business unit or site.

Lock

Physical security device requiring a physical key, electronic key card, PIN code or similar to release a door etc.  Also a database integrity control which essentially prevents simultaneous data changes being made by different computer processes or users.

Log

An historical record of events, recorded in a data file for subsequent review and analysis.  Logs should be secured against unauthorized modification (tampering) or access (if confidential) and retained for as long as is necessary to complete the review and analysis, or according to legal and/or business requirements identified in the Information Retention Policy.  See also audit trail.

Logic bomb

Form of malware designed to lie dormant but self-activate at some point, e.g. at a certain time (i.e. a time bomb), when a certain user logs in, or when a particular combination of events occurs (e.g. the programmer is removed from the payroll), and then perform some malicious action (e.g. shut down the system, modify or delete data).

Logical access control

Automated information security control protecting electronic information assets (data/software, directories, disks, tapes etc.) against access by unauthorized users, programs or systems.

Malware

Contraction of "malicious software" meaning programs written and circulated with malicious intent such as viruses, worms, Trojans, rootkits, logic bombs etc.

Manager

Line manager for one or more members of staff.  The Executive Directors delegate responsibility for implementation of the organization’s information security principles, axioms and the Policy Manual via the Security Committee and CSO, through Information Security Management and the ISM, to managers, and through them, to their subordinates.  In this manner, information security is everyone’s responsibility (itself one of the principles).

Mandatory

The opposite of discretionary.  Systems, procedures and workers must comply with mandatory policy statements unless they have been granted a legitimate exemption by senior management, or if compliance would fall foul of legal or health and safety obligations.

Mobile code

Programs that transfer between systems and execute, performing specific functions with little or no user interaction.

Multifactor authentication

Form of user authentication in which different types of credential are required (e.g. a secret password plus a security token plus a biometric).  Multiple passwords recalled and entered by a single person do not qualify as multifactor authentication, whereas passwords recalled and entered by more than one person (one form of dual-control) do.

Need-to-know

Alternative name for the principle of default deny (cf. ‘need-to-withhold’).

Network

Collection of data communications links or connections, plus the nodes or devices and the networked services they provide. 

Network node/device

Computing/networking equipment with one or more network connections.  Examples include routers, firewalls, application systems, file servers, Webservers, mail servers and network management systems.

Networked service

Application running on a server or other network node/device that is offered over the network.

Non-interactive userID

Type of userID intended for automated system logons and file ownership by computers and applications, rather than by people.

Outage

IT service interruption caused either by a planned activity (such as scheduled maintenance) or an unplanned incident.

Passphrase

A secret phrase or saying that is either used directly as a long and hence strong password, or is used to recall one (e.g. using initial letters of the words to a song or poem).

Password

A secret string of characters that should only be known by one person and can therefore be used to authenticate them.  A type of credential.

Patent

Legal protection for novel inventions that have been properly registered with the relevant patent authorities.  A form of IPR.

Payload

The destructive function (the “business end”) of malware that performs unauthorized functions such as deleting or modifying files etc.

Penetration test

Officially authorized/sanctioned/requested test of an organization’s information security controls by competent and trustworthy experts.  The scope may include network, physical and/or other information security controls and specific systems or locations.

Perimeter

The outermost physical and/or logical boundary around a collection of assets, such as the network perimeter dividing the organization’s internal network from the Internet and other external networks.

Personal data, personal information

[Normally] Data or information associated with an identifiable individual person.  This term is explicitly defined in national data protection laws with minor but important differences between countries.

PIN (Personal Identification Number)

Numeric password used on systems with numeric keypads instead of full alphanumeric keyboards.

Pirate

Someone who commits piracy e.g. by making, using, selling or otherwise distributing illegal copies of copyright material, whether deliberately or inadvertently.  Seldom wears an eye patch.

PKI (Public Key Infrastructure)

Asymmetric cryptographic system using public and private key pairs.

Plagiarism

Theft (copying and using) of another person’s IP without properly acknowledging or attributing it to them.

Plaintext

Text that is human readable and makes sense, like this sentence (cf. cyphertext).

Policy

Overriding statement of authority by management such as the Information Security Policy Manual, defining, at a high level, how workers must behave in certain circumstances.  States management’s definition of the business objectives, expanding on the broad policy statements (axioms), and supported by more detailed standards, procedures and guidelines that explain how the objectives are to be fulfilled.

Polymorphic virus

Type of computer virus which changes (morphs or mutates) as it infects successive systems/files, making detection and disinfection somewhat challenging.

Principle

Fundamental or philosophical basis on which our information security controls are based.  Typically encapsulated by phrases such as ‘default deny’, ‘defense in depth’, ‘shared responsibility’ and ‘least privilege’. 

Privacy

A person’s right to confidentiality regarding what they consider to be sensitive information about themselves.

Private key

The secret member of a public-private key pair in an asymmetric cryptography system or PKI.

Privilege

Attribute of certain userIDs, programs etc. that allows the users or programs to bypass logical access controls and execute functions that are normally forbidden to ordinary (non-privileged) userIDs; for example, data backups need to copy all the files to be backed up, even if they are not owned by the backup user.

Privileged User Rôle

Whereas nonprivileged User Rôles define minimal rights of access to networks, systems and data for most users, Privileged User Rôles define more powerful access rights that can bypass normal security controls and are therefore only allocated to highly trustworthy workers with additional procedural and/or technical controls.

Procedure

Document formally or informally describing a process.  Procedures are normally written to explain processes to those who perform them, and are formalized for management approval and/or to improve control and repeatability of the process.

Process

A sequence of manual and/or automated activities to fulfill a specific objective or function, normally as described in a procedure.

Production

Computer environment comprising systems, networks, devices, data and supporting processes that are in operation supporting live business processes (cf. development or test).  Also known as operational or live systems.

Program library

Controlled directory or database containing machine-readable executable programs (cf. program source library).

Program Source Library (PSL)

Controlled directory or database containing human-readable source code files (cf. program library).

Program-to-program

Type of balancing control used to ensure integrity of information passed between programs.

Proprietary

Valuable and normally sensitive commercial information such as trade secrets, customer lists and competitive information.

Proxy server

Network server running software that disassembles network packets to obtain the data content and then (possibly after applying access rules) repackages them for onward transmission.  Helps to segregate internal from external network segments.

PUBLIC

Class of information that has been officially sanctioned by the organization for external publication to select groups or the general public (e.g. press releases, marketing materials) or is already in the public domain (e.g. newspapers, Internet Websites).

Public key

The non-secret member of a public-private key pair in an asymmetric cryptography system or PKI, normally published on a digital certificate.

PVLAN (Private Virtual Local Area Network)

VLAN that is isolated from others through the use of traffic encryption.

RBAC (Rôle Based Access Control)

Access control scheme whereby users are granted certain system access rights according to the rôles they are required to perform, the idea being that rôles change less frequently than users.

Redundant, redundancy

Resilience technique in which vital systems, network links, rôles etc. are duplicated and diversified, such that failure in any one will not jeopardize the entire business process.

Referential integrity

Set of integrity controls incorporated into relational database management systems to help prevent inconsistencies for example in the links between related tables.

Remote Diagnostic Port

Dedicated console or management port giving privileged access for technical support to a device such as a telephone exchange, server, storage subsystem, router, firewall, gateway etc.

Resilience

The ability for IT systems and business processes to continue operating more-or-less unaffected by security incidents, providing high availability.  May involve the use of multiple redundant facilities with automated or manual failover, fault tolerance and “over-engineering”, and the minimization of single points or common modes of failure.

Responsibility

An obligation placed on an individual by management, the law/regulations or by society to ensure that an information asset is protected i.e.  a duty of care. Unlike accountability, responsibility can be delegated from one person to another.

Risk

Combination of the likelihood of an information security threat exploiting an information security vulnerability, and the impact that results.  [In other contexts, risks can be commercial, regulatory/legal, market, personal, environmental etc. but herein “risk” relates specifically to information security.] 

Risk assessment, Risk analysis

Structured process for examining information security threats, vulnerabilities and impacts relating to a given system or situation, in order to determine whether additional controls are required.  The specific terms risk assessment or risk analysis may refer to different extents of examination (‘analysis’ normally implies more depth).

Risk management

Process for assessing and actively minimizing information security threats, vulnerabilities and/or impacts, usually by improving controls but sometimes by transferring risk to third parties (e.g. insurers).  Also the name of a common business function responsible for promoting good practices in the management of all forms of risk.

Rootkit

Hacker toolset typically containing Trojans and utilities to take and keep control of a compromised computer system.  Often includes hacked versions of normal system programs with backdoors and other covert functions.  Usually hidden deep in the system “kernel” or device drivers, hence hard to detect and eradicate.

RPO (Recovery Point Objective)

Following a serious incident requiring the invocation of disaster recovery arrangements, defines the point prior to which all data should have been restored (e.g. previous hour, previous working day, previous week etc.).

RTO (Recovery Time Objective)

Defines the absolute maximum (‘worst case’) acceptable duration of non-availability of systems due to incidents, which therefore determines the corresponding need for suitable resilience and disaster recovery arrangements.

Run-to-run

Type of balancing control used to ensure integrity of information saved between executions of a particular program (e.g. an identifier for the last transaction processed on the previous run is checked when the next run starts to ensure no transactions were missed).

Sabotage

Deliberate, willful and unauthorized damage to IT facilities, systems, network devices/connections, deletion, insertion or disclosure of data etc. in order to cause a Denial of Service or other impact.

SECRET

Class of information that is extremely sensitive and/or business critical and therefore needs to be protected as strongly as possible against unauthorized access.  Examples include the organization’s strategies, plans, Board minutes, system security information (e.g. passwords, firewall rules) and price-sensitive information destined for a company’s annual report prior to its publication.

Security Administration

Information security function responsible for administering userIDs, passwords, access to applications etc.

Security Committee (SC)

Senior management body responsible for security including physical and information security.  Directs and coordinates all security activities across the organization.  Works with the direct authority of the Executive Directors, liaising as necessary with the ISM, Local Security Committees, Internal Audit, Risk Management, Compliance etc.

Security token

Hardware device used as a credential, for example a smart card or key fob containing a cryptographic processor and display.

Separation or segregation of duties

See division of responsibilities.

Sensitive

Information asset considered to be at especially high risk of unauthorized disclosure or modification (e.g. a system containing personal data or secret proprietary information).

Shared responsibility

Information security principle stating that we are all collectively responsible for maintaining adequate security measures.

Shrink-wrapped

Refers to the practice of packaging COTS in clear plastic film through which the marketing blurb and copyright notice or license may be read and accepted prior to purchasing or opening the box.

Significant Information Asset

Information asset or related group/set of information assets having an aggregate replacement value of at least $50,000 (this value is reviewed annually by the Executive Directors).   [This is clearly an organization-specific definition!]

Social engineering

Hacking/scamming technique involving the manipulation of people through a combination of deception and persuasive or assertive behavior (‘bravado’).

Software

Computer program cf. hardware, firmware and data.  Programs written or abused by someone with malicious intent are called malware.

Spam

Unsolicited bulk commercial email (n.b. "SPAM" in capitals is the trademarked name of a processed meat product).

Spyware

Type of malware which ‘spies’ on the user, for example sending information about the programs run, Websites visited or data submitted, to a remote system or user.

Standard

Statement of information security objectives and controls, endorsed and supported by management.  Describes particular security controls that have been chosen to comply with the principles and axioms defined in this Information Security Policy Manual.

Standing data

Reference items that are relatively static and unchanging (e.g. bank account numbers) compared to more volatile user data (e.g. bank account balances).

Stealth virus

Virus that hides by intercepting disk access requests. When a basic antivirus program tries to search the disk, the virus conceals itself by removing or changing program names, file names etc. in the information fed to the antivirus program.

Suspense file

See hold file.

System Development Life Cycle (SDLC)

The entire cradle-to-grave process through which an application system is conceived, specified, developed, tested, implemented, operated, managed, maintained and eventually retired from service.

System files

Primarily executable files comprising the operating system but can include the associated configuration files, startup and login scripts, and even application program executables.  Excludes user data files.

Technical standard

Standard establishing the information security parameters required on a particular technical platform.  Interprets control requirements outlined in ISO/IEC 27002 and the Information Security Policy Manual for the specific platform or situation at hand.

Test environment

Computer environment comprising systems, networks, devices, data and supporting processes that are used for testing (checking and/or exercising) application systems prior to being released for use in production (see also development).

Third party

Independent person or external organization not directly employed by the organization.

Threat

A person, situation or event (whether deliberate or accidental in nature) that is capable of causing an information security incident.   Sometimes known as ‘threat source’.

Tier 1, 2 or 3

Classification label relating to the availability requirements or business criticality of a business process and any supporting information systems.  Tier 1 is the top/most critical class.

Time bomb

See logic bomb.

Timeout

Function that automatically suspends and password-locks a computer session after ten minutes without user activity.

Trademark

Legal protection for words, images and associated characteristics of brand names etc.  A form of IPR.

Trojan

Contraction of “Trojan horse program” that may appear to the user to offer a useful function or to do nothing, but in fact contains hidden malicious functions, typically allowing remote control of the system by hackers.  A form of malware.

Two Factor Authentication (“2FA”)

Simplest form of multifactor authentication, for example requiring a password plus the current value displayed on a security token to authenticate a computer user.

Unauthorized

Not permitted, accepted or agreed by management as being in the organization's best interests (cf. authorized).

User

Person who uses computer and/or communications technology.

UserID (User IDentifier or User IDentity)

Label used to tag a user and their activities on an IT system so that they may be controlled by logical access controls, recorded in log files etc.  Also known as a username, login name, computer account etc.

User Rôle

Logical access rights are standardized by defining and assigning the minimal rights necessary for users in certain job functions to perform their rôles within the organization (see also Privileged User Rôle).

Valid

State of being true, accurate, complete, authentic etc.

Validation

Process to check whether something is valid.

Virus

Computer program that self-replicates and automatically spreads between systems.  Usually contains a payload.  A form of malware.

Virus hoax

Chain letter spreading a false virus warning.  Hoaxes can cause alarm and waste time but are not normally harmful, although some that advise users to delete, rename or replace files can cause problems (a form of social engineering).

VLAN (Virtual Local Area Network)

Broadcast LAN domain containing one or more workstations and/or servers, usually associated according to the specific ports on LAN switches to which they are connected (see also PVLAN).

VPN (Virtual Private Network)

Application of cryptography to create a secure “tunnel” between IT systems over an insecure or untrustworthy network (such as the Internet).

Vulnerability

Weak or missing information security control, or an inherent weakness in an information asset, system or process.

War dialer

Hacking or penetration testing software that automatically calls a range of phone numbers in an attempt to locate vulnerable modems, FAX machines, voicemail systems etc.

Web bug

Tracking hyperlink within a Web page that refers the user’s browser to a particular file on the Web, typically a tiny one-pixel image.  When the user’s browser reads the page, interprets the code and retrieves the file, the Webserver records the network access by the user’s IP address in its log, potentially compromising the user’s privacy.

Worker

A permanent or temporary employee of the organization (whether a member of staff or a manager), or someone self-employed or employed by a third party such as a consultant or contractor but acting in a similar capacity i.e. working on behalf of and to a large extent controlled by the organization.

Worm

Networking program that exploits network connections to spread between systems and often performs unauthorized functions such as sending unsavory emails or spam, DoS attacks etc.  A form of malware.

Zombie

See bot.

* * *   End of glossary   * * *

Sources and references

The glossary has evolved gradually over several years in connection with the NoticeBored security awareness service from IsecT Ltd.  The original MS Word document is proprietary – it is provided in our generic information security policy manual based on ISO/IEC 27002, and we create extracts from it to explain terms associated with the monthly information security awareness topics.  This HTML version is the product of MS Word’s ‘filtered HTML’ output, with our apologies for any page layout errors, odd font and text size changes and various other artifacts.

Reference sources for this glossary included:

-     Wikipedia – a wicked online encyclopedia with millions of entries explained in much more depth than we would ever hope to emulate, of which but a tiny fraction are relevant to information security.

-     Rob Slade’s excellent Dictionary of Information Security - Rob is an authority on malware and many other information security topics, and writes with great wit.  If you want a better hardcopy/offline version of this online glossary, buy Rob’s dictionary for ~US$30 from Amazon and add your own sticky page tabs for that hyperlinked/online feel.

-     The ISO/IEC 27000-series (“ISO27k”) standards, including the as-yet unpublished working draft of ISO/IEC 27000 (a proper information security management systems glossary), and various other information security standards, many of which are listed at ISO27001security.com.

-     Other information security dictionaries such as Vir V Phoha’s Internet Security Dictionary published in 2002 and at least a zillion other online/offline dictionaries, glossaries, lexicons and other fancy word collections, plus the whole body of information security management writing and discussion with fellow information security professionals, all far too numerous to acknowledge individually.  We are extremely grateful for all your inputs, particularly the friendly online communities at CISSPforum and the ISO27k implementers’ forum.

Please email any glossary corrections, clarifications, additions and quibbles to: Gary@isect.com.  I will appreciate your feedback and, especially, improvement suggestions.  The offline version is actively maintained every month but the online version may not be updated so regularly – sorry but this is a spare time project and I have a proper day-job!

Copyright

This work is copyright © 2007, ISO27k implementers' forum, some rights reserved.  It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.  You are welcome to reproduce, circulate, use, link-to and if you wish create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers’ forum based at ISO27001security.com, and (c) derivative works are shared under the same terms as this.

Disclaimer

This is an informal document.  It is not suitable for all organizations and circumstances.  It is merely guidance and almost certainly contains serious errors and omissions.  It is not legal or marital advice.  Please refer to ISO/IEC 27000 (when released), other ISO27k standards, glossaries, lexicons and dictionaries, further reference sources such as those identified above and/or consult qualified and experienced information security experts for specific advice tailored to your situation.