Glossary Of Computer Security Terms

Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (Source:
GCST).
Access Control
The process of limiting access to the resources of a system only to authorized programs, processes, or other systems (in a network). Synonymous with controlled access and limited access. (Source: GCST)
Accreditation
A formal declaration by the designated approving authority (DAA) that the automated information system (AIS) is approved to operate in a particular security mode using a prescribed sete of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation
statement affixes security responsibility with the DAA and shows that due care has been taken for security. (Source: GCST)
Assurance
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. Compare with trusted computer system. (Source: GCST)
Audit Trail
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. (Source: GCST)
Authenticate
1.To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
2.To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
(Source: GCST)
Authorization
The granting of acccess rights to a user, program, or process. (Source: GCST)
Automated Information System
An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. (Source: GCST)
Availability
The state when data is in the place needed by [or accessible to] the user, at the time the user needs them, and in the form needed by the user. (Source: GCST)
Certification
The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a  particular design and implementation meet a specified set of security requirements. (Source: GCST)
Compartmented Mode of Operation
An AIS is operating in the compartmented mode when each user with direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for the most restricted information on the system.
Formal access approval for, and has signed nondisclosure agreements for, that information to which the user is to have access.
A valid need-to-know for that information to which the user is to have access.
(Source: GCST)
Covert Channel
A communications channel that allows two cooperating processes
to transfer information in a manner that violates the system’s security policy. Synonymous with confinement channel. (Source: GCST)
Covert Storage Channel
A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channnels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. (Source: GCST)
Covert Timing Channel
A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process. (Source: GCST)
Dedicated Mode of Operation
An AIS is operating in the dedicated mode when each user with
direct or indirect individual access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for all information contained within the system.
(Source: GCST)
Denial of Service
Any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. Synonymous with interdiction. (Source: GCST)
Designated Approving Authority (DAA)
The official who has the authority to decide on accepting the security safeguards prescribed for an AIS, or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards. (Source: GCST)
Discretionary Access Control (DAC)
A means of restricting access to objects based on the identity and need-to-know of the user, process, and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. Compare mandatory access control. (Source: GCST)
Evaluation
An assessment of a product agains the Trusted Computer System Evaluation Criteria (The Orange Book).
Information Warfare
Information warfare is the activity by a hacker, terrorist, or other adversary to disrupt an information system. Traditional security addresses the protection of information. Information warfare is aimed at protecting the systems that collect, store, manipulate, and transport information so that they are not accessed by unauthorized persons and are available as needed. (Source: Defense Information Infrastructure Master Plan)
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. Compare discretionary access control. (Source: GCST)
Multilevel Mode of Operation
An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:
Some do not have a valid personnel clearance for all of the information processed in the system.
All have the proper clearance and have the appropriate formal access approval for that information to which they are to have access.
All have a valid need-to-know for that information to which they are to have access.
(Source: GCST)
Multilevel Security (MLS)
An MLS system is a system containing information with different security classifications that simultaneously permits access by users with different security clearances and needs to know. This system prevents users from obtaining access to information for which they lack authorization. (Source: DOD Directive 5200.28)
Risk
The probability that a particular threat will exploit a particular vulnerability of the system. (Source: GCST)
Risk Analysis
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management. Synonymous with risk assessment. (Source: GCST)
Risk Management
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost/benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. (Source: GCST)
Sensitive Compartmented Information
Information restricted to people who have been given formal access to the security program, called a compartment.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. (Source: GCST)
System-High Mode of Operation
An AIS is operating in the system-high mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
A valid personnel clearance for all information on the system.
Formal access approval for, and has signed nondisclosure agreements for, all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs).
A valid need-to-know for some of the information contained within the system.
(Source: GCST)
Trusted Computer System
A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information. (Source: GCST)
————————————————————————

Note: “GCST” means the Glossary of Computer Security Terms, NCSC-TG-004, 21 Oct 88 (the “Olive” Book).

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s