Account management, user

Involves (1) the process of requesting, establishing, issuing, and closing user accounts, (2) tracking users and their respective access authorizations, and (3) managing these functions.

Accountability

(1) The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. (2) The property that enables system activities to be traced to individuals who may then be held responsible for their actions. This is a management and preventive control.

Accountability principle

A principle that calls for holding individuals responsible for their actions. In computer systems, this is enabled through identification and authentication, the specifications of authorized actions, and the auditing of the user’s activity.

Accreditation

The official management decision given by a senior officer to authorize operation of an information system and to explicitly accept the risk to organizations (including mission, functions, image, or reputation), organization assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Accreditation authority

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organization operations, assets, or individuals. Synonymous with authorizing official or accrediting authority.

Accreditation boundary

All components of an information system to be accredited by an authorizing official, excluding separately accredited systems to which the information system is connected.

Accreditation package

The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to (1) the system security plan, (2) the assessment results from the security certification, and (3) the plan of actions and milestones.

Accuracy

A qualitative assessment of correctness or freedom from error.

Acoustic cryptanalysis attack

An exploitation of sound produced during a computation; a type of side-channel attack (Wikipedia).

Activation data

Private data, other than keys, that is required to access cryptographic modules.

Active attack

An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle (MitM), impersonation, and session hijacking. Active attacks can result in the disclosure or dissemination of data files, denial-of-service, or modification of data.

Active content

Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user. Active content technologies enable mobile code associated with a document to execute as the document is rendered.

Active security testing

(1) Hands-on security testing of systems and networks to identify their security vulnerabilities. (2) Security testing that involves direct interaction with a target, such as sending packets to a target.

Active state

The cryptographic key lifecycle state in which a cryptographic key is available for use for a set of applications, algorithms, and security entities.

Active wiretapping

The attaching of an unauthorized device, such as a computer terminal, to a communications circuit for the purpose of obtaining access to data through the generation of false messages or control signals or by altering the communications of legitimate users.

Active-X

Software components downloaded automatically with a Web page and executed by a Web browser. A loosely defined set of technologies developed by Microsoft, Active-X is an outgrowth of two other Microsoft technologies called OLE (Object Linking and Embedding) and COM (Component Object Model). As a moniker, Active-X can be very confusing because it applies to a whole set of COM-based technologies. Most people, however, think only of Active-X controls, which represent a specific way of implementing Active-X technologies.

Adaptive maintenance

Any effort initiated as a result of environmental changes (e.g. laws and regulations) in which software must operate.

Address-based authentication

Access control that is based on the IP address and/or hostname of the host requesting information. It is easy to implement for small groups of users but not practical for large groups of users. It is susceptible to attacks such as IP spoofing and DNS poisoning.
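The following added example (not part of the glossary) shows what an address-based authentication check actually consists of: a comparison of the requester's source address against an allowlist of CIDR ranges and hostnames, with no credential involved. The allowlist, the hostnames and the resolver tables are constructed; the resolver is injectable so the second run can show why a hostname entry is only as trustworthy as the DNS answer behind it.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed allowlist (hypothetical values): two CIDR entries and one hostname entry.
ALLOWLIST = ["192.0.2.0/24", "10.0.0.5/32", "admin.example.test"]

# A resolver maps a hostname to the addresses it currently resolves to.
Resolver = Callable[[str], List[str]]


def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed name->addresses table."""
    return lambda name: table.get(name, [])


def allowed_by_address(src_ip: str, allowlist: List[str], resolve: Resolver) -> bool:
    """Address-based authentication: allow the request if the source address
    falls inside an allowlisted network or matches an allowlisted hostname.
    Nothing here proves who the requester is; only where the packet claims
    to come from."""
    ip = ipaddress.ip_address(src_ip)
    for entry in allowlist:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not a network, so treat the entry as a hostname. The decision now
            # rests entirely on what the resolver answers for that name.
            if any(ipaddress.ip_address(addr) == ip for addr in resolve(entry)):
                return True
            continue
        if ip in network:
            return True
    return False


if __name__ == "__main__":
    honest = make_resolver({"admin.example.test": ["198.51.100.7"]})
    print(allowed_by_address("192.0.2.10", ALLOWLIST, honest))     # True: inside 192.0.2.0/24
    print(allowed_by_address("203.0.113.9", ALLOWLIST, honest))    # False: no entry matches

    # Same request, but the name now resolves to a different address; the
    # check flips without any change to the allowlist itself.
    poisoned = make_resolver({"admin.example.test": ["203.0.113.9"]})
    print(allowed_by_address("203.0.113.9", ALLOWLIST, poisoned))  # True
```

Because the only input the check trusts is the source address (or a name that resolves to it), its strength is bounded by how hard that address is to forge on the network path and by the integrity of name resolution, which is the practical meaning of the susceptibility the definition describes.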

Address resolution protocol (ARP)

A protocol used to obtain a node’s physical address. A client station broadcasts an ARP request onto the network containing the Internet Protocol (IP) address of the target node with which it wants to communicate; the node holding that address responds by sending back its physical address so that packets can be transmitted to it.
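As an added example (not part of the glossary), the exchange described above carried out on the wire format of RFC 826 for Ethernet/IPv4: the requester builds an ARP request with the target hardware address left as zeros, and only the node that owns the requested IP address answers with a reply carrying its own MAC address. All MAC and IP addresses below are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

ARP_REQUEST = 1
ARP_REPLY = 2
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
# RFC 826 layout: htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize one ARP packet (payload only, no Ethernet header)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(data: bytes) -> Dict[str, object]:
    """Decode an ARP packet, rejecting anything that is not Ethernet/IPv4."""
    if len(data) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


def answer_request(request: bytes, my_mac: str, my_ip: str) -> Optional[bytes]:
    """Behave like a node on the segment: reply only if the request asks for my IP."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, str(req["sender_mac"]), str(req["sender_ip"]))


def learn_from_reply(cache: Dict[str, str], pending: set, reply: bytes) -> bool:
    """Record the mapping from a reply, but only for an IP this host actually asked about.
    ARP carries no authentication, so a cache that accepts any reply trusts the whole segment."""
    rep = parse_arp(reply)
    if rep["op"] != ARP_REPLY or rep["sender_ip"] not in pending:
        return False
    cache[str(rep["sender_ip"])] = str(rep["sender_mac"])
    pending.discard(rep["sender_ip"])
    return True


if __name__ == "__main__":
    # Client 192.0.2.10 asks "who has 192.0.2.20?" (broadcast; target MAC is all zeros).
    request = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "192.0.2.10",
                        "00:00:00:00:00:00", "192.0.2.20")
    pending, cache = {"192.0.2.20"}, {}
    # Every node on the segment sees the request; only the owner of the address replies.
    for mac, ip in [("aa:bb:cc:dd:ee:02", "192.0.2.20"), ("aa:bb:cc:dd:ee:03", "192.0.2.30")]:
        reply = answer_request(request, mac, ip)
        if reply is not None:
            learn_from_reply(cache, pending, reply)
    print(cache)  # {'192.0.2.20': 'aa:bb:cc:dd:ee:02'}
```

The request/reply pair is the whole protocol: there is no field a receiver can use to verify that the sender really owns the address it claims, which is why the cache above only records a reply that matches an outstanding request of its own.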

Add-on security

(1) A retrofitting of protection mechanisms implemented by hardware or software after the computer system becomes operational. (2) An incorporation of new hardware, software, or firmware safeguards in an operational information system.

Adequate security

This proposes that security should be commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used operate effectively and provide appropriate confidentiality, integrity, and availability services through the use of cost-effective controls (i.e., management, operational, and technical controls).

Adj-routing information base (RIB)-in

Routes learned from inbound update messages from Border Gateway Protocol (BGP) peers.

Adj-routing information base (RIB)-out

Routes that the Border Gateway Protocol (BGP) router will advertise, based on its local policy, to its peers.

Administrative account

A user account with full privileges intended to be used only when performing personal computer (PC) management tasks, such as installing updates and application software, managing user accounts, and modifying operating system (OS) and application settings.

Administrative law

Law dealing with legal principles that apply to government agencies.

Administrative safeguards

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information (e.g., HIPAA) and to manage the conduct of the covered entity’s workforce in relation to protecting that information.

Administrative security

The management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data, programs, equipment, and physical facilities. Synonymous with procedural security.

Admissible evidence

Evidence allowed in a court to be considered by the trier of fact (such as a jury and/or judge) in making a legal opinion, decision, or conclusion. Admissible evidence must be relevant, competent, and material. “Sufficient” is not part of the concept of admissibility of evidence because it merely supports a legal finding.

Best evidence is admissible because it is the primary evidence (such as written instruments like contracts or deeds). Business records are also admissible when they are properly authenticated as to their contents (that is, notarized or stamped with an official seal).