
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.

Collision

A condition in which two data packets are transmitted over a medium at the same time from two or more stations. Also, the condition in which two or more distinct inputs produce the same output.

Collision detection

A mechanism by which stations recognize that a collision has occurred on the medium. When a collision is detected, the message is retransmitted after a random interval.

Commercial software

Software available through lease or purchase in the commercial market from an organization representing itself to have ownership of marketing rights in the software.

Common criteria (CC)

The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that is broadly useful within the international community. It is a catalog of security functionality and assurance requirements.

Common data security architecture (CDSA)

A set of layered security services that address communications and data security problems in the emerging Internet and intranet application space. CDSA focuses on security in peer-to-peer (P2P) distributed systems with homogeneous and heterogeneous platform environments, and applies to the components of a client/server application. CDSA supports existing secure protocols, such as SSL, S/MIME, and SET.

Common gateway interface (CGI) scripts

Insecure programs that allow the Web server to execute an external program when particular URLs are accessed.

Common law (case law)

Law based on preceding cases.

Common security control

A security control that is inherited by one or more organization’s information systems and has the following properties: (1) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (2) the results from the assessment of the control can be used to support the security certification and accreditation processes of an organization’s information system where that control has been applied.

Common vulnerabilities and exposures (CVE)

A dictionary of common names for publicly known IT system vulnerabilities.

Communications protocol

A set of rules or standards designed to enable computers to connect with one another and to exchange information with as little error as possible.

Communications security

Measures taken to deny unauthorized persons information derived from telecommunications facilities.

Comparison

The process of comparing a biometric with a previously stored reference template or templates.

Compartmentalization

The isolation of the operating system, user programs, and data files from one another in main storage in order to provide protection against unauthorized or concurrent access by other users or programs. This term also refers to the division of sensitive data into small, isolated blocks for the purpose of reducing risk to the data.

Compensating control (general)

A concept that states that the total environment should be considered when determining whether a specific policy, procedure, or control is violated or a specific risk is present. If controls in one area are weak, they should be compensated for or mitigated in another area. Some examples of compensating controls are: strict personnel hiring procedures, bonding employees, information system risk insurance, increased supervision, rotation of duties, review of computer logs, user sign-off procedures, mandatory vacations, batch controls, user review of input and output, system activity reconciliations, and system access security controls.

Compensating security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security baseline controls that provide equivalent or comparable protection for an information system. In other words, compensating controls are applied when baseline controls are not available, applicable, or cost-effective.

Compiled virus

A virus that has had its source code converted by a compiler program into a format that can be directly executed by an operating system.

Compiler

Software that translates a program written in a high-level programming language (source code) into machine language for execution, producing complete binary object code as its output. The availability of diagnostic aids, compatibility with the operating system, and the difficulty of implementation are the most important factors to consider when selecting a compiler.

Complementary control

A complementary control can enhance the effectiveness of two or more controls when applied to a function, program, or operation. Here, two controls working together can strengthen the overall control environment.

Complete mediation

The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control, during all functional phases (e.g., normal operation and maintenance). Also stressed are reliable identification of the sources of access requests and reliable maintenance of changes in authority.

Completeness

The degree to which all of the software’s required functions and design constraints are present and fully developed in the software requirements, software design, and code.

Compliance

An activity of verifying that both manual and computer processing of transactions or events are in accordance with the organization’s policies and procedures, generally accepted security principles, governmental laws, and regulatory agency rules and requirements.

Compliance review

A review and examination of records, procedures, and review activities at a site in order to assess the unclassified computer security posture and to ensure compliance with established, explicit criteria.

Comprehensive testing

A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white box testing.

Compression

The process of reducing the number of bits required to represent some information, usually to reduce the time or cost of storing or transmitting it.

Compromise

The unauthorized disclosure, modification, substitution, or use of sensitive data (including keys, key metadata, and other security-related information); the loss of, or unauthorized intrusion into, an entity containing sensitive data; or the conversion of a trusted entity to an adversary.

Compromise recording

The principle that records and logs should be maintained so that, if a compromise does occur, evidence of the attack is available to the organization for identifying and prosecuting attackers.

Compromised state

A cryptographic key life cycle state in which a key is designated as compromised and not used to apply cryptographic protection to data. Under certain circumstances, the key may be used to process already protected data.

Computer crime

Fraud, embezzlement, unauthorized access, and other “white collar” crimes committed with the aid of or directly involving a computer system and/or network.