Security priorities

Security priorities need to be developed so that investments can be allocated to the areas of highest sensitivity or risk.

Security program assessment

An assessment of an organization’s information security program to ensure that information and information system assets are adequately secured.

Security protections

Measures against threats that are intended to compensate for a computer’s security weaknesses.

Security requirements

(1) The types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy. (2) Requirements levied on an information system that are derived from laws, executive orders, directives, policies, procedures, standards, instructions, regulations, organizational mission or business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Security safeguards

The protective measures and controls prescribed to meet the security requirements specified for a computer system. Those safeguards may include but are not necessarily limited to hardware and software security features; operating procedures; accountability procedures; access and distribution controls; management constraints; personnel security; and physical security, which cover structures, areas, and devices.

Security service

(1) A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of authentication, authorization, and accounting (AAA) services. Security services typically implement portions of security policies and are implemented via security mechanisms. (2) A service, provided by a layer of communicating open systems, that ensures adequate security of the systems or of data transfers. (3) A capability that supports one, or many, of the security goals. Examples of security services are key management, access control, and authentication.

Security specification

A detailed description of countermeasures (safeguards) required to protect a computer system or network from unauthorized (accidental or unintentional) disclosure, modification, and destruction of data or denial of service.

Security strength

(1) A measure of the computational complexity associated with recovering certain secret and/or security-critical information concerning a given cryptographic algorithm from known data (e.g., plaintext/ciphertext pairs for a given encryption algorithm). (2) A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or module. The average amount of work needed is 2 raised to the power of (security strength minus 1). Security strength is sometimes referred to as a security level.

Security tag

An information unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map).

Security target (ST)

A set of security requirements and specifications drawn from the Common Criteria (CC) for IT security evaluation to be used as the basis for evaluation of an identified target of evaluation (TOE). It is an implementation-dependent statement of security needs for a specific identified TOE.

Security test & evaluation (ST&E)

It is an examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.

Security testing

The major goal is to determine that an information system protects data and maintains functionality as intended. It is a process used to determine that the security features of a computer system are implemented as designed and that they are adequate for a proposed application environment. This process includes hands-on functional testing, penetration testing, and verification. The purpose is to assess the robustness of the system and to identify security vulnerabilities. This is a management and preventive control.

Security vulnerability

A property of system requirements, design, implementation, or operation that could be accidentally triggered or intentionally exploited and result in a security failure.

Security zone (WMAN/WiMAX)

A security zone (SZ) is a set of trusted relationships between a base station (BS) and a group of relay stations (RSs) in WiMAX architecture. An RS can only forward traffic to RSs or subscriber stations (SSs) within its security zone.

Seed key

It is the initial key used to start an updating or key generation process.

Seed RNG

A seed is a secret value that is used once to initialize a deterministic random bit generator in order to generate random numbers and then is destroyed.

Seeding model

A seeding model can be used as an indication of software reliability (i.e., error detection power) of a set of test cases.

Seepage

The accidental flow to unauthorized individuals of data or information, access to which is presumed to be controlled by computer security safeguards.

Self-signed certificate

A public key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the data, but does not guarantee authenticity of the information. The trust of self-signed certificates is based on the secure procedures used to distribute them.

Sendmail attack

Involves sending thousands of e-mail messages in a single day to unwitting e-mail receivers. It takes a long time to read through the subject lines to find the desired e-mail, thus wasting the receiver’s valuable time. This is a form of spamming attack. Recent sendmail attacks fall into the categories of remote penetration, local penetration, and remote DoS.

Sensitive data

Data that require a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal or proprietary data). It includes both classified and sensitive unclassified data.

Sensitive label

A piece of information that represents the security level of an object. It is the basis for mandatory access control decisions. Compare with security label.

Sensitive levels

A graduated system of marking (e.g., low, moderate, and high) information and information processing systems based on threats and risks that result if a threat is successfully conducted.

Sensitive security parameter (SSP)

Sensitive security parameter (SSP) contains both critical security parameter (CSP) and public security parameter (PSP). In other words, SSP = CSP + PSP.

Sensitive system

A computer system that requires a degree of protection because it processes sensitive data or because of the risk and magnitude of loss or harm that could result from improper operation or deliberate manipulation of the application system.

Sensitivity analysis

Sensitivity analysis is based on a fault-failure model of software and on the premise that software testability can predict the probability that failure will occur when a fault exists given a particular input distribution. A sensitive location is one in which faults cannot hide during testing. The internal states are perturbed to determine sensitivity. This technique requires instrumentation of the code and produces a count of the total executions through an operation, an infection rate estimate, and a propagation analysis.