Browse — Entity Type · Framework
57 terms
| Term | Type | Definition | Classifications |
|---|---|---|---|
| Architecture | noun | Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives. | Framework |
| audit standard | noun | Rules prescribed for auditors by various national and international organizations such as the Auditing Practices Board (in the UK) and the Auditing Standards Board (in the US). | Framework, Regulated |
| Bank Secrecy Act | noun | The Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity. | Framework, Regulated |
| British Standard 7799 | noun | A standard code of practice that provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems. | Framework |
| Check 21 Act | noun | Formally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check), that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses. | Framework, Regulated, PCI |
| Common Attack Pattern Enumeration and Classification | noun | A catalogue of attack patterns, published by the MITRE Corporation, that serves as an abstraction mechanism for describing how an attack against vulnerable systems or networks is executed. | Framework, Public, PublicInfo |
| confidentiality, integrity, and availability | noun | A triad of security practices that: (1) prohibit an unauthorized entity from accessing, creating, modifying, disclosing or destroying information; and (2) require that information systems be operational when needed by authorized users. | Framework |
| cyber maturity model | noun | A mechanism for having cyber resilience controls, methods and processes assessed according to management best practice, against a clear set of external benchmarks. | Framework |
| cyber resilience framework | noun | Consists of the policies, procedures and controls an FMI has established to identify, protect, detect, respond to and recover from the plausible sources of cyber risk it faces. | Framework, Regulated |
| Cybersecurity Category | noun | The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Cybersecurity Categories include "Asset Management," "Identity Management and Access Control," and "Detection Processes." | Framework |
| Cybersecurity Framework Core | noun | A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References. | Framework, Public |
| Cybersecurity Framework Implementation Tier | noun | A lens through which to view the characteristics of an organization's approach to risk: how an organization views cybersecurity risk and the processes in place to manage that risk. | Framework, Internal |
| Cybersecurity Subcategory | noun | The subdivision of a Cybersecurity Category into specific outcomes of technical and/or management activities. Examples of Subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated." | Framework |
| Digital Signature Standard | noun | The US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography. | Framework, Regulated |
| Electronic Funds Transfer Act (EFTA) | noun | The Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account. | Framework, Regulated |
| Enterprise Architecture | noun | The description of an enterprise's entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture. | Framework |
| Extensible Configuration Checklist Description Format | noun | SCAP language for specifying checklists and reporting checklist results. | Framework, Internal |
| Federal Enterprise Architecture | noun | A business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based. | Framework, Internal |
| Federal Information Processing Standard | noun | A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability. | Framework, Regulated, CUI |
| Federal Information Security Management Act | noun | A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB. | Framework, Regulated |
| federal securities law | noun | Consists of a handful of laws passed between 1933 and 1940, as well as legislation enacted in 1970. The federal laws stem from Congress's power to regulate interstate commerce. Therefore the laws are generally limited to transactions involving transportation or communication using interstate commerce or the mail. | Framework, Regulated |
| FIPS PUB | noun | An acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce. | Framework, Regulated, CUI |
| Governance, Risk Management and Compliance | noun | A business term used to group the three closely related disciplines responsible for the protection of assets and operations. | Framework |
| Governance, Risk, and Compliance framework | noun | The overall structure of procedures for how an organization is controlled and directed, how it identifies and mitigates risk, and how it adheres to pertinent rules, standards, and regulations; it defines the scope, objectives, and activities regarding such procedures. | Framework, Internal |
| Graduated Security | noun | A security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics. | Framework |
| Gramm-Leach-Bliley Act (GLBA) | noun | The act, also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions. | Framework, Regulated, PII |
| IA Architecture | noun | A description of the structure and behavior for an enterprise's security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans. | Framework |
| Information Domain | noun | A three-part concept for information sharing, independent of, and across, information systems and security domains, that 1) identifies information sharing participants as individual members, 2) contains shared information objects, and 3) provides a security policy that identifies the roles and privileges of the members and the protections required for the information objects. | Framework |
| Information Security Architecture | noun | An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise's security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise's mission and strategic plans. | Framework |
| Internet Standard | noun | A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. | Framework, Public |
| IT architecture | noun | A subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications. | Framework |
| IT Security Architecture | noun | A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments. | Framework |
| leading standards, guidelines and practices | noun | Standards, guidelines and practices which reflect industry best approaches to managing cyber threats, and which incorporate what are generally regarded as the most effective cyber resilience solutions. | Framework |
| Open Checklist Interactive Language | noun | SCAP language for expressing security checks that cannot be evaluated without some human interaction or feedback. | Framework |
| Open Systems Interconnect | noun | A model for the design of a network. The open systems interconnect (OSI) model defines groups of functionality required to network computers into layers. Each layer implements a standard protocol to implement its functionality. There are seven layers in the OSI model. | Framework |
| Open Systems Interconnection | noun | OSI (Open Systems Interconnection) is a standard description or "reference model" for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementers so that their products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunication make an attempt to describe themselves in relation to the OSI model. It is also valuable as a single reference view of communication that furnishes everyone a common ground for education and discussion. | Framework |
| OSI layers | noun | The main idea in OSI is that the process of communication between two end points in a telecommunication network can be divided into layers, with each layer adding its own set of special, related functions. Each communicating user or program is at a computer equipped with these seven layers of function. So, in a given message between users, there will be a flow of data down through each layer in the sending computer and, when the message arrives at the other end, another flow of data up through the layers in the receiving computer and ultimately to the end user or program. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as your Web browser), TCP/IP or alternative transport and network protocols, and the software and hardware that enable you to put a signal on one of the lines attached to your computer. OSI divides telecommunication into seven layers, in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers (up to the network layer) are used when any message passes through the host computer or router. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host. The seven layers are: Layer 7 (application layer): the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified (this layer is not the application itself, although some applications may perform application layer functions). Layer 6 (presentation layer): a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text); sometimes called the syntax layer. Layer 5 (session layer): sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end; it deals with session and connection coordination. Layer 4 (transport layer): manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking; it ensures complete data transfer. Layer 3 (network layer): handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level); the network layer does routing and forwarding. Layer 2 (data-link layer): provides synchronization for the physical level and does bit-stuffing for strings of 1s in excess of 5; it furnishes transmission protocol knowledge and management. Layer 1 (physical layer): conveys the bit stream through the network at the electrical and mechanical level; it provides the hardware means of sending and receiving data on a carrier. | Framework |
| Performance Reference Model | noun | Framework for performance measurement providing common output measurements throughout the federal government. It allows agencies to better manage the business of government at a strategic level by providing a means for using an agency's EA to measure the success of information systems investments and their impact on strategic outcomes. | Framework, Internal |
| Protection Profile | noun | Common Criteria specification that represents an implementation-independent set of security requirements for a category of Targets of Evaluation (TOE) that meets specific consumer needs. | Framework, Internal |
| Risk Management Framework | noun | A structured approach used to oversee and manage risk for an enterprise. | Framework |
| Risk Model | noun | A key component of a risk assessment methodology (in addition to assessment approach and analysis approach) that defines key terms and assessable risk factors. | Framework |
| Secure Electronic Transaction | noun | A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet. | Framework, Regulated, PCI |
| Secure Hash Standard | noun | This Standard specifies secure hash algorithms (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) for computing a condensed representation of electronic data (message). When a message of any length less than 2^64 bits (for SHA-1, SHA-224 and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224 and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). The hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. | Framework, Public |
| Security architecture | noun | A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements. | Framework |
| Security Assertion Markup Language | noun | A framework for exchanging authentication and authorization information. Security typically involves checking the credentials presented by a party for authentication and authorization. SAML standardizes the representation of these credentials in an XML format called "assertions," enhancing the interoperability between disparate applications. | Framework |
| Security Content Automation Protocol | noun | A method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements. | Framework |
| Security Domain | noun | A collection of entities to which a single security policy, executed by a single authority, applies. | Framework |
| TSEC Nomenclature | noun | System for identifying the type and purpose of certain items of COMSEC material. | Framework, Restricted, CUI |
| Uniform Rating System For Information Technology | noun | An internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT. | Framework, Regulated |
| United States Government Configuration Baseline | noun | The United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security. | Framework, Regulated, CUI |