Browse — Entity Type · Process
626 terms
| Term | Part of speech | Type | Definition | Classifications |
|---|---|---|---|---|
| Access Management | noun | Process | Access Management is the maintenance of access information, which consists of four tasks: account administration, maintenance, monitoring, and revocation. | Regulated |
| access revocation program | noun | Process | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to revoke access privileges. | Regulated, CDI |
| Account-To-Account Payment (A2A) | noun | Process | Payment system that allows the consumer to direct the transfer of funds from one account to another account at a different financial institution. | Regulated, PCI |
| acquisition | noun | Process | The purpose of this function is to manage the act of contracting, assuming, or acquiring possession of something. | |
| Active Security Testing | noun | Process | Security testing that involves direct interaction with a target, such as sending packets to a target. | |
| Activities | noun | Process | An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic). | |
| activity | noun | Process | Activities are the major tasks performed by the organization to accomplish each of its functions. Activities are usually defined as part of processes or plans, and are documented in procedures. Several activities may be associated with each function. An activity is identified by the name it is given and its scope (or definition). The scope of the activity encompasses all of the transactions that take place in relation to it. Depending on the nature of the transactions involved, an activity may be performed in relation to one function, or it may be performed in relation to many functions. In cost accounting, an activity is the actual work task or step performed in producing and delivering products and services, or an aggregation of activities performed within an organization that is useful for purposes of activity-based costing. | |
| administrative responsibility | noun | Process | The day-to-day management of a system or process, including tasks like creating accounts, updating role assignments, tracking requests, and so forth. | |
| Algorithm | noun | Process | A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. | |
| Allocation | noun | Process | The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common. The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor). | |
| Alternate process | noun | Process | Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal. | Regulated |
| Alternate Site Test / Exercise | noun | Process | A business continuity testing activity that tests the capability of staff, systems, and facilities located at sites other than those generally designated for primary processing and business functions to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities. | Internal |
| Analysis | noun | Process | The examination of acquired data for its significance and probative value to the case. | |
| Analyze | noun | Process | To examine methodically, typically for purposes of explanation and interpretation. | |
| antivirus update process | noun | Process | A particular series of actions or steps to bring about an antivirus update. | |
| application development | noun | Process | The process of designing and building code to create a computer program (software) used for a particular type of job. | |
| assessment | noun | Process | The purpose of this task is to estimate or determine the nature, value, ability, or quality of someone or something. | |
| Assessment Method | noun | Process | One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment. | |
| Asset Identification | noun | Process | Security Content Automation Protocol (SCAP) constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets. | |
| assistance | noun | Process | The activity of contributing to the fulfillment of a need or furtherance of an effort or purpose. | |
| Asynchronous data replication | noun | Process | A process for copying data from one source to another while the application processing continues; an acknowledgement of the receipt of data at the copy location is not required for processing to continue. Consequently, the content of databases stored in alternate facilities may differ from those at the original storage site, and copies of data may not contain current information at the time of a disruption in processing, as a result of the time (in fractions of a second) required to transmit the data over a communications network to the alternate facility. This technology is typically used to transfer data over greater distances than is allowed with synchronous data replication. | |
| audit | noun | Process | Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. | |
| audit activity | noun | Process | Those activities and procedures through which information is obtained to verify conformance to regulatory or organizational requirements. | Regulated |
| audit cycle | noun | Process | The accounting process that auditors employ in the review of a company's financial information. The audit cycle includes the steps that an auditor will take to ensure that the company's financial information is valid and accurate before releasing any financial statements. | Regulated |
| Audit program | noun | Process | The audit policies, procedures, and strategies that govern the audit function, including Information Technology (IT) audit. | Internal |
| Audit Review | noun | Process | The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system. | Regulated, CUI |
| Auditing | noun | Process | Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities. | |
| Authentication Protocol | noun | Process | A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally demonstrates to the Claimant that he or she is communicating with the intended Verifier. | Regulated |
| Authorized Vendor Program | noun | Process | Program in which a vendor, producing an information systems security (INFOSEC) product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL). | Regulated |
| Automated Key Transport | noun | Process | The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols). | Regulated |
| Automatic Remote Rekeying | noun | Process | Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying. | Regulated, CUI |
| Back Office Conversion (BOC) | noun | Process | Under NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office. | Regulated, PCI |
| Back-up Generations | noun | Process | A tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications. | Regulated |
| Banner Grabbing | noun | Process | The process of capturing banner information, such as application type and version, that is transmitted by a remote port when a connection is initiated. | |
| Baselining | noun | Process | Monitoring resources to determine typical utilization patterns so that significant deviations can be detected. | |
| Basic Testing | noun | Process | A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing. | |
| Batch Processing | noun | Process | The transmission or processing of a group of related payment instructions. | Regulated, PCI |
| Binding | noun | Process | An acknowledgement by a trusted third party that associates an entity's identity with its public key. This may take place through (1) a certification authority's generation of a public key certificate, (2) a security officer's verification of an entity's credentials and placement of the entity's public key and identifier in a secure database, or (3) an analogous method. | Regulated |
| Blacklisting | noun | Process | The process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources. | Regulated |
| Browsing | noun | Process | Act of searching through information system storage or active content to locate or acquire information, without necessarily knowing the existence or format of the information being sought. | |
| budget process | noun | Process | The process by which an organization or individual creates and manages a financial plan. Within a larger business, the budget process is typically performed by managers who often obtain projected spending requirements and suggestions from their staff. | |
| business activity | noun | Process | The functions, processes, actions, and transactions of an organization and its employees. | |
| business continuity | noun | Process | The providing of critical business functions to customers, suppliers, regulators, and other entities at acceptable predefined levels after incidents and business interruptions. | Regulated |
| Business Continuity Plan | noun | Process | The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business functions will be sustained during and after a significant disruption. | Internal |
| Business Continuity planning | noun | Process | The act of creating processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster. | Regulated |
| business continuity program | noun | Process | A documented approach undertaken by an organization to implement business continuity. | Internal |
| Business Continuity Strategy | noun | Process | Comprehensive strategies to recover, resume, and maintain all critical business functions. | Internal |
| business continuity testing | noun | Process | The act of performing a test to evaluate the effectiveness of an organization's business continuity plan. | |
| business function | noun | Process | An activity that is integral to operations or supporting operations within the entity, e.g. sales, marketing, manufacturing, accounting, etc. | |
| Business Impact Analysis | noun | Process | An analysis of an enterprise's requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption. | Internal |
| Business Impact Analysis (BIA) | noun | Process | The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes. | Internal |
| Business impact analysis/assessment | noun | Process | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. Scope Note: This process also includes addressing income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence. | Restricted |
| business operation | noun | Process | The day-to-day execution, monitoring and management of business processes. | |
| business process | noun | Process | A collection of linked activities that takes one or more kinds of input and creates an output that is of value to an FMI's stakeholders. A business process may comprise several assets, including information, ICT resources, personnel, logistics and organisational structure, which contribute either directly or indirectly to the added value of the service. | |
| business resumption testing | noun | Process | A form of testing designed to determine the effectiveness of an organization's in-place strategy for full recovery of business functions following a disaster or disruption. | Internal |
| business strategy | noun | Process | A term used in business planning that implies a careful selection and application of resources to obtain a competitive advantage in anticipation of future events or trends. | IP |
| Call Back | noun | Process | Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact. | Regulated |
| Capacity Testing | noun | Process | Activities structured to determine whether resources (human and IT) can support required processing volumes in recovery environments. | |
| catalog | noun | Process | The process of providing such access, plus additional work to prepare the materials for use, such as labeling, marking, and maintenance of authority files. | |
| Certification | noun | Process | A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. | Regulated |
| Certification Test and Evaluation | noun | Process | Software and hardware security tests conducted during development of an information system. | Regulated |
| Chain of custody | noun | Process | A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer. | Regulated |
| Chain of Evidence | noun | Process | A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The "sequencing" of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner. | Regulated, CUI |
| Change management | noun | Process | The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation. | |
| change management process | noun | Process | Activities performed while following the change management procedures. | |
| Check Clearing | noun | Process | The movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts. | Regulated |
| Check Truncation | noun | Process | The practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer. | Regulated, PCI |
| Checklist Review | noun | Process | A preliminary procedure to testing that employs information checklists to guide staff activities. For example, checklists can be used to verify staff procedures, hardware and software configurations, or alternate communication mechanisms. | |
| classification | noun | Process | The act of distributing things into classes or categories of the same type. | |
| Clearing | noun | Process | Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods. | Regulated, CUI |
| Collection Operation | noun | Process | In the NICE Workforce Framework, cybersecurity work where a person executes collection using appropriate strategies and within the priorities established through the collection management process. | |
| Commercial COMSEC Evaluation Program | noun | Process | Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices. | Regulated, CUI |
| Compliance | noun | Process | The state of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements. | |
| compliance plan | noun | Process | A compliance plan is a system of checks and balances through which a reasonable effort is made to identify potential non-compliance issues regarding applicable laws and regulations, and to eliminate or mitigate those issues. | Internal |
| compliance program | noun | Process | Compliance programs aim to prevent, and where necessary identify and respond to, breaches of laws, regulations, codes or organizational standards occurring in the organization, and to promote a culture of compliance within the organization. | Internal |
| Component Test/Exercise | noun | Process | A testing activity designed to validate the continuity of individual systems, processes, or functions in isolation. For example, component tests may focus on recovering specific network devices, application restoration procedures, off-site tape storage, or proving the validity of data for a particular business line. | |
| Comprehensive Testing | noun | Process | A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing. | |
| Computer forensics | noun | Process | The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. | Regulated |
| computer operation | noun | Process | The function responsible for operating the computer and peripheral equipment, including providing the tape, disk, or paper resources as requested by the application systems. | |
| COMSEC Account Audit | noun | Process | Examination of the holdings, records, and procedures of a COMSEC account to ensure all accountable COMSEC material is properly handled and safeguarded. | Regulated, CUI |
| COMSEC Demilitarization | noun | Process | Process of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk. | Regulated, CUI |
| COMSEC Monitoring | noun | Process | Act of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security. | Regulated, CUI |
| COMSEC Training | noun | Process | Teaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment. | Regulated, CUI |
| configuration change control process | noun | Process | An action that is taken or performed to systematically manage all changes made to an asset's arrangement, system configuration, or security configuration in order to prevent unnecessary disruptions and vulnerabilities, and to mitigate threats. Its purpose is to ensure that all changes to a complex system are performed with the knowledge and consent of management. | Regulated |
| configuration change management | noun | Process | A process for managing configuration changes and variances in configurations. | Regulated |
| Configuration Control | noun | Process | Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation. | Regulated |
| Configuration management | noun | Process | The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system. | |
| configure a system | noun | Process | The setting of various switches and jumpers for hardware and the defining of values of parameters for software. Each parameter specifies a preferred or required setting or policy for a computer system, or a configuration control such as a particular registry key, file, or GPO setting. Every parameter includes descriptive elements in a human-understandable manner. | |
| confirm | noun | Process | Establish the truth or correctness of something previously believed to be the case. | |
| Connectivity Testing | noun | Process | A testing activity designed to validate the continuity of network communications. | |
| Containment | noun | Process | Actions taken to limit exposure after an incident has been identified and confirmed. | |
| Contingency Planning | noun | Process | The purpose of this task is to support the required actions for planning, responding to, and mitigating damaging events. | Regulated |
| Continuity of Government | noun | Process | A coordinated effort within the federal government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency. | Restricted, CUI |
| Continuity of Operations Plan | noun | Process | Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. Defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan. | Restricted |
| continuity plan | noun | Process | A step-by-step outline of management procedures designed to maintain and restore business operations in the event of an emergency or system failure. | Internal |
| Continuous Monitoring | noun | Process | The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) the development of a strategy to regularly evaluate selected IA controls/metrics, 2) recording and evaluating IA-relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IA controls, or changes that affect IA risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise. | Regulated, CUI |
| Control self-assessment | noun | Process | A technique used to internally assess the effectiveness of risk management and control processes. | |
| Conversion plan | noun | Process | A plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services. | Regulated |
| Cooperative Key Generation | noun | Process | Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct a traffic encryption key or key encryption key for use on that circuit. See Per-Call Key. | Restricted |
| Cost Benefit Analysis | noun | Process | A cost benefit analysis compares the cost of implementing countermeasures with the value of the reduced risk. | |
| Covert Channel Analysis | noun | Process | Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information. | Restricted, CUI |
| Covert Testing | noun | Process | Testing performed using covert methods and without the knowledge of the organization's IT staff, but with the full knowledge and permission of upper management. | Internal |
| criminal records check | noun | Process | The purpose of this task is to determine if a person has been convicted of a crime. | Regulated, PII |
| Crisis management | noun | Process | The process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management. | |
| Crisis Management Test/Exercise | noun | Process | A testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated. | Internal |
| critical business process | noun | Process | A business process that must be restored immediately after a disruption to ensure the affected firm's ability to protect its assets, meet its critical needs, and satisfy mandatory regulations and requirements. | Regulated |
| critical operations | noun | Process | Any activity, function, process, or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system. | Regulated |
| Critical Path | noun | Process | The critical path represents the business processes or systems that must receive the highest priority during the recovery phase. | Regulated |
| Criticality analysis | noun | Process | An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available. | |
| Cron | noun | Process | Cron is a Unix application that runs jobs for users and administrators at scheduled times of the day. | |
| Cross-Market Tests | noun | Process | Cross-market tests, also called market-wide tests or "street tests", are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | Internal |
| Cryptographic Initialization | noun | Process | Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode. | |
| Cryptographic Synchronization | noun | Process | Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic. | Regulated |
| Cryptographic System Analysis | noun | Process | Process of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study. | Regulated, CUI |
| Cryptographic System Evaluation | noun | Process | Process of determining vulnerabilities of a cryptographic system and recommending countermeasures. | Regulated |
| Cryptographic System Review | noun | Process | Examination of a cryptographic system by the controlling authority to ensure its adequacy of design and content, continued need, and proper distribution. | Regulated, CUI |
| Cryptographic System Survey | noun | Process | Management technique in which actual holders of a cryptographic system express opinions on the system's suitability and provide usage information for technical evaluations. | Internal |
| cyber exercise | noun | Process | A planned event during which an organization simulates a cyber disruption to develop or test capabilities such as preventing, detecting, mitigating, responding to or recovering from the disruption. | |
| cyber governance | noun | Process | Arrangements an organisation puts in place to establish, implement and review its approach to managing cyber risks. | |
| cyber incident response plan | noun | Process | The series of actions and processes associated with a security event associated with 'cyberspace' (i.e. the Internet, corporate networks, etc.). | Regulated |
| cyber incident response roles and responsibilities | noun | Process | The functions and duties of personnel who are responsible for triaging and resolving cybersecurity events that disrupt operations, and for alerting interested personnel and affected parties in conformance with pertinent standards. | Regulated |
| Cyber Operations Planning | noun | Process | In the NICE Workforce Framework, cybersecurity work where a person performs in-depth joint targeting and cyber planning processes; gathers information and develops detailed Operational Plans and Orders supporting requirements; and conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations. | Restricted, CUI |
| cyber resilience strategy | noun | Process | An FMI's high-level principles and medium-term plans to achieve its objective of managing cyber risks. | Internal |
| cyber risk management | noun | Process | The process used by an FMI to establish an enterprise-wide framework to manage the likelihood of a cyber attack and develop strategies to mitigate, respond to, learn from and coordinate its response to the impact of a cyber attack. The management of an FMI's cyber risk should support the business processes and be integrated in the FMI's overall risk management framework. | Regulated |
| cyber supply chain risk assessment process | noun | Process | The foundational task in the cyber supply chain risk assessment process; cyber supply chain risk assessments are aimed at identifying and assessing applicable risk of information and operational technology (IT/OT) outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices. | Regulated |
| Cyber Supply Chain Risk Management Plan | noun | Process | A plan that includes confidentiality, integrity, and availability controls for mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction), as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage. | Internal |
| cyber supply chain risk management process | noun | Process | A detailed description of the steps necessary to mitigate the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction), as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage. | Regulated |
| cyber system recovery plan | noun | Process | A step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred. | Regulated, CUI |
| cyber threat response strategy | noun | Process | A plan of action designed to achieve a long-term or overall aim regarding how to resolve cyber incidents. | Internal |
| cybersecurity incident response | noun | Process | The process of managing and resolving cybersecurity events that disrupt the organization's operations and restoring services. | Regulated |
| cybersecurity program | noun | Process | An integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise. | Regulated |
| cybersecurity risk management | noun | Process | The process of identifying risks and vulnerabilities and applying administrative actions and comprehensive solutions to ensure that the organization is adequately protected. | |
| cybersecurity training | noun | Process | Activities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the organization's and users' assets. | Internal |
| data aggregation | noun | Process | Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary. | Regulated, CUI |
| data classification | noun | Process | The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization. | |
Data classification programnounA program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability; establishes controls required based on value and level of sensitivity.ProcessInternal
data flownounThe path of data from input to output, which includes the traveling of data through the communication lines, routers, switches and firewalls as well as processing through various applications on servers that process the data from user input to storage in the organizations central database.Process
data governancenounA set of processes that ensures that important data assets are formally managed throughout the enterprise.Process
Data loss prevention (DLP) programnounA comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.ProcessRegulated
data miningnounThe process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.Process
Data mirroringnounA back-up process that involves writing the same data to two physical disks or servers simultaneously.Process
data preparationnounA process by which cardholder data is managed and processed by the vendor for subsequent use in the personalization process.Process
data recoverynounThe purpose of this task is to restore data that has been damaged, lost, or corrupted.Process
Data replicationnounThe process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.Process
Data synchronizationnounThe comparison and reconciliation of interdependent data files at the same time so that they contain the same information.Process
DecapsulationnounDecapsulation is the process of stripping off one layer's headers and passing the rest of the packet up to the next higher layer on the protocol stack.Process
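As an added illustration of the layer-by-layer stripping the Decapsulation entry describes (example code written for this page, not taken from the glossary or any source it cites): a constructed Ethernet II / IPv4 / UDP frame is built with struct, then each function removes exactly one header, validates that layer's own length fields against the bytes actually present, and hands the remainder up. The MAC and IP addresses, ports and trailing padding are arbitrary assumptions of the example.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, trailer: bytes = b"\x00" * 6) -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame for the example (not a capture).
    Addresses and ports are arbitrary; `trailer` imitates link-layer padding."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload  # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp + trailer


def decap_ethernet(frame: bytes):
    """Layer 2: strip the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": frame[:6].hex(), "src": frame[6:12].hex(), "ethertype": ethertype}, frame[14:]


def decap_ipv4(packet: bytes):
    """Layer 3: strip the IPv4 header, honouring IHL and Total Length."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or ihl > len(packet) or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
           "protocol": packet[9], "ttl": packet[8]}
    return hdr, packet[ihl:total_len]  # Total Length also drops any link-layer padding


def decap_udp(segment: bytes):
    """Layer 4: strip the 8-byte UDP header, honouring the UDP Length field."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("inconsistent UDP length")
    return {"sport": sport, "dport": dport, "checksum": checksum}, segment[8:length]


def decapsulate(frame: bytes):
    """Strip one header per layer and hand the remainder up the stack."""
    layers = {}
    layers["ethernet"], rest = decap_ethernet(frame)
    if layers["ethernet"]["ethertype"] != 0x0800:
        raise ValueError("example handles IPv4 only")
    layers["ipv4"], rest = decap_ipv4(rest)
    if layers["ipv4"]["protocol"] != 17:
        raise ValueError("example handles UDP only")
    layers["udp"], payload = decap_udp(rest)
    return layers, payload


if __name__ == "__main__":
    layers, payload = decapsulate(build_frame(b"query"))
    print(layers, payload)
```

The security-relevant part is the checks rather than the slicing: each layer's declared length is compared with the bytes actually present, and the IPv4 Total Length is used to discard link-layer padding, so a crafted frame cannot get a lower layer's trailer parsed as upper-layer payload or walk a truncated header off the end of the buffer.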
Decentralization (noun): The process of distributing computer processing to different locations within an enterprise. [Process]
decision-making (noun): The action or process of reaching important conclusions or resolutions after consideration; the action or process of making important decisions. [Process]
Decryption (noun): The process of changing ciphertext into plaintext using a cryptographic algorithm and key. [Process]
Degauss (noun): Procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing. [Process · Regulated · CUI]
Delegated Development Program (noun): INFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency. [Process · Regulated · CUI]
dependency (noun): A relationship between processes or activities that directly or indirectly relies upon another process or activity to occur, begin, or finish. [Process]
deployment (noun): The purpose of this task is to bring new software or hardware up and running properly in its environment. [Process]
destruction (noun): The purpose of this task is to remove an asset from existence and to ensure that media cannot be reused as originally intended and that information is virtually impossible or prohibitively expensive to recover. [Process · Regulated]
destruction of data (noun): The complete physical destruction of data or of the data carrier containing them. [Process · Regulated]
detective activity (noun): An activity designed to identify undesirable events that do occur and alert management about what has happened. This enables management to take corrective action promptly. [Process]
device management (noun): Managing the implementation, operation, and maintenance of a physical and/or virtual device. This includes the use of various administrative tools and processes for the maintenance and upkeep of a computing, network, mobile and/or virtual device. [Process · Regulated]
Digital forensics (noun): The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. [Process · Regulated]
Direct data feed (noun): A process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage. [Process]
Direct presentment (noun): Depositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed) or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service. [Process · Regulated]
Direct Shipment (noun): Shipment of COMSEC material directly from NSA to user COMSEC accounts. [Process · Regulated · CUI]
Disaster recovery plan (noun): Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. See Continuity of Operations Plan and Contingency Plan. [Process · Internal]
Disk Imaging (noun): Generating a bit-for-bit copy of the original media, including free space and slack space. [Process · Regulated]
Disk shadowing (noun): A back-up process that involves writing images to two physical disks or servers simultaneously. [Process]
disposal (noun): The purpose of this task is to address the final disposition of regulated data by discarding media with no other sanitization considerations or transferring records to their final state: either destruction or transfer to an archive. [Process · Regulated · CUI]
Drop Accountability (noun): Procedure under which a COMSEC account custodian initially receipts for COMSEC material and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code. [Process · Regulated · CUI]
due diligence (noun): The purpose of this task is to take reasonable action in order to comply with a law or industry standard. [Process · Regulated]
Due diligence for service provider selection (noun): Technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients. [Process · Internal]
due diligence process (noun): The series of actions an organization takes to implement the steps needed to ensure that it respects human rights and does not contribute to conflict. [Process · Regulated]
E-commerce (noun): The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT). [Process]
education (noun): The process of receiving or giving systematic instruction, especially at a school or university. [Process]
Education and Training (noun): In the NICE Workforce Framework, cybersecurity work where a person: conducts training of personnel within the pertinent subject domain; develops, plans, coordinates, delivers, and/or evaluates training courses, methods, and techniques as appropriate. [Process]
Electronic Authentication (noun): The process of establishing confidence in user identities electronically presented to an information system. [Process]
Electronic check conversion (noun): The process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account, an electronic fund transfer. The check itself is not the method of payment. [Process · Regulated · PII]
Electronic check presentment (ECP) (noun): Check truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used. [Process · Regulated · PCI]
Electronic commerce (E-Commerce) (noun): A broad term encompassing the remote procurement and payment by businesses or consumers of goods and services through electronic systems such as the Internet. [Process]
Electronic data capture (EDC) (noun): Process used for capturing and transferring the encoded information on the magnetic stripe of a bankcard or debit card at the point of sale to the processor's database. [Process · Regulated · PCI]
electronic funds transfer (noun): The use of telecommunications networks to transfer funds from one financial institution, such as a bank, to another, or to withdraw funds from one's own account to deposit in a creditor's. [Process · Regulated · PCI]
Electronic funds transfer (EFT) (noun): A generic term describing any transfer of funds between parties or depository institutions through electronic data systems. [Process · Regulated · PCI]
Electronic Key Entry (noun): The entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator entering the key may have no knowledge of the value of the key being entered.) [Process · Regulated · CUI]
Electronic vaulting (noun): A back-up procedure that copies changed files and transmits them to an off-site location using a batch process. [Process · Regulated]
Emergency plan (noun): The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc. [Process · Internal]
End-Item Accounting (noun): Accounting for all the accountable components of a COMSEC equipment configuration by a single short title. [Process · Regulated · CUI]
End-to-end process flow (noun): Document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics. [Process]
enterprise risk management (noun): The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, and the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; it also assesses enterprise performance against threats and adjusts countermeasures as necessary. [Process]
Eradication (noun): When containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network. Scope Note: Eradication methods include restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause. [Process]
Erasure (noun): Process intended to render magnetically stored information irretrievable by normal means. [Process]
evaluation (noun): Act of ascertaining or making a judgment about the amount, number, value, or worth of something. [Process]
Examination (noun): A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data. [Process]
Examine (noun): A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time. [Process]
Exploitation Analysis (noun): In the NICE Workforce Framework, cybersecurity work where a person: analyzes collected information to identify vulnerabilities and potential for exploitation. [Process]
External Security Testing (noun): Security testing conducted from outside the organization's security perimeter. [Process]
Flaw Hypothesis Methodology (noun): System analysis and penetration technique in which the specification and documentation for an information system are analyzed to produce a list of hypothetical flaws. This list is prioritized on the basis of the estimated probability that a flaw exists, the ease of exploiting it, and the extent of control or compromise it would provide. The prioritized list is used to perform penetration testing of a system. [Process]
Focused Testing (noun): A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing. [Process]
Forensic examination (noun): The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise. [Process · Regulated]
forensic investigation (noun): The application of investigative and analytical techniques to gather and preserve evidence from a digital device impacted by a cyber attack. [Process · Regulated]
forensics (noun): The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. [Process · Regulated]
Formal Development Methodology (noun): Software development strategy that proves security design specifications. [Process]
Fragmentation (noun): The process of storing a data file in several "chunks" or fragments rather than in a single contiguous sequence of bits in one place on the storage medium. [Process]
Full Maintenance (noun): Complete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See Limited Maintenance. [Process · Restricted · CUI]
Full-interruption/full-scale test (IT and Staff) (noun): A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored the systems and applications needed for the staff to perform production activities. [Process · Regulated]
Functional drill/parallel test (noun): This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP. [Process · Internal]
Functional Testing (noun): Segment of security testing in which the advertised security mechanisms of an information system are tested under operational conditions. [Process]
Functionality testing (noun): A test designed to validate that a business process or activity accomplishes the expected results. [Process]
Fuzzing (noun): The use of automated testing tools to generate out-of-spec (malformed or unexpected) input for an application in order to find security vulnerabilities. Also see "regression testing". [Process]
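An added example, not from the glossary or any standard it cites, of what the Fuzzing entry means by out-of-spec input: a small tag-length-value parser with a bounds bug planted for the demonstration, a mutation fuzzer driven by a fixed random seed so runs are reproducible, and the corrected parser beside it. The TLV format, the seed corpus and the mutation operators are all assumptions of the example.

```python
import random


def parse_tlv(data: bytes) -> list:
    """Target under test: a small tag-length-value parser.
    It contains a bug planted for this example: a tag-0x10 record whose length
    field is 0 leaves `value` empty, and `value[0]` then raises IndexError."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")       # documented rejection
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")        # documented rejection
        if tag == 0x10:                                # "counted string" record
            count = value[0]                           # BUG: value may be empty
            records.append(("string", value[1:1 + count]))
        else:
            records.append(("raw", value))
        i += 2 + length
    return records


def parse_tlv_fixed(data: bytes) -> list:
    """The same parser with the bound check the fuzzer shows is missing."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        if tag == 0x10:
            if not value:
                raise ValueError("counted string needs a count byte")
            records.append(("string", value[1:1 + value[0]]))
        else:
            records.append(("raw", value))
        i += 2 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random edits: bit flip, interesting-byte overwrite, delete, insert."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "set", "delete", "insert"))
        if op == "flip" and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "set" and data:
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
        elif op == "delete" and len(data) > 1:
            del data[rng.randrange(len(data))]
        elif op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
    return bytes(data)


def fuzz(target, seeds, iterations: int, rng_seed: int = 1) -> dict:
    """Mutation fuzzer. ValueError is the parser's documented rejection and is not
    a finding; any other exception is recorded, keyed by type and message, with
    the first input that triggered it (a minimal crash corpus)."""
    rng = random.Random(rng_seed)  # fixed seed: the run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


# Constructed seed corpus: one well-formed counted-string record and one raw record.
SEEDS = [b"\x10\x03\x02ab", b"\x01\x02hi"]

if __name__ == "__main__":
    for key, case in fuzz(parse_tlv, SEEDS, 2000).items():
        print(key, case)
    print("fixed parser:", fuzz(parse_tlv_fixed, SEEDS, 2000))
```

The important design decision is what counts as a finding: the parser's own rejection (ValueError) is the expected response to bad input, so only exceptions the parser did not intend to raise are kept. Against the fixed parser the same seed and iteration count produce an empty crash corpus, which is the regression check a practitioner keeps after the fix.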
Gap analysis (noun): A comparison that identifies the difference between actual and desired outcomes. [Process]
gethostbyaddr (noun): A DNS query (reverse lookup) issued when the address of a machine is known and its name is needed. [Process]
gethostbyname (noun): A DNS query (forward lookup) issued when the name of a machine is known and its address is needed. [Process]
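Added example covering both the gethostbyaddr and gethostbyname entries (code written for this page, not the glossary's): it derives the PTR owner name that a reverse lookup actually queries, for IPv4 and IPv6, and runs forward and reverse lookups against a constructed zone table so it works offline. The lookup_name and lookup_addr helpers, the zone contents and the documentation addresses in 192.0.2.0/24 and 2001:db8::/32 are assumptions of the example, not real hosts.

```python
import ipaddress


def ptr_name(address: str) -> str:
    """Owner name a resolver queries for a PTR record (what gethostbyaddr asks for).
    IPv4: octets reversed under in-addr.arpa; IPv6: nibbles reversed under ip6.arpa."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed zone data for the example; no network access is made.
# The 192.0.2.99 PTR record is the interesting one: it claims to be
# mail.example.test, but the forward zone for that name never returns 192.0.2.99.
FORWARD_ZONE = {
    "mail.example.test": ["192.0.2.10"],
    "web.example.test": ["192.0.2.20", "2001:db8::20"],
}
REVERSE_ZONE = {
    ptr_name("192.0.2.10"): "mail.example.test",
    ptr_name("192.0.2.20"): "web.example.test",
    ptr_name("2001:db8::20"): "web.example.test",
    ptr_name("192.0.2.99"): "mail.example.test",
}


def lookup_name(name: str) -> list:
    """gethostbyname-style forward lookup: name -> addresses (A/AAAA)."""
    key = name.rstrip(".").lower()
    if key not in FORWARD_ZONE:
        raise LookupError("NXDOMAIN: " + name)
    return list(FORWARD_ZONE[key])


def lookup_addr(address: str) -> str:
    """gethostbyaddr-style reverse lookup: address -> PTR target name."""
    key = ptr_name(address)
    if key not in REVERSE_ZONE:
        raise LookupError("no PTR for " + address)
    return REVERSE_ZONE[key]


def forward_confirmed(address: str) -> bool:
    """Forward-confirmed reverse DNS: accept the PTR name only if resolving it
    forward yields the original address. Whoever controls the reverse zone
    controls the PTR text, so a bare gethostbyaddr result is attacker-influenced."""
    try:
        name = lookup_addr(address)
        addrs = lookup_name(name)
    except LookupError:
        return False
    target = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(a) == target for a in addrs)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.99", "2001:db8::20"):
        print(addr, ptr_name(addr), lookup_addr(addr), forward_confirmed(addr))
```

The check a practitioner wants is forward_confirmed: anything that makes an access or logging decision on the name returned by a reverse lookup should resolve that name forward and require the original address to come back, otherwise the PTR text is just a string chosen by whoever administers the reverse zone.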
Grandfather-father-son (noun): Retaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." [Process · Internal]
grant access to the system (noun): The purpose of this task is to permit a user to logically or physically gain entry to a computer and/or network. [Process · Regulated]
Handshaking Procedures (noun): Dialogue between two information systems for synchronizing, identifying, and authenticating themselves to one another. [Process]
Hardening (noun): Configuring a host's operating system and applications to reduce the host's security weaknesses. [Process]
Hashing (noun): The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. [Process]
Hot Wash (noun): A debrief conducted immediately after an exercise or test with the staff and participants. [Process]
human resources process (noun): The steps necessary to support the general management of the organizational workforce, including staffing, employee compensation and benefits, and defining/designing work. [Process]
Identification (noun): An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others. [Process]
identify and document (noun): Establish, indicate, or verify who or what someone or something is and record that in detail through photography, writing, or another form. [Process]
Identity Binding (noun): Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority. [Process · Regulated · PII]
Identity Proofing (noun): The process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. [Process · Regulated · PII]
Identity Registration (noun): The process of making a person's identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person's relevant attributes into the system. [Process · Regulated · PII]
Identity Verification (noun): The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed. [Process · Regulated · CUI]
Image capture (Check 21) (noun): The process of digitizing both sides of physical items and their associated MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days. [Process · Regulated · PII]
Image exchange (Check 21) (noun): Exchange of some or all of the digitized images of a check. [Process · Regulated · PCI]
Imaging (noun): A process that allows one to obtain a bit-for-bit copy of data to avoid damage to the original data or information when multiple analyses may be performed. Scope Note: The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector. [Process]
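An added example (written for this page, not taken from any forensic tool or standard) that ties the Disk Imaging, Hashing and Imaging entries together: a constructed 16-sector device held in memory stands in for the block device, it is copied byte for byte including unallocated sectors, both sides are hashed independently to verify the copy, and printable strings are carved from the image to show the deleted residue that a filesystem listing would not expose. The sector size, the device contents and the io.BytesIO stand-in for a write-blocked device are assumptions of the example.

```python
import hashlib
import io
import re

SECTOR = 512


def _write(disk: bytearray, offset: int, data: bytes) -> None:
    disk[offset:offset + len(data)] = data  # exact-length slice: no resizing


def build_device() -> bytes:
    """Constructed 16-sector 'drive' for the example (not a real image).
    Sectors 0-1 hold a live file; sector 6 holds residue of a deleted record
    that no filesystem listing would show; everything else is zero-filled."""
    disk = bytearray(16 * SECTOR)
    _write(disk, 0, b"LIVE-FILE: quarterly report, version 3\n")
    _write(disk, 6 * SECTOR, b"deleted-record: api_token=EXAMPLE-NOT-A-REAL-TOKEN")
    return bytes(disk)


def hash_stream(stream, chunk_size: int = 4096) -> dict:
    """Hash a seekable stream in chunks, keeping two digests as is common practice."""
    stream.seek(0)
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha256.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def image_device(source, image, chunk_size: int = 4096) -> dict:
    """Bit-for-bit copy of `source` into `image`, hashing bytes as they are read.
    Nothing is interpreted: free space and slack are copied with allocated data."""
    source.seek(0)
    image.seek(0)
    sha256, copied = hashlib.sha256(), 0
    for block in iter(lambda: source.read(chunk_size), b""):
        image.write(block)
        sha256.update(block)
        copied += len(block)
    image.truncate(copied)
    return {"size": copied, "sha256": sha256.hexdigest()}


def verify_image(source, image) -> bool:
    """Re-hash both sides independently; sizes and digests must match exactly."""
    return hash_stream(source) == hash_stream(image)


def carve_strings(image, min_len: int = 12) -> list:
    """Recover printable runs from anywhere on the image, unallocated space included."""
    image.seek(0)
    data = image.read()
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def run_example() -> dict:
    """Image the constructed device, verify, carve, then show that a one-byte
    change in the image is caught by verification."""
    device = io.BytesIO(build_device())
    image = io.BytesIO()
    info = image_device(device, image)
    result = {"info": info, "verified": verify_image(device, image),
              "carved": carve_strings(image)}
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(7 * SECTOR)
    tampered.write(b"\x01")  # one byte in an otherwise zero sector
    result["tampered_verified"] = verify_image(device, tampered)
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Analysis, including the string carving, is done on the image rather than on the source; the digests recorded at acquisition and re-checked afterwards are what let the examiner show the copy is unchanged, and the single-byte tamper in run_example shows how little it takes to break that match.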
Impact analysis (noun): A study to prioritize the criticality of information resources for the enterprise based on the costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and the recovery time frames. This analysis is the basis for establishing the recovery strategy. [Process]
incident containment process (noun): An established or official method for implementing the incident containment policy, or for performing the tasks, processes, or operations that limit and prevent further damage after an incident occurs while ensuring that no forensic evidence that may be needed for future legal action is destroyed. The method must be executed in the same manner each time in order to obtain the same results in the same circumstances. [Process · Regulated]
incident detection (noun): The process of identifying that an intrusion has been attempted, is occurring, or has occurred. [Process · Internal]
Incident Handling (noun): The mitigation of violations of security policies and recommended practices. [Process]
incident management (noun): The management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences to information or information systems. [Process]
incident management (noun): The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible. [Process]
incident management process (noun): An activity undertaken to direct personnel and resources to respond to an incident. [Process]
incident monitoring process (noun): An established or official method for implementing the incident monitoring policy, or for performing the tasks, processes, or operations that monitor for incidents. The method must be executed in the same manner each time in order to obtain the same results in the same circumstances. [Process · Internal]
incident monitoring program (noun): The documented activities, policies, and procedures within an organization for organizing and directing all activities undertaken to review, track, evaluate, and report on the status of incidents. [Process · Regulated]
incident reporting (noun): The purpose of this task is to use hotlines and emergency contacts to alert the appropriate individuals to the occurrence of a security event. [Process · Regulated]
incident response (noun): The purpose of this task is to address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. [Process]
incident response activity (noun): Any task performed by an organization in reaction to an incident. [Process · Regulated]
incident response notification process (noun): A series of steps undertaken to detect, triage, and resolve events that disrupt operations and to alert applicable personnel and clients in conformance with pertinent standards. [Process · Regulated]
Incident response plan (noun): The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information system(s). [Process · Restricted]
incident response process (noun): An established or official method for implementing the incident response policy, or for performing the tasks, processes, or operations that address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. The method must be executed in the same manner each time in order to obtain the same results in the same circumstances. [Process]
incident response program (noun): A documented approach for organizing and directing all activities undertaken to handle known security breaches or attacks in such a way as to limit damage and reduce the organization's recovery time and costs. [Process · Regulated]
incident response roles and responsibilities (noun): The positions and the collection of tasks, duties and obligations that participants undertake to perform the daily and all special tasks associated with managing the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. [Process]
Incremental Backups (noun): Incremental backups only back up the files that have been modified since the last backup. If dump levels are used, an incremental backup only backs up files changed since the last backup of a lower dump level. [Process]
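An added example, not from the glossary or from dump(8) itself, that works through the dump-level rule in the Incremental Backups entry and the rotation described under Grandfather-father-son: given file modification times and a backup history, it selects what a level-N backup must contain, computes the chain of backups needed for a restore, and labels days in the rotation. The one-week history, the file set and the choice of Sunday for the weekly full are assumptions of the example.

```python
import calendar
from datetime import datetime, timedelta


def select_for_level(files: dict, history: list, level: int) -> list:
    """dump(8) semantics: a level-N backup includes every file modified since the
    most recent backup whose level is lower than N. Level 0 is a full backup, and
    so is any incremental for which no lower-level baseline exists yet.
    `files` maps path -> mtime; `history` is a list of (when, level) tuples."""
    baselines = [when for when, lvl in history if lvl < level]
    if level == 0 or not baselines:
        return sorted(files)
    since = max(baselines)
    return sorted(path for path, mtime in files.items() if mtime > since)


def restore_chain(history: list) -> list:
    """Backups needed to restore to the newest one, oldest first: start at the
    latest backup and repeatedly step back to the most recent earlier backup of a
    strictly lower level until a level 0 is reached. Backups of equal or higher
    level in between are superseded and never needed."""
    if not history:
        return []
    ordered = sorted(history)
    chain = [ordered[-1]]
    while chain[-1][1] > 0:
        earlier = [b for b in ordered if b[0] < chain[-1][0] and b[1] < chain[-1][1]]
        if not earlier:
            break  # no lower baseline existed, so that backup was effectively full
        chain.append(max(earlier))
    return list(reversed(chain))


def gfs_label(day: datetime) -> str:
    """Grandfather-father-son rotation: month-end full ('grandfather'), weekly
    full on Sunday ('father'), otherwise daily incremental ('son'). Using Sunday
    for the weekly full is an assumption of this example."""
    last_day = calendar.monthrange(day.year, day.month)[1]
    if day.day == last_day:
        return "grandfather"
    if day.weekday() == 6:
        return "father"
    return "son"


# Constructed example data: one week of backups taken at midnight, and three files.
D = datetime(2024, 1, 28)  # a Sunday: the level 0 full
HISTORY = [(D, 0), (D + timedelta(days=1), 1), (D + timedelta(days=2), 2),
           (D + timedelta(days=3), 3), (D + timedelta(days=4), 1)]
FILES = {
    "/etc/passwd": D - timedelta(days=40),                 # unchanged since the full
    "/home/a/notes.txt": D + timedelta(days=1, hours=2),   # changed Monday afternoon
    "/home/b/report.doc": D + timedelta(days=3, hours=5),  # changed Wednesday
}
MONTH_END = datetime(2024, 1, 31)

if __name__ == "__main__":
    print("Thursday level 1:", select_for_level(FILES, HISTORY[:4], 1))
    print("Wednesday level 3:", select_for_level(FILES, HISTORY[:3], 3))
    print("restore chain:", [(w.date().isoformat(), l) for w, l in restore_chain(HISTORY)])
    print([gfs_label(D + timedelta(days=n)) for n in range(4)])
```

The point the restore chain makes is operational: after Thursday's level 1, the Monday to Wednesday incrementals are no longer needed to restore, but every backup in the chain must still be present and readable, so the verification step in a backup program belongs on the whole chain, not only on the most recent tape.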
independent review (noun): An analysis of findings performed by a third party for an organization to provide impartiality. [Process · Internal]
Independent Verification & Validation (noun): A comprehensive review, analysis, and testing (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements. [Process]
Industry testing (noun): A test designed to validate that business processes integrated across firms and within the financial industry support the business continuity objectives of the firms, both individually and collectively. [Process · Internal]
Information Management (noun): The planning, budgeting, manipulating, and controlling of information throughout its life cycle. [Process]
Information Resources Management (noun): The planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by agencies. [Process]
Information Security Awareness (noun): Activities which seek to focus an individual's attention on an (information security) issue or set of issues. [Process]
Information Security Continuous Monitoring Process (noun): A process to: define an ISCM strategy; establish an ISCM program; implement an ISCM program; analyze data and report findings; respond to findings; and review and update the ISCM strategy and program. [Process · Regulated]
Information Security Continuous Monitoring Program (noun): A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls. [Process · Regulated]
information security training (noun): Training strives to produce relevant and needed (information) security skills and competencies. [Process]
information sharing (noun): The requirements for information sharing by an IT system with one or more other IT systems or applications, for information sharing to support multiple internal or external organizations, missions, or public programs. [Process]
Information System Contingency Plan (noun): Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters. [Process · Regulated · CUI]
Information System Life Cycle (noun): The phases through which an information system passes, typically characterized as initiation, development, operation, and termination (i.e., sanitization, disposal and/or destruction). [Process]
Information Systems Security Engineering (noun): Process of capturing and refining information protection requirements to ensure their integration into information systems acquisition and information systems development through purposeful security design or configuration. [Process]
Information Systems Security Equipment Modification (noun): Modification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability. [Process · Regulated · CUI]
Information Technology audit (noun): An examination of the controls within an Information Technology (IT) infrastructure. [Process · Regulated]
Information Technology Management program (noun): A documented listing of procedures, schedules, roles and responsibilities, and plans to manage the Information Technology resources of an organization in accordance with its needs and priorities. These resources may include tangible investments like computer hardware, software, data, networks and data center facilities, as well as the staff who are hired to maintain them. [Process · Internal]
Information Technology operation (noun): The activities and work involving Information Technology equipment and personnel. [Process]
information technology risk management (noun): The application of the principles of risk management to an Information Technology organization in order to manage the risks associated with the field. It aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of Information Technology as part of a larger enterprise, and it is a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of services and operations that can degrade organizational value, but also takes the potential benefits of risky ventures into account. [Process]
Ingestion (noun): A process to convert extracted information to a format that can be understood by investigators. Scope Note: See also Normalization. [Process]
Initialize (noun): Setting the state of a cryptographic logic prior to key generation, encryption, or another operating mode. [Process]
integrated risk management (noun): The structured approach that enables an enterprise or organization to share risk information and risk analysis and to synchronize independent yet complementary risk management strategies to unify efforts across the enterprise. [Process]
Integrated test/exercise (noun): This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function. [Process · Internal]
interactive remote access (noun): User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. [Process · Regulated · CUI]
interactive user access (noun): User access to an operating system by means of a log-in through a Graphical User Interface. [Process · Regulated]
Interchange (noun): Exchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card-honoring merchant and to gain access to multiple ATM systems from a single ATM. [Process · Regulated · PCI]
Interdependencies (noun): When two or more departments, processes, functions, or third-party providers support one another in some fashion. [Process]
internal audit (noun): An audit that is performed for management and other internal purposes by individuals who are employed by the organization. [Process · Confidential]
internal audit program (noun): An internal audit program defines the type of internal audit being conducted (IT, HR, financial, etc.), the specific subject(s) attended to, the roles and responsibilities of those involved, the method being used to conduct the audit, and the schedule of the audit. [Process · Internal]
internal process (noun): All the activities and key processes required in order for the company to excel at providing the value expected by the customers. [Process · Internal]
internal risk management (noun): Internal risk management involves all activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures. [Process · Internal]
Internal Security TestingnounSecurity testing conducted from inside the organization’s security perimeter.Process
InterrogationnounUsed to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted dataProcessRegulatedPII
InterviewnounA type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.Process
InvestigatenounTo carry out a formal or systematic inquiry to discover and examine the facts of an event, incident, etc. in order to establish the truth.Process
investigationnounThe purpose of this task is to discover and examine the facts of an incident or allegation to establish the truth.ProcessRegulated
IT governancenounAn integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution's IT sustains and extends the organization's strategies and objectives.Process
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUI
IT Security EducationnounIT Security Education seeks to integrate all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.Process
IT Security TrainingnounIT Security Training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues. The skills acquired during training are built upon the awareness foundation, in particular, upon the security basics and literacy material.Process
IterativenounRepetitive or cyclical. Iterative software development involves the completion of project tasks or phases in repetitive cycles. Tasks and phase activities are repeated until a desired result is achieved.Process
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUI
Key EstablishmentnounThe process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).ProcessRestrictedCUI
Key ExchangenounProcess of exchanging public keys (and other information) in order to establish secure communications.Process
Key ExpansionnounRoutine used to generate a series of Round Keys from the Cipher Key.ProcessRegulated
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUI
Key RecoverynounMechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.ProcessRestrictedCUI
Key TransportnounThe secure transport of cryptographic keys from one cryptographic module to another module.ProcessRegulated
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUI
Knowledge ManagementnounIn the NICE Workforce Framework, cybersecurity work where a person: Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.ProcessIP
Life-cycle processnounThe multi-step process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.Process
Limited MaintenancenounCOMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See Full Maintenance.ProcessRestrictedCUI
log managementnounThe process for generating, transmitting, storing, analyzing, and disposing of log data.ProcessRegulated
logging operationnounThe process of collecting and interpreting logs within configured parameters.Process
maintenancenounThe process of making repairs and keeping components of an asset in good condition so that the asset may remain in operating condition and last its entire useful life.Process
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUI
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUI
Market-wide testsnounMarket-wide tests are also called cross-market tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternal
Match/matchingnounThe process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.ProcessRegulatedPII
MatchingnounWith respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.ProcessRegulated
Media SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.ProcessRegulated
Merchant processingnounActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.ProcessRegulatedPCI
methodnounA means or particular procedure for accomplishing or approaching something.ProcessRegulated
methodologynounA particular way of performing an operation designed to produce precise deliverables at the end of each stage.Process
migrationnounThe purpose of this task is to move records from one system or storage medium to another while maintaining authenticity, integrity, reliability, and usability.ProcessRegulated
MirroringnounA process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.Process
ModelingnounThe process of abstracting information from tangible processes, systems and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.Process
Module test/exercisenounA test designed to verify the functionality of multiple components of a business line or supporting function at the same time.Process
monitornounTo watch and check the progress or quality of something over a period of time; keep under regular surveillance.Process
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUI
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUI
Needs Assessment for IT Security Awareness and TrainingnounA process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs.Process
Non-Local MaintenancenounMaintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network.ProcessRegulated
offsite backupnounA backup process or facility that stores backup data or applications external to the organization or core IT environmentProcessRegulated
Offsite rotationnounUsed for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.ProcessRegulated
Open market operationsnounThe buying and selling of government securities in the open market in order to expand or contract the amount of money in the banking system.Process
Operate & MaintainnounA NICE Workforce Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.Process
operating statenounDistinct operating modes (which typically include specific Information Technology and Operations Technology configurations as well as alternate or modified procedures) that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resiliency, reliability, and/or cybersecurity. For example, a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cybersecurity incident of sufficient severity. The high-security operating state may trade off efficiency and ease of use in favor of increased security by blocking remote access and requiring a higher level of authentication and authorization for certain commands until a return to the normal state of operation is deemed safe.Process
operational exercisnounAn action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.Process
operational exercisenounAn action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.Process
Operational IT plannounTypically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.Process
Operations SecuritynounSystematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.ProcessRegulatedCUI
origination functionnounAny of the processes required to initiate an automated clearing house transaction.ProcessRegulatedPCI
OutsourcingnounThe practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support.Process
outsourcing arrangementnounA contract between the institution and an audit services firm to provide internal audit services.ProcessRegulated
Over-The-Air Key DistributionnounProviding electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.ProcessRestrictedCUI
Over-The-Air Key TransfernounElectronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.ProcessRegulatedCUI
Over-The-Air RekeyingnounChanging traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.ProcessRegulatedCUI
Overt TestingnounSecurity testing performed with the knowledge and consent of the organization’s IT staff.Process
Passive Security TestingnounSecurity testing that does not involve any direct interaction with the targets, such as sending packets to a target.Process
Patch managementnounThe systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.Process
patch management programnounA documented approach for organizing and directing all activities undertaken to manage patches or upgrades for software and hardware.Process
PatchingnounSoftware code that replaces or updates other code. Frequently patches are used to correct security flaws.Process
Peer Entity AuthenticationnounThe process of verifying that a peer entity in an association is as claimed.Process
Penetration testnounThe process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.ProcessRestricted
Penetration testingnounSecurity testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.ProcessRegulated
performance reviewnounThe purpose of this task is to evaluate one's abilities to execute the required functions of a job and to analyze the system for performance against a known benchmark or design document.Process
Periods ProcessingnounThe processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.ProcessRegulatedCUI
Person-to-person (P2P) paymentnounOnline payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.ProcessRegulatedPCI
Personal Identity VerificationnounThe process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors.ProcessRegulatedCUI
Personal Identity Verification AccreditationnounThe official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.ProcessRegulatedCUI
personnel risk assessmentnounThe purpose of this task is to determine the risk that personnel pose to the organization.ProcessRegulatedPII
personnel risk assessment programnounA documented listing of procedures and instructions to be performed to complete a personnel risk assessment.ProcessRegulated
Policy MappingnounRecognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.ProcessRegulated
preliminary examinationnounAn examination taken by graduate students to determine their fitness to continue.Process
PreparednessnounThe activities to build, sustain, and improve readiness capabilities to prevent, protect against, respond to, and recover from natural or manmade incidents.Process
Privilege ManagementnounThe definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems. It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories.Process
Privileged CommandnounA human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.ProcessRegulatedCUI
Privileged ProcessnounA computer process that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary processes are not authorized to perform.Process
productionnounThe purpose of this task is to transform tangible inputs and intangible inputs into goods or services, to create output or deliverables (goods or services) for another party, and to retrieve documents and make them available for use in a legal proceeding, especially as part of discovery.ProcessRegulated
ProfilingnounMeasuring the characteristics of expected activity so that changes to it can be more easily identified.ProcessRegulatedPII
programnounA structured grouping of interdependent projects that includes the full scope of business, process, people, technology, and organizational activities that are required (both necessary and sufficient) to achieve a clearly specified business outcome.Process
ProjectnounA task involving the acquisition, development, or maintenance of a technology product.Process
Project managementnounThe application of processes, methods, knowledge, skills and experience to complete a project.Process
Qualitative AssessmentnounUse of a set of methods, principles, or rules for assessing risk based on nonnumeric categories or levels.Process
Quality AssurancenounThe purpose of this function is to review the software project activities and to test the software products throughout their life cycle in order to determine if they are meeting the functional specifications of the users and are following the established plans, standards, and procedures to maintain a desired level of quality for a service or product.Process
Quantitative AssessmentnounUse of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.Process
Radiation MonitoringnounRadiation monitoring is the process of receiving images, data, or audio from an unprotected source by listening to radiation signals.ProcessRegulated
Real-Time ReactionnounImmediate response to a penetration attempt that is detected and diagnosed in time to prevent access.Process
ReciprocitynounMutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.Process
reconcilementnounThe purpose of this task is to reestablish a close relationship or to settle or resolve something.ProcessInternal
Records ManagementnounThe process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.ProcessRegulatedCUI
Recover FunctionnounDevelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.ProcessRegulated
RecoverynounThe phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)Process
recovery plannounThe written expression of a recovery process which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depends. The following are key elements to a disaster recovery plan: 1) Establish a planning group, 2) Perform risk assessment and audits, 3) Establish priorities for applications and networks, 4) Develop recovery strategies, 5) Prepare inventory and documentation of the plan, 6) Develop verification criteria and procedures, 5) Implement the plan.ProcessRegulated
recovery planningnounThe activities undertaken to define a recovery process which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depends.ProcessInternal
Recovery ProceduresnounActions necessary to restore data files of an information system and computational capability after a system failure.ProcessRegulatedCUI
recovery processnounThe steps taken to restore a service, configurable item, etc. to a working state.Process
recovery strategynounA strategy to resume the minimum set of critical services identified in the business impact analysis (e.g. use of another delivery channel to provide the same service.ProcessInternal
Red Team exercisenounAn exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.ProcessRestricted
RegistrationnounThe process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP.ProcessRegulatedPII
regression analysisnounThe use of scripted tests which are used to test software for all possible input is should expect. Typically developers will create a set of regression tests that are executed before a new version of a software is released. Also see "fuzzing".Process
RemediationnounThe act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.Process
Remote Diagnostics/MaintenancenounMaintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).ProcessRegulated
Remote journalingnounProcess used to transmit journal or transaction logs in real time to a back-up location.ProcessRegulated
remote maintenancenounMaintenance activities conducted by individuals communicating external to an information system security perimeter.ProcessRegulated
Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.ProcessRegulatedCUI
Resilience testingnounTesting of an institution's business continuity and disaster recovery resumption plans.ProcessInternal
Respond FunctionnounDevelop and implement the appropriate activities to take action regarding a detected cybersecurity event.Process
responsenounAn action taken that addresses an incident and assesses the level of containment and control activity required.ProcessRegulated
response and recovery strategynounA systematic plan of action consisting of documented procedures for mitigating and recovering from a disruptive event.ProcessInternal
response plannounA document detailing the steps that must be taken, or the activities that must be performed well, in response to risk assessment or audit findings.ProcessInternal
risk analysisnounThe process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.Process
risk assessmentnounThe process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).ProcessRegulated
Risk Assessment MethodologynounA risk assessment process, together with a risk model, assessment approach, and analysis approach.Process
Risk avoidancenounThe process for systematically avoiding risk, constituting one approach to managing riskProcess
Risk identificationnounThe process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.Process
Risk managementnounThe process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program.Process
risk management processnounThe systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating,monitoring and reviewing riskProcess
risk management programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate risks to operations, assets, or individuals that are inherent to system development and operations.ProcessRegulated
risk management strategynounA plan of action for analyzing and prioritizing risks to organizational operations, assets, and personal in alignment with the organization's mission and business objectives.Process
Risk measurementnounA process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence.ProcessInternal
Risk MonitoringnounMaintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions.Process
Risk reductionnounThe implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization’s risk tolerance.Process
risk responsenounAccepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.Process
Risk transfernounThe process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the serviceProcess
Risk treatmentnounThe process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)Process
risk-based approachnounAn approach whereby FMIs identify, assess and understand the risks to which they are exposed to and take measures commensurate with these risks.ProcessRegulated
risk-based auditingnounAn approach that focuses upon how an organization responds to the risks it faces in achieving its goals and objectives.Process
risk-based data managementnounA structured approach to managing risks to data and information by which an organization selects and applies appropriate security controls in compliance with policy and commensurate with the sensitivity and value of the data.Process
Root cause analysis (noun): A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks. [Process]
Sanitization (noun): A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. [Process, Regulated]
Scenario analysis (noun): The process of analyzing possible future events by considering alternative possible outcomes. [Process]
secure development practice (noun): A software development practice where the confidentiality, integrity, and availability of the software code is protected against threats and vulnerabilities. [Process, Regulated, IP]
secure disposal (noun): The process of erasing or overwriting data stored on media before relinquishing control of said media when no longer required, in a manner that ensures that no data can be recovered from the media. [Process, Regulated]
Securely Provision (noun): A NICE Workforce Framework category consisting of specialty areas concerned with conceptualizing, designing, and building secure IT systems, with responsibility for some aspect of the systems' development. [Process]
Security audit (noun): An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures. [Process, Regulated]
Security Awareness program (noun): The documented plan and documented activities to create well-informed interest in being free from danger or threat. [Process, Regulated, CUI]
security awareness training (noun): The process of educating personnel on critical business processes. [Process, Internal]
Security Categorization (noun): The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems. [Process, Regulated, CUI]
Security Fault Analysis (noun): An assessment, usually performed on information system hardware, to determine the security properties of a device when a hardware fault is encountered. [Process]
Security Impact Analysis (noun): The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. [Process, Internal]
security incident response plan (noun): The steps taken during an incident. An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. [Process, Regulated]
Security Inspection (noun): Examination of an information system to determine compliance with security policy, procedures, and practices. [Process]
security patching (noun): The purpose of this task is to distribute and apply security patches to organizational operating systems and applications. [Process, Regulated]
security patching process (noun): The series of steps taken to acquire, test, and distribute security patches to the appropriate administrators and users throughout the organization. [Process, Regulated]
security practice (noun): The actions an organization takes to initiate, implement, and maintain organizational security. [Process, Regulated]
Security Program Management (noun): In the NICE Workforce Framework, cybersecurity work where a person: Manages information security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., the role of a Chief Information Security Officer). [Process]
security test (noun): The purpose of this task is to determine if the security features of a system are implemented and functioning as designed. This process includes hands-on functional testing, penetration testing and vulnerability scanning. [Process]
Security Test & Evaluation (noun): Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system. [Process, Regulated, CUI]
Security Testing (noun): Process to determine that an information system protects data and maintains functionality as intended. [Process]
Security-Relevant Change (noun): Any change to a system's configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon its continued operations. [Process]
Semi-Quantitative Assessment (noun): Use of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts. [Process]
Settlement (noun): The final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or euros), at a specified time, after which only one net amount of each item is exchanged. [Process, Regulated]
Signature Generation (noun): The process of using a digital signature algorithm and a private key to generate a digital signature on data. [Process, Regulated]
Signature Verification (noun): The process of using a digital signature algorithm and a public key to verify a digital signature on data. [Process]
Simulation (noun): The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP. [Process]
Single Point Keying (noun): Means of distributing key to multiple, local crypto equipment or devices from a single fill point. [Process, Regulated, CUI]
Software System Test and Evaluation Process (noun): Process that plans, develops, and documents the qualitative/quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements. [Process, Regulated]
Special Access Program (noun): A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level. [Process, Regulated, CUI]
Spiral development (noun): An iterative project management model that focuses on the identification of project and product risks and the selection of project management techniques that best control the identified risks. [Process]
Split Processing (noun): The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities. [Process]
Spot (noun): The most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation. [Process, Regulated]
Screen scraping (noun): A process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen. [Process, Regulated, PII]
Status Monitoring (noun): Monitoring the information security metrics defined by the organization in the information security ISCM strategy. [Process]
step (noun): A measure or action, especially one of a series taken in order to deal with or achieve a particular thing. [Process]
strategic planning (noun): The purpose of this task is to determine long-term goals and identify the best method to achieve these goals. [Process]
Strategic Planning and Policy Development (noun): In the NICE Workforce Framework, cybersecurity work where a person: Applies knowledge of priorities to define an entity. [Process]
Street tests (noun): Street tests are also called cross-market tests or market-wide tests and are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. [Process, Internal]
Superencryption (noun): Process of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted. [Process, Regulated, CUI]
Supersession (noun): Scheduled or unscheduled replacement of COMSEC material with a different edition. [Process, Regulated, CUI]
Supplementation Assessment Procedures (noun): The process of adding assessment procedures or assessment details to assessment procedures in order to adequately meet the organization's risk management needs. [Process]
Supplementation Security Controls (noun): The process of adding security controls or control enhancements to a security control baseline from NIST Special Publication 800-53 or CNSS Instruction 1253 in order to adequately meet the organization's risk management needs. [Process, Internal]
supply chain (noun): A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers. [Process]
Supply Chain Risk Management (noun): The process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken. [Process, Regulated]
supply chain risk management process (noun): The implementation through controls and structures of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity. [Process, Regulated]
Synchronous data replication (noun): A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing. [Process, Regulated]
System Administration (noun): The process of maintaining, configuring, and operating computer systems. [Process]
System Development Life Cycle (noun): The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation. [Process]
System Development Methodologies (noun): Methodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools. [Process]
system development methodology (noun): Methodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools. [Process]
System hardening (noun): Configuring all configurable items within an entire system to reduce the host's security weaknesses. [Process, Regulated]
System High Mode (noun): Information systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system. [Process, Regulated, CUI]
system implementation (noun): The process of putting a planned system into action; the stage of systems development in which hardware and software are acquired, developed and installed, the system is tested and documented, people are trained to operate and use the system, and an organization converts to the use of a newly developed system. [Process]
system operation (noun): The day-to-day processes of using a system according to its design and development criteria. [Process]
test (noun): A type of assessment method that is characterized by the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control effectiveness over time. [Process]
Test and Evaluation (noun): In the NICE Workforce Framework, cybersecurity work where a person: Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating information technology. [Process]
Test strategy (noun): Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test. [Process, Internal]
The process of both entities involved in a transaction verifying each other. (noun): Source: CNSSI-4009 [Process, Regulated]
third party and supply chain management (noun): Supply chain management is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies, i.e., Third Parties. Third party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. [Process, Regulated]
third party management (noun): An arrangement where a company will assume the day-to-day management of a property or package of properties it does not own for another company or institution in return for a fee. [Process, Regulated]
third party risk assessment (noun): The process of identifying and determining the risk associated with a specific third party. [Process, Internal]
Third-party relationship (noun): Any business arrangement between a financial institution and another entity, by contract or otherwise. [Process, Regulated]
Threat analysis (noun): The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment. [Process]
threat assessment (noun): Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [Process]
threat information sharing (noun): The act of providing threat information between two or more parties for the mutual benefit of using such information to mitigate risks. [Process, Internal]
threat monitoring process (noun): A particular series of actions or steps to analyze, assess and review audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security. [Process, Internal]
Traditional INFOSEC Program (noun): Program in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA. [Process, Regulated, CUI]
train (noun): To teach a person or animal a particular skill or type of behavior through sustained practice and instruction. [Process]
training (noun): Organized activity aimed at imparting information and/or instructions to improve the recipient's performance or to help him or her attain a required level of knowledge or skill. [Process, Regulated]
Transaction testing (noun): A testing activity designed to validate the continuity of business transactions and the replication of associated data. [Process]
Trusted Distribution (noun): Method for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution. [Process, Regulated, CUI]
Two-way polling (noun): An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages. [Process, Internal]
Type Accreditation (noun): A form of accreditation that is used to authorize multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment. In situations where a major application or general support system is installed at multiple locations, a type accreditation will satisfy C&A requirements only if the application or system consists of a common set of tested and approved hardware, software, and firmware. [Process, Regulated]
Type Certification (noun): The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements. [Process, Regulated, CUI]
Untrusted Process (noun): Process that has not been evaluated or examined for correctness and adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms. [Process, Regulated]
updating (noun): The act of changing something to bring it up to date (usually by adding something). [Process]
user access review (noun): A process that an organization implements to actively monitor and verify the appropriateness of a user's access to systems and applications based on an understanding of the minimum necessary for users to perform or support business activities or functions. The responsibility for granting access and performing periodic verification of the appropriateness of that access rests with the system and/or business owner of the system or application. [Process, Regulated]
User Account Management (noun): Involves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions. [Process]
User Contingency Plan (noun): The alternative methods of continuing business operations if IT systems are unavailable. [Process, Internal]
User Identification (noun): The process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication). [Process, Regulated, PII]
User Initialization (noun): A function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware). [Process, Regulated, CUI]
User Partnership Program (noun): Partnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user's specific application. [Process, Regulated, CUI]
User provisioning (noun): A process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applications. [Process]
User Registration (noun): A function in the life cycle of keying material; a process whereby an entity becomes a member of a security domain. [Process]
Validation (noun): Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements). [Process]
Verification (noun): Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity's requirements have been correctly defined, or an entity's attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome). [Process]
Virtualization (noun): The process of adding a guest application and data onto a virtual server, recognizing that the guest application will ultimately part company from this physical server. [Process]
visitor access (noun): The processes and mechanisms of ensuring visitors are allowed in specific areas and with specific permissions. Mechanisms such as guarded entries, logged entry, badges, and escorting of visitors are common. [Process, Regulated]
visitor control program (noun): A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate the risks inherent to visitors. [Process, Regulated]
Walk-through drill/simulation test (noun): This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it. [Process]
Web Risk Assessment (noun): Processes for ensuring Web sites are in compliance with applicable policies. [Process]
Work transfer (noun): Work transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site. [Process, Regulated]