Browse — Entity Type · Requirement
225 terms
| Term | Type | Definition | Classifications | Updated |
| --- | --- | --- | --- | --- |
| Acceptable interruption window | noun | The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives. | Requirement, Internal | |
| Acceptable use policy | noun | A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet. | Requirement, Internal | |
| Acceptance Criteria | noun | Pre-established standards or requirements a product or project must meet. | Requirement | |
| Access Type | noun | Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write. | Requirement | |
| accountability | noun | The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. | Requirement | |
| Accounting Legend Code | noun | Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System. | Requirement, Regulated, CUI | |
| Acquirer Fee | noun | Fee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction. | Requirement, Regulated, PCI | |
| Adequate Security | noun | Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. | Requirement, Regulated | |
| Aggregate Short Position Limit | noun | In respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time. | Requirement, Regulated | |
| agreement | noun | This record category contains records of mutual understandings, written or verbal, made by two or more parties regarding a matter of opinion or their rights and obligations toward each other. | Requirement, Regulated | |
| alternate network communications procedure | noun | A specifically laid out course of action to ensure that communication is not disrupted if the main network is inaccessible; must include access to a secondary communication network. | Requirement | |
| applicable requirement | noun | The relevant or appropriate necessary condition or conditions. | Requirement, Regulated | |
| Approved | noun | Federal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation. | Requirement, Regulated | |
| Assessment Objective | noun | A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement. | Requirement, Regulated | |
| Assessment Procedure | noun | A set of assessment objectives and an associated set of assessment methods and assessment objects. | Requirement | |
| audit policy | noun | A description of the standards and guidelines an organization uses for going through external audits or conducting internal audits. | Requirement, Internal | |
| audit procedure | noun | A detailed description of the steps necessary to implement an audit in conformance with applicable standards. | Requirement | |
| audit scope | noun | Determination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination. | Requirement, Internal | |
| Authentication Period | noun | The maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed. | Requirement, Regulated, CUI | |
| authentication procedure | noun | The documented steps necessary to authenticate the identity of an entity through the use of credentials in order to gain access to the system. | Requirement | |
| Authorization (ACH) | noun | A written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution. | Requirement, Regulated, PCI | |
| Authorization Boundary | noun | All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected. | Requirement, Regulated | |
| Availability | noun | The property of being accessible and useable upon demand by an authorized entity. | Requirement | |
| availability requirement | noun | Relates to the need for information to be available when required. | Requirement, Regulated | |
| baseline configuration | noun | A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes. | Requirement | |
| Baseline Security | noun | The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection. | Requirement | |
| best practice | noun | Procedures and guidelines that are widely accepted because experience and research have demonstrated that they are optimal and efficient means to produce a desired result. | Requirement | |
| Bring your own device | noun | An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes. | Requirement | |
| Capstone Policies | noun | Those policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels. | Requirement, Regulated, PHI | |
| Category | noun | Restrictive label applied to classified or unclassified information to limit access. | Requirement, Regulated, CUI | |
| CIP exceptional circumstance | noun | A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability. | Requirement, Regulated, CUI | |
| clarity | noun | Free from obscurity and easy to understand; the comprehensibility of clear expression. | Requirement | |
| Clinger-Cohen Act of 1996 | noun | Also known as the Information Technology Management Reform Act. A statute that substantially revised the way that IT resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments. | Requirement, Regulated | |
| coding standard | noun | A set of standards and guidelines which are (or should be) used when writing the source code for a program. | Requirement, IP | |
| Commercially Reasonable | noun | Practices and procedures in widespread use in the business community generally considered to represent prudent and reasonable business methods. | Requirement | |
| compliance policy | noun | An official expression of principles that direct an organization's approach to compliance. | Requirement, Internal | |
| compliance procedure | noun | A detailed description of the steps necessary to implement or perform something in conformance with applicable standards. | Requirement | |
| compliance requirement | noun | The various legal, contractual, and service level requirements that an organization must follow. | Requirement, Regulated | |
| Confidentiality | noun | The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information. | Requirement | |
| constitute | noun | Give legal or constitutional form to (an institution); establish by law. | Requirement, Regulated | |
| Contingency Plan | noun | Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions. | Requirement, Restricted, CUI | |
| contractual obligation | noun | A course of action or conditions that someone is legally bound to because they signed a contract. | Requirement, Restricted | |
| contractual requirement | noun | Written and signed stipulations (within the said contract) employed in controlling, directing, or managing an activity, organization, or system. | Requirement, Confidential | |
| Control requirements | noun | Process used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed. | Requirement, Regulated | |
| Controlled Unclassified Information | noun | A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU). | Requirement, Regulated, CUI | |
| credit policy | noun | A company's policy on when its customers should pay for goods or services they have ordered; or a government's policy at a particular time on how easy or difficult it should be for people and businesses to borrow and how much it should cost. The government influences this through changes in interest rates. | Requirement, Regulated | |
| Cryptographic Module Security Policy | noun | A precise specification of the security rules under which a cryptographic module will operate, including the rules derived from the requirements of this standard (FIPS 140-2) and additional rules imposed by the vendor. | Requirement | |
| customer data privacy | noun | The ability an organization or individual has to determine what customer data in a computer system can be shared with third parties. | Requirement, Regulated, PII | |
| cyber incident response procedure | noun | A documented series of steps that are taken to detect, triage, and resolve events regarding cybersecurity that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards. | Requirement | |
| cybersecurity law, rule, or regulation | noun | Any federal, state, or local statute or ordinance or any rule or regulation adopted according to any federal, state, or local statute or ordinance that deals specifically with the topic of protecting or defending computerized environments, organizational computerized assets, and users' computerized assets. | Requirement, Regulated | |
| Cybersecurity outcome | noun | A Cybersecurity outcome is the business need defined and tiered implementation of the outcomes listed in either the Categories or Subcategories section of Table 2 in the NIST Cybersecurity Framework. | Requirement, Regulated | |
| cybersecurity plan | noun | Formal document that provides an overview of the cybersecurity requirements for an Information Technology and industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements. | Requirement, Regulated, CUI | |
| cybersecurity policy | noun | A set of criteria for the provision of security services. | Requirement, Regulated | |
| cybersecurity procedure | noun | A detailed description of the steps necessary to implement cybersecurity in conformance with applicable standards. | Requirement | |
| cybersecurity requirement | noun | Requirements levied on Information Technology and Operations Technology that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted. | Requirement, Regulated | |
| data integrity | noun | The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. | Requirement | |
| Data retention | noun | Refers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements. | Requirement, Regulated | |
| Dedicated Mode | noun | Information systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time. | Requirement, Regulated, CUI | |
| Default Classification | noun | Classification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object. | Requirement, Regulated, CUI | |
| delegation procedure | noun | A detailed description of the steps necessary to assign a task or responsibility to another role in conformance with applicable standards. | Requirement | |
| Descriptive Top-Level Specification | noun | A natural language description of a system's security requirements, an informal design notation, or a combination of the two. | Requirement, Regulated, CUI | |
| Diversity | noun | A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure. | Requirement | |
| Due care | noun | The level of care expected from a reasonable person of similar competency under similar conditions. | Requirement, Regulated | |
| End-of-life | noun | All software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product. | Requirement | |
| Evaluation Assurance Level | noun | Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale. | Requirement, Regulated | |
| Exposure limit | noun | In reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation. | Requirement, Regulated | |
| external requirement | noun | Any law, contractual obligation, code of connection, service level agreement, or even international agreement. | Requirement, Regulated | |
| Finality | noun | Irrevocable and unconditional transfer of payment during settlement. | Requirement, Regulated, PCI | |
| formal contract | noun | An officially recognized agreement between two or more parties. | Requirement, Confidential, IP | |
| Functional requirements | noun | The business, operational, and security features an organization wants included in a program. | Requirement | |
| goal | noun | The object of a person's or process's ambition or effort; the aim or desired result. | Requirement | |
| guidance | noun | Information that provides direction or advice as to a decision or course of action. | Requirement | |
| Guideline | noun | A description of a particular way of accomplishing something that is less prescriptive than a procedure. | Requirement | |
| Identity-Based Security Policy | noun | A security policy based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access. | Requirement | |
| if | noun | This limits a Control or Mandate's secondary verb to be put into play should the event occur. | Requirement | |
| in response to | noun | This limits a Control or Mandate's secondary verb to be put into play precisely because the event has taken place. | Requirement | |
| incident management procedure | noun | A detailed description of the steps necessary to identify, analyze, and correct incidents in order to return service back to normal as quickly as possible and in conformance with applicable standards. | Requirement | |
| incident response notification procedure | noun | A detailed description of the steps necessary to tell interested personnel and affected parties about disruptions in service and operations in conformance with applicable standards. | Requirement | |
| incident response policy | noun | The documented rules and guidelines on how an organization should address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. | Requirement, Internal | |
| Independence | noun | Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees. | Requirement | |
| independence standards | noun | The ability, without the service of others, or with a reduced level of the services of others, to function within the community. | Requirement, Regulated | |
| Individual Accountability | noun | Ability to associate positively the identity of a user with the time, method, and degree of access to an information system. | Requirement, Regulated | |
| industry standard | noun | A norm or requirement established within an industry; it is typically a formal document establishing uniform technical or engineering processes or criteria. | Requirement | |
| Informal Security Policy | noun | Natural language description, possibly supplemented by mathematical arguments, demonstrating the correspondence of the functional specification to the high-level design. | Requirement | |
| information need | noun | Insight necessary to manage objectives, goals, risks and problems. | Requirement, Regulated | |
| information security policy | noun | The rules and guidelines of an organization on how to ensure the confidentiality, integrity, and availability of the organization's information. | Requirement | |
| information security strategy | noun | A plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. | Requirement, Internal | |
| Information Type | noun | A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation. | Requirement, Regulated | |
| Instruction | noun | Means (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions. | Requirement, Regulated | |
| insurance coverage | noun | The amount of risk or liability covered for an individual or entity by way of insurance services. Insurance coverage is issued by an insurer in the event of an unforeseen or unwanted occurrence. | Requirement, Regulated | |
| insurance rider | noun | An add-on provision to a basic insurance policy that provides additional benefits to the policyholder at an additional cost. Standard policies usually leave little room for modification or customization beyond choosing deductibles and coverage amounts. | Requirement, Regulated | |
| Interchange fees | noun | Fees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item. | Requirement, Regulated | |
| Interconnection Security Agreement | noun | A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection. | Requirement, Regulated, CUI | |
| Interim Approval to Test | noun | Temporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization. | Requirement, Regulated, CUI | |
| Interoperability standards/protocols | noun | Commonly agreed on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet. | Requirement | |
| Issue-Specific Policy | noun | An Issue-Specific Policy is intended to address specific needs within an organization, such as a password policy. | Requirement | |
| IT Security Policy | noun | The "documentation of IT security decisions" in an organization. NIST SP 800-12 categorizes IT Security Policy into three basic types: 1) Program Policy: high-level policy used to create an organization's IT security program, define its scope within the organization, assign implementation responsibilities, establish strategic direction, and assign resources for implementation. 2) Issue-Specific Policies: address specific issues of concern to the organization, such as contingency planning, the use of a particular methodology for systems risk management, and implementation of new regulations or law. These policies are likely to require more frequent revision as changes in technology and related factors take place. 3) System-Specific Policies: address individual systems, such as establishing an access control list or training users as to what system actions are permitted. These policies may vary from system to system within the same organization. In addition, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's electronic mail (email) policy or fax security policy. | Requirement | |
| least functionality principle | noun | In information security, computer science, and configuration management, the limiting of access to only that information and those resources that are necessary for its legitimate purpose. | Requirement | |
| least privilege | noun | The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function. | Requirement | |
| Least Trust | noun | The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust, and 2) the extent to which each component is trusted. | Requirement | |
| Level of Protection | noun | Extent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures. | Requirement, Regulated, CUI | |
| Low Impact | noun | The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals). | Requirement, Regulated | |
| management authorization | noun | Official permission or approval given by the senior executives of an organization. | Requirement, Regulated | |
| Mission Assurance Category | noun | A Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity. | Requirement, Regulated, CDI | |
| Mission Critical | noun | Any telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of which would have a debilitating impact on the mission of an agency. | Requirement, Regulated, CUI | |
| Mode of Operation | noun | Description of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode. | Requirement, Regulated, CUI | |
| Monitoring policy | noun | Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted. | Requirement | |
| monitoring procedure | noun | A description of the steps that are necessary to watch and check the progress or quality of something over a period of time according to standards. | Requirement | |
| Multi-Releasable | noun | A characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain. | Requirement, Regulated, CUI | |
| need to know | noun | An administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties. | Requirement, Regulated, CUI | |
| Net debit cap | noun | The maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category. | Requirement, Regulated | |
| no longer needed for legal, regulatory, or business reason | noun | Something that is not needed anymore for business, regulatory, or legal reasons. | Requirement, Regulated | |
| notification procedure | noun | A plan of action adopted by the organization for how and when the appropriate individuals are notified. | Requirement | |
| notification requirement | noun | The obligation to officially inform a party of something important. | Requirement, Regulated | |
| objective | noun | A projected state of affairs that a person or a system plans or intends to achieve: a personal or organizational desired end-point in some sort of assumed development. Many people endeavor to reach goals within a finite time by setting deadlines. | Requirement | |
| objectivity | noun | The quality of being not influenced by personal feelings or opinions in considering and representing facts. | Requirement | |
| obligation | noun | A binding agreement committing a person to an immediate or future payment or other action. | Requirement | |
| Operational Waiver | noun | Authority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification. | Requirement, Regulated, CUI | |
| outsourcing contract | noun | The outsourcing contract is one of the most important documents in an outsourcing relationship. The contract terms and the quality of the contract will largely influence the outsourcing relations, governance and overall the success of the outsourcing venture. | Requirement, Confidential | |
| Overwrite Procedure | noun | A software process that replaces data previously stored on storage media with a predetermined set of meaningless data or random patterns. | Requirement | |
| Partitioned Security Mode | noun | Information systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system. | Requirement, Regulated, CUI | |
| Payments System Risk Policy (PSR) | noun | The Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy. | Requirement, Regulated | |
| personnel policy | noun | A set of rules that define the manner in which an organization deals with a human resources or personnel-related matter. | Requirement, Internal | |
| physical operating environment authority document | noun | Statutes, regulations, safe harbors, audit guidelines, best practices, Service Level Agreements, Contractual Obligations, organizational policies and procedures, and any other documents that define the temperatures, humidity levels, electromagnetic levels, vibration levels, power levels, and space required for any device to operate properly. | Requirement, Internal | |
| policy and procedure | noun | Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible. Policies and procedures are designed to influence and determine all major decisions and actions, and all activities take place within the boundaries set by them. Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view. | Requirement | |
| Presentment fee | noun | A fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time. | Requirement, Regulated | |
| Principle of least privilege | noun | The security objective of granting users only the access needed to perform official duties. | Requirement | |
| prior to | noun | This limits a Control or Mandate's secondary verb to be put into play before the event takes place. | Requirement, Regulated | |
| Privacy | noun | Restricting access to subscriber or Relying Party information in accordance with federal law and agency policy. | Requirement, Regulated | |
| procedure | noun | An established or official method for implementing a policy or performing a task or operation which must be executed in the same manner in order to obtain the same results in the same circumstances. | Requirement | |
| processing requirement | noun | A condition that must be fulfilled in order for something to be processed. | Requirement, Regulated | |
| Program Policy | noun | A program policy is a high-level policy that sets the overall tone of an organization's security approach. | Requirement, Internal | |
| Protection Philosophy | noun | Informal description of the overall design of an information system delineating each of the protection mechanisms employed. Combination of formal and informal techniques, appropriate to the evaluation class, used to show the mechanisms are adequate to enforce the security policy. | Requirement | |
| Reciprocal agreement | noun | An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or "as time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option. | Requirement, Internal | |
| records management procedure | noun | A detailed description of the steps necessary to systematically and administratively control records throughout their life cycle in conformance with applicable standards. | Requirement | |
| Recovery service levels | noun | Collectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc. | Requirement, Regulated | |
| Regulation | noun | A documented rule or directive created and maintained by a governing authority. | Requirement | |
| Regulation CC | noun | A regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks. | Requirement, Regulated | |
Regulation EnounA regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.RequirementRegulated
Regulation ZnounRegulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.RequirementRegulated
Regulatory requirementsnounRules or laws that regulate conduct and that the enterprise must obey to become compliantRequirementRegulated
reporting requirementnounSet by the organization, this requires third parties to provide certain update and other status reports, such as work status, Service Level Agreement status, etc.RequirementRegulated
RepudiationnounThe denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.RequirementRegulated
Reserve requirementsnounThe percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.RequirementRegulated
resilience by designnounThe embedding of security in technology and system development from the earliest stages of conceptualisation and design.RequirementRegulated
Responsibility to ProvidenounAn information distribution approach whereby relevant essential information is made readily available and discoverable to the broadest possible pool of potential users.Requirement
Retention requirementnounRequirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.RequirementRegulated
Risk AversenounAvoiding risk even if this leads to the loss of opportunity. For example, using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail may be considered "Risk Averse"Requirement
roles and responsibilitiesnounThe position and collection of tasks, duties, obligations that participants undertake to complete a project.Requirement
rulenounA principle, condition, or regulation that customarily governs behavior or procedure within a particular area of activity.RequirementRegulated
Rule-Based Security PolicynounA security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access. Also known as discretionary access control (DAC).Requirement
Rules of EngagementnounDetailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.RequirementInternal
SafetynounSafety is the need to ensure that the people involved with the company, including employees, customers, and visitors, are protected from harm.Requirement
scopenounThe extent or boundary to which a process, configuration item, application, contract, etc. applies.Requirement
Scoping GuidancenounA part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline.RequirementRegulatedCUI
Security CategorynounThe characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.RequirementRegulated
Security Controls BaselinenounThe set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.RequirementRegulatedCUI
Security GoalsnounThe five security goals are confidentiality, availability, integrity, accountability, and assurance.Requirement
security policynounA set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.Requirement
Security procedure agreementnounAn agreement between a financial institution and a Federal Reserve Bank whereby the financial institution agrees to certain security procedures if it uses an encrypted communications line with access controls for the transmission or receipt of a payment order to or from a Federal Reserve Bank.Requirement
Security RangenounHighest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.RequirementRegulatedCUI
security requirementnounA necessary condition that must be met to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulated
Security Requirements BaselinenounDescription of the minimum requirements necessary for an information system to maintain an acceptable level of risk.RequirementRegulated
Security Requirements RequirementsnounRequirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulated
Security SpecificationnounDetailed description of the safeguards required to protect an information system.Requirement
Security TargetnounCommon Criteria specification that represents a set of security requirements to be used as the basis of an evaluation of an identified Target of Evaluation (TOE).RequirementRegulated
service contractnounA formal agreement between a service provider and consumer that specifies the details of the service performed by the provider.RequirementInternal
Service delivery objectivenounDirectly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restoredRequirement
Service level agreementnounAn agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measuredRequirement
Service Level Agreement (SLA)nounFormal documents between an institution and its third-party service provider that outline an institution’s predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.RequirementInternal
Short position limitnounIn respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn.RequirementRegulated
Simple Security PropertynounIn Simple Security Property a user cannot read data of a higher classification than their own.Requirement
Sound practicesnounDefined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.RequirementRegulated
Special CharacternounAny non-alphanumeric character that can be rendered on a standard American-English keyboard. Use of a specific special character may be application-dependent. The list of special characters follows: ` ~ ! @ # $ % ^ & * ( ) _ + | } { “ : ? [ ] \ ; ’ , . / - =Requirement
StandardnounA published statement on a topic specifying characteristics, usually measurable, that must be satisfied or achieved in order to comply with the standard.RequirementInternal
Strong Star PropertynounIn Strong Star Property, a user cannot write data to higher or lower classifications levels than their own.RequirementRegulated
Suite AnounA specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information.RequirementRegulatedCUI
Suite BnounA specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners.RequirementRegulatedCUI
system integritynounThe quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.Requirement
third party contractnounMeans a contract or purchase order awarded by the Recipient or subrecipient to a vendor or contractor.RequirementConfidential
third party dependencynounA third party that may have no interest in an organization's project or operations, but can can have an impact on them.RequirementRegulated
third party management policynounThe guidelines and rules on how an organization should to direct and supervise business activities and relations with a third party.RequirementRegulated
time framenounA specified period of time for something to be done or take place.RequirementRegulated
Time-Compliance DatenounDate by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.RequirementRegulatedCUI
timelinessnounPublic and private parties, nationally and internationally, should act in a timely coordinately manner to prevent and respond to breaches of security of information systems.RequirementRegulated
TOE Security PolicynounSet of rules that regulate how assets are managed, protected, and distributed within the TOE.Requirement
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUI
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUI
warrantynounA written guarantee, issued to the purchaser of a product or service by its manufacturer, that promises the good condition of the product or service and to repair or replace it within a specified period of time.Requirement
whennounThis limits a Control or Mandate's secondary verb to be put into play as something is happening.Requirement