Browse — Sensitivity · Internal
148 terms
| Term | Type | Definition | Classifications | Updated |
|---|---|---|---|---|
| Acceptable interruption window | noun | The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives. | Requirement, Internal | |
| Acceptable use policy | noun | A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet. | Requirement, Internal | |
| Advisory | noun | Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems. | Artifact, Internal | |
| Alternate Site Test / Exercise | noun | A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities. | Process, Internal | |
| asset inventory | noun | A complete list of all the resources owned by an organization that are used in operations or used to support operations. | Artifact, Internal | |
| attack signature | noun | A characteristic byte pattern used in malicious code, or an indicator, or set of indicators, that allows the identification of malicious network activities. | Artifact, Internal | |
| Audit charter | noun | A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability. | Artifact, Internal | |
| audit manual | noun | A compilation of current audit policies, procedures, and guidelines. | Artifact, Internal | |
| Audit plan | noun | A high-level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report, its intended audience, and other general aspects of the work. | Artifact, Internal | |
| audit policy | noun | A description of the standards and guidelines an organization uses for going through external audits or conducting internal audits. | Requirement, Internal | |
| Audit program | noun | The audit policies, procedures, and strategies that govern the audit function, including Information Technology (IT) audit. | Process, Internal | |
| audit schedule | noun | The dates on which a planned, official examination of a system or equipment will be performed. | Artifact, Internal | |
| audit scope | noun | Determination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination. | Requirement, Internal | |
| audit universe | noun | An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. | Artifact, Internal | |
| Bankcard Companies | noun | Visa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions. | Organization, Internal, PCI | |
| Business Continuity Plan | noun | The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business functions will be sustained during and after a significant disruption. | Process, Internal | |
| Business Continuity Plan (BCP) | noun | A comprehensive written plan to maintain or resume business in the event of a disruption. A BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability. | Artifact, Internal | |
| business continuity program | noun | A documented approach undertaken by an organization to implement business continuity. | Process, Internal | |
| Business Continuity Strategy | noun | Comprehensive strategies to recover, resume, and maintain all critical business functions. | Process, Internal | |
| Business Impact Analysis | noun | An analysis of an enterprise's requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption. | Process, Internal | |
| Business Impact Analysis (BIA) | noun | The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes. | Process, Internal | |
| business resumption testing | noun | A form of testing designed to determine the effectiveness of an organization's in-place strategy for full recovery of business functions following a disaster or disruption. | Process, Internal | |
| Call Tree | noun | A documented list of employees and external entities that should be contacted in the event of an emergency declaration. | Artifact, Internal, PII | |
| Certification Practice Statement | noun | A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services). | Artifact, Internal | |
| Commodity Service | noun | An information system service (e.g., telecommunications service) provided by a commercial service provider, typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls. | Capability, Internal | |
| Compliance documents | noun | Policies, standards, and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions. | Artifact, Internal | |
| compliance plan | noun | A system of checks and balances through which a reasonable effort is made to identify potential non-compliance issues regarding applicable laws and regulations, and to eliminate or mitigate those issues. | Process, Internal | |
| compliance policy | noun | An official expression of principles that direct an organization's approach to compliance. | Requirement, Internal | |
| compliance program | noun | A program that aims to prevent, and where necessary identify and respond to, breaches of laws, regulations, codes, or organizational standards occurring in the organization, and to promote a culture of compliance within the organization. | Process, Internal | |
| Computer Security Objects Register | noun | A collection of Computer Security Object names and definitions kept by a registration authority. | Artifact, Internal | |
| continuity plan | noun | A step-by-step outline of management procedures designed to maintain and restore business operations in the event of an emergency or system failure. | Process, Internal | |
| Covert Testing | noun | Testing performed using covert methods and without the knowledge of the organization's IT staff, but with the full knowledge and permission of upper management. | Process, Internal | |
| Crisis Management Test/Exercise | noun | A testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated. | Process, Internal | |
| Cross-Market Tests | noun | Cross-market tests, also called market-wide tests or "street tests," are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | Process, Internal | |
| Cryptographic System Survey | noun | Management technique in which actual holders of a cryptographic system express opinions on the system's suitability and provide usage information for technical evaluations. | Process, Internal | |
| Custom redirect service | noun | A service that enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity. | Capability, Internal | |
| customer educational material | noun | Educational materials used to inform customers about topics regarding the products and/or services that they use. | Artifact, Internal | |
| cyber resilience strategy | noun | An FMI's high-level principles and medium-term plans to achieve its objective of managing cyber risks. | Process, Internal | |
| cyber risk profile | noun | The cyber risk actually assumed, measured at a given point in time. | Metric, Internal | |
| cyber risk tolerance | noun | The propensity to incur cyber risk, being the level of cyber risk that an FMI intends to assume in pursuing its strategic objectives. | Metric, Internal | |
| Cyber Supply Chain Risk Management Plan | noun | A plan that includes confidentiality, integrity, and availability controls for mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction), as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage. | Process, Internal | |
| cyber threat response strategy | noun | A plan of action designed to achieve a long-term or overall aim regarding how to resolve cyber incidents. | Process, Internal | |
| cybersecurity awareness | noun | The extent to which individuals of an organization, or those who have access to an organization's information, understand their individual responsibilities regarding cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats. | Capability, Internal | |
| Cybersecurity Framework Implementation Tier | noun | A lens through which to view the characteristics of an organization's approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk. | Framework, Internal | |
| Cybersecurity Profile | noun | A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories. | Artifact, Internal | |
| cybersecurity training | noun | Activities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment and organization and user's assets. | Process, Internal | |
| Data classification program | noun | A program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability, and establishes the controls required based on value and level of sensitivity. | Process, Internal | |
| Disaster recovery plan | noun | Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. See Continuity of Operations Plan and Contingency Plan. | Process, Internal | |
| Due diligence for service provider selection | noun | Technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients. | Process, Internal | |
| Emergency plan | noun | The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc. | Process, Internal | |
| entrance of a visitor | noun | This Triggering Event takes place when a visitor enters the organization's facility. | Event, Internal | |
| Expected Output | noun | Any data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy. | Data, Internal, CUI | |
| Extensible Configuration Checklist Description Format | noun | SCAP language for specifying checklists and reporting checklist results. | Framework, Internal | |
| Federal Enterprise Architecture | noun | A business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based. | Framework, Internal | |
| Federal Information Systems Security Educators' Association | noun | An organization whose members come from federal agencies, industry, and academic institutions, devoted to improving IT security awareness and knowledge within the federal government and its related external workforce. | Organization, Internal | |
| Functional drill/parallel test | noun | This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP. | Process, Internal | |
| governance structure | noun | Specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders, and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. | Organization, Internal | |
| Governance, Risk, and Compliance framework | noun | The overall structure of procedures for how an organization is controlled and directed, how an organization identifies and mitigates risk, and how the organization adheres to pertinent rules, standards, and regulations; it defines the scope, objectives, and activities regarding such procedures. | Framework, Internal | |
| government agency | noun | A state, county, or federal government organization that enforces laws, rules, or regulations. | Organization, Internal | |
| Grandfather-father-son | noun | Retaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." | Process, Internal | |
| Implementation plan | noun | A plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services. | Artifact, Internal | |
| incident detection | noun | The process of identifying that an intrusion has been attempted, is occurring, or has occurred. | Process, Internal | |
| incident monitoring process | noun | An established or official method for implementing the incident monitoring policy, or for performing the tasks, processes, or operations used to monitor for incidents, which must be executed in the same manner in order to obtain the same results in the same circumstances. | Process, Internal | |
| incident response policy | noun | The documented rules and guidelines on how an organization should address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. | Requirement, Internal | |
| independent review | noun | An analysis of findings performed by a third party for an organization to provide impartiality. | Process, Internal | |
| Industry testing | noun | A test designed to validate the business processes, integrated across firms and within the financial industry, that support the business continuity objectives of the firms, both individually and collectively. | Process, Internal | |
| information security strategy | noun | A plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. | Requirement, Internal | |
| Information Technology Management program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to manage the Information Technology resources of an organization in accordance with its needs and priorities. These resources may include tangible investments like computer hardware, software, data, networks, and data center facilities, as well as the staff who are hired to maintain them. | Process, Internal | |
| Integrated test/exercise | noun | A test/exercise that incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function. | Process, Internal | |
| Internal "trusted" zone | noun | A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may also be protected in transit. Examples include SSL, IP security, and a secure physical connection. | Network, Internal | |
| internal audit function | noun | An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating, and monitoring the adequacy and effectiveness of internal control. | Capability, Internal | |
| internal audit manager | noun | Monitors the audit scope and risk assessments to ensure that audit coverage remains adequate. | Role, Internal | |
| internal audit program | noun | Defines the type of internal audit being conducted (IT, HR, financial, etc.), the specific subject(s) attended to, the roles and responsibilities of those involved, the method being used to conduct the audit, and the schedule of the audit. | Process, Internal | |
| Internal Network | noun | A network where 1) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or 2) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned. | Network, Internal | |
| internal process | noun | All the activities and key processes required in order for the company to excel at providing the value expected by the customers. | Process, Internal | |
| internal risk management | noun | All activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures. | Process, Internal | |
| internet access | noun | The means by which users connect to the Internet, including the following components: (1) the transmission of information as common carriage; (2) the transmission of information as part of a gateway to an information service, when that transmission does not involve the generation or alteration of the content of information, but may include data transmission, address translation, protocol conversion, billing management, introductory information content, and navigational systems that enable users to access information services, and that do not affect the presentation of such information to users; and (3) electronic mail services (e-mail). | Network, Internal | |
| Intranet | noun | A private network that is employed within the confines of a given enterprise (e.g., internal to a business or agency). | Network, Internal | |
| IT strategic plan | noun | A comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment. | Artifact, Internal | |
| IT system inventory | noun | A list containing information about the information resources owned or operated by an organization. | Artifact, Internal | |
| Kiosk | noun | A publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network. | System, Internal, PCI | |
| manual | noun | A book of instructions, especially for operating a machine or learning a subject. | Artifact, Internal | |
| Market-wide tests | noun | Market-wide tests, also called cross-market tests or "street tests," are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | Process, Internal | |
| Memorandum of Understanding/Agreement | noun | A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. | Artifact, Internal, CUI | |
| network activity baseline | noun | Establishing a trusted baseline document involves identifying the network data points of interest, the length of the baseline data collection period, and the methods and tools used to collect and store data. Suggested network data points of interest include: a list of predetermined devices a given workstation or server should communicate with; VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information; the known set of ports and protocols in use by the network; firewall and intrusion detection system logs; and normal traffic patterns and flows. | Artifact, Internal, CUI | |
| operational performance report | noun | A report that details the findings of a performance review of a business's operations. | Artifact, Internal | |
| patch log | noun | A list that shows the patches that have been installed and those that need to be installed to update software. | Artifact, Internal | |
| Path Histories | noun | Maintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply. | Artifact, Internal, CUI | |
| Performance Reference Model | noun | Framework for performance measurement providing common output measurements throughout the federal government. It allows agencies to better manage the business of government at a strategic level by providing a means for using an agency's EA to measure the success of information systems investments and their impact on strategic outcomes. | Framework, Internal | |
| personnel policy | noun | A set of rules that define the manner in which an organization deals with a human resources or personnel-related matter. | Requirement, Internal | |
| physical operating environment authority document | noun | Statutes, regulations, safe harbors, audit guidelines, best practices, Service Level Agreements, Contractual Obligations, organizational policies and procedures, and any other documents that define the temperatures, humidity levels, electromagnetic levels, vibration levels, power levels, and space required for any device to operate properly. | Requirement, Internal | |
| Practice Statement | noun | A formal statement of the practices followed by an authentication entity (e.g., RA, CSP, or Verifier). It usually describes the policies and practices of the parties and can become legally binding. | Artifact, Internal | |
| Program Policy | noun | A high-level policy that sets the overall tone of an organization's security approach. | Requirement, Internal | |
| Protection Profile | noun | Common Criteria specification that represents an implementation-independent set of security requirements for a category of Targets of Evaluation (TOE) that meets specific consumer needs. | Framework, Internal | |
| protocols, ports, applications, and services list | noun | A compilation of all protocols, ports, applications, and services that are available. | Artifact, Internal | |
| receipt | noun | A written or printed acknowledgment that something has been paid for or that goods have been received. | Artifact, Internal | |
| Reciprocal agreement | noun | An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or "as time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option. | Requirement, Internal | |
| reconcilement | noun | The purpose of this task is to reestablish a close relationship or to settle or resolve something. | Process, Internal | |
| recovery planning | noun | The activities undertaken to define a recovery process, which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend. | Process, Internal | |
| Recovery point objective (RPO) | noun | The amount of data that can be lost without severely impacting the recovery of operations, or the point in time to which systems and data must be recovered (e.g., the date and time of a business disruption). | Metric, Internal | |
| Recovery site | noun | An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites, which are fully configured centers with compatible computer equipment, and "cold" sites, which are operational computer centers without the computer equipment. | Physical, Internal | |
| recovery strategy | noun | A strategy to resume the minimum set of critical services identified in the business impact analysis (e.g., use of another delivery channel to provide the same service). | Process, Internal | |
| Recovery time objective (RTO) | noun | The maximum allowable downtime that can occur without severely impacting the recovery of operations, or the time within which systems, applications, or business functions must be recovered after an outage (e.g., the point in time at which a process can no longer remain inoperable). | Metric, Internal | |
| regulatory agency | noun | Government body formed or mandated under the terms of a legislative act to ensure compliance with the provisions of the act and to carry out its purpose. | Organization, Internal | |
| Remediation Plan | noun | A plan to perform the remediation of one or more threats or vulnerabilities facing an organization's systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation. | Artifact, Internal | |
| Resilience testing | noun | Testing of an institution's business continuity and disaster recovery resumption plans. | Process, Internal | |
| response and recovery strategy | noun | A systematic plan of action consisting of documented procedures for mitigating and recovering from a disruptive event. | Process, Internal | |
| response plan | noun | A document detailing the steps that must be taken, or the activities that must be performed well, in response to risk assessment or audit findings. | Process, Internal | |
| Risk measurement | noun | A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence. | Process, Internal | |
| Rules of Engagement | noun | Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions. | Requirement, Internal | |
| Sandbox | noun | A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized. | System, Internal | |
| Schedules | noun | This record category contains ordered lists of times at which things are planned to occur. | Artifact, Internal | |
| security awareness training | noun | The process of educating personnel on critical business processes. | Process, Internal | |
| Security Features Users Guide | noun | Guide or manual explaining how the security mechanisms in a specific system work. | Artifact, Internal | |
| Security Impact Analysis | noun | The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. | Process, Internal | |
| Security Posture | noun | The security status of an enterprise's networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. | Metric, Internal | |
| service contract | noun | A formal agreement between a service provider and consumer that specifies the details of the service performed by the provider. | Requirement, Internal | |
| Service Level Agreement (SLA) | noun | Formal documents between an institution and its third-party service provider that outline an institution's predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met. | Requirement, Internal | |
| Shadow IT | noun | A term used to describe IT systems or applications used inside institutions without explicit approval. | System, Internal | |
| Simulated loss of data center site(s) test/exercise | noun | A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities. | Physical, Internal | |
| Standard | noun | A published statement on a topic specifying characteristics, usually measurable, that must be satisfied or achieved in order to comply with the standard. | Requirement, Internal | |
| Street tests | noun | Street tests, also called cross-market tests or market-wide tests, are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | Process, Internal | |
| Supplementation Security Controls | noun | The process of adding security controls or control enhancements to a security control baseline from NIST Special Publication 800-53 or CNSS Instruction 1253 in order to adequately meet the organization's risk management needs. | Process, Internal | |
| supplier | noun | Product and service providers used for an organization's internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization's Buyers. | Organization, Internal | |
| system documentation | noun | Detailed information about a computer system: its architecture, design, data flow, and programming logic. | Artifact, Internal, IP | |
| Test plan | noun | A document that is based on the institution's test scope and objectives and includes various testing methods. | Artifact, Internal | |
| Test scenario | noun | A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address. | Artifact, Internal | |
| Test strategy | noun | Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test. | Process, Internal | |
| third party risk assessment | noun | The process of identifying and determining the risk associated with a specific third party. | Process, Internal | |
| Third Party Service Provider List | noun | This record contains lists of all third party service providers and their contacts within each organization. | Artifact, Internal | |
| threat information | noun | Information about a potential source of danger or undesirable event. | Threat, Internal | |
| threat information sharing | noun | The act of providing threat information between two or more parties for the mutual benefit of using such information to mitigate risks. | Process, Internal | |
| threat monitoring process | noun | A particular series of actions or steps to analyze, assess, and review audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security. | Process, Internal | |
| Training Effectiveness Evaluation | noun | Information collected to assist employees and their supervisors in assessing individual students' subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole. | Metric, Internal, PII | |
| Two-way polling | noun | An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages. | Process, Internal | |
| Ultra forward service | noun | A service that allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage. | Capability, Internal | |
| User Contingency Plan | noun | The alternative methods of continuing business operations if IT systems are unavailable. | Process, Internal | |
| Vulnerability Management plan | noun | The purpose of this plan is to establish the organization's assessment and testing process to ensure systems are less susceptible to cyber attack. | Vulnerability, Internal | |
| Wallet card | noun | Portable information cards that provide emergency communications information for customers and employees. | Physical, Internal | |
| Warm site | noun | Backup site which typically contains the data links and preconfigured equipment necessary to rapidly start operations, but does not contain live data. Thus, commencing operations at a warm site will (at a minimum) require the restoration of current data. | Physical, Internal | |