
Dictionary · FFIEC Cybersecurity Assessment Tool, Baseline, May 2017

L2 — definitions grouped by regulatory framework.

308 senses under FFIEC Cybersecurity Assessment Tool, Baseline, May 2017

Verbs

67 senses
change

To make, or become different; alter.

address

To deal with an issue.

follow

To act according to the instruction or example.

review and test

To assess something and evaluate it for quality, performance, or reliability.

reflect

To embody or represent something in a way that is true to the original or appropriate.

alert

To warn or give notice of potential danger, threats, or issues.

update

To modernize or bring up to date.

recover

To return to a normal state.

hold

To keep possession of something or have in one's possession.

use

To put into action.

identify

To establish, indicate, or verify who or what someone or something is.

make available

To provide access.

maintain

To retain records in identifiable record keeping systems over time in accordance with appraisal decisions.

approve

To officially accept as satisfactory.

improve

To make or become better; enhance in value or quantity.

implement

To put a plan, policy, decision, agreement, etc. into action or effect.

require

To specify as compulsory or obligatory.

assign

To appoint someone to a job, duty, task, or organization; allocate a job, duty, or task.

manage

To run a business, organization, or undertaking; direct; administer; be in charge of.

store

To retain or enter information for future electronic retrieval.

define and assign roles and responsibilities

To specify and designate roles and responsibilities for functions within an organization.

define

To state or describe exactly the nature, scope, or meaning of something.

authorize

To give official permission or approval for an undertaking; sanction; empower.

mitigate

To lessen or to try to lessen the severity, pain, seriousness, extent, or gravity of.

utilize

To put into use or make use of.

terminate

To bring to an end; form a conclusion; close.

base

To serve as a foundation, underlying support, or starting point for something.

transmit

To send or cause something to pass on from one place or person to another.

segregate

To isolate, set apart, or divide from the rest or each other.

be available

To be able to be used or obtained.

prepare

To make something or someone ready for use or consideration.

retain

To keep in possession.

document

To record something in detail through photography, writing, or other form.

prioritize

To determine the order for dealing with a series of items or tasks according to their relative importance.

prevent

To keep something from happening or stop someone from doing something.

enhance

To make greater in value, beauty, effectiveness, quality, etc.; augment; increase; intensify.

monitor and review

To observe something and examine it for correctness.

specify

To identify or state clearly, definitely, and in detail.

respond

To act or behave in reaction to someone or something.

prohibit

To forbid something by authority, law, or other rule.

notify

To give someone facts or information about something, typically in an official or formal manner.

evaluate

To assess or form an idea of the nature, quality, ability, amount, number, or value of something.

enforce

To compel obedience to, observance of, or compliance with laws, rules, duties, or commitments.

set

To arrange a device so it performs a particular operation.

classify

To arrange information, things, or a group of people in classes or categories according to shared qualities or characteristics.

collaboration

To work together, especially in a joint intellectual effort.

integrate

To merge two things or one thing with another to form a whole.

establish

To start something that will last for a long time, or to create or set something in a particular way.

conduct

To manage, control, or organize and carry out.

comply

To act in accordance with a wish, command, law, standard, or contractual obligation.

establish and maintain

To lay the groundwork for something and uphold it or ensure continuation by requiring maintenance.

share

To have something in common or use jointly.

restrict

To confine or put a limit on; keep under control; restrain.

perform

To carry out an action, task, or function.

contact

To communicate with someone.

trigger

To cause a process to happen or a mechanism to take place.

control

To exercise authority over; direct; regulate. This includes exercising authority over the processes of issuance and revocation, management, and auditing.

involve

To include someone or something in an activity or situation, or as a necessary part.

protect

To shield or defend from danger, harm, injury, loss, destruction, or damage.

coordinate

To bring the different elements of a complex activity into a relationship that will ensure efficiency.

control and monitor

To have the power to direct or operate something in a certain way and regularly observe it.

validate

To check or prove the accuracy or logical soundness of something; verify; confirm.

limit

To restrict or assign boundaries to something.

provide

To supply or make something available for use.

sign

To write one's name on something, or to provide some other mark to identify oneself or give authorization.

review

To examine or evaluate formally with the intent of making changes if necessary.

lock

To fasten or secure something with a mechanical device used for keeping things fastened.

Nouns

241 senses
Multi-factor authentication

Authentication using two or more factors. Factors include something you know (e.g., password/PIN), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric).

access

The ability, right, or permission to approach, enter, speak with someone, or use something.

access control

A system or measures that limit the retrieving, obtaining, or examining of information, or information processing resources, to persons or applications authorized by the system or data classification.

access log

A log that lists who has been permitted to physically or logically gain access.

accountability

The fact or condition of being required or expected to justify actions or decisions; responsibility.

privileged utility program

Specialized system software used to perform a particular function or system maintenance that requires the ability to bypass, modify, or disable the technical or operational system security controls.

provide for

Make adequate preparation for something.

protocols, ports, applications, and services list

A compilation of all protocols, ports, applications, and services that are available.

recourse

The legal right to demand compensation or payment.

report

A written document describing the findings of some individual or group.

regulator

A person or body that supervises a particular industry, business activity, or legal body.

regulatory notice

Any documented (in print or electronic format) notice used to inform affected parties regarding regulatory issues.

remote access

Access to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

removable storage media

Portable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and which are used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.

requirement

A formal statement of a necessary condition; something needed.

reputation

The beliefs, opinion, or social evaluation of the public about someone or something.

response team

Response teams include business, IT, emergency management, public affairs, communications, and continuity personnel.

resilience

The ability of a network, system, business function, or organization to recover automatically or quickly from a disruption, typically with minimal recognizable effect. For example, an armored cable will resist failure when put under stress.

risk management control

Controls associated with instruments that introduce risks that require effective adherence to the relevant clearing house, association, interchange, and regulatory requirements.

scenario

A postulated sequence or development of events.

secure coding practice

A method used as part of the software development life cycle risk management so that software applications are designed and implemented with appropriate security requirements.

security alert

Any form of notification or alert structure that something is amiss with the system's configuration, settings, etc.

security assessment report

Any published finding of security component audits such as a vulnerability assessment.

security control

A safeguard or countermeasure to avoid, counteract or minimize security risks relating to personal property, or any company property. For business-to-business facing organizations whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls.

Security Event Log

This record contains records of any security-related and auditing-related events.

security requirement

A necessary condition that must be met to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

security test

The purpose of this task is to determine if the security features of a system are implemented and functioning as designed. This process includes hands-on functional testing, penetration testing, and vulnerability scanning.

service provider

A business that provides its customers with a service.

separation of duty

Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.

session

A session is an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. One user session is the time between starting the application and quitting.

stability

The state of being firmly established; unlikely to change or fail.

status

The relative position or state of something.

spam filtering software

A program that analyzes e-mails to look for characteristics of spam, and typically places messages that appear to be spam in a separate e-mail folder.

software security control

The software and procedures used to assist in the protection of information systems and the files created, communicated, and stored by individuals and organizations.

software

Computer programs and associated data, within the cryptographic boundary and usually stored on erasable media, that may be dynamically written or modified during execution. (Erasable media may include, but are not limited to, hard drives.)

strong cryptography

Cryptographic techniques that make it almost impossible to decrypt without having the key. The strength relies on the cryptographic key used. Effective size of the key should meet the minimum key size of comparable strengths recommendations based on industry-tested and accepted algorithms and strong key lengths. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.

subscribe

Receive or obtain regularly.

sufficiency

Having enough information to meet the needs of the user.

system implementation

The process of putting a planned system into action; the stage of systems development in which hardware and software are acquired, developed, and installed, the system is tested and documented, people are trained to operate and use the system, and an organization converts to the use of the newly developed system.

system

An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

system configuration

The setting of various switches and jumpers for hardware and the defining of values of parameters for software.

System Development Life Cycle

A series of stages that the process of system development goes through in order to design and produce a system.

technology

Equipment and machinery developed from the practical application of scientific knowledge to commerce or industry.

test

The purpose of this task is to determine if and how well something works.

threat monitoring process

A particular series of actions or steps to analyze, assess and review audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.

termination

A coming to an end of a contract period.

threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

timely manner

As quickly as is reasonable in a particular situation.

third party

A person or group besides the two primarily involved in a situation, agreement, business, etc.

threat information sharing

The act of providing threat information between two or more parties for the mutual benefit to use such information to mitigate risks.

third party dependency

A third party that may have no interest in an organization's project or operations, but can have an impact on them.

third party management

An arrangement where a company will assume the day-to-day management of a property or package of properties it does not own for another company or institution in return for a fee.

third party risk assessment

The process of identifying and determining the risk associated to a specific third party.

Third Party Service Provider List

This record contains lists of all third party service providers and their contacts within each organization.

threat intelligence service

A service that provides threat intelligence so that organizations can mitigate threats and remediate vulnerabilities.

threat information

Information about a potential source of danger or undesirable event.

train

The purpose of this task is to teach a person or animal a skill or behavior.

transaction

In Computing: data and operations related to a specific task that must be processed completely or rejected.

track

Follow the course, trail, or progress of.

unauthorized software

An application or device driver whose use has not been permitted by the controlling authority.

unauthorized access

Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.

unauthorized physical access

Access to a building, room, site, etc., that is not permitted.

unusual activity

Unexpected or extraordinary behavior.

user

This role focuses on the use or operation of a system, having an account on a system, accessing a cryptographic module to obtain cryptographic services, or receiving or using services from an automated information system facility. Any individual or organization that uses or operates a system, has an account on a system, accesses cryptographic modules to obtain cryptographic services, or uses or receives services from an automated information system facility should be assigned to this role.

unnecessary default account

Default accounts that do not need to be installed on the system.

user access

The ability of an end-user to obtain, examine, or retrieve data or a file.

user access review

A process that an organization implements to actively monitor and verify the appropriateness of a user's access to systems and applications, based on an understanding of the minimum necessary for users to perform or support business activities or functions. The responsibility for granting access and performing periodic verification of the appropriateness of that access rests with the system and/or business owner of the system or application.

vulnerability

A weakness in an information system, administrative controls, internal controls, system security practices and procedures, implementation, or physical layout that could be accidentally triggered or intentionally exploited by a threat in order to gain unauthorized access to information or disrupt processing.

warrant

Justify or necessitate a course of action.

when

This limits a Control or Mandate's secondary verb to be put into play as something is happening.

wireless network

A computer network that is not connected by cables of any kind.

critical system

A system that is necessary and crucial to the organization.

administrative responsibility

The day-to-day management of a system or process, including tasks like creating accounts, updating role assignments, tracking requests, and so forth.

affected party

This role is focused on contracting parties who are affected by organizational activities. Any individual who is in a contract and is affected by organizational activities should be assigned to this role.

after

This limits a Control or Mandate's secondary verb to be put into play once the event taking place has concluded.

alert parameter

A parameter that is used to determine when an alert is triggered.

anomalous activity

Any actions that occur outside of what is expected, as measured against what "normally" should be happening.

anomalous transaction

A transaction that deviates from the standards, procedures, and processes used to create a transaction.

antimalware software

A program that monitors a computer or network to identify all major types of malware: viruses, trojan horses, spyware, adware, worms, rootkits, etc.

application

A computer program designed to help people perform a certain type of work, including specific functions such as payroll, inventory control, accounting, and mission support. Depending on the work for which it was designed, an application can manipulate text, numbers, graphics, or a combination of these elements. An application contrasts with a systems program, such as an operating system or network control program, and with utility programs, such as copy or sort.

apply

Bring or put into operation or practical use.

appropriate personnel

The suitable or proper person or persons employed in an organization.

assessment

The purpose of this task is to estimate or determine the nature, value, ability, or quality of someone or something.

asset

In Information Technology: the combination of logical and physical components and resources, grouped into specific classes (information, systems, software, hardware, people).

asset inventory

A complete list of all the resources owned by an organization that is used in operations or used to support operations.

audit log

A security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event.

attack

In Computing: any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

audit

The task of reviewing and examining records and activities to assess the adequacy of controls, to ensure compliance with established policies and operational procedures or other applicable contractual and licensing requirements, and to recommend necessary changes in controls, policies, or procedures. May be carried out by internal or external groups. The most common forms are compliance, operational, or vulnerability.

authentication control

One of several systems which restrict user access to a network.

authentication procedure

The documented steps necessary to authenticate the identity of an entity through the use of credentials in order to gain access to the system.

authorized personnel

This role is focused on employees who are granted access to the organization's assets, information, and/or certain areas, or permitted to conduct certain work. Any individual who is sanctioned by management should be assigned to this role.

be responsible

Have an obligation to do something, or have control over or care for someone, as part of one’s job or role.

before

This limits a Control or Mandate's secondary verb to be put into play prior to the event taking place.

background

A person's previous experience, education, or social circumstances.

criticality

The level of impact an interruption in service or exposure will have on an organization. (CMS)

critical business function

A process that is necessary for a business to perform.

critical business process

A business process that must be restored immediately after a disruption to ensure the affected firm's ability to protect its assets, meet its critical needs, and satisfy mandatory regulations and requirements.

critical third party

A necessary third party that is vital to an organization's operations.

budget process

The process by which an organization or individual creates and manages a financial plan. Within a larger business, the budget process is typically performed by managers who often obtain projected spending requirements and suggestions from their staff.

board

The corporate board of directors or any other oversight authority for the organization.

board committee

A group consisting of the members of a board of directors that is mandated to carry out specified functions, programs, or projects assigned by the board.

boundary protection device

A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.

business continuity

The providing of critical business functions to customers, suppliers, regulators, and other entities at acceptable predefined levels after incidents and business interruptions.

Business Continuity Plan

A proposal detailing the processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster.

business continuity testing

The act of performing a test to evaluate the effectiveness of an organization's business continuity plan.

business continuity program

A documented approach undertaken by an organization to implement business continuity.

Business Value

How much a business is worth. Business value is a highly subjective measure because it involves estimating the value of intangible assets like trade secrets and brand recognition. It adds to this the value of tangible assets like machinery and stockholder equity. Business value is especially important for potential investors or buyers.

change management process

Activities performed while following the change management procedures.

code

In Computing: a set of symbols used to communicate instructions for performing operations; a character set.

communication channel

A medium over which data is transferred between remote devices.

contract

A document that records the terms and conditions of a legally binding agreement.

Controls

This record category contains standards used as a comparison for checking and verifying results of a survey or experiment or contains policies, procedures, practices, and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.

confidential data

Data or records that are private or proprietary.

condition

A particular state of a person or thing.

contact information

Information usually containing the person's telephone number(s), fax number, address, and electronic mail address(es).

continuity plan

A step by step outline of management procedures designed to maintain and restore business operations in the event of an emergency or system failure.

contract termination

Cancellation of an entire contract or of its most significant part.

corrective action

Action that is taken in order to rectify errors that were made.

customer educational material

Educational materials used to inform customers about topics regarding the products and/or services that they use.

cyber threat

A potential cyber attack, which may be assigned a probability of occurrence that can be used for cyber risk assessment.

customer information

A term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.

cybersecurity event

Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

cybersecurity training

Activities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.

Customer Service

The purpose of this function is to provide and manage information delivery and support to an organization's clients regarding its products and/or services.

customer access

A customer’s ability and means to communicate or interact with a system, use system resources or to control system components and functions.

cyber incident

Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.

customer information system

For purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

damage

Detrimental effects; physical harm or injury that impairs value or usefulness.

cyber incident response roles and responsibilities

The functions and duties of personnel who are responsible for triaging and resolving cybersecurity events that disrupt operations, and for alerting interested personnel and affected parties in conformance with pertinent standards.

information security training

Training strives to produce relevant and needed (information) security skills and competencies.

information security program

A documented approach for organizing and directing all activities undertaken to ensure the confidentiality, integrity, and availability of the information held by the organization.

data

A subset of information in an electronic format that allows it to be retrieved or transmitted. (CNSSI-4009)

Information Security risk

The combination of the probability and severity of impact that results from a threat successfully breaking through a vulnerability in security and attacking the organization's information.

information security roles and responsibilities

The position and collection of tasks, duties, and obligations that participants undertake to perform the daily and all special tasks in the role of information security.

data classification

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

data flow diagram

A simplified drawing of how data moves throughout an application, system, or network.

data recovery

The purpose of this task is to restore data that has been damaged, lost, or corrupted.

default password

Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account. Default accounts and passwords are published and well known, and therefore easily guessed.

discuss

Talk about (something) with another person or group of people.

destruction

The purpose of this task is to remove an asset from existence and to ensure media cannot be reused as originally intended and information is virtually impossible to recover or prohibitively expensive to recover.

destruction of data

The complete physical destruction of data or of the data carrier containing them.

detect

Discover, investigate, or discern the existence or presence of something.

information security strategy

A plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements.

information security threat

Any circumstance or event with the potential to adversely impact the measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

information technology risk management

Information Technology risk management is the application of the principles of risk management to an Information Technology organization in order to manage the risks associated with the field. Information Technology risk management aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of Information Technology as part of a larger enterprise. Information Technology risk management is a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of service and operations that can degrade organizational value, but it also takes the potential benefits of risky ventures into account.

due diligence

The purpose of this task is to take reasonable action in order to comply with a law or industry standard.

elevated access

Roles or permissions that, if misused or compromised, could allow a person to exploit the system for his or her own gain or illicit purpose.

employee

This role focuses on individuals who work directly for an organization, e.g. university, government, company. Any individual who works directly for an organization and is paid a wage or salary for their work should be assigned to this role.

employee access

The privileges to gain entry to somewhere or to use something given only to employees.

encrypted connection

A connection between a computer and another computer where the traffic between the two systems has been encrypted.

emerging issue

A known topic or problem that is changing or a topic or problem that most people are not aware of.

encrypt

Convert data or information into a cipher or code; encipher; encode; conceal.

expense

The cost required for something; the money spent on something.

escrow

A deed, a bond, money, or a piece of property held in trust by a third party to be turned over to the grantee only upon fulfillment of a condition.

event

Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring. (CNSSI-4009).

event log

A basic resource that helps provide information about network traffic, usage and other conditions. An event log stores these data for retrieval by security professionals or automated security systems to help network administrators manage various aspects such as security, performance and transparency.

expertise

Skill or knowledge in a particular area.

exist

Have objective reality or being.

external connection

A link between a system within the organizational boundaries and a secondary (or multiple) system(s) outside of the organizational boundaries.

external connectivity

A computer or network connection to an outside, uncontrolled network that is unprotected by perimeter security, e.g., a modem connection to a network computer.

filter

In Computing: a piece of software that transforms data in some way, such as removing unwanted spaces from text or formatting it for use in another application.

financial condition

The status of a firm's assets, liabilities and equity positions at a specific point in time, often described in a financial statement.

firewall

Hardware and/or software gateway technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.

firewall rule

Firewall rules examine the control information in individual packets. The rules either block or allow those packets based on the criteria that have been defined for them. Firewall rules are assigned directly to computers or to policies that are in turn assigned to a computer or collection of computers.

formal contract

An officially recognized agreement between two or more parties.

gather

Bring together and take in from scattered places or sources.

grant access to the system

The purpose of this task is to permit a user to logically or physically gain entry to a computer and/or network.

hardware

Physical, mechanical, and electrical components of a system, especially a computer.

government agency

A state, county, or federal government organization that enforces laws, rules, or regulations.

Identification and Authentication

The purpose of this function is to verify the identity of an entity through the use of specific credentials as a prerequisite for granting access to resources in an IT system.

Incident Management System

The tools (software and otherwise), reports, and processes used to input, process, and close incident reports from input through resolution.

if

This limits a Control's or Mandate's secondary verb so that it comes into play only should the stated event occur.

incident detection

The process of identifying that an intrusion has been attempted, is occurring, or has occurred.

incident response policy

The documented rules and guidelines on how an organization should address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.

incident response process

An established or official method for implementing the incident response policy, or for performing the tasks, processes, or operations needed to address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively. It must be executed in the same manner in order to obtain the same results in the same circumstances.

incident

An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

include

Make part of a whole or set.

Incident Report

A record containing the details of an incident. Each incident record documents the lifecycle of a single incident.

incident response notification procedure

A detailed description of the steps necessary to tell interested personnel and affected parties about disruptions in service and operations in conformance with applicable standards.

incident response

The purpose of this task is to address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.

incident response notification process

A series of steps undertaken to detect, triage, and resolve events that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards.

incident response personnel

Personnel assigned by an organization to manage or engage in incident response tasks.

information security control

Practices and procedures established to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

incident response program

A documented approach for organizing and directing all activities undertaken to handle known security breaches or attacks in such a way as to limit damage and reduce the organization's recovery time and costs.

incident response team member's role and responsibility

The functions and duties of individuals who are supposed to return service or operations back to normal after a disruption has occurred.

industry standard

A norm or requirement established within an industry; it is typically a formal document establishing uniform technical or engineering processes or criteria.

information security event

Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.

information flow

The path data takes from its original source to the end user.

install

Set up for use.

Information Security

The measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

information security incident

A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

intellectual property

Creations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract 'properties' has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.

internal risk management

Internal risk management involves all activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures.

investigation

The purpose of this task is to discover and examine the facts of an incident or allegation to establish the truth.

issue

An important question, point, or problem to be disputed, discussed, or decided.

job responsibility

The tasks and duties required of a particular employment position.

least privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Law Enforcement

The purpose of this function is to protect people, places, and things from criminal activity due to noncompliance with applicable laws, including patrols, undercover operations, responses to emergency calls, as well as arrests, raids, and seizures of property.

likelihood

The state or fact of something's being likely; probability.

return

An act of going or coming back again to a place, person, condition, or activity.

log

The purpose of this task is to record events or transactions in record-keeping systems.

log management

The process for generating, transmitting, storing, analyzing, and disposing of log data.

logging operation

The process of collecting and interpreting logs within configured parameters.

logical access

The ability to interact with data through access control procedures such as identification, authentication, and authorization.

reuse

The action of using something again or more than once.

management

This role focuses on administering, organizing, and overseeing the organization. Any individuals who are involved in the administration, organization, supervision, and oversight of the organization should be assigned to this role.

meet

Fulfill or satisfy (a need, requirement, or condition).

migrate

Move software or hardware to a different computer system.

meeting

The social act of assembling for some common purpose.

mobile device

Includes notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations.

missing security update

A security update that has not been implemented.

monitoring procedure

A description of the steps that are necessary to watch and check the progress or quality of something over a period of time according to standards.

mitigation action

An action taken by an organization to reduce the impact of a possible problem or incident.

monitor

The purpose of this task is to regularly assess IT processes or systems over time for quality and compliance with control requirements.

network diagram

A diagram showing system components and connections within a networked environment.

no longer needed for legal, regulatory, or business reason

Something that is not needed anymore for business, regulatory, or legal reasons.

network activity baseline

Establishing a trusted baseline document involves identifying the following:

- network data points of interest
- length of the baseline data collection period
- methods and tools used to collect and store data

Suggested network data points of interest include the following:

- a list of predetermined devices a given workstation or server should communicate with
- VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information
- the known set of ports and protocols in use by the network
- firewall and intrusion detection system logs
- normal traffic patterns and flows

non-production environment

A test environment that simulates the setup in which the system will be deployed.

operational performance report

A report that details the findings of a performance review of a business's operations.

operation

An active process; a discharge of a function.

password

A string of characters that allows access to a computer, interface, or system.

password attempt

An effort to input a password to gain access to a system.

password complexity

A set of rules that defines which characters, and how many characters, a password must contain.

patch management program

A documented approach for organizing and directing all activities undertaken to manage patches or upgrades for software and hardware.

risk assessment

A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

patch

A file containing software or operating system code that is intended to correct a vulnerability, a defect, or to improve the functioning of code.

patch log

A list that shows patches that have been installed and patches that still need to be installed to update software.

risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:

- the adverse impacts that would arise if the circumstance or event occurs; and
- the likelihood of occurrence.

Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

period of inactivity

The planned or actual time an operation is not engaged in run time, or the active production of a product. Idle time is typically scheduled, for setup, maintenance or other activities, or unscheduled due to lack of a required resource such as material.

physical security control

Devices that rely on the proper application of physical barriers and deterrents to control behavior. It is through the use of physical controls that an organization controls physical access to facilities and systems. They also assist in maintaining the operating environments necessary to continue information processing and delivery activities.

policy

An official expression of principles that direct an organization's operations.

physical access log

A record of who has accessed something.

port

A physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).

process

A particular series of actions or steps to bring about a certain outcome; series of procedures.

policy and procedure

Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals, typically published in a booklet or other widely accessible form. Policies and procedures are designed to influence and determine all major decisions and actions, and all activities take place within the boundaries set by them. Procedures are the specific methods employed to express policies in action in the day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

protection

The activity of keeping someone or something safe from harm or injury.

procedure

An established or official method for implementing a policy or performing a task or operation which must be executed in the same manner in order to obtain the same results in the same circumstances.

qualified personnel

A person who is certified or licensed to work in a specific field; competent person.

prompt

In Computing: to request input from a user.

production code

Code that is currently used in a production environment.

production environment

Production environment is a term used mostly by developers to describe the setting where software and other products are actually put into operation for their intended uses by end users. A production environment can be thought of as a real-time setting where programs are run and hardware setups are installed and relied on for organization or commercial daily operations.