
Dictionary · NERC CIP-010-2 (Config Change Management & Vulnerability) v2

L2 — definitions grouped by regulatory framework.

110 senses under NERC CIP-010-2 (Config Change Management & Vulnerability) v2

Verbs

26 senses

add

To join something to something else to increase the size, number, amount, or degree.

affect

To have an effect on someone or something; make a difference to someone or something.

mitigate

To lessen or to try to lessen the severity, pain, seriousness, extent, or gravity of.

update

The act of modernizing or bringing someone or something up to date.

account

To think of as or regard in a specified way; consider.

verify

To make certain or prove that something is true or accurate; confirm; substantiate.

develop

To create or produce; bring into activity; generate.

keep

To have or maintain possession of something.

limit

To restrict or assign boundaries to something.

determine

To establish or ascertain exactly as a result of research or calculation.

authorize and document

To provide and record official approval.

authorize

To give official permission or approval for an undertaking; sanction; empower.

retain

To keep in possession.

document

To record something in detail through photography, writing, or other form.

ensure

To make certain that something shall occur or be the case.

require

To specify as compulsory or obligatory.

remediate

To correct or make right a problem or undesirable situation, especially in regards to stopping or reversing environmental damage.

change

The addition, modification or removal of anything that could have an effect on IT services. The scope should include all IT services, configuration items, processes, documentation, etc.

manage

To run a business, organization, or undertaking; direct; administer; be in charge of.

perform

To carry out an action, task, or function.

review

To examine or evaluate formally with the intent of making changes if necessary.

implement

To put a new system into effect.

conduct

To manage, control, or organize and carry out.

connect

To join so that a real or perceived link is established.

restrict

To confine or put a limit on; keep under control; restrain.

use

The action of employing something or the state of being put into action for some purpose.

Nouns

84 senses

Multi-factor authentication

Authentication using two or more factors to achieve authentication. Factors include: • something you know (e.g. password/PIN); • something you have (e.g., cryptographic identification device, token); or • something you are (e.g., biometric).

action item

A documented event, task or action that needs to take place. Action items are discrete units that can be handled by a single person.

action plan

Steps that must be taken, or activities that must be performed well, for a strategy to succeed. An action plan has three major elements: (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities.

requirement

A formal statement of a necessary condition; something needed.

responsible entity

Any group, or even an individual, within an organization that has been given responsibility for a particular process.

risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: • the adverse impacts that would arise if the circumstance or event occurs; and • the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

result

A consequence, effect, or outcome of something.

role

A set of responsibilities defined in a process and assigned to a person or team.

security patch

Computer code intended to repair or lessen the impact of vulnerabilities within application software.

security patching process

The series of steps taken to acquire, test, and distribute security patches to the appropriate administrators and users throughout the organization.

security patching

The purpose of this task is to distribute and apply security patches to organizational operating systems and applications.

show

Give expression to.

signature

A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.

software

Computer programs and associated data, within the cryptographic boundary and usually stored on erasable media, that may be dynamically written or modified during execution. (Erasable media may include, but are not limited to, hard drives.)

System hardening

Configuring all configurable items within an entire system to reduce the host’s security weaknesses.

test

To ascertain the performance, reliability, or quality of something.

test environment

A controlled environment in which tests will be run on configuration items, builds, processes, IT services, etc.

threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

three

The Roman numeral of the cardinal number three.

transient cyber asset

A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

unauthorized use

Use of an asset for a person's own purpose without the consent of the owner.

unauthorized change

A purposeful and perhaps unlawful modification of financial data to hide wrong-doing, loss or other disclosure.

unpatched software

Software which has not undergone a vulnerability correction, a defect correction, or an improvement of code function.

user

This role focuses on the use or operation of a system, having an account on a system, accessing a cryptographic module to obtain cryptographic services, or receiving or using services from an automated information system facility. Any individual or organization that uses or operates a system, has an account on a system, accesses cryptographic modules to obtain cryptographic services, or uses or receives services from an automated information system facility should be assigned to this role.

Verification

The process of establishing the truth, accuracy, or validity of something.

vulnerability

A weakness in an information system, administrative controls, internal controls, system security practices and procedures, implementation, or physical layout that could be accidentally triggered or intentionally exploited by a threat in order to gain unauthorized access to information or disrupt processing.

Vulnerability Assessment

The purpose of this task is to systematically examine an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

vulnerability mitigation

The purpose of this task is to prioritize, evaluate, and implement measures and controls to counteract a weakness or vulnerability.

year

A period of time equal to roughly 365 days.

Antivirus software

A program that monitors a computer or network to identify all viruses and prevent or contain virus incidents.

antivirus update level

The level or version of antivirus software.

antivirus update process

A particular series of actions or steps to bring about an antivirus update.

applicable requirement

The relevant or appropriate necessary condition or conditions.

application whitelisting

Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for resources. The whitelist is a simple list of applications that have been granted permission by the user or an administrator. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run. An integrity check measure, such as hashing, is generally added to ensure that the application is in fact the authorized program and not a malicious or otherwise inappropriate one with the same name.

apply

Bring or put into operation or practical use.

assessment

The purpose of this task is to estimate or determine the nature, value, ability, or quality of someone or something.

audit record

An individual entry in an audit log related to an audited event.

baseline configuration

A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.

before

This limits a Control or Mandate's secondary verb to be put into play prior to the event taking place.

business function

An activity that is integral to operations or supporting operations within the entity, e.g. sales, marketing, manufacturing, accounting, etc.

Bulk Electric System Cyber System

One or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Calendar

This record category contains a document organized chronologically, especially in tabular form, indicating the day of week, date, and month or contains a chronological listing of documents in a collection, which may be comprehensive or selective, and which may include details about the writer, recipient, date, place, summary of content, type of document, and page or leaf count.

Compliance

The state of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements.

completion date

A date when something will be finished, especially the date when a new building, road, etc. will be finished according to a contract; or the date when the ownership of a property legally passes from one person to another.

Compliance Enforcement Authority

The North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.

connection

The state of being linked physically or notionally.

cyber asset

Programmable electronic devices and communication networks including hardware, software and data.

custom software

Software developed for a specific use, user, or organization.

cybersecurity control

Practices and procedures established to protect organizational assets, user assets, and the cyber environment from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.

data

A subset of information in an electronic format that allows it to be retrieved or transmitted. (CNSSI-4009)

day

A period of time that consists of twenty-four hours.

description

A statement that represents something in words.

deviate

Turn aside; turn away from.

detect

Discover, investigate, or discern the existence or presence of something.

difference

The quality of being unlike or dissimilar.

execution status

The status of the implementation or enactment of a plan, order, or course of action.

Evidence

Information used to establish facts.

executable

A file or program that can be run by a computer.

Full Disk Encryption

The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product.

group

A term referring to a grouping of users.

Impact

To come into contact with another object forcibly.

include

Make part of a whole or set.

individual

A human being.

information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

introduction

The act of starting something for the first time; introducing something new.

Investigate

To carry out a formal or systematic inquiry to discover and examine the facts of an event, incident, etc. in order to establish the truth.

live CD

A live CD or live disk is a self-contained bootable and fully operational operating system (OS) on a disk, typically a CD or DVD or even a USB drive, depending on the size of the OS. This version of an OS can boot and run on a PC without ever needing to be installed on the computer's hard drive or changing the PC settings, allowing a user to recover files on a computer with a corrupted OS or to simply experiment on different things without fear of corrupting any files on the disk or the OS installation. Some versions of Linux are small and portable enough to function in a live CD.

location

A particular point or position in space.

malicious code

Software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.

measure

A plan or course of action taken to achieve a particular purpose.

method

A means or particular procedure for accomplishing or approaching something.

month

Each of the twelve named periods into which a year is divided.

mitigation action

An action taken by an organization to reduce the impact of a possible problem or incident.

monitor

To watch and check the progress or quality of something over a period of time; keep under regular surveillance.

network port

A network port is a process-specific or application-specific software construct serving as a communication endpoint, used by the Transport Layer protocols of the Internet Protocol suite, such as the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP).

non-compliance

The failure to achieve performance criteria of a regulation or authority.

operation

Data processing in which the result is completely specified by a rule (especially the processing that results from a single instruction).

Operating system

The software 'master control application' that runs the computer. It is the first program loaded when the computer is turned on, and its principal component, the kernel, resides in memory at all times. The OS sets the standards for all application programs (such as the mail server) that run in the computer. The applications communicate with the OS for most user interface and file management operations.

physical access

The ability of people to physically gain access to a computer system or facility.

prior

Existing or coming before in time, order, or importance.

prior to

This limits a Control or Mandate's secondary verb to be put into play before the event takes place.

production environment

Production environment is a term used mostly by developers to describe the setting where software and other products are actually put into operation for their intended uses by end users. A production environment can be thought of as a real-time setting where programs are run and hardware setups are installed and relied on for organization or commercial daily operations.

read-only media

Media that can only be written to once.

removable storage media

Portable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.