Dictionary · NIST SP 800-27

L2 — definitions grouped by regulatory framework.

20 senses under NIST SP 800-27

Nouns

accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Assurance

Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Availability

Ensuring timely and reliable access to and use of information.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

data integrity

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.

Domain

A set of subjects, their information objects, and a common security policy.

Entity

Either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

IT Security Architecture

A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.

IT-Related Risk

The net mission/business impact considering 1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability, and 2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission/business loss due to, but not limited to:

- Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information;
- Non-malicious errors and omissions;
- IT disruptions due to natural or man-made disasters; or
- Failure to exercise due care and diligence in the implementation and operation of the IT.

risk analysis

The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.

object

A passive entity that contains or receives information.

Security Goals

The five security goals are confidentiality, availability, integrity, accountability, and assurance.

Security Domain

A set of subjects, their information objects, and a common security policy.

Security Service

A capability that supports one, or many, of the security goals. Examples of security services are key management, access control, and authentication.

security policy

The statement of required protection of the information objects.

system integrity

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.

Threat analysis

The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.