Dictionary · NY DFS Part 500 (NYCRR Title 23, Chapter 1, Part 500)

To consent to receive (something given or offered).

To modernize or bring up to date.

To establish or ascertain exactly as a result of research or calculation.

To deal with an issue.

To look over again and alter something in the light of further evidence.

To take up and follow a course or method.

To make or work out a plan for a specific purpose; devise.

To deploy or employ something for some purpose.

To officially accept as satisfactory.

To appoint someone to a post, duty, office, etc.

To estimate or determine the nature, value, ability, or quality of someone or something; evaluate.

To examine or evaluate formally with the intent of making changes if necessary.

To assess and change something if necessary and keep it up to date based on pertinent criteria.

To give support or aid to someone, typically by doing a share of the work; help.

To provide aid or give assistance to.

To put into use or make use of.

To serve as a foundation, underlying support, or starting point for something.

To record something in detail through photography, writing, or other form.

To keep in possession.

To be inactive or not in motion.

The act of altering something secretly or improperly.

To protect against danger, harm or threats; safeguard.

To present a proposal, application, or document to a person or body for approval, consideration, or judgment.

To make a passage through or across an area.

To assess or form an idea of the nature, quality, ability, amount, number, or value of something.

The act or process of making or becoming different; altering.

To perform a task or operation.

In Computing: to limit access to or the use of data, primary storage memory, memory address, etc.

To recognize as having met certain standards or possessing certain qualifications.

To compel obedience to, observance of, or compliance with laws, rules, duties, or commitments.

To manage, control, or organize and carry out.

To make something accessible, or make accessible an endeavor someone is to undertake.

To start something that will last for a long time, or to create or set something in a particular way.

To act in accordance with a wish, command, law, standard, or contractual obligation.

To lay the groundwork for something and uphold it or ensure continuation by requiring maintenance.

To supply or make something available for use.

To provide access.

To restrict or assign boundaries to something.

To answer or say something in reply.

To keep up; continue a condition or situation; carry on.

Practices and procedures established to create business value and minimize risk.

To run a business, organization, or undertaking; direct; administer; be in charge of.

To lessen or to try to lessen the severity, pain, seriousness, extent, or gravity of.

To act according to the instruction or example.

To build or form something again after damage or destruction.

To damage or injure physically or mentally.

To send or cause something to pass on from one place or person to another.

To keep away or remove.

To return to a normal state.

To give someone facts or information about something, typically in an official or formal manner.

To bring back to previous or normal condition, place, or position; re-establish; repair; renovate; rehabilitate.

To establish, indicate, or verify who or what someone or something is.

To keep possession of something or have in ones possession.

To specify as compulsory or obligatory.

To design something again or in a different manner.

To embody or represent something in a way that is true to the original or appropriate.

To carry out an action, task, or function.

To put a new system into effect.

To supervise a person or their work.

Authentication using two or more factors to achieve authentication. Factors include: • something you know (e.g. password/PIN); • something you have (e.g., cryptographic identification device, token); or • something you are (e.g., biometric).

The day-to-day functions of the business.

An application that is contracted out to an external provider for the development, deployment, and management.

Something determined in relation to something that includes it.

The action of supervising something.

The purpose of this task is to determine the effectiveness of security defenses by mimicking the actions of real-life attackers.

The act of doing a job, an activity, etc.

An assessment that is conducted on a regular interval.

People who are employed by and work directly within an organization.

The protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.

A particular series of actions or steps to bring about a certain outcome; series of procedures.

A set of policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible. Policies and procedures are designed to influence and determine all major decisions and actions, and all activities take place within the boundaries set by them. Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

Something provided or supplied.

The purpose of this function is to review the software project activities and to test the software products throughout their life cycle in order to determine if they are meeting the functional specifications of the users and are following the established plans, standards, and procedures to maintain a desired level of quality for a service or product.

Any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

To give a spoken or written account of something that has been seen, done etc.

Action taken to implement long-term restoration of environmental quality.

The purpose of this task is to correct a vulnerability or eliminate a threat.

An act of politely or formally expressing a need or desire for something; inquiry.

A formal statement of a necessary condition; something needed.

An asset available for use.

The action of providing an account of something.

Set by the organization, this requires third parties to provide certain update and other status reports, such as work status, Service Level Agreement status, etc.

A description or portrayal of someone or something.

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: • the adverse impacts that would arise if the circumstance or event occurs; and • the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

The state or fact of having control over someone.

The purpose of this task is to support the identification, prioritization, and estimation of risks to organizational operations, organizational assets, individuals, other organizations, and the Nation through the operation of an information system and assign a value to assets, threat frequency, and consequences.

Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and require s additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.

The position and collection of tasks, duties, obligations that participants undertake to complete a project.

A software development practice where the confidentiality, integrity, and availability of the software code is protected against threats and vulnerabilities.

The process of erasing or overwriting data stored on media before relinquishing control of said media when no longer required, in a manner that ensures that no data can be recovered from the media.

This record category contains ordered lists of times at which things are planned to occur.

The protection of computer facilities, computer systems, and data stored on computer systems or transmitted via computer networks from loss, misuse, or unauthorized access. Computer security, as defined by Appendix III to OMB Circular A-130, involves the use of management, personnel, operational, and technical controls to ensure that systems and applications operate effectively and provide confidentiality, integrity, and availability.

A manager who has responsibilities and authority broader in scope than a front-line manager and typically reports into a director or general manager level role. They manage the day-to-day activities of the business by setting direction in-line with the overall business strategy, setting goals and objectives and managing communication throughout their group.

An organization that exercises some degree of regulatory authority over an industry or profession.

Something of value provided to a customer such as banking, legal support, IT support, etc. that is not a physical thing with material value.

A written clear or definite expression of something.

A high ranking police officer.

This role focuses on the examination or auditing of financial records of financial institutions. Any state authority that is required by law to examine or audit financial records should be assigned to this role.

System and Network Monitoring supports all activities related to the real-time monitoring of systems and networks for optimal performance. System and network monitoring describes the use of tools and observation to determine the performance and status of information systems and is closely tied to other Information and Technology Management sub-functions.

An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

The process of designing and producing a system.

The day to day processes of using a system according to its design and development criteria.

A procedure, method, or process meant to ascertain the performance, reliability, or quality of something.

The protection of Bulk Electronic System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electronic System (BES).

Every time that.

A person or group besides the two primarily involved in a situation, agreement, business, etc.

Supply chain management is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies, i.e., Third Parties. Third party management is the process whereby companies monitor and manage interactions with all external parties with which it has a relationship.

The guidelines and rules on how an organization should to direct and supervise business activities and relations with a third party.

As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of “service provider,” dependent on the services provided. Most commonly, a TPSP could be a legally separate entity; but it can also be a separate business unit or component of the entity under assessment—for example, an internal service provider—where the provider is outside the direct management control of the entity assessed.

The purpose of this task is to teach a person or animal a skill or behavior.

Use of an asset for a person's own purpose without the consent of the owner.

Occurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.

The act of changing something to bring it up to date (usually by adding something).

This limits a Control or Mandate's secondary verb to be put into play upon the occasion of the event not taking place.

An identified entitlement that an end-user has to a particular system resource, such as a file folder, the use of certain system commands, or an amount of storage.

All events and processes executed including logons and logouts associated with a system user account.

An exception noted in tests of properly designed internal controls that may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness.

The purpose of this task is to systematically examine an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

A written guarantee, issued to the purchaser of a product or service by its manufacturer, that promises the good condition of the product or service and to repair or replace it within a specified period of time.

The ability, right, or permission to approach, enter, speak with someone, or use something.

A system or measures that limit the retrieving, obtaining, or examining of information, or information processing resources, to persons or applications authorized by the system or data classification.

Sufficient to satisfy a requirement or meet a need.

This role focuses on persons who are affiliated with other persons or organizations or on organizations or individuals that control or are controlled by a third party. Any person associated with another person or organization or any organization or individual being controlled by or controlling a third party should be assigned to this role.

The process during which a team creates a software program for a customer.

A region or part of a town, a country, or the world.

The purpose of this task is to estimate or determine the nature, value, ability, or quality of someone or something.

A complete list of all the resources owned by an organization that is used in operations or used to support operations.

This record contains chronological records that enables one to trace information back to the original input source, who changed what and when for accountability, allowing for the reconstruction and examination of the sequence of activities surrounding or leading to specific operations, procedures, or events in a security relevant transaction from inception to final result, including source documents, electronic logs, and records of access to restricted files.

A person who has the authority or permission to manage access or make changes to an account.

A group of persons chosen to govern the affairs of a corporation or other large institution.

Availability requirement relates to the need for information to be available when required.

Be something that is not adapted for use or action; not sensible or realistic.

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

A principle or standard by which something may be judged or decided.

The day-to-day execution, monitoring and management of business processes.

The act of creating processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster.

An established category.

The person in an organization responsible for: • Developing and implementing an information system security training and orientation program in accordance with FISMA requirements; • Developing, evaluating and providing information about the CMS Information Security (IS) Program, and communicating CMS IS Program requirements and concerns to CMS management and personnel; • Ensuring that System Security Plans (SSPs) are developed, reviewed, implemented, and revised; • Maintaining documentation used to establish systems security level designations for all SSPs within CMS; • Ensuring that IS Risk Assessments (RAs) are developed, reviewed, and implemented for the SSP process; • Providing leadership & participating in IS incident response and reporting IS incidents in accordance with reporting procedures developed and implemented by Federal mandates, DHHS, and CMS; • Mediating and resolving systems security issues that arise between two CMS organizations, CMS and other federal organizations, or CMS and States or contractors; • Assuring that CMS business Component Information System Security Officers (ISSOs) are appointed and trained; • Assisting CMS business Component ISSOs in developing local systems security; and • Researching state-of-the-art systems security technology and disseminating information material in a timely fashion.

The state of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements.

An internal control that reduces the risk of an existing or potential control weakness that could result in errors or omissions. Compensating controls may be considered when an organization does not wish to meet a requirement explicitly as stated, due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must • meet the intent and rigor of the original stated requirement; • repel a compromise attempt with similar force; • be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and • be commensurate with the additional risk imposed by not adhering to the originally stated requirement.

The circumstances and conditions that surround an event or environment.

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The loss of confidentiality is the unauthorized disclosure of information.

A triad of security practices that: (1) prohibit an unauthorized entity from accessing, creating, modifying, disclosing or destroying information; and (2) require information systems are operational when needed by authorized users.

The purpose of this task is to maintain ongoing awareness of information security, vulnerabilities, and threats in order to support organizational risk decisions and to assess, analyze, and report on security controls and organizational risks at a frequency that sufficiently supports risk-based security decisions and adequately protects an organization's information.

A measure in a contract intended to shield an individual or entity from harm, injury, or liability.

Actions and system controls present or undertaken to reduce or moderate the effect of specific vulnerabilities. A synonym for control. The term countermeasure can be used to refer to any type of control, but it is most often used when referring to measures that increase resilience, fault tolerance, or reliability of an IT service.

The ability an organization or individual has to determine what customer data in a computer system can be shared with third parties.

A potential cyber attack, which may be assigned a probability of occurrence that can be used for cyber risk assessment.

Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

An activity that is integral to the operation of the cybersecurity program.

A flaw in a organization's system which leaves it exposed to and defenseless against a cyberthreat.

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: - Availability - Integrity, which may include authenticity and non-repudiation - Confidentiality

All people who are employed by an organization to perform cybersecurity activities.

An integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.

Requirements levied on an Information Technology and Operations Technology that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted.

A risk to organizational operations, (including mission, functions, image, and reputation), resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information, Information Technology, and/or Operations Technology.

A set of criteria for the provision of security services.

A detailed description of the steps necessary to implement cybersecurity in conformance with applicable standards.

The exchange of data among different technologies, organizations, or persons.

Activities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.

A widely released fix for a cybersecurity related vulnerability.

A subset of information in an electronic format that allows it to be retrieved or transmitted. (CNSSI-4009)

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

A set of processes that ensures that important data assets are formally managed throughout the enterprise.

The person in the organization that makes organizational decisions.

A concise statement of the meaning of a word, phrase, or symbol.

Discover, investigate, or discern the existence or presence of something.

Managing the implementation, operation, and maintenance of a physical and/or virtual device. This includes the use of various administrative tools and processes for the maintenance and upkeep of a computing, network, mobile and/or virtual device.

The management or guidance of someone or something.

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

Materials created or collected to provide facts for reference, especially when created to substantiate decisions, actions, or events.

Measures regarded as prudent, responsible, and necessary to conduct a thorough and objective investigation, review, or analysis.

The series of actions an organization takes to implement the steps needed to ensure they respect human rights and do not contribute to conflict.

The degree to which information is relevant and pertinent to the business process as well as delivered in a timely, correct, consistent, and usable manner.

The process of rendering plaintext unintelligible by converting it to ciphertext that can be read only by those with the knowledge to decode the plaintext from the ciphertext. (SAA: Glossary of Archival and Records Terminology).

Act of ascertaining or making a judgment about the amount, number, value, or worth of something.

A person or thing equal to another in value or measure or force or effect or significance etc.

A mechanism that prevents or mitigates damage to facilities and interruptions in service. Smoke detectors, fire alarms and extinguishers, and uninterruptible power supplies are some examples of environmental controls.

Controls that are already present in an organization to protect against the identified threats and vulnerabilities.

A message that originates from outside the organization.

The state or degree of being easily or conveniently done.

A network not controlled by the organization.

An event or agreement carried out between a buyer and a seller to exchange an asset for payment.

Satisfy or meet a requirement or condition.

The object of a person or processes' ambition or effort; the aim or desired result.

The government of any country or of any political subdivision of any country,including: any instrumentality of any such government; any other person or organization authorized by law to perform any executive, legislative, judicial, regulatory, administrative, military, or police functions of any such government, and; any intergovernmental organization.

Recommendations suggesting, but not requiring, practices that produce similar, but not identical, results.

An observed threat to a process or asset.

The purpose of this task is to implement a set of functions and capabilities used for assurance of identity information (e.g., identifiers, credentials, attributes).

A change for the better; progress in development.

Have reference to; concern.

The process or act of establishing who or what someone or something is.

An application that has been developed within the organization.

To come into contact with another object forcibly.

Make part of a whole or set.

A human being.

Give someone facts or information.

Any task performed by an organization in reaction to an incident.

The purpose of this task is to address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization's IT systems(s).

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

The measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

The rules and guidelines of an organization on how to ensure the confidentiality, integrity, and availability of the organization's information.

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

A network where: • the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or • cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.

All the activities and key processes required in order for the company to excel at providing the value expected by the customers.

A message that is sent from within an organization.

Facts, information, and skills acquired by a person through experience or education; the theoretical or practical understanding of a subject.

The state or fact of something's being likely; probability.

An intentional, wrongful act performed against another without legal justification or excuse.

To watch and check the progress or quality of something over a period of time; keep under regular surveillance.

A measure, expressed as a function of the likelihood that an event may occur, how fast the event may impact objectives and the estimated negative impact that an event may have on objectives or the impact that an event had on objectives.

The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.

Any documented (in print or electronic format) notice or notification to another person by taking such steps as may be reasonably required to inform the other person in ordinary course, whether or not the other person actually comes to know of it.

A binding agreement committing a person to an immediate or future payment or other action.

Any personally identifiable or company proprietary information that is not publicly available. Non-Public Information includes but is not limited to: certain company proprietary information, such as internal policies and memorandums; and personal information such as an individual’s name, address or telephone number. It also includes information requiring higher levels of protection according to the company’s security policy, such as company proprietary trade secrets or personal information that bundles an individual’s name, address or telephone number with a Social Security number, driver’s license number, account number, credit or debit card number, personal identification number, health information, religious opinions or a user ID or password.