Version: Angophra

Glossary

A​

Access Control​

All processes and control associated with determining and granting or denying access to a resource (logical or physical). Incorporates both Privilege Management and Authorisation.

Access Control Decision​

The output of an authorisation process.

Access Rights​

Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.

Attribute​

A distinct, physical or abstract, named property of a subject or an object.

Attribute-Based Access Control​

Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.

Attribute-Based Authorisation​

A structured process that determines when a user is authorised to access information, systems, or services based on attributes of the user and of the information, system, or service.

Audit​

An independent review of event logs and related activities performed to determine the adequacy of current security measures, to identify the degree of conformance with established policy or to develop recommendations for improvements to the security measures currently applied.

Audit Trail​

A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.

Authenticate​

To verify the validity of a claim - eg. identity of an entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission.

Authentication​

The process used to Authenticate a claim.

Authentication Mechanism​

Hardware or software-based algorithm that forces users, devices, or processes to prove their identity before accessing data on an information system.

Authentication Period​

The maximum acceptable period between any initial authentication process and subsequent re-authentication processes during a single terminal session or during the period data is being accessed.

Authentication Protocol​

A well specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.

Authoritative [..] Source​

The official source that originates and maintains [..] - eg. Identities, attributes, etc. Is equivalent to [..] Manager.

Authorisation​

The processes that determine an access decision based on all prevailing conditions.

Authorisation Boundary​

All components and objects to which an Access Control Decision applies.

Authorisation Decision​

(see Access Control Decision)

Authority​

Permission to perform a specified act, eg: access and/or modify data; approve the registration and/or enrolment of users. This is then controlled by Authorisation systems. See also: Authorisation

Availability​

The property of being accessible and useable upon demand by an authorised entity.

B​

Basic Enterprise Authorisation Attribute​

An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance.

Biometrics / Attributes​

Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual. Facial images, fingerprints, and handwriting samples are all examples of attributes.

Boundary​

Physical or logical perimeter of a system.

Browser-Based Authentication​

A browser-based authentication mechanism is one that makes use of the web browser and its inbuilt functionality or plug-ins/add-ons to do the authentication processes.

C​

Category​

Restrictive label applied to classified or unclassified information to limit access.

Certificate​

An electronic document signed by the Certification Authority which:

(a) Identifies an entity

(b) specifies the Public Key of a bound Key Pair

(c) contains additional information as required by the Certificate Profile.

Challenge Response​

An authentication technique whereby a System does not permit access by a user, until the user has given the correct answer ('response') to a question (or 'challenge').

Cipher​

Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.

Claim​

A statement made that purports to be true. This is the claim being made that the relying party wishes to authenticate and authorise.

Claimant​

An entity (user, device or process) whose assertion (Claim) is to be verified using an authentication protocol and an access decision applied.

Clearance​

Formal certification of authorisation to have access to classified information.

Clearance Level​

The formal security classification associated with a person - eg cleared to 'Secret' level.

Cybersecurity​

The ability to protect or defend the use of cyberspace from cyber attacks.

Cyberspace​

A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

D​

Data​

A subset of information in an electronic format that allows it to be retrieved or transmitted.

Data at Rest​

Information residing on media or a system that is not powered or is

Data Aggregation​

Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.

Data Classification​

Classification of data (eg documents, computer records) according to defined 'security' rules. This enables access to such data to be provided or refused based upon the 'security' classification of the party seeking access.

Data Element​

A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.

Data in Transit​

Information that is being communicated across a communication medium.

Data in Use​

Information that has been decrypted for processing by a system.

Data Integrity​

The condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.

Delegate​

A person or group of people to whom the authority to authorise variations from agreed requirements has been devolved by the Organisation head.

Demilitarized Zone (DMZ)​

A small network with one or more servers that is kept separate from an Organisation’s core network, either on the outside of the Organisation’s firewall, or as a separate network protected by the Organisation’s firewall. Demilitarised zones usually provide public domain information to less trusted networks, such as the Internet.

De-provisioning​

The withdrawing of access permissions by the alteration of 'control' records on systems relating to the authentication credentials and/or access permissions of users.

Device​

Computer hardware and/or software onto which a Device Certificate may be installed.

Digital Policy​

Hierarchical rule sets that control digital resource management, utilization, and protection.

Digital Signature​

Cryptographic process used to assure data object originator authenticity, data integrity, and time stamping for prevention of replay.

Distinguished Name (DN)​

A unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of X.500 directory service.

Distinguishing Identifier​

Information which unambiguously distinguishes an entity in the authentication process.

Domain​

An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.

E​

Enclave​

Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Enclave Boundary​

Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN).

Encryption​

Encryption, which forms part of cryptography, is the process of transforming information using an algorithm (formula) to make it unreadable to anyone except those possessing the key (cipher) used by the algorithm, or a matching/complementary key. Two forms of encryption are commonly used for information security, symmetrical encryption and public key-based encryption (PKI). The latter is most commonly used for e-authentication.

Encryption Algorithm​

Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.

End-To-End Encryption​

Encryption of information at its origin and decryption at its intended destination without intermediate decryption.

Enrolment​

The act of binding a credential to an entity.

Entity​

An entity is the individual or device or ‘subject’ represented by a digital identity. Within the IDAM, it is expected that an entity would only have one digital identity unless specifically authorised for an alias. This could be an individual (a Person Entity – PE) or a resource (a Non-person Entity – NPE).

Entitlement​

A specific permission or privilege granted to a user or entity within a system. It represents the access rights or resources that a user is entitled to based on their role, responsibilities, or specific authorization.

Entitlement Management​

Mechanisms for managing entitlements. This includes defining and assigning entitlements to users, reviewing and modifying access rights, and ensuring that users have the appropriate entitlements based on their roles or organizational changes.

Event​

Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.

Evidence of Identity​

Evidence (e.g. in the form of documents/credentials) issued to enable the validation of an assertion of identity. They are usually presented at the time of Registration to verify the biographic data associated with the digital identity being created.

External Network​

A network not controlled by the Organisation.

F​

G​

Gateway​

Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures.

H​

I​

Identification​

An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.

Identifier​

A data object that uniquely represents the digital identity of an entity within the context of its intended use.

Identity​

The set of attribute values (i.e., characteristics) by which an entity is recognizable and which are sufficient to distinguish that entity from any other entity within the domain of use of the identity.

Identity Provider​

In a federation, denotes the point of contact in an external Organisation that will provide credential authentication and/or Identity confirmation/attributes to enable an Authentication to be undertaken. This may be equivalent to the Identity Manager for that Organisation.

Identity-Based Access Control​

Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorisations to specific objects are assigned based on user identity.

Internal Network​

A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors.

Issuance​

The process involved in providing a user with an authentication credential. This will be undertaken in conjunction with or following the Registration process, or in a service delivery context it will occur when eligibility is determined.

J​

K​

L​

Least Privilege​

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorisations that the entity needs to perform its function.

Least Trust​

The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust and 2) the extent to which each component is trusted.

Local Access​

Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

M​

Match / Matching​

The process of comparing attribute information against a previously stored template(s) and scoring the level of similarity.

Multi-factor Authentication​

An Authentication process in which multiple forms of Evidence of Identity are used, in order to increase the level of confidence in the Assertion.

Mutual Authentication​

The process of both entities involved in a transaction verifying each other.

N​

Need-To-Know​

A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes.

Network Access​

Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Network Device​

Any device designed to facilitate the communication of information destined for multiple system users. For example: cryptographic devices, firewalls, routers, switches and hubs.

Nonce​

A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing the transmittal of live data rather than replayed data, thus detecting and protecting against replay attacks.

Non-repudiation​

Strong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message or the integrity of its contents. Paper signatures are the traditional means of providing Non-Repudiation. Digital Signatures are a strong electronic means of providing Non-Repudiation.
Source: American Bar Association Digital Signature Guidelines, ISO Non-repudiation Framework

O​

Object​

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object implies access to the information it contains.

P​

Permissions​

see Entitlements

Personal Information​

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Policy​

A function to be evaluated, plus an action to take if the function is true. The Applicable Policy Function determines the policy to be applied to a given request.

Policy Based Access Control (PBAC)​

A form of access control that uses an authorisation policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, heuristics).

Privilege​

Privilege refers to the level of access and permissions granted to users within a system. It determines what actions, resources, or data they can access or modify. Privileges are assigned based on roles or authorization, ensuring users have the necessary access rights while maintaining security and compliance.

Privilege Management​

Security controls for managing and monitoring privileged access, such as administrative accounts, within an organization. It includes practices like enforcing least privilege, implementing privileged identity management, using multi-factor authentication, and conducting regular access reviews. Privilege management ensures accountability, mitigates the risk of unauthorized access, and protects critical systems and sensitive data.

Privileged Access​

Privileged access refers to elevated levels of access and permissions granted to certain users or accounts within a system. These privileges allow users to perform administrative tasks, access critical systems, and manipulate sensitive data, requiring strict management and monitoring to ensure security and prevent misuse.

Protocol​

Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.

Proxy​

An entity authorized to act for another.

Q​

R​

Remote Access​

Access to an Organisation's nonpublic information system by an authorised entity (or an information system) communicating through an external, non-Organisation-controlled network (e.g., the Internet).

Repository​

A place where information of a particular type is stored - a database or directory.

Revocation​

The process of removing a user's access rights. This will always involve changes to the system files that hold user's authentication records and details of access permissions. It may also involve having similar records amended by trusted third parties (eg CAs) and retrieval or destruction of a physical authentication token (eg smartcard).

Revoke​

To terminate a Certificate prior to the end of its operational period.

Risk​

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of

  • the adverse impacts that would arise if the circumstance or event occurs
  • the likelihood of occurrence.

Risk Adaptable Access Control (RAdAC)​

A form of access control that uses an authorisation policy that takes into account operational need, risk, and heuristics.

Risk Appetite​

The amount and type of risk an Agency is prepared to pursue or take.

Robustness​

The ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.

Role​

A group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks.

Role-Based Access Control (RBAC)​

A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.

Rule-Based Security Policy​

A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access. Also known as discretionary access control (DAC).

S​

Security Assertion Markup Language (SAML)​

A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between on-line business partners.

SAML Attribute Assertion​

An assertion that contains an Intelligence Community set of approved, shareable user authorisation attributes associated with a specific subject of a received query that is in a specific SAML construct and is generated by the AP.

Security Controls​

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Domain​

An environment or context that is defined by security models and security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain.

Security Perimeter​

A physical or logical boundary that is defined for a system, domain, or enclave; within which a particular security policy or security architecture is applied.

Security Policy​

A set of policy rules (or principles) that direct how a system (or an organization) provides security services to protect sensitive and critical system resources.

Security Requirements​

Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Sensitive Information​

Information such that the loss, misuse, or unauthorised access to or modification of, could adversely affect the national interest or the conduct of government programs, or an individual's privacy.

Service​

A mechanism providing access to one or more capabilities - an interface. For example: an Attribute Service is an interface that has been exposed by the Attribute Manager to the Attribute Management processes.

Standard Operating Environment​

A standardised build of an operating system and associated software that is deployed on multiple devices. A SOE can be used for servers, workstations, laptops and mobile devices.

Standard Operating Procedures​

Instructions for complying with a SSP. For example, how to update virus signature files.

Strong Authentication​

The requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.

Subject​

An active entity (generally an individual, process, or device) that causes information to flow among objects or changes the system state. See also object.

Subscriber​

A party who receives a credential or token from a Credentials Service Provider (CSP) and becomes a claimant in an authentication protocol.

System​

A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.

System Owner​

Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.

System Security Plan (SSP)​

The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.

T​

Technical Security Controls​

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Time Stamp​

A record that indicates (at least) the correct date and time of an action (expressly or implicitly) and the identity of the person or device that created the notation.

Token​

A digital representation of an authenticated session, containing identity credentials and associated attributes. (For example a JWT, SAML token, or a Kerberos Token)

Trust​

Trust is qualified reliance on information, based on factors independent of that information.

U​

V​

Validation​

Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).

Verification​

Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).

Verify​

To determine or test the accuracy of EOI documentation submitted by an applicant in accordance with procedures set forth. Process of establishing the veracity of an assertion to a specified or understood level of assurance.

Vulnerability​

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerability Assessment​

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

W​

X​

Y​

Z​