Version: Angophra

Glossary

A

Access Control

All processes and controls associated with determining and granting or denying access to a resource (logical or physical). Incorporates both Privilege Management and Authorisation.

Access Control Decision

The output of an authorisation process.

Access Rights

Privilege to perform an action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.

Attribute

A distinct, physical or abstract, named property of a subject or an object.

Attribute-Based Access Control

Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.

Attribute-Based Authorisation

A structured process that determines when a user is authorised to access information, systems, or services based on attributes of the user and of the information, system, or service.

Audit

An independent review of event logs and related activities performed to determine the adequacy of current security measures, to identify the degree of conformance with established policy or to develop recommendations for improvements to the security measures currently applied.

Audit Trail

A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.

Authenticate

To verify the validity of a claim - e.g. the identity of an entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission.

Authentication

The process used to Authenticate a claim.

Authentication Mechanism

Hardware or software-based algorithm that forces users, devices, or processes to prove their identity before accessing data on an information system.

Authentication Period

The maximum acceptable period between any initial authentication process and subsequent re-authentication processes during a single terminal session or during the period data is being accessed.

Authentication Protocol

A well specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.

Authoritative [..] Source

The official source that originates and maintains [..] - eg. Identities, attributes, etc. Is equivalent to [..] Manager.

Authorisation

The processes that determine an access decision based on all prevailing conditions.

Authorisation Boundary

All components and objects to which an Access Control Decision applies.

Authorisation Decision

(see Access Control Decision)

Authority

Permission to perform a specified act, eg: access and/or modify data; approve the registration and/or enrolment of users. This is then controlled by Authorisation systems. See also: Authorisation

Availability

The property of being accessible and useable upon demand by an authorised entity.

B

Basic Enterprise Authorisation Attribute

An attribute available via an attribute service that is populated and managed in accordance with enterprise guidance.

Biometrics / Attributes

Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual. Facial images, fingerprints, and handwriting samples are all examples of attributes.

Boundary

Physical or logical perimeter of a system.

Browser-Based Authentication

A browser-based authentication mechanism is one that makes use of the web browser and its inbuilt functionality or plug-ins/add-ons to perform the authentication processes.

C

Category

Restrictive label applied to classified or unclassified information to limit access.

Certificate

An electronic document signed by the Certification Authority which:

(a) identifies an entity

(b) specifies the Public Key of a bound Key Pair

(c) contains additional information as required by the Certificate Profile.

Challenge Response

An authentication technique whereby a System does not permit access by a user, until the user has given the correct answer ('response') to a question (or 'challenge').

Cipher

Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.

Claim

A statement made that purports to be true. This is the claim being made that the relying party wishes to authenticate and authorise.

Claimant

An entity (user, device or process) whose assertion (Claim) is to be verified using an authentication protocol and an access decision applied.

Clearance

Formal certification of authorisation to have access to classified information.

Clearance Level

The formal security classification associated with a person - eg cleared to 'Secret' level.

Cybersecurity

The ability to protect or defend the use of cyberspace from cyber attacks.

Cyberspace

A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

D

Data

A subset of information in an electronic format that allows it to be retrieved or transmitted.

Data at Rest

Information residing on media or a system that is not powered or is

Data Aggregation

Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.

Data Classification

Classification of data (eg documents, computer records) according to defined 'security' rules. This enables access to such data to be provided or refused based upon the 'security' classification of the party seeking access.

Data Element

A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.

Data in Transit

Information that is being communicated across a communication medium.

Data in Use

Information that has been decrypted for processing by a system.

Data Integrity

The condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.

Delegate

A person or group of people to whom the authority to authorise variations from agreed requirements has been devolved by the Organisation head.

Demilitarized Zone (DMZ)

A small network with one or more servers that is kept separate from an Organisation’s core network, either on the outside of the Organisation’s firewall, or as a separate network protected by the Organisation’s firewall. Demilitarised zones usually provide public domain information to less trusted networks, such as the Internet.

De-provisioning

The withdrawing of access permissions by the alteration of 'control' records on systems relating to the authentication credentials and/or access permissions of users.

Device

Computer hardware and/or software onto which a Device Certificate may be installed.

Digital Policy

Hierarchical rule sets that control digital resource management, utilization, and protection.

Digital Signature

Cryptographic process used to assure data object originator authenticity, data integrity, and time stamping for prevention of replay.

Distinguished Name (DN)

A unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of X.500 directory service.

Distinguishing Identifier

Information which unambiguously distinguishes an entity in the authentication process.

Domain

An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.

E

Enclave

Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Enclave Boundary

Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN).

Encryption

Encryption, which forms part of cryptography, is the process of transforming information using an algorithm (formula) to make it unreadable to anyone except those possessing the key (cipher) used by the algorithm, or a matching/complementary key. Two forms of encryption are commonly used for information security, symmetrical encryption and public key-based encryption (PKI). The latter is most commonly used for e-authentication.

Encryption Algorithm

Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.

End-To-End Encryption

Encryption of information at its origin and decryption at its intended destination without intermediate decryption.

Enrolment

The act of binding a credential to an entity.

Entity

An entity is the individual or device or ‘subject’ represented by a digital identity. Within the IDAM, it is expected that an entity would only have one digital identity unless specifically authorised for an alias. This could be an individual (a Person Entity – PE) or a resource (a Non-person Entity – NPE).

Entitlement

A specific permission or privilege granted to a user or entity within a system. It represents the access rights or resources that a user is entitled to based on their role, responsibilities, or specific authorization.

Entitlement Management

Mechanisms for managing entitlements. This includes defining and assigning entitlements to users, reviewing and modifying access rights, and ensuring that users have the appropriate entitlements based on their roles or organizational changes.

Event

Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.

Evidence of Identity

Evidence (e.g. in the form of documents/credentials) issued to enable the validation of an assertion of identity. They are usually presented at the time of Registration to verify the biographic data associated with the digital identity being created.

External Network

A network not controlled by the Organisation.

F

G

Gateway

Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures.

H

I

Identification

An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.

Identifier

A data object that uniquely represents the digital identity of an entity within the context of its intended use.

Identity

The set of attribute values (i.e., characteristics) by which an entity is recognizable and that are sufficient to distinguish that entity from any other entity within the domain of use of the identity.

Identity Provider

In a federation, denotes the point of contact in an external Organisation that will provide credential authentication and/or Identity confirmation/attributes to enable an Authentication to be undertaken. This may be equivalent to the Identity Manager for that Organisation.

Identity-Based Access Control

Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorisations to specific objects are assigned based on user identity.

Internal Network

A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors.

Issuance

The process involved in providing a user with an authentication credential. This will be undertaken in conjunction with or following the Registration process, or in a service delivery context it will occur when eligibility is determined.

J

K

L

Least Privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorisations that the entity needs to perform its function.

Least Trust

The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust and 2) the extent to which each component is trusted.

Local Access

Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

M

Match / Matching

The process of comparing attribute information against a previously stored template(s) and scoring the level of similarity.

Multi-factor Authentication

An Authentication process in which multiple forms of Evidence of Identity are used, in order to increase the level of confidence in the Assertion.

Mutual Authentication

The process of both entities involved in a transaction verifying each other.

N

Need-To-Know

A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes.

Network Access

Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Network Device

Any device designed to facilitate the communication of information destined for multiple system users. For example: cryptographic devices, firewalls, routers, switches and hubs.

Nonce

A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing the transmittal of live data rather than replayed data, thus detecting and protecting against replay attacks.

Non-repudiation

Strong and substantial evidence of the identity of the signer of a message and of message integrity, sufficient to prevent a party from successfully denying the origin, submission or delivery of the message or the integrity of its contents. Paper signatures are the traditional means of providing Non-Repudiation. Digital Signatures are a strong electronic means of providing Non-Repudiation.
Source: American Bar Association Digital Signature Guidelines, ISO Non-repudiation Framework

O

Object

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object implies access to the information it contains.

P

Permissions

see Entitlements

Personal Information

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Policy

A function to be evaluated, plus an action to take if the function is true. The Applicable Policy Function determines the policy to be applied to a given request.

Policy Based Access Control (PBAC)

A form of access control that uses an authorisation policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, heuristics).

Privilege

Privilege refers to the level of access and permissions granted to users within a system. It determines what actions, resources, or data they can access or modify. Privileges are assigned based on roles or authorization, ensuring users have the necessary access rights while maintaining security and compliance.

Privilege Management

Security controls for managing and monitoring privileged access, such as administrative accounts, within an organization. It includes practices like enforcing least privilege, implementing privileged identity management, using multi-factor authentication, and conducting regular access reviews. Privilege management ensures accountability, mitigates the risk of unauthorized access, and protects critical systems and sensitive data.

Privileged Access

Privileged access refers to elevated levels of access and permissions granted to certain users or accounts within a system. These privileges allow users to perform administrative tasks, access critical systems, and manipulate sensitive data, requiring strict management and monitoring to ensure security and prevent misuse.

Protocol

Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.

Proxy

An entity authorized to act for another.

Q

R

Remote Access

Access to an Organisation's nonpublic information system by an authorised entity (or an information system) communicating through an external, non-Organisation-controlled network (e.g., the Internet).

Repository

A place where information of a particular type is stored - a database or directory.

Revocation

The process of removing a user's access rights. This will always involve changes to the system files that hold the user's authentication records and details of access permissions. It may also involve having similar records amended by trusted third parties (eg CAs) and retrieval or destruction of a physical authentication token (eg smartcard).

Revoke

To terminate a Certificate prior to the end of its operational period.

Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of

  • the adverse impacts that would arise if the circumstance or event occurs
  • the likelihood of occurrence.

Risk Adaptable Access Control (RAdAC)

A form of access control that uses an authorisation policy that takes into account operational need, risk, and heuristics.

Risk Appetite

The amount and type of risk an Agency is prepared to pursue or take.

Robustness

The ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.

Role

A group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks.

Role-Based Access Control (RBAC)

A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.

Rule-Based Security Policy

A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access. Also known as discretionary access control (DAC).

S

Security Assertion Markup Language (SAML)

A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between on-line business partners.

SAML Attribute Assertion

An assertion that contains an Intelligence Community set of approved, shareable user authorisation attributes associated with a specific subject of a received query that is in a specific SAML construct and is generated by the AP.

Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Domain

An environment or context that is defined by security models and security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain.

Security Perimeter

A physical or logical boundary that is defined for a system, domain, or enclave; within which a particular security policy or security architecture is applied.

Security Policy

A set of policy rules (or principles) that direct how a system (or an organization) provides security services to protect sensitive and critical system resources.

Security Requirements

Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Sensitive Information

Information whose loss, misuse, or unauthorised access or modification could adversely affect the national interest or the conduct of government programs, or an individual's privacy.

Service

A mechanism providing access to one or more capabilities - an interface. For example: an Attribute Service is an interface that has been exposed by the Attribute Manager to the Attribute Management processes.

Standard Operating Environment

A standardised build of an operating system and associated software that is deployed on multiple devices. A SOE can be used for servers, workstations, laptops and mobile devices.

Standard Operating Procedures

Instructions for complying with a SSP. For example, how to update virus signature files.

Strong Authentication

The requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.

Subject

An active entity (generally an individual, process, or device) that causes information to flow among objects or changes the system state. See also object.

Subscriber

A party who receives a credential or token from a Credentials Service Provider (CSP) and becomes a claimant in an authentication protocol.

System

A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.

System Owner

Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.

System Security Plan (SSP)

The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.

T

Technical Security Controls

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Time Stamp

A record that indicates (at least) the correct date and time of an action (expressly or implicitly) and the identity of the person or device that created the notation.

Token

A digital representation of an authenticated session, containing identity credentials and associated attributes. (For example a JWT, SAML token, or a Kerberos Token)

Trust

Trust is qualified reliance on information, based on factors independent of that information.

U

V

Validation

Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).

Verification

Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).

Verify

To determine or test the accuracy of EOI documentation submitted by an applicant in accordance with procedures set forth. Process of establishing the veracity of an assertion to a specified or understood level of assurance.

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerability Assessment

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

W

X

Y

Z