The ability to use, modify, or affect an IT system or to gain entry to a physical area or location.
The process of granting or denying specific requests to
Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
General content changes like an organization, name, phone number, mailbox or URL in a policy or standard or a clarification or other revision that does not change the effect of the policy or standard.
State office, department, division, bureau, board, commission, including offices headed by a statewide elected official.
A computer program or set of programs that meet a defined set of business needs. See also Application System.
An interconnected set of IT resources under the same direct management control that meets a defined set of business needs.
The approver is responsible for deciding whether a change is fit to proceed to implementation by examining the evidence in the change request.
See Information Technology (IT) Assets/Resources
An attempt to bypass security controls on an IT system in order to compromise the data.
Independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures.
A chronological record of system activities, including records of system accesses and operations performed in a discrete period.
An individual entry in an audit log related to an audited event.
A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.
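The three audit definitions above (audit log, audit record, audit reduction) describe what a log holds and what reduction does with it. As an added example that is not part of the original glossary, the following Python script performs a simple audit reduction over a handful of constructed sshd audit records: it parses each record into fields, then collapses the records into failure counts per user and source address and flags sources whose failures reach a threshold. The log lines, host name, user names, addresses and threshold are constructed for illustration.

```python
"""Audit reduction over constructed sshd audit records.

Added example, not part of the original glossary. The log lines, host,
users and addresses below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample audit log lines (not real data).
SAMPLE_LOG = """\
Jan 12 09:14:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 09:14:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 09:14:06 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 09:15:10 host1 sshd[2130]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Jan 12 09:16:44 host1 sshd[2144]: Failed password for alice from 198.51.100.20 port 40030 ssh2
Jan 12 09:16:50 host1 sshd[2144]: Accepted password for alice from 198.51.100.20 port 40030 ssh2
Jan 12 09:20:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
"""

# One audit record = one line; this pattern covers sshd authentication events only.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_events(log_text):
    """Return one dict per sshd authentication record; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def reduce_auth_events(events, fail_threshold=3):
    """Collapse individual records into analyst-facing counts.

    Returns failed logins per (user, source), accepted logins per
    (user, source, method), and the sources whose failure count reaches
    fail_threshold (a constructed cut-off, not a recommended value).
    """
    failed = Counter()
    accepted = Counter()
    failures_by_source = Counter()
    for e in events:
        if e["result"] == "Failed":
            failed[(e["user"], e["src"])] += 1
            failures_by_source[e["src"]] += 1
        else:
            accepted[(e["user"], e["src"], e["method"])] += 1
    suspicious = sorted(
        src for src, n in failures_by_source.items() if n >= fail_threshold
    )
    return {
        "failed": failed,
        "accepted": accepted,
        "suspicious_sources": suspicious,
    }


def summarize(log_text, fail_threshold=3):
    """Parse and reduce in one step; the entry point a script would call."""
    return reduce_auth_events(parse_auth_events(log_text), fail_threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (user, src), n in sorted(report["failed"].items()):
        print(f"FAILED  {user:<8} from {src:<15} x{n}")
    for (user, src, method), n in sorted(report["accepted"].items()):
        print(f"ACCEPT  {user:<8} from {src:<15} via {method} x{n}")
    print("sources at/above threshold:", report["suspicious_sources"])
```

The sudo line is deliberately left unmatched: a reduction tool only summarizes the record types its parser understands, so the set of patterns it carries bounds what an analyst can see, and unparsed records should be counted rather than silently dropped in a real deployment.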
Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
Access privileges granted to a user, program, application, or process or the act of granting such privileges.
Property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
The timely, reliable access to data and information services for authorized users.
Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual.
Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for a purpose other than the authorized one.
An application or system which has a direct impact on the delivery of services to department/agency employees, clients or consumers.
The activities performed by the agency to ensure critical functions are available to entities needing access to those functions. Business continuity is related to restoring normal day-to-day functions in the event of service disruptions. Business continuity planning is different than disaster recovery planning.
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. Agencies self-define application criticality:
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Services available via a remote cloud computing service provider rather than an on-site system. These scalable solutions are managed by a third party and provide access to computing services such as analytics or networking via the Internet.
The exchange or sharing of data including, but not limited to, text, IM, email, voice records and other records.
See also Data Classification Standard
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.
The effort to ensure that mission-essential functions continue to be performed during a wide range of emergencies which could be localized or widespread.
Includes any firm, provider, organization, individual, or other entity performing the business activities of the agency. It will also include any subcontractor retained by Contractor as permitted under the terms of the Contract. Also: third-party.
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. See Also: Security Control
The basic financial groupings of cost data. The smaller list simplifies reporting and provides a finance view of IT spend and represents the logical accounting buckets for IT charges. Cost Pools are mapped on the Chart of Accounts. For the State of Washington, Cost Pool mapping is generally done by mapping Objects, Sub-Objects, and/or Sub-Sub-Objects to a Cost Pool.
All public-facing content, including websites, applications, documents and media, blog posts, and social media content. Certain non-public-facing content must also comply. Examples include all electronic content used for official business to communicate: emergency notifications, initial or final decisions adjudicating administrative claims or proceedings, internal or external program or policy announcements, notices of benefits, program eligibility, employment opportunities or personnel actions, formal acknowledgements or receipts, questionnaires or surveys, templates or forms, educational or training materials, and web-based intranets.
A known system defect or enhancement request that if left unresolved could significantly impact business operations, compliance with statute or policy, the integrity of the system or data or otherwise create a public health, safety or other significant risk areas.
Any information system whose "failure" could threaten the system’s environment or the existence of the agency which operates the system. "Failure" in this context does not mean failure to conform to a specification but means any potentially threatening system behavior.
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. See also: Business Criticality
Consolidated Technology Services: WaTech
Agency head, or third-party organization manager if processing is outsourced, who processes personal information according to the instructions provided by the Owner.
A subset of Information. A representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.
Data that is not being accessed and is stored on a physical or logical medium. Examples include files stored on file servers, records in databases, and documents on flash drives or hard disks. See also Media
NOTE: these are the definitions used in the TBM program and also reside in Standard 113.30: TBM Taxonomy.
Data Centers are facilities that house and protect critical IT equipment supporting delivery of government services including the space, power, environment controls, racks, cabling and external labor.
We distinguish between Agency Data Centers, and the State Data Centers because by statute we are directed to migrate TO the State Data Center and away from Agency Data Centers.
State Data Centers include:
Data that travels through an email, web, collaborative work applications such as Microsoft Teams or any other type of private or public communication channel.
Data actively in use: being processed by one or more applications, or being consumed or accessed by users.
Has policy-level responsibility for establishing rules and use of data based on applied classification.
Responsible for the day-to-day management of data assets; this includes electronic and hard-copy information.
The collective set of data actions (i.e., the complete data life cycle, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal).
A key part of the lifecycle of information or data. Such a policy (or schedule) describes how long an agency needs to keep a piece of information (record), where it is stored, and how to dispose of the record when its retention period ends.
Restarting technology operations after an outage using processes, policies and procedures prepared for recovery or continuation of mission-essential technology infrastructure after a disaster.
These processes are found in a DR Plan. DR is a subset of business continuity and COOP.
The three principal goals of DR are to:
Other Facilities such as Computer rooms and MDF/IDF/telco closets that house IT equipment primarily supporting local building operations in corporate headquarters, call centers or other general purpose office buildings.
A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted. Can be a network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.
Establishes a standard for cross-domain resource description and has been standardized as ISO 15836:2009.
Any device or application that will provide the capability of exchanging digital communication between two or more parties. Examples are email, electronic messaging, instant messaging, and text messaging.
The process of transforming plaintext into ciphertext under a key so that the data cannot be read without the corresponding key. Encryption by itself provides confidentiality; integrity and authenticity of the ciphertext require an authenticated encryption mode or a separate message authentication code.
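To make the confidentiality-versus-integrity point concrete, here is an added Python example (not part of the original glossary) in which an attacker who knows the plaintext layout changes an encrypted amount without the key, and the same manipulation is rejected once an encrypt-then-MAC tag is checked. The cipher is a minimal counter-mode stream cipher built from HMAC-SHA256 so the script runs with the standard library alone; it stands in for AES-CTR and is not meant for production use. The keys, nonce and message are constructed demo values.

```python
"""Encryption gives confidentiality, not integrity: a worked demonstration.

Added example, not part of the original glossary. The cipher is a minimal
counter-mode stream cipher built from HMAC-SHA256 (standard library only)
standing in for AES-CTR; it is not for production use. Keys, nonce and
message below are constructed demo values.
"""
import hashlib
import hmac


def _keystream(key, nonce, length):
    """Derive `length` keystream bytes as HMAC(key, nonce || counter)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(
            hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        )
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_ctr(key, nonce, plaintext):
    """Unauthenticated counter-mode encryption: plaintext XOR keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_ctr = encrypt_ctr  # XOR is its own inverse


def flip_byte(ciphertext, offset, assumed_old, wanted_new):
    """Attacker step: XOR the ciphertext so the byte at `offset` decrypts to
    `wanted_new`, assuming it currently decrypts to `assumed_old`. No key needed."""
    c = bytearray(ciphertext)
    c[offset] ^= assumed_old ^ wanted_new
    return bytes(c)


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Authenticated variant: the tag covers the nonce and the ciphertext."""
    ct = encrypt_ctr(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(enc_key, mac_key, nonce, ct, tag):
    """Check the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return decrypt_ctr(enc_key, nonce, ct)


def demo():
    """Returns (plaintext seen after tampering without a MAC, tamper detected with a MAC)."""
    enc_key = b"\x11" * 32  # constructed demo keys; use os.urandom(32) in practice
    mac_key = b"\x22" * 32
    nonce = b"\x00" * 12  # constructed; must be unique per message in practice
    message = b"amount=0100"
    pos = message.index(b"0100")
    # 1. Unauthenticated: the attacker turns 0100 into 9100 without the key.
    ct = encrypt_ctr(enc_key, nonce, message)
    forged = flip_byte(ct, pos, ord("0"), ord("9"))
    tampered_plaintext = decrypt_ctr(enc_key, nonce, forged)
    # 2. Authenticated: the same manipulation fails the tag check.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, message)
    forged2 = flip_byte(ct2, pos, ord("0"), ord("9"))
    try:
        verify_then_decrypt(enc_key, mac_key, nonce, forged2, tag)
        detected = False
    except ValueError:
        detected = True
    return tampered_plaintext, detected


if __name__ == "__main__":
    seen, detected = demo()
    print("without MAC, receiver decrypts:", seen)
    print("with MAC, tampering detected:", detected)
```

The first half is the reason "encryption" and "integrity" should not be equated: any stream or counter mode is malleable byte-for-byte, so a policy that requires integrity must require an authenticated mode (for example AES-GCM) or a MAC over the ciphertext, not encryption alone.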
For the purpose of this policy, this is defined as the latest date a manufacturer will provide security patches. Some manufacturers have an end of mainstream support date and an extended end-of-support date. In these cases, after the end of mainstream support, no additional software feature/function enhancements or fixes are issued, but security patches are issued until the end of extended support. The recommended best practice is to migrate before end of mainstream support.
A computer or other device connected to a computer network. An endpoint may offer information resources, services and applications to users or other endpoints on the Network. Endpoints can include, but may not be limited to, desktop computers, laptop computers, network servers, portable computing devices (Android/iOS tablets and smart phones), embedded control systems and Internet of Things (IoT) devices. See also: Mobile Device.
Software that allows agency support staff to not only manage a container on the mobile device, but also control the flow of information between the mobile device and agency computing resources such as collaboration software, cloud storage, shared applications. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.
An Enterprise service is a service that all state government agencies with a certain business need or process are required to use. Agencies must not adopt a similar service unless they have an approved waiver. Enterprise Services can support common administrative business processes such as accounting, payroll, etc., or they can include Information Technology applications or services commonly used by agencies.
The agency accountable and/or responsible to make policy or business decisions regarding an Enterprise Service. Some Enterprise Services also have a service owner.
The enterprise service owner is the agency that implements the business owner’s decisions and plans and performs many of the service’s implementation and operational activities.
Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest, and other forms of natural and man-made risk.
Providing users with disabilities with content and interaction that is similar or identical to that provided to users without disabilities, in a form that produces a similar user experience. Users should be provided direct access to the same content unless providing direct access to that content is not possible due to technical or legal limitations.
Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.
The senior executive responsible to the agency and the State CIO/OCIO for the project.
A computer network that an organization uses for application data traffic between the organization and its business partners.
A Quality Assurance (QA) provider's assessment of the project's use of project management best practices, as well as their assessment of deficiencies or gaps in the application of those best practices that may have an adverse impact on the project. Findings are assumed to require corrective actions.
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.
The processes, groups and activities an agency takes to ensure compliance with its Information Technology policies, standards and procedures with the goal of meeting business requirements.
A guideline is a compilation of best practice offered in support of a policy or standard.
A collection of tools, techniques, and best practices to protect technology, applications, systems, infrastructure, firmware, etc., with the goal of reducing security risk by eliminating potential attack vectors and shrinking the system's attack surface.
The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
Data that can only be written, not modified or deleted.
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
The implementer deploys the change into production. The implementer is the person who records the implementation results.
Any attempted, successful, or imminent threat of unauthorized electronic and/or physical access, use, exposure, disclosure, breach, modification, loss, or destruction of information; interference with Information Technology operations; or significant violation of agency or State policy.
The mitigation of violations of security policies and recommended practices.
The work of one or more professionals responsible for monitoring and assessing the health and effectiveness of project management plans and processes as well as an overall assessment of a project's short and longer term risks. To preserve independence, the QA provider(s) report outside the project management organizational structure, generally to the project's Executive Sponsor and the State CIO. In Washington state government, independent Project QA is considered different than product or technical quality assurance, which might include testing and other independent verification and validation activities.
Formalized Information Security Policies, standards and procedures that are documented describing the program management safeguards and common controls in place or those planned for meeting the Agency’s information security requirements.
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Per RCW 43.105.020, "Information Technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, radio technologies, and all related interactions between people and machines.
Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).
An asset owner is a person responsible for the day-to-day management of assets. This includes electronic and hard-copy information and hardware, software, services, people, and facilities.
Within the TBM Program, the source financial information used for identifying IT expenditures is from the statewide Agency Financial Reporting System (AFRS) and based on these components:
NOTE: AFRS Sub-Object EL is defined in the OFM State Administrative and Accounting Manual (SAAM) 75.70.20 as "Charges by state agencies for information technology services. Examples include computing services, hosting services, network services, web services, statewide systems (AFRS, HRMS, etc.), and planning and policy assessment by agencies such as the Department Enterprise Services, the Office of Financial Management, Office of the Chief Information Officer and Consolidated Technology Services."
IT infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project.
IT Resource Towers (ITRT) are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.
Inherent risk is the impact and likelihood of a risk in the absence of controls.
Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
An IT system or network designed and intended for use only by state of Washington employees, contractors, and business partners. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
The International Organization for Standardization develops and publishes international standards.
Security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
System that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
A high-speed, high-capacity network that connects colleges, universities, K-12 school districts and libraries across Washington state. K-12 schools and educational organizations rely on the K-20 network to run hundreds of data-based applications that support school administration, distance learning and operations.
Activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.
The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
A temporary suspension of the Agency’s document retention/destruction policies for the documents that may be, or are reasonably anticipated to be, relevant to a lawsuit. It is a stipulation requiring the Agency to preserve all data, information and records (files, both electronic and physical, email and instant messages, voice recordings, video recordings, etc.) that may relate to a legal action involving the Agency. A litigation hold ensures that the documents relating to the litigation are not destroyed and are available for the discovery process prior to litigation.
A project subject to State CIO/OCIO oversight based on the IT Project Assessment tool, a statute or some other factor as determined by the State CIO.
Software (such as a Trojan horse) that appears to perform a useful or desirable function but gains unauthorized access to system resources or tricks a user into executing other malicious logic.
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Retrievable retention of data. Electronic, electrostatic, or electrical hardware or other elements (media) into which data may be entered, and from which data may be retrieved. This includes but is not limited to: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. There are four methods:
Data about data. Metadata is a summary document providing content, quality, type, creation and spatial information about a dataset or other resource (for example, MP3 files, books, reports, websites, satellite images or DIS dataset).
A portable computing device that:
Examples include smart phones, tablets, and e-readers. This policy is not meant to apply to: cars, boats, airplanes, laptop computers, desktop computers, unpiloted aerial vehicles (drones), GPS receivers, radios.
Software that allows agency support staff to manage a "sandbox" or container on a mobile device where state data and applications can be added, deleted, or monitored. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.
An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
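The definition above says what multi-factor authentication requires but not how a second factor is checked. As an added example that is not part of the original glossary, the following Python code implements the possession factor most MFA deployments use, a time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP), and shows how a server verifies it alongside the password (knowledge) factor: with a small clock-skew window, constant-time comparison, and a replay rule so an intercepted code cannot be reused. The shared secret is the RFC test-vector secret, not a real credential; the window size and replay rule are design choices made here, not requirements from the glossary.

```python
"""Possession-factor verification with TOTP (RFC 6238 over RFC 4226 HOTP).

Added example, not part of the original glossary; standard library only.
The secret used in the demo is the RFC 4226/6238 test-vector secret, not a
real credential. Window size and replay handling are choices made here.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals elapsed."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time, last_counter=-1, step=30, window=1, digits=6):
    """Return the counter the code matched, or None.

    Accepts codes from `window` steps either side of now to tolerate clock
    skew, but never a counter at or before `last_counter`, so a code that
    was already accepted (or captured) cannot be replayed within the window.
    The caller stores the returned counter as the new `last_counter`.
    """
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        c = now_counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


def login(password_ok, secret, otp_code, at_time, last_counter):
    """Two factors: the password check result (knowledge) and the TOTP (possession).

    Returns (accepted, new_last_counter). Both factors are always evaluated so
    the response time does not reveal which one failed.
    """
    matched = verify_totp(secret, otp_code, at_time, last_counter)
    if password_ok and matched is not None:
        return True, matched
    return False, last_counter


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC test-vector secret, not a real key
    print("code for t=59:", totp(SECRET, at_time=59))
    print("first use:", login(True, SECRET, "287082", 59, -1))
    print("replay:", login(True, SECRET, "287082", 59, 1))
```

The replay rule matters in practice: without it, a one-time code remains valid for the whole skew window, and an attacker who phishes or shoulder-surfs the code can use it as long as the legitimate user has not yet consumed it.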
Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
A device available to other computers on a network. Examples include servers, firewalls, routers, switches, workstations, networked Supervisory Control and Data Acquisition (SCADA) systems, and networked printers (multifunction devices).
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
A unique string of characters that, in conjunction with a logon ID, authenticates a user’s identity.
The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. Also: Pen Test
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media in an IT facility.
High level statements of intention and direction of an organization as formally expressed by its top management. A policy expresses what must be accomplished or achieved and the roles and responsibilities of the various entities.
Electronic devices having the capability to store, record, and/or transmit text, images/video, or audio data. Examples of such devices include, but are not limited to: pagers, laptops, cellular telephones, radios, compact disc and cassette players/recorders, personal digital assistants, audio devices, watches with input capability, and reminder recorders. Also: Mobile Device
An established or official way of doing something.
See Data Processing
A document that describes how the QA Practitioner will deliver its service.
A Request for Proposal, a Request for Quote and Qualification, an interagency agreement proposal or an agency recruitment or any other effort that is intended to result in the acquisition or hire of a QA resource.
A type of malware that attempts to deny a user or organization access to data or systems, usually through encryption, until a sum of money or other currency is paid, or that forces the user or organization to take an action.
The QA Practitioner's suggested course of action to address a negative Finding.
Recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
The point in time to which data must be recovered after an outage.
The maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.
Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network.
The requestor submits the change request.
The potential for the occurrence of an adverse event after adjusting for the impact of all in-place controls.
The capability of remaining or returning to a normal situation after an event by having multiple ways of performing a function. This may include people, processes or technology. Generally speaking, this means there would be no single point of failure that could stop a process.
Refers to any objects of interests such as books, reports, datasets, services, applications, websites, satellite images, videos, etc.
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system.
The types and amount of risk, on a broad level, a business unit or organization is willing to accept in its pursuit of value.
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, the assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
The program and supporting processes to manage information security risk levels to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:
A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.
A prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.
A repository that contains the information about identified risks, results of Risk Analysis (impact, probability, effects), as well as Risk Response Plans. Used to monitor and control risks associated with a system, application or asset lifecycle.
The agency’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives. Note: Risk tolerance can be influenced by legal or regulatory requirements.
Process to modify risk.
A mechanism (software, hardware, configuration, etc.) that protects something, such as information.
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Secure segmentation is defined as implementing methods that allow for secure communication between various levels of segmented environments. These environments typically involve 4 basic segment groups:
The methods for securing these segments may include but are not limited to firewall and switch/router configurations and router/switch ACLs.
A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach.
A safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements, including but not limited to those defined in the OCIO IT security standards.
A domain within which behaviors, interactions, and outcomes occur and that is defined by a governing security policy. Note: A security domain is defined by rules for users, processes, systems, and services that apply to activity within the domain and activity with similar entities in other domains.
A security change that may have an impact on organizational operations (including mission, capabilities, or reputation).
The degree to which an IT system or application requires protection (to ensure confidentiality, integrity, and availability) which is determined by an evaluation of the nature and criticality of the data processed, the relation of the system to the organization missions and the economic value of the system components.
Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.
An unplanned event that causes an information system to be inoperable for a period of time.
SMART is a mnemonic for Specific, Measurable, Achievable, Relevant and Time bound. These characteristics are helpful to remember when identifying project objectives.
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, except for limited user-specific application configuration settings.
Documents that support policies and indicate how and what kind of technology and business processes must be implemented, used and maintained to meet policy objectives.
For the purposes of project investment, approval, oversight and quality assurance, the start of the project is at the beginning of planning.
The shared, internal enterprise network bounded by a CTS-managed security layer. The CTS-managed security layer is defined as firewalls, proxy servers, security appliances, secure gateways, and other centrally managed security services.
A mandatory periodic review of a technical policy and standard that:
Sunset reviews may occur ahead of the published sunset review date if needed.
An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
A portable general-purpose computer contained within a single small form factor LCD display sized to approximately match that of a traditional writing paper tablet. A tablet PC utilizes a touch screen as the primary input source. Typically, either wireless (802.11) or mobile (4G) networks are used for connectivity, with limited physical port options. Examples of tablet PCs include iPad, Motorola Xoom, HP Elitebook, Samsung Galaxy, Sony Tablet S, Toshiba Thrive, Acer Iconia, Kindle Fire, Nook tablet, etc.
A set of best practices for running IT like a business and, more importantly, for effectively and consistently (using a data-driven, agreed-upon framework) communicating not just the cost of IT but also attributing that cost to business services. Key to TBM is the ability of IT and business leaders to have data-driven discussions about the cost and value of IT to best support business goals.
Within the TBM Program, agencies are responsible for categorizing and documenting their costs to the program taxonomies. The TBM Program provides templates that agencies use to capture and submit categorization to the program.
The cost center used in the TBM program is agency defined. Agencies can select up to three fields coded in the statewide Agency Financial Reporting System (AFRS) for their TBM Cost Center.
This term, as used in TBM policy and accompanying standards is defined per our current TBM product. A ‘project’ is a discrete area within the product in which datasets, models, metrics and reports reside; these are configured according to specific business rules defined by the project administrator. Agency-specific projects allow for greater reporting accuracy than the multi-agency project, which allows less granularity and customization of business rules.
This is an updated industry term for IT Resource Towers (ITRT). The ITRT are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.
Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting a vulnerability.
Information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.
Something that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim.
System or network in which there exists a level of confidence (based on rigorous analysis and testing) that the security principles and mechanisms (e.g., separation, isolation, least privilege, discretionary and non-discretionary access control, trusted path, authentication, and security policy enforcement) are correctly implemented and operate as intended even in the presence of adversarial activity.
In determining whether an action would result in an undue burden, an agency shall consider all agency resources available to the program or component for which the covered technology is being developed, procured, maintained, or used.
System, network, or process that has not been evaluated or examined for correctness and adherence to the security policy. Characterized by absence of trusted status. Assumed to be unreliable, untruthful, and inaccurate unless proven otherwise.
Commercial supplier of software, hardware, or services.
The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements.
A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
A systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
An Information System Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
A technique used to identify hosts/host attributes and associated vulnerabilities.
An ad hoc or standing group of subject matter experts who support the development and maintenance of policies, standards and/or guidelines.