view release on metacpan or  search on metacpan

factpacks/security.fact  view on Meta::CPAN

compromising emanations => Unintentional data-related or intelligence-bearing signals that, if intercepted and analyzed, disclose the information transmission received, handled, or otherwise processed by any information processing equipment.  See TEM...
CSTVRP => Computer Security Technical Vulnerability Reporting Program - A program that focuses on technical vulnerabilities in commercially available hardware, firmware and software products acquired by DoD.  CSTVRP provides for the reporting, catalo...
abuse => The misuse, alteration, disruption or destruction of data processing resources.  The key aspect is that it is intentional and improper.
architecture => The set of layers and protocols (including formats and standards that different hardware/software must comply with to achieve stated objectives) which define a computer system. Computer architecture features can be available to applic...
cryptography => The use of a crypto-algorithm in a computer, microprocessor, or microcomputer to perform encryption or decryption in order to protect information or to authenticate users, sources, or information.
fraud => Computer-related crimes involving deliberate misrepresentation, alteration or disclosure of data in order to obtain something of value (usually for monetary gain).  A computer system must have been involved in the perpetration or coverup of ...
security => Synonymous with automated information systems security.
security subsystem => A device designed to provide limited computer security features in a larger system environment.
concealment system => A method of achieving confidentiality in which sensitive information is hidden by embedding it in irrelevant data.
confidentiality => (1) The assurance that information is not disclosed to inappropriate entities or processes. (2) The property that information is not made available or disclosed to unauthorized entities. (3) The prevention of the unauthorized discl...
configuration => the selection of one of the sets of possible combinations of features of a Target of Evaluation.
configuration control => management of changes made to a system's hardware, software, firmware, and documentation throughout the development and operational life of the system.
configuration management => The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, test, test fixtures and test documentation throughout the development and operat...
confinement => The prevention of the leaking of sensitive data from a program.
confinement channel => Synonymous with covert channel.
confinement property => Synonymous with star property (*-property).
connection => a liaison, in the sense of a network interrelationship, between two hosts for a period of time. The liaison is established (by an initiating host) for the purpose of information transfer (with the associated host); the period of time is...
constrained => A qualifier implying: within the TSF Scope of Control
construction => the process of creating a Target of Evaluation.
consumers => Individuals or groups responsible for specifying requirements for IT product security (e.g., policy makers and regulatory officials, system architects, integrators, acquisition managers, product purchasers, and end users.
contamination => The intermixing of data at different sensitivity and need-to-know levels.  The lower level data is said to be contaminated by the higher level data; thus, the contaminating (higher level) data may not receive the required level of pr...
content-dependent access control => Access control in which access is determined by the value of the data to be accessed.
context-dependent access control => Access control in which access is determined by the specific circumstances under which the data is being accessed.
contingency plan => A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of oper...
control objective => Required result of protecting information within an IT product and its immediate environment.
control zone => The space, expressed in feet of radius, surrounding equipment processing sensitive information, that is under sufficient physical and technical control to preclude an unauthorized entry or compromise.
controlled access => See access control.
controlled sharing => The condition that exists when access control is applied to all users and components of a system.
corporate security policy => The set of laws, rules and practices that regulate how assets including sensitive information are managed, protected and distributed within a user organisation.
correctness => In security evaluation, the preservation of relevant properties between successive levels of representations. Examples of representations could be: top-level functional specification, detailed design specification, actual implementatio...
cost-risk analysis => The assessment of the costs of providing data protection for a system versus the cost of losing or compromising the data.
countermeasure => Action, device, procedure, technique, or other measure that reduces the vulnerability of an AIS.
covert channel => A communication channel that allows a process to transfer information in a manner that violates the system's security policy.  See also: Covert Storage Channel, Covert Timing Channel.
covert storage channel => A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process.  Covert storage channels typically involve a f...
covert timing channel => A covert channel in which one process signals information to another by modulating its own use of system resources (e.g=2E, CPU time) in such a way that this manipulation affects the real response time observed by the second ...
criteria => See DoD Trusted Computer System Evaluation Criteria. Examples of other criteria are the Information Technology Security Evaluation Criteria (Europe), Canadian Trusted Computer Product Evaluation Criteria, Federal Criteria for Information ...
critical mechanism => a mechanism within a Target of Evaluation whose failure would create a security weakness. Customer - the person or organisation that purchases a Target of Evaluation.
cryptoalgorithm => A well-defined procedure or sequence of rules or steps used to produce a key stream or ciphertext from plaintext and vice versa.
cryptography => (1) The principles, means, and methods for rendering information unintelligible, and for restoring encrypted information to intelligible form. (2) The transformation of ordinary text, or "plaintext," into coded form by encryption and ...
cryptosecurity => The security or protection resulting from the proper use of technically sound cryptosystems. 
data => Information with a specific physical representation.
data confidentiality => the state that exists when data is held in confidence and is protected from unauthorized disclosure.
DES => Data Encryption Standard - (1) A cryptographic algorithm for the protection of unclassified data, published in US Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the US National Institute of Standards and Tech...
data integrity => (1) The state that exists when computerized data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction. (2) The property that data has not been exposed to accidenta...
data flow control => Synonymous with  information flow control.
data security => The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
database management system => A computer system whose main function is to facilitate the sharing of a common set of data among many different users. It may or may not maintain semantic relationships among the data items.
DBMS => Abbreviation for "database management system."
decomposition => Requirement in a protection profile that spans several components. Note: The decomposition of a specific requirement becomes necessary when that requirement must be assigned to multiple components of the generic product requirements ...
dedicated security mode => the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a speci...
default classification => A temporary classification reflecting the highest classification being processed in a system.  The default classification is included in the caution statement affixed to the object.
degauss => To reduce magnetic flux density to zero by applying a reverse magnetizing field.
DPL => Degausser Products List - A list of commercially produced degaussers that meet US National Security Agency (NSA) specifications. This list is included in NSA's "Information Systems Security Products and Services Catalogue," available through t...
degausser => An electrical device that can generate a magnetic field for the purpose of degaussing magnetic storage media.  Degausser Products List (DPL) A list of commercially produced degaussers that meet National Security Agency specifications.  T...
delivery => the process whereby a copy of the Target of Evaluation is transferred from the developer to a customer.
DOS => Denial Of Service - (1) The prevention of authorized access to system assets or services or the delaying of time-critical operations. (2) Any action or series of actions that prevents any part of a system from functioning in accordance with it...
dependency => Condition in which the correctness of one TCB subset is contingent (depends for its correctness) on the correctness of another TCB subset. Note: A TCB subset A depends for its correctness on TCB subset B if and only if the (engineering)...
depends => A TCB subset A depends (for its correctness) on TCB subset B if and only if the (engineering) arguments of the correct implementation of A with respect to its specification assume, wholly or in part, that the specification of B has been im...
DTLS => Descriptive Top-Level Specification - A top-level specification that is written in a natural language (e.g., English), an informal design notation, or a combination of the two.
DAA => Designated Approving Authority - Official with the authority to formally assume responsibility for operating an IT product, an AIS, or network at an acceptable level of risk.
detailed design => a phase of the Development Process wherein the top level definition and design of a Target of Evaluation is refined and expanded to a level of detail that can be used as a basis for implementation.
developer => the person or organisation that manufactures a Target of Evaluation.
developer security => the physical, procedural and personnel security controls imposed by a developer on his Development Environment.
development assurance => Sources of IT product assurance ranging from how a product was designed and implemented to how it is tested, operated and maintained.
development assurance component => Fundamental building block, specifying how an IT product is developed, from which development assurance requirements are assembled.
development assurance package => Grouping of development assurance components assembled to ease specification and common understanding of how an IT product is developed.
development assurance requirements => Requirements in a protection profile which address how each conforming IT product is developed including the production of ap- propriate supporting developmental process evidence and how that product will be main...
development environment => the organisational measures, procedures and standards used whilst constructing a Target of Evaluation.
development process => The set of phases and tasks whereby a Target of Evaluation is constructed, translating requirements into actual hardware and software.
dial back => Synonymous with call back.
dialup => The service whereby a computer terminal can use the telephone to initiate and effect communication with a computer.
digital signature => A cryptographic method, provided by public key cryptography, used by a message's recipient and any third party to verify the identity of the message's sender. It can also be used to verify the authenticity of the message. A sende...
DSS => Digital Signature Standard - A US Federal Information Processing Standard proposed by NIST (National Institute of Standards and Technology) to support digital signature.
digital telephony => Telephone systems that use digital communications technology.
disaster plan => Synonymous with contingency plan.
DAC => Discretionary Access Control - a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that: (a) A subject with a certain access permission is c...
documentation => the written (or otherwise recorded) information about a Target of Evaluation required for an evaluation. This information may, but need not, be contained within a single document produced for the specified purpose.
TCSEC => DoD Trusted Computer System Evaluation Criteria - A document published by the National Computer Security Center containing a uniform set of basic requirements and evaluation classes for assessing degrees of assurance in the effectiveness of ...
domain => The unique context (for example, access control parameters) in which a program is operating - in effect, the set of objects that a subject has the ability to access. Note: A subject's domain determines which access control attributes an obj...
dominate => Security level S1 is said to dominate security level S2 if the hierarchical classification of S1 is greater than or equal to that of S2 and the non-hierarchical categories of S1 include all those of S2 as a subset.
ease of use => an aspect of the assessment of the effectiveness of a Target of Evaluation, namely that it cannot be configured or used in a manner which is insecure but which an administrator or end-user would reasonably believe to be secure.
effectiveness => In security evaluations, an aspect of assurance assessing how well the applied security functions and mechanisms working together will actually satisfy the security requirements.
element => An indivisible security requirement which is to be satisfied during an evaluation.
emanations => See compromising emanations.
embedded system => A system that performs or controls a function, either in whole or in part, as an integral element of a larger system or subsystem.
emergency plan => Synonymous with contingency plan.
emission security => The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from intercept and from an analysis of compromising emanations from systems=2E
encryption => The process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission or storage. Encryption is based on an algorithm and at least one key. Even if the algorithm is known, the in...
end user => A person in contact with a target of evaluation who makes use only of its operational capability.
end to end encryption => The protection of information passed in a telecommunications system by cryptographic means, from point of origin to point of destination.
ETL => Endorsed Tools List - The list of formal verification tools endorsed by the NCSC for the development of systems with high levels of trust=2E
environment => (1) All entities - users, procedures, conditions, objects, AISs (automated information systems), and other IT (information technology) products - that interact with (affect the development, operation, and maintenance of) an IT product....
erasure => A process by which a signal recorded on magnetic media is removed. Erasure is accomplished in two ways: (1) by alternating current erasure, by which the information is destroyed by applying an alternating high and low magnetic field to the...
evaluation => Technical assessment of a component's, product's, subsystem's, or system's security properties that establishes whether or not the component, product, subsystem, or system meets a specific set of requirements. Note: Evaluation is a term...
evaluation assurance => Source of IT product assurance based on the kind and intensity of the evaluation analysis performed on the product.
ealuation assurance Component => Fundamental building block, specifying the type and the rigor of required evaluation activities, from which evaluation assurance requirements are assembled.
evaluation assurance package => Grouping of evaluation assurance components assembled to ease specification and common understanding of the type and the rigor of re- quired evaluation activities.
evaluation assurance requirements => Requirements in a protection profile which address both the type and the rigor of activities that must occur during product evaluation.
evaluation criteria => A set of requirements defining the conditions under which an evaluation is performed. These requirements can also be used in specification and development of systems and products.
evaluator => the independent person or organisation that performs an evaluation.
evaluator actions => a component of the evaluation criteria for a particular phase or aspect of evaluation, identifying what the evaluator must do to check the information supplied by the sponsor of the evaluator, and the additional activities he mus...
evaluators => Individuals or groups responsible for the independent assessment of IT product security (e.g., product evaluators, system security officers, system certifiers, and system accreditors).
executive state => (1) One of several states in which a system may operate and the only one in which certain privileged instructions may be executed. Such instructions cannot be executed when the system is operating in other (for example, user) state...
explain => Give required information and show that it satisfies all relevant requirements.
exploitable channel => Covert channel that is usable or detectable by subjects external to the AIS's trusted computing base and can be used to violate the AIS's technical security policy. (See covert channel.)
external security controls => Measures which include physical, personnel, procedural, and administrative security requirements and a separate certification and accreditation process that govern physical access to an IT product. <br><br>Note: These me...
fail safe => Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system.
fail soft => Pertaining to the selective termination of affected nonessential processing when a hardware or software failure is detected in a system.
failure access => An unauthorized and usually inadvertent access to data resulting from a hardware or software failure in the system.
failure control => The methodology used to detect and provide fail-safe or fail-soft recovery from hardware and software failures in a system.
family => Grouping of related components that all address the same type of
fault => A condition that causes a device or system component to fail to perform in a required manner.
fetch protection => (1) A system-provided restriction to prevent a program from accessing data in another user's segment of storage. (2) The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination,...
file protection => The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination, or elimination of a file.
file security => The means by which access to computer files is limited to authorized users only.
flaw => An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.
flaw hypothesis methodology => A system analysis and penetration technique where specifications and documentation for the system are analyzed and then flaws in the system are hypothesized.  The list of hypothesized flaws is then prioritized on the ba...
formal => Based upon precise and unambiguous syntax and semantics. -  Human user - A person who interacts with the TOE.
formal development methodology => A collection of languages and tools that enforces a rigorous method of verification.  This methodology uses the Ina Jo specification language for successive stages of system development, including identification and ...
formal model of security policy => an underlying model of security policy expressed in a formal style, i.e. an abstract statement of the important principles of security that a TOE will enforce. 
formal proof => A complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems.  The formal verification process uses formal proofs to show the truth of ce...