Scoping guidance
Scoping guidance is part of tailoring guidance. It provides organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline. More generally, scoping guidance covers the specific factors related to technology, infrastructure, public access, scalability, common security controls, and risk that organizations can consider when deciding how individual security controls in the baseline apply and how they are implemented.
Safeguarding statement
A safeguarding statement is a statement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banners.
Safeguards
Safeguards are protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Safety
Safety is defined as the requirement to ensure that the individuals involved with an organization, including employees, customers, and visitors, are safeguarded from any kind of malicious act or attack.
Salt
Salt is a non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.
Sandboxing
Sandboxing is a method of isolating application modules into distinct fault domains enforced by software. It is a technique that allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine-interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. Sandboxing also refers to a restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Sanitization
Sanitization is the process of removing information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. More generally, sanitization refers to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.
S-box
An S-box is a nonlinear substitution table used in several byte substitution transformations and in the key expansion routine to perform a one-for-one substitution of a byte value.
Scanning
Scanning is sending packets or requests to another system to gain information to be used in a subsequent attack.
Scatternet
A scatternet is a chain of piconets created by allowing one or more Bluetooth devices to each be a slave in one piconet and simultaneously act as the master for another piconet. A scatternet allows several devices to be networked over an extended distance.
Scavenging
Scavenging is the process of searching through data residue in a system or a network to gain unauthorized knowledge of sensitive information.
Secret key (symmetric) cryptographic algorithm
A secret key (symmetric) cryptographic algorithm is a cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption and decryption.
Secret key
A secret key is a cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm, is uniquely associated with one or more entities, and is not made public. It must be protected from unauthorized disclosure in order to protect the data encrypted with it. The use of the term “secret” in this context does not imply a classification level; rather, it implies the need to protect the key from disclosure or substitution.
Secret seed
A secret seed is a secret value used to initialize a pseudorandom number generator.
Secure communication protocol
A secure communication protocol is a communication protocol that provides the appropriate confidentiality, authentication, and content-integrity protection.
Secure communications
Secure communications are telecommunications deriving security through the use of NSA-approved products and/or protected distribution systems. In the DNS context, the term refers to configuring and operating DNS servers so that the security goals of data integrity and source authentication are achieved and maintained.
Secure electronic transaction (SET)
A secure electronic transaction (SET) is a communications protocol standard for securing credit card transactions over insecure networks. SET ensures that all parties (customer, merchant, and bank) are authenticated using digital signatures, protects the message and provides integrity through encryption, and provides end-to-end security for credit card transactions online.
Secure erase
Secure erase is an overwrite technology that uses a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications and runs inside the drive hardware. It completes in about 1/8 the time of a 5220 block erasure.
Secure hash algorithm (SHA)
A secure hash algorithm (SHA) is a hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
Secure hash standard
The secure hash standard specifies secure hash algorithms (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256) for computing a condensed representation of electronic data (a message). When a message of any length less than 2^64 bits (for SHA-1, SHA-224, and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224, and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). The hash algorithms specified in this standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with very high probability, result in a different message digest. This results in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. In addition, a secure hash standard is a specification for a secure hash algorithm that can generate a condensed message representation called a message digest.
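The following script is an added example, not part of the glossary, that checks the properties the entry describes against Python's standard library: the digest lengths of the named algorithms, the change in the digest when one message bit is flipped, and the resulting verification failure of a keyed-hash message authentication code. The message and key are constructed sample values.

```python
# Added example (not part of the glossary): exercises the Secure Hash
# Standard properties described above with Python's standard library.
import hashlib
import hmac

# Algorithms named in the entry, mapped to the digest length (bits) each
# produces. The two truncated SHA-512 variants are not in every hashlib
# build, so they are used only when available.
SHS_DIGEST_BITS = {
    "sha1": 160, "sha224": 224, "sha256": 256, "sha384": 384,
    "sha512": 512, "sha512_224": 224, "sha512_256": 256,
}

def available_algorithms():
    """Names from SHS_DIGEST_BITS that this Python build can compute."""
    return [n for n in SHS_DIGEST_BITS if n in hashlib.algorithms_available]

def digest_hex(algorithm, message):
    """Message digest of `message` (bytes) as a hex string."""
    return hashlib.new(algorithm, message).hexdigest()

def digest_bits(algorithm, message):
    """Length of the digest in bits, to compare against SHS_DIGEST_BITS."""
    return hashlib.new(algorithm, message).digest_size * 8

def flip_one_bit(message, bit_index):
    """Return a copy of `message` with a single bit inverted."""
    data = bytearray(message)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)

def avalanche_fraction(algorithm, message, bit_index=0):
    """Fraction of digest bits that change when one input bit is flipped.

    For a secure hash this is close to 0.5: a tiny change to the message
    yields a completely different digest, as the entry states.
    """
    a = int(digest_hex(algorithm, message), 16)
    b = int(digest_hex(algorithm, flip_one_bit(message, bit_index)), 16)
    return bin(a ^ b).count("1") / digest_bits(algorithm, message)

def hmac_tag(key, message, algorithm="sha256"):
    """Keyed-hash MAC, one of the uses of SHS algorithms named above."""
    return hmac.new(key, message, algorithm).digest()

def hmac_verifies(key, message, tag, algorithm="sha256"):
    """True only if `tag` matches; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hmac_tag(key, message, algorithm), tag)

if __name__ == "__main__":
    msg = b"constructed sample message"   # constructed input
    key = b"constructed-demo-key"          # constructed key
    for name in available_algorithms():
        assert digest_bits(name, msg) == SHS_DIGEST_BITS[name]
        print(f"{name:<10} {SHS_DIGEST_BITS[name]:>3} bits "
              f"avalanche={avalanche_fraction(name, msg):.2f}")
    tag = hmac_tag(key, msg)
    print("MAC verifies on original     :", hmac_verifies(key, msg, tag))
    print("MAC verifies after 1-bit flip:",
          hmac_verifies(key, flip_one_bit(msg, 5), tag))
```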
Secure shell (SSH)
A secure shell (SSH), also known as a secure socket shell, is a Unix-based command interface and protocol used to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another.
Secure sockets layer (SSL)
Secure sockets layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. SSL was developed by Netscape for transmitting private documents via the Internet.
Secure state
Secure state is a condition in which no subject can access any object in an unauthorized manner.
Secure subsystem
A secure subsystem is a subsystem containing its own implementation of the reference monitor concept for those resources it controls. A secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.
Security assertion markup language (SAML)
Security assertion markup language (SAML) is an XML-based security specification developed by the Organization for the Advancement of Structured Information Standards (OASIS) for exchanging authentication (and authorization) information between trusted entities over the Internet. It is a framework for exchanging authentication and authorization information: security typically involves checking the credentials presented by a party for authentication and authorization, and SAML standardizes the representation of these credentials in an XML format called “assertions,” enhancing interoperability between disparate applications. SAML is also a protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between online business partners.
Security association
A security association is a relationship established between two or more entities to enable them to protect data they exchange.
Security attribute
A security attribute is a security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers. Compartments, caveats, and release markings are examples of security attributes. A security attribute is also an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
Security authorization boundary
A security authorization boundary is an information security area that includes a grouping of tools, technologies, and data.
Security banner
A security banner is a banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. A security banner can also refer to the opening screen that informs users of the security implications of accessing a computer resource.
Security categorization
Security categorization is the process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for systems other than national security systems.
Security category
A security category is the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of that information or information system would have on organizational operations, organizational assets, or individuals. The broader definition also counts the impact on other organizations and the Nation.
Security concept of operations
A security concept of operations is a security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.
Security content automation protocol (SCAP)
Security content automation protocol (SCAP) is a method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements.
Security control assessment
Security control assessment is the testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system and/or enterprise.
Security control assessor
A security control assessor is the individual, group, or organization responsible for conducting a security control assessment.
Security control baseline
A security control baseline is the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. It is one of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.
Security control effectiveness
Security control effectiveness is the measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
Security control enhancements
Security control enhancements are statements of security capability to 1) build in additional, but related, functionality to a basic security control; and/or 2) increase the strength of that control.
Security control inheritance
Security control inheritance is a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control.
Security controls baseline
A security controls baseline is the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
Security controls
Security controls are the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security domain
A security domain is a set of subjects, their information objects, and a common security policy. It is also a collection of entities to which a single security policy, executed by a single authority, applies; in other words, a domain that implements a security policy and is administered by a single authority.
Security engineering
Security engineering is an interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.
Security fault analysis (SFA)
Security fault analysis (SFA) is an assessment, usually performed on information system hardware, to determine the security properties of a device when a hardware fault is encountered.
Security features user's guide (SFUG)
A security features user's guide (SFUG) is a guide or manual explaining how the security mechanisms in a specific system work.
Security filter
A security filter is a secure subsystem of an information system that enforces security policy on the data passing through it.
Security functions
Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
Security impact analysis
Security impact analysis is the analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
Security information and event management (SIEM) tool
A security information and event management (SIEM) tool is an application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.
Security inspection
A security inspection is the examination of an information system to determine compliance with security policy, procedures, and practices.
Security kernel
A security kernel is the hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. A security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.
Security label
A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. It is also information that represents or designates the value of one or more security-relevant attributes (e.g., classification) of a system resource.
Security level
A security level is a hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy being enforced, a specific level of protection.
Security management dashboard
A security management dashboard is a tool that consolidates and communicates information relevant to the organizational security posture in near real time to security management stakeholders.
Security marking
A security marking is human-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings.
Security markings
Security markings are human-readable indicators applied to a document, storage media, or hardware component to designate security classification, categorization, and/or handling restrictions applicable to the information contained therein. For intelligence information, security markings could include compartment and sub-compartment indicators and handling restrictions.
Security mechanism
A security mechanism is a device designed to provide one or more security services usually rated in terms of strength of service and assurance of the design.
Security net control station
A security net control station is a management system overseeing and controlling the implementation of network security policy.
Security objective
A security objective pertains to confidentiality, integrity, or availability.
Security perimeter
A security perimeter is a physical or logical boundary that is defined for a system, domain, or enclave, within which a specified security policy or security architecture is applied.
Security plan
A security plan is a formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
Security policy
A security policy is a set of rules and practices that specify how a system or organization delivers security services to protect sensitive and critical information.
Security posture
Security posture is the security status of an enterprise’s networks, information, and systems based on the resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Security program plan
A security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements.
Security range
A security range is the highest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.
Security relevant change
A security-relevant change is any change to a system’s configuration, environment, information content, functionality, or users that has the potential to change the risk imposed upon its continued operation.
Security relevant event
A security-relevant event is an occurrence (e.g., an auditable event or flag) considered to have potential security implications for the system or its environment that may require further action (noting, investigating, or reacting).