ABack to top
Acceptable Use Policy
A set of guidelines outlining the dos and don'ts of using an company's computer systems. It highlights parts of the full security policy and details the consequences of not following the rules.
The process of interacting with data within a computer system, whether it's obtaining, changing, copying, or sharing it across various mediums such as paper, digital files, or screens.
The duty of a person or an company to explain their actions, accept the outcomes, and share the data openly and in a timely manner.
Acknowledgement of Acceptable Use
A written attestation from a user of an computer system indicating the user's acceptance and willingness to comply with the relevant computer systems control policies.
ACL (Access Control List)
A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
Anti-Tailgating / Anti-Piggybacking Mechanism
Two sets of doors whereby access to the second is not granted until the individual has passed through (and closed) the first, often referred to as a "man trap." A controlled turnstile is also considered an anti-tailgating/piggybacking mechanism.
Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components.
Applicable Privacy Law
Relevant laws, enactments, regulations, binding industry codes, regulatory permits and licenses that are in effect and address the protection, handling and privacy of scoped privacy data, selected as being in scope for the assessment.
Application Inventory System
An asset-based approach that includes an itemized list of applications or application components, such that software versions, security testing results and additional attributes can be individually identified against such assets.
In response to the advent of borderless applications, application segmentation has evolved and should be applied consistently on the application no matter where it goes, which borders it crosses, or which siloes are carrying its traffic.
In enterprises where segmentation is oriented around applications instead of infrastructure, the security benefit is immediately apparent. If a hacker manages to compromise a user, then the hacker’s access is contained and limited to only the applications that the compromised user is allowed to access. They cannot move laterally or hop from application to application, browsing through the IT infrastructure until they find the most sensitive or valuable applications and data. The data breach is, by default, contained and cannot spread.
In computer security, a major application, general-support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically related group of systems.
Source: NIST: CNSSI-4009
The category or type assigned to an asset, which is derived from the asset classification policy. Asset classifications frequently vary from company to company.
Asset Control Tag
A unique identification number assigned to all inventoried assets.
Asset Management Program
A program for managing an company's assets which includes formalized governance, policies, and procedures.
Asset tracking refers to the method of tracking physical assets, either by scanning barcode labels attached to the assets or by using tags using GPS or RFID which broadcast their location.
Path or means by which an attacker can gain access to a system or network in order to deliver a payload or malicious outcome.
A property or field of a particular object.
The process of verifying the identity of a person user, machine, software component, or any other entity
Source: FFIEC Information Security Booklet
BBack to top
A benchmark by which subsequent items are measured.
An electrochemical cell (or enclosed and protected material) that can be charged electrically to provide a static potential for power or released electrical charge when needed.
A device that uses measurable biological characteristics such as fingerprints or iris patterns to assist in authenticating a person to an electronic system.
A business associate is a person or company, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. Business associates provide services to covered entities that include:
NOTE: A covered entity can be a business associate of another covered entity.
A set of planning, preparatory and related activities which are intended to ensure an company's critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period.
Business Continuity Plan
A process that defines exactly how, for which applications and for how long, a business plans to continue functioning after a disruptive event. The business continuity plan is usually an overarching plan that includes both operational and technology-related tasks.
Business Impact Analysis (BIA)
This term is applicable across Technology Risk Management, in both data security and business continuity planning domains. An impact analysis results in the differentiation between critical and non-critical business functions. A function may be considered critical if there is an unacceptable impact to stakeholders from damage to the function. The perception of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law.
An end-to-end service made available to internal or external parties that usually corresponds to standard service products that the Service Provider offers to clients.
The ability an company has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity. Business resilience is more than disaster recovery, it includes post-disaster strategies to avoid costly downtime, the identification and resolution of vulnerabilities and the ability to maintain business operations in the face of additional, unexpected breaches.
Business Resiliency Procedure
A process that defines exactly how, for which applications, and for how long a business plans to continue functioning after a disruptive event. The business resiliency procedure is usually an overarching procedure that includes both operational and technology-related tasks.
CBack to top
Also known as Change Management - The broad processes for managing companyal change. Change management encompasses planning, oversight or governance, project management, testing, and implementation. The purpose is to ensure that no unnecessary changes are made, that all changes are documented, that services are not unnecessarily disrupted and that resources are used efficiently.
Source: FFIEC Operations Booklet
Change Initiation Request (CIR)
A document (physical or electronic) used to track change requests, including new features, enhancement requests, defects, and changed requirements. The change initiation request document must contain:
- The name of the person initiating the change
- The system affected by the change
- A description of the change, including the file name(s) and file location(s)
- The date the change will occur
- An approval signature by someone other than the person initiating the change
- An approval date
A cipher lock is opened with a programmable keypad. The purpose of cipher locks is to control access, limiting either unannounced intrusions or unescorted entry to particular areas of a facility that are sensitive. A cipher lock may have four or five pushbuttons, depending on the manufacturer. Even with five pushbuttons, the code may be one to five digits. When the cipher lock unit is set up the code is programmed and shared with authorized personnel.
A network segment or subnet where data is sanitized for mobile devices access only.
A client is the individual and/or entity for whom services are being provided by the company.
Client Scoped Privacy Data
Data received from the company’s client that includes EU “sensitive personal data” (health, religion, criminal records, trade union membership, sexual orientation and race) and in the US, protected scoped privacy data includes name, address or telephone number in conjunction with Social Security number, driver’s license number, account number, credit or debit card number, personal identification number or user ID or password.
Climate Control System
A combination of sensors and equipment that monitors the temperature and humidity in a sensitive environment (such as a data center) and that automatically heats/cools/dehumidifies as needed to keep the atmosphere within acceptable tolerances.
Closed Circuit TV (CCTV)
CCTV is a TV system in which signals are not publicly distributed but are monitored, primarily for surveillance and security purposes. CCTV relies on strategic placement of cameras and private observation of the camera's input on monitors.
Cloud Computing - NIST Definition
Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This Cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Cloud Computing - NIST Definition of Deployment Models - Hybrid Cloud
The Cloud infrastructure is a composition of two or more Clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., Cloud bursting for load balancing between Clouds).
Cloud Computing - NIST Definition of Deployment Models - Private Cloud
The Cloud infrastructure is operated solely for the respondent. It may be managed by the company or a third party and may exist on premise or off premise.
Cloud Computing - NIST Definition of Deployment Models - Public Cloud
The Cloud infrastructure is made available to the general public or a large industry group and is owned by the Respondent selling Cloud services.
Cloud Computing - NIST Definition of Essential Characteristics - Broad Access Network
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Cloud Computing - NIST Definition of Essential Characteristics - Measured Service
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Cloud Computing - NIST Definition of Essential Characteristics - On-Demand Self-Service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Cloud Computing - NIST Definition of Essential Characteristics - Rapid Elasticity
Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Cloud Computing - NIST Definition of Essential Characteristics - Resource Pooling
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Cloud Computing - NIST Definition of Service Models - Cloud Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying Cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Cloud Computing - NIST Definition of Service Models - Cloud Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the Cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying Cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Computing - NIST Definition of Service Models - Cloud Software as a Service (SaaS)
The capability provided to the consumer is to use the provider’s applications running on a Cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying Cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application.
Cloud Service Provider (CSP)
The business or entity providing Cloud services.
A colocation (colo) is a data center facility in which a business can rent space for servers and other computing hardware. Typically, a colo provides the building, cooling, power, bandwidth and physical security while the customer provides servers and storage.
A remote facility that provides the equipment necessary for data and process restoration.
A tool for communicating data on the considerations and implications of respondent business continuity to improve decision making.
A password that combines alphabetic and non-alphabetic characters, such as special or numeric characters.
Confidential data means any data and/or documents of the client or its affiliates to which the company has had access, whether in oral, written, graphic or machine-readable form, and includes, but is not limited to: (i) trade secrets and work product; (ii) data relating to business plans or practices, sales, pricing, financial data or marketing plans or methods; (iii) software, applications, systems and networks, including source code, object code and documentation and commentary related thereto; (iv) data relating to one or more customers of the subscriber or its affiliates, including, but not limited to, the following (collectively, “client data”): (1) personal data such as a customer’s name, address, telephone number, account relationships, account numbers, account balances and account histories, (2) data concerning such customers that would be considered “nonpublic personal data” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) and its implementing regulations, as the same may be amended from time to time and (3) data concerning such customers that is protected from disclosure by other applicable federal or state laws and regulations regarding privacy; (v) confidential data of third parties in the subscriber’s or its affiliates’ possession; (vi) security procedures and measures; and (vii) all other data related to the subscriber’s and/or its affiliates’ business(es). Except with respect to customer data, “client confidential data” does not include data that (i) is at the time of its disclosure publicly known; (ii) was rightfully known by licensor at the time of disclosure; or (iii) is lawfully received by licensor from a third party not bound by confidentiality obligations to the owner of such client confidential data.
The protection of sensitive data from unauthorized disclosure and sensitive facilities due to physical, technical, or electronic penetration or exploitation.
Is the practice of handling changes systematically so that a system maintains its integrity over time.
The Information Technology Infrastructure Library (ITIL) specifies the use of a Configuration management system (CMS) or Configuration management database (CMDB) as a means of achieving industry best practices for Configuration Management. CMDBs are used to track Configuration Items (CIs) and the dependencies between them, where CIs represent the things in an enterprise that are worth tracking and managing, such as but not limited to computers, software, software licenses, racks, network devices, storage, and even the components within such items.
The benefits of a CMS/CMDB includes being able to perform functions like root cause analysis, impact analysis, change management, and current state assessment for future state strategy development.
An active employee or contractor.
A contracted professional with expertise in a particular domain or area.
A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a ‘‘covered account.’’
Source: Section 114 of the FACT Act
A. Red Flag Regulations and Guidelines
(As defined by the HIPAA Rules requirement) A covered entity can be an Individual, a business and/or an agency who must comply with HIPAA rules to protect the privacy and security of health data and must provide individuals with certain rights related to their health data (i.e. Doctors, Health Insurance Companies, healthcare clearing house).
Critical third party service provider
A service provider that is so vital that the incapacity or unavailability of such may have a debilitating impact on the business utilizing the service provider. Provides a product or performs a service for which there is no backup or alternate provider.
Cross Site Request Forgery (CSRF)
An attack which can occur when a malicious website, email, blog, instant message (IM) or program causes a user’s web browser to perform unwanted action on a trusted website. CSRF allows an attacker to access functionality in a target web application via the victim’s already authenticated browser.
Cross Site Scripting (XSS)
A computer-related security vulnerability typically found in website applications. This hacking technique can enable attackers to inject client-side script into web pages viewed by other users.
DBack to top
Any person (including a public authority, agency or any other body) which alone or jointly with others determines the purposes and means of processing scoped privacy data (EU Directive).
A flow describing and/or depicting the scoped privacy data for a given data subject for a given country or jurisdiction. The data flow defines the scoped privacy data and the protected scoped privacy data collected, stored, used, accessed, shared and transferred across borders of the country or jurisdiction that are secured, retained and retired.
Data segmentation and separation
(see also Network Segmentation ) Better security can be achieved by not mixing trusted and untrusted applications, data, and networks. Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation. Mechanisms to ensure appropriate isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored.
Any person who can be identified, directly or indirectly, by data that identifies one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. In certain countries (such as Austria, Luxembourg and Italy), this also includes data concerning legal entities/corporations.
Data Subject Category
Includes, for example, employees, clients, business partners, customers or users.
Demilitarized Zone (DMZ)
A controlled network space, delimited by firewalls or other policy-enforcing devices, which is neither inside an company's network nor directly part of the Internet. A DMZ is typically used to isolate the respondent's most highly secured data assets while allowing predefined access to those assets that must provide or receive data outside of the respondent. The access and services provided should be restricted to the absolute minimum required.
The process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to the respondent after a natural or human-induced disaster. Disaster recovery is a subset of business continuity
EBack to top
Electronic Health Records
An Electronic Health Record (EHR) is an electronic version of a patients medical history, that is maintained by the provider over time, and may include all of the key administrative clinical data relevant to that persons care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports The EHR automates access to data and has the potential to streamline the clinician's workflow. The EHR also has the ability to support other care-related activities directly or indirectly through various interfaces, including evidence-based decision support, quality management, and outcomes reporting.
The combination of hardware and software used to manage electronic data. A system which stores data from internal and external sources to facilitate better decision making.
Duration of time when a client’s service provider is experiencing an emergency event that has an impact on the client.
Closed in, surrounded, or included within.
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext). Use of encryption protects data between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure
Source: ISACA CSX Fundamentals and pci_dss_glossary_v1-1
Enterprise Risk Governance Program
A program implemented, reviewed and maintained by an company’s Executive Board (if applicable) and Senior Management to govern the relevant factors of risks to the company. This risk factors can include but are not limited to the following:
IT and Infrastructure Risks
Any detectable or discernible occurrence that has significance for the management of the IT Infrastructure or the delivery of IT service and evaluation of the impact a deviation might cause to the services. Events are typically notifications created by an IT service, Configuration Item (CI) or monitoring tool.
A result that deviates from the norm or expectation.
An item not fully covered by the question.
Any entity other than the company providing responses to the SIG. Examples include (but are not limited to) service providers, contractors/consultants, vendors, etc.
External Vulnerability Scan
A systematic review process executed from a network address outside of the Scoped Systems and Data network that uses software tools designed to search for and map systems for weaknesses in an application, computer or network. The intent is to determine if there are points of weakness in the security control system that can be exploited from outside the network.
The network entry point that receives inbound traffic.
IBack to top
Events outside normal operations that disrupt normal operational processes. An incident can be a relatively minor event, such as running out of disk space on a server, or a major disruption, such as a breach of database security and the loss of private and confidential customer data.
A term describing the activities of an company to identify, analyze, and correct hazards to prevent a future re-occurrence. These incidents within a structured company are normally dealt with by either an Incident Response Team (IRT), or an Incident Management Team (IMT). These are often designated before hand, or during the event and are placed in control of the company whilst the incident is dealt with, to restore normal functions.
A ranking of an event’s significance that uses, at a minimum, a three-point scale: minor, moderately severe, and severe. For each level of severity, the respondent's IT department should define acceptable resolution times, escalation procedures, and reporting procedures.
Scoped target and/or system data utilized/owned by an company.
Smetimes shortened to InfoSec, is the practice of defending data from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical). An data security program should include all aspects of the sensitivity of corporate data, including confidentiality, integrity and availability.
Information Security Review
An data security assessment is a measurement of the security posture of a system or company. The security posture is the way data security is implemented. Security assessments are risk-based assessments, due to their focus on vulnerabilities and impact. Security assessments rely on assessment methods that can accurately assess the Technology, People, and Process elements of security.
Source: Scoping Security Assessments - A Project Management Approach (SANS Institute Reading Room site - SANS Institute May 2011)
Internal Vulnerability Scan
A systematic review process using software tools designed to search for and map systems for weaknesses in an application, computer or network, executed from a network address within the Scoped Systems and Data network. Internal vulnerability scans are used to determine whether points of weakness in the security control system exist that could be exploited by a user with access to the internal network.
A global network connecting millions of computers. More than 100 countries are linked into exchanges of data, news and opinions.
Internet Protocol (IP)
A networking standard that allows messages to be sent back and forth over the Internet or other IP networks.
An IP network that resides behind a firewall and is accessible only to people who are members of the same company.
Intrusion Detection Systems (IDS)
A security inspection system for computers and networks that can allow for the inspection of systems activity and inbound/outbound network activity. The IDS key function identifies suspicious activity or patterns that may indicate a network or system attack.
Intrusion Protection System (IPS)
A more sophisticated Intrusion Detection System (IDS) that allows administrators to configure predefined actions to be taken if suspicious activity is detected.
An itemized list of current assets.
MBack to top
Main Distribution Frame
A wiring rack that connects outside lines with internal lines. Main distribution frames are used to connect public or private lines entering the building to the respondent’s internal networks
Is designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
Two sets of doors whereby access to the second is not granted until the individual has passed through (and closed) the first, often referred to as a "man trap." A controlled turnstile is also considered an anti-tailgating/piggybacking mechanism.
Map of Dependencies
A diagram that illustrates how a business process relates to its supporting capabilities. (“Supporting capabilities” include: people involved in the delivery of the business process, application software, middleware software, servers, storage, networking, physical facilities, and people involved in the IT and physical infrastructure management.)
Master Change Log
A document or database that contains a report of each change initiation request (CIR) (approved or rejected). The document or database must contain:
- Reference to a CIR
- Date submitted
- Date of change
- Name of affected system
- Approval status (approved or rejected)
A one-way cryptographic hash algorithm that produces a unique 128-bit alphanumeric fingerprint of its input.
Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).
smartphones, tablet computers, laptops; anyng that is not affixed to a desk or operates wirelessly
Mobile Device Management Solution
Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. It can incorporate safeguards related to but not limited to password controls, remote wipe, remote lock, detection of jailbreak devices, encryption validation.
Mobile Device Policy
A device that allows a computer or terminal to transmit data over an analog telephone line.
Multifactor authentication requires the use of solutions from two or more of the three categories of factors:
• Something the user knows (e.g., password, PIN).
• Something the user has (e.g., ATM card, smart card).
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication.
NBack to top
N+1 redundancy is a form of resilience that ensures system availability in the event of component failure. Components (N) have at least one independent backup component (+1).
Network Address Translation (NAT)
A process of rewriting the source and/or destination addresses of IP packets as they pass through a network device.
Units that mediate data in a computer network. Computer networking devices are also called network equipment, Intermediate Systems (IS) or InterWorking Unit (IWU).
A portion of a computer network that is separated from the remainder of the network by a device such as a repeater, hub, bridge, switch or router. Each segment may contain one or multiple computers or other hosts. Network segments are typically established for throughput and/or security reasons.
Network time protocol (NTP)
A protocol designed to synchronize the clocks of computers over a network.
Any physical device with a unique network address.
Auditors, consultants, contractors, and vendors.
Non-Public Information (NPI)
Any personally identifiable or company proprietary data that is not publicly available. Non-public data includes but is not limited to: certain company proprietary data, such as internal policies and memorandums; and personal data such as a person’s name, address or telephone number. It also includes data requiring higher levels of protection according to the company’s security policy, such as company proprietary trade secrets or personal data that bundles a person’s name, address or telephone number with a Social Security number, driver’s license number, account number, credit or debit card number, personal identification number, health data, religious opinions or a user ID or password.
Non-Public Personal Information (NPPI)
Any personally identifiable data that is not publicly available. Non-public, personal data includes but is not limited to name, address, city, state, zip code, telephone number, Social Security number, credit card number, bank account number and financial history.
Notice Consent Language
Any data subject consent language in a privacy notice to be accepted by a data subject (expressly or by implication). The language may relate to consent to the entire privacy notice or to particular uses of the scoped privacy data where a data subject’s non-consent to this use of the scoped privacy data results in a data subject rejecting the privacy notice. Examples of uses include cross-border transfer of scoped privacy data, special use of the scoped privacy data or special local regulatory requirements.
PBack to top
A conventional security control and the one most widely used by software vendors.
Any data subject permission (opt in or opt out) required to use or share scoped privacy data that can be easily switched on and off, including for the following purposes: marketing, affiliate sharing, product use, promotions, newsletters, tailoring services to data subject’s particular requirements, behavioral and purchasing patterns, social networking and professional networking, excluding notice consent language.
Personal Health Records
A personal health record ( PHR ) is an electronic application used by patients to maintain and manage their health data in a private, secure, and confidential environment. PHRs are managed by patients.
Personal Identification Number (PIN)
A secret shared between a user and a system that can be used to authenticate the user to the system.
Personally Identifiable Informatin (PII)
NIST Special Publication 800-122 defines PII as "any data about a person maintained by an agency, including (1) any data that can be used to distinguish or trace a person's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other data that is linked or linkable to a person, such as medical, educational, financial, and employment data."
Source: Wikipedia and NIST 800-122
A systematic scan of a computer's ports that identifies open doors. Used in managing networks, port scanning also can be used maliciously to find a weakened access point from which to break into computer.
Post-Deployment Test Document
A document that provides evidence that the change was tested and approved in the production environment. The document must contain:
- Reference to a CIR
- Identified deployment resources
- Deployment start date
- Deployment end date
- Expected results
- Actual results
- Approval signature
- Approval date
Under ordinary circumstances, individuals that are not permitted access to Scoped Data are, however, in certain circumstances able or are permitted access to Scoped Data. For example: a senior executive who reviews Scoped Data in the course of an investigation, or a courier and truck driver who picks up documents in a locked shred bin and transports them in the locked shred bin to a warehouse for shredding.
Any type of power delivery mechanism that provides continuous power to connected systems in the event of a failure in the main delivery mechanism for electricity. Such mechanisms include multiple electric feeds, automatic failover generators, and uninterruptible power supplies.
Pre-Deployment Test Document
A document (electronic or paper) that provides evidence that the requested changes were tested prior to deployment in the production environment. A pre-deployment test document is inspected for:
- Reference to a CIR
- Identified testing resources
- Testing start date
- Testing end date
- Expected test results
- Actual test results
A privacy incident is the unauthorized collection, use, access, retention or disclosure of personal or otherwise sensitive data.
Privacy Inventory Flow
The current scoped privacy data inventory/list and flow by data subject category that has been approved by management of the company. A privacy inventory flow identifies the ownership of the scoped privacy data, its sources, collection methods, storage locations, uses (by who, where and for what purpose), sharing within the company and among its third parties, trans-border flows and adequacy mechanisms chosen to ensure the protection of such scoped privacy data, security, retention and deletion schedules and mechanisms.
Notice given to data subjects on the collection, use, storage, sharing, transfer, retention and destruction of their scoped privacy data in accordance with privacy applicable law and company policy.
An company’s internal policy adopted for the life cycle of the scoped privacy data.
Privacy Risk Assessment
A privacy risk/impact assessment states what personally identifiable data (PII) is collected and explains how that data is maintained, how it will be protected and how it will be shared.
A PIA should identify:
- Whether the data being collected complies with privacy-related legal and regulatory compliance requirements.
- The risks and effects of collecting, maintaining and disseminating PII.
- Protections and processes for handling data to alleviate any potential privacy risks.
- Options and methods for individuals to provide consent for the collection of their PII.
Generally Accepted Privacy Principles (GAPP) is a recognized framework for assessing privacy risk. GAPPoperationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles.
This access grants an employee access to more than usual company data or make changes to the company network. Companies need privileged users because they have access to source code, file systems and other assets that allow them to upgrade the systems or make other technical changes.
Source: 2016 AUP Glossary
Protected Health Information (PHI)
The Privacy Rule protects individually identifiable health data, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes data that relates to all of the following:
- The individualfs past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual PHI includes many common identifiers, such as name, address, birth date, and Social Security number.
Source: HIPAA BASICS FOR PROVIDERS: PRIVACY,
SECURITY, AND BREACH NOTIFICATION RULES
Protected Scoped data
Scoped data or any other data that requires a higher level of protection or special treatment due to its sensitivity under: security applicable law; company security policy; and/or as identified in the scope definition of protected scoped data of the Shared Assessments Standardized Information Gathering (SIG) questionnaire and Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments. This may include: scoped data, such as name, address or telephone number in conjunction with Social Security number, driver’s license number, account number, credit or debit card number, personal identification number, user ID or password; a person’s health data; company trade secrets or certain confidential data. Data that falls under the definitions of both scoped data and protected scoped data (for example, credit card details).
Protected Scoped Privacy data
Any scoped privacy data required to have a higher level of protection or special treatment under privacy applicable law due to its sensitivity, e.g., encryption. This includes EU “sensitive personal data” (health, religion, criminal records, trade union membership, sexual orientation and race). In the US, protected scoped privacy data includes name, address or telephone number in conjunction with Social Security number, driver’s license number, account number, credit or debit card number, personal identification number or user ID or password.
A set of rules and formats that enable the proper exchange of data between different systems.
In networking terms, able to accept a connection originating from the public domain, e.g., the Internet.
RBack to top
Used in data center construction, a raised floor above the "true" floor allows air conditioning flow and wiring to pass freely under equipment. The space between the true and raised floors is accessed by removable floor tiles.
The company that has contracted with a service provider for a specific service.
Recovery Time Objective (RTO)
The targeted duration of time and a service level for which a business process must be restored after a disaster or disruption of service, in order to avoid unacceptable consequences, should a break occur in business continuity.
The Red Flags Rule requires many businesses and companys to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. A program can help businesses spot suspicious patterns and prevent the costly consequences of identity theft. The Federal Trade Commission (FTC) enforces the Red Flags Rule with several other agencies.
“Red Flags Rule" is formally known as the "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule”.
The rule applies only to federally regulated financial institutions, and through the FTC, to certain creditors. The term Covered Accounts is contained in the rule.
Source: ftc.gov and Web Hull
Remote access refers to the ability to access a computer, such as a home computer or an office network computer, from a remote location. This allows employees to work offsite, such as at home or in another location, while still having access to a distant computer or network, such as the office network.
Removable devices are any type of storage device that can be removed from a computer while the system is running. Examples of removable media include CDs, DVDs and Blu-Ray disks, as well as diskettes and USB drives.
Residual Risk Rating Scoring Method
A calculation of the risk that remains after security controls have been applied.
The process of identifying variables that have the potential to negatively impact an company’s ability to conduct business. A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.
Source: TechTarget and FFIEC IT Examination Handbook Glossary
Governance refers to the actions, processes, traditions and institutions by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks
Effective risk governance should provide the operating model and decision-making framework needed to identify and respond to risks.
Risk Prioritization Scoring Method
A systematic approach that quantifies risk in terms of loss potential, then sequences individual risks to determine the order in which compensating controls should be implemented.
An IT risk scenario is a description of an IT related event that can lead to a business impact, when and if it should occur. A risk scenario is characterized by:
- a threat actor
- a threat type
- asset or resource affected
The risk scenario structure differentiates between loss events (events generating the negative impact), vulnerabilities or vulnerability events (events contributing to the magnitude or frequency of loss events occurring), and threat events (circumstances or events that can trigger loss events).
Role-Based User Access
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Roles are defined according to job competency, authority and responsibility within the enterprise.
Root cause analysis
A root cause is a factor that caused a nonconformance and should be permanently eliminated through process improvement. Root Cause Analysis (RCA) describes a wide range of approaches, tools, and techniques used to uncover causes of problems. RCA is based on the basic idea that effective management requires more than merely “putting out fires” for problems that develop, but finding a way to prevent them.
SBack to top
Intended for U.S. companys that process personal data collected in the EU, the Safe Harbor Principles are designed to assist eligible companys to comply with the EU Data Protection Directive and maintain the privacy and integrity of that data. NOTE: The EU Privacy Shield program is the successor of the EU US Safe Harbor program. Announced in Feb 2016 it became operational on the 1st August 2016
In most countries, companys are prohibited by law from doing business with drugs and arms merchants and terrorist companys. Sanctions lists ranging from OFAC to the EU Consolidated Lists to the Interpol Most Wanted to the Hong Kong and Singapore Monetary Authority exist. Part of due diligence in vendor selection should include screening of the third party against sanctions lists.
Source: should this be removed from the questionnaire? P.3.5
A client’s non-public personal data (NPPI), protected health data (PHI), personal data (PI) or non-public data that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the company or client at the scoping of the engagement. Any reference to scoped data includes protected scoped data, where applicable.
Scoped Privacy Data
Any data relating to a data subject, who can be identified directly or indirectly, by that data, and in particular, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Examples of scoped privacy data include name, address, telephone number and email address. Scoped privacy data may exist in any media or format. Any reference to scoped privacy data includes protected scoped privacy data, where applicable.
Scoped Systems and Data
Computer hardware, software and/or Non-Public Personal Information that is stored, transmitted, or processed by the service provider in scope for the engagement.
A meeting held prior to commencement of a Shared Assessments engagement, to determine the Scoped Systems and Data to be included in a company's Standardized Information Gathering Questionnaire (SIG) and Agreed Upon Procedures (AUP) assessment.
Secure Code Review
The process of identifying whether software code meets the respondent's security requirements.
A space fully enclosed by walls that surround the immediate perimeter and that extend from floor to ceiling (beyond raised floors and ceilings), which is contained, and whose points of entry are secured.
Secure Socket Layer (SSL)
A protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
An environment from where people work from their desks with the purpose of accessing, editing or inputting Scoped Systems and Data on a computer, telephone or physical media, e.g., a BPO or call center environment.
Secure Workspace Perimeter
A space fully enclosed by walls that surround the Secure Workspace which is contained, and whose points of entry and exit are secured.
Security Applicable Law
Applicable laws, enactments, regulations, binding industry codes, regulatory permits and licenses which are in effect that address the protection, handling and security of scoped data and protected scoped data and that are determined to be in scope by the company or client at the scoping of the engagement.
Security Architecture Risk Analysis
Defines concepts, methods, and techniques for analyzing the architecture and design of software systems for security flaws.
A published document or set of documents defining requirements for one or more aspects of data security.
Segmentation / Separation (of data)
see Data Segmentation / Separation
Sensitive customer financial information
A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer data also includes any combination of components of customer data that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.
Source: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Also known as “scoped data,” any customer data stored at the company’s facility. This data may be stored in the form of physical media, digital media or any other storage medium.
A computer that makes services, such as access to data files, programs, and peripheral devices, available to workstations on a network.
A service account is a user account that has been created to run a particular piece of software or service. The account belongs to the software application instead of to a person end user.
Service Level Agreement (SLA)
An agreement that details the responsibilities of an IT service provider, the rights of the service provider’s customers, and the penalties assessed when the service provider violates any element of the SLA. SLAs also identify and define the service, plus the supported products, evaluation criteria, and quality of service customers should expect. SLAs are typically measured in terms of metrics. Examples include processing completion times and systems availability times.
Source: FFIEC IT Examination Handbook Glossary
An subcontractor that provides outsourced services, such as data processing, business operations, applications, systems or staffing.
Service Set Identifier (SSID)
A 32-character unique identifier attached to the header of packets sent over a wide area network to identify each packet as part of that network.
Simple Mail Transfer Protocol (SMTP)
The de facto standard for email transmissions across the Internet.
A mechanical device that is sensitive to the presence of smoke or particulate material in the air that transmits a signal to a measuring or control instrument.
Vendor developed software code used for custom or commercial-off-the-shelf purposes.
The process of defining a structured software solution that meets all of the technical and operational requirements, while optimizing common quality attributes such as performance, security, and manageability.
Software Security Group
A group whose charter is to assist in the design, review and implementation of software that protects the data and resources contained in and controlled by that software.
Change to employment status that is recorded by human resources, such as promotions, demotions or departmental changes.
The act of managing and maintaining a given asset.
The physical location where target systems and data are stored.
Password length must be a minimum of seven (7) characters, must not to contain a common usage word or a word found in the English dictionary, may not contain user name, any part of a full name or access level of the user and must contain characters from at least three (3) of the following four (4) classes of characters:
• Upper case letters (A, B, C, ….Z)
• Lower case letters (a, b, c, ….z)
• Numbers (0,1, 2, …9)
• Non-alphanumeric ("special characters") such as punctuation symbols
is a business or a person that signs a contract to perform part or all of the obligations of another's contract.
The business unit that retains financial ownership or decision rights for the business use of the asset.
The primary assigned administrator responsible for maintenance and day-to-day tasks that support the business.
Systems Development Life Cycle (SDLC)
A process for planning, creating, developing, testing and deploying a software application or computer system.
TBack to top
Computer hardware and software in scope for the engagement that contains scoped data.
All entities or persons that work on behalf of the company but are not its employees, including consultants, contingent workers, clients, business partners, service providers, subcontractors, vendors, suppliers, affiliates and any other person or entity that accesses Scoped Systems and Data.
Threat Impact Calculation Method
A systematic method of determining the loss potential of a particular threat, based on the value of assets affected.
Threat modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.
Threat modeling has a structured approach that is far more cost efficient and effective than applying security features in a haphazard manner without knowing precisely what threats each feature is supposed to address.
Threat Probability Calculation Method
A systematic method of determining the potential for a particular threat to occur, based on the likelihood of the occurrence collected from internal staff, past records, and official security records.
Threats x Vulnerability x Asset Value = Total Risk
(Threats x Vulnerability x Asset Value) x Controls Gap = Residual Risk
A unique identifier generated on both a host and small, user-held device that allows the user to authenticate to the host.
Transmission Control Protocol (TCP)
A protocol of TCP/IP networks. TCP, the basic communication language (or protocol) of the Internet, enables two hosts to establish a connection and exchange streams of data.
The permanent overhead interior surface of a room, constructed of solid building materials offering resistance to and evidence of unauthorized entry.
The permanent bottom interior surface of a room, constructed of solid building materials offering resistance to and evidence of unauthorized entry.
(aka multi-factor authentication ) The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).