Information Security Glossary of Terms

About the Glossary

Confused by a data security acronym, abbreviation or expression? Mystified by 'cyber security' and other newfangled jargon and 'technobabble'? Or perhaps you're writing documentation and need some extra information assurance expressions to make your technical vocabulary more compelling?

Our Information Security Glossary of Terms is a useful reference you can use as a guide to help with discussing IA concepts. If you have a term in mind, simply click on the initial letter in the box below, and you'll be taken to a shortened list of security terms and meanings you can scroll through. Alternatively, if you prefer to pick up new terminology, Wendy and I have designed the Information Security Glossary to be as comfortable as possible to browse through. We hope you find our security dictionary helpful.

Something Missing?

If there is a security term or definition you feel should be listed in the Information Security Glossary of Terms, please drop us a line.

A

Access Control
A physical or technical control (or system) to ensure authorised access and to prevent unauthorised access to resources, premises or systems to enforce business or security requirements. This could include such things as a lock to which only authorised personnel have the key, a swipe-card entry system, PIN controls on ATMs, file permissions on a server or any other means of controlling usage.
Access Management
This describes the process responsible for permitting user access to information services, information or other protected assets. Access Management supports protective measures assuring the Confidentiality, Integrity and Availability of assets by ensuring that only authorised users are able to access or modify them. Access Management may also be referred to as Rights Management or Identity Management.
Accountability
Responsibility (and, often, culpability) for the effects of one's actions with an explanation of how and why the actions took place.
Accreditation
In the context of HMG security: formal declaration by a designated approving authority that a system is approved to operate in a particular security mode using a prescribed set of safeguards (which may include technical countermeasures, physical controls, personnel processes and operating procedures). In a more general context (e.g. for ISO27001), a procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks.
Accreditor
The designated approving authority (often a single individual, but frequently one of a team) that undertakes accreditation.
Aggregation
Of particular relevance in considering the increased sensitivity/value of large volumes of personal data, but applies also to other information resources. Aggregation is the effect by which information may be combined with other information in order to increase its sensitivity or value. This may be due to:

  • Accumulation - whereby a large quantity of similar data elements (e.g. multiple individuals' financial records) increases the value of the set as a whole.
  • Association - whereby differing information may be combined to increase value/sensitivity (e.g. combining anonymised usage data with details of the users themselves).
  • Inference/Omission - whereby sensitive or valuable inferences can be drawn by "reading between the lines", or perhaps by observing the anomalous omission of key aspects of data.
Administrative System(s)
See Management System(s)
Advisory
In the context of Information Security, an advisory is a report on vulnerabilities, weaknesses or flaws discovered (or existing, or predicted) in software, systems or services, often with advice for dealing with them or working around them.
Antivirus
A piece of software (or other service) that detects, and sometimes removes, viruses, Trojans and other malicious software. Antivirus software generally works using signatures to recognise malicious content, although it may also contain hybrid functionality that allows it to detect suspicious behaviour in software or services, allowing it to assist in detecting unknown infections.
Architecture
In the context of IT systems, as opposed to buildings, "architecture" describes the approach to designing and constructing systems, networks, applications or even information storage. A variety of formal methodologies exist to support information architecture development, and even more exist to help develop Security Architecture.
Asset
An asset is essentially anything of value, which therefore needs to be protected to some degree. In the context of Information Security, it is common to see the term information asset used when looking at information that needs to be protected.
Asset Protection
Describes the process(es) undertaken in order to protect assets, whether they are physical, procedural or technical.
Attack
In an Information Security context, an attack is an event where an unauthorised person (or group) attempts to breach the Confidentiality, Integrity or Availability of an information asset. An attack may be against the asset in general or against controls in place to protect it (e.g. privilege escalation).
Attack Potential
Often called "Risk Level" or "Likelihood", this is a measure of the perceived (or actual) potential for a successful attack, given a specific threat, their capability, motivation and the resources available to them.
Attack Surface
Normally applied to software or services exposed to untrusted or unauthenticated users, this indicates the amount of code, input fields, interfaces and the like that can be accessed by those users.
Audit
An audit is an official inspection of an organisation, a system, a network or anything that is required to comply with standards, policies or controls. An audit will generally consist of a systematic review of the target against the controls and objectives with which it is required to comply.
Audit Logging
This describes the practice of logging or recording events and activity in order to support audit requirements. This term may also refer to (or be part of) a Protective Monitoring regime.
Audit Trail
An audit trail is a documented set of evidence that proves how a transaction or event took place, whether electronic or not, which can be used to support later action (e.g. disciplinary measures for breaches of organisational policy).
Authentication
This is the act of confirming that an entity (e.g. person, process, organisation) is who or what it claims to be, generally by presentation of some shared knowledge (e.g. a password), a unique token (e.g. a passport) or evidence of some independent validation (e.g. an SSL certificate). It is generally accepted that there are three main 'factors' that can be used for authentication:
  1. Something you know - for example a password, your mother's maiden name, a PIN, etc.
  2. Something you have - for example a key, a token, a swipe card, etc.
  3. Something you are - physical, biological or behavioural aspects such as your fingerprints, iris, facial image, etc. (see biometrics).
Authenticity
This refers to the truthfulness, or reliability, of something's origins or attributes.
Availability
See Confidentiality, Integrity & Availability

B

Back Door
This refers to an undocumented or maliciously added alternative means of access to a piece of software, a system or a service. For example, the developer of a telephone exchange could incorporate a means by which they can make free calls, or a software developer may include code allowing them to access information supposedly protected from unauthorised access by that software.
Baseline Personnel Security Standard (BPSS)
A standard issued under the Security Policy Framework that defines a baseline level of personnel vetting, allowing organisations to place a degree of trust in their staff. Consists primarily of verifying an individual's identity and a few years' worth of their residential and work history.
Best Practice
Since the definition of "Best" in this context is frequently the subject of academic debate, it is more common to use the term Good Practice.
BCP
See Business Continuity Plan(ning)
BIL
See Business Impact Level.
Biometrics
Biometrics is a term for processes and techniques that endeavour to uniquely identify individuals based on physical or behavioural traits. These may be:
  • Physiological - for example, fingerprints, iris patterns, facial images, DNA, etc. or
  • Behavioural - for example gait, vocal patterns, handwriting, etc.
Biometric Access Control
A system of Access Control that uses biometric factors to permit (or deny) access to protected facilities or systems. For example, fingerprint readers on doors or facial recognition on laptops.
Black Hat
A term used most frequently in relation to Information Technology or Information Security referring to a person (especially a hacker) who uses their skills and resources for personal gain or malicious intent. Believed to come originally from old Western movies, where the "bad guy" would often wear a black hat!
BPSS
See Baseline Personnel Security Standard.
BS
Baseline Standard (clearance/vetting): see Baseline Personnel Security Standard.
Business Continuity (Management)
This is a term describing the discipline around Business Continuity Planning. Business Continuity does not only involve activities that take place during or after a disaster, but also those activities performed daily to maintain service, consistency, and recoverability.
Business Continuity Plan (and Business Continuity Planning)
The Business Continuity Plan (or BCP) is a set of processes and plans that are activated during or following a disaster or other adverse event to ensure that critical business functions (technical or not) can continue and remain available to those that need to access them (whether this is internal personnel, customers, suppliers or regulatory bodies). The scope of the planning activities will vary widely, depending on the business, and may include simple day-to-day tasks such as project management, system backups, change control, etc.
Business Impact Level
When conducting Risk Assessments within UK Government, Business Impact Levels are used to quantify and document the level of impact (or criticality) of a breach of Confidentiality, Integrity or Availability of an Information Asset. As described in the Business Impact Levels tables published by CESG, there are 7 levels of impact, from 0 (no impact) to 6 (critical, including widespread loss of life). The impact concerned can be to individuals, organisations, the country or HMG itself, and can be financial, reputational or personal.

C

Capacity Planning
Of interest to Information Security professionals insofar as a failure to plan can cause a loss of Availability, capacity planning is the process by which a service provider ensures systems are able to cope with current and future demand, and upgrade them as and when required. Capacity may refer to disk storage, network bandwidth, processing power or any other aspect of a system or network that could be affected by high levels of demand.
CEng
See Chartered Engineer
Centre for the Protection of National Infrastructure
CPNI is a cross- and inter-departmental HMG organisation that provides security advice to commercial and Government organisations responsible for managing, maintaining and protecting the Critical National Infrastructure (including communications, power, food supply, transport, etc.). Advisers working through CPNI include the Security Service, CESG and key Central HMG departments.
Certification
The confirmation (and verification or attestation) of characteristics of an entity (person, organisation, system, process, etc.). In an Information Security context, certification is often used to signify that an entity has achieved certain defined objectives, or met certain compliance criteria (e.g. ISO/IEC27001 certification).
Certification Authority
A Certificate or Certification Authority (CA), in an Information Security context, is an entity that is authorised and trusted to issue digital certificates (e.g. for use in SSL/TLS applications), allowing other entities to infer trust (to a greater or lesser degree) in the authenticity of that entity. For example, a CA such as VeriSign or Entrust will issue certificates for use on Web servers once they have verified that the server and domain are owned and managed by the organisation or individual applying for the certificate.
CESG
Originally, this stood for Communications-Electronics Security Group, but in recent years no longer stands for anything, and has become the moniker for The National Technical Authority for Information Assurance. A subdivision of GCHQ, CESG advises HMG and CNI organisations on technical security threats, risks and mitigating countermeasures, as well as providing all cryptographic services for protection of Protectively Marked material.
CESG Listed Adviser Scheme
The CESG Listed Adviser Scheme (CLAS) is an initiative created and managed by CESG in order to provide a pool of approved advisers to UK Government, assessed and confirmed to be knowledgeable and experienced in applying HMG Security Policy and interpreting CESG guidance. For further detail, see my page on CLAS Consultancy.
Challenge And Response Authentication
This describes a variety of techniques of varying complexity whereby one entity (system, person, organisation) challenges another in order to validate its identity, expecting a known or calculable response to its challenge. The simplest form of Challenge/Response authentication is a request for a password, and then provision of that password. More complex techniques and protocols exist to protect against interception of challenge and response, replay of responses and the like.
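The following is an added example, not part of the original glossary, showing the simplest interception-resistant form of the technique described above: the verifier sends a random single-use challenge, and the claimant answers with an HMAC of that challenge under a shared secret, so the secret never crosses the wire and a captured response cannot be replayed. The class and function names and the shared secret are constructed for illustration.

```python
"""Challenge/response authentication with replay protection (added example)."""
import hmac
import hashlib
import secrets

# Constructed shared secret for the example; in practice it would be
# provisioned out of band and protected like any other credential.
SHARED_SECRET = b"constructed-example-secret"


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Claimant side: derive the response from the secret and the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use challenges and checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # 128-bit unpredictable nonce
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge that was never issued, or has already been consumed,
        # is rejected: this is what defeats replay of a captured response.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)  # single use, even on failure
        expected = compute_response(self._secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes = SHARED_SECRET) -> dict:
    """Walk through one genuine exchange, one replay and one wrong secret."""
    verifier = Verifier(SHARED_SECRET)

    # 1. Verifier -> claimant: fresh challenge. Claimant -> verifier: HMAC.
    challenge = verifier.issue_challenge()
    response = compute_response(client_secret, challenge)
    genuine = verifier.verify(challenge, response)

    # 2. An eavesdropper who captured (challenge, response) replays it.
    replayed = verifier.verify(challenge, response)

    # 3. A claimant without the secret answers a new challenge.
    challenge2 = verifier.issue_challenge()
    wrong = verifier.verify(challenge2, compute_response(b"wrong-secret", challenge2))

    return {"genuine": genuine, "replay": replayed, "wrong_secret": wrong}


if __name__ == "__main__":
    print(run_exchange())  # {'genuine': True, 'replay': False, 'wrong_secret': False}
```

The verifier keeps only the set of outstanding challenges, so a real deployment would also expire unanswered challenges after a short time; that bound is omitted here to keep the exchange itself visible.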
Chartered Engineer
An internationally-recognised engineering qualification confirming that the holder has reached a high level of professional competence in an engineering- or technology-related discipline.
Chartered IT Professional
A qualification conferred by the British Computer Society (BCS) to denote that a professional working in IT has reached a high level of professional competence in their field.
CHECK
CHECK is a CESG initiative that provides a pool of assessed and tested organisations and individuals that have demonstrated competence in performing IT Health Checks (technical security testing) and can be used to undertake such testing on HMG systems of various classifications. In recent years, the CREST and TIGER scheme qualifications have been recognised as equivalent to CESG's original internal examinations.
Cipher
A cipher (or cypher) is an algorithm for encrypting or decrypting information. A cipher may be very simple (e.g. simple letter substitution) or mind-crushingly complex (e.g. Elliptic curve Diffie-Hellman, which I won't even try to explain here!), but the aim is the same - to prevent information being readable to anyone intercepting it.
CISSP
Certified Information Systems Security Professional - an independent, internationally-recognised security certification, confirming that an individual has an understanding of a defined "Common Body of Knowledge" relating to Information Security. The certificate can be achieved by working in a security-related role for 5 years and passing a 6-hour exam.
CITP
See Chartered IT Professional
CLAS
See CESG Listed Adviser Scheme
CLAS Consultant
An Information Security/Assurance consultant whose company is a member of the CESG Listed Adviser Scheme, authorised to advise on HMG security policies and CESG technical guidance. Occasionally erroneously referred to as a "Class Consultant". Please also see the article What is a CLAS Consultant?
Classified Information or Classification
"Classification" is a more internationally-recognised term for the UK's Protective Marking Scheme, and denotes a level of sensitivity. "Classified information" will generally denote that the information concerned is non-public and has some Need to Know aspect.
Clear Desk Policy
This describes simple good practice, often formalised into organisational policy - at the end of the working day, or during extended periods of absence from one's work area, it is good practice to clear all sensitive or important material (generally paper-based) and store/lock it in appropriate cabinets, in order to minimise the risk of a breach of Confidentiality, Integrity or Availability of that material.
Clear Screen Policy
In a similar way to the Clear Desk Policy, this relates to the good practice of ensuring no information is exposed or breached when leaving a computer or other terminal unattended, by locking the screen, logging off or powering down.
Clearance
Generally refers to Security Clearance.
Cloud Computing
A term used in multiple different ways to describe the process of outsourcing computing to an external provider, normally one that offers massive shared online hosting facilities. Originally used to describe a grid-computing-style approach, it is now used to describe such technologies as virtual hosting, shared hosting, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or even simply "the Internet". From an Information Security perspective, many of these approaches introduce challenging security issues (e.g. data separation and governance).
CNI
See Critical National Infrastructure
Code(s) Of Connection
A set of rules or configuration requirements with which organisations must comply in order to connect to a network or system of networks. For example, the Government Secure intranet (GSi) and similar community networks in the Justice, Police and Defence arenas, rather than inspecting connecting systems in minute detail, require compliance with a Code of Connection that ensures connecting organisations do not introduce a greater threat (and risk) to the interconnected community as a whole.
Cold Site
A backup or secondary site (for reasons of Business Continuity or Disaster Recovery) that can be up and running to take over from a failed site (or system) in 1-2 days, usually by powering up secondary systems and restoring from the latest backup taken from the failed site or system. See also warm and hot sites.
Common Vulnerabilities and Exposures (CVE)
Through the use of unique identifiers, the CVE catalogues and documents known Information Security vulnerabilities in software, systems, protocols, etc. so that they can be referred to using a common terminology across the industry. The reference information is managed within a central system to which anyone can refer (maintained by MITRE with funding from US security authorities).
Communications Security
Refers to the discipline/industry relating to protection of communications from unauthorised intelligible interception. The term is generally used to refer to telecommunications (voice, data and video), whether wired or wireless, digital or analogue. Protective controls include encryption, physical security and TEMPEST countermeasures.
Compliance
The act or process of complying with policies, procedures, standards or mandatory controls or requirements. In the context of Information Security, this regularly refers to implementation of an ISO/IEC27001 Information Security Management System (ISMS), application of the Security Policy Framework, implementation of controls mandated in a Code of Connection, etc.
Computer Forensics
Also referred to as Computer Forensic Science, this refers to the branch of forensic science involving forensically-sound retrieval, analysis and preservation of digital information from hard disk storage, mobile devices or any other electronic source. Depending on the purpose of the retrieval, there may be requirements on how the information is collected in order to provide a legal audit trail, for example as described in the Police and Criminal Evidence Act (PACE). Forensic collection of data can be difficult with modern devices, given that accessing data through provided interfaces can result in it being modified (and therefore not usually legally admissible).
Computer Misuse
Often called Computer Abuse, this describes activities and behaviour whereby someone uses computer technology for purposes other than originally intended. This may cover attacks against networks, services and applications, breach of organisational Acceptable Use Policies (e.g. viewing or storing inappropriate material) or any other activity that involves using computers for unapproved purposes.
Computer-Telephony Integration
A description for any technology (or set of technologies) that allows computers and telephones to interact. Examples are electronic helpdesk systems that bring up customer information based on a caller's telephone number (screen popping), automatic dialling of numbers from a desktop address book, etc. Integration of two diverse technologies in this way can raise some interesting security issues, as telephony equipment and technology is not generally secured in the same way (or to the same degree) as networked computer equipment.
COMSEC
See Communications Security.
CONFIDENTIAL
See Protective Marking.
Confidentiality
See Confidentiality, Integrity & Availability.
Confidentiality, Integrity & Availability
Regularly referred to as the CIA triad (or C/I/A), these three security aspects have long been held as the fundamental principles of Information Security. There is regular discussion about adding additional aspects (such as Authenticity, Accountability, Non-Repudiation or Legality) to the set, but in general these tend to be descriptive of means by which the C/I/A of information can be protected or assured. The terms are reasonably self-explanatory, but in summary:
  1. Confidentiality: describes the need for information to be accessible only to those that are authorised to view it (i.e. have a "Need to Know").
  2. Integrity: describes the need for information to be protected from modification by those that are not authorised to change it.
  3. Availability: describes the need for information to be available to those that require it, when they require it.
Contingency Plan
Any plan that lays down activities and processes to be enacted or followed when a particular event occurs. For instance, an organisation may put in place a contingency plan for a flu epidemic, for a specific building being inaccessible due to inclement weather, or for a key server being unavailable.
Countermeasure
A security measure implemented in order to mitigate an identified risk, or perhaps to maintain a baseline level of security (as, for example, in the case of the HMG Baseline Countermeasure Set).
Counter Terrorist Check
One of the levels of UK National Security Clearance, a CTC involves all aspects of the BPSS, plus additional checks on departmental/company records, with one of the criminal records agencies and with the Security Service.
Covert Channel
Any means by which unauthorised communication can take place unobserved through exploitation of flaws or inherent features of other technologies, or occasionally by use of malicious code inserted into an application. There are numerous ways covert communication can be achieved, and detection of covert channels is notoriously difficult. For example, messages could be included in the "dead space" within network packets, tagged on to the end of HTTP headers, or embedded in any other legitimate communication. More surreptitious channels could be developed by using the timing of other messages (e.g. Morse code used in blinking text in a Word document) or even by the omission or modification of other legitimate information (perhaps an occasional typo in a Web page implying a hidden meaning).
CPNI
See Centre for the Protection of National Infrastructure.
Cracker
In this context, not a large criminal psychologist from Scotland, but a term used to mean "malicious hacker". In recent years, the term "hacker" is understood by the majority of the populace to mean "malicious attacker", whereas it was originally used to describe one who enjoys exploring the hidden details behind technology, in order to better understand it (rather than, necessarily, exploit it). The term "cracker" was coined in an attempt to redirect the negative association many have with the term "hacker". Unfortunately, this hasn't worked, and the media continue to use "hacker" interchangeably with "malicious hacker".
Crippleware
Any software (or service) that disables itself (or key functions) after a certain amount of time (perhaps after a 'trial' period), or until a fee is paid (e.g. an upgrade from a "Lite" version to the "Full" version).
Critical National Infrastructure
This is the set of national facilities, services, sites and systems on which normal daily life depends. This includes such industry sectors as:
  • Communications - traditionally intended to cover telecommunications, but increasingly expected to cover Internet and other electronic communications
  • Emergency Services - Police, Fire, Ambulance, Coastguard (but not, usually, the AA, RAC or Green Flag)
  • Energy - electricity, gas, nuclear power, etc.
  • Finance - banks and related financial services
  • Food - national and local food sources and retail mechanisms (farms, import/export, supermarkets)
  • Government - national and local
  • Health - hospitals, pharmaceutical supplies, etc.
  • Transport - trains, buses, roads, fuel supplies, etc.
  • Water - sources of fresh water, filtration/cleansing facilities, etc.
Cryptography
The study of mechanisms and techniques to protect the Confidentiality and Integrity of information traversing untrusted or open communication channels, by hiding, scrambling or encoding it by some means, with the aim being to ensure only authorised recipients are able to understand the original message, and/or are able to positively confirm that the message came from the expected sender, and was not modified in transit. Originally focusing almost exclusively on encryption and decryption, modern cryptography also covers digital signing, hashing and non-repudiation.
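The Cipher entry above mentions simple letter substitution, and the Cryptography entry stresses that modern cryptography must also show a message was not modified in transit. The block below is an added example, not part of the glossary, that serves both entries: it uses a toy keyword-substitution cipher (constructed here; it offers no real confidentiality and is only a stand-in for "simple letter substitution") to show that encryption by itself cannot detect tampering, and then adds an HMAC-SHA256 tag over the ciphertext so that a modified message is rejected before it is ever decrypted. The function names, key phrase and MAC key are constructed for illustration.

```python
"""Confidentiality (a toy cipher) versus integrity (an HMAC tag): added example."""
import hmac
import hashlib
import string

ALPHABET = string.ascii_uppercase


def make_substitution(key_phrase: str) -> dict:
    """Build a substitution table from a key phrase (constructed keyword cipher)."""
    seen = []
    for ch in key_phrase.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))


def encrypt(plaintext: str, table: dict) -> str:
    """Substitute each letter; digits, spaces and punctuation pass through."""
    return "".join(table.get(c, c) for c in plaintext.upper())


def decrypt(ciphertext: str, table: dict) -> str:
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


def tag(mac_key: bytes, ciphertext: str) -> str:
    """Integrity tag computed over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext.encode(), hashlib.sha256).hexdigest()


def receive(mac_key: bytes, table: dict, ciphertext: str, received_tag: str):
    """Verify the tag first; decrypt only if the message is unmodified."""
    if not hmac.compare_digest(tag(mac_key, ciphertext), received_tag):
        return None  # reject: ciphertext or tag was altered in transit
    return decrypt(ciphertext, table)


def demo() -> dict:
    table = make_substitution("GLOSSARY")     # constructed cipher key
    mac_key = b"constructed-mac-key"         # constructed, independent MAC key
    message = "PAY 100 TO ALICE"

    ct = encrypt(message, table)
    t = tag(mac_key, ct)

    # An interceptor changes the final ciphertext letter. Decryption alone
    # cannot notice: it simply yields a different, still well-formed message.
    tampered = ct[:-1] + ("A" if ct[-1] != "A" else "B")
    silently_accepted = decrypt(tampered, table)

    return {
        "roundtrip": decrypt(ct, table),
        "decrypt_only_tampered": silently_accepted,
        "mac_genuine": receive(mac_key, table, ct, t),
        "mac_tampered": receive(mac_key, table, tampered, t),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the example makes is that confidentiality and integrity are separate properties: the recipient of the tampered message would read a different payee without any error, whereas the tagged version refuses the altered ciphertext outright. The MAC key is deliberately separate from the cipher key, which is the usual practice when combining the two mechanisms.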
CREST
Standing for the Council of Registered Ethical Security Testers, this is one of two organisations in the UK (the other being TIGER) that enable professionals in the security testing (or penetration testing) industry to prove their expertise, by paying to take theoretical examinations and practical tests. There are different flavours and levels of qualification, some of which enable testers to operate as part of a CHECK team.
CTC
See Counter Terrorist Check.
CTI
See Computer-Telephony Integration.
CVE
See Common Vulnerabilities and Exposures.
Cyber
Strictly, this is an adjective or prefix ("Of, relating to, or characteristic of the culture of computers, information technology, and virtual reality"). There is not yet any common or clear definition of this term used as a noun - it is understood to mean different things by different people/organisations, despite its prevalence in mainstream media and in national and international organisational statements. Given this ambiguity, it is strongly recommended that you find a more specific term if you need to discuss anything with clarity and common understanding. In general, though, the term is commonly understood to cover all things relating (even slightly) to electronics, communications and the Internet. Common terms you may encounter include:
  • Cybercrime - criminal activity taking place through exploitation of electronic mechanisms
  • Cyber Attack - a technical attack against the Confidentiality, Integrity or Availability of systems, networks or telecommunications
  • Cyber Security - Information Security, with a particular focus on interconnection and integration with untrusted internetworked systems
  • Cyberwar or Cyberwarfare - a general term describing ongoing offensive and defensive activity in the electronic realm

D

Data Classification
See Classification.
Data-Driven Attack
This form of attack takes place when malicious data is embedded in what appears to be a normal stream of data. When executed or otherwise processed, the malicious data causes unforeseen and often damaging events. A well-known example might be maliciously-crafted PDF documents exploiting flaws in Acrobat Reader, causing arbitrary code to be executed on the user's machine.
Data Encryption
See Encryption.
Data Handling, Data Handling Review (DHR), Data Handling Procedures
Although the general term "data handling" has wide applicability, in the UK Information Security arena it is usually used in the context of the Data Handling Review. Following the high-profile loss of ~25 million personal records by HM Revenue and Customs, the Cabinet Office instigated an independent national review of Data Handling Procedures in Government - the Data Handling Review. The outcome of this review was a series of recommendations to Government to improve the handling of data (primarily personal data), which later became a series of Mandatory Requirements in the Security Policy Framework, supported by HMG Information Assurance Standard No. 6.
Data Integrity
See Integrity.
Data Mining
Data Protection, Data Protection Act
Data Security
DDoS
See Distributed Denial of Service.
Defence
Demilitarized Zone
Denial Of Service
Developed Vetting
Dictionary Attack
Digital Certificate
Digital Signature
Disaster Recovery
Disaster Recovery Plan and Disaster Recovery Planning
Distributed Denial Of Service
DMZ
See Demilitarized Zone.
DoS
See Denial of Service.
DPA
See Data Protection Act.
DR
See Disaster Recovery.
DRP
See Disaster Recovery Plan/Planning.
DV
See Developed Vetting.

E

EBS
See Enhanced Baseline Standard.
Electronic Eavesdropping
Encryption
End-To-End Encryption
End-To-End Security
Enhanced Baseline Standard
Environmental Security
Exploit

F

Fail Safe
Fallback
Fallback Procedure
False Acceptance/Positive
False Rejection/Negative
Firewall
Fixed Telecommunications
Flooding
Form Grabbing
Functional Requirements Specification

G

GCSX
GCHQ
Ghost
Good Practice
Good Practice Guide
Good Practice Guide 13
Government Secure intranet (GSi)
GPG13
See Good Practice Guide 13
Grey Hat
GSE
GSi

H

Hacker
Hardening
HMG
HMG IAS1
HMG IAS2
HMG Information Assurance Standard No. 1
HMG Information Assurance Standard No. 2
HMG Information Assurance Standard No. 6
HMG Security Policy Framework
Honeypot
Hot Desking
Hot Site or Hot Standby

I

ICO
Information Commissioner's Office.
ICT
Identity-Based Access Control
Identity Hacking
Identity Management
Identity Product System
Identity Product Operation
Identity Theft
Identity Token
IDS
Intrusion Detection System.
IL
Impact Level - see Business Impact Level (BIL).
Impact
Impact Level
See Business Impact Level (BIL).
Incident
Incident Response Plan
Information Asset
Information Assurance
Information Assurance Professional
Information Assurance Standards
Information Commissioner's Office
Information Security
Information Security Incident
Information Security Incident Response Team
Information Security Management System
Information Security Plan
Information Security Policy
Information Technology Audit
Information Technology Security Audit
Information Warfare
InfoSec/Infosec
Infowar
Insider Threat
Inspectable Space
Integrity
See Confidentiality, Integrity & Availability
Interconnection
Internet Privacy
Intrusion
Intrusion Detection System
Intrusion Prevention System
IPS
Intrusion Prevention System.
ISIRT
Information Security Incident Response Team.
ISMS
Information Security Management System.
ISO
ISO27001
IT Risk
IT Risk Management
IT Security Health Check
ITSHC
IT Security Health Check.
IT Strategy

J

Jamming
JSP440

K

Key (cryptography)
See Public Key and Private Key
Key Logging
Keystroke Monitoring

L

Lockout
Logical Access
Logical Security

M

Malicious Code
Malware
Man-In-The-Middle (Attack)
Management System(s)
MBCS
Member of the British Computer Society.
Member of The British Computer Society
Member of the Institute of Information Security Professionals
M.Inst.ISP
Member of the Institute of Information Security Professionals.
Mitigation
MitM
Man-in-the-Middle (attack).
Mobile Telecommunications

N

NDPB
Non-Departmental Public Body.
Need-To-Know
Netwar
Network Sniffing
Non-Departmental Public Body

O

Obfuscation
Operational System
Operations Security
Outside Threat

P

Pan-Government Accreditation Authority
Pan-Government Accreditor
Passive Attack
Patch
PCI-DSS
Pen Test
Shorthand for Penetration Test.
Penetration Test
A more intrusive form of Vulnerability Assessment (see my Network Security services) in which identified vulnerabilities in a system, application, server or service are actively exploited, as far as the agreed scope and rules of engagement allow, to confirm that they are real and to show what an attacker could achieve. This may involve obtaining sensitive information via unauthorised mechanisms (Confidentiality), modifying or deleting information without appropriate credentials (Integrity) or denying service (Availability). Penetration Testing may also enable the tester to find further vulnerabilities beyond the outer boundaries of a system, using each exploit as a 'stepping stone' to others (e.g. taking control of a server may allow investigation, testing and exploitation of other devices and systems connected to it).
Personnel Security
PGA
Pan-Government Accreditor.
Physical (Information) Security
PIA
Privacy Impact Assessment.
PKI
Public Key Infrastructure.
Polymorphic Virus
Privacy
Privacy Impact Assessment
Private Key
Privilege Escalation
Proactive Cyber Defence
Probe
Procedural Security
Process-Oriented Security Requirements
Procurement
PROTECT
See Protective Marking.
Protective Marking
Protective Monitoring
Public Key
Public Key Infrastructure

Q

Quarantine

R

Recovery
Regression Testing
Regulatory Compliance
Residual Risk
Resilience
RESTRICTED
See Protective Marking.
RFID
Risk
Risk Acceptance
Risk Analysis
Risk Appetite
Risk Assessment
Risk Management
Risk Management and Accreditation Document Set
Risk Retention
Risk Tolerance
RMADS
Risk Management and Accreditation Document Set.
Robustness
Rootkit

S

Sarbanes-Oxley
SAS70
SC
Security Check.
SECRET
See Protective Marking.
Secure Coding
Security Architecture
Security Check
Security Clearance
Security Compliance
Security-Enforcing Functions
Security Objective
Security Policy
Security Policy Framework
Security Risk
Security Working Group
Senior Information Risk Owner
Sensitivity
Separation Of Protection And Security
Shared Service Centre
Security Information and Event Management
SIEM
Security Information and Event Management.
SIRO
Senior Information Risk Owner.
Sniffer
Social Engineering
Social Networking
SOX
Sarbanes-Oxley.
SPF
Security Policy Framework.
Spoofing
Spyware
Strong Authentication
SWG
Security Working Group.
System Integrity

T

Technical Security
TEMPEST
Threat
Threat Assessment
Threat Management
Threat Monitoring
TIGER
Time Synchronous Authentication
Tolerance
TOP SECRET
See Protective Marking.
Traffic Padding
Transmission Security
Trojan
Trusted Channel
Trusted Process
Two-Factor Authentication

U

Untrusted Process

V

Validation
Verification
Virus
Vulnerability
Vulnerability Analysis
An alternative term for Vulnerability Assessment.
Vulnerability Assessment
The process of testing, enumerating and evaluating vulnerabilities in a system, server, application or service which, if exploited, could result in a breach of Confidentiality, Integrity or Availability. This may take the form of a paper-based exercise (e.g. reviewing technical designs, source code or documentation), or an automated, semi-automated or manual technical test against implemented services (see my Network Security services for more information). This form of testing, analysis and enumeration does not normally attempt exploitation of identified vulnerabilities - that is the realm of Penetration Testing. Because findings are usually inferred from version numbers, configuration or documentation rather than confirmed by exploitation, they should be treated as candidates that may include False Positives until verified.
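The boundary drawn in the Vulnerability Assessment and Penetration Test entries above, shown in working code as an added example (this is not the glossary author's tooling or any real scanner). It parses constructed service-detection output, matches fingerprinted versions against a constructed advisory catalogue with numeric version-range comparison, and reports each match as a candidate tagged with the CIA property at risk. Every product name, version number and advisory below is invented for illustration and describes no real software or real vulnerability; the scan line format is likewise an assumption.

```python
"""Banner-based vulnerability assessment over a constructed service inventory.

Added example, not the glossary author's own tooling. Every product name,
version and advisory here is constructed for illustration and does not
describe any real software or real vulnerability.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scan output, in an assumed "host port product/version" shape
# such as a port scanner's service-detection stage might print.
SCAN_OUTPUT = """\
10.0.0.5 22 examplesshd/7.4
10.0.0.5 80 examplehttpd/2.4.29
10.0.0.7 443 examplehttpd/2.4.41
10.0.0.9 3306 examplesql/5.7.20
10.0.0.9 8080 unknown
"""

# Constructed (hypothetical) advisory catalogue: product, first affected
# version (inclusive), first fixed version (exclusive), CIA property most at
# risk, one-line summary.
ADVISORIES = [
    ("examplehttpd", "2.4.0", "2.4.30", "Confidentiality", "path traversal discloses files"),
    ("examplesql",   "5.7.0", "5.7.22", "Integrity",       "privilege escalation alters rows"),
    ("examplesshd",  "7.0",   "7.5",    "Availability",    "malformed packet crashes daemon"),
]


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    cia: str
    summary: str
    # A vulnerability assessment stops at "candidate"; confirming it by
    # exploitation is the penetration tester's job.
    status: str = "candidate (not exploited)"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.29' into (2, 4, 29) so comparisons are numeric, not lexical
    (as strings, '2.4.9' would wrongly sort above '2.4.30')."""
    return tuple(int(p) for p in v.split("."))


def version_in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed. Tuples are padded
    with zeros to equal length so '7.4' compares as (7, 4, 0) against '7.4.1'."""
    v, lo, hi = (parse_version(x) for x in (version, first_affected, first_fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_scan(text: str) -> List[Tuple[str, int, Optional[str], Optional[str]]]:
    """Parse one 'host port product/version' record per line. Services the
    scanner could not fingerprint come back with product and version as None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, service = line.split(maxsplit=2)
        if "/" in service:
            product, version = service.split("/", 1)
            records.append((host, int(port), product, version))
        else:
            records.append((host, int(port), None, None))
    return records


def assess(scan_text: str, advisories=ADVISORIES) -> List[Finding]:
    """Enumerate candidate vulnerabilities by matching fingerprinted versions
    against advisory ranges. Nothing is sent to the targets and no
    exploitation is attempted, so a backported fix would still show up here
    as a candidate: a false positive the assessment cannot rule out by itself."""
    findings = []
    for host, port, product, version in parse_scan(scan_text):
        if product is None:
            continue  # unfingerprinted: a gap for manual review, not a finding
        for adv_product, lo, hi, cia, summary in advisories:
            if product == adv_product and version_in_range(version, lo, hi):
                findings.append(Finding(host, port, product, version, cia, summary))
    return findings


def unfingerprinted(scan_text: str) -> List[Tuple[str, int]]:
    """Services with no product/version: the assessment cannot rate them."""
    return [(h, p) for h, p, prod, _ in parse_scan(scan_text) if prod is None]


if __name__ == "__main__":
    for f in assess(SCAN_OUTPUT):
        print(f"{f.host}:{f.port} {f.product} {f.version} [{f.cia}] {f.summary} -> {f.status}")
    for h, p in unfingerprinted(SCAN_OUTPUT):
        print(f"{h}:{p} unidentified service, needs manual review")
```

The numeric version comparison is the part worth copying: a naive string comparison would miss 2.4.9 against a 2.4.30 fix and is a common source of both False Positives and False Negatives in home-grown checks. The unfingerprinted 8080 service and the "candidate (not exploited)" status are deliberate reminders of what this kind of assessment cannot tell you on its own.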
Vulnerability Management

W

Wardialling
Wardriving
Warm site
Weak Authentication
White Hat
Worm

X

X.509
xGSi

Y

I spy something beginning with 'y'... No, we can't do it. If you can think of an information security term beginning with 'y', please let us know!

Z

Zero-Day Attack
Zero-Day Exploit
Zombie
Zone Of Control
An alternative (primarily US) term for Inspectable Space.
Contact me now to discuss your consultancy needs
"I would have no hesitation in recommending Peter for work on any Government IT programme requiring accreditation. He was knowledgeable on all aspects of Information Assurance." — Pan Government Accreditor

Letters completed: A - C. Working on: D. Need a particular definition sooner? No problem! Just contact me.