Information Security Glossary

Last updated on July 25, 2023

AAD: See Azure Active Directory.

Access Control:  a physical or technical control (or system) to ensure authorized access and to prevent unauthorized access to resources, premises or systems to enforce business or security requirements. Examples include a lock to which only authorized personnel have the key, a swipe-card entry system, PIN controls on bank cards, file permissions on a server or any other means of controlling usage.

Accreditation: the final approval to authorize operation of an information system and to explicitly accept the risk to Ministry operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed upon set of security controls.

ActiveX:  a set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created. ActiveX controls can be embedded in web pages to produce animation and other multimedia effects.

Ad-hoc telework: occasional telework. (See: Telework).

Advanced Persistent Threat (APT):  an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). The APT adversary pursues its objectives repeatedly over an extended period of time, adapts to the defender’s efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives.

Adware:  a form of spyware that enters a computer from an internet download and monitors computer use, such as which Web sites are visited. Adware gets its name from launching numerous pop-up ads in the infected computer's browser.

AES-GCM (Advanced Encryption Standard-Galois/Counter Mode): a block cipher mode of operation that provides high-speed authenticated encryption and data integrity.
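Added example, not code from the original glossary: a Go program using the standard library's crypto/cipher GCM implementation to show the two properties named in this definition, confidentiality and integrity. Seal encrypts a message under a key and binds unencrypted associated data (for example a record header) into the authentication tag; Open rejects the message, returning no plaintext, if the ciphertext, tag or associated data has been modified. The key, message and associated data are constructed for the demonstration, and the function names Seal, Open and TamperDetected are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under key with AES-GCM. aad is additional data that
// is authenticated but not encrypted (e.g. a record header). It returns the
// random nonce and the ciphertext with the 16-byte tag appended.
// key must be 16, 24 or 32 bytes (AES-128/192/256).
func Seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	// A fresh random nonce for every message: reusing a nonce under the same
	// key breaks both the confidentiality and the integrity guarantees of GCM.
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = aead.Seal(nil, nonce, plaintext, aad)
	return nonce, ciphertext, nil
}

// Open checks the authentication tag over nonce, ciphertext and aad before
// releasing any plaintext. A single changed bit anywhere makes it fail.
func Open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: message rejected")
	}
	return plaintext, nil
}

// TamperDetected flips one ciphertext byte and reports whether Open rejects
// the result, which is the integrity property in action.
func TamperDetected(key, nonce, ciphertext, aad []byte) bool {
	forged := append([]byte(nil), ciphertext...)
	forged[0] ^= 0x01
	_, err := Open(key, nonce, forged, aad)
	return err != nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a key management service
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("record-id=1234;version=2") // constructed associated data
	nonce, ct, err := Seal(key, []byte("payroll export"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, nonce, ct, aad)
	fmt.Printf("decrypted: %q, err=%v\n", pt, err)
	fmt.Println("tampered ciphertext rejected:", TamperDetected(key, nonce, ct, aad))
	_, err = Open(key, nonce, ct, []byte("record-id=9999;version=2"))
	fmt.Println("changed associated data rejected:", err != nil)
}
```

The nonce must travel with the ciphertext (it is not secret) and must never repeat for a given key; the associated data lets the receiver reject a valid ciphertext that has been moved under a different header, which plain encryption without authentication cannot detect.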

Algorithm:  a sequence of steps needed to solve logical or mathematical problems. Certain cryptographic algorithms are used to encrypt or decrypt data files and messages and to sign documents digitally.

Anti-Virus Program:  software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, as well as repair or quarantine files which have already been infected by virus activity.

Applet:  any miniature application transported over the internet, especially as an enhancement to a web page. Authors often embed applets within the HTML page as a foreign program type. Java applets are usually only allowed to access certain areas of the user's system, which computer programmers often refer to as the sandbox.

Application Architecture:  a graphical representation of a system showing the process, data, hardware, software and communications components of the system.

Application/ business application:  a collection of computer hardware, computer programs, databases, procedures and knowledge workers that work together to perform a related group of services or business processes.

Application owner: the individual or group with the responsibility to ensure that the program or programs, which make up the application, accomplish the specified objective or set of user requirements established for that application, including appropriate security safeguards. An application owner assumes the Information Custodian role when the application collects, hosts, processes, or transfers information. The Information Owner role is also assumed if they own the information the application collects, hosts, processes, or transmits.

Architecture:  in the context of IT systems, as opposed to buildings, "architecture" describes the approach to designing and constructing systems, networks, applications or even information storage. A variety of formal methodologies are available to support information architecture development, and others exist to help develop security architecture.

Assets: for the purposes of information security policy, information in all forms and media, networks, hardware, software and application systems.

Attack surface: set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from that system, system element, or environment.

Audit: an examination of the facts to render an opinion and would include testing evidence to support the opinion.

Audit logs: all types of event logs, including (but not limited to) security, audit, application, access and network logs across all operating system platforms. Failing to produce an audit log means that the activities on the system are 'lost'.

Authentication:  a security measure designed to verify the identity of a transmission, user, user device, entity, or data. For example, a user name and password authenticates a user.

Availability:  assurance that the systems responsible for delivering, storing and processing information, and the information itself, are accessible and usable when needed, by those who need them, to support business functions. A goal of information security is to ensure availability.

Azure Active Directory (AAD or Azure AD): A cloud-based identity and access management service.

Back Door:  a back door is a feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk.

Bandwidth:  commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time.

Blog:  a web site where users regularly post up-to-date journal entries of their thoughts on any subject they choose. It is readable by anyone on the web.

Botnet:  a collection of compromised computers that, although their owners are unaware of it, have been set up for malicious purposes such as sending spam or viruses to other computers on the Internet, or flooding a network with denial of service attacks. Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of a master Spam or virus originator. Botnets are often installed because the user responds to a fraudulent request received via e-mail, or opens an e-mail attachment.

Breach:  a breach of privacy legislation, privacy policy or other suspicious activity that may affect the confidentiality and integrity of personal information controlled or in the custodianship of a government, business or other organization. Includes security breaches involving system compromises and theft of personal information or assets.

Browser Hijacker:  a type of spyware that allows the hacker to spy on the infected PC’s browsing activity, to deliver pop-up ads, to reset the browser homepage, and to redirect the browser to other unexpected sites.

Business Continuity Plan (BCP):  the procedures and information necessary for the timely recovery of essential services, programs and operations, within a predefined timeframe. The BCP includes the recovery following an emergency or a disaster that interrupts an operation or affects service or program delivery.

Business information systems: internal administrative and productivity information systems that support the organization such as e-mail, calendars and financial systems.

Capacity management: the process of determining the system capacity needed to deliver specific performance levels through quantification and analysis of current and projected workload.

CAPTCHA:  a security technique that ensures that a human has made the transaction online rather than a computer. It is also known as "Automated Turing Tests" and was originally developed at Carnegie Mellon University. Random words or letters are displayed in a distorted fashion so that they can be deciphered by people, but not by software. This usually involves the use of graphic images of characters and numbers. Users are asked to type in what they see on screen to verify human involvement.

Card Skimmers:  a means of electronically capturing information from credit or debit card readers, such as ATMs (automated teller machines) or other payment devices.

Certification: See: Security certification

Chief Information Security Officer: a role that is responsible for protecting the confidentiality, integrity and availability of government information. See: Security Roles and Responsibilities for more information about the responsibilities for this role.

CISSP:  stands for the highly specialized information security certification: Certified Information Systems Security Professional. This level of professional recognition or certification is offered by the International Information Systems Security Certification Consortium, Inc. and attests that an individual possesses a high level of skills and knowledge. The certification is recognized worldwide.

Clickjacking:  also called clickjack or clickjack attack, it is a vulnerability that is used by an attacker to "collect" an infected user's clicks. The attacker can force the user to do all sorts of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code.

Cloud Computing: a term used in multiple diverse ways to describe the process of outsourcing computing to an external provider, normally one that offers massive shared online hosting facilities. Originally used to describe a grid-computing-style approach, it is now used to describe on-demand resource pooling, rapid elasticity and measured services with broad network access (e.g., Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)) (based on the NIST definition).

Cloud Service Type – IaaS: Infrastructure as a Service: virtualized infrastructure resources such as servers, storage and network are provisioned and managed over a wide area network (WAN) to the consumer. The consumer does not manage or control the underlying cloud infrastructure but has control over and is responsible for their provisioned resources where they are able to deploy and run software. This can include operating systems and applications.

Cloud Service Type – PaaS: Platform as a Service: the service provider manages the infrastructure (as in IaaS) and also the operating system, middleware and runtime. PaaS products are designed for developers, enabling them to develop, run and manage their applications without having to build and maintain the infrastructure and platform. Data and the user access/identity management and applications scope are the responsibility of the consumer.

Cloud Service Type – SaaS: Software as a Service: software licensed on a subscription basis (or free), typically requires no installation and minimal management. As recommended in the Hosting and Application Development Strategy, adoption of a SaaS product must fully respect the SaaS delivery model, whereby the vendor/Cloud Service Provider is responsible for application patches and upgrades, and must be able to implement these, on their schedule, without impacting users of the application. Data and the user access/identity management are the responsibility of the consumer.

Commercial-Off-The-Shelf (COTS): commercially available products that can be purchased and integrated with little or no customization.

Common Criteria (CC): an international standard (ISO/IEC 15408) for computer security certification. It is a framework that provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, consistent, and repeatable manner at a level that matches the target environment for use.

Compliance:  the act or process of complying with policies, procedures, standards or mandatory controls or requirements.

Compliance checking: in the context of the Information Security Standard, includes an audit; risk and controls review; security review; and monitoring of an information system.

Confidentiality, Integrity and Availability (CIA):  a central goal of information security is to preserve the confidentiality, integrity and availability of an organisation's information. Loss of one or more of these attributes can threaten the continued existence of even the largest corporate entities.

Confidentiality:  assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.

Configuration Management:  an information security concept that relates to establishing and maintaining settings and characteristics associated with the hardware and software of an information system. Foreknowledge, maintenance and monitoring of a system's settings as a baseline is a fundamental information assurance concept. Any deviation from the known settings, unless properly authorized, is a potential security breach.

Connection strings: a connection string is a string of computing code that specifies information about a data source and the means of connecting to it.

Control balances: computational aids for data verification (e.g., record counts, row and column counts, subtotals, etc.).

Cookies:  cookies are blocks of text placed in a file on your computer's hard disk. Web sites use cookies to identify users who revisit their site. Cookies might contain login or registration information, "shopping cart" information or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customize the web site for the user. Cookies can be used to gather more information about a user than would be possible without them.

Credentials:  for a BC government employee, credentials are their IDIR account - an abbreviation of their name, which in combination with their password provides a secure single sign-on that is unique to that individual.

Crimeware:  malicious software that is covertly installed on computers and has the ability to ‘steal’ confidential information and send it back to cyber criminals. One form of crimeware is ransomware, which is software that denies access to a person’s files until they pay a ransom.

Critical: processes that, should they not be performed, could lead to loss of life (“safety”), personal hardship to citizens, major damage to the environment, or significant loss in revenue and/or assets.

Cryptographic Keys:  a piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of data into encrypted data and the transformation of encrypted data into data during decryption. The cryptographic algorithm ensures that only someone with knowledge of the key can reproduce or reverse the transformation of data.

Cryptography:  the discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification, or prevent its unauthorized use.

Custody: (of a record) means having physical possession of a record, even though the public body does not necessarily have responsibility for the record. Physical possession normally includes responsibility for access, managing, maintaining, preserving, disposing and providing security.

Cyberattack:  a technical attack against the Confidentiality, Integrity or Availability of systems, networks or telecommunications, usually for illegal purposes such as theft, espionage or destructive motives.

Cybercrime:  criminal activity taking place through exploitation of electronic mechanisms - a lucrative world‐wide illegal business, operating in “the Underground Economy”, it is no longer solely a hobby for individual hackers seeking new computer challenges. The threats posed by cyber criminals apply to work and home computers, and increasingly to mobile devices.

Cybersecurity:  information security, with a particular focus on interconnection and integration with untrusted internetworked systems.

Cyberwarfare:  a general term describing ongoing offensive and defensive activity in the electronic realm of the Internet.

Data: an individual fact (datum) or multiple facts (data), or a value, or a set of values, not significant to a business in and of itself. Data is the raw material stored in a structured manner that, given context, turns into information.

Database system(s): a collection of organized information in a regular structure, in a machine-readable format accessible by a computer. Also: “Database Management System (DBMS)” or simply “database”.

Data-Driven Attack:  this form of attack takes place when malicious data is embedded in what appears to be a normal stream of data. When executed or otherwise processed, the malicious data causes unforeseen and often damaging events. An example might be maliciously-crafted PDF documents exploiting flaws in the Acrobat Reader causing arbitrary code to be executed on the user's machine.

Data Loss:  the unauthorized use and/or transmission of confidential information; it typically refers to information leaving the control of the owning organization, for example on portable devices or via email.

Data Loss Prevention (DLP):  processes or automated systems designed to stop data loss.

Defense In-Depth:  the approach of using multiple layers of security to guard against the failure of a single security component.

De-identify (verb): removing or altering personal identifiable information from a record or dataset to protect an individual's identity.

De-identification (noun): process of removing or altering personal identifiable information from a record or dataset to protect an individual's identity. See also de-identify.

Denial of Service (DOS):  the prevention of authorized access to a system resource or the delaying of system operations and functions. An overwhelming number of requests for services is sent to the target computer or device - so many requests for service are sent that the device is unable to respond in a timely manner, thus the function the server is supposed to perform is nullified. Physical harm to systems and people can result from the denial of a needed service.

Diagnostic ports: ports, services and systems used for diagnostic, maintenance and monitoring activities for managing information system performance, function or capacity. Examples include physical network switch diagnostic ports, logical management services such as Simple Network Management Protocol (SNMP) and modems for remote maintenance.

Digital signing: refers to an attempt to mimic the offline act of a person applying their signature to a paper document. It involves applying a mathematical algorithm, usually stored on and as part of the user's private key, to the contents of a body of text. This results in an encrypted version of the document (referred to as the 'digitally signed' document) that can only be decrypted by applying the user's public key. (Also: digitally signing, digital signature).
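Added example, not code from the original glossary: a Go program using the standard library's crypto/ed25519 package to show the private-key/public-key relationship this definition describes. SignDocument applies the signing algorithm to the content with the private key; VerifyDocument checks the result with the matching public key and returns false if either the content or the signature has been altered, or if a different key pair was used. The SignedDocument type, the function names and the sample content are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument carries the content together with the signature computed
// over it. The signature is a fixed-size value (64 bytes for Ed25519) that
// depends on both the content and the signer's private key.
type SignedDocument struct {
	Content   []byte
	Signature []byte
}

// GenerateKeys creates a signer's key pair. The private key stays with the
// signer; the public key is distributed to anyone who needs to verify.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument applies the signing algorithm to content using priv.
func SignDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   content,
		Signature: ed25519.Sign(priv, content),
	}
}

// VerifyDocument reports whether doc.Signature is a valid signature over
// doc.Content under pub. Any change to content or signature yields false.
func VerifyDocument(pub ed25519.PublicKey, doc SignedDocument) bool {
	if len(doc.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, doc.Content, doc.Signature)
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample content for the demonstration.
	doc := SignDocument(priv, []byte("Approved: purchase order 1234 for $100"))
	fmt.Println("original verifies:", VerifyDocument(pub, doc))

	// Altering the content while keeping the old signature must fail.
	altered := SignedDocument{
		Content:   []byte("Approved: purchase order 1234 for $900"),
		Signature: doc.Signature,
	}
	fmt.Println("altered content verifies:", VerifyDocument(pub, altered))

	// A signature from a different key pair must also fail against pub.
	_, otherPriv, _ := GenerateKeys()
	forged := SignDocument(otherPriv, doc.Content)
	fmt.Println("other signer verifies:", VerifyDocument(pub, forged))
}
```

Verification only tells the recipient that the content is unchanged since it was signed by the holder of that private key; which person that key belongs to is established separately, through a certificate or another trusted binding of public key to identity.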

Disaster Recovery Plan (DRP): the procedures and information necessary to recover critical IT functions from any event that may interrupt an operation, or affect service or program delivery, within the timeframes determined in the Business Impact Assessment. The DRP is part of a ministry's overall business continuity plan (Business Continuity Plan or BCP).

Disposition: the actions taken to support on-going administrative and operational activities in accordance with an approved Records Management Schedule regarding information that is no longer needed. Directions may include destroy, transfer to the government archives, transfer to inactive records storage space, or retain permanently within unit.

Distributed-Denial-of-Service (DDoS) Attack:  one of the most harmful attacks that can be launched against an information infrastructure. The anatomy of a DDoS assault begins with the enlistment of a large number of computers (i.e. zombies, bot armies, etc.) that have been co-opted by hackers or organized crime. Hundreds of thousands of computers can be directed against a particular computer network target. The intended target is simply overwhelmed and unable to respond to legitimate requests for service. The network or information resource is made unavailable by the sheer force of traffic.

Domain Name:  an address of a network connection that identifies the owner of that address, e.g., www.microsoft.com identifies a Web server at Microsoft Corporation, which is a commercial organization.

Domain Name System (DNS):  the domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses.

DTS (Desktop Terminal Service):  remote access, for example, BC government employees with a DTS account can access their work files online from another location (such as their home).

Dumpster Diving:  obtaining personal or corporate information, account names and passwords by searching through discarded media. It includes searching for and removing items from waste receptacles or recycle containers, such as bank statements, credit card offers, or any other items deemed of value by the 'diver'.

Electronic agent: a computer program, or other electronic means, used to initiate an activity or to respond to electronic information, records or activities in whole or in part without review by an individual at the time of the response or activity.

Electronic commerce: the exchange of information between government and internal and external stakeholders independently of either participant’s computer system (e.g., electronically accessing forms, obtaining payments, sending invoices, receiving tax returns, placing orders and receiving transaction acknowledgements).

Electronic messages: includes all forms of electronic messaging such as e-mail, voice mail, instant or text messaging, etc.

Employee: within the context of information security, it is an individual working for the Government of British Columbia, including service providers, contractors or volunteers.

Encryption - Data Encryption Standard (DES):  a widely-used method of data encryption using a private (secret) key. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key. Encryption is the cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used.

End User License Agreement (EULA):  a legally binding contract between the developer or publisher of a software program or application and the purchaser of that software. Unlike the purchase of goods or services, the EULA is, as its name implies, a license agreement. In other words, the purchaser does not own the software; they merely have a right to use it in accordance with the licence agreement. During the install of packaged software, the purchaser is shown the contents of the EULA and is often required to scroll down through the EULA, at the bottom of which one may Accept or Refuse its terms. By enforcing the need to scroll through the EULA, a user would be unlikely to succeed in any action to deny acceptance of the terms of the EULA.

Equipment: See: Hardware

Essential services: essential business processes are those processes defined as critical and business-priority and essential to delivery of outputs and achievement of business objectives. Business activities and resources are the essential elements that combine to make up each essential business process.

Exploit kit:  a toolkit that automates the exploitation of vulnerable devices through vulnerabilities in the operating system, browser or program. These toolkits are often sold in the cyber criminal underground to those without significant cyber knowledge who can then operate as hackers.

External party: a person external to “government” as defined within the Financial Administration Act.

Fault: an error or failure in either software or hardware.

Federated Identity: A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft. Federated identity management builds on a trust relationship established between an organization and a person.

File Sharing Software:  software programs that allow users to share music and/or videos.

Firewall:  hardware or software that prevents unauthorized access to data or resources while enabling the protected network to access networks outside of the firewall, and logs attempted intrusions.

Firmware: a type of software that is etched directly into programmable read-only memory hardware that is a permanent part of a computing device.

Forensics:  a process that concentrates on gathering evidence in a systematic manner and establishing the attribution of a security incident. When applied to information technology, the process is deliberate, well-ordered and precise. The same would apply to any crime scene in which electronic devices, media and information are stored. Log files pertaining to data packets that have traveled into and through computers and networks are examined, IP addresses are studied and data integrity is checked. The evidence that is gathered and stabilized can be used to prosecute individuals who attacked the system. Establishing a profile of the damage or breach that has occurred is essential.

Gateway:  a network point that acts as an entrance to another network.

Government information: all recorded information relating to government business that any ministry, agency, board, or commission reporting or responsible to the Government of British Columbia receives, creates, deposits or holds, regardless of format.

Government network: See: Network infrastructure.

Government records: See: Government information

Hacker:  a person who creates and modifies computer software and hardware, including computer programming, administration, and security-related items. A truly skilled hacker can penetrate the security defences of large, sophisticated computer systems to the core, and withdraw again, without leaving a trace of the activity. White Hat hackers perform hacking for legitimate reasons, e.g., IT security technicians and researchers testing their systems and the limits of systems. Black Hat hackers are those who perform clandestine hacking for malicious reasons.

Hacktivism:  some groups of computer hackers are not motivated by financial gain and instead are driven by economic, political, or religious interests that generally go beyond their nation’s borders. Their actions are called hacktivism, which is a merger of hacker and political activism. Hacktivists infiltrate networks and put their talents to work for their beliefs by organizing computer attacks, including piracy, hijacking servers, and replacing homepages with ideological messages.

Hardening: practice of reducing a system’s vulnerability by reducing its attack surface.

Hardware: includes (but not limited to) servers, desktop computers, printers, scanners, fax machines, photocopiers, multi-function devices, routers, communications and mobile equipment, cell phones, mobile devices and removable media.

Hijacking:  describes several kinds of attacks where the attacker takes control of the session between a browser and a web server. A browser hijack often shows up when someone’s home page, the page they see when they open their browser, is not the one that they configured. A web page hijack is where the attacker manages to redirect the traffic from search engines. When someone does a search and clicks on a search result of interest, instead of reaching the legitimate site, they will reach the attacker’s web page.

Hoax:  hoaxes transmitted via the Internet are not viruses but are often emails warning people about a virus or other malicious software program. These emails are successful because they are very manipulative and prey upon the trusting emotions of the victims. They can contain stories that are dramatic in impact and demand that the reader forward the email to many others. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary email.

Honey Pot:  programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you are running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes, which could give advanced warning of a more concerted attack.

HTTP (HyperText Transfer Protocol): communications protocol used to connect to web servers on the internet or on a local network (intranet).

Identity Management (IDIM) or Identity and Access Management (IAM):  identity and access management refers to all of the policies, processes, procedures and applications that help an organization manage access to information. Large organizations need to tie risk analysis and policy development to sophisticated applications that can help them empower employees, investors, customers, partners and many others. Specific concepts, standards and applications that help with identity and access management include authentication, user life-cycle maintenance, federated identity, single sign-on, provisioning and role based access control.

Identity Theft/ Identity Fraud:  Identity theft is fraud. It occurs when someone else uses your personal information without your knowledge or consent to commit a crime. The fraud may involve using your credit card for a few transactions, selling your information in the underground economy, or actually setting up a separate identity that can involve taking out loans, buying homes, buying goods and services or travelling over a period of time, in your name and without your knowledge.

IM/IT: Information Management / Information Technology.

Inappropriate Use of Resources:  any activity that violates acceptable computing use policies.

Information: data in context; the meaning given to data, or the interpretation of data based on its context, for purposes of decision making; the finished product that results from interpreting the data. (See: Government information).

Information asset: any collection of data that is processed, analyzed, interpreted, classified, or communicated in order to serve a useful purpose, present fact, or represent knowledge in any medium or form, which may have financial value and/or is essential in providing a service or decision making that has recognizable and manageable value, risk, content, and lifecycle. It includes software and services including computer and communication services, cloud-based services and general utilities that involve sensitive and confidential information, information and data assets in the cloud, information in the personal information directory, database and data files, contracts, agreements, system documentation, research information, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements and archived information.

Information Custodian: a role assigned to a person or organization that maintains or administers information resources on behalf of the Information Owner. Custodianship includes responsibility for accessing, managing, maintaining, preserving, disposing and providing security for the information resource. In contrast, information custody means having physical possession of information without necessarily having responsibility for the information. See: Security Roles and Responsibilities for more information about the responsibilities for this role.

Information Incident:  an information incident is a single or a series of unwanted or unexpected events that threaten privacy or information security. Information incidents include the collection, use, disclosure, access, disposal, or storage of information, whether accidental or deliberate, that is not authorized by the business owner of that information. Information incidents include privacy breaches, whether accidental or deliberate, that are not authorized by the Freedom of Information and Protection of Privacy Act.

Information Incident Management Process:  documentation of the structure, roles and responsibilities, process and procedures aimed to minimize the impact of an information incident, including reporting procedures and any required forms.

Information labelling: affixing a physical or electronic label identifying the security category of a document, file or records series in order to alert those who handle it that it requires protection at the applicable level. From the confidentiality perspective, this would be a label from the IMIT 6.11 Information Security Classification Standard. From the criticality perspective, the label would be “LOW”,  “MEDIUM” or “HIGH”.

Information Management (IM):  the function of managing information as an enterprise resource, including planning, organizing and staffing, and leading, directing and controlling information. This includes managing data as enterprise knowledge, managing technology as the enterprise technical infrastructure, and managing applications across business needs.

Information Owner:  a role assigned to a person or organization that has the responsibility and decision-making authority for information throughout its life cycle, including creating, classifying, restricting, regulating and administering its use or disclosure. Within the Government of British Columbia, information ownership flows from the Crown to government Ministers to Deputy Ministers (or equivalent). The Deputy Minister may further delegate information ownership. See: Security Roles and Responsibilities for more information about the responsibilities for this role.

Information processing facilities: the physical location housing any information processing system, service or infrastructure; this includes storage facilities for equipment not yet deployed or awaiting disposal.

Information Security: the preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved. This requires protecting information, software, and equipment from problems related to disclosure, modification, interruption and disposal.

Information security activities: management and technology programs to protect government information assets.

Information Security Architecture:  a strategy that consists of layers of policy, standards and procedures and the way they are linked to create an environment in which security controls can be easily established.

Information security classification: a process of designating a confidentiality label to a set of information based on its value and sensitivity using the IMIT 6.18 Information Security Classification Standard.

Information security classification label: a designation indicating the information security classification (e.g., “Public”, “Protected A”, “Protected B”, “Protected C”) for the information. See the IMIT 6.18 Information Security Classification Standard for more information.

Information security classification system: a system of assigning a security category label to information and information systems based on their sensitivity and value. It is one of the critical components of sound information security practices, because it assists in determining the value and sensitivity of information as well as the protective measures to be applied.

Information security event: an identified occurrence of a system or service state indicating a possible breach of information security or failure of safeguards, or a previously unknown situation that may be security relevant.

Information security incident: a single or a series of unwanted or unexpected events that threaten privacy or information security, including a privacy breach or the collection, use, disclosure, access, disposal, or storage of information, whether accidental or deliberate, unauthorized by the owner of that information.

Information Security Policy: a policy that provides the foundation for the information security governance program, which includes standards, procedures, training and awareness material used to protect government information and information systems. All employees need to be aware of their responsibilities to safeguard government information. The Information Security Policy supports security requirements in the Freedom of Information and Protection of Privacy Act and the Information Management Act. With the introduction of version 4 of the Information Security Policy, the document is shorter, less technical, and provides direction with regards to government’s information security practices. It applies to all government staff, particularly those with responsibility and decision-making authority to manage government information and information technology.

Information security program: a documented, approved, executed, reviewed, and regularly updated program that is aligned with an organization’s mission, vision, and goals, and provides direction on security strategy.

Information system: any equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data. It includes computers, computer software, firmware, IT hardware, word processing systems, networks, or other electronic information handling systems and associated equipment.

Information system contingency planning: a coordinated strategy involving plans, procedures and technical measures that can enable the recovery of a system as quickly and effectively as possible following a service disruption. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system’s information confidentiality, integrity, and availability requirements and the system impact level. It includes one or more of the following approaches to restore disrupted services: a) restoring the information system using alternate equipment; b) performing some or all of the affected business processes using alternate processing (manual) means (typically acceptable for only short-term disruptions); c) recovering information system operations at an alternate location (typically acceptable for only long-term disruptions or those physically impacting the facility); and, d) implementing appropriate contingency planning controls based on the information system’s security impact level (based on NIST 800-34).

Information Security Standard: the Information Security Standard provides specific direction to ministries and the managers of information infrastructure for government.

Information technology asset: Information Technology (IT) asset is any software or hardware component that contains or stores sensitive data and contributes to the delivery of an IT product or service. It includes owned and leased technology hardware (i.e. physical items), owned or licensed software and related or supporting services.

Information technology resources: information and communications technologies, including data, information systems, network services (e.g., Web services; messaging services); computers (e.g., hardware, software); telecommunications networks and associated assets (e.g., telephones, facsimiles, cell phones, laptops, personal digital assistants).

Information type: information classes or groupings based on function, usage, attributes or other commonality (e.g., employees records, invoices, or system documentation are information types). Address, name, or birth date are examples of discrete data elements.

Instant Messaging (IM) or Text Messaging:  instant messaging rivals e-mail as the most popular form of online communication. IM allows users to relay messages to each other in real time for a "conversation" between two or more people. IM is also becoming the quickest new threat to network security. Because many IM systems have been slow to add security features, hackers have found IM a useful means of spreading viruses, spyware, phishing scams, and a wide variety of worms. Typically, these threats have infiltrated systems through attachments or contaminated messages.

Integrity:  the characteristic of information being authentic, accurate and complete and the preservation of accuracy and completeness by protecting the information from unauthorized, unanticipated, or unintentional modification. The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon.

Intellectual property: refers to the category of intangible (non-physical) property consisting primarily of rights related to copyrighted materials, trademark, patent and industrial design. Intellectual property rights are associated with a wide range of products of the human intellect, such as training manuals, publications, map products, videos and computer software. It is important to keep clear the distinction between the items that give rise to intellectual property, such as the manuals and software, and the intellectual property itself, which is the set of rights arising from the creation and development of the items. Simply put, the items are the copies of a particular book, whereas the intellectual property is the copyright in that book.

International Organization for Standardization:  is a group of standards bodies from approximately 130 countries whose aim is to establish, promote and manage standards to facilitate the international exchange of goods and services. (The term 'ISO' is not an acronym for the IOS, it is a word derived from the Greek word 'isos' which means 'equal', which is the root of the prefix 'iso-'.) The BC government’s Information Security Policy is based on ISO 27002:2005.

Internet of Things (IoT): A network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect, and exchange data via the Internet.

Intrusion Detection System (IDS):  a security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). It provides the capability to review larger quantities of data, and generate reports and automated alerts as required.

Intrusion Prevention System:  an automated system similar to an Intrusion Detection System but with the capability to react in real-time to block or prevent malicious or unwanted activity.

IP (Internet Protocol): a unique address that identifies a device on the internet or local network.

JavaScript:  a scripting language that can be used to add functionality to or enhance the look of a Web page or a web site, and can run on any type of client or server computer.

Keylogger:  a hardware device or small program, sometimes called a keystroke logger or system monitor, that monitors each keystroke a user types on a specific computer keyboard (or an ATM or Interac/debit keypad), records everything that is typed (including passwords) and passes that information to outsiders (usually using Bluetooth or similar technology).

Key Management: involves the processes for the generation, exchange, storage, safeguarding, use, vetting and replacement of cryptographic keys.

Least privilege: a security principle that requires each subject in a system to be granted the most restrictive set of privileges (or lowest clearance) needed to perform its assigned tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.

Logical isolation: a configuration that prevents devices that share a physical network infrastructure from being able to communicate with each other.

Macro:  a series of instructions designed to simplify repetitive tasks within a program such as Microsoft Word, Excel, or Access. Macros execute when a user opens the associated file. Macros are mini-programs and can be infected by viruses.

Malicious code or malware: a piece of computing code that is designed, employed, distributed, or activated with the intention of compromising the performance or security of information systems and computers, increasing access to those systems, disclosing unauthorized information, corrupting information, denying service, or stealing resources. It includes computer viruses, worms, Trojans, rootkits, spyware, dishonest adware, denial of service attacks, and other unwanted software.

Media: from the information security perspective, material used to store information. See: Record.

Message integrity: the assurance of unaltered transmission and receipt of a message from the sender to the intended recipient to maintain the completeness, accuracy and validity of the information contained in the message.

Ministry Information Security Officer:  a role assigned to an employee who is responsible for co-ordinating the ministry security program for protecting the confidentiality, integrity and availability of government information. See: Security Roles and Responsibilities for more information about the responsibilities for this role.

Mobile Code:  multiplatform computer code that can be downloaded or transmitted across a network that runs automatically on a computer with little or no user interaction.

Mobile Code Technology:  software technologies that provide the mechanisms for the production and use of mobile code (e.g., Java, JavaScript, VBScript, ActiveX).

Mobile Devices:  portable self-contained electronic devices, including portable computers (e.g., laptops and tablets), personal digital assistants (PDAs), smartphones, cell phones, and digital cameras.

Mobile Device Management:  a plan for enforcing policies and maintaining the desired level of IT control across multiple platforms (e.g., BlackBerry, Apple, Android) for a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets.

Monitoring: a regular/ongoing check on aspects of operations to identify and correct deviations from policies and standards.

Multi-Factor Authentication:  this combines authentication techniques together to form a stronger or more reliable level of authentication. This usually includes combining two or more of the following types: Secret - something the person knows, Token - something the person has, and Biometric - something the person is.

Need-to-know principle: a privacy principle where access to information or systems is restricted to authorized employees who require it to conduct their work, and is not based solely on their status, rank, or office.

Network address spoofing: forging or faking source network addresses with the intent to obscure, hide or impersonate the actual source device.

Network infrastructure: the equipment, information systems and cabling systems used to establish a communication network between Information Systems. Includes routers, switches, hubs, firewalls, transmitters, fibre optic cable and copper cable.

Network management information: the information used to manage network infrastructure, including traffic statistics, counters and logs.

Network pathways and routes: the physical and logical pathways that comprise the connections within the network infrastructure.

Network security boundary: the logical or physical boundary between networks of differing security protection requirements. Network access control devices demark the network security boundaries.

Network security zone: a logical entity containing one or more types of services and entities of similar security requirements and risk levels.

Network segregation: the separation of groups of users, information systems and services with similar business functions by control of network traffic flow (e.g., by use of security gateways, physically separate networks or access controls).

Network service agreement: The contract or agreement between a service provider and a service consumer that defines the services to be delivered and the terms and conditions of delivery.

Network service provider: a provider of network services to government which may be internal or external to government.

Non-retrievable:  a state in which data is rendered permanently unrecoverable from any media in any form.

Non-repudiation:  assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.

Outside authorities: include law enforcement, fire departments, other emergency response authorities, utilities and telecommunications providers.

Password or Passcode (or PIN):  a password or its numerical form, sometimes called a passcode or PIN, is one of the simplest authentication methods. It is usually used with an identifier (account number or user name), as a shared secret between the person who wants access and the system that’s protected.

Password management system: an automated process which enforces password rules.

Patch:  a small piece of software designed to fix problems with or update computer programs. The patch is an actual piece of object code that is inserted into (patched into) an executable program.

Payment Card Industry (PCI) Data Security Standard (DSS):  is an industry regulation developed by VISA, MasterCard and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. MasterCard markets the program as their Site Data Protection (SDP) Program and VISA markets it as their Cardholder Information Security Program (CISP). The Standards rely on the merchant banks to enforce them and they may do so with penalties for non-compliance and disclosures caused by non-compliance.

Peer-to-peer (P2P):  P2P technology allows two computers on a network, typically called nodes, to communicate directly with each other without going through a centralized server. This is how malicious code and files can so easily be spread via P2P; they avoid going through the server that does the scan for the malicious code.

Penetration:  gaining unauthorized logical access to sensitive data by circumventing a system's protections.

Penetration Testing: is used to test the external perimeter security of a network or facility.

Personal Information:  any recorded information about an identifiable individual other than their business contact information. Personal information includes information that can be used to identify an individual through association or inference. See Personal Information for more information.

Pharming:  a practice in which malicious code, such as a virus or other form of malware, redirects users from a legitimate website to a fraudulent one without their knowledge.

Phishing:  a digital form of social engineering that uses authentic-looking, but fake, emails to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication and urging users to click on a link or open an attachment. These actions can result in downloading malware as well as identity theft.

Physical security:  the application of control procedures as measures to prevent or deter attackers from accessing a facility, resource, or information. It can include items such as physical barriers to gaining access, electronic security and alarm systems, video monitoring, staffed security or other response.

Portable Storage Devices:  are compact devices with storage capacity that can be attached to a computer and temporarily or permanently store data in an electronic format. Laptops and notebook computers, tablets and smartphones, removable hard drives, USB storage devices (flash drives, jump drives, memory sticks, memory cards, thumb drives), MP3 players, CDs, DVDs, tapes and diskettes are portable storage devices.

Positional user identifier (user ID): is a unique system user ID assigned to a persistent function or job in circumstances where the employees filling the job are transitional. Positional user IDs are issued to a Supervisor who is accountable for the day-to-day management and assignment of the user ID to individuals. For example, a positional user ID could be used for a receptionist position that is temporarily filled by short term employees from an employment agency. In these limited circumstances, use of positional user IDs can avoid the need to create new user IDs for short term employees.

Privacy:  is the practice of protecting our personal information, or those of our customers, from being accessed or given away, either by accident or from direct theft, to parties not authorized to view this information.

Privacy Impact Assessment (PIA):  an assessment that is conducted to determine if a new enactment, system, project or program meets the requirement of Part 3 of the Freedom of Information and Protection of Privacy Act.

Privileged identity management (PIM): A service in Azure Active Directory (Azure AD) that enables organizations to manage, control, and monitor access to important resources.

Privileged operations: operations that have high-level permissions to alter access rights and structures of information systems and/or services.

Privileged Users:  users with permissions to alter access rights and structures of information systems. This includes (but is not limited to) system administrators, network administrators, database administrators, security administrators, web site administrators, system operators and network operators.

Privileges: See: Systems privileges.

Proxy Server:  a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.

Public-Key Infrastructure (PKI):  is the infrastructure needed to support asymmetric cryptography. At a minimum, this includes the structure and services needed to do the following: Register and verify identities, Build and store credentials, Certify the credentials (issue digital certificates), Disseminate the public key, and Secure the private key and yet make it available for use. A PKI enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

QR (Quick Response) Code:  a QR code is a type of two-dimensional (2D) barcode that can be read using a QR barcode reader or camera-enabled smartphone. It looks like a square with blotches inside and appears on posters, marketing materials and websites. QR Codes are a popular marketing tool because the barcode can store phone numbers, addresses, URLs and other details.

Radio Frequency Identification (RFID):  uses radio waves to uniquely identify objects/ tags, that can be active, containing a power source, or passive, simply bouncing a signal using the energy of the RFID reader. Passive tags may be so small that they are hard to see. They are used in inventory control to uniquely identify each unit and can be read through most types of packaging. The fact that RFID can be so easily read at some distance, up to 30 feet for passive devices and much longer for active ones, has raised issues about privacy. RFID also is inserted under the skin to identify pets and link them to their medical records.

Ransomware: Malware that restricts access to a compromised system until the ransom demand is met.

Reception Zone: an area where access to restricted zones is controlled, and the initial contact between the public and the ministry occurs, services are provided, or information exchanged.

Record: anything that is recorded or stored by graphic, electronic, mechanical or other means. This includes books, documents, maps, drawings, photographs, letters, vouchers, and papers.

Remote Access:  the act of using a remote access service to connect to the government network or government systems. It provides an effective way for mobile workers, telecommuters and non-government users on external networks to access the shared B.C. provincial government network (SPAN/BC). Access can be from a remote location or facility, or from within a local site but external to the particular resource accessed.

Remote access service: a service that provides network access to the government network or government systems from a remote location (e.g., the government VPN service).

Requirements phase: a component of the System Development Life Cycle. Functional user requirements are formally defined and the requirements for the system are delineated in terms of data, system performance, security and maintainability requirements. All requirements are defined in sufficient detail for systems design to proceed. All requirements need to be measurable, testable and related to the business need or opportunity.

Restricted Access Operations Zone: a designated controlled physical area where access is limited to persons who work there and to escorted visitors. It is usually a standard working area and offices.

Restricted Access Security Zone: a strictly controlled area where access is limited to authorized persons and to properly escorted visitors.

RF (Radio Frequency): oscillation rate of an alternating electric current or voltage or of a magnetic, electric, or electromagnetic field or mechanical system.

Risk:  the potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets. Risk is the product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack.

Risk and controls review: an independent and objective assessment of an information system to determine whether the business/system framework has adequate controls to mitigate business, financial, security and general privacy risks.

Risk-based access policies: Specific access control policies that can be applied to protect organizations when a sign-in or user is detected to be at risk.

Risk-based digital enablement: Prioritizing digital service investments using a risk-based decision process or framework. Also known as risk-based approach to funding.

Risk-based security: Prioritizing security investments and implementing security controls using a risk-based decision process or framework.

Root Directory:  in a computer's filing system on the hard disk, the root directory is the directory (or folder) from which all other directories will be created.

Rootkit: a collection of tools (programs), often delivered as Trojan horse software, that enables administrator-level access to a computer or computer network and is used to control or attack the system or to gather your information, such as passwords and message traffic to and from the computer. Rootkits are used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network. They often run silently on computer systems and are generally not detected by anti-virus or anti-spyware software.

SCADA:  is an acronym that stands for “Supervisory Control and Data Acquisition”. The protocols were mainly established to work with computers in industrial settings. The purpose of the system is to control processes such as the regulation of pumps, manufacturing equipment and other real-time sensors (i.e. on pipelines and temperature controls). Prior to the advent of the Internet this control structure was relatively safe. Today, however, the assurance data is less reliable and the communication between the computer and the process is carried over the Internet.

Screening: a process to verify facts about individuals related to their identity, professional credentials, previous employment, education and skills.

Secured Path: a network path that is protected from eavesdropping, intrusion and data tampering.

Security Awareness:  the extent to which every member of an organization understands security and the levels of security appropriate to the organization, the importance of security and consequences of a lack of security, and their individual responsibilities regarding security. Includes a clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware organizational culture.

Security by design: An approach to software and hardware that has been designed from the foundation to be secure through measures like continuous testing, authentication safeguards, and adherence to best programming practices.

Security certification: a comprehensive assessment of the management, operational and technical security controls in an information system, to determine the extent to which the controls have been implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Security Infrastructure:  the complete set of information security-related systems, policies, standards, guidelines, procedures, resources and physical implementations of information security administration.

Security management systems: systems that collect, store and manage configuration and operational information about network devices. Includes configuration management databases and log management systems.

Security Policy:  a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources - a senior leadership directive that indicates the direction or intent of its established goals, and assigns responsibilities for, addressing security risks to an organization. The B.C. government has adopted the Information Security Policy, which undergoes a regular review.

Security posture: the security status of the technical infrastructure and information systems with respect to known vulnerabilities and attacks.

Security review: an independent review with the scope focused on the security framework over the business processes, application and operating environment. Reviews are distinguishable from audits in that the scope of a review is less than that of an audit and therefore the level of assurance provided is lower.

Security Threat and Risk Assessment (STRA): a component of a risk analysis specifically aimed at identifying security exposures, and the potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. STRAs include, but are not limited to, vulnerability testing, ethical hacking and audit reviews.

Security weakness: a weakness in an application, procedure or process that may result in a security incident.

Security zone: See: Reception Zone, Restricted Access Operations Zone, Restricted Access Security Zone.

Segregation of Duties:  a method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorise processing; and systems development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to the staff and contractors against the possibility of unintentional damage through accident or incompetence - 'what they are not able to do (on the system) they cannot be blamed for'.

Sensitive information: Any information that, if disclosed, could cause harm to an individual, organization, or government.

Serverless: also known as Abstracted Services. Involves no server management by the consumer/end user. Automatic scaling and availability are usually part of this, and event-driven functions are typically included. Data and user access/identity management remain the responsibility of the consumer. For example, an application is deployed by the user, but the backend infrastructure (setup, patching, maintenance, scalability, etc.) is abstracted from the user and is handled behind the scenes transparently.

Service Oriented Architecture (SOA):  a design or plan that describes a theoretical software system. This architecture describes services that are discrete, re-usable and independent of the programming or networking environment in which they are used. These services have simple interfaces and, since they are tool-independent, can be used by many different service consumers.

Service owner: person or organization having responsibility for the operations and delivery of a government service. A service owner could be an application owner or a system owner. See: Application owner; System owner.

Service provider: a person or organization retained under contract to perform service for the Government of British Columbia.

Shoulder Surfing:  the act of looking over a user's shoulder as they enter a password. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers, public Internet cafés, or Wi-Fi access areas - it is used wherever passwords, PINs, or other ID codes are entered. Shoulder surfing has also been used simply to see whether any information of interest can be obtained.

Social Engineering:  the practice of obtaining information or access by tricking legitimate, innocent users. Social engineers use shoulder surfing, in-person conversation, telephone calls, email or text messages to obtain personal sensitive details, exploiting the natural tendency of a person to trust others. Generally, it is easier to take advantage of a person in this way than to exploit computer security vulnerabilities.

Software: includes (but is not limited to) application and system software, development tools and utilities.

Source Code:  the actual program - as written by the programmer - which is compiled into machine code (object code) which the computer can understand. Source code is the intellectual property of the developer(s) and for many years commercial source code was never released to users, only licensed for use. Possession of Source Code is essential if an organisation is to maintain and/or modify the software without being reliant upon the original developer.

Spam:  spam emails represent the vast majority of emails sent world-wide on any given day. Internet hoax emails are spam, as are mass marketing emails trying to sell goods at great prices that are counterfeit (e.g., prescription drugs without a prescription, designer goods such as purses, shoes and jewellery, and even anti-virus software and college diplomas). Spam emails almost always contain offers that are “too good to be true”, which should serve as a warning in itself.

Spoofing:  impersonating another person or computer, usually by providing a false email name, URL, domain name server, or IP address. Attackers will change information in an e-mail header or in packets of information being sent over the Internet to make it look like the information came from another source. One of the more common methods used to get a person to open a mail message containing a virus or Trojan is to spoof the address that appears in the "from" field. Spoofing can also be done with phone numbers, caller identification (ID), and text numbers, using free technology available on the Internet.

Spyware:  on the Internet, spyware is programming that is put into a person’s computer to secretly gather information about the user (such as what sites are visited) and relay it to advertisers or other interested parties. Spyware can be installed in a computer as a software virus or as the result of installing a new program on the computer.

SQL Injection:  an input validation attack specific to database-driven applications, in which SQL code is inserted into application queries to manipulate the database.

SSL (Secure Sockets Layer):  a standard, developed by Netscape Communications, for encrypting information and transmitting it over the Internet more securely. A secure site URL appears as https:, and the web page often has a small yellow lock symbol in the bottom bar.

SSL-VPN:  although the Secure Sockets Layer (SSL) is a protocol designed specifically for web browsers to securely access web-based applications, the fact that it encrypts information and that it authenticates at least one of the parties, also makes it a Virtual Private Network (VPN).

Standards of Conduct:  employees will exhibit the highest standards of conduct - their conduct must instill confidence and trust and not bring the BC Public Service into disrepute. The honesty and integrity of the BC Public Service demands the impartiality of employees in the conduct of their duties. The requirement to comply with these Standards of Conduct is a condition of employment.

Status accounting: a comparison of configuration data stored in a configuration database to actual device configuration. Used to ensure that recorded configuration data matches actual device configuration.

Steganography:  methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is "invisible" ink.

Supervisor: an assigned role that is accountable for human resource leadership and management within their business unit. See: Security Roles and Responsibilities for more information about the responsibilities for this role.

System owner: person or organization having responsibility for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system. A system owner assumes the Information Custodian role when the system collects, hosts, processes, or transfers information. The Information Owner role is also assumed if they own the information the system collects, hosts, processes, or transmits. A system owner may also be known as an application owner when having responsibility for the program or programs that make up an application. See: Application owner.

System security plan:  a repository of documented security information and controls (management, operational and technical) regarding an application system. See IMIT 6.29 System Acquisition Development and Maintenance Security Standard for more details.

System utility programs: tools that when misused can subvert system, access and application controls (e.g., network sniffers, password crackers, port scanners, root kits and vulnerability assessment scanners).

Systems certificate: a formal methodology for comprehensive testing and documentation of information system security safeguards, both technical and nontechnical, in a given environment by using established evaluation criteria (the Common Criteria international standard).

Systems documentation: detailed information about a system's design specifications, its internal workings, and its functionality including schematics, architectures, data structures, procedures and authorization processes.

Systems hardening: a process of securing a computer system or server to eliminate the means of attack by patching security vulnerabilities, turning off non-essential services and closing off unnecessary network entry points in the computer system or server.

Systems privileges: permissions which allow the user to alter access rights and structures of information systems.

Telework: a working arrangement where employees work away from their official workplace for a portion of their regular work week (BC Public Service Agency, Flexible Work Options).

Third party: includes an external party or a person outside the direct reporting structure of the Information Owner or Information Custodian (e.g., an individual, a business or organization, employees from another branch of government, or another level of government).

Thought leaders: Individuals or organizations that are recognized as an authority in a specialized field.

Threat: in the security context, any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, disposal, destruction, removal, modification or interruption of sensitive information, assets or services, or injury to people. A threat may be deliberate, accidental or of natural origin. See: Vulnerability and Information security event.

Threat Vector:  the method a threat uses to get to the target.

TLS (Transport Layer Security): a cryptographic protocol designed to provide communications security over a computer network.

Trojan Horse:  a non-replicating program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do damage by installing a “backdoor”, allowing outsiders to access and control your computer. Some Trojan horses replace existing files with malicious versions, while others add another application to a computing device without overwriting existing files. They can be difficult to detect as they often appear to be providing a beneficial purpose.

Trusted path: See: Secured path.

Two-person access control: a system of requiring the presence of two authorized persons to perform an action, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. For example, a locked cabinet or safe which has two locks requiring action by two persons, each with a unique key or code and which requires the presence of two persons to access or open.


Unauthorized Access:  category of incident where an individual gains logical or physical access without permission to a network, system, application, data, or other resource.

Uninterruptible power supply (UPS): a backup power source for computers and computer networks to ensure on-going operation in the event of a power failure.

URL (Uniform Resource Locator): address of a web page.

User: a person authorized to access an electronic service or information system.

User Identifier:  the unique personal identifier that is authorized to access the government's computer and information systems. Your IDIR account is your government User IDentifier, which in combination with your password provides a secure single sign-on that is unique to you. It is essential that you protect your IDIR/password combination.

Virus:  self-replicating, malicious code that attaches itself to an application program or other executable system component and distributes the copies of itself to other files, programs, or computing devices, but leaves no obvious signs of its presence. Viruses insert themselves into host programs and spread when the infected program is executed (e.g., opening a file, running a program, or clicking on a file attachment).

VOIP Security (Voice Over Internet Protocol):  voice communications can be transmitted as data over the Internet in packets. A completely different set of infrastructure components are utilized than with traditional verbal communications. Many of the same challenges exist with the security of audio communications on the Internet as those that exist with the web and computer networks.

VPN (Virtual Private Network):  the use of a public network - usually the Internet - to connect securely to a private network, such as a company's network, is the basis of a VPN. Companies and organizations use a VPN to communicate confidentially over a public network and to send voice, video or data. It is also an excellent option for remote workers and for organizations with global offices and partners to share data in a private manner.

Vulnerability: in the security context, a flaw or weakness in security design, implementation, system, organization, processes, procedures, or controls that could be triggered or intentionally exploited by a threat to gain unauthorized access to information or to disrupt critical processing, resulting in a security incident or breach.

Wireless Local Area Network (LAN): a Local Area Network that uses wireless transmission media, such as 802.11a/b/g/n or WiMax.

Worm:  a computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. Worms waste system and network resources and may damage systems by performing malicious acts such as installing backdoors and performing DoS attacks.

Zero Day:  the zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

Zombies:  a zombie computer (often shortened as zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse. Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

Zone: See: Reception Zone, Restricted Access Operations Zone, Restricted Access Security Zone.


Searchable Sites for Tech Terms:  http://www.webopedia.com/ & http://whatis.techtarget.com/