$ phreaking
   (D) A contraction of "telephone breaking". An attack on or penetration of a telephone system or, by extension, any other communication or information system. [Raym]

   Deprecated Term: IDOCs SHOULD NOT use this contraction; it is not listed in most dictionaries and could confuse international readers. (See: Deprecated Usage under "Green Book".)

$ physical destruction
   (I) /threat action/ See: secondary definition under "incapacitation".

$ physical security
   (I) Tangible means of preventing unauthorized physical access to a system. Examples: Fences, walls, and other barriers; locks, safes, and vaults; dogs and armed guards; sensors and alarm bells. [FP031, R1455] (See: security architecture.)

$ piggyback attack
   (I) A form of active wiretapping in which the attacker gains access to a system via intervals of inactivity in another user's legitimate communication connection. Sometimes called a "between-the-lines" attack. (See: hijack attack, man-in-the-middle attack.)

   Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the term could confuse international readers.

$ PIN
   (I) See: personal identification number.

$ ping of death
   (D) A denial-of-service attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of causing the destination system to fail. (See: ping sweep, teardrop.)

   Deprecated Term: IDOCs SHOULD NOT use this term; instead, use "ping packet overflow attack" or some other term that is specific with regard to the attack mechanism.

   Tutorial: This attack seeks to exploit an implementation vulnerability. The IP specification requires hosts to be prepared to accept datagrams of up to 576 octets, but also permits IP datagrams to be up to 65,535 octets long. If an IP implementation does not properly handle very long IP packets, the ping packet may overflow the input buffer and cause a fatal system error.
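   The implementation defect the "ping of death" tutorial describes is an IP reassembler that trusts fragment offsets and lengths when copying into a fixed 65,535-octet buffer. The following is an added example, not text or code from this Glossary, of a reassembler that enforces the bound before copying; the fragment tuples and their sizes are constructed for illustration.

```python
# Added example (not from RFC 4949): defensive IPv4 fragment reassembly that
# rejects any fragment set whose reassembled size would exceed the 65,535-octet
# IP datagram maximum. Fragment layout and sample values are constructed.

IP_MAX_DATAGRAM = 65535   # maximum IPv4 total length (16-bit field)
FRAG_UNIT = 8             # fragment offset is expressed in 8-octet units


class ReassemblyError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def fragment_end(offset_units, payload_len):
    """Byte position just past a fragment's payload within the datagram."""
    return offset_units * FRAG_UNIT + payload_len


def check_fragment(offset_units, payload_len, buffer_size=IP_MAX_DATAGRAM):
    """Validate one fragment before copying it into the reassembly buffer.

    A vulnerable implementation trusts offset*8 + len and writes past the end
    of a fixed-size buffer; here the bound is enforced up front."""
    end = fragment_end(offset_units, payload_len)
    if end > buffer_size:
        raise ReassemblyError(
            f"fragment would end at byte {end}, beyond buffer of {buffer_size}")
    return end


def reassemble(fragments, buffer_size=IP_MAX_DATAGRAM):
    """Reassemble (offset_units, more_fragments, payload) tuples into a datagram.

    Returns the reassembled bytes or raises ReassemblyError for oversize,
    duplicated-last, gapped or truncated sets. Arrival order does not matter."""
    buf = bytearray(buffer_size)
    covered = []            # (start, end) ranges actually received
    total_len = None        # set when the last fragment (MF=0) is seen
    for offset_units, more_fragments, payload in fragments:
        end = check_fragment(offset_units, len(payload), buffer_size)
        start = offset_units * FRAG_UNIT
        buf[start:end] = payload
        covered.append((start, end))
        if not more_fragments:
            if total_len is not None:
                raise ReassemblyError("two fragments claim to be the last")
            total_len = end
    if total_len is None:
        raise ReassemblyError("last fragment never received")
    # The received ranges must cover [0, total_len) without gaps.
    pos = 0
    for start, end in sorted(covered):
        if start > pos:
            raise ReassemblyError(f"gap at byte {pos}")
        pos = max(pos, end)
    if pos < total_len:
        raise ReassemblyError("datagram truncated")
    return bytes(buf[:total_len])


# Constructed samples: a normal two-fragment datagram and an oversize set.
NORMAL_FRAGMENTS = [
    (0, True, b"A" * 1480),        # bytes 0..1479, more fragments follow
    (185, False, b"B" * 20),       # 185*8 = 1480, last fragment
]
OVERSIZE_FRAGMENTS = [
    (0, True, b"A" * 1480),
    (8185, False, b"C" * 1000),    # 8185*8 + 1000 = 66480 > 65535
]


def safe_reassemble(fragments):
    """Return (ok, length_or_reason) so callers can log rejected sets."""
    try:
        return True, len(reassemble(fragments))
    except ReassemblyError as exc:
        return False, str(exc)
```

   The check is deliberately placed before the copy: once the payload has been written, the damage to the buffer's neighbours is already done, so a post-copy length check gives no protection.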
$ ping sweep
   (I) An attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities. (See: ping of death. Compare: port scan.)

$ PKCS
   (N) See: Public-Key Cryptography Standards.

$ PKCS #5
   (N) A standard [PKC05] (see: RFC 2898) from the PKCS series; defines a method for encrypting an octet string with a secret key derived from a password.

   Tutorial: Although the method can be used for arbitrary octet strings, its intended primary application in public-key cryptography is for encrypting private keys when transferring them from one computer system to another, as described in PKCS #8.

$ PKCS #7
   (N) A standard [PKC07] (see: RFC 2315) from the PKCS series; defines a syntax for data that may have cryptography applied to it, such as for digital signatures and digital envelopes. (See: CMS.)

$ PKCS #10
   (N) A standard [PKC10] (see: RFC 2986) from the PKCS series; defines a syntax for certification requests. (See: certification request.)

   Tutorial: A PKCS #10 request contains a DN and a public key, and may contain other attributes, and is signed by the entity making the request. The request is sent to a CA, who converts it to an X.509 public-key certificate (or some other form), and returns it, possibly in PKCS #7 format.

$ PKCS #11
   (N) A standard [PKC11] from the PKCS series; defines a CAPI called "Cryptoki" for devices that hold cryptographic information and perform cryptographic functions.

$ PKI
   (I) See: public-key infrastructure.

$ PKINIT
   (I) Abbreviation for "Public Key Cryptography for Initial Authentication in Kerberos" (RFC 4556). (See: Tutorial under "Kerberos".)
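   The key-derivation step that PKCS #5 builds its password-based encryption on is PBKDF2 (RFC 2898, section 5.2). The following is an added example, not code from this Glossary or from the PKCS documents, that writes the derivation out in the RFC's own terms and checks it against the Python standard library and the RFC 6070 test vectors; the iteration count and salt in `derive_wrapping_key` are constructed values.

```python
# Added example (not from RFC 4949 or PKCS #5): PBKDF2 from RFC 2898 section
# 5.2 written out step by step, cross-checked against hashlib and RFC 6070.
import hashlib
import hmac
import struct


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-<hash_name> as the PRF.

    DK = T_1 || T_2 || ... || T_l, where T_i = U_1 xor U_2 xor ... xor U_c,
    U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1})."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    hlen = hashlib.new(hash_name).digest_size
    if dklen > (2 ** 32 - 1) * hlen:
        raise ValueError("derived key too long")
    blocks = -(-dklen // hlen)          # l = ceil(dkLen / hLen)
    derived = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)), INT(i) a 4-octet big-endian block index
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = bytearray(u)                # T_i starts as U_1
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()   # U_j = PRF(P, U_{j-1})
            t = bytearray(a ^ b for a, b in zip(t, u))      # T_i ^= U_j
        derived += t
    return bytes(derived[:dklen])


def matches_stdlib(password, salt, iterations, dklen, hash_name="sha1"):
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    return pbkdf2(password, salt, iterations, dklen, hash_name) == \
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


# RFC 6070 test vectors for PBKDF2-HMAC-SHA1 (P="password", S="salt", dkLen=20).
RFC6070_VECTORS = {
    1: "0c60c80f961f0e71f3a9b524af6012062fe037a6",
    2: "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957",
    4096: "4b007901b765489abead49d926f721d065a429c1",
}


def rfc6070_results():
    """Return {iterations: bool} stating whether each published vector matches."""
    return {c: pbkdf2(b"password", b"salt", c, 20).hex() == dk
            for c, dk in RFC6070_VECTORS.items()}


def derive_wrapping_key(password: bytes, salt: bytes, iterations: int = 600_000):
    """The PKCS #5 use case: turn a password into a 256-bit key that would then
    encrypt a private key for transport (the cipher step is outside this
    example). The salt must be random and stored with the ciphertext; the
    default iteration count is a constructed modern value, not one from the
    standard, which only sets a floor of 1000."""
    if len(salt) < 8:
        raise ValueError("PKCS #5 v2 calls for at least 8 octets of salt")
    return pbkdf2(password, salt, iterations, 32, "sha256")
```

   The XOR accumulation is what makes the iteration count cost the attacker as much as it costs the legitimate user: no intermediate U_j can be skipped, so raising c raises the price of every guess at the password.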
$ PKIX
   1a. (I) A contraction of "Public-Key Infrastructure (X.509)", the name of the IETF working group that is specifying an architecture [R3280] and set of protocols [R4210] to provide X.509-based PKI services for the Internet.

   1b. (I) A collective name for that Internet PKI architecture and associated set of protocols.

   Tutorial: The goal of PKIX is to facilitate the use of X.509 public-key certificates in multiple Internet applications and to promote interoperability between different implementations that use those certificates. The resulting PKI is intended to provide a framework that supports a range of trust and hierarchy environments and a range of usage environments. PKIX specifies (a) profiles of the v3 X.509 public-key certificate standards and the v2 X.509 CRL standards for the Internet, (b) operational protocols used by relying parties to obtain information such as certificates or certificate status, (c) management protocols used by system entities to exchange information needed for proper management of the PKI, and (d) information about certificate policies and CPSs, covering the areas of PKI security not directly addressed in the rest of PKIX.

$ plain text
   1. (I) /noun/ Data that is input to an encryption process. (See: plaintext. Compare: cipher text, clear text.)

   2. (D) /noun/ Synonym for "clear text".

   Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "clear text". Sometimes plain text that is input to an encryption operation is clear text, but other times plain text is cipher text that was output from a previous encryption operation. (See: superencryption.)

$ plaintext
   1. (O) /noun/ Synonym for "plain text".

   2. (I) /adjective/ Referring to plain text. Usage: Commonly used instead of "plain-text". (Compare: ciphertext, cleartext.)

   3. (D) /noun/ Synonym for "cleartext".

   Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "cleartext". Cleartext data is, by definition, not encrypted; but plaintext data that is input to an encryption operation may be cleartext data or may be ciphertext data that was output from a previous encryption operation. (See: superencryption.)

$ PLI
   (I) See: Private Line Interface.

$ PMA
   (N) See: policy management authority.

$ Point-to-Point Protocol (PPP)
   (I) An Internet Standard protocol (RFC 1661) for encapsulation and full-duplex transportation of protocol data packets in OSIRM Layer 3 over an OSIRM Layer 2 link between two peers, and for multiplexing different Layer 3 protocols over the same link. Includes optional negotiation to select and use a peer entity authentication protocol to authenticate the peers to each other before they exchange Layer 3 data. (See: CHAP, EAP, PAP.)

$ Point-to-Point Tunneling Protocol (PPTP)
   (I) An Internet client-server protocol (RFC 2637) (originally developed by Ascend and Microsoft) that enables a dial-up user to create a virtual extension of the dial-up link across a network by tunneling PPP over IP. (See: L2TP.)

   Tutorial: PPP can encapsulate any IPS Network Interface Layer protocol or OSIRM Layer 3 protocol. Therefore, PPTP does not specify security services; it depends on protocols above and below it to provide any needed security. PPTP makes it possible to divorce the location of the initial dial-up server (i.e., the PPTP Access Concentrator, the client, which runs on a special-purpose host) from the location at which the dial-up protocol (PPP) connection is terminated and access to the network is provided (i.e., at the PPTP Network Server, which runs on a general-purpose host).

$ policy
   1a. (I) A plan or course of action that is stated for a system or organization and is intended to affect and direct the decisions and deeds of that entity's components or members. (See: security policy.)

   1b. (O) A definite goal, course, or method of action to guide and determine present and future decisions, that is implemented or executed within a particular context, such as within a business unit. [R3198]

   Deprecated Abbreviation: IDOCs SHOULD NOT use "policy" as an abbreviation of either "security policy" or "certificate policy". Instead, to avoid misunderstanding, use a fully qualified term, at least at the point of first usage.

   Tutorial: The introduction of new technology to replace traditional systems can result in new systems being deployed without adequate policy definition and before the implications of the new technology are fully understood. In some cases, it can be difficult to establish policies for new technology before the technology has been operationally tested and evaluated. Thus, policy changes tend to lag behind technological changes, such that either old policies impede the technical innovation, or the new technology is deployed without adequate policies to govern its use. When new technology changes the ways that things are done, new "procedures" must be defined to establish operational guidelines for using the technology and achieving satisfactory results, and new "practices" must be established for managing new systems and monitoring results. Practices and procedures are more directly coupled to actual systems and business operations than are policies, which tend to be more abstract.

   - "Practices" define how a system is to be managed and what controls are in place to monitor the system and detect abnormal behavior or quality problems. Practices are established to ensure that a system is managed in compliance with stated policies. System audits are primarily concerned with whether or not practices are being followed. Auditors evaluate the controls to make sure they conform to accepted industry standards, and then confirm that controls are in place and that control measurements are being gathered. Audit trails are examples of control measurements that are recorded as part of system operations.

   - "Procedures" define how a system is operated, and relate closely to issues of what technology is used, who the operators are, and how the system is deployed physically. Procedures define both normal and abnormal operating circumstances.

   - For every control defined by a practice statement, there should be corresponding procedures to implement the control and provide ongoing measurement of the control parameters. Conversely, procedures require management practices to ensure consistent and correct operational behavior.

$ policy approval authority
   (D) /PKI/ Synonym for "policy management authority". [PAG]

   Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "policy management authority". The term suggests a limited, passive role that is not typical of PMAs.
$ policy approving authority (PAA)
   (O) /MISSI/ The top-level signing authority of a MISSI certification hierarchy. The term refers both to that authoritative office or role and to the person who plays that role. (See: policy management authority, root registry.)

   Tutorial: A MISSI PAA (a) registers MISSI PCAs and signs their X.509 public-key certificates, (b) issues CRLs but does not issue a CKL, and (c) may issue cross-certificates to other PAAs.

$ policy authority
   (D) /PKI/ Synonym for "policy management authority". [PAG]

   Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "policy management authority". The term is unnecessarily vague and thus may be confused with other PKI entities, such as CAs and RAs, that enforce or apply various aspects of PKI policy.

$ policy certification authority (Internet PCA)
   (I) An X.509-compliant CA at the second level of the Internet certification hierarchy, under the IPRA. Each PCA operates under its published security policy (see: certificate policy, CPS) and within constraints established by the IPRA for all PCAs. [R1422] (See: policy creation authority.)

$ policy creation authority (MISSI PCA)
   (O) /MISSI/ The second level of a MISSI certification hierarchy; the administrative root of a security policy domain of MISSI users and other, subsidiary authorities. The term refers both to that authoritative office or role and to the person who fills that office. (See: policy certification authority.)

   Tutorial: A MISSI PCA's certificate is issued by a PAA. The PCA registers the CAs in its domain, defines their configurations, and issues their X.509 public-key certificates. (The PCA may also issue certificates for SCAs, ORAs, and other end entities, but a PCA does not usually do this.) The PCA periodically issues CRLs and CKLs for its domain.
$ policy management authority (PMA)
   (I) /PKI/ A person, role, or organization within a PKI that is responsible for (a) creating or approving the content of the certificate policies and CPSs that are used in the PKI; (b) ensuring the administration of those policies; and (c) approving any cross-certification or interoperability agreements with CAs external to the PKI and any related policy mappings. The PMA may also be the accreditor for the PKI as a whole or for some of its components or applications. [DoD9, PAG] (See: policy approving authority.)

   Example: In the U.S. Department of Defense, an organization called the Policy Management Authority is responsible for DoD PKI [DoD9].

$ policy mapping
   (I) "Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain." [X509]

$ policy rule
   (I) A building block of a security policy; it (a) defines a set of system conditions and (b) specifies a set of system actions that are to be performed if those conditions occur. [R3198]

$ POP3
   (I) See: Post Office Protocol, version 3.

$ POP3 APOP
   (I) A POP3 command (better described as a transaction type, or subprotocol) by which a POP3 client optionally uses a keyed hash (based on MD5) to authenticate itself to a POP3 server and, depending on the server implementation, to protect against replay attacks. (See: CRAM, POP3 AUTH, IMAP4 AUTHENTICATE.)

   Tutorial: The server includes a unique time stamp in its greeting to the client. The subsequent APOP command sent by the client to the server contains the client's name and the hash result of applying MD5 to a string formed from both the time stamp and a shared secret value that is known only to the client and the server. APOP was designed to provide an alternative to using POP3's USER and PASS (i.e., password) command pair, in which the client sends a cleartext password to the server.

$ POP3 AUTH
   (I) A POP3 command [R1734] (better described as a transaction type, or subprotocol) by which a POP3 client optionally proposes a mechanism to a POP3 server to authenticate the client to the server and provide other security services. (See: POP3 APOP, IMAP4 AUTHENTICATE.)

   Tutorial: If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms used by POP3 AUTH are those used by IMAP4.

$ port scan
   (I) A technique that sends client requests to a range of service port addresses on a host. (See: probe. Compare: ping sweep.)

   Tutorial: A port scan can be used for pre-attack surveillance, with the goal of finding an active port and subsequently exploiting a known vulnerability of that port's service. A port scan can also be used as a flooding attack.

$ positive authorization
   (I) The principle that a security architecture should be designed so that access to system resources is permitted only when explicitly granted; i.e., in the absence of an explicit authorization that grants access, the default action shall be to refuse access. (See: authorization, access.)

$ POSIX
   (N) Portable Operating System Interface for Computer Environments, a standard [FP151, I9945] (originally IEEE Standard P1003.1) that defines an operating system interface and environment to support application portability at the source code level. It is intended to be used by both application developers and system implementers.

   Tutorial: P1003.1 supports security functionality like that on most UNIX systems, including discretionary access control and privileges. IEEE Draft Standard P1003.6 specifies additional functionality not provided in the base standard, including (a) discretionary access control, (b) audit trail mechanisms, (c) privilege mechanisms, (d) mandatory access control, and (e) information label mechanisms.

$ Post Office Protocol, version 3 (POP3)
   (I) An Internet Standard protocol (RFC 1939) by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client. (See: IMAP4.)

   Tutorial: POP3 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: POP3 APOP, POP3 AUTH.)

$ PPP
   (I) See: Point-to-Point Protocol.
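   The APOP exchange described under "POP3 APOP" above, as an added example that is not code from this Glossary or from RFC 1939: the client side computes the digest from the greeting's timestamp, and the server side shows what "depending on the server implementation" means for replay protection, namely that each timestamp is accepted once. The host name, account, secret and clock values are constructed, except for the RFC 1939 worked example reproduced in `rfc1939_example_digest`.

```python
# Added example (not from RFC 4949 or RFC 1939): the POP3 APOP exchange with
# server-side checks that make the greeting timestamp single-use. Host name,
# secrets and clock values below are constructed.
import hashlib
import hmac
import re

TIMESTAMP_RE = re.compile(r"<[^<>]+>")   # RFC 1939 msg-id form: <pid.clock@host>


def apop_digest(timestamp, secret):
    """Hex MD5 over the greeting timestamp followed by the shared secret."""
    return hashlib.md5(timestamp.encode("ascii") + secret).hexdigest()


def extract_timestamp(greeting):
    """Pull the timestamp out of the server greeting, as a client must."""
    m = TIMESTAMP_RE.search(greeting)
    return m.group(0) if m else None


def rfc1939_example_digest():
    """The worked example in RFC 1939 section 7 (shared secret "tanstaaf")."""
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", b"tanstaaf")


class ApopServer:
    """Minimal server-side APOP state machine (one object per server)."""

    def __init__(self, secrets, host="mail.example.test"):
        self.secrets = secrets        # name -> shared secret (constructed sample)
        self.host = host
        self.issued = {}              # timestamp -> already used?

    def greeting(self, pid, clock):
        # The timestamp must differ for every connection; pid plus clock
        # gives that, and recording it lets apop() refuse anything else.
        ts = f"<{pid}.{clock}@{self.host}>"
        self.issued[ts] = False
        return f"+OK POP3 server ready {ts}"

    def apop(self, timestamp, name, digest):
        """Handle 'APOP name digest' for the connection that received timestamp."""
        # Unknown or reused timestamps are rejected before any secret is
        # touched: this is what stops a captured APOP line from being replayed.
        if self.issued.get(timestamp) is None or self.issued[timestamp]:
            return "-ERR permission denied"
        self.issued[timestamp] = True     # single use, whatever the outcome
        secret = self.secrets.get(name)
        expected = apop_digest(timestamp, secret) if secret is not None else ""
        # Constant-time compare; same error text for unknown user and bad digest
        # so the response does not reveal which accounts exist.
        if secret is None or not hmac.compare_digest(expected, digest):
            return "-ERR permission denied"
        return f"+OK maildrop locked for {name}"
```

   Note what APOP does and does not protect: the cleartext password never crosses the wire, and a recorded digest is useless against a server that enforces single-use timestamps, but the server must still hold the secret in a form it can hash with, so the secret store needs the same protection as a password file.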
$ PPTP
   (I) See: Point-to-Point Tunneling Protocol.

$ preauthorization
   (N) /PKI/ A CAW feature that enables certification requests to be automatically validated against data provided in advance to the CA by an authorizing entity.

$ precedence
   1. (I) /information system/ A ranking assigned to events or data objects that determines the relative order in which they are processed.

   2. (N) /communication system/ A designation assigned to a communication (i.e., packet, message, data stream, connection, etc.) by the originator to state the importance or urgency of that communication versus other communications, and thus indicate to the transmission system the relative order of handling, and indicate to the receiver the order in which the communication is to be noted. [F1037] (See: availability, critical, preemption.)

   Example: The "Precedence" subfield of the "Type of Service" field of the IPv4 header supports the following designations (in descending order of importance): 111 Network Control, 110 Internetwork Control, 101 CRITIC/ECP (Critical Intelligence Communication/Emergency Command Precedence), 100 Flash Override, 011 Flash, 010 Immediate, 001 Priority, and 000 Routine. These designations were adopted from U.S. DoD systems that existed before ARPANET.

$ preemption
   (N) The seizure, usually automatic, of system resources that are being used to serve a lower-precedence communication, in order to serve immediately a higher-precedence communication. [F1037]

$ Pretty Good Privacy(trademark) (PGP(trademark))
   (O) Trademarks of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet. (Compare: DKIM, MOSS, MSP, PEM, S/MIME.)

   Tutorial: PGP encrypts messages with a symmetric algorithm (originally, IDEA in CFB mode), distributes the symmetric keys by encrypting them with an asymmetric algorithm (originally, RSA), and creates digital signatures on messages with a cryptographic hash and an asymmetric encryption algorithm (originally, MD5 and RSA). To establish ownership of public keys, PGP depends on the "web of trust".
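   The "precedence" and "preemption" entries above describe a mechanism rather than a definition only: a transmission system reads the originator's precedence and, when it has no free capacity, seizes resources from a lower-precedence communication. The following is an added example, not code from this Glossary, that extracts the IPv4 Precedence subfield and models that preemption decision on a link of fixed capacity; the capacity and connection names are constructed.

```python
# Added example (not from RFC 4949): the IPv4 "Precedence" subfield read out
# of the Type of Service octet, and a link model that preempts a
# lower-precedence communication when a higher-precedence one arrives and no
# capacity is free. Capacity and connection identifiers are constructed.
PRECEDENCE_NAMES = {
    0b111: "Network Control", 0b110: "Internetwork Control", 0b101: "CRITIC/ECP",
    0b100: "Flash Override", 0b011: "Flash", 0b010: "Immediate",
    0b001: "Priority", 0b000: "Routine",
}


def precedence_of(tos):
    """The three high-order bits of the IPv4 Type of Service octet (RFC 791)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one octet")
    return tos >> 5


class PreemptiveLink:
    """A resource with fixed capacity that serves communications by precedence."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.active = {}        # comm_id -> precedence, in admission order
        self.log = []           # audit trail of admissions, preemptions, refusals

    def admit(self, comm_id, precedence):
        """Return ("admitted", preempted_id_or_None) or ("refused", None)."""
        if comm_id in self.active:
            raise ValueError(f"{comm_id} already active")
        if len(self.active) < self.capacity:
            self.active[comm_id] = precedence
            self.log.append(f"admit {comm_id} ({PRECEDENCE_NAMES[precedence]})")
            return ("admitted", None)
        # Full: choose the lowest-precedence active communication; among equals
        # the most recently admitted one, so long-running work is disturbed last.
        order = list(self.active)
        victim = min(order, key=lambda c: (self.active[c], -order.index(c)))
        if self.active[victim] >= precedence:
            # Equal precedence does not preempt: the newcomer is refused.
            self.log.append(f"refuse {comm_id} ({PRECEDENCE_NAMES[precedence]})")
            return ("refused", None)
        del self.active[victim]
        self.active[comm_id] = precedence
        self.log.append(f"preempt {victim} for {comm_id}")
        return ("admitted", victim)

    def release(self, comm_id):
        """Normal completion frees the capacity without any preemption."""
        self.active.pop(comm_id, None)
```

   Because the precedence bits are set by the originator, a system that honours them across a trust boundary hands untrusted senders a lever over whose traffic gets dropped; the audit log in the model is there so that preemptions can be reviewed for exactly that kind of abuse.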
$ prevention
   (I) See: secondary definition under "security".

$ primary account number (PAN)
   (O) /SET/ "The assigned number that identifies the card issuer and cardholder. This account number is composed of an issuer identification number, an individual account number identification, and an accompanying check digit as defined by ISO 7812-1985." [SET2, I7812] (See: bank identification number.)

   Tutorial: The PAN is embossed, encoded, or both on a magnetic-strip-based credit card. The PAN identifies the issuer to which a transaction is to be routed and the account to which it is to be applied unless specific instructions indicate otherwise. The authority that assigns the BIN part of the PAN is the American Bankers Association.

$ principal
   1. (I) A specific identity claimed by a user when accessing a system.

   Usage: Usually understood to be an identity that is registered in and authenticated by the system; equivalent to the notion of login account identifier. Each principal is normally assigned to a single user, but a single user may be assigned (or attempt to use) more than one principal. Each principal can spawn one or more subjects, but each subject is associated with only one principal. (Compare: role, subject, user.)

   2. (I) /Kerberos/ A uniquely identified (i.e., uniquely named) client or server instance that participates in a network communication.

$ priority
   (I) /information system/ Precedence for processing an event or data object, determined by security importance or other factors. (See: precedence.)

$ privacy
   1. (I) The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share its personal information with others. (See: HIPAA, personal information, Privacy Act of 1974. Compare: anonymity, data confidentiality.) [FP041]

   2. (O) "The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed." [I7498-2]

   3. (D) Synonym for "data confidentiality".

   Deprecated Definition: IDOCs SHOULD NOT use this term as a synonym for "data confidentiality" or "data confidentiality service", which are different concepts. Privacy is a reason for security rather than a kind of security. For example, a system that stores personal data needs to protect the data to prevent harm, embarrassment, inconvenience, or unfairness to any person about whom data is maintained, and to protect the person's privacy. For that reason, the system may need to provide data confidentiality service.

   Tutorial: The term "privacy" is used for various separate but related concepts, including bodily privacy, territorial privacy, personal information privacy, and communication privacy. IDOCs are expected to address only communication privacy, which in this Glossary is defined primarily by "data confidentiality" and secondarily by "data integrity". IDOCs are not expected to address information privacy, but this Glossary provides definition 1 for that concept because personal information privacy is often confused with communication privacy. IDOCs are not expected to address bodily privacy or territorial privacy, and this Glossary does not define those concepts because they are not easily confused with communication privacy.

$ Privacy Act of 1974
   (O) A U.S. Federal law (Section 552a of Title 5, United States Code) that seeks to balance the U.S. Government's need to maintain data about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal data. (See: privacy.)

   Tutorial: In 1974, the U.S. Congress was concerned with the potential for abuses that could arise from the Government's increasing use of computers to store and retrieve personal data. Therefore, the Act has four basic policy objectives:

   - To restrict disclosure of personally identifiable records maintained by Federal agencies.

   - To grant individuals increased rights of access to Federal agency records maintained on themselves.

   - To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete.

   - To establish a code of "fair information practices" that requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.
$ Privacy Enhanced Mail (PEM)
   (I) An Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail. [R1421, R1422] (Compare: DKIM, MOSS, MSP, PGP, S/MIME.)

   Tutorial: PEM encrypts messages with a symmetric algorithm (originally, DES in CBC mode), provides distribution for the symmetric keys by encrypting them with an asymmetric algorithm (originally, RSA), and signs messages with an asymmetric encryption algorithm over a cryptographic hash (originally, RSA over either MD2 or MD5). To establish ownership of public keys, PEM uses a certification hierarchy, with X.509 public-key certificates and X.509 CRLs that are signed with an asymmetric encryption algorithm over a cryptographic hash (originally, RSA over MD2). PEM is designed to be compatible with a wide range of key management methods, but is limited to specifying security services only for text messages and, like MOSS, has not been widely implemented in the Internet.

$ private component
   (I) Synonym for "private key".

   Deprecated Usage: In most cases, IDOCs SHOULD NOT use this term; instead, to avoid confusing readers, use "private key". However, the term MAY be used when discussing a key pair; e.g., "A key pair has a public component and a private component."

$ private extension
   (I) See: secondary definition under "extension".

$ private key
   1. (I) The secret component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair, public key, secret key.)

   2. (O) In a public key cryptosystem, "that key of a user's key pair which is known only by that user." [X509]

$ Private Line Interface (PLI)
   (I) The first end-to-end packet encryption system for a computer network, developed by BBN starting in 1975 for the U.S. DoD, incorporating U.S. Government-furnished, military-grade COMSEC equipment (TSEC/KG-34). [B1822] (Compare: IPLI.)
$ privilege
   1a. (I) /access control/ A synonym for "authorization". (See: authorization. Compare: permission.)

   1b. (I) /computer platform/ An authorization to perform a security-relevant function in the context of a computer's operating system.

$ privilege management infrastructure
   (O) "The infrastructure able to support the management of privileges in support of a comprehensive authorization service and in relationship with a" PKI; i.e., processes concerned with attribute certificates. [X509]

   Deprecated Usage: IDOCs SHOULD NOT use this term with this definition. This definition is vague, and there is no consensus on a more specific one.

$ privileged process
   (I) A computer process that is authorized (and, therefore, trusted) to perform some security-relevant functions that ordinary processes are not. (See: privilege, trusted process.)

$ privileged user
   (I) A user that has access to system control, monitoring, or administration functions. (See: privilege, /UNIX/ under "root", superuser, user.)

   Tutorial: Privileged users include the following types:

   - Users with near or complete control of a system, who are authorized to set up and administer user accounts, identifiers, and authentication information, or are authorized to assign or change other users' access to system resources.

   - Users that are authorized to change control parameters (e.g., network addresses, routing tables, processing priorities) on routers, multiplexers, and other important equipment.

   - Users that are authorized to monitor or perform troubleshooting for a system's security functions, typically using special tools and features that are not available to ordinary users.

$ probe
   (I) /verb/ A technique that attempts to access a system to learn something about the system. (See: port scan.)

   Tutorial: The purpose of a probe may be offensive, e.g., an attempt to gather information for circumventing the system's protections; or the purpose may be defensive, e.g., to verify that the system is working properly.
$ procedural security
   (D) Synonym for "administrative security".

   Deprecated Term: IDOCs SHOULD NOT use this term as a synonym for "administrative security". The term may be misleading because any type of security may involve procedures, and procedures may be either external to the system or internal. Instead, use "administrative security", "communication security", "computer security", "emanations security", "personnel security", "physical security", or whatever specific type is meant. (See: security architecture.)

$ profile
   See: certificate profile, protection profile.

$ proof-of-possession protocol
   (I) A protocol whereby a system entity proves to another that it possesses and controls a cryptographic key or other secret information. (See: zero-knowledge proof.)

$ proprietary
   (I) Refers to information (or other property) that is owned by an individual or organization and for which the use is restricted by that entity.

$ protected checksum
   (I) A checksum that is computed for a data object by means that protect against active attacks that would attempt to change the checksum to make it match changes made to the data object. (See: digital signature, keyed hash, Tutorial under "checksum".)

$ protective packaging
   (N) "Packaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use." [C4009] (See: tamper-evident, tamper-resistant. Compare: QUADRANT.)

$ protection authority
   (I) See: secondary definition under "Internet Protocol Security Option".

$ protection level
   (N) /U.S. Government/ An indication of the trust that is needed in a system's technical ability to enforce security policy for confidentiality. (Compare: /system operation/ under "mode of operation".)
Tutorial: An organization's security policy could define protection levels that are based on comparing (a) the sensitivity of information handled by a system to (b) the authorizations of users that receive information from the system without manual intervention and reliable human review. For each level, the policy could specify security features and assurances that must be included in any system that was intended to operate at that level. Example: Given some set of data objects that are classified at one or more hierarchical levels and in one or more non-hierarchical categories, the following table defines five protection levels for systems that would handle that data. Beginning with PL1 and evolving to PL5, each successive level would require stronger features and assurances to handle the dataset. (See: clearance, formal access approval, and need-to-know.) Lowest Clearance Formal Access Need-To-Know Among All Users Approval of Users of Users +-------------------+-------------------+-------------------+ PL5 | Some user has no | [Does not matter.]| [Does not matter.]| High | clearance at all. | | | +-------------------+-------------------+-------------------+ PL4 | All are cleared | [Does not matter.]| [Does not matter.]| | for some data. | | | +-------------------+-------------------+-------------------+ PL3 | All are cleared | Some not approved | [Does not matter.]| | for all data. | for all data. | | +-------------------+-------------------+-------------------+ PL2 | All are cleared | All are approved | Some don't need to| | for all data. | for all data. | to know all data. | +-------------------+-------------------+-------------------+ PL1 | All are cleared | All are approved | All have a need | Low | for all data. | for all data. | to know all data. 
| +-------------------+-------------------+-------------------+ Each of these protection levels can be viewed as being equivalent to one or more modes of system operation defined in this Glossary: - PL5 is equivalent to multilevel security mode. - PL4 is equivalent to either multilevel or compartmented security mode, depending on the details of users' clearances. - PL3 is equivalent to partitioned security mode. - PL2 is equivalent to system-high security mode. - PL1 is equivalent to dedicated security mode. $ protection profile (N) /Common Criteria/ An implementation-independent set of security requirements for a category of targets of evaluation that
meet specific consumer needs. [CCIB] Example: [IDSAN]. (See: target of evaluation. Compare: certificate profile, package.) Tutorial: A protection profile (PP) is the kind of document used by consumers to specify functional requirements they want in a product, and a security target (ST) is the kind of document used by vendors to make functional claims about a product. A PP is intended to be a reusable statement of product security needs, which are known to be useful and effective, for a set of information technology security products that could be built. A PP contains a set of security requirements, preferably taken from the catalogs in Parts 2 and 3 of the Common Criteria, and should include an EAL. A PP could be developed by user communities, product developers, or any other parties interested in defining a common set of requirements. $ protection ring (I) One of a hierarchy of privileged operation modes of a system that gives certain access rights to processes authorized to operate in that mode. (See: Multics.) $ protective distribution system (PDS) (N) A wireline or fiber-optic communication system used to transmit cleartext classified information through an area of lesser classification or control. [N7003] $ protocol 1a. (I) A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. Example: Internet Protocol. 1b. (I) A series of ordered computing and communication steps that are performed by two or more system entities to achieve a joint objective. [A9042] $ protocol control information (PCI) (N) See: secondary definition under "protocol data unit". $ protocol data unit (PDU) (N) A data packet that is defined for peer-to-peer transfers in a protocol layer. Tutorial: A PDU consists of two disjoint subsets of data: the SDU and the PCI. (Although these terms -- PDU, SDU, and PCI -- originated in the OSIRM, they are also useful and permissible in an IPS context.)
   - The "service data unit" (SDU) in a packet is data that the protocol transfers between peer protocol entities on behalf of the users of that layer's services. For Layers 1 through 6, the layer's users are peer protocol entities at a higher layer; for Layer 7, the users are application entities outside the scope of the OSIRM.
   - The "protocol control information" (PCI) in a packet is data that peer protocol entities exchange between themselves to control their joint operation of the layer.

$ protocol suite
   (I) A complementary collection of communication protocols used in a computer network. (See: IPS, OSI.)

$ proxy
   1. (I) A computer process that acts on behalf of a user or client.
   2. (I) A computer process -- often used as, or as part of, a firewall -- that relays application transactions or a protocol between client and server computer systems, by appearing to the client to be the server and appearing to the server to be the client. (See: SOCKS.)

   Tutorial: In a firewall, a proxy server usually runs on a bastion host, which may support proxies for several applications and protocols (e.g., FTP, HTTP, and TELNET). Instead of a client in the protected enclave connecting directly to an external server, the internal client connects to the proxy server, which in turn connects to the external server. The proxy server waits for a request from inside the firewall, forwards the request to the server outside the firewall, gets the response, then sends the response back to the client. The proxy may be transparent to the clients, or they may need to connect first to the proxy server, and then use that association to also initiate a connection to the real server. Proxies are generally preferred over SOCKS for their ability to perform caching, high-level logging, and access control.
   A proxy can provide security service beyond that which is normally part of the relayed protocol, such as access control based on peer entity authentication of clients, or peer entity authentication of servers when clients do not have that ability. A proxy at OSIRM Layer 7 can also provide finer-grained security service than can a filtering router at Layer 3. For example, an FTP proxy could permit transfers out of, but not into, a protected network.
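   The Layer 7 access control described in the proxy tutorial, as an added example that is not part of the glossary: a control-channel relay for FTP that forwards commands only when a policy permits them, refusing STOR/STOU/APPE (transfers into the protected network) while relaying RETR (transfers out). The command sets, reply texts, and the use of in-memory text streams in place of sockets are assumptions made for this example.

```python
"""Application-layer (OSIRM Layer 7) proxy policy for an FTP control channel.

Added example, not from the glossary. The proxy sits between an internal
client and an external server, sees every FTP command, and applies the
policy the glossary uses as its illustration: transfers out of the
protected network (RETR) are permitted, transfers into it (STOR, STOU,
APPE) are refused. The relay loop works on text file-like objects so it can
be exercised offline; on a bastion host they would be socket streams. The
command sets and reply texts are assumptions made for this example.
"""
import io
import logging
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

log = logging.getLogger("ftp-proxy")

# Commands that move data toward the protected network (assumed policy: refuse).
INBOUND_TRANSFER = {"STOR", "STOU", "APPE"}
# Commands that only navigate, read, or move data outward (assumed policy: relay).
OUTBOUND_OK = {"USER", "PASS", "PWD", "CWD", "LIST", "NLST", "TYPE",
               "PASV", "PORT", "RETR", "QUIT", "SYST", "FEAT", "NOOP"}


@dataclass
class ProxyPolicy:
    """Decides, per command line, whether the proxy relays it to the server."""
    user: Optional[str] = None          # peer entity the access decision is logged against
    denied: List[str] = field(default_factory=list)

    def decide(self, line: str) -> Tuple[bool, str]:
        """Return (relay?, reply the proxy itself sends when not relaying)."""
        parts = line.strip().split(None, 1)
        if not parts:
            return False, "500 Empty command.\r\n"
        verb = parts[0].upper()
        if verb == "USER" and len(parts) > 1:
            self.user = parts[1]
        if verb in INBOUND_TRANSFER:
            self.denied.append(verb)
            log.warning("denied %s for user %s", verb, self.user)
            return False, "550 Transfer into the protected network refused by proxy.\r\n"
        if verb in OUTBOUND_OK:
            log.info("relayed %s for user %s", verb, self.user)
            return True, ""
        self.denied.append(verb)                  # default deny for anything unknown
        return False, "502 Command not permitted through proxy.\r\n"


def relay_control_channel(client_in, client_out, server_in, server_out,
                          policy: ProxyPolicy) -> int:
    """Relay client commands under `policy`; return how many were forwarded.

    For each relayed command the proxy reads one server reply and passes it
    back, so the client only ever talks to the proxy. (A real proxy would
    also relay the server greeting and broker the data connections.)
    """
    relayed = 0
    while True:
        line = client_in.readline()
        if not line:
            break
        allow, reply = policy.decide(line)
        if allow:
            server_out.write(line)
            client_out.write(server_in.readline())
            relayed += 1
        else:
            client_out.write(reply)
    return relayed


def run_demo() -> Tuple[int, List[str], str, str]:
    """Constructed session: returns (relayed, denied verbs, what client saw, what server saw)."""
    client_cmds = io.StringIO("USER alice\r\nRETR report.txt\r\nSTOR upload.bin\r\nQUIT\r\n")
    server_replies = io.StringIO("331 Password required.\r\n"
                                 "150 Opening data connection.\r\n"
                                 "221 Goodbye.\r\n")
    to_client, to_server = io.StringIO(), io.StringIO()
    policy = ProxyPolicy()
    n = relay_control_channel(client_cmds, to_client, server_replies, to_server, policy)
    return n, policy.denied, to_client.getvalue(), to_server.getvalue()
```

   The point of the default-deny branch is that a Layer 7 proxy can reason about the protocol verb, which a Layer 3 filtering router cannot; the same structure carries over to HTTP (method and path) or any other relayed protocol.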
$ proxy certificate
   (I) An X.509 public-key certificate derived from an end-entity certificate, or from another proxy certificate, for the purpose of establishing proxies and delegating authorizations in the context of a PKI-based authentication system. [R3820]

   Tutorial: A proxy certificate has the following properties:
   - It contains a critical extension that (a) identifies it as a proxy certificate and (b) may contain a certification path length constraint and policy constraints.
   - It contains the public component of a key pair that is distinct from that associated with any other certificate.
   - It is signed by the private component of a key pair that is associated with an end-entity certificate or another proxy certificate.
   - Its associated private key can be used to sign only other proxy certificates (not end-entity certificates).
   - Its "subject" DN is derived from its "issuer" DN and is unique.
   - Its "issuer" DN is the "subject" DN of an end-entity certificate or another proxy certificate.

$ pseudorandom
   (I) A sequence of values that appears to be random (i.e., unpredictable) but is actually generated by a deterministic algorithm. (See: compression, random, random number generator.)

$ pseudorandom number generator
   (I) See: secondary definition under "random number generator".

$ public component
   (I) Synonym for "public key". Deprecated Usage: In most cases, IDOCs SHOULD NOT use this term; to avoid confusing readers, use "public key" instead. However, the term MAY be used when discussing a key pair; e.g., "A key pair has a public component and a private component."

$ public key
   1. (I) The publicly disclosable component of a pair of cryptographic keys used for asymmetric cryptography. (See: key pair. Compare: private key.)
   2. (O) In a public key cryptosystem, "that key of a user's key pair which is publicly known." [X509]
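   The properties listed in the proxy certificate tutorial above, turned into a chain checker, as an added example that is not part of the glossary. Certificates are modelled as plain records rather than parsed X.509, and the key-pair and signature relations are represented by key identifiers; the naming rule used (subject DN = issuer DN plus exactly one appended CN) and the path-length semantics follow RFC 3820, and the sample DNs and key ids are constructed.

```python
"""Check the structural properties of a proxy-certificate chain (RFC 3820 style).

Added example, not from the glossary. Certificates are modelled as plain
records rather than parsed X.509 DER, so the checks can run offline; a real
validator would read the same fields from the ProxyCertInfo extension and
the certificate's subject/issuer names, and would verify the signatures.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str            # DN, e.g. "C=US,O=Example,CN=alice"
    issuer: str             # DN of the signing certificate's subject
    key_id: str             # identifies this certificate's public key
    signer_key_id: str      # key that produced the signature
    is_proxy: bool          # critical ProxyCertInfo extension present
    path_len: Optional[int] = None  # pCPathLenConstraint, if any


def _single_cn_appended(issuer: str, subject: str) -> bool:
    """RFC 3820: subject MUST be the issuer name with exactly one CN component appended."""
    if not subject.startswith(issuer + ","):
        return False
    tail = subject[len(issuer) + 1:]
    return tail.startswith("CN=") and "," not in tail


def validate_proxy_chain(chain: List[Cert]) -> List[str]:
    """Return violations for chain[0] (end entity) ... chain[-1] (deepest proxy).

    An empty list means every property listed in the glossary holds.
    """
    problems: List[str] = []
    if not chain or chain[0].is_proxy:
        return ["chain must start with a non-proxy end-entity certificate"]
    seen_keys = {chain[0].key_id}
    seen_subjects = {chain[0].subject}
    remaining: Optional[int] = None          # proxies still allowed below this point
    for depth in range(1, len(chain)):
        cert, parent = chain[depth], chain[depth - 1]
        where = f"proxy #{depth} ({cert.subject})"
        if not cert.is_proxy:                 # a proxy key may sign only proxy certs
            problems.append(f"{where}: lacks the critical proxy extension")
        if cert.issuer != parent.subject:
            problems.append(f"{where}: issuer DN is not the parent's subject DN")
        if cert.signer_key_id != parent.key_id:
            problems.append(f"{where}: not signed by the parent's private key")
        if cert.key_id in seen_keys:
            problems.append(f"{where}: key pair reused from another certificate")
        if cert.subject in seen_subjects:
            problems.append(f"{where}: subject DN is not unique in the chain")
        if not _single_cn_appended(parent.subject, cert.subject):
            problems.append(f"{where}: subject DN is not issuer DN plus one CN")
        if remaining is not None and remaining <= 0:
            problems.append(f"{where}: exceeds an ancestor's path length constraint")
        # Tighten the remaining depth: inherit from above, then apply this cert's own limit.
        remaining = None if remaining is None else remaining - 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
        seen_keys.add(cert.key_id)
        seen_subjects.add(cert.subject)
    return problems


def example_chain() -> List[Cert]:
    """Constructed end-entity certificate plus two proxies with the required structure."""
    ee = Cert("C=US,O=Example,CN=alice", "C=US,O=Example CA", "k0", "kca", False)
    p1 = Cert(ee.subject + ",CN=proxy-1", ee.subject, "k1", "k0", True, path_len=1)
    p2 = Cert(p1.subject + ",CN=proxy-2", p1.subject, "k2", "k1", True)
    return [ee, p1, p2]
```

   A pCPathLenConstraint of 0 on a proxy means it may not sign any further proxy certificate; the checker carries the tightest constraint seen so far down the chain, which is why a third proxy under the sample chain is rejected.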
$ public-key certificate
   1. (I) A digital certificate that binds a system entity's identifier to a public key value, and possibly to additional, secondary data items; i.e., a digitally signed data structure that attests to the ownership of a public key. (See: X.509 public-key certificate.)
   2. (O) "The public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it." [X509]

   Tutorial: The digital signature on a public-key certificate is unforgeable. Thus, the certificate can be published, such as by posting it in a directory, without the directory having to protect the certificate's data integrity.

$ public-key cryptography
   (I) Synonym for "asymmetric cryptography".

$ Public-Key Cryptography Standards (PKCS)
   (N) A series of specifications published by RSA Laboratories for data structures and algorithms used in basic applications of asymmetric cryptography. [PKCS] (See: PKCS #5 through PKCS #11.)

   Tutorial: The PKCS were begun in 1991 in cooperation with industry and academia, originally including Apple, Digital, Lotus, Microsoft, Northern Telecom, Sun, and MIT. Today, the specifications are widely used, but they are not sanctioned by an official standards organization, such as ANSI, ITU-T, or IETF. RSA Laboratories retains sole decision-making authority over the PKCS.

$ public-key forward secrecy (PFS)
   (I) For a key-agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. (See: Usage note and other discussion under "perfect forward secrecy".)

$ public-key Kerberos
   (I) See: Tutorial under "Kerberos", PKINIT.

$ public-key infrastructure (PKI)
   1. (I) A system of CAs (and, optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography. (See: hierarchical PKI, mesh PKI, security management infrastructure, trust-file PKI.)
   2. (I) /PKIX/ The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

   Tutorial: The core PKI functions are (a) to register users and issue their public-key certificates, (b) to revoke certificates when required, and (c) to archive data needed to validate certificates at a much later time. Key pairs for data confidentiality may be generated (and perhaps escrowed) by CAs or RAs, but requiring a PKI client to generate its own digital signature key pair helps maintain system integrity of the cryptographic system, because then only the client ever possesses the private key it uses. Also, an authority may be established to approve or coordinate CPSs, which are security policies under which components of a PKI operate.

   A number of other servers and agents may support the core PKI, and PKI clients may obtain services from them, such as certificate validation services. The full range of such services is not yet fully understood and is evolving, but supporting roles may include archive agent, certified delivery agent, confirmation agent, digital notary, directory, key escrow agent, key generation agent, naming agent who ensures that issuers and subjects have unique identifiers within the PKI, repository, ticket-granting agent, time-stamp agent, and validation agent.

$ purge
   1. (I) Synonym for "erase".
   2. (O) /U.S. Government/ Use degaussing or other methods to render magnetically stored data unusable and irrecoverable by any means, including laboratory methods. [C4009] (Compare: /U.S. Government/ erase.)

$ QUADRANT
   (O) /U.S. Government/ Short name for technology and methods that protect cryptographic equipment by making the equipment tamper-resistant. [C4009] (Compare: protective packaging, TEMPEST.)

   Tutorial: Equipment cannot be made completely tamper-proof, but it can be made tamper-resistant or tamper-evident.
$ qualified certificate
   (I) A public-key certificate that has the primary purpose of identifying a person with a high level of assurance, where the certificate meets some qualification requirements defined by an applicable legal framework, such as the European Directive on Electronic Signature. [R3739]
$ quick mode
   (I) See: /IKE/ under "mode".

$ RA
   (I) See: registration authority.

$ RA domains
   (I) A feature of a CAW that allows a CA to divide the responsibility for certificate requests among multiple RAs.

   Tutorial: This ability might be used to restrict access to private authorization data that is provided with a certificate request, and to distribute the responsibility to review and approve certificate requests in high-volume environments. RA domains might segregate certificate requests according to an attribute of the certificate's subject, such as an organizational unit.

$ RADIUS
   (I) See: Remote Authentication Dial-In User Service.

$ Rainbow Series
   (O) /COMPUSEC/ A set of more than 30 technical and policy documents with colored covers, issued by the NCSC, that discuss in detail the TCSEC and provide guidance for meeting and applying the criteria. (See: Green Book, Orange Book, Red Book, Yellow Book.)

$ random
   (I) In essence, "random" means "unpredictable". [SP22, Knut, R4086] (See: cryptographic key, pseudorandom.)
   - "Random sequence": A sequence in which each successive value is obtained merely by chance and does not depend on the preceding values of the sequence. In a random sequence of bits, each bit is unpredictable; i.e., (a) the probability of each bit being a "0" or "1" is 1/2, and (b) the value of each bit is independent of any other bit in the sequence.
   - "Random value": An individual value that is unpredictable; i.e., each value in the total population of possibilities has equal probability of being selected.

$ random number generator
   (I) A process that is invoked to generate a random sequence of values (usually a sequence of bits) or an individual random value.

   Tutorial: There are two basic types of generators. [SP22]
   - "(True) random number generator": It uses one or more non-deterministic bit sources (e.g., electrical circuit noise, timing of human processes such as key strokes or mouse movements, semiconductor quantum effects, and other physical
     phenomena) and a processing function that formats the bits, and it outputs a sequence of values that is unpredictable and uniformly distributed.
   - "Pseudorandom number generator": It uses a deterministic computational process (usually implemented by software) that has one or more inputs called "seeds", and it outputs a sequence of values that appears to be random according to specified statistical tests.

$ RBAC
   (N) See: role-based access control, rule-based access control. Deprecated Usage: IDOCs that use this term SHOULD state a definition for it because the abbreviation is ambiguous.

$ RC2, RC4, RC6
   (N) See: Rivest Cipher #2, #4, #6.

$ read
   (I) /security model/ A system operation that causes a flow of information from an object to a subject. (See: access mode. Compare: write.)

$ realm
   (I) /Kerberos/ A domain consisting of a set of Kerberized clients, Kerberized application servers, and one or more Kerberos authentication servers and ticket-granting servers that support the clients and applications, all operating under the same security policy. (See: domain.)

$ recovery
   1. (I) /cryptography/ The process of learning or obtaining cryptographic data or plain text through cryptanalysis. (See: key recovery, data recovery.)
   2a. (I) /system integrity/ The process of restoring a secure state in a system after there has been an accidental failure or a successful attack. (See: secondary definition under "security", system integrity.)
   2b. (I) /system integrity/ The process of restoring an information system's assets and operation following damage or destruction. (See: contingency plan.)

$ RED
   1. (N) Designation for data that consists only of clear text, and for information system equipment items and facilities that handle
   clear text. Example: "RED key". (See: BCR, color change, RED/BLACK separation. Compare: BLACK.) Derivation: From the practice of marking equipment with colors to prevent operational errors.
   2. (O) /U.S. Government/ Designation applied to information systems, and to associated areas, circuits, components, and equipment, "in which unencrypted national security information is being processed." [C4009]

$ RED/BLACK separation
   (N) An architectural concept for cryptographic systems that strictly separates the parts of a system that handle plain text (i.e., RED information) from the parts that handle cipher text (i.e., BLACK information). (See: BLACK, RED.)

$ Red Book
   (D) /slang/ Synonym for "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria" [NCS05]. Deprecated Term: IDOCs SHOULD NOT use this term. Instead, use the full proper name of the document or, in subsequent references, a more conventional abbreviation, e.g., TNI-TCSEC. (See: TCSEC, Rainbow Series, Deprecated Usage under "Green Book".)

$ RED key
   (N) A cleartext key, which is usable in its present form (i.e., it does not need to be decrypted before being used). (See: RED. Compare: BLACK key.)

$ reference monitor
   (I) "An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects." [NCS04] (See: security kernel.)

   Tutorial: This concept was described in the Anderson report. A reference monitor should be (a) complete (i.e., it mediates every access), (b) isolated (i.e., it cannot be modified by other system entities), and (c) verifiable (i.e., small enough to be subjected to analysis and tests to ensure that it is correct).

$ reflection attack
   (I) An attack in which a valid data transmission is replayed to the originator by an attacker who intercepts the original transmission. (Compare: indirect attack, replay attack.)
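   The two generator types from the "random number generator" tutorial above, and the predictability that the "pseudorandom" entry warns about, as an added example that is not part of the glossary. It seeds a deterministic generator twice to show that the same seed reproduces the same bits, draws the same number of bits from the operating system's cryptographic source, and runs the NIST SP 800-22 frequency (monobit) test over each; Python's Mersenne Twister is used as the stand-in pseudorandom generator and is an assumption of the example, not a recommendation for key material.

```python
"""Pseudorandom versus random output, with a first statistical check.

Added example, not from the glossary. A deterministic generator seeded
with the same value reproduces the same sequence, which is exactly why
pseudorandom output is predictable to anyone who knows the seed; a
cryptographic source (the secrets module over os.urandom) draws on the
operating system's entropy pool instead. The frequency (monobit) test is
the first test of NIST SP 800-22; it cannot prove randomness but does
catch gross bias.
"""
import math
import random
import secrets
from typing import List


def prng_bits(seed: int, n: int) -> List[int]:
    """n bits from Python's Mersenne Twister, seeded deterministically (never use for keys)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def trng_bits(n: int) -> List[int]:
    """n bits from the OS cryptographic source via the secrets module."""
    return [secrets.randbits(1) for _ in range(n)]


def monobit_p_value(bits: List[int]) -> float:
    """NIST SP 800-22 frequency test: p-value for the hypothesis 'unbiased bits'.

    S = sum over bits of (+1 for 1, -1 for 0); s_obs = |S| / sqrt(n);
    p = erfc(s_obs / sqrt(2)). Conventionally p < 0.01 means the sequence fails.
    """
    n = len(bits)
    if n == 0:
        raise ValueError("empty sequence")
    s = sum(1 if b else -1 for b in bits)
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def same_seed_same_sequence(seed: int, n: int = 256) -> bool:
    """Demonstrates determinism: two generators with one seed agree bit for bit."""
    return prng_bits(seed, n) == prng_bits(seed, n)


if __name__ == "__main__":
    print("seed 1234 reproducible:", same_seed_same_sequence(1234))
    print("monobit p (PRNG, seed 1234):", monobit_p_value(prng_bits(1234, 10_000)))
    print("monobit p (OS source):", monobit_p_value(trng_bits(10_000)))
    print("monobit p (all zeros):", monobit_p_value([0] * 10_000))
```

   Both the seeded generator and the OS source will normally pass the monobit test, which is the lesson: passing statistical tests is what "appears to be random" means, and it says nothing about whether the next bit can be predicted by someone who knows the seed.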
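   The reference monitor properties from the tutorial above (complete, isolated, verifiable), applied to the "read" operation defined earlier and its write counterpart, as an added example that is not part of the glossary. Every access passes through one method, the object table is private to the monitor, and the whole thing is short enough to review; the lattice rule (a read requires the subject's clearance to dominate the object's classification, a write the reverse), the level names, the regrade rule (only a subject cleared for both the old and the new level may regrade, and the act is audited), and the sample subjects and objects are all assumptions made for this example.

```python
"""A reference monitor mediating "read" and "write" under a hierarchical policy.

Added example, not from the glossary. Every access goes through one method
(complete mediation); the object table is private to the monitor and is
only reachable through that method (isolation); and the code is short
enough to review (verifiability). The policy is the usual lattice rule:
"read" (information flows object -> subject, per the glossary) requires the
subject's clearance to dominate the object's classification, and "write"
requires the reverse. Level names, the regrade rule and the sample data are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


class ReferenceMonitor:
    def __init__(self, objects: Dict[str, str]):
        # object name -> classification; copied so callers keep no handle to it
        self._objects = dict(objects)
        self.audit: List[Tuple[str, str, str, bool]] = []

    @staticmethod
    def _dominates(higher: str, lower: str) -> bool:
        return LEVELS[higher] >= LEVELS[lower]

    def access(self, subject: Subject, obj: str, mode: str) -> bool:
        """The single choke point: decide, record, and only then answer."""
        level = self._objects.get(obj)
        if level is None:
            allowed = False
        elif mode == "read":      # information flows object -> subject: no read up
            allowed = self._dominates(subject.clearance, level)
        elif mode == "write":     # information flows subject -> object: no write down
            allowed = self._dominates(level, subject.clearance)
        else:
            allowed = False       # unknown modes are denied, never passed through
        self.audit.append((subject.name, obj, mode, allowed))
        return allowed

    def regrade(self, authority: Subject, obj: str, new_level: str) -> bool:
        """Authorized change of an object's level (glossary: "regrade"), audited like any access."""
        old = self._objects.get(obj)
        ok = (old is not None and new_level in LEVELS
              and self._dominates(authority.clearance, old)
              and self._dominates(authority.clearance, new_level))
        self.audit.append((authority.name, obj, f"regrade->{new_level}", ok))
        if ok:
            self._objects[obj] = new_level
        return ok

    def classification(self, obj: str) -> Optional[str]:
        return self._objects.get(obj)


def demo() -> List[Tuple[str, str, str, bool]]:
    """Constructed scenario; returns the audit trail produced by the monitor."""
    rm = ReferenceMonitor({"plan.doc": "SECRET", "notice.txt": "UNCLASSIFIED"})
    analyst = Subject("analyst", "SECRET")
    clerk = Subject("clerk", "CONFIDENTIAL")
    officer = Subject("officer", "TOP SECRET")
    rm.access(analyst, "plan.doc", "read")           # allowed: SECRET dominates SECRET
    rm.access(clerk, "plan.doc", "read")             # denied: read up
    rm.access(analyst, "notice.txt", "write")        # denied: write down
    rm.regrade(officer, "plan.doc", "CONFIDENTIAL")  # authorized downgrade
    rm.access(clerk, "plan.doc", "read")             # now allowed
    return rm.audit
```

   The audit list is what makes denied accesses visible to a security operations team; a monitor that only said "no" without recording it would satisfy the policy but not the accountability the surrounding entries ask for.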
$ reflector attack
   (D) Synonym for "indirect attack". Deprecated Term: IDOCs SHOULD NOT use this term; it could be confused with "reflection attack", which is a different concept.

$ registered user
   (I) A system entity that is authorized to receive a system's products and services or otherwise access system resources. (See: registration, user.)

$ registration
   1. (I) /information system/ A system process that (a) initializes an identity (of a system entity) in the system, (b) establishes an identifier for that identity, (c) may associate authentication information with that identifier, and (d) may issue an identifier credential (depending on the type of authentication mechanism being used). (See: authentication information, credential, identifier, identity, identity proofing.)
   2. (I) /PKI/ An administrative act or process whereby an entity's name and other attributes are established for the first time at a CA, prior to the CA issuing a digital certificate that has the entity's name as the subject. (See: registration authority.)

   Tutorial: Registration may be accomplished either directly, by the CA, or indirectly, by a separate RA. An entity is presented to the CA or RA, and the authority either records the name(s) claimed for the entity or assigns the entity's name(s). The authority also determines and records other attributes of the entity that are to be bound in a certificate (such as a public key or authorizations) or maintained in the authority's database (such as street address and telephone number). The authority is responsible, possibly assisted by an RA, for verifying the entity's identity and vetting the other attributes, in accordance with the CA's CPS. Among the registration issues that a CPS may address are the following [R3647]:
   - How a claimed identity and other attributes are verified.
   - How organization affiliation or representation is verified.
   - What forms of names are permitted, such as X.500 DN, domain name, or IP address.
   - Whether names are required to be meaningful or unique, and within what domain.
   - How naming disputes are resolved, including the role of trademarks.
   - Whether certificates are issued to entities that are not persons.
   - Whether a person is required to appear before the CA or RA, or can instead be represented by an agent.
   - Whether and how an entity proves possession of the private key matching a public key.

$ registration authority (RA)
   1. (I) An optional PKI entity (separate from the CAs) that does not sign either digital certificates or CRLs but has responsibility for recording or verifying some or all of the information (particularly the identities of subjects) needed by a CA to issue certificates and CRLs and to perform other certificate management functions. (See: ORA, registration.)
   2. (I) /PKIX/ An optional PKI component, separate from the CA(s). The functions that the RA performs will vary from case to case but may include identity authentication and name assignment, key generation and archiving of key pairs, token distribution, and revocation reporting. [R4210]

   Tutorial: Sometimes, a CA may perform all certificate management functions for all end users for which the CA signs certificates. Other times, such as in a large or geographically dispersed community, it may be necessary or desirable to offload secondary CA functions and delegate them to an assistant, while the CA retains the primary functions (signing certificates and CRLs). The tasks that are delegated to an RA by a CA may include personal authentication, name assignment, token distribution, revocation reporting, key generation, and archiving.

   An RA is an optional PKI entity, separate from the CA, that is assigned secondary functions. The duties assigned to RAs vary from case to case but may include the following:
   - Verifying a subject's identity, i.e., performing personal authentication functions.
   - Assigning a name to a subject. (See: distinguished name.)
   - Verifying that a subject is entitled to have the attributes requested for a certificate.
   - Verifying that a subject possesses the private key that matches the public key requested for a certificate.
   - Performing functions beyond mere registration, such as generating key pairs, distributing tokens, handling revocation reports, and archiving data. (Such functions may be assigned to a PKI component that is separate from both the CA and the RA.)
   3. (O) /SET/ "An independent third-party organization that processes payment card applications for multiple payment card brands and forwards applications to the appropriate financial institutions." [SET2]
$ regrade
   (I) Deliberately change the security level (especially the hierarchical classification level) of information in an authorized manner. (See: downgrade, upgrade.)

$ rekey
   (I) Change the value of a cryptographic key that is being used in an application of a cryptographic system. (See: certificate rekey.)

   Tutorial: Rekey is required at the end of a cryptoperiod or key lifetime.

$ reliability
   (I) The ability of a system to perform a required function under stated conditions for a specified period of time. (Compare: availability, survivability.)

$ reliable human review
   (I) Any manual, automated, or hybrid process or procedure that ensures that a human examines a digital object, such as text or an image, to determine whether the object may be permitted, according to some security policy, to be transferred across a controlled interface. (See: guard.)

$ relying party
   (I) Synonym for "certificate user". Usage: Used in a legal context to mean a recipient of a certificate who acts in reliance on that certificate. (See: ABA Guidelines.)

$ remanence
   (I) Residual information that can be recovered from a storage medium after clearing. (See: clear, magnetic remanence, purge.)

$ Remote Authentication Dial-In User Service (RADIUS)
   (I) An Internet protocol [R2865] for carrying dial-in users' authentication information and configuration information between a shared, centralized authentication server (the RADIUS server) and a network access server (the RADIUS client) that needs to authenticate the users of its network access ports. (See: TACACS.) A user presents authentication and possibly other information to the RADIUS client (e.g., health information regarding the user device).
   Tutorial: A user presents authentication information and possibly other information to the RADIUS client, and the client passes that information to the RADIUS server. The server authenticates the client using a shared secret value and checks the presented information, and then returns to the client all authorization and configuration information needed by the client to serve the user.

$ renew
   See: certificate renewal.

$ reordering
   (I) /packet/ See: secondary definition under "stream integrity service".

$ replay attack
   (I) An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by a third party who intercepts the data and retransmits it, possibly as part of a masquerade attack. (See: active wiretapping, fresh, liveness, nonce. Compare: indirect attack, reflection attack.)

$ repository
   1. (I) A system for storing and distributing digital certificates and related information (including CRLs, CPSs, and certificate policies) to certificate users. (Compare: archive, directory.)
   2. (O) "A trustworthy system for storing and retrieving certificates or other information relevant to certificates." [DSG]

   Tutorial: A certificate is published to those who might need it by putting it in a repository. The repository usually is a publicly accessible, on-line server. In the FPKI, for example, the expected repository is a directory that uses LDAP, but also may be an X.500 Directory that uses DAP, or an HTTP server, or an FTP server that permits anonymous login.

$ repudiation
   1. (I) Denial by a system entity that was involved in an association (especially a communication association that transfers data) of having participated in the relationship. (See: accountability, non-repudiation service.)
   2. (I) A type of threat action whereby an entity deceives another by falsely denying responsibility for an act. (See: deception.)
   Usage: This type of threat action includes the following subtypes:
   - False denial of origin: Action whereby an originator denies responsibility for sending data.
   - False denial of receipt: Action whereby a recipient denies receiving and possessing data.
   3. (O) /OSIRM/ "Denial by one of the entities involved in a communication of having participated in all or part of the communication." [I7498-2]

$ Request for Comment (RFC)
   1. (I) One of the documents in the archival series that is the official channel for IDOCs and other publications of the Internet Engineering Steering Group, the Internet Architecture Board, and the Internet community in general. (RFC 2026, 2223) (See: Internet Standard.)
   2. (D) A popularly misused synonym for a document on the Internet Standards Track, i.e., an Internet Standard, Draft Standard, or Proposed Standard. (See: Internet Standard.) Deprecated Definition: IDOCs SHOULD NOT use this term with definition 2 because many other types of documents also are published as RFCs.

$ residual risk
   (I) The portion of an original risk or set of risks that remains after countermeasures have been applied. (Compare: acceptable risk, risk analysis.)

$ restore
   See: card restore.

$ reverse engineering
   (I) /threat action/ See: secondary definition under "intrusion".

$ revocation
   See: certificate revocation.

$ revocation date
   (N) /X.509/ In a CRL entry, a date-time field that states when the certificate revocation occurred, i.e., when the CA declared the digital certificate to be invalid. (See: invalidity date.)

   Tutorial: The revocation date may not resolve some disputes because, in the worst case, all signatures made during the validity period of the certificate may have to be considered invalid. However, it may be desirable to treat a digital signature
   as valid even though the private key used to sign was compromised after the signing. If more is known about when the compromise actually occurred, a second date-time, an "invalidity date", can be included in an extension of the CRL entry.

$ revocation list
   See: certificate revocation list.

$ revoke
   (I) See: certificate revocation.

$ RFC
   (I) See: Request for Comment.

$ Rijndael
   (N) A symmetric block cipher that was designed by Joan Daemen and Vincent Rijmen as a candidate for the AES, and that won that competition. [Daem] (See: Advanced Encryption Standard.)

$ risk
   1. (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (See: residual risk.)
   2. (O) /SET/ "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]

   Tutorial: There are four basic ways to deal with a risk [SP30]:
   - "Risk avoidance": Eliminate the risk by either countering the threat or removing the vulnerability. (Compare: "avoidance" under "security".)
   - "Risk transference": Shift the risk to another system or entity; e.g., buy insurance to compensate for potential loss.
   - "Risk limitation": Limit the risk by implementing controls that minimize resulting loss.
   - "Risk assumption": Accept the potential for loss and continue operating the system.

$ risk analysis
   (I) An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.)
   Tutorial: Usually, it is financially and technically infeasible to avoid or transfer all risks (see: "first corollary" of "second law" under "Courtney's laws"), and some residual risks will remain, even after all available countermeasures have been deployed (see: "second corollary" of "second law" under "Courtney's laws"). Thus, a risk analysis typically lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first. [FP031, R2196]

   In some contexts, it is infeasible or inadvisable to attempt a complete or quantitative risk analysis because needed data, time, and expertise are not available. Instead, basic answers to questions about threats and risks may be already built into institutional security policies. For example, U.S. DoD policies for data confidentiality "do not explicitly itemize the range of expected threats" but instead "reflect an operational approach ... by stating the particular management controls that must be used to achieve [confidentiality] ... Thus, they avoid listing threats, which would represent a severe risk in itself, and avoid the risk of poor security design implicit in taking a fresh approach to each new problem". [NRC91]

$ risk assumption
   (I) See: secondary definition under "risk".

$ risk avoidance
   (I) See: secondary definition under "risk".

$ risk limitation
   (I) See: secondary definition under "risk".

$ risk management
   1. (I) The process of identifying, measuring, and controlling (i.e., mitigating) risks in information systems so as to reduce the risks to a level commensurate with the value of the assets protected. (See: risk analysis.)
   2. (I) The process of controlling uncertain events that may affect information system resources.
   3. (O) "The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards.
   This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws." [SP30]
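   The quantitative procedure from the "risk analysis" definition and tutorial above, carried through on constructed figures, as an added example that is not part of the glossary: (a) list resources and threats, (b) quantify each loss exposure as estimated annual frequency times cost per occurrence (the usual annualized loss expectancy), and (c) allocate a countermeasure budget where it removes the most exposure per unit cost, reporting the residual risk that remains. The greedy allocation rule, the "not worth buying" cut-off, and all the sample risks, costs and frequencies are assumptions made for this example.

```python
"""Quantitative risk analysis: rank exposures, then allocate countermeasures.

Added example, not from the glossary. It follows the three steps of the
glossary's risk analysis definition: (a) list resources and threats,
(b) quantify loss exposure as estimated annual frequency x cost per
occurrence (annualized loss expectancy), (c) choose countermeasures by
exposure reduced per unit cost within a budget, and report the residual
risk. All figures and the greedy rule are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str                 # threat acting on a resource
    frequency: float          # estimated occurrences per year
    cost: float               # estimated loss per occurrence

    @property
    def exposure(self) -> float:
        """Annualized loss expectancy = frequency * cost."""
        return self.frequency * self.cost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    risk: str                 # which Risk.name it addresses
    cost: float               # annual cost to operate
    reduction: float          # fraction of that risk's exposure removed (0..1)


def rank_risks(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Step (b): risks ordered by exposure, highest first, i.e. where to act first."""
    return sorted(((r.name, r.exposure) for r in risks), key=lambda t: -t[1])


def allocate(risks: List[Risk], options: List[Countermeasure],
             budget: float) -> Tuple[List[str], float, float]:
    """Step (c): greedy allocation, best exposure-reduction-per-cost first.

    Returns (chosen countermeasure names, total exposure before, residual exposure after).
    A countermeasure that costs more than the loss it prevents is never bought.
    """
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    total = sum(r.exposure for r in risks)
    residual = {r.name: r.exposure for r in risks}
    chosen: List[str] = []
    remaining = budget
    scored = sorted(options,
                    key=lambda c: -(by_name[c.risk].exposure * c.reduction / c.cost))
    for c in scored:
        if c.cost > remaining:
            continue
        saved = residual[c.risk] * c.reduction   # applies to what is left of that risk
        if saved <= c.cost:
            continue                             # not worth buying
        residual[c.risk] -= saved
        remaining -= c.cost
        chosen.append(c.name)
    return chosen, total, sum(residual.values())


def sample_analysis() -> Tuple[List[Tuple[str, float]], Tuple[List[str], float, float]]:
    """Constructed inputs: three risks, three candidate countermeasures, one budget."""
    risks = [
        Risk("ransomware on file server", frequency=0.5, cost=200_000),
        Risk("lost laptop", frequency=2, cost=5_000),
        Risk("web defacement", frequency=1, cost=20_000),
    ]
    options = [
        Countermeasure("offline backups", "ransomware on file server", 15_000, 0.7),
        Countermeasure("disk encryption", "lost laptop", 2_000, 0.9),
        Countermeasure("web application firewall", "web defacement", 30_000, 0.5),
    ]
    return rank_risks(risks), allocate(risks, options, budget=20_000)
```

   The residual figure is the "residual risk" of the neighbouring entry: what remains after the affordable, cost-justified countermeasures are applied, and therefore what the organisation is choosing to assume.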
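   The shared-secret steps in the RADIUS tutorial above, and the replay rejection that the "replay attack" entry's cross-references (fresh, liveness, nonce) point to, as an added example that is not part of the glossary. It implements the two RFC 2865 computations a RADIUS client and server perform with the shared secret: hiding the User-Password attribute, and computing the Response Authenticator that lets the client authenticate the server's answer. The client remembers the fresh Request Authenticator of each outstanding request and discards it once answered, so a captured Access-Accept replayed later is rejected. MD5 appears because the protocol specifies it; the packet contents and the secret are constructed for the example.

```python
"""RADIUS shared-secret authentication and rejection of replayed responses.

Added example, not from the glossary. It implements the two shared-secret
computations of RFC 2865 that the RADIUS tutorial alludes to:
  - User-Password hiding: the password is XORed with an MD5 keystream
    derived from the shared secret and the Request Authenticator;
  - Response Authenticator: MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret), which lets the client authenticate the server.
The client keeps the Request Authenticator (a fresh 16-octet random value)
of every outstanding request, so a response replayed later, or one answering
a different request, fails verification. MD5 is what the protocol specifies.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attribute = Type (1 octet) + Length (1 octet, incl. header) + Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the keystream chains on the received blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code, Identifier, Length (big-endian, whole packet), Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.pack("!H", 20 + len(attrs))
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


class RadiusClient:
    """Network access server side: issues requests, accepts each response at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[int, bytes] = {}   # identifier -> Request Authenticator

    def access_request(self, ident: int, user: bytes, password: bytes) -> bytes:
        request_auth = os.urandom(16)          # fresh nonce per request
        self.pending[ident] = request_auth
        attrs = encode_attrs([(ATTR_USER_NAME, user),
                              (ATTR_USER_PASSWORD, hide_password(password, self.secret, request_auth))])
        return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

    def accept_response(self, packet: bytes) -> bool:
        """True only for an authentic response to a request that is still outstanding."""
        if len(packet) < 20:
            return False
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet):
            return False
        request_auth = self.pending.get(ident)
        if request_auth is None:               # unknown or already answered: a replay
            return False
        expected = response_authenticator(code, ident, request_auth, packet[20:], self.secret)
        if not hmac.compare_digest(expected, packet[4:20]):
            return False                       # wrong secret or altered attributes
        del self.pending[ident]                # consume the nonce: no second acceptance
        return True


def server_reply(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """RADIUS server side: answer `request` with `code`, binding the reply to its authenticator."""
    ident, request_auth = request[1], request[4:20]
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)
```

   The Request Authenticator is what provides freshness: because the server's Response Authenticator is computed over it, a response can only ever match the one request it answers, and once the client drops that request from `pending` the same bytes will never be accepted again.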