This snapshot taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office


Information Assurance Governance Framework

Glossary

This document uses the security terminology in ISO/IEC 17799 as a primary reference, then ISO 13335 (Draft) and finally ISO/IEC JTC1/SC27 standing document SD6. This glossary is in line with these sources so far as is practicable, and also with the available HMG references such as the General IA Products and Services Initiative (GIPSI) standard definitions.

Asset – anything that has value to the organisation, its business operations and its continuity.

Assured products – IT products which have been approved by government as having a recognised level of security effectiveness.

Authentication – ensuring that the identity of a subject or resource is the one claimed.

Availability – ensuring that authorised users have access to information and associated assets when required.

Business Continuity Planning – outline of the action to be taken in the event of serious disruption and priorities for recovery, in order to keep an organisation running as normally as possible at all times, even in an emergency.

Confidentiality – ensuring that information is accessible only to those authorised to have access.

Corporate Governance – the process used to manage the business affairs of the company towards enhancing business prosperity and corporate accountability with the objective of realising long term shareholder value, while taking into account the interests of the other shareholders.

Critical National Infrastructure (CNI) –the most important elements of the nation’s infrastructure involving vital systems and services, such as communications and utilities. The Security Service web site defines the CNI as:
‘...those assets, services and systems that support the economic, political and social life of the UK whose importance is such that any entire or partial loss or compromise could: cause large scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community, or any substantial part of the community; or be of immediate concern to the national government’
The definition is followed by a list of sectors where there is likely to be a CNI aspect.

Disaster Recovery – the process of recovering from an emergency, including the immediate aftermath and the priorities for the critical business functions which need to be resumed.

Firewall – a piece of hardware or software designed to limit access between two ICT systems such as a computer and the Internet.

Governance – a very widely used term with a number of context-specific interpretations. For the purposes of this paper we take the term to refer to ‘the set of policies and internal controls by which organisations are directed and managed, in order to ensure an appropriate level of responsibility and accountability’.

GSi – Government Secure Intranet. The GSi (with a lower case ‘i’) is the collection of networks and services offered by Energis under a contract with OGC buying solutions, and encompasses the GSI and GSE.

IA Governance – ensuring stakeholder confidence that IS risk is managed pragmatically, appropriately and cost-effectively.

IEC – International Electrotechnical Commission.

Impact – the result of an information security incident, caused by a threat, which affects assets.

Information Asset – information of value which is owned and/or used by an organisation.

Information Assurance – the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.

Information Security – the preservation of confidentiality, integrity and availability of information.

Information Systems – information technology or telecommunications systems, services and networks.

Infosec – Information Security. The preservation of confidentiality, integrity and availability of information. Also refers to the discipline of information security.

Integrity – safeguarding the accuracy and completeness of information and processing methods.

ISMS – Information Security Management System (that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security).

ISO – International Standards Organisation.

ISO/IEC 17799 – a set of best practice rules and methods for information security management defined by the British Standards Institution and the International Standards Organisation.

IS – Information Systems.

IT Health Check – an analysis of a system to ensure correct implementation of security functions and identify vulnerabilities which may compromise the confidentiality, integrity or availability of information.

ITsec – United Kingdom Information Technology Security Evaluation and Certification Scheme.

IWS – Information Warfare Site.

Mitigation – limitation of the negative consequences of a particular event.

Non-repudiation – the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.

PFI – Private Finance Initiative.

Protection Profile – the set of countermeasures implemented on an information system to meet the identified risks.

Residual Risk – risk remaining after risk treatment.

Risk – the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.

Risk Appetite – the acceptable level of risk at corporate level.

Risk Assessment – assessment of the threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.

Risk Management – the process of identifying, controlling and minimising or eliminating security risks that may affect information systems, for an acceptable cost.

RMADS – Risk Management and Accreditation Documentation Set.

SIRO – Senior Information Risk Owner: an individual identified within each department as being responsible for information risks and for influencing the board in managing these risks properly.

Threat – a potential cause of an incident that may result in harm to a system or organisation.

Virus – a computer program designed to run on one computer (often with undesirable effects such as deleting files or sending unsolicited e-mails).

Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats.
