CA - (Certificate Authority) - An entity trusted by one or more users as an authority that issues, revokes, and manages digitcal certificates to bind individuals and entities to their public keys.
callback - A procedure for identifying a system that accessed an environment remotely. In a callback, the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection. Synonymous with dialback.
capability - A capability outlines the objects a subject can access and the operations the subject can carry out on the different objects. It indicates the access rights for a specific subject
capability maturity model integration - A process model that captures the organization\'s maturity and fosters continuous improvement.
CDMA - (Code-Division Multiple Access) - Every call\'s data is encoded with a unique key, then the calls are all transmitted at once.
cellular network - A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.
CER - (Crossover Error Rate) - This is achieved when the type I and type II error rates are equal.
certificate authority - An entity trusted by one or more users as an authority that issues, revokes, and manages digitcal certificates to bind individuals and entities to their public keys.
certification - The technical evaluation of the security components and their compliance for the purpose of accreditation. A certification process can use safeguard evaluation, risk analysis, verification, testing, and auditing techniques to assess the appropriateness of a specific system processing a certain level of information within a particular environment. The certification is the testing of the security component or system, and the accreditation is the approval from management of the security component or system.
challenge/response method - A method used to verify the identity of a subject by sending the subject an unpredictable or random value. If the subject responds with the expected value in return, the subject is authenticated.
change management - A business process aimed at deliberately regulating the changing nature of business activities such as projects.
change management - A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
ciphertext - Data that has been encrypted and is unreadable until it has been converted into plaintext.
Clark-Wilson model - An integrity model that addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency through auditing.
classification - A systematic arrangement of objects into groups or categories according to a set of established criteria. Data and resources can be assigned a level of sensitivity as they are being created, amended, enhanced, stored, or transmitted. The classification level then determines the extent to which the resource needs to be controlled and secured, and is indicative of its value in terms of information assets.
classification - Arrangement of assets into categories.
clearing - THe removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.
cleartext - In data communications, cleartext is the form of a message or data, which is transferred or stored without cryptographic protection.
cloud computing - The use of shared remote computing devices for the purpose of providing improved efficiencies, performance, reliability, scalability, and security.
CMMI - (Capability Maturity Model Integration) - A process model that captures the organization\'s maturity and fosters continuous improvement.
code-division multiple access - Every call\'s data is encoded with a unique key, then the calls are all transmitted at once.
collusion - Two or more people working together to carry out a fraudulent activity. More than one person would need to work together to cause some type of destruction or fraud
common object request broker architecture - A set of standards that addresses the need for interoperability between hardware and software products.
communications security - Controls in place to protect information as it is being transmitted, especially by telecommunications mechanisms.
compartment - A class of information that has need-to-know access controls beyond those normally provided for access to confidential, secret, or top-secret information. A compartment is the same thing as a category within a security label. Just because a subject has the proper clearance does not mean it has a need to know. The category, or compartment, of the security label enforces the subject\'s need to know.
compensating controls - Controls that are alternative procedures designed to reduce the risk. They are used to
compliance - Adherence to a mandate
compromise - A violation of the security policy of a system or an organization such that unauthorized disclosure or modification of sensitive information occurs.
computer fraud - Computer-related crimes involving deliberate misrepresentation, modification, or disclosure of data in order to compromise a system or obtain something of value.
computer virus - A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.
concentrators - Multiplex connected devices into one signal to be transmitted on a network.
condition coverage - This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.
confidentiality - A security principle that works to ensure that information is not disclosed to unauthorized subjects.
configuration management - An operational process aimed at ensuring that systems and controls are configured correctly and are responsive to the current threat and operational environments.
confinement - Controlling information in a manner that prevents sensitive data from being leaked from a program to another program, subject, or object in an unauthorized manner.
confusion - Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.
content distribution network - Multiple servers distributed across a large region, each of which provides content that is optimized for users closest to it. These networks are not only used to improve the user experience but also to mitigate the risk of denial-of-service attacks.
contingency plan - A plan put in place before any potential emergencies, with the mission of dealing with possible future emergencies. It pertains to training personnel, performing backups, preparing critical facilities, and recovering from an emergency or disaster so that business operations can continue.
continuous monitoring - Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
control zone - The space within a facility that is used to protect sensitive processing equipment. Controls are in place to protect equipment from physical or technical unauthorized entry or compromise. The zone can also be used to prevent electrical waves carrying sensitive data from leaving the area.
converged protocol - Protocols that started off independent and distinct from one another but over time converged to become one.
copyright - A legal right that protects the expression of ideas.
CORBA - (Common Object Request Broker Architecture) - A set of standards that addresses the need for interoperability between hardware and software products.
cost/benefit analysis - An assessment that is performed to ensure that the cost of a safeguard does not outweigh the benefit of the safeguard. Spending more to protect an asset than the asset is actually worth does not make good business sense. All possible safeguards must be evaluated to ensure that the most security-effective and cost-effective choice is made.
countermeasure - A control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. Also called a safeguard or control.
covert channel - A communications path that enables a process to transmit information in a way that violates the system\'s security policy.
covert security testing - Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test.
covert storage channel - A covert channel that involves writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a resource (for example, sectors on a disk) that is shared by two subjects at different security levels.
covert timing channel - A covert channel in which one process modulates its system resource (for example, CPU cycles), which is interpreted by a second process as some type of communication.
crossover error rate - This is achieved when the type I and type II error rates are equal.