Terms

Alphabetical index of published term entries.

  1. a (Updated Jan 05, 2026)

    The significance level.

  2. A1 computer system (Updated Jan 06, 2026)

    See: Tutorial under "Trusted Computer System Evaluation Criteria". (Compare: beyond A1.)

  3. ABA Guidelines (Updated Jan 06, 2026)

    "American Bar Association (ABA) Digital Signature Guidelines" [DSG], a framework of legal principles for using digital signatures and digital certificates in electronic commerce.

  4. Abbreviated Dialing Numbers (Updated Jan 05, 2026)

    Phone book entries kept on the SIM.

  5. absolute error (Updated Jan 05, 2026)

    The absolute difference between the noisy and unaltered versions of a query’s output.

  6. abstraction (Updated Jan 05, 2026)

    View of an object that focuses on the information relevant to a particular purpose and ignores the remainder of the information.

  7. Abstract Syntax Notation One (Updated Jan 06, 2026)

    A standard for describing data objects. [Larm, X680] (See: CMS.)

  8. Abuse Accessibility Features (Updated Jan 06, 2026)

    Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device’s user interface, such as changing the font size and adjusting contrast or colors. (Citation: Google AndroidAcsOverview)

  9. Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

  10. Acceptable Risk (Updated Jan 06, 2026)

    Level of residual risk to the organization’s operations, assets, or individuals that falls within the defined risk appetite and risk tolerance by the organization.

  11. acceptable use agreement (Updated Jan 05, 2026)

    See user agreement.

  12. access (Updated Jan 06, 2026)

    The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.

  13. access agreement (Updated Jan 05, 2026)

    See user agreement.

  14. access authority (Updated Jan 05, 2026)

    An entity responsible for monitoring and granting access privileges for other authorized entities.

  15. A PKI operated by the U.S. Government's General Services Administration in cooperation with industry partners. (See: CAM.)

  16. Access Complexity (Updated Jan 05, 2026)

    Reflects the complexity of the attack required to exploit the software feature misuse vulnerability.

  17. Access Control (Updated Jan 06, 2026)

    Access control is the set of mechanisms and policies used to restrict access to resources and enforce authorization decisions.

  18. access control center (Updated Jan 06, 2026)

    A computer that maintains a database (possibly in the form of an access control matrix) defining the security policy for an access control service, and that acts as a server for clients requesting access control decisions.

  19. access control list (Updated Jan 06, 2026)

    A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources.

  20. Access Control Matrix (Updated Jan 06, 2026)

    A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.

  21. access control mechanism (Updated Jan 06, 2026)

    Implementations of formal AC policy such as AC model. Access control mechanisms can be designed to adhere to the properties of the model by machine implementation using protocols, architecture, or formal languages such as program code.

  22. Access Control Model (Updated Jan 05, 2026)

    Formal presentations of the security policies enforced by AC systems, useful for proving theoretical limitations of systems. AC models bridge the gap in abstraction between policy and mechanism.

  23. Access Control Policy (Updated Jan 05, 2026)

    An access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, environment attributes, etc.).

  24. access control service (Updated Jan 06, 2026)

    A security service that protects against a system entity using a system resource in a way not authorized by the system's security policy. (See: access control, discretionary access control, identity-based security policy, mandatory access control, rule-based security policy.)

  25. Access control system (Updated Jan 05, 2026)

    A set of procedures and/or processes, normally automated, which allows access to a controlled area or to information to be controlled, in accordance with pre-established policies and rules.

  26. access cross domain solution (Updated Jan 05, 2026)

    A type of transfer cross domain solution (CDS) that provides access to a computing platform, application, or data residing in different security domains without transfer of user data between the domains.

  27. access level (Updated Jan 06, 2026)

    A category within a given security classification limiting entry or system connectivity to only authorized persons.

  28. access list (Updated Jan 06, 2026)

    Roster of individuals authorized admittance to a controlled area.

  29. Access Management (Updated Jan 05, 2026)

    Access Management is the set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day perhaps without realizing it are: Policy Administration, Authentication, and Authorization.

  30. access mode (Updated Jan 06, 2026)

    A distinct type of data processing operation (e.g., read, write, append, or execute, or a combination of operations) that a subject can potentially perform on an object in an information system. [Huff] (See: read, write.)

  31. Access Notifications (Updated Jan 06, 2026)

    Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept a one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications. (Citation: ESET 2FA Bypass)

  32. Access Point (AP) (Updated Jan 05, 2026)

    A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.

  33. access policy (Updated Jan 06, 2026)

    A kind of "security policy". (See: access, access control.)

  34. access profile (Updated Jan 06, 2026)

    Association of a user with a list of protected objects the user may access.

  35. access program (SAP) (Updated Jan 05, 2026)

    A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

  36. access right (Updated Jan 06, 2026)

    Synonym for "authorization"; emphasizes the possession of the authorization by a system entity.

  37. access type (Updated Jan 05, 2026)

    Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.

  38. Access Vector (Updated Jan 05, 2026)

    Reflects the access required to exploit the vulnerability.

  39. Account (Updated Jan 05, 2026)

    An entity in a blockchain that is identified with an address and can send transactions to the blockchain.

  40. accountability (Updated Jan 06, 2026)

    The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.

  41. Account Access Removal (Updated Jan 06, 2026)

    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.

  42. accounting legend code (Updated Jan 06, 2026)

    A numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC material control system (CMCS).

  43. accounting number (Updated Jan 05, 2026)

    A number assigned to an individual item of COMSEC material at its point of origin to facilitate its handling and accounting.

  44. account linking (Updated Jan 05, 2026)

    The association of multiple federated identifiers with a single RP subscriber account or the management of those associations.

  45. account recovery (Updated Jan 05, 2026)

    The ability to regain ownership of a subscriber account and its associated information and privileges.

  46. account resolution (Updated Jan 05, 2026)

    The association of an RP subscriber account with information that is already held by the RP prior to the federation transaction and outside of a trust agreement.

  47. Accounts (Updated Jan 06, 2026)

    Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the method to list all accounts. (Citation: Android AccountManager Feb2025) On iOS, this can be accomplished by using the Keychain services.

  48. accreditation (Updated Jan 06, 2026)

    The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

  49. accreditation boundary (Updated Jan 06, 2026)

    All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.

  50. accrediting authority (Updated Jan 05, 2026)

    A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.