Glossary


There are no terms starting with 0 through 9.

Terms beginning with A

Accreditation - An official management decision to accept the security environment and authorize the operation of an information system; this decision is based on the results of the certification process.

Adware - Advertising on the Internet, usually in the form of pop-up advertisements that can appear even when not using a Web browser.

Anti-Virus Software - Software that scans computer systems for viruses, worms, and other types of malware.

Availability - Ensuring that information and information systems are obtainable when needed.

Terms beginning with B

Background Investigations - A screening process that helps determine whether an individual is suitable for employment at a specified level of trust. A background investigation may involve checking criminal history, fingerprint records, and other federal indices.

Backups - Copies of files that are prepared on a regular basis in case the original files become corrupt or lost.

Baseline - Documented configuration of a system established at a specific point in time that captures the structure and details of its settings. It serves as a reference for further activities. An application or software baseline provides the ability to change or to rebuild a specific version at a later date.

Business Resumption Plan - A contingency plan that documents how to restore business operations after a significant disruption.

Terms beginning with C

Certification - An evaluation of the security controls of an information system and a prerequisite for accreditation.

Chief Information Officer (CIO) - An executive who is responsible for the overall management of an information technology program.

Confidentiality - Ensuring that access to and disclosure of information is restricted to those with a verified need-to-know.

Configuration Management - Control policies and activities applied to the information technology environment of an organization or Agency that ensure system components are well defined and cannot be changed without proper authorization and justification.

Contingency Planning - A plan to lessen the risk of disruptions affecting IT systems, business processes, and facilities. At a minimum, FHFA requires that each Agency and staff office develop two plans: Business Resumption Plan and Disaster Recovery Plan.

Contractor - Any business or individual who has a contract to do work with a Federal government Agency. It does not matter whether the work is done onsite or in the contractor's office.

Cookie - A file that a Web site stores on a hard drive and retrieves whenever the site is revisited.

Critical Infrastructure Protection - A national program to protect physical and information-based systems essential to the minimum operations of the economy and government.

Terms beginning with D

Denial of Service - An attack that involves bombarding a computer system with huge amounts of data from many different machines and locations in an effort to bring down the computer and deny its availability.

Disaster Recovery Plan - A contingency plan that documents how to restore a system, applications, or facility operations locally or at an alternate site.

Document - A record, whether electronic or hard copy, that contains information which may need to be protected from disclosure.

Terms beginning with E

There are no terms starting with E.

Terms beginning with F

Federal Record - Records include all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the United States Government or because of the informational value of the data in them (44 U.S.C. 3301).

Federal Register - The official publication for final rules, proposed rules, notices, and supporting documents of Federal agencies and organizations.

FISMA - Federal Information Security Management Act.

Freedom of Information Act (FOIA) - A law that was enacted in 1966 to provide public access, through the submission of requests, to Federal government records in order to shed light on the running of the Federal government and the inner workings of Federal government agencies. In 1996, the Electronic Freedom of Information Act Amendments (E-FOIA) were signed into law, allowing electronic access to certain information without having to make a formal FOIA request.

Terms beginning with G

GAO - Government Accountability Office. The GAO is the investigative arm of Congress charged with examining matters relating to the receipt and payment of public funds.

General Support System - Interconnected information resources under the same direct management control which share common functionality and normally include hardware, software, information, applications, communications, facilities, and people.

Government Information Systems - A set of processes, communications, storage, and related resources, whose elements are under the same direct management control, have the same function or mission objective, and have essentially the same operating characteristics and security needs.

Terms beginning with H

Hacker - A person who attempts to compromise the security of an information technology system, especially one whose intention is to cause disruption or obtain unauthorized access to data.

Hardware - The physical components or the equipment of a computer system, such as a computer, a monitor, or a server.

Hoaxes - Email messages sent to as many people as possible to slow down the Internet and email service by clogging the networks with extra traffic. The emails may appear legitimate, come from known senders, warn about something or promote a great deal, or be in the form of chain letters.

Human Threat - A threat caused through unintentional or intentional actions.

Terms beginning with I

Identity Theft - Copying or assuming another person's identity for the purposes of committing fraud or some other crime. Identity theft occurs by using someone else's name, address, social security number, or other information without the individual's knowledge.

Information Security - The policies, procedures, guidance, and logical, physical and personnel controls that protect the confidentiality, integrity, and availability of information systems. It also includes those measures necessary to detect, document, and counter information security threats.

Information System - A set of processes, communications, storage, and related resources, whose elements are under the same direct management control, have the same function or mission objective, and have essentially the same operating characteristics and security needs.

Information Technology - The computer services group that helps manage the computers, network, and infrastructure to protect the privacy of data.

Information Technology Security Officer (ITSO) - A person who is responsible for the overall security program of an FHFA Agency or office. This person ensures that all federal laws, Agency policies, and security practices are implemented across all information technology programs.

Insider Threats - Threats from employees, contractors, and others who have legitimate access to the computer system.

Integrity - Ensuring that entered and stored information is correct and complete.

Internet - The world-wide network of computers and systems that communicate information to computers, systems, and users.

Internet Threats - Security risks associated with using the Internet, such as cookie misuse, secret monitoring, hacking, denial of service, and malicious code.

Intruder - A person who alters, deletes, or steals data, or who shuts down the system. An intruder could be internal, such as a disgruntled employee, or external, such as a hacker.

Terms beginning with J

There are no terms starting with J.

Terms beginning with K

There are no terms starting with K.

Terms beginning with L

Laws (Security) - Federal government documents that mandate requirements and standards for the management and protection of information technology resources.

Terms beginning with M

Major Application - A system that performs clearly defined functions for which there are readily identifiable security considerations and needs, and may be comprised of many hardware, software, and telecommunications components.

Malicious Code - A hostile program or file that can disclose protected information, or can damage and interfere with a computer's normal operation.

Management Controls - Management controls include policies. They also involve incorporating security into the SDLC and developing and maintaining system documentation (e.g., the System Security Plan). Some management controls are Security Planning, System and Services Acquisition, Security Control Review, and Processing Authorization.

Terms beginning with N

Natural Threat - A threat whose source is either from nature or a system's environment.

Terms beginning with O

Office of Management and Budget (OMB) - The White House office responsible for devising and submitting the President's annual budget proposal to Congress.

Office of the Inspector General (OIG) - The office that performs audits and investigations of the Agency's programs and operations and works with the Agency's management team in activities that promote economy, efficiency, and effectiveness or that prevent and detect fraud and abuse in programs and operations, both within FHFA and in non-Federal entities that receive FHFA assistance.

Operating System - A computer's major program that allows all the other programs and input/output devices to function.

Operational Controls - Operational controls are those safeguards and countermeasures employed by an organization to support the management and technical controls in an information system. Some operational controls are Personnel Security and Hardware and Software Maintenance.

Terms beginning with P

Password - A combination of letters, numbers, and/or symbols that allows a user access to a network, sensitive data, or any system/information.

Peer-to-Peer Software - Software that uses the Internet to bypass the traditional client/server network relationship that exists in business and government offices, such as some online music and video sharing programs. A number of peer-to-peer software programs even allow the sharing of computers.

Personnel Resource - The human component of information security.

Personnel Security - A process that agencies use to review and identify their public trust and sensitive positions and ensure that personnel in or selected for those positions undergo the appropriate background investigations, suitability determinations, or clearances.

Physical Resource - The equipment/building component of information security.

POA&M - Plan of Action and Milestones.

Policy (Computer Security) - Senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's email privacy policy or fax security policy.

Privacy Act of 1974 - A law passed by Congress in 1974 for the purpose of protecting, through regulation, personal information that is collected, maintained, and disseminated by any Federal government entity. The Act protects the information of individuals who are either United States citizens or aliens lawfully admitted for permanent residence.

Privacy Act Statement - A statement that informs an individual of the authority, purpose, and routine use of the data being collected from him or her. This statement must be given to the individual BEFORE taking any information.

Privacy Impact Assessment (PIA) - A process for determining how personal information is handled, the security of the information, and the impact of information disclosure on an individual. Privacy Impact Assessments are mandated by the E-Government Act of 2002.

Terms beginning with Q

There are no terms starting with Q.

Terms beginning with R

Ransomware - A type of malware that infects a computer and then restricts access to the files on the computer, or the computer itself. The operators of the malware then require the user to pay a ransom in order for the restrictions to be removed.

Regulations - A principle, rule, or law designed to control or govern behavior or a governmental order having the force of law.

Risk - The likelihood of a threat source exercising a vulnerability and resulting in an adverse impact.

Risk Assumption - To accept risk.

Risk Avoidance - To eliminate risk (i.e., add controls).

Risk Limitation - To limit risk (i.e., implement controls to minimize impact, such as restricting access to systems after normal hours).

Risk Management - Program, policies, procedures, and activities which lessen the possibility that risks and vulnerabilities can be exploited.

Risk Transference - To transfer risk to compensate for loss (e.g., purchase insurance).

Terms beginning with S

Safeguards - Safeguards are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system or the threats to that information system.

Security Guidance - Documents designed and issued to control or govern security behavior. Guidance also provides policies and procedures to be used until a subject-specific regulation is published.

Sensitive Data - Data for which loss, unauthorized modification, or unauthorized disclosure would be detrimental to individuals, the agency, national security, or Department operations.

Sensitive Data Retention - Retaining sensitive data in a secure place and for a specified period of time.

Social Engineering - Relying on weaknesses in human nature rather than software to trick people into revealing passwords and other information that can be used to compromise the security of information systems. It can also lead to fraud and identity theft.

Software - The nonphysical components of a computer system, such as the programs or instructions that are contained within the hardware and allow it to function.

Spam - The email version of "junk mail".

Spyware - A program that is similar to a non-destructive Trojan horse in that it collects information and sends it to its author. It is generally installed on a computer when shareware or some similar and usually free software is installed.

System - Poor building wiring or insufficient cooling for the systems.

System Development Life Cycle - The SDLC has five phases: Initiation, Development/Acquisition, Implementation, Operations/Maintenance, and Disposition.

System of Records - A group of records where an individual's information is retrieved by name or some other type of identifier, such as a social security number, any identifying number, a fingerprint, a voiceprint, or a photograph. It does not matter whether these records are on paper or in a computerized database.

System of Records Notice - A notice published in the Federal Register, which includes a description of the system and the information to be collected, why it is needed, where it is located, Agency practices protecting Privacy information, and how individuals can access and amend their records. This notice allows for public comment or question.

Terms beginning with T

Technical Controls - Technical controls are those safeguards and countermeasures employed within the information system's hardware, software, or firmware to protect the system and its information from unauthorized access, use, disclosure, disruption, modification, or destruction. You can think of technical controls as those that are executed by the system. Technical control categories include Logical Access Controls, Accountability/Audit Trails, and System and Communications Protection.

Telecommunications - Transmitting data or communicating by voice or video to one site or multiple sites.

Telecommuting/Teleworking - Performing official duties at an alternative work site (e.g., home, telecenter, or other satellite work location).

Threat - A circumstance or event with the potential to cause unauthorized loss, modification, or disclosure of information; or the potential to cause damage to a computer or any part of the IT system.

Trojan Horse - A program that allows the unauthorized collection, exploitation, falsification, or destruction of data. Some Trojan horses allow remote and unauthorized access to a computer.

Terms beginning with U

There are no terms starting with U.

Terms beginning with V

Virus - A small piece of code that attaches itself to another program. It does not run on its own, but executes when the host program is run.

Vulnerability - A weakness in an information system and/or its components that could accidentally or intentionally allow the system to be compromised.

Terms beginning with W

Wireless networking/computing - The ability to connect your computer to a network without using a physical connection. Often, Internet wireless connections can be found in coffee shops, hotel rooms, Internet cafes, or at home.

Worm - An independent program that usually "worms" its way from system to system throughout a network and has the potential for major system outages.

Terms beginning with X

There are no terms starting with X.

Terms beginning with Y

There are no terms starting with Y.

Terms beginning with Z

There are no terms starting with Z.
