Glossary
This list of definitions and acronyms is not exhaustive, and probably never will be. However, if there are terms you’d like to see added, please let me know. (For a much more detailed “techno-geek glossary” please see TechTarget’s awesome Web site.)
Accreditation - Formal acceptance by senior management of risk before operational system deployment.
(AA) Accreditation Authority - The role, usually a business owner, who accredits a system and accepts the risk.
Availability - A security service, usually described in a Statement of Sensitivity, that indicates a system’s requirement for information and systems to be available for a certain percentage of time, with certain average lengths of time between failures, or with defined average lengths of continuous unavailability.
(CA) Certificate Authority - A role responsible for overseeing the issuance and management of digital certificates used in Public Key cryptography-based applications.
(CP) Certificate Policies - The policies defined for governing the issuance and use of digital certificates issued by a Certificate Authority.
(Security Certification aka) Certification - The evaluation of a system’s security posture against its security requirements.
Certification Authority - The organization or role-holder having the authority to assess the security posture of a system against its security requirements.
(C&A) Certification and Accreditation - The process of having a system’s security posture formally assessed (certified) and approved for operation (accredited) by the appropriate authorities designated by the organization that owns the system.
(CPS) Certification Practice Statement - A document that describes the processes and procedures detailing how a Certificate Authority complies with its associated Certificate Policies.
(CISO) Corporate Information Security Officer (or CSO - Chief Security Officer) - The individual within an organization responsible for defining and maintaining the organization’s Information Security policies.
(CSO) Corporate Security Officer or Chief Security Officer - The individual within an organization responsible for defining and maintaining ALL security policies (including physical and personnel security). The CISO (for information security) usually reports to the CSO.
Confidentiality - One of the primary security services, usually identified in a Statement of Sensitivity, indicating the system’s requirement for protecting information from unauthorized disclosure.
Digital Certificate (or X.509 Certificate) - A data structure that securely binds an individual or entity to a Public Key used in cryptographic operations such as digital signatures or asymmetric encryption.
(DMZ) Demilitarized Zone (or Public Access Zone) - A semi-protected network area used to terminate connections from the Internet and forward them to systems in an Operations Zone without unduly exposing sensitive systems and information.
Integrity - One of the primary security services, usually identified in a Statement of Sensitivity, indicating the system’s requirement for protecting information or systems from being corrupted, changed or deleted.
(IS) Information System - A collection of hardware and software components and interconnections, as well as the information contained within that collection and the facilities that contain and protect them.
Operations Zone - A protected network area described in security architectures where sensitive information is handled without being exposed to threats in less secure zones.
(OOB) Out of Band - A technique for passing secret information such as one-time passwords to another entity using a different communication channel than the primary network channel.
PEBKAC - Problem Exists Between Keyboard and Computer; a derogatory acronym sometimes used in contempt of unaware individuals, to indicate that the problem was caused by the user (closely related to the ID-10-T, or IDIOT, error).
Privacy - The right of an individual to control the collection and handling of their own sensitive personal information, particularly important whether or not the information is offered with the individual’s consent (not necessarily implied by the security service “confidentiality”).
(PAZ) Public Access Zone (or DMZ) - See DMZ
(PKI) Public Key Infrastructure - A system of software and hardware components that enables electronic authentication, confidentiality, integrity, non-repudiation and access control services, using Public Key Certificates (or Digital Certificates).
Residual Risk - The risk remaining after implementation of chosen safeguards.
Risk - The total resultant effect and expected loss associated with a Threat Event, dependent on the likelihood and impact of its occurrence.
Risk Management - The overall process of evaluating potential risks and choosing to a) Reduce, b) Transfer (insure), c) Avoid, or d) Ignore or Accept the resultant risk.
Risk Profile - The amount of risk exposure that an organization is willing to accept when deploying a system. For example, a medical or financial organization serving many people will probably have a Low risk profile. In contrast, some military organizations operating in hostile territory must sometimes accept a higher risk exposure to accomplish their mission.
Safeguard - A mechanism (technology based or procedurally based), usually recommended by a Threat and Risk Assessment, that provides for protection of an asset through security services such as Confidentiality, Integrity or Availability.
Security Posture - The assessed risk level of a certified system usually stated relative to its target risk profile.
(SLA) Service Level Agreement - An agreement between a provider and consumer stating the allowable response times and service availability.
Threat Agent - An individual, organization or naturally occurring event that could initiate an attack on an asset, or catastrophic failure or loss of an Information System or associated component.
Threat Event - The realization of a potential action by a Threat Agent.
Threat Scenario - The combination of a realized Threat Event on a particular Information System asset, the vulnerability being attacked and the associated impact.
Virus - A type of Malicious Code or unwanted software program designed to infect computer systems and replicate itself, sometimes causing damage to the infected systems.
(VPN) Virtual Private Network - A technological means of providing logical separation of network traffic such that recipients of traffic on one logical channel cannot observe or effectively alter traffic on another logical channel, often (but not always) implemented with encryption such as IPSEC.
Vulnerability - The potential for loss of an Information System asset.