Initial Computer Security Briefing : Glossary

	: Initial Computer Security Briefing

Glossary

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A

accreditation—The written formal management decision to approve and authorize an organization to operate a classified information system (IS) to process, store, transfer, or provide access to classified information.

audit capability—The ability to recognize, record, store, and analyze information related to security-relevant activities on a system in such a way that the resulting records can be used to determine which activities occurred and which user was responsible for them.

audit trail—The record of security-relevant activities on a system.

authenticator—A method of authenticating a classified information system (IS) in the form of knowledge or possession (for example, password, token card, key).

automated information systems (AIS)—The infrastructure, organization, personnel, and components for the collection, processing, storage, transmission, display, dissemination, and disposition of information.

B

backup and restoration of data—The regular copying of data to separate media and the recovery from a loss of information.

C

certification—Certification provides documentation stating that the classified IS and its environment implements requirements of the DOE Classified IS Security Program as specified in the approved Classified IS Security Plan.

classified distributive information network (CDIN)—Any cable, wire, or other approved transmission media used for the clear text transmission of classified information in certain DOE access controlled environments. Excluded is any system used solely for the clear text transmission and reception of intrusion/fire alarm or control signaling.

classified information system (CIS)—A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of classified information, in accordance with defined procedures, whether automated or manual. Guidance Note: For the purposes of this document, an IS may be a stand-alone, single- or multi-user system or a network comprised of multiple systems and ancillary supporting communications devices, cabling, and equipment.

Classified Information Systems Security Plan (ISSP)—The basic classified system protection document and evidence that the proposed system, or update to an existing system, meets the specified protection requirements. The Classified ISSP describes the classified IS, any interconnections, and the security protections and countermeasures. This plan is used throughout the certification, approval, and accreditation process and serves for the lifetime of the classified system as the formal record of the system and its environment as approved for operation. It also serves as the basis for inspections of the system.

Classified Information Systems Security Program—The Classified Information Systems Security Program provides for the protection of classified information on information systems at LANL.

Classified Information Systems Security Site Manager (ISSM)—The manager responsible for the LANL Classified Information Systems Security Program.

clearing— Removal of data from a computer, its storage devices, and other peripheral devices with storage capacity in such a way that the data may not be reconstructed using common system capabilities (that is, keyboard strokes); however, the data may be reconstructed using laboratory methods.
Contrast with “sanitization”. Guidance Note: Clearing of classified information from media does not permit the reuse of that media at a lower classification level or in an unclassified mode.

collaborator—A person not employed by the Laboratory who (1) is authorized to remotely access a LANL unclassified computer system located on the site or (2) uses a LANL system located off the site. Guidance Note: A collaborator does not have an active Employee Information System record.

computer security incident—any event or condition having actual or potentially adverse effects on an information system. See the Cyber Security Handbook.

confidentiality—A component of information protection involving the control of who has access to the information.

contingency plan—A plan maintained for emergency response, backup operations, and postdisaster recovery for a system or network, to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.

cyber security program—The program mandated to ensure that the confidentiality, integrity, and availability of electronic data, networks and computer systems are maintained to include protecting data, networks and computing systems from unauthorized access, alteration, modification, disclosure, destruction, transmission, denial of service, subversion of security measures, and improper use.

D

data custodian—The person who ensures that information is reviewed to determine if it is classified or sensitive unclassified. This person is responsible for generation, handling and protection, management, and destruction of the information. Guidance Note: An alternative name for the data custodian is classified information systems application owner.

discretionary access controls—Controls that limit access to information on a system on an individual basis.

designated accrediting authority (DAA)—A DOE official with the authority to formally grant approval for operating a classified information system; the person who determines the acceptability of the residual risk in a system that is prepared to process classified information and either accredits or denies operation of the system.

G

general support system (GSS)—A general support system includes hardware, software, information, data, applications, communications, and personnel.

green network—See “open network.”

H

hostmaster database—A relational database maintained by the Network Engineering Group (CCN-5) that contains information about every device connected to the Laboratory unclassified yellow and green networks.

Top

I

information system (IS)—The entire infrastructure, organizations, personnel and components for the collection, processing, storage, transmission, display, dissemination and disposition of information.

Information System Security Officer (ISSO)—The worker responsible for ensuring that protection measures are installed and operational security is maintained for one or more specific classified information systems and/or networks.

integrated computing network (ICN)—LANL's primary institutional network.

integrity—A component of information protection that involves ensuring that the information is accurate, to include controlling “write access” to the information.

L

LANL unclassified network—The LANL unclassified network that consists of two internal networks: the unclassified protected network (Yellow Network) and the open network (Green Network).

least privilege—The principle requiring that each user be granted the most restrictive set of privileges needed for the performance of authorized tasks. Application of this principle limits the damage that can result from accident, error, or unauthorized use of an information system (IS).

M

major application (MA)—A computer application that requires special management attention because of its importance to an organization’s mission; its high development, operating, and/or maintenance costs; or its significant role in the administration of an organization’s programs, finances, property, or other resources.

multiuser systems—Any system capable of supporting more than one user in a concurrent mode of operation.

N

National Institute of Standards and Technology (NIST)—The federal organization that develops and promotes measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

need-to-know—Access to information based on clearly identified need to know the information to perform official job duties.

network—Two or more interconnected information systems. Guidance Note: Networks may be internal to a building or technical area, local to LANL, local to a municipal area, or global in nature, and may provide external connections to various non-LANL systems.

O

open network—A network within the LANL Unclassified Network that supports LANL’s public Internet presence and external collaborations. See LANL unclassified network.

Organizational Computer Security Representative (OCSR)—A LANL person who has oversight responsibilities for one or more single-user, stand-alone classified or unclassified systems.

P

pass code—A one-time-use “authenticator” that is generated by a token card after a user inputs his or her personal identification number (PIN) and that is subsequently used to authenticate a system user to an authentication server or workstation.

password—A protected word, phrase, or string of symbols used to authenticate a user’s identity to a system or network. Guidance Note: One-time pass codes are valid only for a single authentication of a user to a system; reusable passwords are valid for repeated authentication of a user to a system.

personal identification number (PIN)—A number known only to the owner of the token card and which, once entered, generates a one-time pass-code.

protected distribution system (PDS)—A type of protected conduit system used for the protection of certain levels of information. PDS is the highest level of protection and is used in public domain areas for SRD and lower.

protected transmission system—A cable, wire, conduit, or other carrier system used for the clear text transmission of classified information in certain DOE environments. Protected transmission systems comprise protected distribution systems (PDSs) and classified distributive information networks (CDINs). A wire-line or fiber-optic telecommunications system that includes the acoustical, electrical, electromagnetic, and physical safeguards required to permit its use for the transmission of unencrypted classified information.

R

residual risk—The risk of operating a classified information system that remains after the application of mitigating factors. Such mitigating factors include, but are not limited to minimizing initial risk by selecting a system known to have fewer vulnerabilities, reducing vulnerabilities by implementing countermeasures, reducing consequence by limiting the amounts and kinds of information on the system, and using classification and compartmentation to lessen the threat by limiting the adversaries' knowledge of the system.

S
sanitization—Sanitization permits the reuse of the media on classified ISs operating at another classification level and/or classification category or at an unclassified level.

sanitization (unclassified)—Eliminating information from an unclassified computer system or medium associated with an unclassified computer system to ensure that information may not be readily recovered from the media or equipment by any known means.

secure integrated computing network (Secure ICN)—LANL’s primary institutional classified network.

security-significant change—A change in the protection of the classified information system’s environment, change in protection requirements, or change in implementation of the protection requirements.

Sensitive Compartmented Information Facility (SCIF)—An accredited area, room, group of rooms, or installation where it is permissible to store, use, discuss, and/or electronically process Sensitive Compartmented Information.

sensitive unclassified information—Information for which disclosure, loss, misuse, alteration, or destruction could adversely affect national security or other federal government interests. Guidance Note: National security interests are those unclassified matters that relate to the national defense or to United States (US) foreign relations. Other government interests are those related to, but not limited to, a wide range of government or government-derived economic, human, financial, industrial, agricultural, technological, and law-enforcement information, and to the privacy or confidentiality of personal or commercial proprietary information provided to the U.S. government by its citizens. Examples are Unclassified Controlled Nuclear Information (UCNI), Official Use Only (OUO) information, Naval Nuclear Propulsion Information (NNPI), Export Controlled Information (ECI), In Confidence information, Privacy Act information (such as personal/medical information), proprietary information, for example, from a cooperative research and development agreement (CRADA), State Department Limited Official Use (LOU) information, and Department of Defense For Official Use Only (FOUO) information.

sensitivity level—Sensitivity level is the highest classification level and classification category of information to be processed on an information system.

separation of duties—The dissemination of tasks and associated privileges for a specific computing process among multiple users to prevent fraud and errors.

system—An organized hierarchy of components (hardware, software, data, personnel, and communications, for example) having a specified purpose and performance requirements.

system administrator—The individual responsible for the installation and maintenance of an information system, providing effective information system utilization, required security parameters, and implementation of established requirements.

system failure—an event or condition that results in a system failing to perform its required function.

system owner—The person, team, group, or division that has been assigned and accepted responsibility for Laboratory computer assets, according to Laboratory Administrative Manual, Section 701.

system recovery—Actions necessary to restore a system’s operational and computational capabilities, and its security support structure, after a system failure or penetration.

system user—An individual who can receive information from, input information to, or modify information on a LANL information system without an independent review. Guidance Note: This term is equivalent to computer information system user, or computer user, found in other Laboratory documentation. System users may be both LANL workers and collaborators. For desktop systems, a single individual may be a system user and system owner.

T

token card—A device used in conjunction with a unique PIN to generate a one-time pass code (for example, CRYPTOCard® or SecureID®).

U

Unclassified Cyber Security Program Plan—A plan that provides a single source of unclassified computer security program information, and specifies the minimum protections and controls and references the detailed source material that pertains to the program. This detailed source material includes the following:

The Cyber Security Handbook—A website handbook that details the Cyber Security requirements required by system users,system administrators, and SRLMs who access electronic information;
The Computer Security Plans for General Support Systems (GSS) and Major Applications (MA)—Plans that detail the specific protection requirements for major applications and general support systems;

Computing, Communications, and Networking (CCN) Division websites—describes network services and their use by system users; and

CIO-Cyber web site—provides training modules for Cyber Security subjects.

unclassified information systems security site manager— The manager responsible for the LANL Unclassified Information Systems Security Program.

unclassified protected network—A network within the LANL unclassified network that is designed to protect the resident systems from unauthorized access and is separated from the Internet by a firewall that controls external access to the network. See also LANL unclassified network.

Y

yellow network—see LANL unclassified network.

Menu
Introduction
Responsibilities
Computer User Training
Computer User Registration
Use of Lab Resources
Minimum Computer Protections
Protecting Hardware
Protecting Data
Networks & Connectivity
System Authorization
Incidents
Your Keys to Cyber Security Knowledge
Quiz
Finally

Questions about this course? Contact cybersecurity@lanl.gov.