Definitions

- Account: A combination of a username and password that allows a user to log on to a network, computer system, or application.
- Administrative User: A user assigned to supervise all or a portion of an application or system.
- Audit: To conduct an independent review and examination of system records and activities.
- Audit Trail: A chronological record of system activities that is sufficient to enable the reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction, from its inception to its final results.
- Auditor: An authorized individual or role with administrative duties that include selecting the events to be audited on the system, setting the audit flags that enable the recording of those events, and analyzing the resulting trail of audit events.
- Authenticate: (1) To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in the system. (2) To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
- Authenticated User: A user who has accessed an application or system with a valid identifier and authentication combination.
- Authorization: The granting of access rights to a user, program, or process.
- BIA (Business Impact Analysis): Identifies the organization's critical applications and systems and the estimated outage time that can be tolerated for each. Risk assessment and qualitative and quantitative analysis are performed to evaluate all potential threats and the amount of potential loss.
- Business Continuity Plan (BCP): An all-encompassing term covering both disaster recovery planning and business resumption planning. This umbrella term also refers to other aspects of disaster recovery, such as emergency management, human resources, and media or press relations. From the National Institute of Standards and Technology (NIST) perspective, a BCP identifies procedures for sustaining essential business operations while recovering from a significant disruption. The plan addresses the business processes and is Information Technology based only in its support for those processes.
- Business Resumption Plan (BRP): The operations piece of business continuity planning; it provides procedures for recovering business operations immediately following a disaster. The plan requires documentation of the critical business functions that must be recovered for business processes to continue, and it addresses the business processes themselves. It is not Information Technology based; the IT focus only supports the business processes.
- Classification of Data: Data that is identified by sensitivity level. The data owner classifies the data and is responsible for ensuring that the security controls are commensurate with each classification level. Business classification levels are usually divided into public, sensitive, private, and confidential:
  - Public: Information that, if disclosed, will not cause harm to the organization, environment, or personnel.
  - Sensitive: Any information whose disclosure could damage the organization, environment, business partners, customers, or other third parties (e.g., social security numbers, credit card numbers).
  - Private: Any information whose disclosure could cause serious damage to the organization, environment, business partners, customers, or other third parties (e.g., salary information, medical records).
  - Confidential: Any information whose disclosure could cause grave damage to the organization, environment, business partners, customers, or other third parties (e.g., trade secrets, high-clearance security information).
- CSI/FBI: The "Computer Crime and Security Survey" conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness and to help determine the scope of computer crime in the United States.
- Data: Information with a specific physical representation. Data can exist in a variety of forms: as numbers or text on pieces of paper, as bits and bytes stored in electronic computer memory, or as facts stored in a person's mind.
- Data Integrity: The property that data meet an a priori expectation of quality.
- Data Owner: Usually a member of senior management who is ultimately responsible for ensuring the protection and proper use of the organization's data.
- Data Custodian: A role delegated by the data owner that is responsible for the maintenance and protection of the organization's data.
- Degree of Criticality: The standard five-category criticality classification scheme comprises highly critical, critical, priority, required, and deferrable. Each category has a time period within which the application or system must be recovered. The business requirements determine which category an application or system belongs to.
- Dial-up Access: A temporary, as opposed to dedicated, connection between two computers (Internet or network) established over a standard phone line, using a modem at each end of the telephone circuit.
- Disaster Recovery (DR): A coordinated activity to enable the recovery of IT and business systems after a disruption. DR can be achieved by restoring IT/business operations at an alternate location, recovering IT/business operations using alternate equipment, and/or performing some or all of the affected business processes using manual methods.
- Disclosure: Permitting access to, or the release, transfer, or other communication of, confidential, private, or sensitive information, whether orally, in writing, by electronic means, or by any other means, to any party.
- Discretionary Access Control (DAC): A means of restricting access to objects based on the identity and need-to-know of the user, process, and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
- Due Care: The organization has taken the necessary steps to protect its resources and personnel from possible risks. This is usually implemented through the development of security policies, procedures, and standards. An organization that does not practice due care regarding the security of its resources and personnel can be legally liable for negligence and held accountable for the ramifications of that negligence.
- Due Diligence: Implementing security policies and the mechanisms that support them demonstrates due diligence; the security mechanisms are continually maintained and kept operational. An organization that does not practice due diligence regarding the security of its assets can be legally liable for negligence and held accountable for the ramifications of that negligence.
- Encryption: The transformation of plaintext (also called cleartext, i.e., data in an understandable format) into ciphertext (an unreadable format). Encryption is accomplished using an algorithm (a set of mathematical functions) and an encryption "key" (a secret sequence of bits and instructions).
- Exposure: A state in a computing system (or set of systems) which is not a universal vulnerability.
- Formal Security Policy Model: A mathematically precise statement of a security policy. Such a model must represent the initial state of a system, the way in which the system progresses from one state to another, and a definition of a "secure" state of the system.
- Hacking: The unauthorized use of, or attempts to circumvent or bypass the security mechanisms of, an information system or network. The term "hacker" refers to individuals who gain unauthorized access to computer systems for the purpose of stealing or corrupting data. Hackers themselves maintain that the proper term for such individuals is "cracker".
- Hardware: The physical or mechanical devices that make up a computer system, such as the central processing unit, monitor, keyboard, and mouse, as well as other equipment such as printers and speakers. The physical components of a computing system, as contrasted with software, the logical instructions that manipulate the hardware and work on the data.
- Identification: The process that enables recognition of an entity by a system, generally through the use of unique machine-readable user names.
- Identity Theft: The deliberate assumption of another person's identity, usually to gain access to their credit or to frame them for some crime. It can also be used to enable illegal immigration, terrorism, or espionage, or to change identity permanently. It may be a means of blackmail, especially if medical or political privacy has been breached and revealing the activities undertaken by the thief under the victim's name would have serious consequences (e.g., loss of job or marriage). Identity theft is usually the result of serious breaches of privacy.
- Incident: An event that has caused, or has the potential to cause, damage to an organization's business systems, facilities, or personnel.
- Incident Handling: The primary goal is to contain and repair any damage caused by an event and to prevent any further damage.
- Integrity: Sound, unimpaired, or perfect condition.
- Internal Security Controls: Hardware, firmware, and software features within a system that restrict access to resources (hardware, software, and data) to authorized subjects only (persons, programs, or devices).
- Least Privilege: This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.
- Mandatory Access Control (MAC): A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access that information.
- Networks: A computer network is a group of computers that are linked so that information can travel between them. The computers could be in the same room and linked via copper cables, or located in different countries and linked by satellites, phone lines, or fibre optic cables. The Internet is one of the world's largest networks. Wireless networks transmit information over public airwaves (the same used by television, radio, and cell phones).
- OES: Office of Enterprise Security.
- Penetration: The successful act of bypassing the security mechanisms of a system.
- Pharming: Involves Trojan programs, worms, or other virus technologies that attack the Internet browser address bar, and is much more sophisticated than phishing. When users type in a valid URL they are redirected to the criminals' websites instead of the intended valid website.
- Phishing: The act of tricking someone into giving out confidential information, or into doing something they normally would not or should not do. For example: sending an e-mail to a user while falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.
- Physical Security Controls:
  - Key Pads: Usually placed near a door to let you operate your system; a keypad can function as an input device that allows the user to enter a code for physical access to a secured area. Most often, the keypad also informs you of the status of the system (e.g., armed, disarmed).
  - Proximity Badges: Cards or badges that identify individuals to a physical area or computer system through the access control system. If authenticated, access is allowed.
  - Biometric Devices: Security devices that verify personal characteristics such as fingerprints, hand size, signatures, voiceprints, or eye images for authentication to the access control system.
- Pilot: A test application or system that is used to determine requirements or issues that may arise when it is implemented in a production environment. A pilot system is a test system, not a production system.
- Production Environment: Where an application or system resides that hosts actual (real) data, as opposed to test data, or that is available on a publicly accessible network or server.
- Process: A program in execution.
- Risk: The possibility of something damaging happening (i.e., a threat agent exploiting a vulnerability) to a system, environment, or personnel.
- Risk Management: The process of identifying, assessing, and reducing risk to an acceptable level, and implementing the right mechanisms to maintain that level of risk.
- Risk Assessment/Analysis: A method of identifying risks and determining the possible damage that could be caused, in order to justify security safeguards. The three main goals are to identify risks, to quantify the impact of the potential threats, and to provide an economic balance between the impact of the risk and the cost of the safeguard.
- Safeguard: A security countermeasure that operates as a protection mechanism against a threat.
- SDLC (Systems Development Life Cycle): A detailed and specific set of procedures, steps, and documents that carry a project through its technical development. It includes an Initiation Phase, Planning Phase, Functional Design Phase, System Design Phase, Development Phase, Integration and Testing Phase, Installation and Acceptance Phase, and Maintenance Phase.
- Security Level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
- Security Policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
- Security-Relevant Event: Any event that attempts to change the security state of the system (e.g., change discretionary access controls, change the security level of a subject, change a user password). Also, any event that attempts to violate the security policy of the system (e.g., too many attempts to log in, attempts to violate the mandatory access control limits of a device, attempts to downgrade a file).
- Security Testing: A process used to determine that the security features of a system are implemented as designed. This includes hands-on functional testing, penetration testing, and verification.
- Software: Any data, information, designs, or ideas which were, are, or will become computer files, programs, systems of programs, or related input or output data. It may be recorded in any form, including electronically, magnetically, optically, or on paper, and may or may not be located inside a computer system.
- SOM: State of Michigan.
- Spoofing: An attempt to gain access to a system by posing as an authorized user. Synonymous with impersonating, masquerading, or mimicking.
- Test Plan: A document, or a section of a document, that describes the test conditions, data, and coverage of a particular test or group of tests.
- Test Program: A program which implements the test conditions when initialized with the test data and which collects the results produced by the program being tested.
- Threat: The possibility that a vulnerability may be exploited to cause harm to a system, environment, or personnel.
- Unauthorized Access: Gaining access to any computer, network, storage medium, system, program, file, user area, or other private repository without the express permission of the owner. Unauthorized access is the same as theft.
- Verification: The process of comparing two levels of system specification for proper correspondence (e.g., security policy model with top-level specification, top-level specification with source code, or source code with object code). This process may or may not be automated.
- Viruses:
  - Virus: A program or code that attaches itself to a legitimate, executable program and then reproduces itself when that program is run.
  - Worm: A self-contained program (or set of programs) that is able to spread copies of itself to other computer systems. This usually takes place through network connections or email attachments.
  - Trojan Program: A program that neither replicates nor copies itself, but performs some illicit activity when it is run. It stays in the computer doing its damage, or allows somebody at a remote site to take control of the computer.
- Vulnerability: Any fact about a computer system that is a legitimate security concern.