Three-dimensional space (expressed in feet of radius) surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is considered not practical. It also means legal authorities can identify and remove a potential TEMPEST exploitation. Control zone deals with physical security over sensitive equipment containing sensitive information. It is synonymous with zone of control.

Controlled access protection

Consists of a minimum set of security functions that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

Controlled interface

A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. It also controls the flow of information into or out of an interconnected system. Controlled interfaces, along with managed interfaces, use boundary protection devices, such as proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels (e.g., routers protecting firewalls and application gateways residing on a protected demilitarized zone). These devices prevent and detect malicious and other unauthorized communications.

Controllers (hardware)

A controller is a hardware device that coordinates and manages the operation of one or more input/output devices, such as computer terminals, workstations, disks, and printers.

Controlled access area

Part or all of an environment where all types and aspects of an access are checked and controlled.

Cookies (website)

(1) A small file that stores information for a website on a user’s computer. (2) A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. Cookies have two mandatory parameters (name and value) and four optional parameters (expiration date, path, domain, and secure). Four types of cookies exist: persistent, session, tracking, and encrypted.

Corrective controls

Actions taken to correct undesirable events and incidents that have occurred. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Corrective maintenance

Changes to software necessitated by actual errors in a system.

Correctness

The degree to which software or its components are free from faults and/or meet specified requirements and/or user needs. Correctness is not an absolute property of a system; rather it implies the mutual consistency of a specification and its implementation. It is also the property of being consistent with a correctness criterion, such as a program being correct with respect to its system specification or a specification being consistent with its requirements.

Correctness proof

A mathematical proof of consistency between a specification and its implementation. It may apply at the security model-to-formal specification level, at the formal specification-to-higher order language code level, at the compiler level, or at the hardware level. For example, if a system has a verified design and implementation, then its overall correctness rests with the correctness of the compiler and hardware. When a system is proved correct, it can be expected to perform as specified but not necessarily as anticipated if the specifications are incomplete or inappropriate. It is also known as proof of correctness.

Cost-benefit

A criterion for comparing programs and alternatives when benefits can be valued in dollars. Also referred to as benefit/cost ratio, which is a function of equivalent benefits and equivalent costs.

Cost-risk analysis

The assessment of the costs of potential risk of loss or compromise without data protection versus the cost of providing data protection.

Countermeasures

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

Coupling
