Information Technology Security Definitions

These definitions have been established to standardize the use of ITS terminology and to help non-ITS personnel to better understand the various concepts.

Security Threat - A person or event that has the potential for impacting a valuable resource in a negative manner. See the "Information Technology Threats and Vulnerabilities" document for more detail.

Security Vulnerability - That quality of a resource or its environment that allows a threat to be realized. See the "Information Technology Threats and Vulnerabilities" document for more detail.

Security Mitigation - Any effort to prevent a threat from having a negative impact, or to limit the damage where total prevention is not possible, or to improve the speed or effectiveness of the recovery effort. See the "Information Technology Threats and Vulnerabilities" document for more detail.

Security Activity - A potential threat making its presence known, without negative impact. More specifically, security activities are commonplace, do not violate policy, and are not likely to lead directly to compromise or denial of service. A virus detected and eradicated without damage falls into this category. In the interest of security auditing and risk assessment, certain security activities by HQ users will be sanctioned by Code CI, without prior general notice.

Security Incident - A threat having a negative impact on HQ resources or violating HQ policy. More specifically, security incidents involve unauthorized access to an HQ system, unauthorized activity on an HQ system, denial of service, non-trivial probing for an extended period of time, or other activities that could be expected to lead directly to any of the above. Damage caused by a virus or other malicious software falls into this category. A security incident requires a response governed by the Incident Response Process and may require that an ADP/T Security Incident Report form (NHQ FORM 187) be filed by a member of the Security Team. A written report is not required for a virus incident unless the damage is widespread.

Security Infraction - A security incident or unsanctioned security activity attributable to a NASA user or contractor. A security infraction requires that NASA Management be notified immediately.

Security Exception - A security activity, incident, infraction, outage or anomaly worthy of reporting at the HQ Daily Tag-up for the purpose of proper reaction, coordination or general awareness. NOTE: Per the NASA Chief of the Support Services Branch, events involving an ongoing investigation or response are not to be reported at Tag-up; once resolved, they may be summarized for general benefit.

Security Review - A brief but formal process overseen by the Security Team that results in a brief report (2-3 page database printout) indicating the extent to which a planned change complies with HQ policy and best practices and meets any security requirements established for the affected systems and services. A Security Review may be requested at any stage of a project including the conceptual planning stage. Updates may be requested multiple times over the life of a project (SRR, PDR, CDR, DRR, TRR, ORR, MRR, CCB, etc.). A standardized hardware and software review questionnaire is used as input. The resulting database printout should be included in any related presentation.

Risk Assessment - A lengthy, formal process conducted by the Security Team that results in a written report (3-20 pages) indicating the extent to which a valuable resource or collection of resources is susceptible to loss or degradation due to a certain threat or collection of threats. A generic list of threats and vulnerabilities that may apply to HQ IT resources is maintained as a separate document ("Information Technology Threats and Vulnerabilities") which serves as the basis for risk assessments.

Security Plan - A formal written report (20-75 pages) produced by the Security Team, based on a risk assessment, that details the appropriate mitigations for all vulnerabilities identified and addresses life-cycle security. In the case of a general support system or major application that falls under the purview of the Office of Management and Budget (OMB), a security plan in a prescribed format is mandated.

Sensitive Information - Data that fails the "newspaper test" should be considered sensitive (i.e. would anyone be upset if the information appeared in tomorrow's newspaper?). More specifically, NASA defines sensitive information as "unclassified information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. This includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act. (Reference OMB Circular A-130.) This is not the same as the NSA term 'sensitive, but unclassified information.'" [from NASA Automated Information Security Handbook, NHB 2410.9A]

Handling Procedures - "Reasonable and due care" must be exercised when handling sensitive information. More specifically, sensitive information must never be left unattended unless stored in an area physically and logically accessible only by authorized individuals, or in a physically or logically locked container that is reasonably resistant to casual browsing.

Firewall - A firewall is a device or collection of devices able to log, monitor and control the flow of communications between two networks. It is used to implement a network security policy. To be effective, it must be located at a single point on the network through which all communications between the secure internal network and an outside untrusted network must pass. NOTE: HQ is implementing an HQ-wide firewall.

Scanning / Monitoring - "Scanning" is the electronic auditing of a system or service for the purpose of finding (and then hopefully correcting) security weaknesses before they can be exploited; this is a snapshot that only "sees" what is up and running at the time the scan is conducted. "Monitoring" is the reviewing of traffic on the network for the purpose of finding unwanted activity that may constitute or lead to an attack or indirectly indicate a security weakness; this process can raise alerts in real time, but more commonly the data is captured over a period of time and then later reviewed. HQ currently uses several automated scanning and monitoring tools in order to maintain good system and service security (the firewall is not a panacea - it does nothing to protect against the "inside" threat, and eventually the firewall will be breached).