These definitions have been established to
standardize the use of ITS terminology and to help non-ITS personnel
to better understand the various concepts.
- A person or event that has the potential for impacting a valuable
resource in a negative manner. See the "Information Technology
Threats and Vulnerabilities" document for more detail.
- That quality of a resource or its environment that allows a
threat to be realized. See the "Information Technology Threats
and Vulnerabilities" document for more detail.
- Any effort to prevent a threat from having a negative impact,
or to limit the damage where total prevention is not possible,
or to improve the speed or effectiveness of the recovery effort.
See the "Information Technology Threats and Vulnerabilities"
document for more detail.
- A potential threat making its presence known, without negative
impact. More specifically, security activities are commonplace,
do not violate policy, and are not likely to lead directly to
compromise or denial of service. A virus detected and eradicated
without damage falls into this category. In the interest of security
auditing and risk assessment, certain security activities by HQ
users will be sanctioned by Code CI, without prior general notice.
- A threat having a negative impact on HQ resources or violating
HQ policy. More specifically, security incidents involve unauthorized
access to an HQ system, unauthorized activity on an HQ system,
denial of service, non-trivial probing for an extended period
of time, or other activities that could be expected to lead directly
to any of the above. Damage caused by a virus or other malicious
software falls into this category. A security incident requires
a response governed by the Incident Response Process and may require
that an ADP/T Security Incident Report form (NHQ FORM 187) be
filed by a member of the Security Team. A written report is not
required for a virus incident unless the damage is wide-spread.
- A security incident or unsanctioned security activity attributable
to a NASA user or contractor. A security infraction requires that
NASA Management be notified immediately.
Security Exception - A security activity, incident, infraction, outage or anomaly worthy of reporting at the HQ Daily Tag-up for the purpose of proper reaction, coordination or general awareness. NOTE: Per the NASA Chief of the Support Services Branch, events involving an ongoing investigation or response are not to be reported at Tag-up; once resolved, they may be summarized for general benefit.
- A brief but formal process overseen by the Security Team that
results in a brief report (2-3 page database printout) indicating
the extent to which a planned change complies with HQ policy and
best practices and meets any security requirements established
for the affected systems and services. A Security Review may be
requested at any stage of a project including the conceptual planning
stage. Updates may be requested multiple times over the life of
a project (SRR, PDR, CDR, DRR, TRR, ORR, MRR, CCB, etc.). A standardized
hardware and software review questionnaire is used as input. The
resulting database printout should be included in any related
- A lengthy, formal process conducted by the Security Team that
results in a written report (3-20 pages) indicating the extent
to which a valuable resource or collection of resources is/are
susceptible to loss or degradation due to a certain threat or
collection of threats. A generic list of threats and vulnerabilities
that may apply to HQ IT resources is maintained as a separate
document ("Information Technology Threats and Vulnerabilities")
which serves as the basis for risk assessments.
- A formal written report (20-75 pages) produced by the Security
Team, based on a risk assessment, that details the appropriate
mitigations for all vulnerabilities identified and addresses life-cycle
security. In the case of a general support system or major application
that falls under the purview of the Office of Management and Budget
(OMB), a security plan in a prescribed format is mandated.
- Data that fails the "newspaper test" should be considered
sensitive (i.e. would anyone be upset if the information appeared
in tomorrow's newspaper?). More specifically, NASA defines sensitive
information as "unclassified information that requires protection
due to the risk and magnitude of loss or harm that could result
from inadvertent or deliberate disclosure, alteration, or destruction
of the information. This includes information whose improper use
or disclosure could adversely affect the ability of an agency
to accomplish its mission, proprietary information, records about
individuals requiring protection under the Privacy Act, and information
not releasable under the Freedom of Information Act. (Reference
OMB Circular A-130.) This is not the same as the NSA term
"sensitive, but unclassified information."" [from
NASA Automated Information Security Handbook, NHB 2410.9A]
- "Reasonable and due care" must be exercised when handling
sensitive information. More specifically, sensitive information
must never be left unattended unless stored in an area physically
and logically accessible only by authorized individuals, or in
a physically or logically locked container that is reasonably
resistant to casual browsing.
- A firewall is a device or collection of devices able to log,
monitor and control the flow of communications between two networks.
It is used to implement a network security policy. To be effective,
it must be located at a single point on the network through which
all communications between the secure internal network and an
outside untrusted network must pass. NOTE: HQ is implementing
an HQ-wide firewall.
Scanning / Monitoring - "Scanning" is the electronic auditing of a system or service for the purpose of finding (and then hopefully correcting) security weaknesses before they can be exploited; this is a snapshot that only "sees" what is up and running at the time the scan is conducted. "Monitoring" is the reviewing of traffic on the network for the purpose of finding unwanted activity that may constitute or lead to an attack or indirectly indicate a security weakness; this process can raise alerts in real time, but more commonly the data is captured over a period of time and then later reviewed. HQ currently uses several automated scanning and monitoring tools in order to maintain good system and service security (the firewall is not a panacea - it does nothing to protect against the "inside" threat, and eventually the firewall will be beached).