
TERM MEANING

access control
Enabling the authorised use of a resource while preventing unauthorised use, or use in an unauthorised manner.

accreditation
A procedure by which an authoritative body gives formal recognition, approval and acceptance of the residual security risk associated with the operation of a system.

accreditation authority
The authoritative body associated with accreditation activities. Advice on who should be recognised as an agency's accreditation authority can be found in the Conducting Accreditation section of the ISM Controls manual.

agency
Includes all Australian government departments, authorities, agencies or other bodies established in relation to public purposes, including departments and authorities staffed under the Public Service Act 1999 and the Public Governance, Performance and Accountability Act 2013.

agency head
The government employee with ultimate responsibility for the secure operation of agency functions, whether performed in-house or outsourced.

application whitelisting
An approach in which all executables and applications are prevented from running by default, with only an explicitly defined set of executables allowed to execute.
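Application whitelisting as defined above, shown as an added worked example that is not part of the original glossary and is not ISM or ASD tooling: a default-deny execution policy keyed on SHA-256 digests of file contents, exercised against files constructed in a temporary directory. The file names and contents, and the `ApplicationAllowList` class itself, are assumptions made for illustration.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ApplicationAllowList:
    """Default-deny execution policy keyed on file content, not on file name or path (illustrative)."""

    def __init__(self, approved_digests):
        self._approved = frozenset(approved_digests)

    def decide(self, path: Path) -> str:
        # Anything that cannot be hashed (missing or unreadable file) fails closed.
        try:
            digest = sha256_of(path)
        except OSError:
            return "deny"
        return "allow" if digest in self._approved else "deny"


def run_demo() -> dict:
    """Exercise the policy against constructed files; returns the decision for each case."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "approved.exe"
        approved.write_bytes(b"MZ approved build 1.0")  # constructed stand-in for a vetted binary

        # The allow list holds the digest of the vetted bytes, nothing about the path.
        policy = ApplicationAllowList([sha256_of(approved)])

        # Same bytes under a different name: still allowed, because the rule is content-based.
        renamed = root / "harmless_looking.txt"
        renamed.write_bytes(approved.read_bytes())

        # Approved path, but the bytes were altered in place (e.g. trojaned): denied.
        approved.write_bytes(b"MZ approved build 1.0" + b"\x90" * 8)

        # Never-vetted executable: denied by default, no rule is needed for it.
        unknown = root / "dropper.exe"
        unknown.write_bytes(b"MZ something else")

        return {
            "renamed_copy_of_approved": policy.decide(renamed),
            "tampered_at_approved_path": policy.decide(approved),
            "unknown_binary": policy.decide(unknown),
            "missing_file": policy.decide(root / "does_not_exist.exe"),
        }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

Hashing the bytes rather than matching a path or name is what makes the approach hold up: a renamed copy of an approved binary still runs, while a modified file at the approved path and any never-vetted binary are refused without a rule of their own. Production implementations such as Windows AppLocker or Windows Defender Application Control add publisher-signature rules on top of hash rules so that routinely patched binaries do not have to be re-hashed one by one.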

audit
An independent review of the validity, accuracy and reliability of information contained on a system. In the context of conducting system accreditations, an audit is an examination and verification of an agency's systems and procedures, measured against predetermined standards.

Australasian Information Security Evaluation Program (AISEP)
A program under which evaluations are performed by impartial companies against the Common Criteria. The results of these evaluations are then certified by ASD, which is responsible for the overall operation of the program.

authentication
Verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

availability
The assurance that systems are available and accessible by authorised entities when required.

certification
A procedure by which a formal assurance statement is given that a deliverable conforms to a specified standard.

SUPPORTING INFORMATION

certification authority
An official with the authority to assert that a system complies with prescribed controls in a standard.

classification
The categorisation of information or systems according to the business impact level associated with the information or system.

classified information
Government information that requires protection from unauthorised disclosure.

confidentiality
The assurance that information is disclosed only to authorised entities.

cross domain solution
An information security system capable of implementing comprehensive data flow security policies with a high level of trust between two or more differing security domains.

cryptographic algorithm
An algorithm used to perform cryptographic functions such as encryption, integrity, authentication, digital signatures or key establishment.

cryptographic protocol
An agreed standard for secure communication between two or more entities to provide confidentiality, integrity, authentication and non-repudiation of information.

cyber security
Security measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means.

cyber security event
An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

cyber security incident
A single unwanted or unexpected cyber security event, or a series of them, that has a significant probability of compromising business operations and threatening information security.

Cyber Security Incident Reporting scheme
A scheme established by ASD to collect information on cyber security incidents that affect government systems.

data spill
The accidental or deliberate exposure of classified, sensitive or official information into an uncontrolled or unauthorised environment, or to persons without a need-to-know.

declassification
A process whereby information is reduced to an unclassified state and an administrative decision is made to formally authorise its release into the public domain.

emanation security
The countermeasures employed to reduce classified emanations from a facility and its systems to an acceptable level. Emanations can be in the form of radio frequency energy, sound waves or optical signals.

firewall
A system designed to prevent unauthorised access to or from a network or system.

gateway
A system that securely manages data flows between connected networks from different security domains. Refer to the Cross Domain Security chapter of the ISM Controls manual for further information.

handling requirements
An agreed standard for the storage and dissemination of classified or sensitive information to ensure its protection. This can include electronic information, paper-based information or media containing information.

hardware
A generic term for any physical component of information and communication technology.

ICT system
A related set of hardware and software used for the processing, storage or communication of information, and the governance framework in which it operates.

infrared device
Devices such as mice, keyboards, pointing devices and mobile devices that have an infrared communications capability.

information security
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

Information Security Registered Assessor Program (IRAP)
An ASD initiative designed to register suitably qualified information security assessors to carry out specific types of security assessments, including for gateways and information systems up to the SECRET classification level.

integrity
The assurance that information is unmodified.

malware
Malicious software used to gain unauthorised access to computers, steal information and disrupt or disable networks. Types of malware include logic bombs, trapdoors, Trojans, viruses and worms.

media
A generic term for hardware that is used to store information, such as USB sticks, portable hard drives, CDs and DVDs.

media destruction
The process of physically damaging media with the objective of making the data stored on it inaccessible. To destroy media effectively, only the actual material in which the data is stored needs to be destroyed.

media disposal
The process of relinquishing control of media when it is no longer required, in a manner that ensures that no data can be recovered from the media.

media sanitisation
The process of erasing or overwriting data stored on media so that the data cannot be retrieved or reconstructed.

metadata
Information that describes data. This can include how the data was created, the time and date of creation, the author of the data and the location on a network where the data was created.

mobile device
A portable computing or communications device with information storage capability that can be used from a non-fixed location. Mobile devices include mobile phones, smartphones, portable electronic devices, personal digital assistants, laptops, netbooks, tablet computers and other portable Internet-connected devices.

multifunction devices
The class of devices that combines printing, scanning, copying, faxing or voice messaging functionality in one device. These devices are often designed to connect to computer and telephone networks simultaneously.

need-to-know
The principle of giving a person only the information they require to fulfil their role.

network device
Any device designed to facilitate the communication of information destined for multiple users, for example cryptographic devices, firewalls, routers, switches and hubs.

network infrastructure
The infrastructure used to carry information between workstations and servers or other network devices.

patch
A piece of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and other program deficiencies and improving the usability or performance of the software.

Protective Security Policy Framework (PSPF)
Produced by the Attorney-General's Department, the Australian Government Protective Security Policy Framework sets out the Australian Government's protective security requirements for the protection of its people, information and assets. It replaced the Protective Security Manual (PSM).

product
Technology, whether hardware or software, which enables the electronic storage, retrieval, manipulation, transmission or receipt of information in digital form.

reaccreditation
A procedure by which an authoritative body gives formal recognition, approval and acceptance of the residual security risk associated with the continued operation of a system.

risk
The chance of something happening that will affect objectives; it is measured in terms of event likelihood and consequence.

risk acceptance
An informed decision to accept a risk.

risk analysis
The systematic process to understand the nature, and deduce the level, of risk.

risk appetite
Statements that communicate the expectations of an agency's senior management about the agency's risk tolerance. These criteria help an agency identify risk and prepare appropriate treatments, and provide a benchmark against which the success of mitigations can be measured.

risk management
The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

risk mitigation
Actions taken to lessen the likelihood, the negative consequences, or both, associated with a risk.

residual risk
The remaining level of risk after risk treatments have been implemented.

security domain(s)
A security domain is a system or collection of systems operating under a security policy that defines the security to be applied to information on the system or systems. That security may be represented by a classification, caveat or releasability marking, with or across classifications.

sensitive information
Either unclassified or classified information identified as requiring extra protections (e.g. compartmented information or information carrying a Dissemination Limiting Marker).

softphone
A software application that allows a workstation to act as a voice over Internet Protocol (VoIP) phone, using either a built-in or an externally connected microphone and speaker (e.g. Skype).

system
A related set of hardware and software used for the processing, storage or communication of information, and the governance framework in which it operates.

threat
Any circumstance or event with the potential to harm an information system through unauthorised access, destruction, disclosure or modification of data, and/or denial of service. Threats arise from human actions and natural events.

user
An entity authorised to access an information system.

vulnerability
In the context of information security, a vulnerability is a weakness in system security requirements, design, implementation or operation that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy.

wireless access point
A device which enables communications between wireless clients. It is typically also the device which connects the wireless local area network to the wired local area network.

workstation
A stand-alone or networked single-user computer.
