It's Time to Standardize our Terminology

As a new year dawns, it brings with it all kinds of new adventures... and new challenges.

There has been a lot of attention given to information assurance, and, in response to that, many new companies have entered the field, along with many new security professionals. Amidst all of this, I have joined a new company, which has new clients, peers and management. Despite all the change, I figured the one constant in all this newness would be the security terminology.

I was mistaken.

Information assurance, for example, has multiple definitions in the security world. According to the National Institute of Standards and Technology (NIST), information assurance is defined as ''measures that protect and defend information and information systems, ensuring their availability, integrity, authentication, confidentiality and non-repudiation''. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. This definition covers many areas, but not all areas.

I have heard people say information assurance should be the responsibility of the facility security officer (FSO). I've also heard that only those technical engineers who can penetrate the operating systems of the various information systems are considered to be information assurance experts. But this one is my personal favorite... If a system has the mandatory three feet of security documentation, then it meets all the IA requirements -- even if that documentation does not adequately address system operation or its security features.

We need to stop paper-whipping the accreditations.

Information assurance should not be just a buzzword. It should be an overarching umbrella that covers and pulls together all the security disciplines. It shouldn't address only those disciplines that are easy to implement at the time. Information assurance needs to address all the measures that will protect and defend the information, including all the technical security features of the system/network, the personnel, the physical environment and the policies that are implemented.

Another security term that is often misconstrued is risk assessment. Again, if we turn to the NIST glossary, risk assessment is the ''process of analyzing threats to and vulnerabilities of an information system, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures.''

Risk assessment has been referred to as the scans that are run on an operating system or the results of penetration activity. The risk assessment of a system, however, is much more than the scripts and their results.

In addition to the vulnerability assessment, a risk assessment should include input from personnel, and information gathered through questionnaires. (The NIST Risk Assessment Questionnaire is highly recommended.) Then, by assessing all the information gathered through the interviews, scans, tests and documentation reviews, a well-informed decision can be made about the risk level.

And here are another couple of pieces of terminology that I see confused on a regular basis -- certification and accreditation.

Certification is the process of conducting activities to determine if a system's security features and the associated policies are implemented correctly.

Accreditation is the statement made by the designated approving authority (DAA) that allows the system to be operational. In other words, the DAA has the authority to accept the risk the system has within that particular operational environment.

This often gets confused. Some will say the DAA has certified a system, when in reality the DAA has made an accreditation decision. And some mistakenly think a system has been certified, but actually the system has undergone stringent testing. What gets really confusing is when a security official says his/her system is certified. Does that mean the system is at a certain EAL (level of assurance) or does it mean that the system has undergone the certification and has been accredited?

A misunderstanding could lead to serious consequences.

As more people, processes and policies are introduced into the security arena, one of the first steps we need to take this year is to standardize our terminology. Having clear definitions will allow us to better share information... and understand each other. Using the NIST glossary may be a good method to baseline our terminology. And then we will be better equipped to share our ideas with each other.
