A

Acceptable use policy – an acceptable use policy sets out what the organisation considers acceptable behaviour on, and acceptable use of, e-mail and Internet access systems. A number of legal and employment (Human Rights Act and Regulation of Investigatory Powers Act in the UK) issues affect the development and deployment of acceptable use policies, but this should not deter organisations from putting them in place.

Access – the opportunity (physical or logical or both) to use any information processing facilities or any component of them (e.g. a piece of data, an application, etc.).

Access agreement – this is an agreement, between an organisation and each of its employees, issued prior to release of a specific user name, in which the employee accepts the access rights and privileges attached to that user name and agrees to follow a series of procedures and requirements in respect of the use of that user name. This usually includes agreement to comply with the acceptable use policy.

Access control – the means to ensure that access to assets is authorised and restricted based on business and security requirements (#); in practical terms, this is the policy of controlling access to information processing facilities through a combination of access agreements and technological security measures that implement the policy guidelines. These controls therefore restrict the rights of individual users to access information processing facilities. User access rights reflect user access controls: the user has the right to do those things that the controls allow.

Access control list (ACL) – a formal (preferably approved) list of the users who have defined access rights to an asset within the information processing facilities; its purpose is to ensure that only legitimate users can access the asset, and only in the ways listed.

Access point (AP) – a wireless hub that enables wireless computers to access a wired (or fixed) network.

Access rights – are usually determined by a policy that users should only have access to those systems and assets that they need in order to do their jobs and that everything else is expressly forbidden to them. These access rights are usually enforced through the user agreement and the configuration of the systems.
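The three entries above (access control, access control list and access rights) describe one mechanism: a list of who may do what to an asset, with everything not listed forbidden. The following is an added example, not text or code from the glossary, showing how such a list is evaluated in practice: the user's groups are expanded, explicit deny entries take precedence over allows (as Windows ACLs do), and any asset or right not explicitly granted is refused (default deny). The users, groups and asset names are constructed for the example.

```python
"""Added example (not from the glossary): evaluating a simple access control list.

Assumptions: an ACL is a per-asset list of entries naming a user or a group
together with the rights granted (or, for deny entries, refused). Anything not
explicitly granted is denied, which is the policy the 'Access rights' entry
describes. All names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    subject: str            # a user name, or a group name prefixed with "group:"
    rights: frozenset       # e.g. frozenset({"read", "write"})
    deny: bool = False      # deny entries override allow entries


# Constructed ACL: asset -> entries. Only explicitly listed rights are granted.
ACL = {
    "payroll-db": [
        Entry("group:hr", frozenset({"read"})),
        Entry("alice", frozenset({"read", "write"})),
        Entry("dave", frozenset({"read"}), deny=True),   # dave is in hr but barred
    ],
    "source-repo": [
        Entry("group:dev", frozenset({"read", "write"})),
    ],
}

# Constructed group membership.
GROUPS = {
    "hr": {"bob", "dave"},
    "dev": {"alice", "carol"},
}


def subjects_for(user: str) -> set:
    """Identities an ACL entry may match for this user: the user plus its groups."""
    names = {user}
    for group, members in GROUPS.items():
        if user in members:
            names.add(f"group:{group}")
    return names


def rights_for(user: str, asset: str, acl=ACL) -> frozenset:
    """Effective rights: union of matching allow entries minus matching deny entries.
    An unknown asset has no entries and therefore yields no rights (default deny)."""
    wanted = subjects_for(user)
    allowed, denied = frozenset(), frozenset()
    for e in acl.get(asset, []):
        if e.subject in wanted:
            if e.deny:
                denied |= e.rights
            else:
                allowed |= e.rights
    return allowed - denied


def is_allowed(user: str, right: str, asset: str, acl=ACL) -> bool:
    """True only if the right survives the allow/deny evaluation above."""
    return right in rights_for(user, asset, acl)


if __name__ == "__main__":
    checks = [("bob", "read", "payroll-db"), ("bob", "write", "payroll-db"),
              ("dave", "read", "payroll-db"), ("carol", "write", "source-repo"),
              ("alice", "read", "no-such-asset")]
    for user, right, asset in checks:
        verdict = "ALLOW" if is_allowed(user, right, asset) else "DENY"
        print(f"{user:6} {right:5} {asset:14} -> {verdict}")
```

The practitioner's check here is the last line of the table: a request for an asset that has no ACL at all is denied, not allowed, because the evaluation starts from an empty set of rights rather than from "everything".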

Accreditation – the procedure through which an authoritative body formally recognises a person’s or organisation’s competence to carry out specified tasks. Not to be confused with certification. Third party certification (auditing) bodies become accredited and those they audit, subject to a successful outcome, become certificated.

Accountability – not obviously a computer-related term, but fundamental to effective information security: it is the concept that any activity within an information system should be traceable to an individual who can be held responsible for the action (or inaction) and its consequences. It is the notion that the ‘buck stops somewhere’ and is defined in ISO27000 as ‘responsibility of an entity for its actions and decisions’.

ACL – see Access control list.

ActiveX – a Microsoft ActiveX control is a ‘component object model technology’ designed to enable software components to communicate. It allows users to quickly and easily download added functionality to Internet Explorer and can be exploited by spyware.

Ad hoc mode – is a method of connecting up to nine wireless clients directly to one another, without the use of a wireless AP.

Administrator – this is the user role responsible for installation, configuration, updating, amendment or deletion of a system, usually a software system. An administrator can do anything, usually untraceably, and therefore administrator user names should only be issued to people of proven competence who have been successfully screened to ensure there is no history of malicious computer-related activity.

Advance fee fraud – any fraud that involves the victim paying money up front in exchange for the false hope of a payback later. Also known as ‘419’, after section 419 of the Nigerian Criminal Code that covers the offence, Nigeria being where this type of fraud originated.

Advanced encryption standard (AES) – (also known as ‘Rijndael’, a portmanteau formed from the names of its two inventors, Vincent Rijmen and Joan Daemen) this US government block cipher standard (FIPS 197) has a 128-bit block size and key lengths of 128, 192 or 256 bits; it was published in November 2001 to supersede DES and is widely deployed.

Advisory – an assessment of significant new information security trends or developments that may relate to broad trends or specific threats and technologies. Issued by organisations such as CERT (CERT is a centre of Internet security expertise, located at the Software Engineering Institute, a US government-funded research and development centre operated by Carnegie Mellon University).

Adware – advertising that is integrated into software, typically bundled with another application that is offered free of charge on condition that the adware runs. Adware is sometimes malicious.

AES – see Advanced encryption standard.

Ajax – Asynchronous JavaScript and XML – is a set of software techniques that help create interactive web applications.

Airborne viruses – are viruses that use short-range wireless connections (e.g. Bluetooth) for propagation. Mobile phones and PDAs are the targets of this sort of virus.

Analogue – ‘relating to or using information represented by a continuously variable physical quality (such as spatial position, voltage, etc.) rather than digitally’ is the definition provided in the OED (Concise, 11th edn); if the computer world of bits and bytes is the digital one, the physical world in which we live, eat and breathe is the analogue one.

Anti-malware software – this is software specifically developed to deal with malware: adware, spam, spim, spyware, Trojans, viruses, worms, and most automated exploits, irrespective of their attack vector. This term should not be seen as synonymous with anti-virus software, not all of which adequately reflects the range of ways in which individuals and organisations connect to the Internet. A good anti-virus software package will deal with all aspects of malware except for adware and spyware, which will need their own solutions.

Anti-spyware – software that will identify spyware packages installed on a computer and, if given the instruction by the user, will then remove all instances of them from the computer, wherever they may be hiding.

Anti-virus software:

  • Anti-virus software is software that is specifically designed to detect and halt viruses, worms and Trojans in e-mail. It is not necessarily designed to deal with spyware, adware, spam, or anything coming through Instant Messenger software.
  • Anti-virus software tackles viruses at three points: it examines incoming e-mail (particularly attachments) at your e-mail gateway for known viruses; it scans the hard disk and all the files for any viruses that may have bypassed the gateway virus checker; and it scans outgoing e-mails to ensure they are not carrying an infection.
  • There are two types of virus detection. The first relies on identifying precise characteristics of viruses (by searching for their ‘signatures’ and comparing them with its database of known viruses) and the second (heuristic detection) searches for types of misbehaving programs. New worms are more likely to be detected by heuristic checks.
  • Normal viruses are only going to be detected if your anti-virus software has an up-to-date database of signatures. This means regular updates – daily is better than weekly.
  • Tip: allow the automatic update service to run the moment it alerts you; a large proportion of viruses and other exploits propagate themselves via computers that don’t yet have the latest updates installed.
  • Installing more than one anti-virus software package will not increase your protection – it may even decrease your protection if the packages conflict.
  • Windows XP Service Pack 2 does not contain anti-virus software. It will alert you if your anti-virus software is not running, or is not up to date, but that is all.
  • Today’s blended threats mean that your anti-virus software must integrate with your firewall and other anti-malware software (anti-spam, anti-spyware, Instant Message protection, etc.): unless you are a sophisticated user, you are better off finding and installing a package that covers all the bases rather than attempting to configure a number of different packages from a number of different suppliers to work together; if your current supplier hasn’t worked out how to do it, you might look for one who can.

AP – see Access point.

Applet – is a small Java program that runs in a browser. Unsigned applets run in a sandbox that prevents them from reading or writing the local file system or opening network connections to any host other than the one they were loaded from.

Application (or application software) – this is the software that users actually use, e.g. Microsoft Office or SAP.

Application layer – the standard TCP/IP model’s top layer, providing protocols for services such as e-mail, file transfer, etc.

Application Service Provider (ASP) – an organisation which provides application software on an outsourced, or rental, basis.

Architecture – the broad outline of a network (or a computer, or a software program) into which the detailed processes will be placed. An open architecture is one which allows for easy connection by devices from other manufacturers, while a proprietary architecture is designed to make this difficult.

Archive – see Auto-archive.

ARP – Address Resolution Protocol: the protocol by which hosts on a local network discover the MAC (hardware) address that corresponds to an IP address. Requests are broadcast and replies are accepted without any authentication.

ARP poisoning – a common method of ‘Man in the Middle Attack’ that exploits the lack of authentication in ARP: the attacker sends forged ARP replies so that victims associate the attacker’s MAC address with the IP address of the gateway or of another host, causing their traffic to pass through the attacker’s machine.
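Because ARP has no authentication, a host simply believes the most recent reply it sees; a monitor on the segment can still catch the attack by keeping its own table of IP-to-MAC bindings. The following is an added example, not from the glossary, of that detection logic run over constructed ARP reply records: it alerts when a known binding changes, refuses to let a reply overwrite a trusted anchor such as the gateway's real MAC, and flags one MAC claiming several IP addresses (the classic signature of an attacker impersonating both the gateway and a victim). The record layout is an assumption made for the example.

```python
"""Added example (not from the glossary): spotting ARP poisoning from ARP replies.

Assumptions: each record is "<time> reply <ip> is-at <mac>" (constructed
format); TRUSTED holds bindings learned out of band, e.g. from the switch.
"""
from collections import defaultdict

# Constructed ARP-reply records. At 10:00:07 a new MAC claims both the
# gateway (192.168.1.1) and a workstation (192.168.1.20).
ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 reply 192.168.1.21 is-at 00:11:22:33:44:21
10:00:07 reply 192.168.1.1 is-at DE:AD:BE:EF:00:99
10:00:07 reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:15 reply 192.168.1.30 is-at 00:11:22:33:44:30
"""

# Trust anchors that a reply must never overwrite (constructed gateway MAC).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def parse(line):
    """Split one record into (time, kind, ip, mac); MACs are normalised to lower case."""
    t, kind, ip, _, mac = line.split()
    return t, kind, ip, mac.lower()


def detect(log, trusted=TRUSTED):
    """Return (alerts, bindings).

    alerts is a list of tuples whose second element is the alert type:
      ("<time>", "binding-change", ip, old_mac, new_mac)
      ("<time>", "multi-ip-mac", mac, (ip, ip, ...))
    bindings is the IP -> MAC table the monitor believes after reading the log.
    """
    bindings = dict(trusted)      # start from what we know to be true
    claims = defaultdict(set)     # mac -> every IP it has claimed
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, kind, ip, mac = parse(line)
        if kind != "reply":
            continue
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((t, "multi-ip-mac", mac, tuple(sorted(claims[mac]))))
        known = bindings.get(ip)
        if known is not None and known != mac:
            alerts.append((t, "binding-change", ip, known, mac))
            if ip in trusted:
                continue      # never let an unauthenticated reply overwrite an anchor
        bindings[ip] = mac
    return alerts, bindings


if __name__ == "__main__":
    found, table = detect(ARP_LOG)
    for a in found:
        print(a)
    print("gateway still maps to", table["192.168.1.1"])
```

The multi-IP check is a strong signal on a flat access network but will also fire for legitimately multi-homed hosts, virtual IPs and failover pairs; in a real deployment those go on an allow-list next to the trusted anchors rather than being silently ignored.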

Arpanet – the network built by the US Advanced Research Projects Agency, the first packet-switched computer network, which went live in 1969 and grew through the 1970s. The Internet evolved from Arpanet, which was switched off in 1990.

ASCII – American Standard Code for Information Interchange: a widely used code that represents typed characters.

ASP – see Application Service Provider.

Asset – anything that has value to the organisation (# and *). This is not the same definition used by the financial team, and the corporate asset register will not list all the corporate information assets and, in particular, it will not value correctly those information assets which it does list. Information assets are likely to be of the following types:

  • Information: databases and data files, other files and copies of plans, system documentation, original user manuals, original training material, operational and other support procedures, continuity plans and other fallback arrangements, archived information, financial and accounting information.
  • Software: application software, operating and system software, development tools and utilities, e-learning assets, network tools and utilities.
  • Physical assets: computer equipment (including workstations, notebooks, PDAs, monitors, scanning machines, modems, printers), communications equipment (routers, cell phones, PABXs, fax machines, answering machines, voice conferencing units, etc.), magnetic media (tapes and disks), other technical equipment (power supplies, air conditioning units), furniture, lighting, other equipment.
  • Services: ‘groups of assets which act together to provide a particular function’, such as computing and communications services, general utilities e.g. heating, lighting, power, air-conditioning.
  • Intangibles: including intellectual property, reputation, brand, copyrights, image, etc.
  • People: particularly those who have key roles to play in the organisation, and on whom the organisation may be overly dependent, may also be assets in the ISMS.

ASV – Approved Scanning Vendor – an ASV has been approved by PCI SSC to carry out data security scans; you can find an ASV online: www.pcisecuritystandards.org/qsa_asv/find_one.shtml.

Asymmetric encryption – also known as public key encryption, is a system under which each party has a pair of mathematically linked keys, one private and one public. Anyone can use the public key to encrypt a message for the organisation, knowing that only the possessor of the private key will be able to decrypt it. Equally, anything that decrypts properly using the public key must have been produced with the complementary private key; this is the basis of digital signatures. A critical issue in public key cryptography is to attest the validity of the key pair and, in particular, that the named public key really is the organisation’s public key. This is done with a digital certificate, issued by a certificate authority.
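The two properties in the entry (anyone can encrypt to the public key but only the private key decrypts; only the private key can produce something the public key verifies) are easiest to see in textbook RSA. The following is an added example, not from the glossary: it generates a key pair from two small constructed primes, encrypts and decrypts an integer, then signs a message and shows verification failing for an altered message and for a different party's public key. It omits padding and uses toy-sized moduli, so it illustrates the mathematics only and must not be used to protect real data.

```python
"""Added example (not from the glossary): textbook RSA showing the two
directions of a public/private key pair.

Assumptions: tiny constructed primes, no OAEP/PSS padding, integers as
messages. Real systems use 2048-bit or larger moduli, padding and a vetted
library; nothing here is suitable for production.
"""
import hashlib
from math import gcd


def keygen(p, q, e=65537):
    """Public key (n, e) and private key (n, d) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Anyone holding the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    """Only the holder of the private key can recover m."""
    n, d = priv
    return pow(c, d, n)


def _digest_int(msg: bytes, n: int) -> int:
    # hash the message and reduce it into the modulus (stand-in for real padding)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes):
    """Signature = digest raised to the private exponent."""
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig) -> bool:
    """Raising the signature to the public exponent must give back the digest."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


if __name__ == "__main__":
    org_pub, org_priv = keygen(104723, 104729)     # constructed small primes
    other_pub, _ = keygen(1000003, 999983)         # a different party's pair
    c = encrypt(org_pub, 4242)
    print("decrypts to", decrypt(org_priv, c))
    s = sign(org_priv, b"invoice 17")
    print(verify(org_pub, b"invoice 17", s))       # True: right key, right message
    print(verify(org_pub, b"invoice 18", s))       # False: message altered
    print(verify(other_pub, b"invoice 17", s))     # False: wrong public key
```

The last line is the point the entry makes about certificates: verification only tells you the signature was made with the private key matching the public key you chose to check against, so the remaining problem is being sure that key really belongs to the organisation.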

Attachment – programs or documents that are attached to an e-mail.

Attack – an attempt to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset. #

Audit – systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled (ISO19011, section 3.1).

Audit criteria – a set of policies, procedures or requirements (used as a reference against which audit evidence is compared).

Audit evidence – records, statements of fact, or other information which is relevant to the audit criteria and verifiable.

Auditor – person with the demonstrated personal attributes and competence to conduct an audit. (For third party certification audits the auditor(s) are often called assessor(s).)

Authentication – the process of establishing that users are who they claim to be. The ISO27000 definition is: ‘provision of assurance that a claimed characteristic of an entity is correct’. An authentication process requires users to provide a combination of a user name and one or more credentials: something known (a password), something possessed (a hardware token, smart card or private key used to produce a digital signature), or a physical feature (biometrics). Weak authentication requires just a password; strong authentication (‘two factor’ authentication) requires at least two of these three types of credential. ‘Authenticity’ is the property that successful authentication establishes (see Authenticity).

Authenticity – is helpfully defined in ISO27001 as the ‘property that an entity is what it claims to be’.

Authorisation – once a user has been authenticated, authorisation to use the information, computer services or other system can be granted. Authorisation also applies to the step prior to granting a user name, when an organisation authorises an individual to have specific access rights.

Auto-archive – an automated process of archiving old digital material, particularly e-mail.

Auto-diallers – small software programs that automatically dial designated telephone numbers in order to connect users to their ISPs. This might be set up by design through Windows, or it might be an option offered while visiting a website. The latter are usually premium rate numbers and the cost of the calls is automatically added to the user’s ISP or telephone bill. There are Trojans that change your autodial settings to the more expensive ones.

Automated hacking script – a method of exploiting a vulnerability in software that has been turned into a piece of autonomous code and released onto the Internet.

Automatic updates – a software provider’s automated process for issuing updates (patches, fixes and upgrades) to their installed base of users, such that the update is executed with a minimum of user involvement.

Availability – this, with ‘confidentiality’ and ‘integrity’, is one of the three legs of any information security management system. Everyone in the standards world agrees on that. It’s a pity then that definitions of this term vary. The CISSP CBK (2nd edition) says that availability ‘refers to efforts made to prevent disruption of service and productivity’ but doesn’t explicitly define the term. Take your pick from those below.

Availability – property of being accessible and usable upon demand by an authorised entity. #

Availability – ensuring that authorised users have access to information and associated assets when required. **

Availability – ability of a component or service to perform its required function at a stated instant or over a stated period of time. ****

Awareness training – all employees of any organisation that uses computers need to be trained in their safe use, and kept aware of threats and responses to them.
