
“Three years before news stories of lost data were commonplace, we committed to whole disk encryption on all our laptops and field office computers. The decision is paying for itself many times over with saved notification costs, brand reputation, and by living up to our customer promise of protecting their identity and confidential information.”

—Pat Lefemine, Chief Information Security Officer, Lincoln Financial Group.

GuardianEdge Glossary: Compliance



A

Access

In respect to privacy, an individual's ability to view, modify and contest the accuracy and completeness of personally identifiable information collected about him or her. Access is an element of the Fair Information Practices.

See also: Fair Information Practices

 

American National Standards Institute (ANSI)

A not-for-profit organization that oversees the development of standards for products, services, processes and systems in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide.

 

ANSI

See definition for: American National Standards Institute (ANSI)

 

Authorization

To convey official sanction, access or legal power to an entity.

 

Availability

The property of a system or a system resource that ensures it is accessible and usable upon demand by an authorized system user. Availability is one of the core characteristics of a secure system.

See also: Secure system

 

B

Basel II

A revised framework for international convergence of capital measurement and capital standards. Based on work done by the Basel Committee on Banking Supervision, Basel II was designed to strengthen the soundness and stability of the international banking system while maintaining sufficient consistency that capital adequacy regulation will not be a significant source of competitive inequality among internationally active banks. The Basel Committee believes that the revised framework promotes the adoption of stronger risk management practices by the banking industry.

 


C

California Senate Bill 1386 (SB-1386)

A California state law requiring organizations that maintain personal information about individuals to inform California residents when a security breach involving their sensitive personal information has occurred. Commonly referred to as “SB 1386” or the “California Security Breach Information Act.” Went into effect July 1, 2003. The text of the law provided the foundation for similar or identical breach-notification laws in more than half of the states in the country.

 

Certification

Endorsement of information by a trusted entity.

 

21 CFR Part 11

See definition for: Code of Federal Regulations Title 21, Part 11

 

Code of Federal Regulations Title 21, Part 11

U.S. Food and Drug Administration (FDA) regulation that sets forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. It applies to records that FDA-regulated organizations (pharmaceutical, medical device and similar) are required to keep.

 

Common Criteria

The Common Criteria is an international standard (ISO/IEC 15408) for evaluating the security of information technology products. It was developed by the United States, Canada, France, Germany, the United Kingdom, and the Netherlands, and is additionally recognized by numerous other countries and non-governmental organizations, such as BITS, a non-profit consortium of 100 of the largest financial institutions in the United States. Products are evaluated against a Protection Profile or Security Target and assigned an Evaluation Assurance Level (EAL). In the US, the program is managed by the National Information Assurance Partnership (NIAP), a joint activity of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

See also: International Organization for Standardization (ISO)

 

Computer Emergency Response Team (CERT)

Security clearinghouse that promotes security awareness. CERT provides 24-hour technical assistance for computer and network security incidents. CERT is located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, PA.

 

D

Data broker

In legal terms, a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.

 

Data integrity

The property that information has not been altered by unauthorized or unknown means, together with the methods (such as checksums, message authentication codes and digital signatures) used to detect such alteration.

 

Data Privacy and Security Act of 2005

See definition for: United States Senate Bill 1789, 109th Congress

 

Data protection

The implementation of administrative, technical or physical measures to guard against the unauthorized access to data (definition developed by ATIS, the Alliance for Telecommunications Industry Solutions).

 

Data Protection Act (UK)

United Kingdom legislation (the Data Protection Act 1998) that implements the EU Data Protection Directive in the UK and governs how organizations collect, hold, use and disclose personal data. Compliance is overseen by the Information Commissioner's Office.

See also: EU Data Protection Directive

 

Digital signature

A value computed over data with the signer's private key under a public-key algorithm. A recipient holding the corresponding public key can verify both the integrity of the data (it has not been altered since it was signed) and the identity of the signer (only the holder of the private key could have produced the signature). A signature binds the data to a key; binding the key to a person or organization requires a certificate or another trusted association.

 

Digital Signature Standard (DSS)

The U.S. Federal Information Processing Standard for digital signatures (FIPS 186). It specifies the approved signature algorithms (originally DSA; later revisions added RSA and ECDSA) and the hash functions to be used with them.

 


E

E-Government Act of 2002

A Federal law designed to enhance the management and promotion of electronic government services and processes by establishing an Office of Electronic Government within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to government information and services.

 

Enforcement

A privacy principle which provides mechanisms for assuring compliance with the Fair Information Practices, recourse for individuals affected by noncompliance, and consequences for noncompliant organizations.

 

EU Data Protection Directive

A European Union (EU) law (Directive 95/46/EC) stating that personal data from EU countries can only be transferred to non-EU countries that provide an adequate level of privacy protection. An organization must inform individuals why information about them is collected, how to contact the organization with inquiries and complaints, the types of third parties to which the organization will disclose, and the options the organization provides to limit the disclosure of certain information. Proper notice and choice must be offered to allow an individual to opt in or opt out of providing specific information the organization plans to track.

See also: Safe Harbor Agreement

 


F

FACTA

See definition for: Fair and Accurate Credit Transactions Act

 

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

Federal law that added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA.

 

Fair Credit Reporting Act (FCRA)

Federal law designed to promote accuracy and ensure the privacy of the information used in consumer reports. FCRA was amended by the Fair and Accurate Credit Transactions Act of 2003 to address the growing problem of identity theft.

 

Fair Information Practices

The basis for privacy best practices, both online and offline. The Practices originated in the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the U.S. government. In 1980, these principles were adopted by the Organization for Economic Cooperation and Development and incorporated in its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. They were adopted later, with modifications, in the EU Data Protection Directive of 1995. As used in the Safe Harbor Principles, the Fair Information Practices are notice, choice, access, onward transfer, security, data integrity, and enforcement (remedy).

 

FCRA

See definition for: Fair Credit Reporting Act

 

Federal Information Processing Standard (FIPS)

A U.S. government standard published by the National Institute of Standards & Technology (NIST).

See also: National Institute of Standards & Technology (NIST)

 

Federal Information Processing Standard 140-2 (FIPS 140-2)

The NIST standard "Security Requirements for Cryptographic Modules". It defines four increasing security levels (Level 1 through Level 4) for hardware, software and firmware cryptographic modules, covering areas such as approved algorithms, key management, self-tests and physical security. Modules are validated against it under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Communications Security Establishment of Canada. A product that merely "uses FIPS-approved algorithms" is not a validated module; the validation certificate names the specific module and version that was tested.

See also: Federal Information Processing Standard (FIPS)

 

Federal Information Security Management Act of 2002

A Federal law that provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. Also known as “FISMA”. Enacted as Title III of the E-Government Act of 2002 (an earlier version, passed in the Homeland Security Act of 2002, was superseded by it). The act requires every federal agency to secure the information and information systems that support its operations and assets, including those provided or managed by another agency, contractor, or other source.

See also: E-Government Act of 2002

 

Financial Modernization Act of 1999

See definition for: Gramm-Leach-Bliley Act (GLBA)

 

FIPS

See definition for: Federal Information Processing Standard (FIPS)

 

FIPS 140-2

See definition for: Federal Information Processing Standard 140-2 (FIPS 140-2)

 

FISMA

See definition for: Federal Information Security Management Act (FISMA)

 


G

GLBA

See definition for: Gramm-Leach-Bliley Act (GLBA)

 

Gramm-Leach-Bliley Act (GLBA)

A U.S. law containing provisions that require all financial institutions to disclose to consumers and customers their policies and practices for protecting the privacy of nonpublic personal information. Nonpublic personal information includes any personally identifiable information provided by a customer, resulting from transactions with the financial institution or obtained by a financial institution through providing products or services. Also known as the Financial Modernization Act of 1999.

 


H

Health Insurance Portability and Accountability Act (HIPAA)

A U.S. federal law (1996) whose Privacy Rule gives patients greater access to their own medical records and more control over how their personally identifiable health information is used, and whose Security Rule sets the administrative, physical and technical safeguards that covered entities (healthcare providers, health plans and clearinghouses) must apply to electronic protected health information.

 

HIPAA

See definition for: Health Insurance Portability and Accountability Act

 

HR.3997

See definition for: United States House of Representatives Bill 3997

 

HR.4127

See definition for: United States House of Representatives Bill 4127

 


I

Identity theft

A crime in which an impostor obtains key pieces of information, such as Social Security and driver's license numbers, and uses them to commit fraud.

 

Integrity

Assurance that data is not modified (by unauthorized persons) during storage or transmittal.

 

International Organization for Standardization (ISO)

ISO (often expanded informally as the "International Standards Organization") is the world’s leading developer of international standards. ISO standards specify requirements for products, services, processes, materials and systems, and for conformity assessment, managerial and organizational practice. ISO standards are designed to be implemented worldwide; ANSI is the U.S. member body.

See also: ANSI

 

Internet Engineering Task Force (IETF)

The main standards organization for the Internet. The IETF is an open, international community of network designers, operators, vendors, and researchers who coordinate the operation, management, and evolution of the Internet. They also resolve short- and mid-range protocol and architectural issues and are a major source of proposals for protocol standards.

 


L

Log

(verb) To record an action; to enter a record into a log file. (noun) A file that lists actions that have occurred. For example, Web servers maintain log files listing every request made to the server.

See also: timestamp

 

M

Malicious code

Software that fulfills the deliberately harmful intent of an attacker when run. For example, viruses, worms, and Trojan horses are malicious code.

 

Malicious user

A user who intentionally accesses a system with the intent to cause harm to the system or to use it in an unauthorized manner.

 

N

National Institute of Standards and Technology (NIST)

An agency of the U.S. Department of Commerce that develops and publishes the Federal Information Processing Standards (FIPS) that federal information systems must follow, along with the Special Publication 800 series of security guidelines.

 

Non-repudiation

The property, and the mechanisms that provide it (typically a digital signature over a record that includes a trusted timestamp), ensuring that someone performing an action on a computer cannot later credibly deny having performed it. Non-repudiation provides evidence that a specific user took a specific action such as transferring money, authorizing a purchase, or sending a message; that evidence is only as strong as the assurance that the user alone controlled the signing key.

 


P

Personal data

See definition for: personally identifiable information

 

Personal electronic record

Data associated with an individual contained in a database, networked or integrated databases, or other data system that holds sensitive personally identifiable information of that individual and is provided to nonaffiliated third parties. Does not include any data related to an individual's past purchases of consumer goods; or any proprietary assessment or evaluation of an individual or any proprietary assessment or evaluation of information about an individual.

 

Personal identification number (PIN)

A secret identification code similar to a password that is assigned to an authorized user. A PIN is used in combination with an ATM card or smart card, for example, to unlock an authorized functionality such as access to a bank account.

 

Personally identifiable information

See definition for: sensitive personally identifiable information

 

Personal information

See definition for: sensitive personally identifiable information

 

PIN

See definition for: Personal identification number (PIN)

 

President’s Management Agenda

A strategy developed for improving the management of the Federal government. It focuses on five areas of management weakness across the government where improvements and the most progress can be made.

See also: E-Government Act, Federal Information Security Management Act

 

Public Key Crypto Standards (PKCS)

A family of de facto standards for public key cryptography published by RSA Laboratories (originally RSA Data Security Inc.) and developed in cooperation with an informal consortium (Apple, DEC, Lotus, Microsoft, MIT and Sun). The series includes both algorithm-specific and algorithm-independent specifications, for example PKCS #1 (RSA encryption and signatures), PKCS #5 (password-based key derivation), PKCS #7 (cryptographic message syntax), PKCS #8 (private-key information syntax), PKCS #10 (certification requests), PKCS #11 (cryptographic token interface) and PKCS #12 (personal information exchange, used to package private keys with certificates).

 


R

Revocation

Retraction of certification or authorization.

 


S

S.1326

See definition for: United States Senate Bill 1326, 109th Congress

 

S.1408

See definition for: United States Senate Bill 1408, 109th Congress

 

S.1789

See definition for: United States Senate Bill 1789, 109th Congress

 

Safe Harbor Agreement

An agreement between the United States and the European Union (EU) regarding the transfer of personally identifiable information from the EU to the United States, which is consistent with Fair Information Practices. Companies that register for Safe Harbor with the U.S. Department of Commerce and abide by the agreement are deemed by the EU to provide adequate data protection for personally identifiable information transferred from the EU to the United States.

 

Safe Harbor Principles

Seven principles agreed to by the United States and the European Union (EU) for the transfer of personally identifiable information from the EU to the United States to which a company must adhere if it registers for Safe Harbor. The seven principles are categorized into the following subjects: notice; choice; access; onward transfer; security; data integrity; and enforcement. See also Safe Harbor Agreement.

 

Safeguard

A technology, policy, or procedure that counters a threat or protects assets.

 

Sarbanes-Oxley Act of 2002

A federal law that changed the rules for disclosing financial and accounting information. Also known as the “Public Company Accounting Reform and Investor Protection Act of 2002” (and commonly called “SOX” or “SarbOx”). Named after sponsors Senator Paul Sarbanes (D., MD) and Representative Michael G. Oxley (R., OH).

 

SB 1386

See definition for: California Senate Bill 1386

 

Security breach

Compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization.

 

Sensitive personally identifiable information

As defined in United States Senate Bill 1789, 109th Congress (the Personal Data Privacy and Security Act of 2005), any information or compilation of information, in electronic or digital form, that includes any of the following. (California SB-1386 uses a narrower definition: name in combination with a social security number, a driver's license number, or a financial account number together with its access code.)

(1) An individual's first and last name, or first initial and last name, in combination with any one (1) of the following data elements:

    a non-truncated social security number, driver's license number, passport number, or alien registration number; or

    any two (2) of the following: home address or telephone number; mother's maiden name, if identified as such; month, day, and year of birth.

(2) Unique biometric data such as a fingerprint, voice print, a retina or iris image, or any other unique physical representation.

(3) A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code, or password that is required for an individual to obtain money, goods, services or any other thing of value.

(4) A financial account number or credit or debit card number in combination with any security code, access code or password that is required for an individual to obtain money, goods, services or any other thing of value.

See also: California Senate Bill 1386 (SB-1386)
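The combination rules above (name plus any one element of the first group, name plus any two of the second, biometric data alone, or an account identifier plus its credential) are what a breach-triage script has to encode. The following is an added example, not GuardianEdge's code and not legal advice: it tags each exposed record with the data elements found in it and applies the definition's structure, including the caveat that a truncated social security number does not qualify. The element names are assumptions chosen for the example; a real decision must follow the statute that applies to the data and jurisdiction.

```go
// Added example (not GuardianEdge's code): a triage check that encodes the
// combination rules of the "sensitive personally identifiable information"
// definition above. Illustration only, not legal advice.
package main

import "fmt"

// Element is one data element that may appear in an exposed record.
// The names are assumptions for this example.
type Element string

const (
	Name               Element = "name"                  // first (or initial) and last name
	SSN                Element = "ssn"                   // non-truncated social security number
	TruncatedSSN       Element = "ssn-truncated"         // e.g. last four digits only
	DriversLicense     Element = "drivers-license"
	Passport           Element = "passport"
	AlienRegistration  Element = "alien-registration"
	HomeAddressOrPhone Element = "home-address-or-phone"
	MothersMaidenName  Element = "mothers-maiden-name"   // only if identified as such
	DateOfBirth        Element = "date-of-birth"         // month, day and year
	Biometric          Element = "biometric"
	AccountIdentifier  Element = "account-identifier"    // account number, user name, routing code
	FinancialAccount   Element = "financial-account"     // financial account or card number
	AccessCredential   Element = "access-credential"     // security code, access code or password
)

// Exposed is the set of elements present in one exposed record.
type Exposed map[Element]bool

// count returns how many of the given elements are present.
func (e Exposed) count(els ...Element) int {
	n := 0
	for _, el := range els {
		if e[el] {
			n++
		}
	}
	return n
}

// IsSensitivePII reports whether the record meets the definition:
//   1. name + any one of SSN, driver's license, passport, alien registration;
//   2. name + any two of home address/phone, mother's maiden name, date of birth;
//   3. unique biometric data on its own;
//   4. an account identifier or financial account number together with the
//      credential needed to use it.
// A truncated SSN never counts: the definition says "non-truncated".
func IsSensitivePII(e Exposed) bool {
	switch {
	case e[Name] && e.count(SSN, DriversLicense, Passport, AlienRegistration) >= 1:
		return true
	case e[Name] && e.count(HomeAddressOrPhone, MothersMaidenName, DateOfBirth) >= 2:
		return true
	case e[Biometric]:
		return true
	case e[AccessCredential] && e.count(AccountIdentifier, FinancialAccount) >= 1:
		return true
	}
	return false
}

func main() {
	// Constructed records, tagged the way a triage script might tag them.
	cases := map[string]Exposed{
		"name + full SSN":            {Name: true, SSN: true},
		"name + last-4 SSN":          {Name: true, TruncatedSSN: true},
		"name + address only":        {Name: true, HomeAddressOrPhone: true},
		"name + address + DOB":       {Name: true, HomeAddressOrPhone: true, DateOfBirth: true},
		"card number, no code":       {FinancialAccount: true},
		"card number + CVV":          {FinancialAccount: true, AccessCredential: true},
		"fingerprint template alone": {Biometric: true},
	}
	for label, rec := range cases {
		fmt.Printf("%-28s sensitive=%v\n", label, IsSensitivePII(rec))
	}
}
```

The two results a reviewer tends to get wrong are "name + address only" (not sensitive; the second group needs two elements) and "card number, no code" (not sensitive under this definition, although it may still be reportable under card-brand rules such as PCI DSS).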

 

Signature

See definition for: digital signature

 

SOX

See definition for: Sarbanes-Oxley Act of 2002

 

Specter-Leahy bill

See definition for: United States Senate Bill 1789, 109th Congress

 


T

Timestamp

A time code attached to data, or a digital signature in which the signer (typically a time-stamping authority) vouches that the signed document or content existed at the time stated within the signature. Timestamps are essential for logging events and for establishing the order of events during an incident investigation; a timestamp is only trustworthy to the extent that the clock or authority that produced it is.

See also: log
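The digital signature, integrity, non-repudiation and timestamp entries describe one mechanism from four angles. The following is an added example, not GuardianEdge's code, that shows them together: an audit-log record whose timestamp is part of the signed bytes, signed with Ed25519 from the Go standard library, so that any later change to the event or to its claimed time fails verification. The record fields, the seed-derived key and the sample entries are constructed for the example.

```go
// Added example (not GuardianEdge's code): signing timestamped log records
// with Ed25519 from the Go standard library, then verifying them.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record is one audit-log entry. The timestamp is part of the signed bytes,
// so neither the event nor the time it claims can be altered unnoticed.
type Record struct {
	Timestamp string // RFC 3339, assumed to be UTC
	Actor     string
	Action    string
}

// SignedRecord bundles a record with the signature over its canonical form.
type SignedRecord struct {
	Record    Record
	Signature []byte
}

// canonical returns the exact byte string that is signed. Field order and
// separator are fixed so that signer and verifier sign and check the same bytes.
func canonical(r Record) []byte {
	return []byte(r.Timestamp + "\x1f" + r.Actor + "\x1f" + r.Action)
}

// SignRecord produces the signature with the signer's private key. Only the
// holder of that key can produce it, which is what gives non-repudiation.
func SignRecord(priv ed25519.PrivateKey, r Record) SignedRecord {
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyRecord checks integrity and origin with the public key. Any change to
// the timestamp, actor or action, or a signature made with another key, fails.
func VerifyRecord(pub ed25519.PublicKey, s SignedRecord) bool {
	return ed25519.Verify(pub, canonical(s.Record), s.Signature)
}

// keyFromSeed derives a deterministic key pair from a seed string so the
// example is reproducible. A real deployment would call
// ed25519.GenerateKey(rand.Reader) and protect the private key.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	sum := sha256.Sum256([]byte(seed)) // constructed seed, for the example only
	priv := ed25519.NewKeyFromSeed(sum[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := keyFromSeed("example-signing-key")
	rec := Record{
		Timestamp: time.Date(2006, 3, 15, 14, 30, 0, 0, time.UTC).Format(time.RFC3339),
		Actor:     "alice",
		Action:    "transfer 500 USD to account 4321",
	}
	signed := SignRecord(priv, rec)
	fmt.Println("signature:", hex.EncodeToString(signed.Signature)[:16]+"...")
	fmt.Println("verifies:", VerifyRecord(pub, signed))

	// Tampering with the record after the fact breaks verification.
	forged := signed
	forged.Record.Action = "transfer 5 USD to account 4321"
	fmt.Println("tampered verifies:", VerifyRecord(pub, forged))

	// Back-dating the entry is caught for the same reason.
	backdated := signed
	backdated.Record.Timestamp = "2006-03-14T14:30:00Z"
	fmt.Println("backdated verifies:", VerifyRecord(pub, backdated))
}
```

Here the signer vouches for the timestamp, which is enough to detect tampering but not to prove to a third party that the signer's clock was honest; for that, the record or its hash is additionally submitted to a time-stamping authority (RFC 3161), whose own signature covers the time. A message authentication code would also detect tampering, but because the verifier holds the same secret as the signer it cannot provide non-repudiation.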

 

Trusted Computing Group (TCG)

A not-for-profit organization formed to develop, define and promote open standards for hardware-enabled "trusted" computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG claims that its specifications will enable more secure computing environments without compromising functional integrity, privacy or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft.

 


U

United States House of Representatives Bill 3997

A Federal legislative bill that amends the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

Also known as “HR.3997” or the “Financial Data Protection Act of 2005”. Sponsored by Rep. Steven LaTourette (R-OH) et al.

 

United States House of Representatives Bill 4127

A Federal legislative bill designed to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.

Also known as “HR.4127” or the “Data Accountability and Trust Act”. Sponsored by Rep. Cliff Stearns (R-FL).

 

United States Senate Bill 1326, 109th Congress (1st Session)

A Federal legislative bill designed to require agencies and persons in possession of computerized data containing sensitive personal information, to disclose security breaches where such breach poses a significant risk of identity theft.

Also known as “S.1326” or the “Notification of Risk to Personal Data Act”. Sponsored by Sen. Jeff Sessions (R-AL) et al.

 

United States Senate Bill 1408, 109th Congress (1st Session)

A Federal legislative bill designed to strengthen data protection and safeguards, require data breach notification, and further prevent identity theft. Sponsored by Sen. Gordon Smith (R-OR), Sen. Bill Nelson (D-FL), Sen. Ted Stevens (R-AK), Sen. Daniel Inouye (D-HI), Sen. John McCain (R-AZ), and Sen. Mark Pryor (D-AR).

 

United States Senate Bill 1789, 109th Congress (1st Session)

A Federal legislative bill designed to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

Also known as “S.1789”, the “Specter-Leahy” bill (Senators Specter and Leahy were the original sponsors) or the “Personal Data Privacy and Security Act of 2005”. Current sponsors are Sen. Arlen Specter (R-PA), Patrick Leahy (D-VT), Dianne Feinstein (D-CA) and Russell Feingold (D-WI).

U.S. Senate Bill 1789 imposes new rules and regulations on “data brokers” and other business entities that collect, access, transmit, use, store or dispose of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons.

In addition, the bill proposes harsher punishment for crimes related to identity theft, such as fraud and the intentional concealment of security breaches. The bill also sets forth new rules for government access to and use of commercial data, including mandatory audits for contracts awarded to so-called data brokers.

 
