GIST v0.7 ― I
“I&A” to “IV”
I
-
- I&A n.
-
See: identification and authentication under authentication.
-
- IAB n.
-
See: Government Smart Card Interagency Advisory Board, Internet Architecture Board.
-
- IAEG n.
-
See: Identity Assurance Expert Group.
-
- IAEG assessor n.
-
IAEG LIAF (2008)
-
An organization that has agreed to the IAEG Rules and that has been accredited to conduct assessments of credential service providers.
-
- IAEG-branded credential n.
-
IAEG LIAF (2008)
-
Information indicating the individual identity of a natural person, according to a CSP certified by the IAEG to issue, process, validate or otherwise purvey such credential.
-
- IAEG credential service provider (IAEG CSP) n.
-
IAEG LIAF (2008)
-
Organization that has agreed to the IAEG Operating Rules and other applicable Rules, and that has been certified to issue, process, validate, etc., an IAEG-branded credential.
-
- IAEG-recognized assessor n.
-
IAEG LIAF (2008)
-
A body that has been granted an accreditation to perform assessments against service assessment criteria, at the specified assurance level(s).
-
- IAEG-recognized certification body n.
-
IAEG LIAF (2008)
-
A certification body which has been accredited by, or whose qualifications have been otherwise established by, a scheme which the IAEG Board has deemed to be appropriate for the purposes of determining a CSP’s competence to perform assessments against IAEG’s criteria.
-
- IANA n.
-
See: Internet Assigned Numbers Authority.
-
- ICANN n.
-
See: Internet Corporation for Assigned Names and Numbers.
-
- ICAO MRTD n.
-
See: International Civil Aviation Organization Machine Readable Travel Document.
-
- ICC n.
-
See: integrated circuit card.
-
- ICMP n.
-
See: Internet Control Message Protocol.
-
- ICMP flood n.
-
RFC 2828 (2000)
-
(I) A denial of service attack that sends a host more ICMP echo request (ping) packets than the protocol implementation can handle. (See: flooding, smurf.)
-
- ICRL n.
-
See: indirect certificate revocation list.
-
- ID n.
-
See: user ID.
-
- IDEA n.
-
See: International Data Encryption Algorithm.
-
- identifiable entity n.
-
See: principal.
-
- identification n.
-
RFC 2828 (2000)
-
(I) An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities. (See: authentication.)
-
SC 27 SD 6 (2002)
-
ISO/IEC TR 13335-4: 1999
-
Process of uniquely determining the unique identity of an entity.
-
modonisIDM (2005)
-
Definition: Identification is the process of using claimed or observed attributes of an entity to deduce who the entity is.
-
The term “identification” is also referred to as entity authentication. The identification of an entity within a certain context enables another entity to distinguish between the entities it interacts with.
-
This definition seems to conflate two distinct concepts: identification – establishing who this person is (this person is Nancy Negroponte, and not anybody else) – and (entity) authentication (or identity verification) – confirming a claim (this person, who says she is Nancy Negroponte, really is Nancy Negroponte).
-
(See also: (discussion under) biometric identification.)
-
NIST IR 7298 (2006)
-
SP 800-47
-
The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
-
! This is a definition of authentication, not identification.
-
FIPS 201
-
The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
-
SCA ISCTAG (2007)
-
(a) The process of using claimed or observed attributes of an entity to deduce who the entity is.
-
(b) The evidence of identity or fact of proof showing the attributes of the individual presenting the identification.
-
! Para. (b) is a definition of authentication, not identification.
-
IAEG LIAF (2008)
-
Process of using claimed or observed attributes of an individual to infer who the individual is.
-
See also: biometric identification. And, in the sense of “an identifier”: user identification.
-
- identification and authentication (I&A) n.
-
See: authentication, identification.
-
- identification card n.
-
SCA ISCTAG (2007)
-
Card identifying its holder and issuer which may carry data required as input for the intended use of the card and for transactions based thereon.
-
- identification data n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 9798-5: 1999
-
Sequence of data items, including the distinguishing identifier for an entity, assigned to an entity and used to identify it. Note: Examples of data items which may be included in the identification data include: an account number, expiry date, serial number, etc.
-
ISO/IEC 14888-1: 1998
-
A sequence of data items, including the distinguishing identifier for an entity, assigned to an entity and used to identify it. Note: The identification data may additionally contain data items such as identifier of the signature process, identifier of the signature key, validity period of the signature key, restrictions on key usage, associated security policy parameters, key serial number, or domain parameters.
-
- Identification Protocol n.
-
RFC 2828 (2000)
-
(I) A client-server Internet protocol [R1413] for learning the identity of a user of a particular TCP connection.
-
(C) Given a TCP port number pair, the server returns a character string that identifies the owner of that connection on the server’s system. The protocol is not intended for authorization or access control. At best, it provides additional auditing information with respect to TCP.
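-
The exchange described above, worked through in code: an added example written for this glossary entry, not code from RFC 1413 or RFC 2828. It implements a simplified form of the RFC 1413 query and response grammar, with both halves of the exchange (the asking client and the answering server) in one process. The connection table is constructed for the example; the port pair 6191, 23 and the user stjohns are taken from the worked example in RFC 1413, and the “0, 0” ports in the reply to an unparsable query are a choice made here, not something the RFC prescribes.

```python
import re

# Simplified RFC 1413 grammar.
#   Query:    <port-on-server> , <port-on-client> CRLF
#   Response: <port-on-server> , <port-on-client> : USERID : <opsys> [ , <charset> ] : <user-id> CRLF
#         or  <port-on-server> , <port-on-client> : ERROR : <error-type> CRLF
_QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_RESPONSE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def _valid_port(p: int) -> bool:
    return 1 <= p <= 65535


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Client side: the line sent to TCP port 113 on the host being asked.
    The first port is the one on that host, the second the one on the asker."""
    if not (_valid_port(port_on_server) and _valid_port(port_on_client)):
        raise ValueError("port out of range")
    return f"{port_on_server}, {port_on_client}\r\n".encode("ascii")


def parse_response(line: bytes) -> dict:
    """Client side: parse the server's reply. Raises ValueError on malformed input.
    Whatever comes back is the remote host's unverified claim about its own user:
    it is audit information, not a basis for authorization."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _RESPONSE.match(text)
    if not m:
        raise ValueError(f"malformed ident response: {text!r}")
    sp, cp, kind, rest = m.groups()
    ports = (int(sp), int(cp))
    if kind == "ERROR":
        return {"ports": ports, "kind": "ERROR", "error": rest.strip()}
    # USERID : <opsys-field> : <user-id>; only the first ':' separates the two,
    # so a user-id containing ':' survives.
    opsys_field, sep, user = rest.partition(":")
    if not sep:
        raise ValueError("USERID response lacks the user-id field")
    opsys, _, charset = opsys_field.partition(",")
    return {
        "ports": ports,
        "kind": "USERID",
        "opsys": opsys.strip(),
        "charset": charset.strip() or "US-ASCII",  # RFC 1413 default charset
        "user": user.strip(),
    }


# Constructed connection table, as an ident server would consult it:
# (local port, remote port) -> local user owning that TCP connection.
CONNECTION_TABLE = {
    (6191, 23): "stjohns",  # port pair and user from the RFC 1413 worked example
    (6193, 23): "ada",
}


def handle_query(line: bytes, table=CONNECTION_TABLE) -> bytes:
    """Server side: answer one query line from the connection table."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _QUERY.match(text)
    if not m:
        # Ports could not be parsed at all; echoing "0, 0" is a choice made here.
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (_valid_port(sp) and _valid_port(cp)):
        return f"{sp}, {cp} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = table.get((sp, cp))
    if user is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sp}, {cp} : USERID : UNIX : {user}\r\n".encode("ascii")


def ident_exchange(port_on_server: int, port_on_client: int, table=CONNECTION_TABLE) -> dict:
    """Both halves in one process: client builds the query, server answers, client parses."""
    return parse_response(handle_query(build_query(port_on_server, port_on_client), table))


if __name__ == "__main__":
    print(ident_exchange(6191, 23))  # the owner of the constructed connection 6191<->23
    print(ident_exchange(6191, 24))  # no such connection: an ERROR reply
```

Note that the server can answer anything it likes (including a made-up user or an opaque token), which is why the protocol is useful only as extra audit context for a TCP connection and never as an access-control input.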
-
- identification system n.
-
See: biometric identification application.
-
- identified entity n.
-
modonisIDM (2005)
-
Definition: An identified entity is an identifiable entity the identity of which has been corroborated.
-
The term “identified entity” is also referred to as an “authenticated identity”.
-
As indicated below, corroboration entails that a given element has been proven to the extent required by the identity management system. As such, there are no fixed rules or criteria to meet before an entity can be considered identified. The only criterion is the acceptance of the identification by the IMS.
-
I’m not at all sure about this… To my mind, an identified entity is quite simply an (identifiable) entity that has been identified – that is, one that has been individuated, distinguished from other entities of the same kind. (See: (discussion under) identification.) Equating “identified entity” with “authenticated identity” also misleadingly conflates entity and identity. What this definition describes is an authenticated entity.
-
- identifier n.
-
OASIS SAML 2.0 (2005)
-
This term is used in two senses in SAML:
-
One that identifies [Merriam].
-
A data object (for example, a string) mapped to a system entity that uniquely refers to the system entity. A system entity may have multiple distinct identifiers referring to it. An identifier is essentially a “distinguished attribute” of an entity. See also attribute.
-
modonisIDM (2005)
-
Definition: An identifier is an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context.
-
For the sake of clarity, identifiers consisting of one attribute are also characteristics; they distinguish an entity from other entities.
-
An entity may have multiple distinct identifiers referring to it. Identifiers uniquely identify an entity, while characteristics do not need to. However, it should be noted that identifiers can consist of a combination of attributes, whereas characteristics are always one single attribute.
-
NIST IR 7298 (2006)
-
FIPS 201
-
A unique data string used as a key in the biometric system to name a person’s identity and its associated attributes.
-
This is a very narrow definition of identifier and should probably have some modifier!
-
SCA ISCTAG (2007)
-
Unique data used to represent a person’s identity and associated attributes. Names and card numbers are examples of identifiers.
-
unique identifier
-
Any element or value which is guaranteed to be unique among a given group.
-
IAEG LIAF (2008)
-
Something that points to an individual, such as a name, a serial number, or some other pointer to the party being identified.
-
See also: user identifier.
-
- identify vb.
-
JTC 1/SC 37 (2006⇒2008)
-
identify (biometrics)
-
The act of making a series of comparisons [2006 text; replaced in 2008 by: “Biometric search”] against a biometric enrolment database to find and return the biometric reference identifier(s) attributable to a single individual.
-
As a definition of a verb, this should probably begin, “Perform a…”; as it is, it reads more like a definition of identification.
-
- identity n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
A representation (e.g. a string) uniquely identifying an authorised user, which can either be the full or abbreviated name of that user or a pseudonym.
-
! This is a definition of identifier, not identity; see comments below.
-
OASIS SAML 2.0 (2005)
-
The essence of an entity [Merriam]. One’s identity is often described by one’s characteristics, among which may be any number of identifiers. See also identifier, attribute.
-
modonisIDM (2005)
-
Definition: The identity of an entity is the dynamic collection of all of the entity’s attributes. An entity has only one identity.
-
An entity has only one identity, consisting of a number of attributes that need not necessarily be unique for that entity, but which are nonetheless useful when attempting to distinguish several entities. Common examples of such attributes include name, date and place of birth, address, the identity of parents, etc.
-
As such, the identity is a fluid and evolving philosophical concept, rather than a practical one: as it is impossible for any one IDM system to gather all attributes of any specific entity, IDM systems must focus on a specific subset of relevant attributes.
-
As a rule of thumb, when people refer to the identity of an entity, they are referring to the essence of the entity as defined above. In contrast, when they refer to an identity of an entity, they are referring to the concept of partial identity, as defined below.
-
This brings us to the following concepts.
-
NIST IR 7298 (2006)
-
FIPS 201
-
The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
-
SCA ISCTAG (2007)
-
The subset of physical and/or behavioral characteristics by which an individual is uniquely recognizable. Identity is information concerning the person, not the actual person.
-
IAEG LIAF (2008)
-
A unique name for a single person. Because a person’s legal name is not necessarily unique, identity must include enough additional information (for example, an address or some unique identifier such as an employee or account number) to make a unique name.
-
! This is a definition of identifier, not identity; see comments below.
-
NIST SP 800-63-1 DRAFT (2008)
-
A unique name of an individual person. Since the legal names of persons are not necessarily unique, the identity of a person must include sufficient additional information (for example an address, or some unique identifier such as an employee or account number) to make the complete name unique.
-
! This is a definition of identifier, not identity; see comments below.
-
In Security Engineering (2001; Wiley; ISBN 0-471-38922-6), Ross Anderson says ―
The word identity is controversial. When I am being careful, I will use it to mean a correspondence between the names of two principals signifying that they refer to the same person or equipment. For example, it may be important to know that the Bob acting in “Alice acting as Bob’s manager” is the same Bob as in “Bob acting as Charlie’s manager” and in “Bob as branch manager signing a bank draft jointly with David.” Often, the term “identity” is abused to mean simply “name,” an abuse entrenched in such phrases as “user identity” and “citizen’s identity card.”
-
- identity and access management (IAM) n.
-
SCA ISCTAG (2007)
-
The combination of processes, technologies, and policies to manage digital identities and specify how digital identities are used to access resources.
-
- identity authentication n.
-
See: authentication.
-
- identity assurance n.
-
1. The combined confidence in the processes used (a) to establish the civil identity of the individual to whom a credential was issued (i.e., identity proofing) and (b) to confirm that the individual who uses that credential is the individual to whom the credential was issued (i.e., authentication). (Back formation from the IAEG LIAF definition of assurance level.)
-
2. “A framework of technical, management, policy and regulatory initiatives aimed at preserving the confidentiality, integrity and privacy of identity related data, as well as the availability of information infrastructures and supporting identity management systems.” – IAAC Position Paper on Identity Assurance (IdA): Towards a Policy Framework for Electronic Identity
-
This might be better termed identity information assurance.
-
- Identity Assurance Expert Group (IAEG) n.
-
IAEG LIAF (2008)
-
The multi-industry Liberty Alliance partnership working on enabling interoperability among public and private electronic identity authentication systems.
-
- Identity Assurance Framework (IAF) n.
-
IAEG LIAF (2008)
-
The body of work that collectively defines the industry-led self-regulatory framework for electronic trust services in the United States and around the globe, as operated by the IAEG.
-
The Identity Assurance Framework includes descriptions of criteria, rules, procedures, processes, and other documents.
-
- identity-based security policy n.
-
RFC 2828 (2000)
-
(I) “A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed.” [I7498 Part 2] (See: rule-based security policy.)
-
NIST IR 7298 (2006)
-
SP 800-33
-
A security policy based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access.
-
- identity binding n.
-
NIST IR 7298 (2006)
-
FIPS 201
-
Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority.
-
IAEG LIAF (2008)
-
The extent to which an electronic credential can be trusted to be a proxy for the entity named in it.
-
- identity concealer n.
-
JTC 1/SC 37 (2008) – 3.4.2.3.1.2
-
Subversive biometric capture subject who attempts to avoid being matched to their own biometric reference.
-
Note: Oxford defines conceal as: alter the appearance, sound, taste or smell of so as to conceal the identity. [An “editor’s note” impugns that.]
-
- identity data n.
-
SCA ISCTAG (2007)
-
The data associated with an individual’s identity within a specific system and used by that system to verify the individual’s identity.
-
Not all of the data associated with an individual’s identity is used to verify their identity… but what do we call the rest? Perhaps identity data should have the broader sense; what this definition defines is really authentication data (or identity-verification data).
-
Perhaps what the definition is groping for is the data that can be used to uniquely identify an individual – identification data. Latanya Sweeney, Ph.D., noted (“Simple Demographics Often Identify People Uniquely”, 2000) that 87% of the population in the United States is likely to be uniquely identified by only gender, date of birth and ZIP code! (See: PII.)
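-
The point above (a handful of innocuous attributes is identification data in all but name) can be shown directly with the linkage attack Sweeney described: join a “de-identified” record to a public list that still carries names on the shared attributes. The following is an added example written for this entry, not code from any of the glossary’s sources; both record sets are constructed, and the name Nancy Negroponte is borrowed from the discussion under identification. The functions measure how many records a quasi-identifier singles out (and the k-anonymity of the set), and perform the join; the “generalised” key coarsens date of birth to year and ZIP to its first three digits, to show how much (and how little) that helps.

```python
from collections import Counter, defaultdict

# Constructed "de-identified" hospital extract: names stripped, the three
# demographic attributes Sweeney studied left in place.
MEDICAL = [
    {"gender": "F", "dob": "1975-03-14", "zip": "02138", "diagnosis": "asthma"},
    {"gender": "M", "dob": "1981-07-02", "zip": "02138", "diagnosis": "diabetes"},
    {"gender": "F", "dob": "1990-11-30", "zip": "10001", "diagnosis": "migraine"},
]

# Constructed public voter roll: names plus the same three attributes.
VOTERS = [
    {"name": "Nancy Negroponte", "gender": "F", "dob": "1975-03-14", "zip": "02138"},
    {"name": "Alice Alvarez",    "gender": "F", "dob": "1975-03-14", "zip": "02139"},
    {"name": "Bob Baptiste",     "gender": "M", "dob": "1975-03-14", "zip": "02138"},
    {"name": "Carl Chen",        "gender": "M", "dob": "1981-07-02", "zip": "02138"},
    {"name": "Dan Dubois",       "gender": "M", "dob": "1981-07-02", "zip": "02138"},
    {"name": "Eve Ekwueme",      "gender": "F", "dob": "1990-11-30", "zip": "10001"},
    {"name": "Frank Fischer",    "gender": "M", "dob": "1990-11-30", "zip": "10001"},
]


def qi_full(r):
    """Quasi-identifier exactly as released: gender, full date of birth, 5-digit ZIP."""
    return (r["gender"], r["dob"], r["zip"])


def qi_generalised(r):
    """Coarsened quasi-identifier: gender, year of birth, first three ZIP digits."""
    return (r["gender"], r["dob"][:4], r["zip"][:3])


def group_sizes(records, key):
    """How many records share each quasi-identifier value."""
    return Counter(key(r) for r in records)


def unique_count(records, key):
    """Number of records whose quasi-identifier value occurs exactly once, i.e.
    records that the attributes alone single out."""
    sizes = group_sizes(records, key)
    return sum(1 for r in records if sizes[key(r)] == 1)


def k_anonymity(records, key):
    """Smallest group size: every record is hidden among at least k others."""
    return min(group_sizes(records, key).values())


def link(medical, voters, key):
    """Linkage attack: for each de-identified record, the names on the voter
    roll with the same quasi-identifier value. A list of length one is a
    re-identification."""
    index = defaultdict(list)
    for v in voters:
        index[key(v)].append(v["name"])
    return {m["diagnosis"]: sorted(index.get(key(m), [])) for m in medical}


if __name__ == "__main__":
    for name, key in (("full", qi_full), ("generalised", qi_generalised)):
        print(name, "unique:", unique_count(VOTERS, key), "of", len(VOTERS),
              "k =", k_anonymity(VOTERS, key))
        print(name, "linkage:", link(MEDICAL, VOTERS, key))
```

With the attributes as released, the asthma and migraine records each join to exactly one name; coarsening date of birth and ZIP hides the asthma patient among two candidates but still leaves the migraine patient alone in her group, which is why k-anonymity has to be measured on the whole released set rather than assumed from the coarsening.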
-
- identity defederation n.
-
OASIS SAML 2.0 (2005)
-
The action occurring when providers agree to stop referring to a principal via a certain set of identifiers and/or attributes.
-
- identity document n.
-
SCA ISCTAG (2007)
-
A piece of documentation designed to verify aspects of a person’s identity. (See also breeder document.)
-
- identity federation n.
-
OASIS SAML 2.0 (2005)
-
The act of creating a federated identity on behalf of a principal.
-
- identity management (IDM, IdM) n.
-
modonisIDM (2005)
-
Definition: Identity management is the managing of partial identities of entities, i.e., definition, designation and administration of identity attributes as well as choice of the partial identity to be (re‑)used in a specific context.
-
SCA ISCTAG (2007)
-
In information systems, the management of the identity life cycle of entities. Identity management is sometimes used in conjunction with authorization in the IT industry. Within the life cycle:
-
The identity is established: a name (or number) is connected to the subject.
-
The identity is re-established: a new or additional name (or number) is connected to the subject.
-
The identity is described: one or more attributes which are applicable to this particular subject may be assigned to the identity.
-
The identity is newly described: one or more attributes which are applicable to this particular subject may be changed.
-
The identity is destroyed.
-
See: IAM, user account management.
-
- identity management application n.
-
modonisIDM (2005)
-
Definition: An identity management application is a tool used by an entity to manage partial identities.
-
In general, the identity management application is used to manage partial identities, e.g., for their creation, updating, revocation, etc.
-
- identity management system (IDMS, IdMS, IMS) n.
-
modonisIDM (2005)
-
Definition: An identity management system is the organisational and technical infrastructure used for the definition, designation and administration of identity attributes.
-
SCA ISCTAG (2007)
-
System composed of one or more computer systems or applications that manage the identity registration, verification, validation, and issuance process, as well as the provisioning and deprovisioning of identity credentials.
-
- identity proofing n.
-
NIST IR 7298 (2006)
-
FIPS 201
-
The process of providing sufficient information (e.g., identity history, credentials, documents) to a personal identity verification registrar when attempting to establish an identity.
-
SCA ISCTAG (2007)
-
The process of providing sufficient information (e.g., breeder documents, identity history, credentials, documents) to establish an identity to an organization that can issue identity credentials.
-
IAEG LIAF (2008)
-
The process by which identity-related information is validated so as to identify a person with a degree of uniqueness and certitude sufficient for the purposes for which that identity is to be used.
-
Of course, “uniqueness” and “certitude” are absolutes, and so cannot have degrees – they’re all or nothing!
-
NIST SP 800-63-1 DRAFT (2008)
-
The process by which a CSP and a RA validate sufficient information to uniquely identify a person.
-
In both IAEG LIAF and NIST SP 800-63, “validate” should be “verify”; see: (usage note under) validate.
-
- identity proofing policy n.
-
IAEG LIAF (2008)
-
A set of rules that defines identity proofing requirements (required evidence, format, manner of presentation, validation), records actions required of the registrar, and describes any other salient aspects of the identity proofing function that are applicable to a particular community or class of applications with common security requirements.
-
An identity proofing policy is designed to accomplish a stated assurance level.
-
- identity proofing service provider n.
-
IAEG LIAF (2008)
-
An electronic trust service provider which offers, as a standalone service, the specific electronic trust service of identity proofing.
-
This service provider is sometimes referred to as a registration agent/authority (RA).
-
- identity proofing practice statement n.
-
IAEG LIAF (2008)
-
A statement of the practices that an identity proofing service provider employs in providing its services in accordance with the applicable identity proofing policy.
-
- identity provider n.
-
OASIS SAML 2.0 (2005)
-
A kind of service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
-
- identity registration n.
-
See: registration.
-
- identity theft n.
-
SCA ISCTAG (2007)
-
The appropriation of another’s personal information to commit fraud, steal the person’s assets, or pretend to be the person.
-
- identity token n.
-
See: token.
-
- identity validation n.
-
See: authentication.
-
- identity verification n.
-
NIST IR 7298 (2006)
-
FIPS 201
-
identity verification, verification
-
The process of affirming that a claimed identity is correct by comparing the offered claims of identity with previously proven information stored in the identity card or PIV system.
-
SP 800-79
-
The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV card or system and associated with the identity being claimed.
-
SCA ISCTAG (2007)
-
The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in an ID card or system and associated with the identity being claimed.
-
These could quite easily be definitions of authentication, but some FIPS documents use this term strictly for user authentication.
-
- IDS, IDS – host-based, IDS – network-based n.
-
See: intrusion detection system.
-
- IEC n.
-
See: International Electrotechnical Commission.
-
- IEEE n.
-
See: Institute of Electrical and Electronics Engineers, Inc.
-
- IEEE 802.10 n.
-
RFC 2828 (2000)
-
(N) An IEEE committee developing security standards for local area networks. (See: SILS.)
-
- IEEE P1363 n.
-
RFC 2828 (2000)
-
(N) An IEEE working group, Standard for Public-Key Cryptography, developing a comprehensive reference standard for asymmetric cryptography. Covers discrete logarithm (e.g., DSA), elliptic curve, and integer factorization (e.g., RSA); and covers key agreement, digital signature, and encryption.
-
- IESG n.
-
See: Internet Engineering Steering Group.
-
- IETF n.
-
See: Internet Engineering Task Force.
-
- IFD n.
-
See: interface device.
-
- IKE n.
-
See: IPsec Key Exchange. (That expansion is RFC 2828’s; RFC 2409, which specifies the protocol, calls it the Internet Key Exchange.)
-
- image n.
-
NIST IR 7298 (2006)
-
SP 800-72
-
An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered.
-
- IMAP4 n.
-
See: Internet Message Access Protocol, version 4.
-
- IMAP4 AUTHENTICATE n.
-
RFC 2828 (2000)
-
(I) An IMAP4 “command” (better described as a transaction type, or a protocol-within-a-protocol) by which an IMAP4 client optionally proposes a mechanism to an IMAP4 server to authenticate the client to the server and provide other security services. (See: POP3.)
-
(C) If the server accepts the proposal, the command is followed by performing a challenge-response authentication protocol and, optionally, negotiating a protection mechanism for subsequent POP3 interactions. The security mechanisms that are used by IMAP4 AUTHENTICATE – including Kerberos, GSSAPI, and S/Key – are described in [R1731].
-
! “POP3” in the second sentence should presumably read “IMAP4”: the entry is about IMAP4 AUTHENTICATE, and the mechanism protects the IMAP4 session that follows it.
-
- impact n.
-
SC 27 SD 6 (2002)
-
ISO/IEC PDTR 13335-1 (11/2001)
-
The result of an unwanted incident.
-
NIST IR 7298 (2006)
-
SP 800-60
-
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
-
- implicit key authentication from A to B n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 11770-3: 1999, ISO/IEC FDIS 15946-3 (02/2001)
-
The assurance for entity B that A is the only other entity that can possibly be in possession of the correct key.
-
- impostor n.
-
iAfB-ICSA 1999
-
A person who submits a biometric sample in either an intentional or inadvertent attempt to pass him/herself off as another person who is an enrolee.
-
Note: An impostor can submit a fraudulent biometric characteristic – e.g., a gelatin fingerprint – but not a fraudulent sample. A person could attempt a masquerade attack against a biometric system by submitting a fraudulent sample – e.g., a captured sample from an enrollee’s previous use – but this requires programmatic interaction with the biometric system. Related definitions make it clear that an impostor is an attacker who is interacting with the system as a legitimate user would, i.e., through an acquisition device.
-
BEM 2002
-
A person making a false claim about identity to the biometric system.
-
JTC 1/SC 37 (2008) – 3.4.2.3.1.1
-
Subversive biometric capture subject who attempts to be matched to someone else’s biometric reference.
-
Note: Oxford defines impostor as: person who assumes a false identity in order to deceive or defraud.
-
- imprint n.
-
SC 27 SD 6 (2002)
-
ISO/IEC WD 13888-1 (11/2001)
-
A string of bits, either the hash-code of a data string or the data string itself.
-
- inappropriate usage n.
-
NIST IR 7298 (2006)
-
SP 800-61
-
A person who violates acceptable computing use policies.
-
Well… “inappropriate usage” isn’t a person, it’s what the person does…
-
- in-house test n.
-
iAfB-ICSA 1999
-
A test carried out entirely within the environs of the biometric system developer which may or may not involve external user participation.
-
- in the clear n.
-
RFC 2828 (2000)
-
(I) Not encrypted. (See: cleartext.)
-
- incident n.
-
NIST IR 7298 (2006)
-
SP 800-61
-
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
-
FIPS 200
-
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
-
- incident handling n.
-
NIST IR 7298 (2006)
-
SP 800-61
-
The mitigation of violations of security policies and recommended practices.
-
- incident response plan n.
-
NIST IR 7298 (2006)
-
SP 800-34
-
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s IT system(s).
-
- inculpatory evidence n.
-
NIST IR 7298 (2006)
-
SP 800-72
-
Evidence that tends to increase the likelihood of fault or guilt.
-
- indication n.
-
NIST IR 7298 (2006)
-
SP 800-61
-
A sign that an incident may have occurred or may be currently occurring.
-
- individual n., adj.
-
NIST IR 7298 (2006)
-
SP 800-60
-
A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.
-
Clearly, other people can be individuals too…
“We’re all individuals!”
“I’m not!”
― Monty Python’s Life of Brian
-
JTC 1/SC 37 (2008)
-
Of or for a particular person; single human being or item as distinct from a group.
-
Note 1: Definition source: Oxford dictionary.
-
Note 2: “Individual” is restricted in scope by SC37 to humans.
-
- indirect certificate revocation list (ICRL) n.
-
RFC 2828 (2000)
-
(I) In X.509, a CRL that may contain certificate revocation notifications for certificates issued by CAs other than the issuer of the ICRL.
-
- indistinguishability n.
-
RFC 2828 (2000)
-
(I) An attribute of an encryption algorithm that is a formalization of the notion that the encryption of some string is indistinguishable from the encryption of an equal-length string of nonsense.
-
(C) Under certain conditions, this notion is equivalent to semantic security.
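-
The notion above is usually made concrete as a game: the adversary, given an encryption oracle, picks two equal-length messages, receives the encryption of one of them chosen at random, and must say which; an algorithm is indistinguishable if no efficient adversary does noticeably better than guessing. The following is an added example written for this entry, not code from RFC 2828 or any cited source. It plays that game against two variants of a toy stream cipher (SHA-256 in counter mode, used here only for illustration and not a vetted cipher): one with a fixed nonce, which is deterministic, and one with a fresh random nonce per message. The adversary’s strategy is the simplest possible one, asking the oracle for Enc(m0) beforehand and comparing; it wins every time against the deterministic variant and only by coin-flip against the randomised one.

```python
import hashlib
import os
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) in counter mode.
    Illustration only; not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StreamScheme:
    """Ciphertext = nonce || (m XOR keystream(key, nonce)). Subclasses pick the nonce."""

    def nonce(self) -> bytes:
        raise NotImplementedError

    def encrypt(self, key: bytes, m: bytes) -> bytes:
        n = self.nonce()
        return n + _xor(m, _keystream(key, n, len(m)))

    def decrypt(self, key: bytes, ct: bytes) -> bytes:
        n, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
        return _xor(body, _keystream(key, n, len(body)))


class DeterministicScheme(StreamScheme):
    """Fixed nonce: the same message under the same key always gives the same ciphertext."""

    def nonce(self) -> bytes:
        return bytes(NONCE_LEN)


class RandomisedScheme(StreamScheme):
    """Fresh random nonce per message: repeated messages give unrelated ciphertexts."""

    def nonce(self) -> bytes:
        return os.urandom(NONCE_LEN)


class ReplayDistinguisher:
    """Adversary: learn Enc(m0) from the oracle, then check whether the challenge equals it."""

    M0 = b"transfer 100 to alice"
    M1 = b"transfer 100 to bob  "  # padded to the same length as M0

    def choose(self, oracle):
        return self.M0, self.M1, oracle(self.M0)

    def guess(self, oracle, challenge: bytes, seen: bytes) -> int:
        return 0 if challenge == seen else 1


def ind_cpa_game(scheme: StreamScheme, adversary, trials: int) -> int:
    """Run the indistinguishability game `trials` times with fresh keys; return the win count."""
    wins = 0
    for _ in range(trials):
        key = os.urandom(32)
        oracle = lambda m, k=key: scheme.encrypt(k, m)  # chosen-plaintext access
        m0, m1, state = adversary.choose(oracle)
        if len(m0) != len(m1):
            raise ValueError("challenge messages must be of equal length")
        b = secrets.randbelow(2)
        challenge = scheme.encrypt(key, m0 if b == 0 else m1)
        if adversary.guess(oracle, challenge, state) == b:
            wins += 1
    return wins


if __name__ == "__main__":
    print("deterministic:", ind_cpa_game(DeterministicScheme(), ReplayDistinguisher(), 100), "/ 100")
    print("randomised:   ", ind_cpa_game(RandomisedScheme(), ReplayDistinguisher(), 100), "/ 100")
```

The deterministic variant leaks exactly the thing the definition forbids: whether two ciphertexts carry the same message, which is enough to tell “the encryption of some string” from “the encryption of nonsense” after a single oracle query. Against the randomised variant the same adversary is reduced to guessing, so its advantage over one half is what has to be bounded, not its raw win count.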
-
- informal n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
Expressed in natural language.
-
- information n.
-
RFC 2828 (2000)
-
(I) Facts and ideas, which can be represented (encoded) as various forms of data.
-
NIST IR 7298 (2006)
-
FIPS 200
-
An instance of an information type.
-
- information assurance n.
-
NIST IR 7298 (2006)
-
SP 800-59; CNSSI-4009
-
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
-
- information owner n.
-
NIST IR 7298 (2006)
-
SP 800-53; CNSSI-4009
-
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
-
- information resource n.
-
NIST IR 7298 (2006)
-
SP 800-53; 44 U.S.C., Sec. 3502
-
information resources
-
Information and related resources, such as personnel, equipment, funds, and information technology.
-
FIPS 200; FIPS 199
-
information resources
-
Information and related resources, such as personnel, equipment, funds, and information technology.
-
- information security n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 17799: 2000
-
The preservation of confidentiality, integrity and availability of information. Note: Confidentiality is defined as ensuring that information is accessible only to those authorized to have access. Integrity is defined as safeguarding the accuracy and completeness of information and processing methods. Availability is defined as ensuring that authorised users have access to information and associated assets when required.
-
NIST IR 7298 (2006)
-
SP 800-53; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
-
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
-
SP 800-66; 44 U.S.C., Sec 3541
-
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —
-
integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
-
confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
-
availability, which means ensuring timely and reliable access to and use of information.
-
- information security management system (ISMS) n.
-
IAEG LIAF (2008)
-
A system of management concerned with information security.
-
The key concept of ISMS is the design, implementation, and maintenance of a coherent suite of processes and systems for effectively managing information security, thus ensuring the confidentiality, integrity, and availability of information assets and minimizing information security risks.
-
- information security policy n.
-
See: security policy.
-
- information sharing n.
-
NIST IR 7298 (2006)
-
SP 800-16
-
The requirements for information sharing by an IT system with one or more other IT systems or applications, for information sharing to support multiple internal or external organizations, missions, or public programs.
-
- information system n.
-
RFC 2828 (2000)
-
automated information system
-
(I) An organized assembly of resources and procedures – i.e., computing and communications equipment and services, with their supporting facilities and personnel – that collect, record, process, store, transport, retrieve, or display information to accomplish a specified set of functions.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999, ISO/IEC WD 15443-1 (11/2001)
-
system
-
A specific IT installation, with a particular purpose and operational environment.
-
NIST IR 7298 (2006)
-
SP 800-53; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3502; OMB Circular A-130, App. III
-
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
-
- information system owner n.
-
NIST IR 7298 (2006)
-
SP 800-53; CNSSI-4009 Adapted
-
information system owner, program manager
-
Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
-
FIPS 200; CNSSI-4009 Adapted
-
Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
-
- information system security officer (ISSO) n.
-
NIST IR 7298 (2006)
-
SP 800-53; CNSSI-4009 Adapted
-
Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring the appropriate operational security posture is maintained for an information system or program.
-
- information technology n.
-
NIST IR 7298 (2006)
-
SP 800-53; FIPS 200; FIPS 199; 40 U.S.C., Sec. 11101
-
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which —
-
requires the use of such equipment; or
-
requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
-
The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
-
- Information Technology Security Evaluation Criteria (ITSEC) n.
-
RFC 2828 (2000)
-
(N) Standard developed for use in the European Union; accommodates a wider range of security assurance and functionality combinations than the TCSEC. Superseded by the Common Criteria. [ITSEC]
-
- information type n.
-
NIST IR 7298 (2006)
-
SP 800-53; FIPS 200; FIPS 199
-
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.
-
- INFOSEC n.
-
RFC 2828 (2000)
-
(I) Abbreviation for information security, referring to security measures that implement and assure security services in computer systems (i.e., COMPUSEC) and communication systems (i.e., COMSEC).
-
- ingress filtering n.
-
NIST IR 7298 (2006)
-
SP 800-61
-
The process of blocking incoming packets that use obviously false IP addresses, such as reserved source addresses.
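As an added illustration of the SP 800-61 definition above (example code, not from the glossary or from NIST): a classifier that flags inbound packets whose source address falls in a well-known reserved range, or inside a hypothetical site prefix that should never arrive from outside, run over constructed firewall log lines.

```python
"""Ingress filter check for obviously false source addresses.

Added example, not part of the glossary. The site prefix and the log
lines are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Well-known reserved blocks that are never legitimate source addresses
# for a packet arriving from the public Internet.
RESERVED_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network / unspecified
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved (includes limited broadcast)
    "::/128",           # IPv6 unspecified
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]

# Hypothetical site prefix (constructed): a packet from the outside that
# claims a source inside it is spoofed and must be dropped as well.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def classify_source(src: str) -> str:
    """Return 'accept' or 'drop:<reason>' for an inbound source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:unparseable"
    for net in RESERVED_SOURCE_NETS:
        if addr.version == net.version and addr in net:
            return f"drop:reserved({net})"
    if addr.version == SITE_PREFIX.version and addr in SITE_PREFIX:
        return "drop:spoofed-internal"
    return "accept"


# Constructed log lines in the shape '<timestamp> src=<ip> dst=<ip> proto=<p>'.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z src=10.0.0.5 dst=203.0.113.10 proto=tcp",
    "2024-01-01T00:00:02Z src=198.51.100.7 dst=203.0.113.10 proto=tcp",
    "2024-01-01T00:00:03Z src=203.0.113.99 dst=203.0.113.10 proto=udp",
    "2024-01-01T00:00:04Z src=fe80::1 dst=2001:db8::10 proto=tcp",
    "2024-01-01T00:00:05Z src=2001:db8:1::7 dst=2001:db8::10 proto=tcp",
]


def filter_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse each log line and return (source address, verdict) pairs."""
    results = []
    for line in lines:
        # Skip the timestamp, then read the key=value tokens.
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        src = fields.get("src", "")
        results.append((src, classify_source(src)))
    return results


if __name__ == "__main__":
    for src, verdict in filter_log(SAMPLE_LOG):
        print(f"{src:>20}  {verdict}")
```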
-
- initial SOAP sender n.
-
OASIS SAML 2.0 (2005)
-
The SOAP sender that originates a SOAP message at the starting point of a SOAP message path. [WSGloss]
-
- initial transformation n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 9797-1: 1999
-
A function that is applied at the beginning of a MAC algorithm.
-
- initialization value (IV) n.
-
RFC 2828 (2000)
-
(I) An input parameter that sets the starting state of a cryptographic algorithm or mode. (Sometimes called initialization vector or message indicator.)
-
(C) An IV can be used to introduce cryptographic variance in addition to that provided by a key (see: salt), and to synchronize one cryptographic process with another. For an example of the latter, cipher block chaining mode requires an IV. [R2405]
-
SC 27 SD 6 (2002)
-
ISO/IEC 10118-1: 2000
-
initializing value
-
A value used in defining the starting point of a hash-function.
-
ISO/IEC FDIS 9797-2 (09/2000)
-
Value used in defining the starting point of a hash-function.
-
ISO 8372: 1987, ISO/IEC CD 10116 (12/2001)
-
Value used in defining the starting point of an encipherment process.
-
NIST IR 7298 (2006)
-
SP 800-57; FIPS 140-2
-
initialization vector
-
A vector used in defining the starting point of an encryption process within a cryptographic algorithm.
-
- initialization vector n.
-
RFC 2828 (2000)
-
(D) For consistency, ISDs SHOULD NOT use this term as a synonym for initialization value.
-
… but SP 800-57 and FIPS 140-2 do!
-
- initializing value n.
-
See: initialization value.
-
- initiator n.
-
See: subject.
-
- insider attack n.
-
See: (secondary definition under) attack.
-
- inside threat n.
-
NIST IR 7298 (2006)
-
SP 800-32
-
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
-
- Institute of Electrical and Electronics Engineers, Inc. (IEEE)
-
RFC 2828 (2000)
-
(N) The IEEE is a not-for-profit association of more than 330,000 individual members in 150 countries. The IEEE produces 30 percent of the world’s published literature in electrical engineering, computers, and control technology; holds annually more than 300 major conferences; and has more than 800 active standards with 700 under development. (See: Standards for Interoperable LAN/MAN Security.)
-
- integrated circuit n.
-
SCA ISCTAG (2007)
-
Electronic component(s) designed to perform processing and/or memory functions. See chip.
-
- integrated circuit card (ICC) n.
-
SCA ISCTAG (2007)
-
ICC typically refers to a plastic (or other material) card containing an integrated circuit which is compatible to ISO/IEC 7816.
-
- integrity n.
-
RFC 2828 (2000)
-
See: data integrity, correctness integrity, source integrity, system integrity.
-
SC 27 SD 6 (2002)
-
ISO/IEC PDTR 13335-1 (11/2001)
-
The property of safeguarding the accuracy and completeness of assets.
-
- integrity check n.
-
RFC 2828 (2000)
-
(D) ISDs SHOULD NOT use this term as a synonym for cryptographic hash (see: (secondary definition under) hash function) or protected checksum, because this term unnecessarily duplicates the meaning of other, well-established terms.
-
- intellectual property n.
-
NIST IR 7298 (2006)
-
SP 800-32
-
Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation.
-
- intelligent threat n.
-
RFC 2828 (2000)
-
(I) A circumstance in which an adversary has the technical and operational capability to detect and exploit a vulnerability and also has the demonstrated, presumed, or inferred intent to do so. (See: threat.)
-
- interconnection, system n.
-
See: system interconnection.
-
- interconnection security agreement (ISA) n.
-
NIST IR 7298 (2006)
-
SP 800-47
-
An agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.
-
- interface device (IFD) n.
-
In general, a hardware component or system of components that allows a human being to interact with an information system. Also called: human interface device (HID).
-
See: reader, smart-card interface device.
-
- interleaving attack n.
-
SC 27 SD 6 (2002)
-
A masquerade which involves use of information derived from one or more ongoing or previous authentication exchanges. [ISO/IEC 9798-1: 1997]
-
- intermediate biometric sample n.
-
JTC 1/SC 37 (2006⇒2008)
-
Biometric sample that is output of intermediate biometric sample processing.
-
Example: Intermediate biometric samples may have been enhanced for biometric feature extraction, compressed for compact storage purposes, etc.
-
- intermediate biometric sample processing n.
-
JTC 1/SC 37 (2006⇒2008)
-
Any manipulation of a biometric sample that does not produce biometric features.
-
Example: Examples of intermediate biometric sample processing include cropping, down-sampling, compression, conversion to data interchange formats standard and image enhancement.
-
- intermediate certification authority, - intermediate CA n.
-
NIST IR 7298 (2006)
-
SP 800-32
-
A certification authority that is subordinate to another CA, and has a CA subordinate to itself.
-
- internal communication channel n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
A communication channel between separated parts of TOE.
-
- internal TOE transfer n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
Communicating data between separated parts of the TOE.
-
- International Civil Aviation Organization Machine Readable Travel Document (ICAO MRTD) n.
-
SCA ISCTAG (2007)
-
ICAO establishes international standards for travel documents. An MRTD is an international travel document (e.g., a passport or visa) containing eye- and machine-readable data. ICAO Document 9303 is the international standard for MRTDs.
-
- International Data Encryption Algorithm (IDEA) n.
-
RFC 2828 (2000)
-
(N) A patented, symmetric block cipher that uses a 128-bit key and operates on 64-bit blocks. [Schn] (See: symmetric cryptography.)
-
- International Electrotechnical Commission (IEC) n.
-
???
-
- International Standard n.
-
See: (secondary definition under) ISO.
-
- International Traffic in Arms Regulations (ITAR) n.
-
RFC 2828 (2000)
-
(N) Rules issued by the U.S. State Department, by authority of the Arms Export Control Act (22 U.S.C. 2778), to control export and import of defense articles and defense services, including information security systems, such as cryptographic systems, and TEMPEST suppression technology. (See: Wassenaar Arrangement.)
-
- internet n.
-
Compare with Internet
-
RFC 2828 (2000)
-
(I) A popular abbreviation for internetwork.
-
- Internet n.
-
Compare with internet, and see note below.
-
RFC 2828 (2000)
-
(I) The Internet is the single, interconnected, worldwide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the IAB [R2026] and the name and address spaces managed by the ICANN.
-
(C) The protocol set is named the Internet Protocol Suite. It also is popularly known as TCP/IP, because TCP and IP are two of its fundamental components. These protocols enable a user of any one of the networks in the Internet to communicate with, or use services located on, any of the other networks.
-
(C) Although the Internet does have architectural principles [R1958], no Internet Standard formally defines a layered reference model for the IPS that is similar to the OSIRM. However, Internet community documents do refer (inconsistently) to layers: application, socket, transport, internetwork, network, data link, and physical. In this Glossary, Internet layers are referred to by name to avoid confusing them with OSIRM layers, which are referred to by number.
-
Do you put an initial capital letter on “Internet”, or the related words “Net” and “Web”? This may seem a fussy, not to say pedantic, question. But it’s one that copy editors and those charged with creating the house styles for publishing firms must wrestle with in order to create text that looks consistent, avoids annoying or confusing readers, and quietly states that it forms part of a unified publication, whoever wrote the words. This came into the news this week because Wired magazine, the house magazine of Net geeks, publicised a change of policy (see It’s Just the 'internet' Now). From now on, it says, all three words will be written in lower case. “Why?”, writes Tony Long, the copy chief. “The simple answer is because there is no earthly reason to capitalize any of these words. Actually, there never was.”
Hm. There are arguments for following the magazine’s lead, as we shall see, but Tony Long’s comment ignores the historical evidence. The Internet was originally, in the late 1960s, a US Department of Defense project called ARPAnet (after the Department’s Advanced Research Projects Agency). It was designed to permit its academic researchers to talk to each other more effectively by linking their individual computer networks. So it was an “inter-network”, or “internet”. The latter word, in lower-case, seems to have been first used in 1974, in a standards document written by Vint Cerf; references to it in memoranda and technical specifications in the following years were also usually lower case. The first example in the Oxford English Dictionary’s entry with an initial capital letter is from the magazine Network World in 1986, though by then it had become common in standards documents, too. Virtually all publications adopted this style into and through the 1990s.
The reasoning behind capitalising it was that there was just one entity that was called by this title, that it was a specific thing with a proper name, and that by the usual rules that name ought to be capitalised. In the USA, an initial capital is still the norm and is recommended in style guides. But we’ve begun to see a shift away from the use of an initial capital letter in all three words, especially in the UK, where the Daily Telegraph, the Independent, the Guardian, and the New Scientist have all lower-cased “Internet” for several years.
The reason is hinted at in Tony Long’s piece: in public perception the Internet has changed from a device to a process. It’s becoming regarded as a communications medium and most people don’t think of themselves as Internet users. Instead, their mental focus is on what they’re doing - they’re getting information, sending e-mails to their friends, or downloading music - in just the same way that they think of the telephone. You don’t call it “The Telephone”, you regard it as a generalised mechanism with which to get in touch with a friend or order a pizza. And just as we don’t capitalise the words for media such as “television”, “radio”, “mail”, “telephone”, or “newspaper”, why should we capitalise “Internet”? The change, though minor in itself, is a cultural marker for a shift in public perception and a further sign that the Internet is becoming a mature medium. I’ve no doubt myself that the lower-case forms will eventually prevail.
So what do I do now? My personal house style says the words should have initial caps. As with everybody else in the business of words, the decision by Wired magazine is another indication that at some point I may have to rethink.
[Michael Quinion, World Wide Words (newsletter), 21 August 2004]
-
Several subscribers pointed out that in the early days of networking several other internets existed, such as BITNET, so that the capitalisation of “Internet” distinguished it from the others. With the loss of many of these other networks, or their subsumption within the Internet, the need to mark the latter this way is less acute. Some technically minded readers argued it’s worth retaining a distinction between “an internet”, any set of networks that might exist within a large organisation (such as a telecoms company or an academic network such as JANET in Britain), and “The Internet”, the publicly available federated network. However, I suspect this will cut little ice with the general public, which is generally unaware there is any other internetwork apart from the Internet.
[Michael Quinion, World Wide Words (newsletter), 28 August 2004]
-
- Internet Architecture Board (IAB) n.
-
RFC 2828 (2000)
-
(I) A technical advisory group of the ISOC, chartered by the ISOC Trustees to provide oversight of Internet architecture and protocols and, in the context of Internet Standards, a body to which decisions of the IESG may be appealed. Responsible for approving appointments to the IESG from among nominees submitted by the IETF nominating committee. [R2026]
-
- Internet Assigned Numbers Authority (IANA) n.
-
RFC 2828 (2000)
-
(I) From the early days of the Internet, the IANA was chartered by the ISOC and the U.S. Government’s Federal Network Council to be the central coordination, allocation, and registration body for parameters for Internet protocols. Superseded by ICANN.
-
- Internet Control Message Protocol (ICMP) n.
-
RFC 2828 (2000)
-
(I) An Internet Standard protocol [R0792] that is used to report error conditions during IP datagram processing and to exchange other information concerning the state of the IP network.
-
- Internet Corporation for Assigned Names and Numbers (ICANN) n.
-
RFC 2828 (2000)
-
(I) The non-profit, private corporation that has assumed responsibility for the IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions formerly performed under U.S. Government contract by IANA and other entities.
-
(C) The Internet Protocol Suite, as defined by the IETF and the IESG, contains numerous parameters, such as internet addresses, domain names, autonomous system numbers, protocol numbers, port numbers, management information base object identifiers, including private enterprise numbers, and many others. The Internet community requires that the values used in these parameter fields be assigned uniquely. ICANN makes those assignments as requested and maintains a registry of the current values.
-
(C) ICANN was formed in October 1998, by a coalition of the Internet’s business, technical, and academic communities. The U.S. Government designated ICANN to serve as the global consensus entity with responsibility for coordinating four key functions for the Internet: the allocation of IP address space, the assignment of protocol parameters, the management of the DNS, and the management of the DNS root server system.
-
- Internet Draft n.
-
RFC 2828 (2000)
-
(I) A working document of the IETF, its areas, and its working groups. (Other groups may also distribute working documents as Internet Drafts.) An Internet Draft is not an archival document like an RFC is. Instead, an Internet Draft is a preliminary or working document that is valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use an Internet Draft as reference material or to cite it other than as “work in progress”.
-
- Internet Engineering Steering Group (IESG) n.
-
RFC 2828 (2000)
-
(I) The part of the ISOC responsible for technical management of IETF activities and administration of the Internet Standards Process according to procedures approved by the ISOC Trustees. Directly responsible for actions along the standards track, including final approval of specifications as Internet Standards. Composed of IETF Area Directors and the IETF chairperson, who also chairs the IESG. [R2026]
-
- Internet Engineering Task Force (IETF) n.
-
RFC 2828 (2000)
-
(I) A self-organized group of people who make contributions to the development of Internet technology. The principal body engaged in developing Internet Standards, although not itself a part of the ISOC. Composed of Working Groups, which are arranged into Areas (such as the Security Area), each coordinated by one or more Area Directors. Nominations to the IAB and the IESG are made by a committee selected at random from regular IETF meeting attendees who have volunteered. [R2026, R2323]
-
- Internet Message Access Protocol, version 4 (IMAP4) n.
-
RFC 2828 (2000)
-
(I) An Internet protocol [R2060] by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client. (See: POP3.)
-
(C) IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services. (See: IMAP4 AUTHENTICATE.)
-
- Internet Policy Certification Authority (IPCA) n.
-
No such heading in RFC 2828, although it is cross-referenced.
-
- Internet Policy Registration Authority (IPRA) n.
-
RFC 2828 (2000)
-
(I) An X.509-compliant CA that is the top CA of the Internet certification hierarchy operated under the auspices of the ISOC [R1422]. (See: (PEM usage under) certification hierarchy.)
-
This looks like the definition of IPCA (missing), not IPRA.
-
- Internet Protocol (IP) n.
-
RFC 2828 (2000)
-
(I) An Internet Standard protocol (version 4 [R0791] and version 6 [R2460]) that moves datagrams (discrete sets of bits) from one computer to another across an internetwork but does not provide reliable delivery, flow control, sequencing, or other end-to-end services that TCP provides. (See: IP address, TCP/IP.)
-
(C) In the OSIRM, IP would be located at the top of layer 3.
-
- Internet Protocol security (IPsec) n.
-
RFC 2828 (2000)
-
(I) 1. The name of the IETF working group that is specifying a security architecture [R2401] and protocols to provide security services for Internet Protocol traffic. 2. A collective name for that architecture and set of protocols. (Implementation of IPsec protocols is optional for IP version 4, but mandatory for IP version 6.) (See: Internet Protocol Security Option.)
-
(C) Note that the letters “sec” are lower-case.
-
(C) The IPsec architecture specifies (a) security protocols (AH and ESP), (b) security associations (what they are, how they work, how they are managed, and associated processing), (c) key management (IKE), and (d) algorithms for authentication and encryption. The set of security services include access control service, connectionless data integrity service, data origin authentication service, protection against replays (detection of the arrival of duplicate datagrams, within a constrained window), data confidentiality service, and limited traffic flow confidentiality.
-
NIST IR 7298 (2006)
-
SP 800-46
-
IP security (IPsec)
-
An Institute of Electrical and Electronic Engineers (IEEE) standard, Request For Comments (RFC) 2411, protocol that provides security capabilities at the Internet Protocol (IP) layer of communications. IPsec’s key management protocol is used to negotiate the secret keys that protect Virtual Private Network (VPN) communications, and the level and type of security protections that will characterize the VPN. The most widely used key management protocol is the Internet Key Exchange (IKE) protocol.
-
- Internet Protocol Security Option (IPSO) n.
-
RFC 2828 (2000)
-
(I) Refers to one of three types of IP security options, which are fields that may be added to an IP datagram for the purpose of carrying security information about the datagram. (See: IPsec.)
-
(D) ISDs SHOULD NOT use this term without a modifier to indicate which of the three types is meant.
-
DoD Basic Security Option (IP option type 130): Defined for use on U.S. Department of Defense common user data networks. Identifies the Defense classification level at which the datagram is to be protected and the protection authorities whose rules apply to the datagram. [R1108] A protection authority is a National Access Program (e.g., GENSER, SIOP-ESI, SCI, NSA, Department of Energy) or Special Access Program that specifies protection rules for transmission and processing of the information contained in the datagram. [R1108]
-
DoD Extended Security Option (IP option type 133): Permits additional security labeling information, beyond that present in the Basic Security Option, to be supplied in the datagram to meet the needs of registered authorities. [R1108]
-
Common IP Security Option (CIPSO) (IP option type 134): Designed by TSIG to carry hierarchic and non-hierarchic security labels. (Formerly called Commercial IP Security Option.) Was published as Internet-Draft [CIPSO]; not advanced to RFC.
-
- Internet Protocol Suite n.
-
See: (secondary definition under) Internet.
-
- Internet Security Association and Key Management Protocol (ISAKMP) n.
-
RFC 2828 (2000)
-
(I) An Internet IPsec protocol [R2408] to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.
-
(C) ISAKMP supports negotiation of security associations for protocols at all TCP/IP layers. By centralizing management of security associations, ISAKMP reduces duplicated functionality within each protocol. ISAKMP can also reduce connection setup time, by negotiating a whole stack of services at once. Strong authentication is required on ISAKMP exchanges, and a digital signature algorithm based on asymmetric cryptography is used within ISAKMP’s authentication component.
-
- Internet Society (ISOC) n.
-
RFC 2828 (2000)
-
(I) A professional society concerned with Internet development (including technical Internet Standards); with how the Internet is and can be used; and with social, political, and technical issues that result. The ISOC Board of Trustees approves appointments to the IAB from among nominees submitted by the IETF nominating committee. [R2026]
-
- Internet Standard n.
-
RFC 2828 (2000)
-
(I) A specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. [R2026] (See: RFC.)
-
(C) The Internet Standards Process is an activity of the ISOC and is organized and managed by the IAB and the IESG. The process is concerned with all protocols, procedures, and conventions used in or by the Internet, whether or not they are part of the Internet Protocol Suite. The Internet Standards Track has three levels of increasing maturity:
-
Proposed Standard,
-
Draft Standard, and
-
Standard.
-
(See: (standards levels under) ISO.)
-
- Internet Standards document (ISD) n.
-
RFC 2828 (2000)
-
(C) In this Glossary, this term refers to an RFC, Internet-Draft, or other item that is produced as part of the Internet Standards Process [R2026]. However, neither the term nor the abbreviation is widely accepted and, therefore, SHOULD NOT be used in an ISD unless it is accompanied by an explanation like this. (See: Internet Standard.)
-
- internetwork n.
-
RFC 2828 (2000)
-
(I) A system of interconnected networks; a network of networks. Usually shortened to internet. (Contrast: Internet.)
-
(C) An internet is usually built using OSI layer 3 gateways to connect a set of subnetworks. When the subnetworks differ in the OSI layer 3 protocol service they provide, the gateways sometimes implement a uniform internetwork protocol (e.g., IP) that operates at the top of layer 3 and hides the underlying heterogeneity from hosts that use communication services provided by the internet. (See: router.)
-
- interoperability n.
-
NIST IR 7298 (2006)
-
FIPS 201
-
In FIPS 201, interoperability allows any Government facility or information system, regardless of the cardholder’s parent organization, to authenticate cardholder’s identity using the credentials stored on the personal identity verification (PIV) card.
-
SCA ISCTAG (2007)
-
a. The ability of two or more systems or components to exchange information and to use the information that has been exchanged.
-
b. For the purposes of FIPS 201, the ability for any government facility or information system, regardless of the PIV issuer, to verify a cardholder’s identity using the credentials on the PIV card.
-
- inter-TSF transfers n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
Communicating data between the TOE and the security functions of other trusted IT products.
-
- intranet n.
-
RFC 2828 (2000)
-
(I) A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders. (See: extranet, virtual private network.)
-
- intruder n.
-
RFC 2828 (2000)
-
(I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (See: cracker.)
-
- intrusion n.
-
RFC 2828 (2000)
-
security intrusion
-
(I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
-
SC 27 SD 6 (2002)
-
ISO/IEC DTR 15947 (10/2001)
-
A deliberate or accidental set of events that potentially causes unauthorized access to, activity against, and/or activity in, an information technology (IT) system.
-
- intrusion detection n.
-
RFC 2828 (2000)
-
(I) A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
-
SC 27 SD 6 (2002)
-
ISO/IEC DTR 15947 (10/2001)
-
The process of identifying that an intrusion has been attempted, is occurring, or has occurred.
-
- intrusion detection system (IDS) n.
-
SC 27 SD 6 (2002)
-
ISO/IEC DTR 15947 (10/2001)
-
A technical system that is used to identify and respond to intrusions in IT systems.
-
NIST IR 7298 (2006)
-
SP 800-61
-
Software that looks for suspicious activity and alerts administrators.
-
An IDS may be of one of two types:
-
-
- host-based IDS (HIDS)
-
NIST IR 7298 (2006)
-
SP 800-36
-
IDS – host-based
-
IDSs which operate on information collected from within an individual computer system. This vantage point allows host-based IDSs to determine exactly which processes and user accounts are involved in a particular attack on the operating system. Furthermore, unlike network-based IDSs, host-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks.
-
- network-based IDS (NIDS)
-
NIST IR 7298 (2006)
-
SP 800-36
-
IDS – network-based
-
IDSs which detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment.
-
Gartner’s Richard Stiennon “killed” IDSs in 2003. They’ve been superseded by…
-
- intrusion prevention system (IPS) n.
-
NIST IR 7298 (2006)
-
SP 800-36
-
intrusion prevention systems
-
Systems which can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
-
- invalidity date n.
-
RFC 2828 (2000)
-
(N) An X.509 CRL entry extension that “indicates the date at which it is known or suspected that the [revoked certificate’s private key] was compromised or that the certificate should otherwise be considered invalid” [X509].
-
(C) This date may be earlier than the revocation date in the CRL entry, and may even be earlier than the date of issue of earlier CRLs. However, the invalidity date is not, by itself, sufficient for purposes of non-repudiation service. For example, to fraudulently repudiate a validly-generated signature, a private key holder may falsely claim that the key was compromised at some time in the past.
-
- inverse cipher n.
-
NIST IR 7298 (2006)
-
FIPS 197
-
Series of transformations that converts ciphertext to plaintext using the cipher key.
-
- IP n.
-
See: Internet Protocol.
-
- IP address n.
-
RFC 2828 (2000)
-
(I) A computer’s internetwork address that is assigned for use by the Internet Protocol and other protocols.
-
(C) An IP version 4 [R0791] address is written as a series of four 8-bit numbers separated by periods. For example, the address of the host named rosslyn.bbn.com is 192.1.7.10.
-
(C) An IP version 6 [R2373] address is written as x:x:x:x:x:x:x:x, where each x is the hexadecimal value of one of the eight 16-bit parts of the address. For example, 1080:0:0:0:8:800:200C:417A and FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.
-
NIST IR 7298 (2006)
-
SP 800-46
-
An IP address is a unique number for a computer that is used to determine where messages transmitted on the Internet should be delivered. The IP address is analogous to a house number for ordinary postal mail.
-
- IP Security Option n.
-
See: Internet Protocol Security Option.
-
- IPRA n.
-
See: Internet Policy Registration Authority.
-
- IPsec n.
-
See: Internet Protocol security.
-
- IPsec Key Exchange (IKE) n.
-
RFC 2828 (2000)
-
(I) An Internet, IPsec, key-establishment protocol [R2409] (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.
-
- IPSO n.
-
See: Internet Protocol Security Option.
-
- IrisCode n.
-
iAfB-ICSA 1999
-
The biometric data that is generated for each live iris presented. The code is a mathematical representation of the features of the iris.
-
- iris features n.
-
iAfB-ICSA 1999
-
A number of features can be found in the iris. These are named corona, crypts, filaments, freckles, pits, radial furrows and striations.
-
- iris recognition n.
-
iAfB-ICSA 1999
-
A physical biometric that analyses iris features, found in the coloured ring of tissue that surrounds the pupil.
-
- irreversible encipherment, - irreversible encryption n.
-
See: one-way encryption.
-
- ISAKMP n.
-
See: Internet Security Association and Key Management Protocol.
-
- ISD n.
-
See: Internet Standards document.
-
- ISO n.
-
RFC 2828 (2000)
-
(I) International Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations. (See: ANSI, ITU-T.)
-
(C) Legally, ISO is a Swiss, non-profit, private organization. ISO and the IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in developing international standards through ISO and IEC technical committees that deal with particular fields of activity. Other international governmental and non-governmental organizations, in liaison with ISO and IEC, also take part. (ANSI is the U.S. voting member of ISO. ISO is a class D member of ITU-T.)
-
(C) The ISO standards development process has four levels of increasing maturity: Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), and International Standard (IS). (See: (standards track levels under) Internet Standard.) In information technology, ISO and IEC have a joint technical committee, ISO/IEC JTC 1. DISs adopted by JTC 1 are circulated to national bodies for voting, and publication as an IS requires approval by at least 75% of the national bodies casting a vote.
-
- ISOC n.
-
See: Internet Society.
-
- ISO/IEC 7810 n.
-
SCA ISCTAG (2007)
-
The series of international standards describing the characteristics of identification cards, including physical characteristics, sizes, thickness, dimensions, construction, materials and other requirements.
-
ISO/IEC 7810:2003 “Identification cards -- Physical characteristics”
-
- ISO/IEC 7812 n.
-
SCA ISCTAG (2007)
-
The governing international standard for magnetic-stripe identification cards, such as door entry cards, automated teller machine (ATM) cards, and credit cards.
-
ISO/IEC 7812-1:2006 “Identification cards -- Identification of issuers -- Part 1: Numbering system”
-
ISO/IEC 7812-2:2007 “Identification cards -- Identification of issuers -- Part 2: Application and registration procedures”
-
- ISO/IEC 7816 n.
-
SCA ISCTAG (2007)
-
The international standard for integrated circuit cards with contacts, as well as the command set for all smart cards.
-
ISO/IEC 7816-1:1998: “Identification cards -- Integrated circuit(s) cards with contacts -- Part 1: Physical characteristics”
-
ISO/IEC 7816-2:1999: “Identification cards -- Integrated circuit cards -- Part 2: Cards with contacts -- Dimensions and location of the contacts”
-
ISO/IEC 7816-3:1997: “Identification cards -- Integrated circuit(s) cards with contacts -- Part 3: Electronic signals and transmission protocols”
-
ISO/IEC 7816-4:2005: “Identification cards -- Integrated circuit cards -- Part 4: Organization, security and commands for interchange”
-
ISO/IEC 7816-5:2004: “Identification cards -- Integrated circuit cards -- Part 5: Registration of application providers”
-
ISO/IEC 7816-6:2004: “Identification cards -- Integrated circuit cards -- Part 6: Interindustry data elements for interchange”
-
ISO/IEC 7816-7:1999: “Identification cards -- Integrated circuit(s) cards with contacts -- Part 7: Interindustry commands for Structured Card Query Language (SCQL)”
-
ISO/IEC 7816-8:2004: “Identification cards -- Integrated circuit cards -- Part 8: Commands for security operations”
-
ISO/IEC 7816-9:2004: “Identification cards -- Integrated circuit cards -- Part 9: Commands for card management”
-
ISO/IEC 7816-10:1999: “Identification cards -- Integrated circuit(s) cards with contacts -- Part 10: Electronic signals and answer to reset for synchronous cards”
-
ISO/IEC 7816-11:2004: “Identification cards -- Integrated circuit cards -- Part 11: Personal verification through biometric methods”
-
ISO/IEC 7816-12:2005: “Identification cards -- Integrated circuit cards -- Part 12: Cards with contacts -- USB electrical interface and operating procedures”
-
ISO/IEC 7816-15:2004: “Identification cards -- Integrated circuit cards -- Part 15: Cryptographic information application”
-
- ISO/IEC 14443 n.
-
SCA ISCTAG (2007)
-
The international standard, “Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards”, for contactless smart chips and cards that operate (i.e., can be read from or written to) at a distance of less than 10 centimeters (4 inches). This standard operates at 13.56 MHz.
-
ISO/IEC 14443-1:2008 “Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 1: Physical characteristics”
-
ISO/IEC 14443-2:2001 “Identification cards -- Contactless integrated circuit(s) cards -- Proximity cards -- Part 2: Radio frequency power and signal interface”
-
ISO/IEC 14443-3:2001 “Identification cards -- Contactless integrated circuit(s) cards -- Proximity cards -- Part 3: Initialization and anticollision”
-
ISO/IEC 14443-4:2008 “Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 4: Transmission protocol”
-
- ISO/IEC 15693 n.
-
SCA ISCTAG (2007)
-
The international standard, “Identification Cards - Contactless Integrated Circuit(s) Cards - Vicinity Cards”, for cards operating at the 13.56 MHz frequency which can be read from a greater distance as compared to proximity cards. (See ISO/IEC 14443.)
-
ISO/IEC 15693-1:2000 “Identification cards -- Contactless integrated circuit(s) cards -- Vicinity cards -- Part 1: Physical characteristics”
-
ISO/IEC 15693-2:2006 “Identification cards -- Contactless integrated circuit cards -- Vicinity cards -- Part 2: Air interface and initialization”
-
ISO/IEC 15693-3:2001 “Identification cards -- Contactless integrated circuit(s) cards -- Vicinity cards -- Part 3: Anticollision and transmission protocol”
-
- ISO/IEC 17799 n.
-
See: ISO/IEC 27000.
-
- ISO/IEC 24727 n.
-
SCA ISCTAG (2007)
-
A set of programming interfaces for interactions between integrated circuit cards and external applications to include generic services for multi-sector use.
-
ISO/IEC 24727-1:2007 “Identification cards -- Integrated circuit card programming interfaces -- Part 1: Architecture”
-
ISO/IEC 24727-2:2008 “Identification cards -- Integrated circuit card programming interfaces -- Part 2: Generic card interface”
-
ISO/IEC 24727-3:2008 “Identification cards -- Integrated circuit card programming interfaces -- Part 3: Application interface”
-
ISO/IEC 24727-4:2008 “Identification cards -- Integrated circuit card programming interfaces -- Part 4: Application programming interface (API) administration”
-
- ISO/IEC 27000 n.
-
A series of International Standards covering aspects of information security management systems.
-
ISO/IEC FCD 27000 “Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary” (under development)
-
ISO/IEC 27001:2005 “Information technology -- Security techniques -- Information security management systems -- Requirements”
-
ISO/IEC 27002:2005 “Information technology -- Security techniques -- Code of practice for information security management”
-
ISO/IEC FCD 27003 “Information technology -- Information security management system implementation guidance” (under development)
-
ISO/IEC FCD 27004.2 “Information technology -- Security techniques -- Information security management -- Measurement” (under development)
-
ISO/IEC 27005:2008 “Information technology -- Security techniques -- Information security risk management”
-
ISO/IEC 27006:2007 “Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems”
-
ISO/IEC WD 27007 “Guidelines for Information security management systems auditing”
-
ISO/IEC FDIS 27011 “Information technology -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002” (under development)
-
ISO 27799:2008 “Health informatics -- Information security management in health using ISO/IEC 27002”
-
- issue vb.
-
… a digital certificate or CRL
-
RFC 2828 (2000)
-
(I) Generate and sign a digital certificate (or CRL) and, usually, distribute it and make it available to potential certificate users (or CRL users). (See: certificate creation.)
-
(C) The ABA Guidelines [ABA] explicitly limit this term to certificate creation, and exclude the act of publishing. In general usage, however, issuing a digital certificate (or CRL) includes not only certificate creation but also making it available to potential users, such as by storing it in a repository or other directory or otherwise publishing it.
-
- issuer, - issuing authority n.
-
RFC 2828 (2000)
-
issuer
-
1. (I) issuer of a certificate or CRL: The CA that signs the digital certificate or CRL.
-
(C) An X.509 certificate always includes the issuer’s name. The name may include a common name value.
-
2. (N) issuer of a payment card: SET usage: “The financial institution or its agent that issues the unique primary account number to the cardholder for the payment card brand.” [SET2]
-
(C) The institution that establishes the account for a cardholder and issues the payment card also guarantees payment for authorized transactions that use the card in accordance with card brand regulations and local legislation. [SET1]
-
SCA ISCTAG (2007)
-
issuer (or issuing authority)
-
The organization that issues an identity card to an individual after identity proofing, background checks and related approvals have been completed. Typically this is an organization for which the individual is working.
-
IAEG LIAF (2008)
-
issuer (or issuing authority)
-
Somebody or something that supplies or distributes something officially.
-
- ITAR n.
-
See: International Traffic in Arms Regulations.
-
- IT-related risk n.
-
NIST IR 7298 (2006)
-
SP 800-27A
-
The net mission/business impact considering (1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability, and (2) the resulting impact if this should occur.
-
IT-related risks arise from legal liability or mission/business loss due to, but not limited to:
-
1. Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information.
-
2. Non-malicious errors and omissions.
-
3. IT disruptions due to natural or man-made disasters.
-
4. Failure to exercise due care and diligence in the implementation and operation of the IT.
-
- ITSEC n.
-
See: Information Technology Security Evaluation Criteria.
-
- IT security n.
-
SC 27 SD 6 (2002)
-
ISO/IEC PDTR 13335-1 (11/2001)
-
All aspects related to defining, achieving, and maintaining confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability.
-
Compare: information security.
-
- IT security architecture n.
-
NIST IR 7298 (2006)
-
SP 800-27A
-
A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.
-
- IT security awareness n.
-
See: awareness.
-
- IT security awareness and training program n.
-
See: awareness and training program.
-
- IT security education n.
-
See: education.
-
- IT security goal n.
-
See: security goal.
-
- IT security investment n.
-
NIST IR 7298 (2006)
-
SP 800-65
-
An IT application or system that is solely devoted to security. For instance, intrusion detection systems (IDS) and public key infrastructure (PKI) are examples of IT security investments.
-
- IT security metrics n.
-
NIST IR 7298 (2006)
-
SP 800-55
-
Metrics based on IT security performance goals and objectives.
-
- IT security policy n.
-
See: security policy.
-
- IT security product n.
-
SC 27 SD 6 (2002)
-
ISO/IEC WD 15443-1 (11/2001)
-
A package of IT software, firmware and/or hardware, providing functionality designed for use or incorporation within a multiplicity of systems.
-
- IT security training n.
-
See: training.
-
- iteration n.
-
SC 27 SD 6 (2002)
-
ISO/IEC 15408-1: 1999
-
The use of a component more than once with varying operations.
-
- ITU-T n.
-
RFC 2828 (2000)
-
(N) International Telecommunications Union, Telecommunication Standardization Sector (formerly CCITT), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called Recommendations. (See: X.400, X.500.)
-
(C) The Department of State represents the United States. ITU-T works on many kinds of communication systems. ITU-T cooperates with ISO on communication protocol standards, and many Recommendations in that area are also published as an ISO standard with an ISO name and number.
-
- IV n.
-
See: initialization value.