Glossaries
Information security and related jargon

Like all other specialist disciplines, information security has its own jargon. Here are some glossaries that are authoritative or that I’ve found useful or entertaining. (RFC 2828 scores a hat trick here!)

This page also introduces “my own” Glossary of Information Security Terms – or Ant’s GIST for short.

This is a huge glossary, based primarily on Section 3 of RFC 2828, and incorporating other canonical and specialist security glossaries – such as ISO/IEC 2382-8:1998 – together with annotations and links to other “Security Matters” pages.

Canonical security glossaries

NIST IR 7298
Glossary of Key Information Security Terms
edited by Richard Kissel
(25 April 2006)

“…this glossary of basic security terms has been extracted from NIST Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series. The terms included are not all inclusive of terms found in these publications, but are a subset of basic terms that are most frequently used.”

SAML Glossary
Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0
OASIS Standard
(15 March 2005)

“This specification defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents.”

RFC 2828
Internet Security Glossary (May 2000)

A very thorough, well-formatted glossary aimed at authors of Internet Standards Documents (ISDs) but more generally useful. The usage notes – especially for deprecated terms (I suppose I should call these “non-usage” notes) – are very helpful.

SC 27 Standing Document no 6
Glossary of IT Security Terminology (SD 6, SC 27 N 1954) (March 1998)

In the field of information technology, ISO and IEC have established a Joint Technical Committee 1: ISO/IEC JTC 1. ISO/IEC JTC 1 SC 27 is a subcommittee of this JTC; its title is “Security techniques” and its area of work is standardization of generic methods and techniques for IT security.

ISO/IEC 2382-8:1998
Information technology – Vocabulary – Part 8: Security (Second Edition) (1998)

This glossary is another ISO/IEC document, but an International Standard rather than a “standing document”. You can get a print or an Adobe PDF version of this from ISO.

AR 380-19
Information Systems Security Glossary (February 1998)

From US Army Regulation 380-19, Information Systems Security.

NCSC-TG-004
Glossary of Computer Security Terms – “Teal Green Book” (October 1988)

“This publication [...] is issued by the National Computer Security Center (NCSC) under the authority of and in accordance with Department of Defense (DoD) Directive 5215.1, Computer Security Evaluation Center. The definitions in this glossary are intended for use by U.S. Government agencies or contractors that apply the criteria of DoD Directive 5200.28-STD, DoD Trusted Computer System Evaluation Criteria [q.v.], in the use of their computer systems.”

Part of the NCSC Rainbow Series.

Other canonical publications that contain security glossaries

XACML
eXtensible Access Control Markup Language (XACML) Version 2.0
OASIS Standard
(1 Feb 2005)

The “XACML glossary” is presented in §1.1 of this specification.

Common Criteria Version 2.2
Part 1: Introduction & General Model (January 2004)

Chapter 2 contains definitions of terms peculiar to Common Criteria product evaluations.

5200.28-STD
U.S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) – “Orange Book” (December 1985)

“This publication [...] is issued under the authority of and in accordance with DoD Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, [...] Its purpose is to provide technical hardware/firmware/software security criteria and associated technical evaluation methodologies in support of the overall ADP system security policy, evaluation and approval/accreditation responsibilities promulgated by DoD Directive 5200.28.”

Part of the NCSC Rainbow Series.

Other security glossaries

Security Glossary and Security Taxonomy
compiled by Lynn Wheeler – December 2002

“Terms merged from: AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1, FIPS140, IATF V3 (IATF site), IEEE610, ITSEC, Intel, JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-37, NCSC/TG004, NIAP, NSA Intrusion, NSTISSC/CNSS, online security study, RFC1983, RFC2504, RFC2647, RFC2828, TCSEC, TDI, TNI, and misc. Updated 20021108 with terms from CIAO. Updated 20021205 with terms from 800-37 glossary.”

Glossary: The Convoluted Terminology of Information Warfare
compiled by Randall Whitaker, Ph.D. – May 1998

“This glossary contains a summary collection of some of the terminology encountered in the IW literature. For IW-specific terminology, the criteria for inclusion in this listing include (1) opacity to the lay audience and/or (2) crucial usage in military IW discussions. In addition, I've included canonical definitions for more generic military terms as they are currently defined by the U.S. Department of Defense.”

Security Glossary
Center for Secure Information Systems, George Mason University (August 1997)

A listing of terms and jargon relating to computer and information security compiled from a number of canonical sources, including Common Criteria for Information Technology Security Evaluation, Preliminary DRAFT Version 0.9 (cf. CC 2.1), Trusted Network, Glossary of Computer Security Terms, NCSC-TG-004, and Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), DOD 5200.28-STD.