Glossary
(ISC)2

International Information Systems Security Certification Consortium

Code of Ethics Preamble:
1. The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
2. Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Abstraction
The collection of similar elements into groups, classes, or roles for the assignment of security controls, restrictions, or permissions as a collective. The process of identifying the characteristics that distinguish a collection of similar objects; the result of the process of abstraction is a type.
Acceptable Use Policy (AUP)
A policy that a user must agree to follow to gain access to a network or to the Internet. A policy that defines a level of acceptable performance and expectation of behavior and activity for employees. Failure to comply with the policy may result in job action warnings, penalties, or termination.
Acceptance Testing
A form of testing that attempts to verify that a system satisfies the stated criteria for functionality and possibly also for security capabilities of a product. It is used to determine whether end users or customers will accept the completed product. The formal testing conducted to determine whether a software system satisfies its acceptance criteria, enabling the customer to determine whether to accept the system.
Access
Opportunity to make use of an information system (IS) resource. The ability of a subject to view, change, or communicate with an object. Typically, access involves a flow of information between the subject and the object. The transfer of information from an object to a subject.
Access Control
Limiting access to information system resources only to authorized users, programs, processes, or other systems. The mechanism by which subjects are granted or restricted access to objects. It includes hardware, software, and organizational policies or procedures that identify and authenticate subjects, verify authorization to objects, and monitor or record access attempts. The process of allowing only authorized users, programs, or other computer systems (i.e., networks) to access the resources of a computer system. A mechanism for limiting the use of some resource (system) to authorized users.
Access Control List (ACL)
An access control list is the usual means by which access to, and denial of, service is controlled. It is simply a list of the services available, each with a list of the hosts permitted to use the services. Most network security systems operate by allowing selective use of services. Mechanism implementing discretionary and/or mandatory access control between subjects and objects. The column of an access control matrix that specifies what level of access each subject has over an object.
Access List
(IS) Compilation of users, programs, or processes and the access levels and types to which each is authorized. (COMSEC) Roster of individuals authorized admittance to a controlled area. A catalog of users, programs, or processes and the specifications of the access categories to which each is assigned.
Access Type
Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. The nature of access granted to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
Accountability
(1) A security principle stating that individuals must be able to be identified. With accountability, violations or attempted violations can be traced to individuals who can be held responsible for their actions.
(2) The ability to map a given activity or event back to the responsible party; the property that ensures that the actions of an entity can be traced to that entity.
(IS) Process of tracing information system activities to a responsible source.
(COMSEC) Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
The process of holding someone responsible (accountable) for something. In this context, accountability is possible if a subject’s identity and actions can be tracked and verified.