Glossary
Browsing
The act of searching through information system storage to locate or acquire information, without necessarily knowing whether the information exists or in what format it is held.
Brute Force
An attack pattern characterized by a mechanical series of sequential or combinatorial inputs used in an automated attempt to identify security properties (usually passwords) of a given system (see brute-force attack). Also the name given to a class of algorithms that repeatedly try all possible combinations until a solution is found.
Business impact analysis (BIA)
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. See business impact assessment (BIA).
Certificate
A set of information that at least: identifies the certification authority issuing the certificate; unambiguously names or identifies its owner; contains the owner’s public key and is digitally signed by the certification authority issuing it. Digitally signed document that binds a public key with an identity. The certificate contains, at a minimum, the identity of the issuing Certification Authority, the user identification information, and the user’s public key. Endorsed copy of an individual’s public key that verifies their identity.
Certificate authority (CA)
A trusted third party that associates a public key with proof of identity by producing a digitally signed certificate. A CA provides users with a digital certificate that links the public key to some assertion about the user, such as an identity or a credit or payment card number. Certification authorities may offer other services such as timestamping, key management, and certificate revocation. A CA can also be defined as an independent trusted source that attests to some factual element of information for the purpose of certifying information in the electronic environment, or, more simply, as an agency that authenticates and distributes digital certificates.
Certificate revocation list (CRL)
A list of certificates (as defined above) that have been revoked by the issuing certificate authority before their lifetimes have expired, and which should therefore no longer be trusted.
Certification
Comprehensive evaluation of the technical and nontechnical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. The acceptance of software by an authorized agent, usually after the software has been validated by the agent or its validity has been demonstrated to the agent. The comprehensive evaluation, made in support of the accreditation process, of the technical and nontechnical security features of an IT system and other safeguards to establish the extent to which a particular design and implementation meet a set of specified security requirements.
Certification package
Product of the certification effort documenting the detailed results of the certification activities. The certification package includes the security plan, developmental or operational certification test reports, risk assessment report, and certifier’s statement.
Certification test and evaluation (CT&E)
Software and hardware security tests conducted during development of an information system (IS).
Certifier
Individual responsible for making a technical judgment of the system’s compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages. See certification authority; certification agent.