Term             ‫حٌّقطٍق‬                  Definition                 ‫طؼش٠ف حٌّقطٍق‬
                                      Ability to make use of any      ‫حٌمذسس ػٍٝ ح٨عظفخدس‬
    Access         ‫حٌٛفٛي / حٌذخٛي‬     information system (IS)        ‫ِٓ أٞ ِٛسد ِٓ ِٛحسد‬
                                                resource.              .ٓ١‫ٔظخَ ِؼٍِٛخص ِؼ‬
                                       An entity responsible for         ٓ‫حٌى١خْ حٌّغئٚي ػ‬
                                       monitoring and granting         ‫ِشحلزش ِٕٚق ف٩ك١خص‬
Access Authority    ‫٘١جش حٌٛفٛي‬
                                      access privileges for other     ‫حٌٛفٛي ٌٍـٙخص حٌُّقشَّف‬
                                         authorized entities.                    .‫ٌٙخ‬
                                                                        ‫لزٛي أٚ سفل هٍزخص‬
                                      The process of granting or
                                                                           ‫ِؼ١ٕش طخظـ رـ‬
                                       denying specific requests:
                                                                          ٍٝ‫1) حٌلقٛي ػ‬
                                       1) for obtaining and using
                                                                          ‫(ك١خصس) ِؼٍِٛخص‬
                                        information and related
                                                                        ‫ٚحعظخذحِٙخ ٚ وزٌه‬
                                         information processing
                     ٟ‫حٌظلىُ ف‬                                         ‫حٌلقٛي ػٍٝ خذِخص‬
Access Control                                  services; and
                      ‫حٌٛفٛي‬                                              ‫طظؼٍك رّؼخٌـظٙخ‬
                                      2) to enter specific physical
                                                                      ‫2) حٌذخٛي اٌٝ ِٕؾآص‬
                                          facilities (e.g., Federal
                                                                         ً‫ِخد٠ش ِلذدس ِؼ‬
                                            buildings, military
                                                                         ‫حٌّزخٟٔ حٌلىِٛ١ش‬
                                      establishments, and border
                                                                      ‫ٚحٌّئعغخص حٌؼغىش٠ش‬
                                           crossing entrances).
                                                                       .‫ٚٔمخه حٌؼزٛس حٌلذٚد٠ش‬
                                                                             : ُ‫عـً ٠ن‬
                                            A register of:
                                                                      ٓ١ِ‫1) ر١خٔخص حٌّغظخذ‬
                                     1) users (including groups,
                                                                       ‫( ؽخٍِشً حٌّـّٛػخص‬
                                      machines, processes) who
                                                                         )‫ٚحٌّؼذحص ٚحٌؼٍّ١خص‬
Access Control      ُ‫لٛحثُ حٌظلى‬     have been given permission
                                                                           ْ‫حٌّّٕٛك١ٓ ار‬
Lists - (ACLs)      ‫فٟ حٌٛفٛي‬         to use a particular system
                                                                       َ‫رخعظخذحَ ِٛسد ٔظخ‬
                                            resource, and
                                                                                ٚ ٓ١‫ِؼ‬
                                     2) the types of access they
                                                                      ‫2) أٔٛحع حٌٛفٛي حٌُّقشَّف‬
                                        have been permitted.
                                                                                 .ٌُٙ
                                                Involves                  ّٓ‫طظن‬
                                     1) the process of requesting, ‫1) ػٍّ١ش هٍذ ٚأؾخء‬
                                       establishing, issuing, and  ‫ٚافذحس ٚاغ٩ق كغخرخص‬
 User Account       ‫ادحسس كغخد‬           closing user accounts;         َ‫حٌّغظخذ‬
 Management         َ‫حٌّغظخذ‬          2) tracking users and their   ٓ١ِ‫2) طظزغ حٌّغظخذ‬
                                            respective access      ‫ٚطقخس٠ق حٌٛفٛي حٌخخفش‬
                                           authorizations; and             ُٙ‫ر‬
                                     3) managing these functions. .‫3) ادحسس ٘زٖ حٌٛظخثف‬
                                          The security goal that     ‫حٌٙذف ح٤ِٕٟ حٌزٞ ٠ٌٛذ‬
                                       generates the requirement       ‫حٌلخؿش ٌظظزغ أػّخي‬
                                      for actions of an entity to be ‫ؿٙش رؼ١ٕٙخ. ٠ذػُ رٌه‬
Accountability –     ‫حٌّغئٌٚ١ش‬       traced uniquely to that entity. ، ‫ػذَ ح٦ٔىخس ، حٌشدع‬
                                           This supports non-            ، ‫طؾخ١ـ حٌخهؤ‬
                                     repudiation, deterrence, fault ‫حوظؾخف ِٕٚغ ح٨خظشحق‬
                                      isolation, intrusion detection       ٍٝ‫، حٌمذسس ػ‬
and prevention, and after-        ‫ح٨عظشؿخع رؼذ طٕف١ز‬
                                     action recovery and legal           ‫حٌفؼً ، ح٦ؿشحء‬
                                              action.                       .ٟٔٛٔ‫حٌمخ‬
                                                                        ‫لشحس ح٦دحسس حٌشعّ١ش‬
                                                                       ‫فخدس ِٓ أكذ حٌىٛحدس‬
                                     The official management
                                                                      ‫حٌؼٍ١خ ٌٙ١جش ِخ ٌٍظقش٠ق‬
                                     decision given by a senior
                                                                      ً١‫رخٌّٛحفمش ػٍٝ طؾغ‬
                                    agency official to authorize
                                                                      ‫ٔظخَ ِؼٍِٛخص ٚحٌمزٛي‬
                                    operation of an system and
                                                                     ‫فشحكشً رظؼش٠ل ػٍّ١خص‬
                                  to explicitly accept the risk to
                   ‫افذحس/حػظّخد‬                                        ‫طٍه حٌٙ١جش ٌٍّخخهشس‬
Accreditation –                    agency operations (including
                     ‫ِٛحفمش‬‫حي‬                                        ٚ‫(رّخ فٟ رٌه سعخٌظٙخ أ‬
                                   mission, functions, image, or
                                                                     ٚ‫ٚظخثفٙخ أٚ ِقذحل١ظٙخ أ‬
                                  reputation), agency assets, or
                                                                       ٚ‫عّؼظٙخ) أٚ أفٌٛٙخ أ‬
                                     individuals, based on the
                                                                        ٍٝ‫ِٕغٛر١ٙخ رٕخءً ػ‬
                                  implementation of an agreed-
                                                                      ‫ططز١ك ِـّٛػش ػٕخفش‬
                                   upon set of security controls.
                                                                      ‫حٌظلىُ ح٤ِٕٟ حٌّظفك‬
                                                                               ‫ػٍ١ٙخ‬
                                      All components of an             ‫وً ِخ ٠مَٛ "ِٛظف‬
                                    information system to be             "‫افذحس حٌظقش٠ق‬
                                   accredited by an authorizing        ِٓ ٗ١ٍ‫رخٌّٛحفمش ػ‬
Accreditation                          official and excludes         ‫ِىٛٔخص ٔظخَ ِؼٍِٛخص‬
                  ‫كذٚد ح٨ػظّخد‬
 Boundary –                           separately accredited          ‫رخعظؼٕخء ِخ طُ حٌّٛحفمش‬
                                      systems, to which the          ِٓ ً‫ػٍ١ٗ رؾىً ِٕفق‬
                                      information system is           َ‫أٔظّش ٠ظقً رٙخ ٔظخ‬
                                             connected.                    .‫حٌّؼٍِٛخص‬
                                  The evidence provided to the          ٌٝ‫ح٤دٌش حٌّمذِش ا‬
                                 authorizing official to be used      "‫ِٛظف "افذحس حٌظقش٠ق‬
                                   in the security accreditation      ‫٨عظخذحِٙخ فٟ ػٍّ١ش‬
                                    decision process. Evidence          ‫افذحس لشحس حٌّٛحفمش‬
                                 includes, but is not limited to:       ‫ح٤ِٕ١ش. طظنّٓ طٍه‬
Accreditation
                  ‫ )1 ك١ؼ١خص ح٨ػظّخد‬the system security plan;           ً١‫ح٤دٌش ػٍٝ عز‬
 Package –
                                    2) the assessment results          :‫حٌّؼخي ٌٚ١ظ حٌلقش‬
                                         from the security           َ‫1) حٌخطش ح٤ِٕ١ش ٌٍٕظخ‬
                                         certification; and          ‫2) ٔظخثؾ حٌظم١١ُ حٌقخدسس‬
                                     3) the plan of action and          ِٟٕ٤‫ػٓ حٌظٛػ١ك ح‬
                                            milestones.              .ٍٗ‫3) خطش حٌؼًّ ِٚشحك‬
                                                                      ‫حٌـٙش حٌّخٛي ٌٙخ‬
                                    Official with the authority to
                                                                   ْٛ‫سعّ١خً عٍطش أْ طى‬
                                  formally assume responsibility
                                                                     ً١‫ِغجٌٛش ػٓ طؾغ‬
                                    for operating an information
                                                                     ٓ١‫ٔظخَ ِؼٍِٛخص ِؼ‬
 Accrediting                      system at an acceptable level
                   ‫ؿٙش ح٨ػظّخد‬                                       ِٓ ‫مّٓ كذ ِمزٛي‬
 Authority –                        of risk to agency operations
                                                                   ‫حٌّخخهشس رؼٍّ١خص ٘١جش‬
                                   (including mission, functions,
                                                                      ًّ‫ِؼ١ٕش رّخ ٠ؾ‬
                                  image, or reputation), agency
                                                                      ‫سعخٌظٙخ ٚٚظخثفٙخ‬
                                        assets, or individuals.
                                                                    ‫ِٚقذحل١ظٙخ ٚعّؼظٙخ‬
ٚ‫رخ٦مخفش اٌٝ أفٌٛٙخ أ‬
                                                                            .‫ِٕغٛر١ٙخ‬
                                                                       ‫ٟ٘ طٍه حٌز١خٔخص‬
                                    Private data, other than keys,     ‫حٌخخفش حٌّطٍٛرش‬
Activation Data
                  ‫ر١خٔخص حٌظٕؾ١و‬     that are required to access      ‫ٌٍٛفٛي اٌٝ ٚكذحص‬
       –
                                        cryptographic modules.         ‫حٌظؾف١ش حٌّٕط١ش‬
                                                                      .‫رخعظؼٕخء حٌّفخط١ق‬
                                                                     ‫٠ؾ١ش حٌّلظٜٛ حٌٕؾو‬
                                   Active content refers to
                                                                     ‫اٌٝ حٌٛػخثك ح٨ٌىظشٚٔ١ش‬
                               electronic documents that are
                                                                      ٚ‫حٌظٟ ٠ّىٕٙخ طٕف١ز أ‬
                                 able to automatically carry
Active Content – ‫حٌّلظٜٛ حٌٕؾو‬                                        ٍٝ‫طؾغ١ً أػّخي ػ‬
                                 out or trigger actions on a
                                                                      ً‫ِٕقش حٌلخعٛد آٌ١خ‬
                                 computer platform without
                                                                          ِٓ ً‫رذْٚ طذخ‬
                                 the intervention of a user.
                                                                            .َ‫حٌّغظخذ‬
                                     Security commensurate with ‫ح٤ِٓ حٌزٞ ٠ظٕخعذ ِغ‬
                                    the risk and the magnitude of ‫ِذٜ حٌّخخهشس ٚحٌنشس‬
   Adequate                         harm resulting from the loss,     ‫حٌٕخطؾ ِٓ طؼشك‬
                   ٟ‫ح٤ِٓ حٌىخف‬
   Security –                          misuse, or unauthorized    ٚ‫حٌّؼٍِٛخص اٌٝ حٌفمذ أ‬
                                     access to or modification of   ‫حٌؼزغ أٚ حٌٛفٛي غ١ش‬
                                              information.          .‫حٌّقشف رٗ أٚ حٌظغ١١ش‬
                                      Administrative actions,
                                    policies, and procedures to         ‫أػّخي ٚع١خعخص‬
                                      manage the selection,          ُ‫ٚاؿشحءحص ادحس٠ش ٌٍظلى‬
                                           development,                 ‫فٟ حخظ١خس ٚططٛ٠ش‬
                                       implementation, and           ‫ٚططز١ك ٚف١خٔش ِؼخ٠١ش‬
 Administrative   ‫ح٦ؿشحءحص ح٦دحس٠ش‬    maintenance of security         ‫ح٤ِٓ رغشك كّخ٠ش‬
 Safeguards –          ‫حٌٛلخث١ش‬         measures to protect          ‫حٌّؼٍِٛخص ح٨ٌىظشٚٔ١ش‬
                                   electronic health information     ٓ١ٍِ‫ٚمزو طقشفخص حٌؼخ‬
                                   and to manage the conduct          ‫دحخً حٌـٙش حٌّئََِّٕش‬
                                      of the covered entity's         ‫ف١ّخ ٠خظـ رلّخ٠ش‬
                                      workforce in relation to               .‫حٌّؼٍِٛخص‬
                                   protecting that information.
                                      The Advanced Encryption       َ‫٠لذد حٌّؼ١خس حٌّظمذ‬
                                      Standard specifies a U.S.       ‫ٌٍظؾف١ش خٛحسصِ١ش‬
                                        Government-approved        ‫حٌظؾف١ش حٌقخدس رؾؤٔٙخ‬
                                    cryptographic algorithm that     ‫ِٛحفمش ِٓ حٌلىِٛش‬
                                        can be used to protect      ٓ‫ح٤ِش٠ى١ش حٌظٟ ٠ّى‬
   Advanced
                                       electronic data. The AES      ‫حعظخذحِٙخ ٌلّخ٠ش‬
  Encryption      َ‫حٌّؼ١خس حٌّظمذ‬
                                      algorithm is a symmetric       .‫حٌز١خٔخص ح٨ٌىظشٚٔ١ش‬
Standard (AES)      ‫ٌٍظؾف١ش‬
                                    block cipher that can encrypt ‫ٚطّؼً خٛحسصِ١ش حٌّؼ١خس‬
      –
                                        (encipher) and decrypt     ‫حٌّظمذَ ٌٍظؾف١ش لخٌذ‬
                                    (decipher) information. This      ‫ِظٕخظش ِٓ حٌظشِ١ض‬
                                         standard specifies the       ‫٠ّىٕٗ طؾف١ش ٚفه‬
                                          Rijndael algorithm, a   ‫طؾف١ش حٌّؼٍِٛخص. ٠لذد‬
                                     symmetric block cipher that    ‫٘زح حٌّؼ١خس خٛحسصِ١ش‬
can process data blocks of          ٟ٘ٚ "ً٠‫"س٠ـٕذح‬
                                      128 bits, using cipher keys        ‫طؾف١ش لخٌذ ِظٕخظش‬
                                     with lengths of 128, 192, and      ‫٠ّىٕٙخ ِؼخٌـش لٛحٌذ‬
                                               256 bits.                ‫ر١خٔخص رطٛي 821 رض‬
                                                                       ‫رخعظخذحَ ِفخط١ق طشِ١ض‬
                                                                       256 ٚ 192 ٚ 128 ‫هٌٛٙخ‬
                                                                                 .‫رض‬
                                                                      ًّ‫٘١جش طقذ٠ك طؼ‬
                                     A CA that acts on behalf of an
    Agency                                                          ‫رخٌٕ١خرش ػٓ ٚوخٌش ِؼ١ٕش‬
                   ‫٘١جش حٌظٛػ١ك‬        Agency, and is under the
  Certification                                                       ‫رل١غ طىْٛ خخمؼش‬
                   ‫حٌظخرؼش ٌٛوخٌش‬      operational control of an
Authority – (CA)                                                    ‫ٌٍشلخرش حٌظؾغ١ٍ١ش ٌظٍه‬
                                                Agency.
                                                                            ‫حٌٛوخٌش‬
                                                                        ٟ‫رشٔخِؾ ٠غظخذَ ف‬
                                                                       ‫٘ـّخص كـذ حٌخذِش‬
                                     A program used in distributed
                                                                        ً‫حٌّٛصَّػّش حٌظٟ طشع‬
                                         denial of service (DDoS)
                                                                         ‫ع١ً ِٓ حٌز١خٔخص‬
    Agent –           ً١ّ‫حٌؼ‬          attacks that sends malicious
                                                                        ٌٝ‫حٌخز١ؼش ٠ظذفك ا‬
                                      traffic to hosts based on the
                                                                        ٍٝ‫حٌّن١ف رٕخءحً ػ‬
                                        instructions of a handler.
                                                                        ِٓ ‫طؼٍ١ّخص فخدسس‬
                                                                          .ُ‫ِؼخٌؾ طلى‬
                                     The examination of acquired        ‫فلـ ر١خٔخص ُِـِّّؼش‬
   Analysis –          ً١ٍ‫طل‬         data for its significance and     ‫ٔظشحً ٤ّ٘١ظٙخ ٚد٨ٌظٙخ‬
                                     probative value to the case.      .‫ٌٍلخٌش ِٛمغ حٌٕمخػ‬
                                                                         ‫رشٔخِؾ ٠مَٛ رّشحلزش‬
                                      A program that monitors a         ‫حٌلخعٛد أٚ حٌؾزىش‬
                                        computer or network to          ‫ٌٍظؼشف ػٍٝ وً أٔٛحع‬
   Antivirus       ‫رشحِؾ ِىخفلش‬
                                       identify all major types of     ‫حٌزشِـ١خص حٌخز١ؼش ِٕٚغ‬
  Software –        ‫حٌف١شٚعخص‬
                                        malware and prevent or           ِٓ ‫أٚ ػضي ِخ ٠ظٙش‬
                                      contain malware incidents.         ‫كخ٨ص (أػشحك) طٍه‬
                                                                         .‫حٌزشِـ١خص حٌخز١ؼش‬
                                                                      ‫فٟ رؼل ح٤ك١خْ ٠طٍك‬
                                      The subscriber is sometimes      ُ‫ػٍٝ حٌّؾظشن حع‬
                                       called an ―applicant‖ after      ‫"ِمذَ حٌطٍذ" رؼذ‬
                   / ‫ُِمَذَِ حٌطٍذ‬     applying to a certification    ‫طمذ٠ّٗ هٍزخً اٌٝ ٘١جش‬
  Applicant –
                      ‫ِؾظَشِن‬        authority for a certificate, but ٍٝ‫حٌظٛػ١ك ٌٍلقٛي ػ‬
                                     before the certificate issuance ْٛ‫ؽٙخدس ػٍٝ أْ ٠ى‬
                                        procedure is completed.       ‫رٌه لزً حٔظٙخء اؿشحءحص‬
                                                                       .‫افذحس طٍه حٌؾٙخدس‬
                                                                          ‫حعظخذحَ حٌّٛحسد‬
                                         The use of information
                                                                       ‫حٌّؼٍِٛخط١ش (حٌّؼٍِٛخص‬
                                      resources (information and
                                                                         )‫ٚطمٕ١ش حٌّؼٍِٛخص‬
 Application –         ‫ططز١ك‬           information technology) to
                                                                       ‫ٌظٍز١ش ِـّٛػش ِلذدس‬
                                      satisfy a specific set of user
                                                                            ‫ِٓ ِظطٍزخص‬
                                              requirements.
                                                                             .َ‫حٌّغظخذ‬
ً١‫٠مَٛ حِؾ ٚو‬
                                                                                ْ‫رش‬
                                                                   ‫رظقف١ش ِلظٜٛ حٌظطز١ك‬
                                  Application content filtering is
                                                                   ‫٦صحٌش أٚ ػضي حٌف١شٚعخص‬
                                     performed by a software
                                                                      ٟ‫حٌظٟ سرّخ طشد ف‬
                                    proxy agent to remove or
                                                                         ‫ِشفمخص حٌزش٠ذ‬
                                   quarantine viruses that may
                                                                   ‫ح٨ٌىظشٟٚٔ أٚ كـض أٔٛحع‬
  Application                          be contained in email
                    ٜٛ‫طقف١ش ِلظ‬                                    ‫ِؼ١ٕش ِٓ حِظذحدحص رش٠ذ‬
Content Filtering                 attachments, to block specific
                      ‫حٌظطز١ك‬                                         ‫ح٨ٔظشٔض حٌّظؼذدس‬
       –                            Multipurpose Internet Mail
                                                                   ‫ح٤غشحك أٚ ٌظقف١ش أٔٛحع‬
                                   Extensions (MIME) types, or
                                                                     ٜٛ‫أخشٜ ِٓ حٌّلظ‬
                                   to filter other active content
                                                                      ٚ ‫حٌٕؾو ِؼً ؿخفخ‬
                                  such as Java, JavaScript, and
                                                                    ‫ؿخفخعىش٠زض ٚػٕخفش‬
                                         ActiveX® Controls.
                                                                    ‫حٌظلىُ ِٓ ٔٛع حوظف‬
                                                                             .‫اوظ‬
                                                                      ‫ِخ ٠ظفك ِغ حٌّؼ١خس‬
                                                                      ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬
                                                                    ‫حٌّؼٍِٛخص أٚ ِخ ٠قذس‬
                                                                       ِٓ ٗ١‫رؾؤٔٗ طٛف‬
                                       Federal Information
                                                                        ٟٕ‫حٌّؼٙذ حٌٛه‬
                                   Processing Standard (FIPS)
                                                                      ‫ٌّمخ٠١ظ ٚحٌظمٕ١ش‬‫ي‬
                                  approved or National Institute
                                                                   ٚ‫رّؼٕٝ أخش خٛحسصِ١ش أ‬
                                  of Standards and Technology
                                                                             ‫هش٠مش‬
                                    (NIST) recommended. An
                    ٗٔ‫فخدس رؾؤ‬                                      ‫1) ِلذدس فٟ حٌّؼ١خس‬
  Approved –                      algorithm or technique that is
                       ‫ِٛحفمش‬                                         ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬
                                               either
                                                                       ٟ‫حٌّؼٍِٛخص أٚ ف‬
                                  1) specified in a FIPS or NIST
                                                                   ٟٕ‫طٛف١خص حٌّؼٙذ حٌٛه‬
                                      Recommendation, or
                                                                    ٚ‫ٌٍّمخ٠١ظ ٚحٌظمٕ١ش أ‬
                                  2) adopted in a FIPS or NIST
                                                                    ‫2) ِطزمش فٟ حٌّؼ١خس‬
                                        Recommendation.
                                                                      ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬
                                                                     ‫حٌّؼٍِٛخص أٚ طٛف١خص‬
                                                                        ٟٕ‫حٌّؼٙذ حٌٛه‬
                                                                     .‫ٌٍّمخ٠١ظ ٚحٌظمٕ١ش‬
                                                               ‫ٚمؼ١ش ِؼ١ٕش ٌٛكذس‬
                                                              ٟ‫حٌظؾف١ش حٌّٕط١ش حٌظ‬
                              A mode of the cryptographic
                                                              ‫طمَٛ رظؾغ١ً ٚظخثف‬
                                module that employs only
                                                              ‫ح٤ِٓ حٌقخدس رؾؤٔٙخ‬
                               approved security functions
                                                              ‫ِٛحفمش فمو ( ٨ ٠ـذ‬
               ً١‫ٚمؼ١ش حٌظؾغ‬    (not to be confused with a
Approved Mode                                                ‫حٌخٍو ر١ٕٙخ ٚر١ٓ ٚمؼ١ش‬
                ‫ حٌقخدس رؾؤٔٙخ‬specific mode of an approved
of Operation –                                                ‫ِلذدس ٌٛظ١فش إِٔ١ش‬
                    ‫ِٛحفمش‬     security function, e.g., Data
                                                              ‫فخدس رؾؤٔٙخ ِٛحفمش‬
                                Encryption Standard (DES)
                                                                ‫ِؼً ٚمؼ١ش ِؼ١خس‬
                               Cipher Block Chaining (CBC)
                                                             ‫طؾف١ش حٌز١خٔخص ٚٚمؼ١ش‬
                                          mode).
                                                                   ‫لخٌذ حٌظشِ١ض‬
                                                                  . )ً‫حٌّغٍغ‬
   Approved         ‫ٚظ١فش إِٔ١ش‬     A security function (e.g.,       ً‫ٚظ١فش إِٔ١ش (ِؼ‬
    Security        ‫فخدس رؾؤٔٙخ‬     cryptographic algorithm,        ٚ‫خٛحسصِ١ش حٌظؾف١ش أ‬
Function –        ‫ِٛحفمش‬              cryptographic key            ‫هش٠مش ادحسس ِفظخف‬
                                 management technique, or          ‫حٌظؾف١ش أٚ هش٠مش‬
                                  authentication technique)      ْٛ‫حٌظقذ٠ك) ٚحٌظٟ طى‬
                                         that is either                    ‫اِخ‬
                                 a) specified in an approved      ‫أ) ِلذدس فٟ ِؼ١خس‬
                                           standard,              ‫فخدس رؾؤٔٗ ِٛحفمش‬
                                 b) adopted in an approved       ٟ‫د) أٚ ُِغظخذَِش ف‬
                                standard and specified either      ٗٔ‫ِؼ١خس فخدس رؾؤ‬
                                    in an appendix of the         ٟ‫ِٛحفمش ِٚزوٛسس ف‬
                                  approved standard or in a        ‫ٍِلك خخؿ رزٌه‬
                                document referenced by the        ‫حٌّؼ١خس أٚ فٟ ٚػ١مش‬
                                    approved standard, or          ٍٗ‫ِؾخس اٌ١ٙخ دحخ‬
                                   c) specified in the list of     ّٓ‫ؽ) أٚ ِلذدس م‬
                                approved security functions.     ‫لخثّش ِٓ ٚظخثف إِٔ١ش‬
                                                                     .‫ِقذِّق ػٍ١ٙخ‬
                                 A focused activity or action     ‫ٔؾخه أٚ ػًّ ُِشوَّض‬
Assessment                      employed by an assessor for       ‫٠ززٌٗ حٌُّم١ُِّ ٌم١خط‬
              ُ١١‫أعٍٛد حٌظم‬
 Method –                            evaluating a particular     ‫خخف١ش ِؼ١ٕش ِٓ خٛحؿ‬
                                attribute of a security control.      .‫حٌشلخرش ح٤ِٕ١ش‬
                                                                 ‫ِـّٛػش ِٓ ح٤ٔؾطش‬
                                 A set of activities or actions
                                                                   ‫أٚ ح٤ػّخي ٠مَٛ رٙخ‬
                                 employed by an assessor to
                                                                  ٜ‫حٌُّم١ُِّ ٌظلذ٠ذ ِذ‬
                                   determine the extent to
                                                                  ‫ططز١ك حٌشلخرش ح٤ِٕ١ش‬
                                  which a security control is
                                                                ‫رؾىً فل١ق ٚطؾغ١ٍٙخ‬
Assessment                         implemented correctly,
              ُ١١‫اؿشحءحص حٌظم‬                                        ‫كغذ حٌّطٍٛد‬
Procedure –                      operating as intended, and
                                                                     ‫ٚطلم١مٙخ ٌٍٕظخثؾ‬
                                    producing the desired
                                                                    ‫حٌّشؿٛس ِٕٙخ ف١ّخ‬
                                  outcome with respect to
                                                                     ‫٠خظـ رخعظ١فخء‬
                                     meeting the security
                                                                    ‫حٌّظطٍزخص ح٤ِٕ١ش‬
                                requirements for the system.
                                                                          .َ‫ٌٍٕظخ‬
                                                                 َ‫ططز١ك سث١غٟ أٚ ٔظخ‬
                                A major application, general
                                                                  ٌٗ ‫دػُ ػخَ أٚ رشٔخِؾ‬
                                support system, high impact
                                                                   ‫طؤػ١ش رخٌغ أٚ ِٕؾؤس‬
               ‫أفً / (ِٛسد‬         program, physical plant,
  Asset –                                                        ًِ‫ِخد٠ش أٚ ٔظخَ ٌٍظؼخ‬
                 ٟ‫)سث١غ‬         mission critical system, or a
                                                                  ٚ‫ِغ حٌُ٘خَ حٌلشؿش أ‬
                                  logically related group of
                                                                  ‫ِـّٛػش ِٓ ح٤ٔظّش‬
                                           systems.
                                                                    .ً‫حٌّشطزطش ِٕطم١خ‬
Assurance – One of the five "Security Goals." It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.

Asymmetric Keys – Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Attack Signature – A specific sequence of events indicative of an unauthorized access attempt.

Attribute Authority – An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable Agency body, as having the authority to verify the association of attributes to an identity.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Data – Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

Audit Reduction Tools – Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.

Audit Trail – A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.

Authenticate – To confirm the identity of an entity when that identity is presented.

Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. The process of establishing confidence of authenticity. Encompasses identity verification, message origin authentication, and message content authentication. A process that establishes the origin of information or determines an entity's identity.

Authentication Code – A cryptographic checksum based on an approved security function (also known as a Message Authentication Code (MAC)).

Electronic Authentication – The process of establishing confidence in user identities electronically presented to an information system.

Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.

Authentication Mode – A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

Authentication Protocol – A well-specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected.

Authentication Tag – A pair of bit strings associated to data to provide assurance of its authenticity.

Authentication Token – Authentication information conveyed during an authentication exchange.

Authenticity – The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Authorization – The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Authorizing Official – Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Authorizing Official Designated Representative – Individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.

Automated Key Transport – The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

Automated Password Generator – An algorithm which creates random passwords that have no association with a particular user.

Availability – Ensuring timely and reliable access to and use of information.

Information Security Awareness – Activities which seek to focus an individual's attention on an (information security) issue or set of issues.

Backup – A copy of files and programs made to facilitate recovery if necessary.

Baseline Security – The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

Baselining – Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.

Bastion Host – A bastion host is typically a firewall implemented on top of an operating system that has been specially configured and hardened to be resistant to attack.

Behavioral Outcome – What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.

Binding – Process of associating two related elements of information. An acknowledgement by a trusted third party that associates an entity's identity with its public key. This may take place through (1) a certification authority's generation of a public key certificate, (2) a security officer's verification of an entity's credentials and placement of the entity's public key and identifier in a secure database, or (3) an analogous method.

Biometric – A physical or behavioral characteristic of a human being. A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and handwriting samples are all examples of biometrics.

Biometric Information – The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g. patterns).

Biometric System – An automated system capable of: 1) capturing a biometric sample from an end user; 2) extracting biometric data from that sample; 3) comparing the biometric data with that contained in one or more reference templates; 4) deciding how well they match; and 5) indicating whether or not an identification or verification of identity has been achieved.

Biometric Template – A characteristic of biometric information (e.g. minutiae or patterns).

Blended Attack – Malicious code that uses multiple methods to spread.

Block – Sequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.

Block Cipher – A symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.

Block Cipher Algorithm – A family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.

Boot Sector Virus – A virus that plants itself in a system's boot sector and infects the master boot record.
                                                                  ُ‫فشك حٌشلخرش ٚحٌظلى‬
                                    Monitoring and control of      ٍٝ‫فٟ ح٨طقخ٨ص ػ‬
                                     communications at the        ٓ١‫حٌلذٚد حٌخخسؿ١ش ر‬
                                  external boundary between         ‫أٔظّش حٌّؼٍِٛخص‬
                                      information systems       ‫حٌخخمؼش رخٌىخًِ ٦دحسس‬
                                      completely under the        ‫ٚسلخرش ِٕظّش ِؼ١ٕش‬
                                  management and control of       ٨ ٟ‫ٚطٍه ح٤ٔظّش حٌظ‬
                                      the organization and       ‫طخنغ ٦دحسطٙخ ٚسلخرظٙخ‬
                                    information systems not      ‫رؾىً وخًِ، رخ٦مخفش‬
                                      completely under the         ٍٝ‫اٌٝ فشمّٙخ ػ‬
                                  management and control of         ‫حٌلذٚد حٌذحخٍ١ش‬
   Boundary        ‫كّخ٠ش كذٚد‬     the organization, and at key     ُ‫حٌشث١غ١ش ر١ٓ ٔظ‬
  Protection –        َ‫حٌٕظخ‬     internal boundaries between ‫حٌّؼٍِٛخص حٌظٟ طخنغ‬
                                      information systems         ‫رؤوٍّٙخ ٦دحسس ٚسلخرش‬
                                      completely under the      ‫طٍه حٌّٕظّش رغشك ِٕغ‬
                                  management and control of        ‫ٚحوظؾخف ِلخٚ٨ص‬
                                  the organization, to prevent    ‫ح٨طقخي حٌخز١ؼش ٚغ١ش‬
                                    and detect malicious and       ‫حٌّقشف رٙخ ٚوزٌه‬
                                       other unauthorized       ‫حعظؼّخي ٚعخثً حطقخي‬
                                   communication, employing      ً‫٠ّىٓ حٌظلىُ رٙخ ِؼ‬
                                   controlled interfaces (e.g.,  ‫حٌٛو١ً ٚرٛحرخص حٌٛفٛي‬
                                   proxies, gateways, routers,     ْ‫ٚحٌّٛؿٙخص ٚؿذسح‬
                                 firewalls, encrypted tunnels).     ‫حٌلّخ٠ش ٚحٌمٕٛحص‬
                                                                        .‫حٌّؾفشس‬
                                                                    ‫ِٛؿٗ خخسؿٟ ٠ٛمغ‬
                                  A boundary router is located
   Boundary        ‫ِٛؿٗ حطقخي‬                                        ‫ػٍٝ ٔمخه حطقخي‬
                                 at the organizations boundary
   Router –          ٟ‫خخسؿ‬                                          ‫حٌّٕظّخص ِغ ؽزىش‬
                                     to an external network.
                                                                         .‫خخسؿ١ش‬
                                  A method of accessing an         ‫أعٍٛد ٌّلخٌٚش حٌذخٛي‬
                      ‫هش٠مش‬       obstructed device through        ٟ‫ػٍٝ أكذ ح٤ؿٙضس حٌظ‬
  Brute Force
                  ٟ‫ح٨عظمقخء ف‬         attempting multiple            ‫طّؼً ػخثمخً ِٓ خ٩ي‬
Password Attack
                  ٍٝ‫حٌٙـَٛ ػ‬       combinations of numeric             ‫اؿشحء حٌّلخٚ٨ص‬
       –
                   ‫وٍّش حٌّشٚس‬       and/or alphanumeric            ‫رخعظخذحَ وٍّخص َسٚس‬
                                          passwords.               ِٓ ‫ِظٕٛػش طـّغ ػذد‬
.َ‫حٌلشٚف ٚ/أٚ ح٤سلخ‬
                                                                  ‫ؽشه فٟ لٕخس ح٨طقخي‬
                                                                  ‫٠ّىٓ ِٓ خ٩ٌٗ ٚمغ‬
                                                                 ‫ػذد حوزش ِٓ حٌّذخ٩ص‬
                                   A condition at an interface     ‫فٟ ِٕطمش ِخققش‬
                                  under which more input can       ‫٨كظـخص حٌز١خٔخص رّخ‬
                                   be placed into a buffer or          ‫٠فٛق لذسطٙخ‬
                                   data holding area than the     ِٓ ‫ح٨عظ١ؼخر١ش ٌزٌه‬
                                       capacity allocated,           ‫خ٩ي حعظزذحي‬
Buffer Overflow    ‫اغشحق رحوشس‬
                                 overwriting other information. ‫حٌّؼٍِٛخص حٌّٛؿٛدس‬
       –          ‫حٌظخض٠ٓ حٌّئلض‬
                                    Attackers exploit such a     َ‫رخٌىظخرش ػٍ١ٙخ. ٠غظخذ‬
                                  condition to crash a system ‫حٌّٙخؿّْٛ رٌه حٌؾشه‬
                                  or to insert specially crafted ‫٦عمخه حٌٕظخَ أٚ ادخخي‬
                                 code that allows them to gain      ُ‫ؽفشحص خخفش ط‬
                                     control of the system.       ‫اػذحد٘خ رّٙخسس ػخٌ١ش‬
                                                                  ‫طغّق ٌُٙ رخٌغ١طشس‬
                                                                  ُ‫ػٍٝ حٌٕظخَ ٚحٌظلى‬
                                                                           .ٗ١‫ف‬
                                                                    ‫أعٍٛد حٌظلّ١ً حٌضحثذ‬
                                                                    ‫ٌٍز١خٔخص دحخً ِغخكش‬
                                    A method of overloading a
                                                                       ٟ‫ِلذدس عٍفخً ف‬
                  ‫حٌٙـَٛ ربغشحق‬    predefined amount of space
Buffer Overflow                                                      ‫ِٕطمش كفع حٌز١خٔخص‬
                  ٓ٠‫رحوشس حٌظخض‬       in a buffer, which can
    Attack –                                                       ‫ِّخ ٠ئدٜ اٌٝ حكظّخٌ١ش‬
                     ‫حٌّئلض‬          potentially overwrite and
                                                                      ‫حٌىظخرش ػٍٝ حٌىظخرش‬
                                     corrupt data in memory.
                                                                   ٚ‫حٌّٛؿٛدس فٟ حٌزحوشس أ‬
                                                                            .‫طخش٠زٙخ‬
                                    The documentation of a
                                                                     ِٓ ‫طٛػ١ك ِـّٛػش‬
                                      predetermined set of
                                                                    ‫حٌظؼٍ١ّخص ٚح٦ؿشحءحص‬
                                   instructions or procedures
  Business         ‫خطش حٌلفخظ‬                                       ‫حٌُّؼَذِّس عٍفخً ٌٛفف‬
                                      that describe how an
Continuity Plan   ‫ػٍٝ حعظّشحس٠ش‬                                      ٍٝ‫و١ف١ش حٌلفخظ ػ‬
                                     organization‘s business
   (BCP) –             ًّ‫حٌؼ‬                                         ً‫ٚظخثف حٌؼًّ دحخ‬
                                   functions will be sustained
                                                                   ‫ِٕظّش ِؼ١ٕش أػٕخء ٚرؼذ‬
                                  during and after a significant
                                                                     .‫كذٚع خًٍ خط١ش‬
                                            disruption.
                                                                   َ‫طلٍ١ً ٌّخ ٠خـ ٔظخ‬
                                  An analysis of an information
                                                                    ِٓ ‫طمٕ١ش حٌّؼٍِٛخص‬
                                     technology (IT) system‘s
                                                                     ‫ِظطٍزخص ٚػٍّ١خص‬
                                  requirements, processes, and
                                                                     ‫ٚػ٩لخص ِظزخدٌش‬
Business Impact ‫طلٍ١ً ِظطٍزخص‬       interdependencies used to
                                                                  ‫طُغظخذََ فٟ طٛف١ف ِخ‬
Analysis (BIA) –   ‫حٌطٛحسة‬              characterize system
                                                                     ِٓ َ‫٠خـ حٌٕظخ‬
                                    contingency requirements
                                                                  ‫ِظطٍزخص هخسثش ٚأٌٚٛ٠خص‬
                                   and priorities in the event of
                                                                   ًٍ‫فٟ كخٌش كذٚع خ‬
                                      a significant disruption.
                                                                           .‫خط١ش‬
  Business        ‫خطش حعظؼخدس‬        The documentation of a         ِٓ ‫طٛػ١ك ٌّـّٛػش‬
  Recovery-        ًّ‫كشوش حٌؼ‬         predetermined set of          ‫حٌظؼٍ١ّخص ٚح٦ؿشحءحص‬
Resumption                            instructions or procedures        ‫حٌّلذدس عٍفخً طقف‬
 Plan – (BRP)                         that describe how business        ‫و١ف١ش حعظؼخدس كشوش‬
                                       processes will be restored       ًٍ‫حٌؼًّ رؼذ كذٚع خ‬
                                      after a significant disruption           .‫خط١ش‬
                                              has occurred.
                                        The method of taking a           ٍٝ‫أعٍٛد حٌلقٛي ػ‬
   Capture –           ‫حٌظمخه‬        biometric sample from an end        ِٓ ٞٛ١‫ػ١ٕش ل١خط ك‬
                                                 user.                    .ٟ‫ِغظخذَ ٔٙخث‬
                                      An individual possessing an        ‫ؽخـ ِؼ١ٓ ٠ّظٍه‬
 Cardholder –       ‫كخًِ حٌزطخلش‬       issued Personal Identity         ‫رطخلش ؽخق١ش ٌظلذ٠ذ‬
                                        Verification (PIV) card.               .‫حٌٙٛ٠ش‬
                                                                         ‫ؽىً سلّٟ ٌٍز١خٔخص‬
                                                                        ٍٟ٠ ‫٠ٛفش ػٍٝ ح٤لً ِخ‬
                                                                        ‫1) طلذ٠ذ ٘١جش حٌظٛػ١ك‬
                                                                         ‫حٌظٟ أفذسص حٌؾٙخدس‬
                                        A digital representation of      ٓ١‫2) أعّخء حٌّؾظشو‬
                                        information which at least                ‫ف١ٙخ‬
                                      1) identifies the certification       َ‫3) حٌّفظخف حٌؼخ‬
                                            authority issuing it,              ‫ٌٍّؾظشن‬
                                         2) names or identifies its       ٟ‫4) ٠لذد حٌفظشس حٌظ‬
                                                 subscriber,                ‫طىْٛ خ٩ٌٙخ طٍه‬
                                       3) contains the subscriber's     ًّ‫حٌؾٙخدس فخٌلش ٌٍؼ‬
                                                 public key,                ‫5) ٠لًّ حٌظٛل١غ‬
                                        4) identifies its operational       ‫ح٨ٌىظشٟٚٔ ٌٙ١جش‬
                                                period, and               ‫حٌظٛػ١ك حٌظٟ أفذسص‬
                                       5) is digitally signed by the    ِٓ ‫حٌؾٙخدس. ِـّٛػش‬
  Certificate –     ‫ؽٙخدس سلّ١ش‬       certification authority issuing      ‫حٌز١خٔخص حٌظٟ طؾ١ش‬
                                     it. A set of data that uniquely    ْ‫رؾىً ِٕفشد اٌٝ و١خ‬
                                      identifies an entity, contains    ٍٝ‫ٚحكذ رل١غ طلظٜٛ ػ‬
                                        the entity‘s public key and        ‫حٌّفظخف حٌؼخَ ٌزٌه‬
                                        possibly other information,       ‫حٌى١خْ ٚأٞ ِؼٍِٛخص‬
                                        and is digitally signed by a      ْٛ‫أخشٜ ِّىٕش. طى‬
                                     trusted party, thereby binding      ‫حٌشعخٌش ُِقَذق ػٍ١ٙخ‬
                                       the public key to the entity.      ‫سلّ١خً ِٓ هشف ػخٌغ‬
                                      Additional information in the     ‫ِٛػٛق رٗ ٚػٍ١ٗ ٠ظُ سرو‬
                                      certificate could specify how        ‫حٌّفظخف حٌؼخَ رزٌه‬
                                          the key is used and its        ‫حٌى١خْ. ٕ٘خن ِؼٍِٛخص‬
                                               cryptoperiod.              ‫امخف١ش فٟ حٌؾٙخدس‬
                                                                            ِٓ ٓ‫حٌشلّ١ش ٠ّى‬
                                                                          ‫خ٩ٌٙخ طلذ٠ذ و١ف١ش‬
                                                                        ‫حعظخذحَ حٌّفظخف ِٚذس‬
                                                                                .ٖ‫طؾف١ش‬
                                        A Certificate Policy is a          ِٓ ‫ؽىً خخؿ‬
Certificate Policy    ‫ع١خعش‬
                                          specialized form of             ‫حٌغ١خعخص ح٦دحس٠ش‬
      (CP) –       ‫حٌؾٙخدس حٌشلّ١ش‬
                                     administrative policy tuned to       ‫٠ظٛحءَ ِغ ِؼخِ٩ص‬
electronic transactions       ‫اٌىظشٚٔ١ش طُطزك أػٕخء‬
                                    performed during certificate .‫ادحسس حٌؾٙخدس حٌشلّ١ش‬
                                     management. A Certificate     ‫طؼخٌؾ ع١خعش حٌؾٙخدس‬
                                     Policy addresses all aspects     ٝ‫حٌشلّ١ش وً حٌٕٛحك‬
                                          associated with the          ‫حٌّشطزطش رخفذحس٘خ‬
                                       generation, production,       ‫ٚحعظخشحؿٙخ ٚطٛص٠ؼٙخ‬
                                       distribution, accounting,    ‫ٚكغخرخطٙخ ٚحعظؼخدطٙخ‬
                                      compromise recovery and       ً‫ٚوزٌه ادحسطٙخ. ٚرؾى‬
                                       administration of digital        ٓ‫غ١ش ِزخؽش ٠ّى‬
                                       certificates. Indirectly, a     ‫ٌغ١خعش حٌؾٙخدس‬
                                      certificate policy can also    ٝ‫حٌشلّ١ش أْ طظلىُ ف‬
                                       govern the transactions         ‫حٌّؼخِ٩ص حٌُّٕـضس‬
                                          conducted using a         ٌٗ ‫رٕظخَ حطقخ٨ص طظٛفش‬
                                       communications system        َ‫حٌلّخ٠ش ِٓ خ٩ي ٔظخ‬
                                      protected by a certificate-       ٍٝ‫أِٓ ٠ؼظّذ ػ‬
                                      based security system. By      ِٓ .‫حٌؾٙخدس حٌشلّ١ش‬
                                         controlling certificate        ٟ‫خ٩ي حٌظلىُ ف‬
                                    extensions, such policies and      ‫ح٨ِظذحدحص حٌخخفش‬
                                       associated enforcement         ‫رخٌؾٙخدحص حٌشلّ١ش‬
                                       technology can support          ‫حٌلشؿش ٠ّىٓ ٌظٍه‬
                                       provision of the security   ‫حٌغ١خعخص ِٚخ ٠قخكزٙخ‬
                                         services required by          ‫ِٓ طمٕ١ش حٌّظخرؼش‬
                                        particular applications.       ‫ٚحٌنزو دػُ طذحر١ش‬
                                                                     ٟ‫حٌخذِخص ح٤ِٕ١ش حٌظ‬
                                                                    .‫ططٍزٙخ ططز١مخص ِؼ١ٕش‬
  Certificate
                    ‫٘١جش ادحسس‬      A Certification Authority (CA)
 Management                                                            ‫٘١جش طٛػ١ك أٚ ٘١جش‬
                    ‫حٌؾٙخدحص‬         or a Registration Authority
Authority (CMA)                                                             .ً١‫طغـ‬
                     ‫حٌشلّ١ش‬                     (RA).
       –
                                                                 ‫ِؼٍِٛخص غ١ش ِنخفش‬
                                     Information, such as a
                                                                ً‫ٌٍؾٙخدس حٌشلّ١ش ِؼ‬
                                  subscriber's postal address,
  Certificate-    ‫ِؼٍِٛخص ِشطزطش‬                                    ٞ‫حٌؼٕٛحْ حٌزش٠ذ‬
                                    that is not included in a
    Related         ‫رخٌؾٙخدحص‬                                       ‫ٌٍّؾظشن. سرّخ‬
                                 certificate. May be used by a
 Information –        ‫حٌشلّ١ش‬                                   ‫طغظخذَ ٘١جش طٛػ١ك‬
                                  Certification Authority (CA)
                                                               ‫ِؼ١ٓ طٍه حٌز١خٔخص ٦دحسس‬
                                     managing certificates.
                                                                  .‫حٌؾٙخدحص حٌشلّ١ش‬
                                                                      ‫لخثّش ؽٙخدحص حٌّفظخف‬
                                     A list of revoked public key
  Certificate                                                        ‫حٌؼخَ حٌٍّغ١ش. ٠ظُ افذحس‬
                  ‫لخثّش حٌؾٙخدحص‬       certificates created and
Revocation List                                                        ‫طٍه حٌمخثّش ٚحٌظٛل١غ‬
                  ‫حٌشلّ١ش حٌٍّغخس‬        digitally signed by a
   (CRL) –                                                             ‫ػٍ١ٙخ سلّ١خً رٛحعطش‬
                                       Certification Authority.
                                                                           .‫٘١جش طٛػ١ك‬
                                    A trusted entity that provides  ‫و١خْ ِٛػٛق ف١ٗ طٛفش‬
   Certificate
                 ‫٘١جش طلذ٠ذ كخٌش‬       on-line verification to a    ‫رؾىً ِزخؽش ٌطشف‬
Status Authority
                 ‫حٌؾٙخدس حٌشلّ١ش‬      Relying Party of a subject   ِٓ ‫طخرغ حِىخٔ١ش حٌظلمك‬
        –
                                    certificate's trustworthiness, ‫ِقذحل١ش ؽٙخدس سلّ١ش‬
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Concepts (مفاهيم)

Access – Ability to make use of any information system (IS) resource.

Access Authority – An entity responsible for monitoring and granting access privileges for other authorized entities.

Access Control – The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

Access Control Lists (ACLs) – A register of: 1) users (including groups, machines, processes) who have been given permission to use a particular system resource, and 2) the types of access they have been permitted.

User Account Management – Involves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions.

Accountability – The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Accreditation – The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Accreditation Boundary – All components of an information system to be accredited by an authorizing official; excludes separately accredited systems to which the information system is connected.

Accreditation Package – The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to: 1) the system security plan; 2) the assessment results from the security certification; and 3) the plan of action and milestones.

Accrediting Authority – Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

Activation Data – Private data, other than keys, that are required to access cryptographic modules.

Active Content – Electronic documents that are able to automatically carry out or trigger actions on a computer platform without the intervention of a user.

Adequate Security – Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

Administrative Safeguards – Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.

Advanced Encryption Standard (AES) – The Advanced Encryption Standard specifies a U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

Agency Certification Authority (CA) – A CA that acts on behalf of an Agency, and is under the operational control of an Agency.

Agent – A program used in distributed denial of service (DDoS) attacks that sends malicious traffic to hosts based on the instructions of a handler.

Analysis – The examination of acquired data for its significance and probative value to the case.

Antivirus Software – A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.

Applicant – The subscriber is sometimes called an "applicant" after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.

Application – The use of information resources (information and information technology) to satisfy a specific set of user requirements.
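The Access Control, Access Control Lists and Accountability entries above describe three things that fit together in practice: a register of principals (users, groups, machines, processes) and the access types each is permitted, a decision procedure that grants or denies a request, and a record that ties every decision back to the requesting entity. The Go program below is an added example written for this page, not code from the glossary or its source; the users, groups, file path and permission names are constructed for illustration. It evaluates an ACL with deny-by-default semantics, lets an explicit Deny override a group Allow regardless of entry order, and returns a Decision record suitable for writing to an audit trail.

```go
package main

import (
	"fmt"
	"time"
)

// Permission is one type of access an ACL entry can allow or deny.
type Permission string

const (
	Read    Permission = "read"
	Write   Permission = "write"
	Execute Permission = "execute"
)

// ACE is one access control entry. Principal is a user ("alice"), a group
// ("group:ops"), a machine ("host:build-01") or a process ("process:backup").
type ACE struct {
	Principal string
	Allow     []Permission
	Deny      []Permission
}

// ACL is the register for one resource: who may use it and how.
type ACL struct {
	Resource string
	Entries  []ACE
}

// Decision is produced for every request so it can be written to the audit
// trail: the action stays traceable to the principal that asked for it.
type Decision struct {
	Time      time.Time
	Principal string
	Resource  string
	Perm      Permission
	Allowed   bool
	Reason    string
}

// groupsOf is a constructed sample directory (user -> groups). A real system
// would resolve membership from the OS, LDAP or an identity provider.
var groupsOf = map[string][]string{
	"alice": {"ops"},
	"bob":   {"dev", "ops"},
	"carol": {},
}

// principalsFor expands a user into every principal an entry may name.
func principalsFor(user string) []string {
	ps := []string{user}
	for _, g := range groupsOf[user] {
		ps = append(ps, "group:"+g)
	}
	return ps
}

func hasPerm(perms []Permission, p Permission) bool {
	for _, q := range perms {
		if q == p {
			return true
		}
	}
	return false
}

// Check evaluates one request. No matching entry means deny (default deny).
// An explicit Deny on any of the user's principals overrides an Allow found
// on another principal, whatever their order in the list.
func (a *ACL) Check(user string, p Permission) Decision {
	d := Decision{Time: time.Now(), Principal: user, Resource: a.Resource, Perm: p}
	allowedBy := ""
	for _, e := range a.Entries {
		for _, pr := range principalsFor(user) {
			if e.Principal != pr {
				continue
			}
			if hasPerm(e.Deny, p) {
				d.Reason = "explicit deny via " + pr
				return d
			}
			if allowedBy == "" && hasPerm(e.Allow, p) {
				allowedBy = pr
			}
		}
	}
	if allowedBy == "" {
		d.Reason = "no matching entry (default deny)"
		return d
	}
	d.Allowed = true
	d.Reason = "allowed via " + allowedBy
	return d
}

// SampleACL is a constructed ACL for one configuration file.
func SampleACL() *ACL {
	return &ACL{
		Resource: "/etc/app/config.yml",
		Entries: []ACE{
			{Principal: "group:ops", Allow: []Permission{Read, Write}},
			{Principal: "carol", Allow: []Permission{Read}},
			{Principal: "bob", Deny: []Permission{Write}}, // bob is in ops but must not write
		},
	}
}

func main() {
	acl := SampleACL()
	for _, req := range []struct {
		user string
		perm Permission
	}{{"alice", Write}, {"bob", Write}, {"bob", Read}, {"carol", Write}, {"mallory", Read}} {
		d := acl.Check(req.user, req.perm)
		fmt.Printf("%s %s %s -> allowed=%v (%s)\n", d.Principal, d.Perm, d.Resource, d.Allowed, d.Reason)
	}
}
```

The order-independent deny is the point to take away: an ACL that stops at the first matching entry would let bob write through group:ops if the group entry happened to be listed first.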
Application Content Filtering – Filtering performed by a software proxy agent to remove or quarantine viruses that may be contained in email attachments, to block specific Multipurpose Internet Mail Extensions (MIME) types, or to filter other active content such as Java, JavaScript, and ActiveX® Controls.

Approved – Federal Information Processing Standard (FIPS) approved or National Institute of Standards and Technology (NIST) recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.

Approved Mode of Operation – A mode of the cryptographic module that employs only approved security functions (not to be confused with a specific mode of an approved security function, e.g., Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode).

Approved Security Function – A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either a) specified in an approved standard, b) adopted in an approved standard and specified either in an appendix of the approved standard or in a document referenced by the approved standard, or c) specified in the list of approved security functions.

Assessment Method – A focused activity or action employed by an assessor for evaluating a particular attribute of a security control.

Assessment Procedure – A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Asset – A major application, general support system, high impact program, physical plant, mission critical system, or a logically related group of systems.

Assurance – One of the five "Security Goals." It involves support for our confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. "Adequately met" includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Asymmetric Keys – Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Attack Signature – A specific sequence of events indicative of an unauthorized access attempt.

Attribute Authority – An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit Data – Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.

Audit Reduction Tools – Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.

Audit Trail – A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.

Authenticate – To confirm the identity of an entity when that identity is presented.

Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. The process of establishing confidence of authenticity. Encompasses identity verification, message origin authentication, and message content authentication. A process that establishes the origin of information or determines an entity's identity.

Authentication Code – A cryptographic checksum based on an approved security function (also known as a Message Authentication Code (MAC)).

Electronic Authentication – The process of establishing confidence in user identities electronically presented to an information system.

Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.

Authentication Mode – A block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.

Authentication Protocol – A well-specified message exchange process that verifies possession of a token to remotely authenticate a claimant. Some authentication protocols also generate cryptographic keys that are used to protect an entire session, so that the data transferred in the session is cryptographically protected.
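The Audit Trail, Audit Reduction Tools and (earlier) Attack Signature entries describe one workflow: parse the trail, discard record classes with little security significance, then look for a specific sequence of events that indicates an unauthorized access attempt. The Go program below is an added example for this page, not a tool from the glossary or its source. The audit lines, their "time event key=value" format, the event names and the addresses are all constructed for the example; the signature it looks for (several failed logins from one source followed by a success within a short window) is the classic trace of a guessed password.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Record is one parsed line of the audit trail.
type Record struct {
	When   time.Time
	Event  string // "login", "backup", "file_read", ...
	Source string
	User   string
	Result string // "ok" or "fail"
}

// sampleAudit is constructed for this example; it is not real log data.
const sampleAudit = `2024-05-01T02:00:01Z backup src=127.0.0.1 user=svc-backup result=ok
2024-05-01T02:05:09Z backup src=127.0.0.1 user=svc-backup result=ok
2024-05-01T08:12:03Z login src=10.0.0.7 user=alice result=ok
2024-05-01T09:30:00Z login src=203.0.113.5 user=admin result=fail
2024-05-01T09:30:02Z login src=203.0.113.5 user=admin result=fail
2024-05-01T09:30:04Z login src=203.0.113.5 user=admin result=fail
2024-05-01T09:30:05Z login src=203.0.113.5 user=admin result=fail
2024-05-01T09:30:07Z login src=203.0.113.5 user=admin result=ok
2024-05-01T09:31:00Z file_read src=203.0.113.5 user=admin result=ok
2024-05-01T10:00:00Z login src=10.0.0.8 user=bob result=fail
2024-05-01T10:00:30Z login src=10.0.0.8 user=bob result=ok
`

// ParseAudit reads lines of the form "<RFC3339 time> <event> key=value ...".
func ParseAudit(text string) ([]Record, error) {
	var recs []Record
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		r := Record{When: when, Event: f[1]}
		for _, kv := range f[2:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				continue
			}
			switch k {
			case "src":
				r.Source = v
			case "user":
				r.User = v
			case "result":
				r.Result = v
			}
		}
		recs = append(recs, r)
	}
	return recs, sc.Err()
}

// Reduce is the audit-reduction step: drop event classes known to carry
// little security significance (here the nightly backup runs) before review.
func Reduce(recs []Record, lowValue map[string]bool) []Record {
	var kept []Record
	for _, r := range recs {
		if !lowValue[r.Event] {
			kept = append(kept, r)
		}
	}
	return kept
}

// Alert is one match of the attack signature.
type Alert struct {
	Source   string
	User     string
	Failures int
	At       time.Time
}

// DetectBruteForceSuccess matches the signature "at least minFails failed
// logins from one source within window, then a successful login from that
// source". Failures older than the window are pruned so memory stays bounded.
func DetectBruteForceSuccess(recs []Record, minFails int, window time.Duration) []Alert {
	var alerts []Alert
	fails := map[string][]time.Time{} // source -> recent failure times
	for _, r := range recs {
		if r.Event != "login" {
			continue
		}
		recent := fails[r.Source][:0]
		for _, t := range fails[r.Source] {
			if r.When.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		switch r.Result {
		case "fail":
			fails[r.Source] = append(recent, r.When)
		case "ok":
			if len(recent) >= minFails {
				alerts = append(alerts, Alert{Source: r.Source, User: r.User, Failures: len(recent), At: r.When})
			}
			delete(fails, r.Source)
		}
	}
	return alerts
}

// AnalyzeSample runs parse -> reduce -> detect over the constructed trail.
func AnalyzeSample() (kept []Record, alerts []Alert, err error) {
	recs, err := ParseAudit(sampleAudit)
	if err != nil {
		return nil, nil, err
	}
	kept = Reduce(recs, map[string]bool{"backup": true})
	alerts = DetectBruteForceSuccess(kept, 3, 5*time.Minute)
	return kept, alerts, nil
}

func main() {
	kept, alerts, err := AnalyzeSample()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d records kept after reduction\n", len(kept))
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d failed logins then success as %s from %s\n", a.At.Format(time.RFC3339), a.Failures, a.User, a.Source)
	}
}
```

Bob's single typo followed by a correct password does not trip the signature; the four rapid failures from 203.0.113.5 followed by a success do, and the file_read that follows is the kind of post-compromise activity the audit trail exists to reconstruct.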
Authentication Tag – A pair of bit strings associated with data to provide assurance of its authenticity.

Authentication Token – Authentication information conveyed during an authentication exchange.

Authenticity – The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Authorization – The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Authorizing Official – Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Authorizing Official Designated Representative – Individual selected by an authorizing official to act on their behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system.
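The Authentication Code, Authentication Mode and Authentication Tag entries name the same idea at three levels: a keyed checksum over a message (a MAC), a block cipher mode that produces such a checksum alongside the ciphertext, and the tag itself that the verifier recomputes. The Go program below is an added example for this page, not code from the glossary or its source; it uses the standard library's crypto/hmac and AES-GCM. The key, message and associated data are constructed for the demonstration (a fixed key is never acceptable outside a demo). It shows that a genuine message verifies, that changing one character of the message or one bit of the tag is detected, and that the associated data is bound by the tag even though it is not encrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MAC computes an HMAC-SHA256 authentication code over msg under key.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC recomputes the code and compares in constant time; bytes.Equal
// would stop at the first differing byte and leak timing to an attacker.
func VerifyMAC(key, msg, code []byte) bool {
	return hmac.Equal(MAC(key, msg), code)
}

// Seal encrypts plaintext with AES-GCM, an authentication mode. The output is
// nonce || ciphertext || 16-byte tag. aad is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag over nonce, ciphertext and aad before releasing any
// plaintext; a single flipped bit anywhere makes it fail.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// AuthDemo runs both primitives on constructed inputs and reports whether
// genuine data verifies and whether each kind of tampering is caught.
func AuthDemo() (macOK, macTamperCaught, gcmOK, gcmTamperCaught bool, err error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed fixed key, demo only
	msg := []byte("transfer 100 to account 7")
	code := MAC(key, msg)
	macOK = VerifyMAC(key, msg, code)
	macTamperCaught = !VerifyMAC(key, []byte("transfer 900 to account 7"), code)

	aad := []byte("msg-id:17")
	sealed, err := Seal(key, msg, aad)
	if err != nil {
		return
	}
	pt, err := Open(key, sealed, aad)
	if err != nil {
		return
	}
	gcmOK = bytes.Equal(pt, msg)
	flipped := append([]byte(nil), sealed...)
	flipped[len(flipped)-1] ^= 0x01 // corrupt one bit of the tag
	_, errTag := Open(key, flipped, aad)
	_, errAAD := Open(key, sealed, []byte("msg-id:18")) // wrong associated data
	gcmTamperCaught = errTag != nil && errAAD != nil
	return
}

func main() {
	macOK, macT, gcmOK, gcmT, err := AuthDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC verifies: %v, MAC tamper caught: %v\n", macOK, macT)
	fmt.Printf("GCM round trip: %v, GCM tamper caught: %v\n", gcmOK, gcmT)
}
```

Two details matter in practice: the comparison of the code must be constant time (hmac.Equal), and a GCM nonce must never repeat under the same key, which is why Seal draws a fresh one for every message.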
Automated Key Transport – The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).

Automated Password Generator – An algorithm which creates random passwords that have no association with a particular user.

Availability – Ensuring timely and reliable access to and use of information.

Information Security Awareness – Activities which seek to focus an individual's attention on an (information security) issue or set of issues.

Backup – A copy of files and programs made to facilitate recovery if necessary.

Baseline Security – The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

Baselining – Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.

Bastion Host – A bastion host is typically a firewall implemented on top of an operating system that has been specially configured and hardened to be resistant to attack.
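The Automated Password Generator entry says only that the passwords are random and unrelated to any user; what makes such a generator sound is where the randomness comes from and that every character of the alphabet is equally likely. The Go program below is an added example for this page, not code from the glossary or its source. It draws from the operating system's CSPRNG through crypto/rand (whose rand.Int uses rejection sampling, so there is no modulo bias), and it reports the resulting entropy so a length can be chosen deliberately. The alphabet is a constructed choice of 76 printable characters.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabet is the constructed character set passwords are drawn from
// (26 + 26 + 10 + 14 = 76 symbols).
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@^_~"

// GeneratePassword draws n characters uniformly from Alphabet using the OS
// CSPRNG. rand.Int rejects out-of-range draws, so unlike "randomByte % 76"
// the first characters of the alphabet are not favoured; and unlike
// math/rand the sequence cannot be reproduced from a small seed.
func GeneratePassword(n int) (string, error) {
	if n <= 0 {
		return "", errors.New("password length must be positive")
	}
	var sb strings.Builder
	limit := big.NewInt(int64(len(Alphabet)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(Alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the guessing resistance of n uniformly chosen characters
// from an alphabet of size k: n * log2(k). Sixteen characters of Alphabet
// give about 100 bits.
func EntropyBits(n, k int) float64 {
	return float64(n) * math.Log2(float64(k))
}

// InAlphabet reports whether s uses only characters from Alphabet.
func InAlphabet(s string) bool {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(Alphabet, s[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	for _, n := range []int{12, 16, 24} {
		p, err := GeneratePassword(n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-26s %6.1f bits\n", p, EntropyBits(n, len(Alphabet)))
	}
}
```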
Behavioral Outcome – What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.

Binding – Process of associating two related elements of information. An acknowledgement by a trusted third party that associates an entity's identity with its public key. This may take place through (1) a certification authority's generation of a public key certificate, (2) a security officer's verification of an entity's credentials and placement of the entity's public key and identifier in a secure database, or (3) an analogous method.

Biometric – A physical or behavioral characteristic of a human being. A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and handwriting samples are all examples of biometrics.

Biometric Information – The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).
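The Binding entry above (case 1, a certification authority generating a public key certificate) ties together several earlier entries: Asymmetric Keys, Agency Certification Authority and Applicant. The Go program below is an added example for this page, not code from the glossary or its source; it uses the standard library's crypto/x509 and crypto/ecdsa. The CA names, the applicant "alice" and the validity periods are constructed. It shows a CA issuing a certificate that binds a subject name to the applicant's public key, a relying party verifying that binding against the trusted CA, and the two ways the check fails: a certificate from an unrelated CA, and a certificate presented under a name it does not bind.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a certification authority: its signing key and self-signed certificate.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a CA whose certificate is signed by its own key.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// Issue binds the applicant's identity (subject name) to the applicant's
// public key by signing a certificate with the CA key. The applicant keeps
// the private key; only the public key enters the certificate.
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyBinding checks that cert chains to the trusted CA and names subject.
func VerifyBinding(cert, trusted *x509.Certificate, subject string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != subject {
		return errors.New("certificate binds a different subject")
	}
	return nil
}

// BindingDemo: the agency CA issues alice a certificate; it verifies against
// the agency CA, not against an unrelated CA, and not under mallory's name.
func BindingDemo() (goodChain, wrongCARejected, wrongSubjectRejected bool, err error) {
	agency, err := NewCA("Agency CA")
	if err != nil {
		return
	}
	other, err := NewCA("Unrelated CA")
	if err != nil {
		return
	}
	aliceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the applicant's key pair
	if err != nil {
		return
	}
	cert, err := agency.Issue("alice", &aliceKey.PublicKey, 2)
	if err != nil {
		return
	}
	goodChain = VerifyBinding(cert, agency.Cert, "alice") == nil
	wrongCARejected = VerifyBinding(cert, other.Cert, "alice") != nil
	wrongSubjectRejected = VerifyBinding(cert, agency.Cert, "mallory") != nil
	return
}

func main() {
	good, wrongCA, wrongSubj, err := BindingDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("chain to agency CA: %v, unrelated CA rejected: %v, wrong subject rejected: %v\n", good, wrongCA, wrongSubj)
}
```

The certificate is the binding; the relying party trusts it only because the CA's signature over (subject, public key) verifies under a root it already holds, which is why the same certificate is worthless against the unrelated CA.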
  • 13. An automated system :ٍٝ‫ٔظخَ آٌٟ لخدس ػ‬ capable of: ‫1) حٌلقٛي ػٍٝ ػ١ٕش‬ 1) capturing a biometric ِٓ ‫ل١خط ك١ٛ٠ش‬ sample from an end user; ٟ‫حٌّغظخذَ حٌٕٙخث‬ 2) extracting biometric data ‫2) حعظخ٩ؿ ر١خٔخص‬ from that sample; ‫حٌم١خط حٌل١ٛٞ ِٓ طٍه‬ 3) comparing the biometric ‫حٌؼ١ٕش‬ Biometric ‫ٔظخَ ل١خط‬ data with that contained in ‫3) ِمخسٔش ر١خٔخص حٌم١خط‬ System – ٞٛ١‫ك‬ one or more reference ‫حٌل١ٛٞ رظٍه حٌّٛؿٛدس‬ templates; ‫فٟ ّٔٛرؽ أٚ أوؼش‬ 4) deciding how well they ً‫4) طمذ٠ش ِذٜ حٌظّخػ‬ match; and ٚ ‫ر١ّٕٙخ‬ 5) indicating whether or not ‫5) ح٦ؽخسس اٌٝ ِخ ارح‬ an identification or ‫وخْ حٌظؼشف أٚ حٌظلمك‬ verification of identity has ‫ِٓ فلش حٌؾخق١ش لذ‬ been achieved. .٨ َ‫طُ أـخصٖ أ‬ A characteristic of biometric ‫أكذ خٛحؿ ِؼٍِٛخص‬ Biometric ‫ّٔٛرؽ ل١خط‬ information (e.g. minutiae or ( ٞٛ١‫حٌم١خط حٌل‬ Template – ٞٛ١‫ك‬ patterns.) .)ً ٩‫طفخف١ً أٚ ؽىً ِؼ‬ ‫ؽفشس رشِـ١ش خز١ؼش‬ Blended Attack Malicious code that uses ‫حٌٙـَٛ حٌّخظٍََو‬ ‫طغظخذَ ػذس أعخٌ١ذ‬ – multiple methods to spread. .ٖ‫وٟ طذػُ حٔظؾخس‬ ‫طغٍغً ِٓ ٚكذحص‬ ً‫حٌزض حٌؼٕخث١ش ٠ؾى‬ Sequence of binary bits that ‫حٌّذخ٩ص ٚحٌّخشؿخص‬ comprise the input, output, ‫ٚحٌلخٌش ٚحٌّفخط١ق‬ State, and Round Key. The ‫حٌّظؼخلزش. هٛي رٌه‬ Block – ‫لخٌذ‬ length of a sequence is the ‫حٌظغٍغً ٘ٛ ػذد‬ number of bits it contains. ٟ‫ٚكذحص حٌزض حٌظ‬ Blocks are also interpreted as ‫٠ظنّٕٙخ. طُفغش حٌمٛحٌذ‬ arrays of bytes. ‫أ٠نخً ٜ أٔٙخ ِقفٛفش‬ ً‫ػ‬ .‫ِٓ ٚكذحص حٌزخ٠ض‬ A symmetric key ‫خٛحسصِ١ش طؾف١ش‬ cryptographic algorithm that ِٓ ‫ِظٕخظشس طُلِّٛي لخٌذ‬ transforms a block of ‫حٌّؼٍِٛخص فٟ ٚلض‬ information at a time using a ‫ٚحكذ ِغظخذِش ِفظخف‬ Block Cipher – ‫طؾف١ش حٌمخٌذ‬ cryptographic key. For a ‫طؾف١ش. ِٓ ففخص طٍه‬ block cipher algorithm, the ‫حٌخٛحسصِ١ش أْ هٛي لخٌذ‬ length of the input block is ‫حٌّذخ٩ص ٘ٛ ٔفظ‬ the same as the length of the .‫هٛي لخٌذ حٌّخشؿخص‬ output block. 
Block Cipher Algorithm – A family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.

Boot Sector Virus – A virus that plants itself in a system's boot sector and infects the master boot record.

Boundary Protection – Monitoring and control of communications at the external boundary between information systems completely under the management and control of the organization and information systems not completely under the management and control of the organization, and at key internal boundaries between information systems completely under the management and control of the organization, to prevent and detect malicious and other unauthorized communication, employing controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels).

Boundary Router – A boundary router is located at the organization's boundary to an external network.

Brute Force Password Attack – A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.
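The Brute Force Password Attack entry is a definition only; the C program below is an added example, not part of the glossary, showing what "attempting multiple combinations of numeric and/or alphanumeric passwords" looks like in practice and why the size of the search space, not the attacker's cleverness, decides the outcome. The stored verifier is modelled as an unsalted FNV-1a hash (an assumption chosen because fast, unsalted hashes are exactly what this attack defeats), the alphabet is digits plus lowercase letters, and the secret "ab7" is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Alphabet searched: digits and lowercase letters (36 symbols). */
static const char ALPHABET[] = "0123456789abcdefghijklmnopqrstuvwxyz";
#define ALPHABET_LEN 36
#define MAX_PW_LEN 8

/* FNV-1a 64-bit hash standing in for the stored password verifier. It is a
 * fast, unsalted hash, used here precisely to show why such verifiers fall
 * to brute force; a real system uses a slow, salted KDF plus rate limiting. */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Number of candidates of length 1..max_len over n symbols: n + n^2 + ... + n^max_len. */
uint64_t search_space(unsigned n, unsigned max_len) {
    uint64_t total = 0, pow = 1;
    for (unsigned len = 1; len <= max_len; len++) { pow *= n; total += pow; }
    return total;
}

/* Enumerate every alphanumeric string of length 1..max_len in order and test
 * each against target_hash. On success copies the password into out (which
 * must hold max_len + 1 bytes), stores the attempt count, and returns 1. */
int brute_force(uint64_t target_hash, unsigned max_len, char *out, uint64_t *attempts) {
    char cand[MAX_PW_LEN + 1];
    *attempts = 0;
    if (max_len > MAX_PW_LEN) max_len = MAX_PW_LEN;
    for (unsigned len = 1; len <= max_len; len++) {
        uint64_t count = 1;
        for (unsigned i = 0; i < len; i++) count *= ALPHABET_LEN;
        for (uint64_t idx = 0; idx < count; idx++) {
            /* Decode idx as a base-36 number, most significant symbol first. */
            uint64_t t = idx;
            for (int pos = (int)len - 1; pos >= 0; pos--) {
                cand[pos] = ALPHABET[t % ALPHABET_LEN];
                t /= ALPHABET_LEN;
            }
            cand[len] = '\0';
            (*attempts)++;
            if (fnv1a64(cand) == target_hash) { strcpy(out, cand); return 1; }
        }
    }
    return 0;
}

struct crack_result { int found; uint64_t attempts; char password[MAX_PW_LEN + 1]; };

/* Demo against a constructed secret, "ab7", searching lengths 1 through 3. */
struct crack_result demo_crack_ab7(void) {
    struct crack_result r = { 0, 0, "" };
    r.found = brute_force(fnv1a64("ab7"), 3, r.password, &r.attempts);
    return r;
}

int main(void) {
    struct crack_result r = demo_crack_ab7();
    printf("found=%d password='%s' after %llu of %llu candidates\n", r.found, r.password,
           (unsigned long long)r.attempts, (unsigned long long)search_space(ALPHABET_LEN, 3));
    return 0;
}
```

Each extra character multiplies the work by 36 for this alphabet (and by 95 for full printable ASCII), which is why minimum length and a deliberately slow verifier are the defender's levers, together with the lockout and throttling that make "attempting multiple combinations" against a live device impractical.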
Buffer Overflow – A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

Buffer Overflow Attack – A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.

Business Continuity Plan (BCP) – The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.

Business Impact Analysis (BIA) – An analysis of an information technology (IT) system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
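The Buffer Overflow and Buffer Overflow Attack entries describe the condition abstractly. The C program below is an added example written for this glossary (not code from the glossary's source) that makes the "overwriting other information" concrete: a constructed `struct session` places an 8-byte name field directly before a privilege flag, an unchecked copy of an over-long input spills from the field into the flag, and a bounds-checked copy refuses the same input. The payload is sized from `sizeof(struct session)` so that the demonstration stays inside the object and runs deterministically; a real attacker's input has no such courtesy and keeps writing into the stack or heap beyond it, which is the crash-or-code-execution outcome the definition mentions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record with an 8-byte name field followed by a privilege flag.
 * Constructed for the example; the adjacency is what the overflow abuses. */
struct session {
    char name[8];
    int  is_admin;
};

/* Vulnerable: copies until the NUL terminator with no check against the
 * 8 bytes allocated for name, so a longer input keeps writing past the field
 * into whatever follows it (here, is_admin). name is the first member, so
 * writing through the struct's own bytes keeps the demo well-defined. */
void vulnerable_set_name(struct session *s, const char *input) {
    unsigned char *dst = (unsigned char *)s;   /* same address as s->name */
    size_t i = 0;
    do { dst[i] = (unsigned char)input[i]; } while (input[i++] != '\0');
}

/* Hardened: reject anything that does not fit, terminator included. */
int safe_set_name(struct session *s, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof s->name) return -1;        /* would overflow: refuse */
    memcpy(s->name, input, n + 1);
    return 0;
}

/* Attacker input: sizeof(struct session) - 1 'A's plus NUL. The unchecked
 * copy then writes exactly sizeof(struct session) bytes, crossing from name
 * into is_admin. */
static void build_payload(char *buf, size_t buflen) {
    size_t n = sizeof(struct session) - 1;
    if (n >= buflen) n = buflen - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Returns 1 if the unchecked copy turned is_admin from 0 into non-zero. */
int demo_overflow_sets_admin(void) {
    struct session s = { {0}, 0 };
    char payload[64];
    build_payload(payload, sizeof payload);
    vulnerable_set_name(&s, payload);
    return s.is_admin != 0;
}

/* Returns 1 if the bounds-checked copy refuses the same payload and leaves
 * is_admin untouched. */
int demo_safe_rejects_payload(void) {
    struct session s = { {0}, 0 };
    char payload[64];
    build_payload(payload, sizeof payload);
    int rc = safe_set_name(&s, payload);
    return rc == -1 && s.is_admin == 0;
}

/* Returns 1 if a name that fits is stored correctly by the safe version. */
int demo_safe_accepts_short(void) {
    struct session s = { {0}, 0 };
    return safe_set_name(&s, "alice") == 0 && strcmp(s.name, "alice") == 0 && s.is_admin == 0;
}

int main(void) {
    printf("unchecked copy sets is_admin: %d\n", demo_overflow_sets_admin());
    printf("checked copy rejects payload: %d\n", demo_safe_rejects_payload());
    return 0;
}
```

The fix is not `strncpy` (which silently truncates and may leave the field unterminated) but an explicit length check against the allocated capacity before any byte is written; that is the "capacity allocated" the definition refers to, and it must be enforced at the interface where the input arrives.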
Business Recovery-Resumption Plan (BRP) – The documentation of a predetermined set of instructions or procedures that describe how business processes will be restored after a significant disruption has occurred.

Capture – The method of taking a biometric sample from an end user.

Cardholder – An individual possessing an issued Personal Identity Verification (PIV) card.

Certificate – A digital representation of information which at least 1) identifies the certification authority issuing it, 2) names or identifies its subscriber, 3) contains the subscriber's public key, 4) identifies its operational period, and 5) is digitally signed by the certification authority issuing it. A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.

Certificate Policy (CP) – A Certificate Policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.

Certificate Management Authority (CMA) – A Certification Authority (CA) or a Registration Authority (RA).

Certificate-Related Information – Information, such as a subscriber's postal address, that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.

Certificate Revocation List (CRL) – A list of revoked public key certificates created and digitally signed by a Certification Authority.
Certificate Status Authority – A trusted entity that provides on-line verification to a Relying Party of a subject certificate's trustworthiness,