Adware, a threat that is similar to spyware, is defined by the Anti-Spyware Coalition (ASC) as "a type of Advertising Display Software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. In addition to displaying numerous annoying ads, many adware applications also perform tracking functions."


Account

An account is a combination of a username and password that allows the user to log on to a network, computer system, or application.

Administrative User

A user assigned to supervise all or a portion of an application/system.


Software that protects your computer from various types of malware.


To conduct the independent review and examination of system records and activities.

Audit Trail

A chronological record of system activities that is sufficient to enable the reconstruction, reviewing and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results.


An authorized individual or role, with administrative duties, which include selecting the events to be audited on the system, setting up the audit flags that enable the recording of those events, and analyzing the trail of audit events.


(1) To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. (2) To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.

Authenticated User

A user who has accessed an application/system with a valid identifier and authentication combination.


The granting of access rights to a user, program, or process.


Business Impact Analysis

Business Impact Analysis identifies the organization's critical applications/systems and the estimated outage time that can be tolerated. Risk assessment and qualitative and quantitative analysis are performed to evaluate all potential threats and the amount of potential loss.


Broadband

Refers to a number of methods used for permanent high speed access to the Internet. DSL, cable modems, fiber optics, and mobile wireless are some examples of broadband methods.


Browser

A program that allows a person to access the Internet to locate content. See: Web Browser Attacks.

Browser Hijacker

A piece of spyware or malware that replaces various web pages, such as browser home pages, search pages or error pages, with its own pages. This is done to force hits to a website.


Botnet

The word BOTNET is short for the combination of the words robot and network. The term often applies to groups of computer systems that have had malicious software installed by worms, Trojan horses or other malicious software that allows the "botnet herder" or botnet's originator to control the group remotely. For more information, read What you really need to know about BOTNETs.

Business Continuity Plan

(BCP) An all-encompassing term covering both disaster recovery planning and business resumption planning. This umbrella term also refers to other aspects of disaster recovery, such as emergency management, human resources, media or press relations, etc. From the National Institute of Standards and Technology perspective, a BCP identifies procedures for sustaining essential business operations while recovering from a significant disruption. This plan addresses the business processes and is Information Technology based only in its support for the business processes.

Business Resumption Plan

(BRP) The operations piece of business continuity planning; it provides procedures for recovering business operations immediately following a disaster. This plan requires the existence of documentation of the critical business functions that need to be recovered for business processes to continue, and it addresses the business processes. It is not Information Technology based; the IT focus only supports the business processes.

Chat Room

An online service that allows people to type messages which are displayed almost instantly on the screens of others who are in the "chat room".

Classification of Data

Data that is identified by sensitivity levels. The data owner classifies the data and is responsible for ensuring that the security controls are commensurate with each classification level. Business classification levels are usually divided into public, sensitive, private, or confidential.

- Public: If disclosed, it will not cause harm to the organization, environment, or personnel.

- Sensitive: Any information, the disclosure of which could damage the organization, environment, business partners, customers, or other third parties (e.g. social security numbers, credit card numbers, etc.).

- Private: Any information, the disclosure of which could cause serious damage to the organization, environment, business partners, customers, or other third parties (e.g. salary information, medical records, etc.).

- Confidential: Any information, the disclosure of which could cause grave damage to the organization, environment, business partners, customers, or other third parties (e.g. trade secrets, high-clearance security information, etc.).


A small text file that is placed on your computer's hard drive by a website in order to allow the site to remember information about you and your activities on the site.


The "Computer Crime and Security Survey" is conducted by CSI (Computer Security Institute) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.


Information with a specific physical representation. Data can exist in a variety of forms -- as numbers or text on pieces of paper, as bits and bytes stored in electronic computer memory, or as facts stored in a person's mind.

See: Safe Guarding Your Data.

Data Custodian

A role, delegated by the data owner, that is responsible for the maintenance and protection of the organization's data.

Data Breach

Data breach generally refers to instances where information has been subject to unauthorized access, often where the information is lost, stolen or hacked into.


See: Identity Theft Protection Act 452; What is a data breach?; SOM Video; Safe Guarding Your Data.

Degree of Criticality

The standard five-category criticality classification scheme comprises: highly critical, critical, priority, required, and deferrable. Each of these categories has a time period within which the application or system must be recovered. The business requirements should determine which category the application or system belongs to.

Data Owner

Usually a member of senior management of an organization who is ultimately responsible for ensuring the protection and proper use of the organization's data.

Dial-up access

is a temporary, as opposed to dedicated, connection between two computers (Internet or network) established over a standard phone line, using a modem at each end of the telephone circuit.

Disaster Recovery

(DR) is a coordinated activity to enable the recovery of IT/business systems due to a disruption. DR can be achieved by restoring IT/business operations at an alternate location, recovering IT/business operations using alternate equipment, and/or performing some or all of the affected business processes using manual methods.


Permitting access, release, transfer, or other communication of confidential, private, or sensitive information, either orally, in writing, by electronic means, or by any other means to any party.

Discretionary Access Control

(DAC) A means of restricting access to objects based on the identity and need-to-know of the user, process and/or groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.


The process of copying files between computers on a network.


When you go to a website and software (usually malware) is downloaded and installed on your computer without your knowledge.


DSL

An acronym that stands for Digital Subscriber Line. It is a type of high speed Internet access using standard phone lines and the local telephone network.

Due Care

An organization has taken the necessary steps to protect resources and personnel from possible risks. This is usually implemented through the development of security policies, procedures, and standards. If an organization does not practice due care pertaining to the security of its resources and personnel, it can be legally liable for negligence and held accountable for the ramifications of that negligence.

Due Diligence

Implementing security policies and the mechanisms that support them demonstrates due diligence. The security mechanisms are continually maintained and operational. If an organization does not practice due diligence pertaining to the security of its assets, it can be legally liable for negligence and held accountable for the ramifications of that negligence.


Encryption

The transformation of plaintext (also called cleartext, or that which is in an understandable format) into ciphertext (unreadable format). Encryption is accomplished using an algorithm (set of mathematical functions) and an encryption "key" (secret sequence of bits and instructions).

See: Using Encryption to Protect Data.


EULA

End User Licensing Agreement. A software provider's legal terms for using their software.


A state in a computing system (or set of systems) which is not a universal vulnerability


Firewall

Hardware or software that filters traffic to and/or from your computer in an attempt to prevent unauthorized access to your computer system from another computer system. See: Hardware Firewall vs Software Firewall.

Formal Security Policy Model

A mathematically precise statement of a security policy. Such a model must represent the initial state of a system, the way in which the system progresses from one state to another state, and a definition of a "secure" state of the system.


Hacking

The unauthorized use of, or an attempt to circumvent or bypass the security mechanisms of, an information system or network. The term "hacker" refers to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers themselves maintain that the proper term for such individuals is "cracker".


The physical or mechanical devices that comprise a computer system, such as the central processing unit, monitor, keyboard, and mouse, as well as other equipment like printers and speakers. The physical components of a computing system, as contrasted to software -- the logical instructions that manipulate the hardware and work on the data.


HTML

Stands for Hypertext Markup Language. This is a coding language used to create documents and websites.


HTTP

Stands for Hypertext Transfer Protocol. It is an application layer standard used by Web browsers and servers to communicate over TCP/IP.


HTTPS

Stands for Hypertext Transfer Protocol over Secure Sockets Layer (SSL). It is an application layer standard used by Web browsers and servers to communicate securely over TCP/IP by encrypting data before it is transported over the network.


The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.

Identity Theft

Identity theft is the deliberate assumption of another person's identity, usually to gain access to their credit or frame them for some crime. It can also be used to enable illegal immigration, terrorism, espionage, or change identity permanently. It may be a means of blackmail, especially if medical privacy or political privacy has been breached, and revealing the activities undertaken by the thief under the name of the victim would have serious consequences (e.g. loss of job or marriage). Identity theft is usually the result of serious breaches of privacy.

See: Preventing and Responding to Identity Theft


An event that has caused or has the potential to cause damage to an organization's business systems, facilities, or personnel.

Incident Handling

The primary goal is to contain and repair any damage caused by an event and to prevent any further damage.

Instant Messaging

A form of text communication that happens in real time.


Sound, unimpaired, or perfect condition.

Internal Security Controls

Hardware, firmware and software features within a system that restrict access to resources (hardware, software, and data) to authorized subjects only (persons, programs, or devices).

Keystroke Logger

A software program that records the keystrokes entered by a  user on a particular computer.

Least Privilege

This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.


Software that can destroy your data, affect your computer's performance, cause a crash, or even allow spammers to send email through your account.

Mandatory Access Control

(MAC) A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access that information.


Network

A computer network is a group of computers that are linked so that information can travel between the computers. The computers could be in the same room and linked via copper cables, or located in different countries, linked by satellites, phone lines or fiber optic cables. The Internet is one of the world's largest networks. Wireless networks transmit information over public airwaves (the same used by television, radio, and cell phones).


OES

Office of Enterprise Security. A division in the Technology responsible for Information Security in state government.

Parental Controls

Tools used by parents to prevent their children from accessing inappropriate content on the Internet. See: Protect Your Children Online or Dealing with Cyberbullies.

Personal Information

Information that identifies you. It can include such things as your Social Security Number, your name, your credit card numbers, your bank numbers, etc.



The successful act of bypassing the security mechanisms of a system.

Peer-to-Peer File Sharing

Peer-to-Peer (P2P) file sharing is software that allows computer users, utilizing the same software, to connect with each other and directly access files from one another's hard drives.

See: Security Concerns with Peer to Peer (P2P) File Sharing.


PCI

Abbreviation for the Payment Card Industry.


PCI DSS

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, and procedures.



Pharming

Involves Trojan programs, worms, or other virus technologies that attack the Internet browser address bar; it is much more sophisticated than phishing. When users type in a valid URL, they are redirected to the criminals' websites instead of the intended valid website.


Phishing

The act of tricking someone into giving away confidential information, or into doing something that they normally wouldn't do or shouldn't do. For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. See: What is Phishing?

Physical Security Controls:

Key Pads are usually placed near a door to let you operate your system and can function as an input device to allow the user to enter a code for physical access to a secured area. Most often, the keypad informs you of the status of the system (e.g. armed, disarmed, etc.).

Proximity badges are cards/badges that identify individuals to a physical area or computer system using the access control system. If authenticated, access is allowed.

Biometric devices are security devices that verify personal characteristics such as fingerprints, hand size, signatures, voiceprints, or eye pictures for authentication to the access control system.


A test application or system that is used to determine requirements or issues that may arise when implemented in a production environment. A pilot system is a test system, not a production system.


Privacy

Wikipedia defines privacy as "the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively."

See: Personal Privacy. How to Protect Your Information.

Portable Devices

Also known as mobile devices; small and lightweight devices such as laptops, PDAs, hand-held computers, Tablet PCs, and cell phones, to name a few.

See: Protecting Portable Devices, Securing your Laptop.

Production Environment

Where an application or system resides that hosts actual / real data (as opposed to test data) or is available on a publicly accessible network or server.


A program in execution.


The possibility of something damaging happening (i.e., a threat agent exploiting a vulnerability) to a system, environment, or personnel.

Risk Management

Process of identifying, assessing, and reducing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

Risk Assessment/Analysis

A method of identifying risks and determining the possible damage that could be caused, in order to justify security safeguards. The three main goals are: identify risks, quantify the impact of the potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguard.


A device that connects two or more networks.

Safeguard

A security countermeasure that operates as a protection mechanism against a threat.


SDLC

Systems Development Life Cycle is a detailed and specific set of procedures, steps, and documents that carry a project through its technical development. It includes an Initiation Phase, Planning Phase, Functional Design Phase, System Design Phase, Development Phase, Integration and Testing Phase, Installation and Acceptance Phase, and Maintenance Phase.

Security Level

The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

Security Policy

The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Security-Relevant Event

Any event that attempts to change the security state of the system (e.g., change discretionary access controls, change the security level of the subject, change user password). Also, any event that attempts to violate the security policy of the system (e.g., too many attempts to log in, attempts to violate the mandatory access control limits of a device, attempts to downgrade a file).

Security Testing

A process used to determine that the security features of a system are implemented as designed. This includes hands-on functional testing, penetration testing, and verification.

Separation of Duties

"...refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, in financial systems, no single individual should normally be given authority to issue checks. Rather, one person initiates a request for a payment and another authorizes that same payment. In effect, checks and balances need to be designed into both the process as well as the specific, individual positions of personnel who will implement the process. Ensuring that such duties are well defined is the responsibility of management." - NIST 800-12, page 109

Social Engineering

Social engineering refers to an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.

See Social Engineering? Are You at Risk?

Social Networking Sites

Websites that allow users to build on-line profiles and share information, pictures, blog entries, music clips, etc. See: Staying Safe on Social Networking Sites.


Software

Any data, information, designs, or ideas which were, are, or will become computer files, programs, systems of programs, or related input or output data. It may be recorded in any form, including electronically, magnetically, optically, or on paper, and may or may not be located inside a computer system.


SOM

State of Michigan.


Spam

Unsolicited e-mail, normally sent in bulk.


Spammer

Someone who sends spam.


An attempt to gain access to a system by posing as an authorized user. Synonymous with impersonating, masquerading, or mimicking.


Spyware

The Anti-Spyware Coalition (ASC) defines "spyware and other potentially unwanted technologies as technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

- Material changes that affect their user experience, privacy or system security;

- Use of their system resources, including what programs are installed on their computers; and/or

- Collection, use and distribution of their personal or other sensitive information."

See: Recognizing Spyware

Test Plan

A document, or a section of a document, that describes the test conditions, data, and coverage of a particular test or group of tests.

Test Program

A program which implements the test conditions when initialized with the test data and which collects the results produced by the program being tested.


The possibility that a vulnerability may be exploited to cause harm to a system, environment, or personnel.

Trojan Horse

A program that neither replicates nor copies itself, but performs some illicit activity when it is run. It stays in the computer doing its damage or allows somebody from a remote site to take control of the computer.

Unauthorized access

is gaining access to any computer, network, storage medium, system, program, file, user area, or other private repository without the express permission of the owner. Unauthorized access is the same as theft.


The process of comparing two levels of system specification for proper correspondence (e.g., security policy model with top-level specification, top-level specification with source code, or source code with object code). This process may or may not be automated.


Virus

A virus is a program or code that attaches itself to a legitimate, executable program, and then reproduces itself when that program is run.


Any fact about a computer system that is a legitimate security concern.


Wireless

A method of communication that uses electromagnetic waves to transport data. See: Securing a Wireless Network.


Worm

A self-contained program (or set of programs) that is able to spread copies of itself to other computer systems. Spreading usually takes place through network connections or email attachments.