Accreditation - The official management decision given by a senior officer or BLE to authorize the operation of an information system and to explicitly accept the risk to the organization's operations, assets, or personnel based on the implementation of an agreed-upon set of controls. By accrediting an information system, senior management accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the organization if a breach of security occurs.

Authorization to operate - See accreditation.

Availability - Timely, reliable access to data and information services for authorized users [CNSS 01]

Boundary (system) - Determined by the IT resources assigned to a particular system [Swanson 06]. System boundaries are usually determined during the inventory process.

Certification - A detailed security review of a system that results in the information and supporting evidence (artifacts) needed for security accreditation.

Confidentiality - Assurance that information is not disclosed to unauthorized individuals, processes, or devices [CNSS 01]

Convergence - The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies [AESRM 05].

Cybercrime Convention - See the Council of Europe Convention on Cybercrime description at

Data flows - When data is transmitted from one user to another or from one physical location to another, it is called a data flow, (i.e., the data flows from one person or place to another). With respect to location, data could flow from one server to another or from one state or country to another. Such flows of data raise numerous security considerations, such as compliance with different laws from jurisdiction to jurisdiction; the policies and procedures required to ensure that security requirements are passed from one user or location to the next; and the technical software and tools that must follow the data to ensure security is effectively deployed and maintained.

Enterprise governance - The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly [IFAC 04].

Governing for enterprise security - Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions); Treating adequate security as a non-negotiable requirement of being in business [Allen 05].

Information security governance -  . . . the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies " are aligned with and support business objectives; " are consistent with applicable laws and regulations through adherence to policies and internal controls; and " provide assignment of responsibility all in an effort to manage risk [Bowen 06]

Integrity (data integrity) - Data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. (integrity) protection against unauthorized modification or destruction of information [CNSS 01]

IT governance - An integral part of enterprise governance. It consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives [ITGI 03].

Key performance indicator - Financial and non-financial metrics used to quantify objectives to reflect strategic performance of an organization. []

Letter rogatory - a formal request from a court in one country to "the appropriate judicial authorities" in another country requesting compulsion of testimony or documentary or other evidence or effect service of process.

Operational criteria - Determined by business line executives (BLEs) and include the baseline IT requirements for the operation of their business unit, such as network availability, interconnectivity requirements, use of portable devices, and number of users requiring software licenses. Operational criteria can also include business continuity and disaster recovery parameters and details regarding the working environment, such as heavy traffic flow within the operational area, physical layout considerations, and extreme climate conditions.

Resilience - an organization's ability to adaptively respond to disruptive events and tolerate being affected by them

Risk - "a function of the likelihood of a given threat-source's exercising a particular vulnerability, and the resulting impact of that adverse event on the organization." [Stoneburner 02]

System - "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information" [Ross 04]. Information resources include networks, applications, and data. C&As are performed on systems, and security requirements apply throughout the system development life cycle (SDLC).

System architecture - The technical network and system components (hardware and firmware), operating platforms and application software, and other hardware or software components used within the IT environment. System architecture differs from "enterprise architecture," which describes the alignment between business functions and IT assets.

System description - Includes the purpose of the system, the information resources (or assets) that comprise it, how the assets are used, the asset owners and custodians, any special protections required, etc. [Ross 04]

Table of Authorities - Listing of all applicable laws, regulations, directives, contracts, and other legal requirements applicable to the organization's assets and systems.

Top-level policies - Broad, umbrella-type statements governing operations and the use of technology, such as the use of email and wireless devices; remote access to systems; the protection of intellectual property; business continuity; and critical security controls.