It’s Time to Standardize our Terminology

As a new year dawns, it brings with it all kinds of new adventures… and new challenges.
There has been a lot of attention given to information assurance, and, in response to that, many new companies have entered the field, along with many new security professionals. Amidst all of this, I have joined a new company, which has new clients, peers and management. Despite all the change, I figured the one constant in all this newness would be the security terminology.
I was mistaken.
Information assurance, for example, has multiple definitions in the security world. According to the National Institute of Standards and Technology (NIST), information assurance is defined as “measures that protect and defend information and information systems, ensuring their availability, integrity, authentication, confidentiality and non-repudiation”. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. This definition covers many areas, but not all of them.
I have heard people say information assurance should be the responsibility of the facility security officer (FSO). I’ve also heard that only those technical engineers who can penetrate the operating systems of the various information systems are considered to be information assurance experts. But this one is my personal favorite… If a system has the mandatory three feet of security documentation, then it meets all the IA requirements — even if that documentation does not adequately address system operation or its security features.
We need to stop paperwhipping the accreditations.

Information assurance should not be just a buzzword. It should be an overarching umbrella that covers and pulls together all the security disciplines. It shouldn’t address only those disciplines that are easy to implement at the time. Information assurance needs to address all the measures that will protect and defend the information, including all the technical security features of the system/network, the personnel, the physical environment and the policies that are implemented.
Another security term that is often misconstrued is risk assessment. Again, if we turn to the NIST glossary, risk assessment is the “process of analyzing threats to and vulnerabilities of an information system, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures.”
Risk assessment has been referred to as the scans that are run on an operating system, or as the results of penetration activity. The risk assessment of a system, however, is much more than the scripts and their results.
In addition to the vulnerability assessment, a risk assessment should include input from personnel, and information gathered through questionnaires. (The NIST Risk Assessment Questionnaire is highly recommended.) Then, by assessing all the information gathered through the interviews, scans, tests and documentation reviews, a well-informed decision can be made about the risk level.
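The following is an added illustration of the point above; it is not code from the original article or from NIST. It models a risk assessment as the combination of scan findings with the non-technical inputs gathered from interviews, questionnaires and documentation review, and shows that the same scan output yields a different risk level once system exposure, data sensitivity and compensating controls are taken into account. The class names, the three-step rating scales, the rating matrix and the sample findings (with placeholder CVE identifiers) are all assumptions chosen for the example.

```python
"""Worked risk-assessment example (added illustration, not the article's own).

A vulnerability scan reports findings; interviews, questionnaires and
documentation review supply the context (exposure, data sensitivity,
controls in place). The risk level comes from combining both, which is
why a scan report alone is not a risk assessment.
"""
from dataclasses import dataclass, field

# Ordinal scales used by the (hypothetical) rating matrix below.
LEVELS = ["low", "moderate", "high"]


@dataclass
class ScanFinding:
    """One technical finding as a scanner would report it (constructed sample)."""
    host: str
    finding_id: str            # placeholder identifier, not a real CVE
    severity: str              # "low" | "moderate" | "high"
    remotely_exploitable: bool


@dataclass
class SystemContext:
    """Inputs that do not come from the scan: interview and questionnaire
    answers plus documentation review (assumed fields for the example)."""
    network_exposure: str                  # "isolated" | "internal" | "internet"
    data_sensitivity: str                  # "public" | "internal" | "sensitive"
    compensating_controls: set = field(default_factory=set)


def likelihood(finding: ScanFinding, ctx: SystemContext) -> str:
    """Likelihood of exploitation: scanner severity adjusted by exposure and controls."""
    level = LEVELS.index(finding.severity)
    if finding.remotely_exploitable and ctx.network_exposure == "internet":
        level += 1                                   # reachable from anywhere
    if ctx.network_exposure == "isolated":
        level -= 1                                   # learned from the interviews
    if finding.remotely_exploitable and "host_firewall" in ctx.compensating_controls:
        level -= 1                                   # learned from the questionnaire
    return LEVELS[max(0, min(level, len(LEVELS) - 1))]


def impact(ctx: SystemContext) -> str:
    """Impact of loss follows the data classification found in the documentation."""
    return {"public": "low", "internal": "moderate", "sensitive": "high"}[ctx.data_sensitivity]


def risk_level(lik: str, imp: str) -> str:
    """Qualitative risk matrix: mean of the two ordinals, rounded up."""
    score = LEVELS.index(lik) + LEVELS.index(imp)
    return LEVELS[(score + 1) // 2]


def assess_system(findings: list, ctx: SystemContext) -> dict:
    """Rate every finding in context; the system's overall risk is the worst finding."""
    per_finding = {f.finding_id: risk_level(likelihood(f, ctx), impact(ctx)) for f in findings}
    overall = max(per_finding.values(), key=LEVELS.index) if per_finding else "low"
    return {"per_finding": per_finding, "overall": overall}


# Constructed sample data. The scan output is identical in both assessments;
# only the interview/questionnaire/documentation inputs differ.
SAMPLE_FINDINGS = [
    ScanFinding("fileserver01", "FINDING-PLACEHOLDER-1", "high", remotely_exploitable=True),
    ScanFinding("fileserver01", "FINDING-PLACEHOLDER-2", "moderate", remotely_exploitable=False),
]
ISOLATED_PUBLIC = SystemContext(network_exposure="isolated", data_sensitivity="public")
INTERNET_SENSITIVE = SystemContext(network_exposure="internet", data_sensitivity="sensitive",
                                   compensating_controls={"host_firewall"})

if __name__ == "__main__":
    for name, ctx in (("isolated, public data", ISOLATED_PUBLIC),
                      ("internet-facing, sensitive data", INTERNET_SENSITIVE)):
        print(name, "->", assess_system(SAMPLE_FINDINGS, ctx))
```

Run on the constructed data, the same two scan findings rate as moderate overall for the isolated system holding public data and as high for the internet-facing system holding sensitive data; a reader of the scan report alone would have no way to tell the two apart.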
And here are another couple of pieces of terminology that I see confused on a regular basis — certification and accreditation.
Certification is the process of conducting activities to determine if a system’s security features and the associated policies are implemented correctly.
Accreditation is the statement made by the designated approving authority (DAA) that allows the system to be operational. In other words, the DAA has the authority to accept the risk the system has within that particular operational environment.
These two often get confused. Some will say the DAA has certified a system, when in reality the DAA has made an accreditation decision. And some mistakenly think a system has been certified, when actually the system has only undergone stringent testing. What gets really confusing is when a security official says his/her system is certified. Does that mean the system is at a certain Evaluation Assurance Level (EAL), or does it mean that the system has undergone certification and has been accredited?
A misunderstanding could lead to serious consequences.
As more people, processes and policies are introduced into the security arena, one of the first steps we need to take this year is to standardize our terminology. Having clear definitions will allow us to better share information… and understand each other. Using the NIST glossary may be a good way to baseline our terminology. And then we will be better equipped to share our ideas with each other.

Article originally published Jan 24, 2006