Glossary & Terms
American National Standards Institute (ANSI) A private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States.
Certification Authority (CA) is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes.
CISA (Certified Information Systems Auditor) is a professional certification for information technology audit professionals sponsored by the Information Systems Audit and Control Association (ISACA). Candidates for the certification must meet requirements set by ISACA.
CobIT4 COBIT 4 is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.
Federal Information Security Management Act -- This is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
IETF RFC 3647 or 2527 These RFCs define the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
ISO 21188 ISO 21188 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. It is derived from the X9.29, IETF RFC 2527, and IETF RFC 3647 frameworks.
ISO 27001 ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified compliant with the standard.
NIST 800-53 The purpose of the NIST 800-53 guidelines is to provide guidance for selecting and specifying security controls for information systems supporting the agencies of the US federal government.
PKI The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Privacy Laws and Guidance
The Privacy Act of 1974 (5 U.S.C. 552a), as amended, regulates the Federal Government’s collection, use, maintenance, and dissemination of information about individuals.
Section 208 of the E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.
The Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.
The Trade Secret Act (18 U.S.C. 1905) provides criminal penalties for the theft of trade secrets and other business identifiable information.
The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) regulates the online collection and use of personal information provided by and relating to children under the age of 13.
OMB Circular A-130, “Management of Federal Information Resources,” establishes a policy for the management of Federal information resources, including automated information systems.
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing Section 208 of the E-Government Act.
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, establishes requirements to review and reduce the volume of PII; eliminate the unnecessary use of social security numbers (SSN); and log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required (pages 6-8).
OMB Memorandum M-06-16, Protection of Agency Sensitive Information, provides guidance for encrypting sensitive data on mobile computers and devices; allowing remote access only with two-factor authentication; using a time-out function for remote access; and logging all computer-readable data extracts from databases holding sensitive information and verifying, for each extract, that sensitive data has been erased within 90 days or that its use is still required.
OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, requires that agencies conduct a review of their policies and processes, and take corrective action as appropriate to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, personally identifiable information.
Registration Authority A registration authority or maintenance agency is a body given the responsibility of maintaining lists of codes under international standards and issuing new codes to those wishing to register them.