Term             ‫حٌّقطٍق‬                  Definition                 ‫طؼش٠ف حٌّقطٍق‬                                    ...
and prevention, and after-        ‫ح٨عظشؿخع رؼذ طٕف١ز‬                                     action recovery and legal      ...
ٚ‫رخ٦مخفش اٌٝ أفٌٛٙخ أ‬                                                                            .‫ِٕغٛر١ٙخ‬            ...
can process data blocks of          ٟ٘ٚ "ً٠‫"س٠ـٕذح‬                                      128 bits, using cipher keys     ...
ً١‫٠مَٛ حِؾ ٚو‬                                                                                ْ‫رش‬                      ...
Function –        ‫ِٛحفمش‬              cryptographic key            ‫هش٠مش ادحسس ِفظخف‬                                 m...
met‖ includes              ٟ‫هش٠مش ِلذدس ف‬                                        (1) functionality that          ّٓ‫حٌظٕ...
Chronological record of      ‫عـً طخس٠خٟ ٤ٔؾطش‬                                     system activities to enable     ‫حٌٕظخ...
process that establishes the       ‫ٚحٌظلمك ِٓ ِقذس‬                                         origin of information or     ...
A pair of bit strings         ً‫صٚؿ١ٓ ِٓ حٌغ٩ع‬Authentication                  ‫ػ٩ِش حٌظقذ٠ك‬    associated to data to pro...
The transport of        ‫ٔمً ِفخط١ق حٌظؾف١ش‬                                      cryptographic keys, usually in )‫(ػخدس ر...
What an individual who has          ‫ِخ ٠ظٛلغ ِٓ ؽخـ‬                                   completed the specific         ٕٗ‫...
An automated system             :ٍٝ‫ٔظخَ آٌٟ لخدس ػ‬                                             capable of:             ‫...
function maps bit strings of a ‫طؾف١ش ك١غ طمَٛ حٌذحٌش‬                                  fixed length to bit strings of ‫رظ...
.َ‫حٌلشٚف ٚ/أٚ ح٤سلخ‬                                                                  ‫ؽشه فٟ لٕخس ح٨طقخي‬               ...
Resumption                            instructions or procedures        ‫حٌّلذدس عٍفخً طقف‬ Plan – (BRP)                  ...
electronic transactions       ‫اٌىظشٚٔ١ش طُطزك أػٕخء‬                                    performed during certificate .‫اد...
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
مفاهيم
Upcoming SlideShare
Loading in...5
×

مفاهيم

774

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
774
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

مفاهيم

  1. 1. Term ‫حٌّقطٍق‬ Definition ‫طؼش٠ف حٌّقطٍق‬ Ability to make use of any ‫حٌمذسس ػٍٝ ح٨عظفخدس‬ Access ‫حٌٛفٛي / حٌذخٛي‬ information system (IS) ‫ِٓ أٞ ِٛسد ِٓ ِٛحسد‬ resource. .ٓ١‫ٔظخَ ِؼٍِٛخص ِؼ‬ An entity responsible for ٓ‫حٌى١خْ حٌّغئٚي ػ‬ monitoring and granting ‫ِشحلزش ِٕٚق ف٩ك١خص‬Access Authority ‫٘١جش حٌٛفٛي‬ access privileges for other ‫حٌٛفٛي ٌٍـٙخص حٌُّقشَّف‬ authorized entities. .‫ٌٙخ‬ ‫لزٛي أٚ سفل هٍزخص‬ The process of granting or ‫ِؼ١ٕش طخظـ رـ‬ denying specific requests: ٍٝ‫1) حٌلقٛي ػ‬ 1) for obtaining and using ‫(ك١خصس) ِؼٍِٛخص‬ information and related ‫ٚحعظخذحِٙخ ٚ وزٌه‬ information processing ٟ‫حٌظلىُ ف‬ ‫حٌلقٛي ػٍٝ خذِخص‬Access Control services; and ‫حٌٛفٛي‬ ‫طظؼٍك رّؼخٌـظٙخ‬ 2) to enter specific physical ‫2) حٌذخٛي اٌٝ ِٕؾآص‬ facilities (e.g., Federal ً‫ِخد٠ش ِلذدس ِؼ‬ buildings, military ‫حٌّزخٟٔ حٌلىِٛ١ش‬ establishments, and border ‫ٚحٌّئعغخص حٌؼغىش٠ش‬ crossing entrances). .‫ٚٔمخه حٌؼزٛس حٌلذٚد٠ش‬ : ُ‫عـً ٠ن‬ A register of: ٓ١ِ‫1) ر١خٔخص حٌّغظخذ‬ 1) users (including groups, ‫( ؽخٍِشً حٌّـّٛػخص‬ machines, processes) who )‫ٚحٌّؼذحص ٚحٌؼٍّ١خص‬Access Control ُ‫لٛحثُ حٌظلى‬ have been given permission ْ‫حٌّّٕٛك١ٓ ار‬Lists - (ACLs) ‫فٟ حٌٛفٛي‬ to use a particular system َ‫رخعظخذحَ ِٛسد ٔظخ‬ resource, and ٚ ٓ١‫ِؼ‬ 2) the types of access they ‫2) أٔٛحع حٌٛفٛي حٌُّقشَّف‬ have been permitted. .ٌُٙ Involves ّٓ‫طظن‬ 1) the process of requesting, ‫1) ػٍّ١ش هٍذ ٚأؾخء‬ establishing, issuing, and ‫ٚافذحس ٚاغ٩ق كغخرخص‬ User Account ‫ادحسس كغخد‬ closing user accounts; َ‫حٌّغظخذ‬ Management َ‫حٌّغظخذ‬ 2) tracking users and their ٓ١ِ‫2) طظزغ حٌّغظخذ‬ respective access ‫ٚطقخس٠ق حٌٛفٛي حٌخخفش‬ authorizations; and ُٙ‫ر‬ 3) managing these functions. .‫3) ادحسس ٘زٖ حٌٛظخثف‬ The security goal that ‫حٌٙذف ح٤ِٕٟ حٌزٞ ٠ٌٛذ‬ generates the requirement ‫حٌلخؿش ٌظظزغ أػّخي‬ for actions of an entity to be ‫ؿٙش رؼ١ٕٙخ. ٠ذػُ رٌه‬Accountability – ‫حٌّغئٌٚ١ش‬ traced uniquely to that entity. ، ‫ػذَ ح٦ٔىخس ، حٌشدع‬ This supports non- ، ‫طؾخ١ـ حٌخهؤ‬ repudiation, deterrence, fault ‫حوظؾخف ِٕٚغ ح٨خظشحق‬ isolation, intrusion detection ٍٝ‫، حٌمذسس ػ‬
  2. 2. and prevention, and after- ‫ح٨عظشؿخع رؼذ طٕف١ز‬ action recovery and legal ‫حٌفؼً ، ح٦ؿشحء‬ action. .ٟٔٛٔ‫حٌمخ‬ ‫لشحس ح٦دحسس حٌشعّ١ش‬ ‫فخدس ِٓ أكذ حٌىٛحدس‬ The official management ‫حٌؼٍ١خ ٌٙ١جش ِخ ٌٍظقش٠ق‬ decision given by a senior ً١‫رخٌّٛحفمش ػٍٝ طؾغ‬ agency official to authorize ‫ٔظخَ ِؼٍِٛخص ٚحٌمزٛي‬ operation of an system and ‫فشحكشً رظؼش٠ل ػٍّ١خص‬ to explicitly accept the risk to ‫افذحس/حػظّخد‬ ‫طٍه حٌٙ١جش ٌٍّخخهشس‬Accreditation – agency operations (including ‫ِٛحفمش‬‫حي‬ ٚ‫(رّخ فٟ رٌه سعخٌظٙخ أ‬ mission, functions, image, or ٚ‫ٚظخثفٙخ أٚ ِقذحل١ظٙخ أ‬ reputation), agency assets, or ٚ‫عّؼظٙخ) أٚ أفٌٛٙخ أ‬ individuals, based on the ٍٝ‫ِٕغٛر١ٙخ رٕخءً ػ‬ implementation of an agreed- ‫ططز١ك ِـّٛػش ػٕخفش‬ upon set of security controls. ‫حٌظلىُ ح٤ِٕٟ حٌّظفك‬ ‫ػٍ١ٙخ‬ All components of an ‫وً ِخ ٠مَٛ "ِٛظف‬ information system to be "‫افذحس حٌظقش٠ق‬ accredited by an authorizing ِٓ ٗ١ٍ‫رخٌّٛحفمش ػ‬Accreditation official and excludes ‫ِىٛٔخص ٔظخَ ِؼٍِٛخص‬ ‫كذٚد ح٨ػظّخد‬ Boundary – separately accredited ‫رخعظؼٕخء ِخ طُ حٌّٛحفمش‬ systems, to which the ِٓ ً‫ػٍ١ٗ رؾىً ِٕفق‬ information system is َ‫أٔظّش ٠ظقً رٙخ ٔظخ‬ connected. .‫حٌّؼٍِٛخص‬ The evidence provided to the ٌٝ‫ح٤دٌش حٌّمذِش ا‬ authorizing official to be used "‫ِٛظف "افذحس حٌظقش٠ق‬ in the security accreditation ‫٨عظخذحِٙخ فٟ ػٍّ١ش‬ decision process. Evidence ‫افذحس لشحس حٌّٛحفمش‬ includes, but is not limited to: ‫ح٤ِٕ١ش. طظنّٓ طٍه‬Accreditation ‫ )1 ك١ؼ١خص ح٨ػظّخد‬the system security plan; ً١‫ح٤دٌش ػٍٝ عز‬ Package – 2) the assessment results :‫حٌّؼخي ٌٚ١ظ حٌلقش‬ from the security َ‫1) حٌخطش ح٤ِٕ١ش ٌٍٕظخ‬ certification; and ‫2) ٔظخثؾ حٌظم١١ُ حٌقخدسس‬ 3) the plan of action and ِٟٕ٤‫ػٓ حٌظٛػ١ك ح‬ milestones. .ٍٗ‫3) خطش حٌؼًّ ِٚشحك‬ ‫حٌـٙش حٌّخٛي ٌٙخ‬ Official with the authority to ْٛ‫سعّ١خً عٍطش أْ طى‬ formally assume responsibility ً١‫ِغجٌٛش ػٓ طؾغ‬ for operating an information ٓ١‫ٔظخَ ِؼٍِٛخص ِؼ‬ Accrediting system at an acceptable level ‫ؿٙش ح٨ػظّخد‬ ِٓ ‫مّٓ كذ ِمزٛي‬ Authority – of risk to agency operations ‫حٌّخخهشس رؼٍّ١خص ٘١جش‬ (including mission, functions, ًّ‫ِؼ١ٕش رّخ ٠ؾ‬ image, or reputation), agency ‫سعخٌظٙخ ٚٚظخثفٙخ‬ assets, or individuals. ‫ِٚقذحل١ظٙخ ٚعّؼظٙخ‬
  3. 3. ٚ‫رخ٦مخفش اٌٝ أفٌٛٙخ أ‬ .‫ِٕغٛر١ٙخ‬ ‫ٟ٘ طٍه حٌز١خٔخص‬ Private data, other than keys, ‫حٌخخفش حٌّطٍٛرش‬Activation Data ‫ر١خٔخص حٌظٕؾ١و‬ that are required to access ‫ٌٍٛفٛي اٌٝ ٚكذحص‬ – cryptographic modules. ‫حٌظؾف١ش حٌّٕط١ش‬ .‫رخعظؼٕخء حٌّفخط١ق‬ ‫٠ؾ١ش حٌّلظٜٛ حٌٕؾو‬ Active content refers to ‫اٌٝ حٌٛػخثك ح٨ٌىظشٚٔ١ش‬ electronic documents that are ٚ‫حٌظٟ ٠ّىٕٙخ طٕف١ز أ‬ able to automatically carryActive Content – ‫حٌّلظٜٛ حٌٕؾو‬ ٍٝ‫طؾغ١ً أػّخي ػ‬ out or trigger actions on a ً‫ِٕقش حٌلخعٛد آٌ١خ‬ computer platform without ِٓ ً‫رذْٚ طذخ‬ the intervention of a user. .َ‫حٌّغظخذ‬ Security commensurate with ‫ح٤ِٓ حٌزٞ ٠ظٕخعذ ِغ‬ the risk and the magnitude of ‫ِذٜ حٌّخخهشس ٚحٌنشس‬ Adequate harm resulting from the loss, ‫حٌٕخطؾ ِٓ طؼشك‬ ٟ‫ح٤ِٓ حٌىخف‬ Security – misuse, or unauthorized ٚ‫حٌّؼٍِٛخص اٌٝ حٌفمذ أ‬ access to or modification of ‫حٌؼزغ أٚ حٌٛفٛي غ١ش‬ information. .‫حٌّقشف رٗ أٚ حٌظغ١١ش‬ Administrative actions, policies, and procedures to ‫أػّخي ٚع١خعخص‬ manage the selection, ُ‫ٚاؿشحءحص ادحس٠ش ٌٍظلى‬ development, ‫فٟ حخظ١خس ٚططٛ٠ش‬ implementation, and ‫ٚططز١ك ٚف١خٔش ِؼخ٠١ش‬ Administrative ‫ح٦ؿشحءحص ح٦دحس٠ش‬ maintenance of security ‫ح٤ِٓ رغشك كّخ٠ش‬ Safeguards – ‫حٌٛلخث١ش‬ measures to protect ‫حٌّؼٍِٛخص ح٨ٌىظشٚٔ١ش‬ electronic health information ٓ١ٍِ‫ٚمزو طقشفخص حٌؼخ‬ and to manage the conduct ‫دحخً حٌـٙش حٌّئََِّٕش‬ of the covered entitys ‫ف١ّخ ٠خظـ رلّخ٠ش‬ workforce in relation to .‫حٌّؼٍِٛخص‬ protecting that information. The Advanced Encryption َ‫٠لذد حٌّؼ١خس حٌّظمذ‬ Standard specifies a U.S. ‫ٌٍظؾف١ش خٛحسصِ١ش‬ Government-approved ‫حٌظؾف١ش حٌقخدس رؾؤٔٙخ‬ cryptographic algorithm that ‫ِٛحفمش ِٓ حٌلىِٛش‬ can be used to protect ٓ‫ح٤ِش٠ى١ش حٌظٟ ٠ّى‬ Advanced electronic data. The AES ‫حعظخذحِٙخ ٌلّخ٠ش‬ Encryption َ‫حٌّؼ١خس حٌّظمذ‬ algorithm is a symmetric .‫حٌز١خٔخص ح٨ٌىظشٚٔ١ش‬Standard (AES) ‫ٌٍظؾف١ش‬ block cipher that can encrypt ‫ٚطّؼً خٛحسصِ١ش حٌّؼ١خس‬ – (encipher) and decrypt ‫حٌّظمذَ ٌٍظؾف١ش لخٌذ‬ (decipher) information. This ‫ِظٕخظش ِٓ حٌظشِ١ض‬ standard specifies the ‫٠ّىٕٗ طؾف١ش ٚفه‬ Rijndael algorithm, a ‫طؾف١ش حٌّؼٍِٛخص. ٠لذد‬ symmetric block cipher that ‫٘زح حٌّؼ١خس خٛحسصِ١ش‬
  4. 4. can process data blocks of ٟ٘ٚ "ً٠‫"س٠ـٕذح‬ 128 bits, using cipher keys ‫طؾف١ش لخٌذ ِظٕخظش‬ with lengths of 128, 192, and ‫٠ّىٕٙخ ِؼخٌـش لٛحٌذ‬ 256 bits. ‫ر١خٔخص رطٛي 821 رض‬ ‫رخعظخذحَ ِفخط١ق طشِ١ض‬ 256 ٚ 192 ٚ 128 ‫هٌٛٙخ‬ .‫رض‬ ًّ‫٘١جش طقذ٠ك طؼ‬ A CA that acts on behalf of an Agency ‫رخٌٕ١خرش ػٓ ٚوخٌش ِؼ١ٕش‬ ‫٘١جش حٌظٛػ١ك‬ Agency, and is under the Certification ‫رل١غ طىْٛ خخمؼش‬ ‫حٌظخرؼش ٌٛوخٌش‬ operational control of anAuthority – (CA) ‫ٌٍشلخرش حٌظؾغ١ٍ١ش ٌظٍه‬ Agency. ‫حٌٛوخٌش‬ ٟ‫رشٔخِؾ ٠غظخذَ ف‬ ‫٘ـّخص كـذ حٌخذِش‬ A program used in distributed ً‫حٌّٛصَّػّش حٌظٟ طشع‬ denial of service (DDoS) ‫ع١ً ِٓ حٌز١خٔخص‬ Agent – ً١ّ‫حٌؼ‬ attacks that sends malicious ٌٝ‫حٌخز١ؼش ٠ظذفك ا‬ traffic to hosts based on the ٍٝ‫حٌّن١ف رٕخءحً ػ‬ instructions of a handler. ِٓ ‫طؼٍ١ّخص فخدسس‬ .ُ‫ِؼخٌؾ طلى‬ The examination of acquired ‫فلـ ر١خٔخص ُِـِّّؼش‬ Analysis – ً١ٍ‫طل‬ data for its significance and ‫ٔظشحً ٤ّ٘١ظٙخ ٚد٨ٌظٙخ‬ probative value to the case. .‫ٌٍلخٌش ِٛمغ حٌٕمخػ‬ ‫رشٔخِؾ ٠مَٛ رّشحلزش‬ A program that monitors a ‫حٌلخعٛد أٚ حٌؾزىش‬ computer or network to ‫ٌٍظؼشف ػٍٝ وً أٔٛحع‬ Antivirus ‫رشحِؾ ِىخفلش‬ identify all major types of ‫حٌزشِـ١خص حٌخز١ؼش ِٕٚغ‬ Software – ‫حٌف١شٚعخص‬ malware and prevent or ِٓ ‫أٚ ػضي ِخ ٠ظٙش‬ contain malware incidents. ‫كخ٨ص (أػشحك) طٍه‬ .‫حٌزشِـ١خص حٌخز١ؼش‬ ‫فٟ رؼل ح٤ك١خْ ٠طٍك‬ The subscriber is sometimes ُ‫ػٍٝ حٌّؾظشن حع‬ called an ―applicant‖ after ‫"ِمذَ حٌطٍذ" رؼذ‬ / ‫ُِمَذَِ حٌطٍذ‬ applying to a certification ‫طمذ٠ّٗ هٍزخً اٌٝ ٘١جش‬ Applicant – ‫ِؾظَشِن‬ authority for a certificate, but ٍٝ‫حٌظٛػ١ك ٌٍلقٛي ػ‬ before the certificate issuance ْٛ‫ؽٙخدس ػٍٝ أْ ٠ى‬ procedure is completed. ‫رٌه لزً حٔظٙخء اؿشحءحص‬ .‫افذحس طٍه حٌؾٙخدس‬ ‫حعظخذحَ حٌّٛحسد‬ The use of information ‫حٌّؼٍِٛخط١ش (حٌّؼٍِٛخص‬ resources (information and )‫ٚطمٕ١ش حٌّؼٍِٛخص‬ Application – ‫ططز١ك‬ information technology) to ‫ٌظٍز١ش ِـّٛػش ِلذدس‬ satisfy a specific set of user ‫ِٓ ِظطٍزخص‬ requirements. .َ‫حٌّغظخذ‬
  5. 5. ً١‫٠مَٛ حِؾ ٚو‬ ْ‫رش‬ ‫رظقف١ش ِلظٜٛ حٌظطز١ك‬ Application content filtering is ‫٦صحٌش أٚ ػضي حٌف١شٚعخص‬ performed by a software ٟ‫حٌظٟ سرّخ طشد ف‬ proxy agent to remove or ‫ِشفمخص حٌزش٠ذ‬ quarantine viruses that may ‫ح٨ٌىظشٟٚٔ أٚ كـض أٔٛحع‬ Application be contained in email ٜٛ‫طقف١ش ِلظ‬ ‫ِؼ١ٕش ِٓ حِظذحدحص رش٠ذ‬Content Filtering attachments, to block specific ‫حٌظطز١ك‬ ‫ح٨ٔظشٔض حٌّظؼذدس‬ – Multipurpose Internet Mail ‫ح٤غشحك أٚ ٌظقف١ش أٔٛحع‬ Extensions (MIME) types, or ٜٛ‫أخشٜ ِٓ حٌّلظ‬ to filter other active content ٚ ‫حٌٕؾو ِؼً ؿخفخ‬ such as Java, JavaScript, and ‫ؿخفخعىش٠زض ٚػٕخفش‬ ActiveX® Controls. ‫حٌظلىُ ِٓ ٔٛع حوظف‬ .‫اوظ‬ ‫ِخ ٠ظفك ِغ حٌّؼ١خس‬ ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬ ‫حٌّؼٍِٛخص أٚ ِخ ٠قذس‬ ِٓ ٗ١‫رؾؤٔٗ طٛف‬ Federal Information ٟٕ‫حٌّؼٙذ حٌٛه‬ Processing Standard (FIPS) ‫ٌّمخ٠١ظ ٚحٌظمٕ١ش‬‫ي‬ approved or National Institute ٚ‫رّؼٕٝ أخش خٛحسصِ١ش أ‬ of Standards and Technology ‫هش٠مش‬ (NIST) recommended. An ٗٔ‫فخدس رؾؤ‬ ‫1) ِلذدس فٟ حٌّؼ١خس‬ Approved – algorithm or technique that is ‫ِٛحفمش‬ ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬ either ٟ‫حٌّؼٍِٛخص أٚ ف‬ 1) specified in a FIPS or NIST ٟٕ‫طٛف١خص حٌّؼٙذ حٌٛه‬ Recommendation, or ٚ‫ٌٍّمخ٠١ظ ٚحٌظمٕ١ش أ‬ 2) adopted in a FIPS or NIST ‫2) ِطزمش فٟ حٌّؼ١خس‬ Recommendation. ‫حٌف١ذسحٌٟ ٌّؼخٌـش‬ ‫حٌّؼٍِٛخص أٚ طٛف١خص‬ ٟٕ‫حٌّؼٙذ حٌٛه‬ .‫ٌٍّمخ٠١ظ ٚحٌظمٕ١ش‬ ‫ٚمؼ١ش ِؼ١ٕش ٌٛكذس‬ ٟ‫حٌظؾف١ش حٌّٕط١ش حٌظ‬ A mode of the cryptographic ‫طمَٛ رظؾغ١ً ٚظخثف‬ module that employs only ‫ح٤ِٓ حٌقخدس رؾؤٔٙخ‬ approved security functions ‫ِٛحفمش فمو ( ٨ ٠ـذ‬ ً١‫ٚمؼ١ش حٌظؾغ‬ (not to be confused with aApproved Mode ‫حٌخٍو ر١ٕٙخ ٚر١ٓ ٚمؼ١ش‬ ‫ حٌقخدس رؾؤٔٙخ‬specific mode of an approvedof Operation – ‫ِلذدس ٌٛظ١فش إِٔ١ش‬ ‫ِٛحفمش‬ security function, e.g., Data ‫فخدس رؾؤٔٙخ ِٛحفمش‬ Encryption Standard (DES) ‫ِؼً ٚمؼ١ش ِؼ١خس‬ Cipher Block Chaining (CBC) ‫طؾف١ش حٌز١خٔخص ٚٚمؼ١ش‬ mode). ‫لخٌذ حٌظشِ١ض‬ . )ً‫حٌّغٍغ‬ Approved ‫ٚظ١فش إِٔ١ش‬ A security function (e.g., ً‫ٚظ١فش إِٔ١ش (ِؼ‬ Security ‫فخدس رؾؤٔٙخ‬ cryptographic algorithm, ٚ‫خٛحسصِ١ش حٌظؾف١ش أ‬
  6. 6. Function – ‫ِٛحفمش‬ cryptographic key ‫هش٠مش ادحسس ِفظخف‬ management technique, or ‫حٌظؾف١ش أٚ هش٠مش‬ authentication technique) ْٛ‫حٌظقذ٠ك) ٚحٌظٟ طى‬ that is either ‫اِخ‬ a) specified in an approved ‫أ) ِلذدس فٟ ِؼ١خس‬ standard, ‫فخدس رؾؤٔٗ ِٛحفمش‬ b) adopted in an approved ٟ‫د) أٚ ُِغظخذَِش ف‬ standard and specified either ٗٔ‫ِؼ١خس فخدس رؾؤ‬ in an appendix of the ٟ‫ِٛحفمش ِٚزوٛسس ف‬ approved standard or in a ‫ٍِلك خخؿ رزٌه‬ document referenced by the ‫حٌّؼ١خس أٚ فٟ ٚػ١مش‬ approved standard, or ٍٗ‫ِؾخس اٌ١ٙخ دحخ‬ c) specified in the list of ّٓ‫ؽ) أٚ ِلذدس م‬ approved security functions. ‫لخثّش ِٓ ٚظخثف إِٔ١ش‬ .‫ِقذِّق ػٍ١ٙخ‬ A focused activity or action ‫ٔؾخه أٚ ػًّ ُِشوَّض‬Assessment employed by an assessor for ‫٠ززٌٗ حٌُّم١ُِّ ٌم١خط‬ ُ١١‫أعٍٛد حٌظم‬ Method – evaluating a particular ‫خخف١ش ِؼ١ٕش ِٓ خٛحؿ‬ attribute of a security control. .‫حٌشلخرش ح٤ِٕ١ش‬ ‫ِـّٛػش ِٓ ح٤ٔؾطش‬ A set of activities or actions ‫أٚ ح٤ػّخي ٠مَٛ رٙخ‬ employed by an assessor to ٜ‫حٌُّم١ُِّ ٌظلذ٠ذ ِذ‬ determine the extent to ‫ططز١ك حٌشلخرش ح٤ِٕ١ش‬ which a security control is ‫رؾىً فل١ق ٚطؾغ١ٍٙخ‬Assessment implemented correctly, ُ١١‫اؿشحءحص حٌظم‬ ‫كغذ حٌّطٍٛد‬Procedure – operating as intended, and ‫ٚطلم١مٙخ ٌٍٕظخثؾ‬ producing the desired ‫حٌّشؿٛس ِٕٙخ ف١ّخ‬ outcome with respect to ‫٠خظـ رخعظ١فخء‬ meeting the security ‫حٌّظطٍزخص ح٤ِٕ١ش‬ requirements for the system. .َ‫ٌٍٕظخ‬ َ‫ططز١ك سث١غٟ أٚ ٔظخ‬ A major application, general ٌٗ ‫دػُ ػخَ أٚ رشٔخِؾ‬ support system, high impact ‫طؤػ١ش رخٌغ أٚ ِٕؾؤس‬ ‫أفً / (ِٛسد‬ program, physical plant, Asset – ًِ‫ِخد٠ش أٚ ٔظخَ ٌٍظؼخ‬ ٟ‫)سث١غ‬ mission critical system, or a ٚ‫ِغ حٌُ٘خَ حٌلشؿش أ‬ logically related group of ‫ِـّٛػش ِٓ ح٤ٔظّش‬ systems. .ً‫حٌّشطزطش ِٕطم١خ‬ One of the five ―Security ‫أكذ ح٤٘ذحف حٌخّغش‬ Goals.‖ It involves support for ّٓ‫ٌ٥ِٓ حٌظٟ طظن‬ our confidence that the other ‫دػّخً ٌؼمظٕخ رخعظ١فخء‬ four security goals (integrity, ٜ‫ح٤سرغ أ٘ذحف ح٤خش‬Assurance – ْ‫طؤِ١ٓ / مّخ‬ availability, confidentiality, ، ًِ‫ٌ٥ِٓ (حٌظىخ‬ and accountability) have been ‫حعظّشحس٠ش طٛفش حٌخذِش‬ adequately met by a specific )‫، حٌغش٠ش ، حٌّغئٌٚ١ش‬ implementation. ―Adequately ‫رؾىً وخفٍ ِٓ خ٩ي‬
  7. 7. met‖ includes ٟ‫هش٠مش ِلذدس ف‬ (1) functionality that ّٓ‫حٌظٕف١ز. ٠ظن‬ performs correctly, ‫ح٨عظ١فخء حٌىخًِ ٌظٍه‬ (2) sufficient protection ‫حٌؼٕخفش‬ against unintentional errors ‫1) ع٩ِش ح٤دحء‬ (by users or software), and ‫ٌٍٕٛحكٟ حٌٛظ١ف١ش‬ (3) sufficient resistance to ‫2) مّخْ كّخ٠ش وخف١ش‬ intentional penetration or by- ‫مذ ح٤خطخء غ١ش‬ pass. ِٓ( ‫حٌّظؼّذس‬ ٚ‫حٌّغظخذِ١ٓ أ‬ )‫حٌزشحِؾ‬ ‫3) ٚحٌّمخِٚش حٌىخف١ش‬ ‫ٌّلخٚ٨ص ح٨خظشحق‬ .‫ٚحٌظخطٟ حٌّظؼّذس‬ Two related keys, a public ٓ١‫ِفظخك١ٓ ِشطزط‬ key and a private key that are َ‫أكذّ٘خ ِفظخف ػخ‬ used to perform ُ‫ٚح٤خش خخؿ ٠ظ‬ Asymmetric ‫ِفخط١ق غ١ش‬ complementary operations, ‫حعظخذِّٙخ ٤دحء‬ Keys ‫ِظٕخظشس‬ such as encryption and ً‫ػٍّ١خص ِظىخٍِش ِؼ‬ decryption or signature ٚ‫حٌظؾف١ش ٚفه حٌظؾف١ش أ‬ generation and signature ‫افذحس حٌظٛل١غ ٚحٌظلمك‬ verification. .‫ِٓ فلش حٌظٛل١غ‬ ِٓ ‫ِـّٛػش ِظغٍغٍش‬ A specific sequence of eventsAttack Signature ٌٝ‫ح٤كذحع طؾ١ش ا‬ َٛ‫رقّش ٘ـ‬ indicative of an unauthorized – ‫ٚؿٛد ِلخٌٚش ٚفٛي غ١ش‬ access attempt. .‫ِقشف رٙخ‬ An entity, recognized by the ‫ؿٙش طلذد٘خ ٘١جش‬ Federal Public Key ‫حٌغ١خعخص حٌف١ذسحٌ١ش‬ Infrastructure (PKI) Policy ‫ٌغ١خعخص حٌزٕ١ش‬ ‫٘١جش حٌظلمك‬ Attribute Authority or comparable ٚ‫حٌظلظ١ش ٌٍّفظخف حٌؼخَ أ‬ ‫ِٓ خقخثـ‬ Authority – Agency body as having the ‫ٚوخٌش ِّخػٍش رل١غ‬ ‫حٌٙٛ٠ش‬ authority to verify the ‫٠ىْٛ ٌٙخ عٍطش حٌظلمك‬ association of attributes to an ‫ِٓ طٛحفك خقخثـ ِغ‬ ‫حي‬ identity. .‫٘ٛ٠ش ِؼ١ٕش‬ ‫ِشحؿؼش ِغظمٍش ٚفلـ‬ Independent review and ‫ٌٍغـ٩ص ٚح٤ٔؾطش‬ examination of records and ‫ٌظم١١ُ وفخ٠ش ػٕخفش‬ activities to assess the ِٓ ‫طلىُ حٌٕظخَ ٌٍظؤوذ‬ adequacy of system controls, ‫ِٛحفمظٙخ ٌٍغ١خعخص‬ to ensure compliance with Audit – ‫حٌظذل١ك ٚحٌفلـ‬ ً١‫ٚاؿشحءحص حٌظؾغ‬ established policies and ‫حٌّمشسس، ٚافذحس‬ operational procedures, and ٛ٘ ‫حٌظٛف١خص كٛي ِخ‬ to recommend necessary ٟ‫مشٚسٞ ِٓ طغ١١شحص ف‬ changes in controls, policies, ٚ‫ػٕخفش حٌظلىُ أ‬ or procedures .‫حٌغ١خعخص أٚ ح٦ؿشحءحص‬
  8. 8. Chronological record of ‫عـً طخس٠خٟ ٤ٔؾطش‬ system activities to enable ‫حٌٕظخَ ٌظٛف١ش اِىخٔ١ش‬ ‫ر١خٔخص حٌظذل١ك‬ the reconstruction and ‫اػخدس رٕخء ٚفلـ‬ Audit Data – ‫ٚحٌفلـ‬ examination of the sequence ٚ ‫عٍغٍش ِٓ ح٤كذحع‬ of events and changes in an ‫حٌظغ١١شحص حٌظٟ ؽٙذ٘خ‬ event. .ٓ١‫كذع ِؼ‬ ‫ِؼخٌـخص طُ اػذحد٘خ‬ ُ‫ِغزمخً ٌخفل كـ‬ ‫عـ٩ص حٌفلـ‬ Preprocessors designed to ً١ٙ‫ٚحٌظذل١ك رغشك طغ‬ reduce the volume of audit ً‫حٌّشحؿؼش حٌ١ذٚ٠ش. لز‬ records to facilitate manual ‫اؿشحء حٌّشحؿؼش ح٤ِٕ١ش‬ review. Before a security ‫طغظط١غ ٘زٖ ح٤دٚحص‬ review, these tools can ‫اصحٌش حٌؼذ٠ذ ِٓ عـ٩ص‬ remove many audit records ‫حٌظذل١ك ٚحٌفلـ‬Audit Reduction ‫أدٚحص ط١غ١ش‬ known to have little security ‫حٌّؼشٚفش رخٔخفخك‬ Tools – ‫حٌظذل١ك ٚحٌفلـ‬ significance. These tools َٛ‫أّ٘١ظٙخ ح٤ِٕ١ش. طم‬ generally remove records ً‫٘زٖ ح٤دٚحص ػِّٛخ‬ generated by specified ِٓ ‫ربصحٌش أٔٛحع ِلذدس‬ classes of events, such as ‫ح٤كذحع ِؼً طٍه‬ records generated by nightly ٓ‫حٌغـ٩ص حٌٕخطـش ػ‬ backups. ‫ػٍّ١خص حٌٕغخ‬ ٟ‫ح٨كظ١خهٟ حٌذٚس٠ش حٌظ‬ ً‫طلذع فٟ ٔٙخ٠ش و‬ .‫ٌ١ٍش‬ A record showing who has َ‫عـً ٠ٛمق ِٓ لخ‬ accessed an Information ‫رخٌذخٛي اٌٝ ٔظخَ طمٕ١ش‬ ٚ ‫عـً حٌفلـ‬ Technology (IT) system and Audit Trail – ‫ِؼٍِٛخص ٚ حٌؼٍّ١خص‬ ‫حٌّشحؿؼش‬ what operations the user has ‫حٌظٟ لخَ رظٕف١ز٘خ أػٕخء‬ performed during a given .‫فظشس ِؼ١ٕش‬ period. To confirm the identity of an ‫حٌظؤوذ ِٓ ٘ٛ٠ش ؿٙش‬ / ٍٝ‫٠قذِّق ػ‬Authenticate – entity when that identity is ‫ِؼ١ٕش ػٕذ طمذ٠ُ طٍه‬ ‫٠ظلمك ِٓ ٘ٛ٠ش‬ presented. .‫حٌٙٛ٠ش‬ Verifying the identity of a ‫حٌظؤوذ ِٓ فلش ٘ٛ٠ش‬ user, process, or device, ‫حٌخخفش رؤكذ‬ often as a prerequisite to ٚ‫حٌّغظخذِ١ٓ أ‬ allowing access to resources .‫حٌؼٍّ١خص أٚ ح٤ؿٙضس‬ / ‫حٌظقذ٠ك‬ in an information system. The ‫٠ىْٛ رٌه ػخدس وؤكذ‬Authentication – ِٓ ‫حٌظلمك‬ process of establishing ‫ِظطٍزخص حٌغّخف‬ ‫حٌٙٛ٠ش‬ confidence of authenticity. ‫رخٌٛفٛي اٌٝ حٌّٛحسد‬ Encompasses identity َ‫حٌّٛؿٛدس فٟ ٔظخ‬ verification, message origin ‫ِؼٍِٛخص ِؼ١ٓ. ػٍّ١ش‬ authentication, and message ًّ‫طؤع١ظ حٌؼمش ٚطؾ‬ content authentication. A ‫حٌظلمك ِٓ فلش حٌٙٛ٠ش‬
  9. 9. process that establishes the ‫ٚحٌظلمك ِٓ ِقذس‬ origin of information or .‫حٌشعخٌش ِٚلظٛح٘خ‬ determines an entity‘s ‫ػٍّ١ش طٙذف اٌٝ طلذ٠ذ‬ identity. ٚ‫ِقذس حٌّؼٍِٛخص أ‬ .‫٘ٛ٠ش ؿٙش ِخ‬ ‫ِؼخدٌش طؾف١ش كغخر١ش‬ A cryptographic checksum ‫طؼظّذ ػٍٝ ٚظ١فش‬ based on an approvedAuthentication ‫ؽفشس حٌظلمك‬ ‫إِٔ١ش فخدس رؾؤٔٙخ‬ security function (also known Code – ‫ِٓ حٌٙٛ٠ش‬ ً‫ِٛحفمش (طؼشف أ٠نخ‬ as a Message Authentication ‫رخعُ ؽفشس سعخٌش‬ Code (MAC)). . )‫حٌظقذ٠ك‬ The process of establishing ٟ‫ػٍّ١ش اػزخص حٌؼمش ف‬ Electronic ِٓ ‫حٌظلمك‬ confidence in user identities ٓ١ِ‫٘ٛ٠خص حٌّغظخذ‬Authentication – ً‫حٌٙٛ٠ش حٌىظشٚٔ١خ‬ electronically presented to an ً‫حٌظٟ طمذَ حٌىظشٚٔ١خ‬ information system. .‫ٌٕظخَ ِؼٍِٛخص‬ ٍٝ‫آٌ١خص طؼظّذ ػ‬ ‫ح٤ؿٙضس أٚ حٌزشحِؾ رل١غ‬ Hardware or software-based ٓ١ِ‫طُـزِش حٌّغظخذ‬Authentication ِٓ ‫آٌ١ش حٌظلمك‬ mechanisms that force users ً‫ػٍٝ اػزخص ٘ٛ٠خطُٙ لز‬Mechanism – ‫حٌٙٛ٠ش‬ to prove their identity before ‫حٌٛفٛي ٌٍز١خٔخص‬ accessing data on a device. ‫حٌّٛؿٛدس ػٍٝ أكذ‬ .‫ح٤ؿٙضس‬ A block cipher mode of َ‫ٚمؼ١ش طؾغ١ً طغظخذ‬ operation that can provide ‫لخٌذ طشِ١ض ِؼ١ٓ ٠ّىٕٙخ‬Authentication ‫ٚمؼ١ش حٌظلمك‬ assurance of the authenticity ‫طؤِ١ٓ حٌؼمش فٟ ٘ٛ٠ش‬ Mode – ‫ِٓ حٌٙٛ٠ش‬ and, therefore, the integrity ٟ‫حٌّغظخذَ ٚرخٌظخٌٟ ف‬ of data. .‫طىخًِ حٌز١خٔخص‬ ً‫ػٍّ١ش طزخدي ٌٍشعخث‬ ٞ‫ِلذدس رذلش ٠ـش‬ ِٓ ‫خ٩ٌٙخ حٌظلمك‬ A well specified message ‫فلش حِظ٩ن حكذ حٌشِٛص‬ exchange process that ‫حٌّّ١ضس رغشك حٌظلمك‬ verifies possession of a token ‫ػٓ رؼذ ِٓ ٘ٛ٠ش‬ to remotely authenticate a ‫حٌؾخـ حٌزٞ ٠طٍذ‬ claimant. Some .ٓ١‫حٌظؼخًِ ِغ ٔظخَ ِؼ‬Authentication ‫رشطٛوٛي حٌظلمك‬ authentication protocols also ‫رؼل رشطٛوٛ٨ص‬ Protocol – ‫ِٓ حٌٙٛ٠ش‬ generate cryptographic keys ‫حٌظقذ٠ك طمَٛ ربٔؾخء‬ that are used to protect an ََ‫ِفخط١ق طؾف١ش طُغظخذ‬ entire session, so that the ‫ٌظٛف١ش حٌلّخ٠ش هٛحي‬ data transferred in the َ‫فظشس حٌظؼخًِ ِغ حٌٕظخ‬ session is cryptographically ‫ٌٚزٌه طىْٛ حٌز١خٔخص‬ protected. ‫لٌٛش خ٩ي طٍه‬ ٌّٓ‫ح‬ ً‫حٌفظشس ِلّ١ش رفن‬ .‫طؾف١ش٘خ‬
  10. 10. A pair of bit strings ً‫صٚؿ١ٓ ِٓ حٌغ٩ع‬Authentication ‫ػ٩ِش حٌظقذ٠ك‬ associated to data to provide ‫حٌٕق١ش ِشطزطش رخٌز١خٔخص‬ Tag – assurance of its authenticity. .‫ٌٍظؤوذ ِٓ ِقذحل١ظٙخ‬ ‫حٌشِض حٌّّ١ض‬ Authentication information ‫ِؼٍِٛخص حٌظلمك‬Authentication ِٓ ‫ٌٍظلمك‬ conveyed during an ‫حٌّظزخدٌش أػٕخء حٌظلمك‬ Token – ‫حٌٙٛ٠ش‬ authentication exchange. ‫ِٓ فلش حٌٙٛ٠ش‬ The property of being ً‫خخف١ش أْ طىْٛ أفٍ١خ‬ genuine and being able to be ِٓ ‫ٚلخرً ٌٍظلمك‬ ‫خخف١ش‬ verified and trusted; ِٓ ‫٘ٛ٠ظه ٚحٌٛػٛق رٙخ‬Authenticity – ‫حٌّقذحل١ش‬ confidence in the validity of a ٟ‫خ٩ي ِٕق حٌؼمش ف‬ transmission, a message, or ‫فلش ح٦سعخي ٚحٌشعخٌش‬ message originator. .‫ِٚشعٍٙخ‬ ‫لشحس ح٦دحسس حٌشعّ١ش‬ The official management ‫حٌقخدس ِٓ أكذ حٌىٛحدس‬ decision given by a senior ‫حٌؼٍ١خ ٌٙ١جش ِخ ٨ػظّخد‬ agency official to authorize ً١‫حٌّٛحفمش ػٍٝ طؾغ‬ operation of an information ‫ٔظخَ ِؼٍِٛخص ٚحٌمزٛي‬ system and to explicitly ‫ػ٩ٔ١شً رظؼش٠ل ػٍّ١خص‬ accept the risk to agency ‫طٍه حٌٙ١جش ٌٍّخخهشس‬Authorization – ‫طقش٠ق‬ operations (including mission, ‫(رّخ فٟ رٌه سعخٌظٙخ‬ functions, image, or ‫ٚٚظخثفٙخ ِٚقذحل١ظٙخ‬ reputation), agency assets, or ٚ‫ٚعّؼظٙخ) أٚ أفٌٛٙخ أ‬ individuals, based on the ٍٝ‫ِٕغٛر١ٙخ رٕخءحً ػ‬ implementation of an agreed- ِٓ ‫طٕف١ز ِـّٛػش‬ upon set of security controls. ِٟٕ٤‫ػٕخفش حٌظلىُ ح‬ .‫حٌّظفك ػٍ١ٙخ‬ Official with the authority to )ْ‫حٌّٛظف (حٌى١خ‬ formally assume responsibility ٓ‫حٌّغجٛي سعّ١خً ػ‬ for operating an information ‫طؾغ١ً ٔظخَ َػٍِٛخص‬ system at an acceptable level ‫ِؼ١ٓ مّٓ كذ ِمزٛي‬ Authorizing ‫ِٛظف افذحس‬ of risk to agency operations ‫ِٓ حٌّخخهشس رؼٍّ١خص‬ Official – ‫حٌظقش٠ق‬ (including mission, functions, ًّ‫٘١جش ِؼ١ٕش (رّخ ٠ؾ‬ image, or reputation), agency ‫سعخٌظٙخ ٚٚظخثفٙخ‬ assets, or individuals. )‫ِٚقذحل١ظٙخ ٚعّؼظٙخ‬ Synonymous with ٚ‫رخ٦مخفش اٌٝ أفٌٛٙخ أ‬ Accreditation Authority. .‫ِٕغٛر١ٙخ‬ Individual selected by an ‫ؽخـ ٠خظخسٖ ِٛظف‬ authorizing official to act on ًّ‫افذحس حٌظقش٠ق ٌٍؼ‬ Authorizing their behalf in coordinating ‫ٔ١خرش ػٕٗ فٟ طٕغ١ك‬ Official – ‫ِٕذٚد افذحس‬ and carrying out the ‫ٚطٕف١ز ح٤ٔؾطش‬ Designated ‫حٌظقش٠ق‬ necessary activities required ‫حٌنشٚس٠ش حٌّطٍٛرش أػٕخء‬Representative during the security ‫حٌظٛػ١ك ٚ ح٨ػظّخد‬ – certification and accreditation ‫ح٤ِٕٟ ٤كذ أٔظّش‬ of an information system. .‫حٌّؼٍِٛخص‬
  11. 11. The transport of ‫ٔمً ِفخط١ق حٌظؾف١ش‬ cryptographic keys, usually in )‫(ػخدس رطش٠مش ِؾفشس‬ encrypted form, using ً‫رخعظخذحَ ٚعخث‬Automated Key ٌٟ٢‫حٌٕمً ح‬ electronic means such as a ‫حٌىظشٚٔ١ش ِؼً ؽزىخص‬ Transport – ‫ٌٍّفظخف‬ computer network (e.g., key ‫حٌلخعٛد وّخ ٘ٛ حٌلخي‬ transport/agreement ً‫فٟ رشٚطٛوٛ٨ص ٔم‬ protocols). .ٌٗٛ‫ِفظخف حٌظؾف١ش ٚلز‬ An algorithm which creates ‫خٛحسصِ١ش طمَٛ ربٔؾخء‬ Automated ‫ ٌِٛذ وٍّش حٌّشٚس‬random passwords that have ‫وٍّخص ِشٚس حٌؼؾٛحث١ش‬ Password ٌٟ٢‫ح‬ no association with a َ‫غ١ش ِشطزطش رّغظخذ‬ Generator – particular user. .ٓ١‫ِؼ‬ ‫حٌظؤوذ ِٓ اِىخٔ١ش‬ Ensuring timely and reliable ‫حٌٛفٛي اٌٝ حٌّؼٍِٛخص‬ ‫حعظّشحس٠ش طٛفش‬ Availability – access to and use of ‫ٚحعظخذحِٙخ فٟ حٌٛلض‬ ‫حٌخذِش‬ information. ‫حٌّٕخعذ ٚرؾىً ٠ُؼظَّذ‬ .ٗ١ٍ‫ػ‬ ٝ‫ح٤ٔؾطش حٌظٟ طغؼ‬ Activities which seek to focus Information ٌٝ‫ٌـزد حٔظزخٖ ح٤فشحد ا‬ ِٓ‫حٌٛػٟ رؤ‬ an individual‘s attention on an Security ِٓ ‫ِٛمٛع أٚ ِـّٛػش‬ ‫حٌّؼٍِٛخص‬ (information security) issue or Awareness – ِٓ‫حٌّٛمٛػخص فٟ أ‬ set of issues. .‫حٌّؼٍِٛخص‬ ‫ٔغخش ِٓ حٌٍّفخص‬ A copy of files and programs ‫ٚحٌزشحِؾ ٌظغٙ١ً ػٍّ١ش‬ Backup – ‫ٔغخش حكظ١خه١ش‬ made to facilitate recovery if ‫ح٨عظشؿخع فٟ كخٌش‬ necessary. .‫حٌنشٚسس‬ ‫حٌلذ ح٤دٔٝ ِٓ ػٕخفش‬ The minimum security ‫حٌظلىُ ح٤ِٕ١ش حٌّطٍٛرش‬ controls required for ‫ٌلّخ٠ش ٔظخَ ِؼٍِٛخص‬ Baseline ِٓ ٝٔ‫حٌلذ ح٤د‬ safeguarding an IT system ٍٝ‫ِؼ١ٓ رٕخءحً ػ‬ Security – ِٓ٤‫ح‬ based on its identified needs ‫ح٨كظ١خؿخص حٌّلذدس‬ for confidentiality, integrity ًِ‫ٌلّخ٠ش عش٠ش ٚطىخ‬ and/or availability protection. ‫ٚ/أٚ حعظّشحس٠ش طٛفش‬ .َ‫خذِش ٘زح حٌٕظخ‬ Monitoring resources to ‫ِشحلزش حٌّٛحسد ٌظلذ٠ذ‬ ‫حٌشلخرش ٚحٌّظخرؼش‬ determine typical utilization ً‫ّٔخرؽ ح٨عظخذحَ ح٤ِؼ‬ Baselining – ‫ٚحٌنزو‬ patterns so that significant ‫رٙذف وؾف ح٨ٔلشحفخص‬ deviations can be detected. .‫حٌخط١شس‬ A bastion host is typically a ‫٘ٛ ؿذحس كّخ٠ش‬ firewall implemented on top ٗ‫ّٔٛرؿٟ ٠ـشٜ طٕق١ز‬ ‫ؿٙخص حٌّن١ف‬ of an operating system thatBastion Host – ٜ‫ػٍٝ ٔظخَ طؾغ١ً ؿش‬ ٓ‫حٌّلق‬ has been specially configured ً‫اػذحدٖ ٚطمٛ٠ظٗ خق١قخ‬ and hardened to be resistant .‫ٌ١ىْٛ ِمخَٚ ٌٍٙـّخص‬ to attack.
  12. 12. What an individual who has ‫ِخ ٠ظٛلغ ِٓ ؽخـ‬ completed the specific ٕٗ‫طٍمٝ طذس٠زخً خخفخً ٠ِّّى‬ Behavioral ‫حٌّلقٍش‬ training module is expected ‫ِٓ اظٙخس ِشدٚد ِخ‬ Outcome – ‫حٌغٍٛو١ش‬ to be able to accomplish in ِٓ‫طؼٍّٗ ػٓ أ‬ terms of IT security-related ‫حٌّؼٍِٛخص ِٓ خ٩ي‬ job performance. .ٟ‫أدحءٖ حٌٛظ١ف‬ ٓ٠‫ػٍّ١ش مُ ػٕقش‬ ‫ِشطزط١ٓ ِٓ ػٕخفش‬ Process of associating two ِٓ ‫حٌّؼٍِٛخص. حػظشحف‬ related elements of َٛ‫هشف ػخٌغ ِٛػٛق ٠م‬ information. An ‫رشرو ٘ٛ٠ش ؿٙش ِؼ١ٕش‬ acknowledgement by a َ‫رّفظخف حٌظؾف١ش حٌؼخ‬ trusted third party that ْ‫ٌظٍه حٌـٙش. ٠ّىٓ أ‬ associates an entity‘s identity ِٓ ‫٠ظُ ططز١ك رٌه‬ with its public key. This may ‫خ٩ي‬ take place through ‫1) ل١خَ ٘١جش طٛػ١ك‬ (1) a certification authority‘s Binding – ‫حٌشرو‬ ‫ربفذحس ؽٙخدس ِفظخف‬ generation of a public key َ‫حٌظؾف١ش حٌؼخ‬ certificate, ِٓ‫2) ل١خَ ِٛظف أ‬ (2) a security officer‘s ‫رخٌظلمك ِٓ ر١خٔخص‬ verification of an entity‘s ‫دخٛي طٍه حٌـٙش ٚٚمغ‬ credentials and placement of َ‫ِفظخف حٌظؾف١ش حٌؼخ‬ the entity‘s public key and ُ‫ٌظٍه حٌـٙش ِغ سل‬ identifier in a secure ‫ِّ١ض فٟ لخػذس ر١خٔخص‬ database, or ٚ‫إِٓش أ‬ (3) an analogous method. ‫3) اطزخع ح٤عٍٛد‬ .ٞ‫حٌظٕخظش‬ A physical or behavioral ٚ‫ِ١ضس ؿغذ٠ش أ‬ characteristic of a human ‫عٍٛو١ش ِٓ ِّ١ضحص‬ being. A measurable, physical ‫ح٦ٔغخْ. ِ١ضس ؿغذ٠ش‬ characteristic or personal ‫أٚ ففش عٍٛن‬ behavioral trait used to ‫حٌؾخقٟ لخرٍش ٌٍم١خط‬ Biometric – ٞٛ١‫ل١خط ك‬ recognize the identity, or ‫طُغظخذََ فٟ طؼش٠ف‬ verify the claimed identity, of ٚ‫ؽخق١ش ِمذَ حٌطٍذ أ‬ an applicant. Facial images, ‫حٌظلمك ِٕٙخ. طؼذ فٛس‬ fingerprints, and handwriting ‫حٌٛؿٗ ٚرقّخص ح٤فخرغ‬ samples are all examples of ‫ّٚٔخرؽ حٌىظخرش ِٓ أِؼٍش‬ biometrics. .‫حٌم١خعخص حٌل١ٛ٠ش‬ The stored electronic ‫ٟ٘ طٍه حٌّؼٍِٛخص‬ information pertaining to a ‫ح٨ٌىظشٚٔ١ش حٌّخضٔش‬ biometric. This information ٞٛ١‫رخقٛؿ ِم١خط ك‬ Biometric ‫ِؼٍِٛخص حٌم١خط‬ can be in terms of raw or ً‫ِؼ١ٓ ٚ طىْٛ فٟ ؽى‬Information – ٞٛ١‫حٌل‬ compressed pixels or in terms ٚ‫ٔمخه خخَ أٚ ِنغٛهش أ‬ of some characteristic (e.g. ‫فٟ ؽىً ٌٗ رؼل‬ patterns.) .‫حٌخقخثـ ِؼً حٌّٕخرؽ‬
  13. 13. An automated system :ٍٝ‫ٔظخَ آٌٟ لخدس ػ‬ capable of: ‫1) حٌلقٛي ػٍٝ ػ١ٕش‬ 1) capturing a biometric ِٓ ‫ل١خط ك١ٛ٠ش‬ sample from an end user; ٟ‫حٌّغظخذَ حٌٕٙخث‬ 2) extracting biometric data ‫2) حعظخ٩ؿ ر١خٔخص‬ from that sample; ‫حٌم١خط حٌل١ٛٞ ِٓ طٍه‬ 3) comparing the biometric ‫حٌؼ١ٕش‬ Biometric ‫ٔظخَ ل١خط‬ data with that contained in ‫3) ِمخسٔش ر١خٔخص حٌم١خط‬ System – ٞٛ١‫ك‬ one or more reference ‫حٌل١ٛٞ رظٍه حٌّٛؿٛدس‬ templates; ‫فٟ ّٔٛرؽ أٚ أوؼش‬ 4) deciding how well they ً‫4) طمذ٠ش ِذٜ حٌظّخػ‬ match; and ٚ ‫ر١ّٕٙخ‬ 5) indicating whether or not ‫5) ح٦ؽخسس اٌٝ ِخ ارح‬ an identification or ‫وخْ حٌظؼشف أٚ حٌظلمك‬ verification of identity has ‫ِٓ فلش حٌؾخق١ش لذ‬ been achieved. .٨ َ‫طُ أـخصٖ أ‬ A characteristic of biometric ‫أكذ خٛحؿ ِؼٍِٛخص‬ Biometric ‫ّٔٛرؽ ل١خط‬ information (e.g. minutiae or ( ٞٛ١‫حٌم١خط حٌل‬ Template – ٞٛ١‫ك‬ patterns.) .)ً ٩‫طفخف١ً أٚ ؽىً ِؼ‬ ‫ؽفشس رشِـ١ش خز١ؼش‬Blended Attack Malicious code that uses ‫حٌٙـَٛ حٌّخظٍََو‬ ‫طغظخذَ ػذس أعخٌ١ذ‬ – multiple methods to spread. .ٖ‫وٟ طذػُ حٔظؾخس‬ ‫طغٍغً ِٓ ٚكذحص‬ ً‫حٌزض حٌؼٕخث١ش ٠ؾى‬ Sequence of binary bits that ‫حٌّذخ٩ص ٚحٌّخشؿخص‬ comprise the input, output, ‫ٚحٌلخٌش ٚحٌّفخط١ق‬ State, and Round Key. The ‫حٌّظؼخلزش. هٛي رٌه‬ Block – ‫لخٌذ‬ length of a sequence is the ‫حٌظغٍغً ٘ٛ ػذد‬ number of bits it contains. ٟ‫ٚكذحص حٌزض حٌظ‬ Blocks are also interpreted as ‫٠ظنّٕٙخ. طُفغش حٌمٛحٌذ‬ arrays of bytes. ‫أ٠نخً ٜ أٔٙخ ِقفٛفش‬ ً‫ػ‬ .‫ِٓ ٚكذحص حٌزخ٠ض‬ A symmetric key ‫خٛحسصِ١ش طؾف١ش‬ cryptographic algorithm that ِٓ ‫ِظٕخظشس طُلِّٛي لخٌذ‬ transforms a block of ‫حٌّؼٍِٛخص فٟ ٚلض‬ information at a time using a ‫ٚحكذ ِغظخذِش ِفظخف‬Block Cipher – ‫طؾف١ش حٌمخٌذ‬ cryptographic key. For a ‫طؾف١ش. ِٓ ففخص طٍه‬ block cipher algorithm, the ‫حٌخٛحسصِ١ش أْ هٛي لخٌذ‬ length of the input block is ‫حٌّذخ٩ص ٘ٛ ٔفظ‬ the same as the length of the .‫هٛي لخٌذ حٌّخشؿخص‬ output block. A family of functions and ‫ِـّٛػش ِٓ حٌذٚحي‬ Block Cipher ‫خٛحسصِ١ش طؾف١ش‬ their inverses that is ‫حٌلغخر١ش ِٚؼىٛعخطٙخ‬ Algorithm – ‫حٌمخٌذ‬ parameterized by a ً‫٠ـشٞ طٛك١ذ٘خ ِؼ١خس٠خ‬ cryptographic key; the ‫رخعظخذحَ ِفظخف‬
  14. 14. function maps bit strings of a ‫طؾف١ش ك١غ طمَٛ حٌذحٌش‬ fixed length to bit strings of ‫رظلٛ٠ً عٍغٍش رحص‬ the same length. ‫هٛي ِلذد ِٓ ٚكذحص‬ ِٓ ‫حٌزض اٌٝ عٍغٍش‬ ‫ٚكذحص حٌزض ٌٙخ ٔفظ‬ .‫حٌطٛي‬ ‫ف١شٚط ٠مَٛ رضسحػش‬ A virus that plants itself in a ‫ٔفغٗ دحخً لطخع‬ Boot Sector ‫ف١شٚط لطخع‬ system‘s boot sector and ُ‫طؾغ١ً ٔظخَ ِؼ١ٓ ػ‬ Virus – ً١‫حٌظؾغ‬ infects the master boot ً١‫٠ق١ذ عـً حٌظؾغ‬ record. .ٟ‫حٌشث١غ‬ ُ‫فشك حٌشلخرش ٚحٌظلى‬ Monitoring and control of ٍٝ‫فٟ ح٨طقخ٨ص ػ‬ communications at the ٓ١‫حٌلذٚد حٌخخسؿ١ش ر‬ external boundary between ‫أٔظّش حٌّؼٍِٛخص‬ information systems ‫حٌخخمؼش رخٌىخًِ ٦دحسس‬ completely under the ‫ٚسلخرش ِٕظّش ِؼ١ٕش‬ management and control of ٨ ٟ‫ٚطٍه ح٤ٔظّش حٌظ‬ the organization and ‫طخنغ ٦دحسطٙخ ٚسلخرظٙخ‬ information systems not ‫رؾىً وخًِ، رخ٦مخفش‬ completely under the ٍٝ‫اٌٝ فشمّٙخ ػ‬ management and control of ‫حٌلذٚد حٌذحخٍ١ش‬ Boundary ‫كّخ٠ش كذٚد‬ the organization, and at key ُ‫حٌشث١غ١ش ر١ٓ ٔظ‬ Protection – َ‫حٌٕظخ‬ internal boundaries between ‫حٌّؼٍِٛخص حٌظٟ طخنغ‬ information systems ‫رؤوٍّٙخ ٦دحسس ٚسلخرش‬ completely under the ‫طٍه حٌّٕظّش رغشك ِٕغ‬ management and control of ‫ٚحوظؾخف ِلخٚ٨ص‬ the organization, to prevent ‫ح٨طقخي حٌخز١ؼش ٚغ١ش‬ and detect malicious and ‫حٌّقشف رٙخ ٚوزٌه‬ other unauthorized ‫حعظؼّخي ٚعخثً حطقخي‬ communication, employing ً‫٠ّىٓ حٌظلىُ رٙخ ِؼ‬ controlled interfaces (e.g., ‫حٌٛو١ً ٚرٛحرخص حٌٛفٛي‬ proxies, gateways, routers, ْ‫ٚحٌّٛؿٙخص ٚؿذسح‬ firewalls, encrypted tunnels). ‫حٌلّخ٠ش ٚحٌمٕٛحص‬ .‫حٌّؾفشس‬ ‫ِٛؿٗ خخسؿٟ ٠ٛمغ‬ A boundary router is located Boundary ‫ِٛؿٗ حطقخي‬ ‫ػٍٝ ٔمخه حطقخي‬ at the organizations boundary Router – ٟ‫خخسؿ‬ ‫حٌّٕظّخص ِغ ؽزىش‬ to an external network. .‫خخسؿ١ش‬ A method of accessing an ‫أعٍٛد ٌّلخٌٚش حٌذخٛي‬ ‫هش٠مش‬ obstructed device through ٟ‫ػٍٝ أكذ ح٤ؿٙضس حٌظ‬ Brute Force ٟ‫ح٨عظمقخء ف‬ attempting multiple ‫طّؼً ػخثمخً ِٓ خ٩ي‬Password Attack ٍٝ‫حٌٙـَٛ ػ‬ combinations of numeric ‫اؿشحء حٌّلخٚ٨ص‬ – ‫وٍّش حٌّشٚس‬ and/or alphanumeric ‫رخعظخذحَ وٍّخص َسٚس‬ passwords. ِٓ ‫ِظٕٛػش طـّغ ػذد‬
  15. 15. .َ‫حٌلشٚف ٚ/أٚ ح٤سلخ‬ ‫ؽشه فٟ لٕخس ح٨طقخي‬ ‫٠ّىٓ ِٓ خ٩ٌٗ ٚمغ‬ ‫ػذد حوزش ِٓ حٌّذخ٩ص‬ A condition at an interface ‫فٟ ِٕطمش ِخققش‬ under which more input can ‫٨كظـخص حٌز١خٔخص رّخ‬ be placed into a buffer or ‫٠فٛق لذسطٙخ‬ data holding area than the ِٓ ‫ح٨عظ١ؼخر١ش ٌزٌه‬ capacity allocated, ‫خ٩ي حعظزذحي‬Buffer Overflow ‫اغشحق رحوشس‬ overwriting other information. ‫حٌّؼٍِٛخص حٌّٛؿٛدس‬ – ‫حٌظخض٠ٓ حٌّئلض‬ Attackers exploit such a َ‫رخٌىظخرش ػٍ١ٙخ. ٠غظخذ‬ condition to crash a system ‫حٌّٙخؿّْٛ رٌه حٌؾشه‬ or to insert specially crafted ‫٦عمخه حٌٕظخَ أٚ ادخخي‬ code that allows them to gain ُ‫ؽفشحص خخفش ط‬ control of the system. ‫اػذحد٘خ رّٙخسس ػخٌ١ش‬ ‫طغّق ٌُٙ رخٌغ١طشس‬ ُ‫ػٍٝ حٌٕظخَ ٚحٌظلى‬ .ٗ١‫ف‬ ‫أعٍٛد حٌظلّ١ً حٌضحثذ‬ ‫ٌٍز١خٔخص دحخً ِغخكش‬ A method of overloading a ٟ‫ِلذدس عٍفخً ف‬ ‫حٌٙـَٛ ربغشحق‬ predefined amount of spaceBuffer Overflow ‫ِٕطمش كفع حٌز١خٔخص‬ ٓ٠‫رحوشس حٌظخض‬ in a buffer, which can Attack – ‫ِّخ ٠ئدٜ اٌٝ حكظّخٌ١ش‬ ‫حٌّئلض‬ potentially overwrite and ‫حٌىظخرش ػٍٝ حٌىظخرش‬ corrupt data in memory. ٚ‫حٌّٛؿٛدس فٟ حٌزحوشس أ‬ .‫طخش٠زٙخ‬ The documentation of a ِٓ ‫طٛػ١ك ِـّٛػش‬ predetermined set of ‫حٌظؼٍ١ّخص ٚح٦ؿشحءحص‬ instructions or procedures Business ‫خطش حٌلفخظ‬ ‫حٌُّؼَذِّس عٍفخً ٌٛفف‬ that describe how anContinuity Plan ‫ػٍٝ حعظّشحس٠ش‬ ٍٝ‫و١ف١ش حٌلفخظ ػ‬ organization‘s business (BCP) – ًّ‫حٌؼ‬ ً‫ٚظخثف حٌؼًّ دحخ‬ functions will be sustained ‫ِٕظّش ِؼ١ٕش أػٕخء ٚرؼذ‬ during and after a significant .‫كذٚع خًٍ خط١ش‬ disruption. َ‫طلٍ١ً ٌّخ ٠خـ ٔظخ‬ An analysis of an information ِٓ ‫طمٕ١ش حٌّؼٍِٛخص‬ technology (IT) system‘s ‫ِظطٍزخص ٚػٍّ١خص‬ requirements, processes, and ‫ٚػ٩لخص ِظزخدٌش‬Business Impact ‫طلٍ١ً ِظطٍزخص‬ interdependencies used to ‫طُغظخذََ فٟ طٛف١ف ِخ‬Analysis (BIA) – ‫حٌطٛحسة‬ characterize system ِٓ َ‫٠خـ حٌٕظخ‬ contingency requirements ‫ِظطٍزخص هخسثش ٚأٌٚٛ٠خص‬ and priorities in the event of ًٍ‫فٟ كخٌش كذٚع خ‬ a significant disruption. .‫خط١ش‬ Business ‫خطش حعظؼخدس‬ The documentation of a ِٓ ‫طٛػ١ك ٌّـّٛػش‬ Recovery- ًّ‫كشوش حٌؼ‬ predetermined set of ‫حٌظؼٍ١ّخص ٚح٦ؿشحءحص‬
  16. 16. Resumption instructions or procedures ‫حٌّلذدس عٍفخً طقف‬ Plan – (BRP) that describe how business ‫و١ف١ش حعظؼخدس كشوش‬ processes will be restored ًٍ‫حٌؼًّ رؼذ كذٚع خ‬ after a significant disruption .‫خط١ش‬ has occurred. The method of taking a ٍٝ‫أعٍٛد حٌلقٛي ػ‬ Capture – ‫حٌظمخه‬ biometric sample from an end ِٓ ٞٛ١‫ػ١ٕش ل١خط ك‬ user. .ٟ‫ِغظخذَ ٔٙخث‬ An individual possessing an ‫ؽخـ ِؼ١ٓ ٠ّظٍه‬ Cardholder – ‫كخًِ حٌزطخلش‬ issued Personal Identity ‫رطخلش ؽخق١ش ٌظلذ٠ذ‬ Verification (PIV) card. .‫حٌٙٛ٠ش‬ ‫ؽىً سلّٟ ٌٍز١خٔخص‬ ٍٟ٠ ‫٠ٛفش ػٍٝ ح٤لً ِخ‬ ‫1) طلذ٠ذ ٘١جش حٌظٛػ١ك‬ ‫حٌظٟ أفذسص حٌؾٙخدس‬ A digital representation of ٓ١‫2) أعّخء حٌّؾظشو‬ information which at least ‫ف١ٙخ‬ 1) identifies the certification َ‫3) حٌّفظخف حٌؼخ‬ authority issuing it, ‫ٌٍّؾظشن‬ 2) names or identifies its ٟ‫4) ٠لذد حٌفظشس حٌظ‬ subscriber, ‫طىْٛ خ٩ٌٙخ طٍه‬ 3) contains the subscribers ًّ‫حٌؾٙخدس فخٌلش ٌٍؼ‬ public key, ‫5) ٠لًّ حٌظٛل١غ‬ 4) identifies its operational ‫ح٨ٌىظشٟٚٔ ٌٙ١جش‬ period, and ‫حٌظٛػ١ك حٌظٟ أفذسص‬ 5) is digitally signed by the ِٓ ‫حٌؾٙخدس. ِـّٛػش‬ Certificate – ‫ؽٙخدس سلّ١ش‬ certification authority issuing ‫حٌز١خٔخص حٌظٟ طؾ١ش‬ it. A set of data that uniquely ْ‫رؾىً ِٕفشد اٌٝ و١خ‬ identifies an entity, contains ٍٝ‫ٚحكذ رل١غ طلظٜٛ ػ‬ the entity‘s public key and ‫حٌّفظخف حٌؼخَ ٌزٌه‬ possibly other information, ‫حٌى١خْ ٚأٞ ِؼٍِٛخص‬ and is digitally signed by a ْٛ‫أخشٜ ِّىٕش. طى‬ trusted party, thereby binding ‫حٌشعخٌش ُِقَذق ػٍ١ٙخ‬ the public key to the entity. ‫سلّ١خً ِٓ هشف ػخٌغ‬ Additional information in the ‫ِٛػٛق رٗ ٚػٍ١ٗ ٠ظُ سرو‬ certificate could specify how ‫حٌّفظخف حٌؼخَ رزٌه‬ the key is used and its ‫حٌى١خْ. ٕ٘خن ِؼٍِٛخص‬ cryptoperiod. ‫امخف١ش فٟ حٌؾٙخدس‬ ِٓ ٓ‫حٌشلّ١ش ٠ّى‬ ‫خ٩ٌٙخ طلذ٠ذ و١ف١ش‬ ‫حعظخذحَ حٌّفظخف ِٚذس‬ .ٖ‫طؾف١ش‬ A Certificate Policy is a ِٓ ‫ؽىً خخؿ‬Certificate Policy ‫ع١خعش‬ specialized form of ‫حٌغ١خعخص ح٦دحس٠ش‬ (CP) – ‫حٌؾٙخدس حٌشلّ١ش‬ administrative policy tuned to ‫٠ظٛحءَ ِغ ِؼخِ٩ص‬
  17. 17. electronic transactions ‫اٌىظشٚٔ١ش طُطزك أػٕخء‬ performed during certificate .‫ادحسس حٌؾٙخدس حٌشلّ١ش‬ management. A Certificate ‫طؼخٌؾ ع١خعش حٌؾٙخدس‬ Policy addresses all aspects ٝ‫حٌشلّ١ش وً حٌٕٛحك‬ associated with the ‫حٌّشطزطش رخفذحس٘خ‬ generation, production, ‫ٚحعظخشحؿٙخ ٚطٛص٠ؼٙخ‬ distribution, accounting, ‫ٚكغخرخطٙخ ٚحعظؼخدطٙخ‬ compromise recovery and ً‫ٚوزٌه ادحسطٙخ. ٚرؾى‬ administration of digital ٓ‫غ١ش ِزخؽش ٠ّى‬ certificates. Indirectly, a ‫ٌغ١خعش حٌؾٙخدس‬ certificate policy can also ٝ‫حٌشلّ١ش أْ طظلىُ ف‬ govern the transactions ‫حٌّؼخِ٩ص حٌُّٕـضس‬ conducted using a ٌٗ ‫رٕظخَ حطقخ٨ص طظٛفش‬ communications system َ‫حٌلّخ٠ش ِٓ خ٩ي ٔظخ‬ protected by a certificate- ٍٝ‫أِٓ ٠ؼظّذ ػ‬ based security system. By ِٓ .‫حٌؾٙخدس حٌشلّ١ش‬ controlling certificate ٟ‫خ٩ي حٌظلىُ ف‬ extensions, such policies and ‫ح٨ِظذحدحص حٌخخفش‬ associated enforcement ‫رخٌؾٙخدحص حٌشلّ١ش‬ technology can support ‫حٌلشؿش ٠ّىٓ ٌظٍه‬ provision of the security ‫حٌغ١خعخص ِٚخ ٠قخكزٙخ‬ services required by ‫ِٓ طمٕ١ش حٌّظخرؼش‬ particular applications. ‫ٚحٌنزو دػُ طذحر١ش‬ ٟ‫حٌخذِخص ح٤ِٕ١ش حٌظ‬ .‫ططٍزٙخ ططز١مخص ِؼ١ٕش‬ Certificate ‫٘١جش ادحسس‬ A Certification Authority (CA) Management ‫٘١جش طٛػ١ك أٚ ٘١جش‬ ‫حٌؾٙخدحص‬ or a Registration AuthorityAuthority (CMA) .ً١‫طغـ‬ ‫حٌشلّ١ش‬ (RA). – ‫ِؼٍِٛخص غ١ش ِنخفش‬ Information, such as a ً‫ٌٍؾٙخدس حٌشلّ١ش ِؼ‬ subscribers postal address, Certificate- ‫ِؼٍِٛخص ِشطزطش‬ ٞ‫حٌؼٕٛحْ حٌزش٠ذ‬ that is not included in a Related ‫رخٌؾٙخدحص‬ ‫ٌٍّؾظشن. سرّخ‬ certificate. May be used by a Information – ‫حٌشلّ١ش‬ ‫طغظخذَ ٘١جش طٛػ١ك‬ Certification Authority (CA) ‫ِؼ١ٓ طٍه حٌز١خٔخص ٦دحسس‬ managing certificates. .‫حٌؾٙخدحص حٌشلّ١ش‬ ‫لخثّش ؽٙخدحص حٌّفظخف‬ A list of revoked public key Certificate ‫حٌؼخَ حٌٍّغ١ش. ٠ظُ افذحس‬ ‫لخثّش حٌؾٙخدحص‬ certificates created andRevocation List ‫طٍه حٌمخثّش ٚحٌظٛل١غ‬ ‫حٌشلّ١ش حٌٍّغخس‬ digitally signed by a (CRL) – ‫ػٍ١ٙخ سلّ١خً رٛحعطش‬ Certification Authority. .‫٘١جش طٛػ١ك‬ A trusted entity that provides ‫و١خْ ِٛػٛق ف١ٗ طٛفش‬ Certificate ‫٘١جش طلذ٠ذ كخٌش‬ on-line verification to a ‫رؾىً ِزخؽش ٌطشف‬Status Authority ‫حٌؾٙخدس حٌشلّ١ش‬ Relying Party of a subject ِٓ ‫طخرغ حِىخٔ١ش حٌظلمك‬ – certificates trustworthiness, ‫ِقذحل١ش ؽٙخدس سلّ١ش‬

×