Protection from unauthorized access to information. Terms and definitions. Guidance document.
This guidance document establishes terms and definitions of concepts in the field of protection of computing equipment and automated systems from unauthorized access to information.
The established terms are mandatory for use in all types of documentation.
One term is established for each concept. The use of synonyms for a term is not allowed.
For individual terms, short forms are given (in brackets), which may be used in cases that exclude the possibility of their different interpretation.
For reference, foreign equivalents of Russian terms in English are provided, as well as alphabetical indexes of terms in Russian and English.
1. TERMS AND DEFINITIONS
Term | Definition
1. Access to information | Familiarization with information and its processing, in particular copying, modification or destruction of the information
2. Access control rules | A set of rules governing the access rights of access subjects to access objects
3. Authorized access to information | Access to information that does not violate the access control rules
4. Unauthorized access to information | Access to information that violates the access control rules, using the standard tools provided by the computing equipment or automated system. Note: standard tools are understood to be the set of software, firmware and hardware of the computing equipment or automated system
5. Protection from unauthorized access | Prevention or significant hindrance of unauthorized access
6. Access subject | A person or process whose actions are regulated by the access control rules
7. Access object | A unit of information resource of an automated system, access to which is regulated by the access control rules
8. Access matrix | A table representing the access control rules
9. Access subject authority level | The aggregate of access rights of an access subject
10. Violator of access control rules | An access subject that exercises unauthorized access to information
11. Model of violator of access control rules | An abstract (formalized or non-formalized) description of the violator of access control rules
12. Complex of protection tools | A set of software and hardware tools created and maintained to protect computing equipment or automated systems from unauthorized access to information
13. Access control system | The set of implemented access control rules in computing equipment or an automated system
14. Access identifier | A unique attribute of an access subject or object
15. Identification | Assigning an identifier to access subjects and objects and (or) comparing a presented identifier with the list of assigned identifiers
16. Password | An access subject identifier that is the secret of that subject
17. Authentication | Checking that the access subject owns the identifier it presents; confirmation of authenticity
18. Trusted computer system (trusted automated system) | Computing equipment (an automated system) in which a complex of protection tools is implemented
19. Unauthorized access protection facility | A software, hardware or software-hardware facility designed to prevent or significantly hinder unauthorized access
20. Protection model | An abstract (formalized or non-formalized) description of a set of software-hardware facilities and (or) organizational measures for protection against unauthorized access
21. Information security | The state of security of information processed by computing equipment or an automated system against internal or external threats
22. Information integrity | The ability of computing equipment or an automated system to ensure the immutability of information in the face of accidental and/or intentional distortion (destruction)
23. Confidential information | Information requiring protection
24. Discretionary access control | Access control between named subjects and named objects. A subject holding a certain access right can delegate that right to any other subject
25. Mandatory access control | Access control of subjects to objects based on the nature of the information contained in the objects, characterized by a sensitivity label, and on the official permission (admission) of subjects to access information of that confidentiality level
26. Multilevel security | Security that provides access control of subjects with different access rights to objects of different confidentiality levels
27. Reference monitor concept | An access control concept that refers to an abstract machine mediating all accesses of subjects to objects
28. Reference monitor (security kernel) | The hardware, software and firmware elements of a complex of protection tools that implement the reference monitor concept
29. Security administrator | The access subject responsible for protecting the automated system from unauthorized access to information
30. Sensitivity label | An element of information that characterizes the confidentiality of the information contained in an object
31. Verification | The process of comparing two levels of specification of computing equipment or automated systems for proper correspondence between them
32. Protection class of computer equipment, automated system | A certain set of requirements for the protection of computing equipment (an automated system) from unauthorized access to information
33. Security criterion of computer equipment | A characteristic of computing equipment that affects security and is described by a specific group of requirements, varying in level and depth depending on the security class of the computing equipment
34. Secret information security system (SISS) | A set of organizational measures and software and hardware (including cryptographic) means that ensure the security of information in automated systems
35. System for protecting information from unauthorized access (SIS NSD) | A set of organizational measures and software and hardware (including cryptographic) means of protection against unauthorized access to information in automated systems
36. Cryptographic information protection facility | A computing tool that performs cryptographic transformation of information to ensure its security
37. Protection certificate | A document certifying that computing equipment or an automated system complies with a set of specific requirements for protection against unauthorized access to information and giving the developer the right to use and (or) distribute it as protected
38. Protection level certification | The process of establishing that computing equipment or an automated system complies with a set of specific protection requirements
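The definitions of access control rules (2), access matrix (8), discretionary (24) and mandatory (25) access control, sensitivity label (30) and the reference monitor concept (27) together describe one mechanism, and the distinction between authorized (3) and unauthorized (4) access follows from it. The Python program below is an added illustration of that mechanism; it is not part of this guidance document. The subject and object names, the sensitivity levels and the sample requests are constructed for the example, and the "no write down" rule applied to write requests follows the Bell-LaPadula convention, which is an assumption of the example rather than something the document states.

```python
from dataclasses import dataclass, field

# Sensitivity labels (term 30), least to most confidential. Constructed for this example.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class ReferenceMonitor:
    """Toy reference monitor (term 27): every access request passes through check()."""
    # Access matrix (term 8): subject -> object -> set of rights.
    # Its contents are the access control rules (term 2).
    matrix: dict = field(default_factory=dict)
    clearance: dict = field(default_factory=dict)   # subject -> admitted confidentiality level
    label: dict = field(default_factory=dict)       # object -> sensitivity label
    violations: list = field(default_factory=list)  # record of unauthorized access attempts

    def add_subject(self, name, clearance):
        self.clearance[name] = clearance
        self.matrix.setdefault(name, {})

    def add_object(self, name, label):
        self.label[name] = label

    def grant(self, subject, obj, right):
        self.matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def discretionary_allows(self, subject, obj, right):
        """Discretionary rule (term 24): the right must appear in the matrix cell."""
        return right in self.matrix.get(subject, {}).get(obj, set())

    def mandatory_allows(self, subject, obj, right):
        """Mandatory rule (term 25): compare the object's label with the subject's admission.
        Reading requires the clearance to dominate the label. For writing this example adds
        the Bell-LaPadula 'no write down' convention (an assumption, not in the document)."""
        s = LEVELS[self.clearance[subject]]
        o = LEVELS[self.label[obj]]
        if right == "read":
            return s >= o
        if right == "write":
            return o >= s
        return s >= o

    def delegate(self, grantor, grantee, obj, right):
        """Term 24: a subject holding a right may pass it to any other subject.
        Delegation is itself mediated, so a subject cannot hand out a right it lacks."""
        if not self.discretionary_allows(grantor, obj, right):
            self.violations.append((grantor, obj, "delegate:" + right))
            return False
        self.grant(grantee, obj, right)
        return True

    def check(self, subject, obj, right):
        """Authorized access (term 3) satisfies both rules; anything else is unauthorized
        (term 4) and the subject is recorded as a violator of the rules (term 10)."""
        ok = (subject in self.clearance and obj in self.label
              and self.discretionary_allows(subject, obj, right)
              and self.mandatory_allows(subject, obj, right))
        if not ok:
            self.violations.append((subject, obj, right))
        return ok


def demo():
    """Constructed scenario; returns the decisions and the violation log for inspection."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", "secret")
    rm.add_subject("bob", "internal")
    rm.add_object("payroll.db", "secret")
    rm.add_object("bulletin.txt", "public")
    rm.grant("alice", "payroll.db", "read")
    rm.grant("alice", "bulletin.txt", "write")
    rm.grant("bob", "bulletin.txt", "read")

    results = {
        # both the discretionary and the mandatory rule are satisfied
        "alice_reads_payroll": rm.check("alice", "payroll.db", "read"),
        # no matrix entry for read: unauthorized although the clearance dominates the label
        "alice_reads_bulletin": rm.check("alice", "bulletin.txt", "read"),
        # alice may delegate a right she holds; bob then still fails the mandatory check
        "alice_delegates_payroll": rm.delegate("alice", "bob", "payroll.db", "read"),
        "bob_reads_payroll": rm.check("bob", "payroll.db", "read"),
        # bob cannot delegate a right he does not hold
        "bob_delegates_write": rm.delegate("bob", "alice", "bulletin.txt", "write"),
        # a secret-cleared subject writing to a public object is blocked by no-write-down
        "alice_writes_bulletin": rm.check("alice", "bulletin.txt", "write"),
    }
    return results, rm.violations


if __name__ == "__main__":
    decisions, log = demo()
    for request, allowed in decisions.items():
        print(request, "->", "authorized" if allowed else "UNAUTHORIZED")
    print("violations recorded:", log)
```

The point the scenario makes is that the two rules are independent: a subject can pass the mandatory check and still be refused for lack of a discretionary right (alice reading the bulletin), and a delegated discretionary right does not override the mandatory rule (bob reading payroll). Every refusal is logged against the subject, which is what makes a violator (term 10) observable to the security administrator (term 29).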
2. ALPHABETICAL INDEX OF TERMS IN RUSSIAN
(The terms are given here in English translation; the order of the Russian alphabet is retained.)
Term | No.
Security administrator | 29
Authentication | 17
Information security | 21
Verification | 31
Discretionary access control | 24
Reference monitor (security kernel) | 28
Access to information | 1
Protection from unauthorized access | 5
Trusted computer system (trusted automated system) | 18
Access identifier | 14
Identification | 15
Protection class of computer equipment, automated system | 32
Complex of protection tools | 12
Confidential information | 23
Reference monitor concept | 27
Mandatory access control | 25
Access matrix | 8
Sensitivity label | 30
Multilevel security | 26
Protection model | 20
Model of violator of access control rules | 11
Violator of access control rules | 10
Unauthorized access to information | 4
Access object | 7
Password | 16
Security criterion of computer equipment | 33
Access control rules | 2
Authorized access to information | 3
Protection certificate | 37
Protection level certification | 38
System for protecting information from unauthorized access | 35
Secret information security system | 34
Access control system | 13
Unauthorized access protection facility | 19
Cryptographic information protection facility | 36
Access subject | 6
Access subject authority level | 9
Information integrity | 22
3. ALPHABETICAL INDEX OF TERMS IN ENGLISH
Term | No.
Access identifier | 14
Access matrix | 8
Access object | 7
Access subject | 6
Access to information | 1
Authorized access to information | 3
Authentication | 17
Cryptographic information protection facility | 36
Discretionary access control | 24
Identification | 15
Information integrity | 22
Information security | 21
Mandatory access control | 25
Multilevel security | 26
Password | 16
Protection certificate | 37
Protection class of computer systems | 32
Protection criterion of computer systems | 33
Protection facility | 19
Protection from unauthorized access | 5
Protection level certification | 38
Protection model | 20
Reference monitor concept | 27
Secret information security system | 34
Security administrator | 29
Security kernel | 28
Security policy | 2
Security policy implementation | 13
Security policy violator | 10
Security policy violator's model | 11
Sensitive information | 23
Sensitivity label | 30
Subject privilege | 9
System of protection from unauthorized access to information | 35
Trusted computing base | 12
Trusted computer system | 18
Unauthorized access to information | 4
Verification | 31