Me Tarzan, You Jane is my way of reminding everyone that we can't get far without some common language. This month, GDPR and NIST 171 are top of mind around our office. Here's what we found helpful.
In order to map concerns related to General Data Protection Regulation and NIST SP 800-171 guidance for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, I frequently need to remind myself of the exact meaning of words from both documents. Here's some information to help the entire community out.
First, let's review the meaning of words in the GDPR (the "Regulation"):
- 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
- 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- 'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- 'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- 'data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- 'main establishment' means:
  - as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
  - as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
- 'representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
- 'enterprise' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- 'group of undertakings' means a controlling undertaking and its controlled undertakings;
- 'binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
- 'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51;
- 'supervisory authority concerned' means a supervisory authority which is concerned by the processing of personal data because:
  - the controller or processor is established on the territory of the Member State of that supervisory authority;
  - data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  - a complaint has been lodged with that supervisory authority;
- 'cross-border processing' means either:
  - processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  - processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
- 'relevant and reasoned objection' means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
- 'information society service' means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);
- 'international organisation' means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
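The 'pseudonymisation' definition above has two halves that are easy to lose in the legal wording: the stored data must not be attributable to a person on its own, and the "additional information" that would make attribution possible must be held separately under its own controls. The following is an added example (my own illustration, not code from the original post, the GDPR, or NIST) of one common way to meet that definition: a keyed, deterministic pseudonym (HMAC-SHA256) where the key is the separately held information. The record layout, the key-handling comments, and the sample HR rows are constructed for the illustration. It also includes the check a data protection officer would want: a plain unkeyed hash of an e-mail address is not pseudonymisation in this sense, because anyone with a list of known addresses can attribute it without any secret.

```python
"""Pseudonymisation with a separately held key (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample: a controller's HR export keyed on e-mail address.
# The third row is the same person as the first, with different letter case.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "department": "finance", "salary_band": 3},
    {"email": "bob@example.com", "department": "engineering", "salary_band": 4},
    {"email": "Alice@Example.com", "department": "finance", "salary_band": 3},
]


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of the definition: generated once and stored
    apart from the pseudonymised data (for example in a KMS or HSM) under its
    own access controls. Assumed key handling; a real deployment would not keep
    it in the same process as the analytics copy."""
    return secrets.token_bytes(32)


def _normalise(identifier: str) -> str:
    # Case and whitespace normalisation so one person maps to one token.
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym. Determinism keeps joins and counts
    possible across datasets; the secret key is what makes attribution
    impossible for anyone who holds only the dataset."""
    return hmac.new(key, _normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a pseudonym; other fields are kept."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = pseudonymise(copy.pop("email"), key)
        out.append(copy)
    return out


def build_reidentification_table(records: List[dict], key: bytes) -> Dict[str, str]:
    """Pseudonym -> identifier lookup. This table is part of the separately held
    additional information and must never travel with the analytics copy."""
    return {pseudonymise(r["email"], key): _normalise(r["email"]) for r in records}


def unkeyed_hash(identifier: str) -> str:
    """A plain hash of the identifier: widely used, but NOT pseudonymisation in
    the GDPR sense, because no separately held information is needed to reverse it."""
    return hashlib.sha256(_normalise(identifier).encode("utf-8")).hexdigest()


def attributable_without_key(token: str, known_identifiers: List[str]) -> Optional[str]:
    """Compliance self-check: can a stored token be tied back to a person using
    only a list of known identifiers and no secret? Returns the identifier if so,
    None if the token cannot be attributed this way."""
    for ident in known_identifiers:
        if hmac.compare_digest(unkeyed_hash(ident), token):
            return ident
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data = pseudonymise_records(SAMPLE_RECORDS, key)
    table = build_reidentification_table(SAMPLE_RECORDS, key)
    print("pseudonymised rows:", data)
    print("row 0 re-identified via separately held table:", table[data[0]["subject_id"]])
    print("unkeyed hash attributable:",
          attributable_without_key(unkeyed_hash("bob@example.com"), ["bob@example.com"]))
    print("keyed pseudonym attributable:",
          attributable_without_key(data[1]["subject_id"], ["bob@example.com"]))
```

The design choice worth noting is the split: the analytics copy carries only `subject_id`, while the key and the re-identification table sit together on the controller's side. Rotating the key produces a fresh set of pseudonyms, which is the usual way to limit how long any one pseudonym can be linked across datasets.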
Now, let's refresh on the language used within NIST 171.
Appendix B provides definitions for security terminology used within Special Publication 800-171. Unless specifically defined in this glossary, all terms used in this publication are consistent with the definitions contained in
GLOSSARY - COMMON TERMS AND DEFINITIONS
| Term | Source | Definition |
| --- | --- | --- |
| agency | | See executive agency. |
| assessment | | See Security Control Assessment. |
| assessor | | See Security Control Assessor. |
| audit log | | A chronological record of information system activities, including records of system accesses and operations performed in a given period. |
| audit record | | An individual entry in an audit log related to an audited event. |
| authentication | | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. |
| availability | 44 U.S.C., Sec. 3542 | Ensuring timely and reliable access to and use of information. |
| baseline configuration | | A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. |
| blacklisting | | The process used to identify: (i) software programs that are not authorized to execute on an information system; or (ii) prohibited Universal Resource Locators (URL)/websites. |
| confidentiality | 44 U.S.C., Sec. 3542 | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| configuration management | | A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle. |
| configuration settings | | The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the information system. |
| controlled area | | Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. |
| controlled unclassified information | | Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. |
| CUI categories or subcategories | | Those types of information for which law, regulation, or governmentwide policy requires safeguarding or disseminating controls, and which the CUI Executive Agent has approved and listed in the CUI Registry. |
| CUI Executive Agent | | The National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO). |
| CUI program | | The executive branch-wide program to standardize CUI handling by federal agencies. The program includes the rules, organization, and procedures for CUI, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry. |
| CUI registry | | The online repository for all information, guidance, policy, and requirements on handling CUI, including all issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information. |
| environment of operation | NIST SP 800-37 | The physical surroundings in which an information system processes, stores, and transmits information. |
| executive agency | 41 U.S.C., Sec. 403 | An executive department specified in 5 U.S.C., Sec. 105; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. |
| external information system (or component) | | An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
| external information system service | | An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
| external information system service provider | | A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. |
| external network | | A network not controlled by the organization. |
| federal agency | | See executive agency. |
| federal information system | 40 U.S.C., Sec. 11331 | An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. |
| FIPS-validated cryptography | | A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography. |
| firmware | | Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs. |
| hardware | | The physical components of an information system. See Software. |
| impact | | The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or an information system. |
| impact value | | The assessed potential impact resulting from a compromise of the confidentiality of information (e.g., CUI) expressed as a value of low, moderate, or high. |
| incident | | An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. |
| information | | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. |
| information resources | 44 U.S.C., Sec. 3502 | Information and related resources, such as personnel, equipment, funds, and information technology. |
| information security | 44 U.S.C., Sec. 3542 | The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. |
| information system | 44 U.S.C., Sec. 3502 | A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. |
| information system component | NIST SP 800-128, Adapted | A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products. |
| information system service | | A capability provided by an information system that facilitates information processing, storage, or transmission. |
| information technology | 40 U.S.C., Sec. 1401 | Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources. |
| integrity | 44 U.S.C., Sec. 3542 | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. |
| internal network | | A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints, provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned. |
| local access | | Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. |
| malicious code | | Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. |
| media | | Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored or printed within an information system. |
| mobile code | | Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. |
| mobile device | | A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, nonremovable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smartphones, tablets, and E-readers. |
| multifactor authentication | | Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., a cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator. |
| nonfederal information system | | An information system that does not meet the criteria for a federal information system. |
| nonfederal organization | | An entity that owns, operates, or maintains a nonfederal information system. |
| network | | Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. |
| network access | | Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, the Internet). |
| nonlocal maintenance | | Maintenance activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. |
| organization | FIPS 200, Adapted | An entity of any size, complexity, or positioning within an organizational structure. |
| portable storage device | | An information system component that can be inserted into and removed from an information system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). |
| potential impact | | The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals. |
| privileged account | | An information system account with authorizations of a privileged user. |
| privileged user | | A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. |
| records | | The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). |
| remote access | | Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet). |
| remote maintenance | | Maintenance activities conducted by individuals communicating through an external network (e.g., the Internet). |
| risk | FIPS 200, Adapted | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. |
| risk assessment | | The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. |
| sanitization | | Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. The process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs. |
| security | | A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach. |
| security assessment | | See Security Control Assessment. |
| security control | FIPS 199, Adapted | A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. |
| security control assessment | CNSSI 4009, Adapted | The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. |
| security functionality | | The security-related features, functions, mechanisms, services, procedures, and architectures implemented within organizational information systems or the environments in which those systems operate. |
| security functions | | The hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. |
| supplemental guidance | | Statements used to provide additional explanatory information for security controls or security control enhancements. |
| system | | See Information System. |
| threat | CNSSI 4009, Adapted | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. |
| user | CNSSI 4009, Adapted | Individual, or (system) process acting on behalf of an individual, authorized to access an information system. |
| whitelisting | | The process used to identify: (i) software programs that are authorized to execute on an information system; or (ii) authorized Universal Resource Locators (URL)/websites. |