Information Management
Information Security Terms and Definitions
Document owner: Philip Colby
Reviewed by: IM Governance
Approved by: ISSG
Release status: draft
Security classification: Unclassified
This document is uncontrolled when printed.
Document reference: none
Document version: 1.4
Last review date: 20061012
Next review date: 20070901
Change history
Information Security Terms and Definitions Version: 1.4
© 2006 BG Group Page 1 of 6 Date: 20061012
BG Group
Information Management
Purpose
This document provides explanatory definitions of terms used in BG’s information
security documentation.
Scope
The terms and definitions apply to all of BG’s ISO 17799 standards documents.
Audience
This standard applies to all of BG Group and subsidiaries, and to jointly owned
assets where BG is the operator. In non-operated assets it has advisory status.
Terms and Definitions
For the purposes of information security documentation, the following definitions
apply.
Access point (AP): A router that connects wired and wireless networks.
Authentication: Proving the identity of a person when accessing a system. Such
proof is usually based on a combination of something the user knows (a password),
something the user has (a card or key), something the user is (a fingerprint or other
biometric feature), and something the user does (a signature).
Availability: Ensuring that authorised users have access to information and
associated assets when required.
Bluetooth: An open standard for short range wireless communication, developed by
a consortium of mobile communications and computing vendors.
Business Continuity Plan: An effective plan to minimise the impact of any failure of
IT services by providing alternative ways to keep the business operating.
Business Critical System: An application, database or service, including the
software and hardware required to run it, which is essential to the Company’s ability
to perform necessary business functions. Any system whose loss or unavailability
would result in a serious negative impact upon the Company, e.g.
Inability to perform legal or regulatory obligations.
Inability to meet contractual obligations.
Negative impact on health and safety of Company staff or JV staff.
Negative impact on customers, or standards of service.
Negative impact on the Company’s public image.
Significant financial loss.
Challenge-handshake systems: A method of validating a remote user, using a
hardware encryption key. A challenge is issued from the host, and the user responds
with an answer that is generated by the portable key.
Company (with a capital): BG Group and its wholly owned subsidiaries.
Confidentiality: Ensuring that information is accessible only to those authorised to
have access.
Contingency Plan: An effective plan designed to be followed in the event of an
outage to restore service. Contingency plans typically are implemented on the site
where the failure occurs.
Data: All information, in whatever form, including the spoken word where appropriate.
Data Owner: The manager who is ultimately responsible and accountable for a body
of data and its security.
Data Steward: A person nominated by the data owner to take day-to-day
responsibility for the management of the data on behalf of the Company. Data
Stewards, of appropriate seniority, are appointed for all types of data. For some
applications, the data and software will be entirely owned by a single Data Steward,
while for others, responsibility will be partitioned between a number of Data
Stewards. Stewardship is retained for the life of the information unless an agreed
transfer of responsibility takes place.
Denial-of-service attack (DoS): An attack that is designed to cause a system or
service to fail or become unavailable. A distributed denial of service attack (DDoS) is
a variation of this in which a system is rendered unusable by attacking it from many
different computers simultaneously. DoS attacks are sometimes used as a blackmail
threat against companies that do business over the Internet.
Disaster: An unplanned event that causes an organisation to be unable to perform
its critical business functions for a specified period of time.
Disaster Recovery Plan: An effective plan designed to be followed in the event of a
disaster, with a view to minimising loss and restoring critical business functions.
Disaster Recovery plans typically involve employing alternative facilities on a remote
site.
Encryption: A security technique used to protect data from unauthorised inspection or
alteration through use of a mathematical algorithm to transform the data into a form
that is indecipherable without the use of one or more keys.
Enforced path: The configuration of network facilities to control the route that
information may take, making it possible to prevent users from roaming the network.
Firewall: A combination of software and hardware that sits as a barrier between two
networks, either internal or external. Typically a firewall reduces the risk of
unauthorised network access and the use of unauthorised facilities such as file
transfer.
Hardware: Physical equipment.
In-Country Support Personnel (ICSP): A person appointed to provide local support.
Such a person may also be responsible for providing local security advice,
co-ordinating submission of access requests and undertaking decentralised security
administration tasks.
Information security: The preservation of confidentiality, possession, integrity,
authenticity, availability and utility of information.
Integrity: Safeguarding the accuracy and completeness of information and
processing methods.
Intrusion Detection System (IDS): A system designed to try to identify attempts to
penetrate a network.
Lightweight Extensible Authentication Protocol (LEAP): A Cisco protocol
designed to improve the security of wireless communications.
Malware: Malicious software. Includes viruses, trojans, worms and spyware.
Mobile code: Software that installs and executes automatically on a computer, with
little or no user interaction. Common examples of mobile code are ActiveX controls,
Java applets, and scripts.
Modem: A device that allows a computer to communicate over an analogue
telephone line. For the purposes of this document, modem also includes an ISDN
Terminal Adapter.
Network Analysers: Hardware and software that allows the user to examine any or
all data on a part of the network.
Network Infrastructure: The hardware and software (telephone lines, microwave
links, switches, routers, etc.) that make up a computer network.
Network Management Systems: Software (and/or hardware) that allows network
administrators to monitor and control computer networks.
Network monitoring tools: Software or hardware used to diagnose problems,
configure networks, or monitor performance of computer networks.
Network protocols: The communication rules and methods used by different
hardware or software vendors.
Network spoofing: A system masquerading as a different system, usually in order to
obtain information or perform tasks that it would not otherwise have permission to do.
Non-repudiability: The property of an action by which satisfactory proof exists that
the action occurred and that the party or parties to the action are genuine. By
extension, a system or service can be said to be non-repudiable if it is capable of
processing non-repudiable actions and providing the appropriate proof.
Outage: A disruption to the operation of a service, but falling short of the criteria for a
disaster.
Packet sniffing: The activity of eavesdropping on network traffic in order to obtain
sensitive data, or passwords, etc.
Packet replay: Recording and retransmission of message packets in a network.
Packet replay is a security threat, because it could be used to replay authentication
messages or other sensitive transactions.
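The following is an added example, not part of the BG Group document, illustrating the two entries above on challenge-handshake systems and packet replay together: a host issues a fresh random challenge, the user's portable key answers with a keyed hash over it, and the host accepts each challenge exactly once, so a recorded (challenge, response) pair that is retransmitted later is rejected. The shared secret, the class names and the HMAC-SHA256 construction are assumptions for illustration, not a description of any particular product.

```python
# Added example (not from the original document): a minimal challenge-handshake
# exchange with replay rejection. Constructed demo values throughout.
import hashlib
import hmac
import secrets

# Constructed sample secret shared between the host and the portable key (hypothetical).
SHARED_SECRET = b"constructed-demo-secret"


class Token:
    """The user's portable key: answers a challenge with HMAC-SHA256 over it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Host:
    """Issues random challenges and validates each one at most once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()  # challenges issued, not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh, unpredictable per attempt
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge that was never issued, or was already consumed, is a replay
        # or a forgery: reject without computing anything.
        if challenge not in self._outstanding:
            return False
        # Consume the challenge before checking, so a wrong answer cannot be
        # retried against the same challenge either.
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_exchange() -> tuple[bool, bool, bool]:
    """Return (genuine_ok, replay_ok, wrong_key_ok) for three scenarios."""
    host = Host(SHARED_SECRET)
    token = Token(SHARED_SECRET)

    # 1. Genuine user: fresh challenge, correct key.
    challenge = host.issue_challenge()
    response = token.respond(challenge)
    genuine_ok = host.verify(challenge, response)

    # 2. Packet replay: the same recorded pair retransmitted later.
    replay_ok = host.verify(challenge, response)

    # 3. Wrong key: a token holding a different secret answers a fresh challenge.
    challenge2 = host.issue_challenge()
    wrong_key_ok = host.verify(challenge2, Token(b"some-other-secret").respond(challenge2))

    return genuine_ok, replay_ok, wrong_key_ok


if __name__ == "__main__":
    print(run_exchange())  # expected: (True, False, False)
```

The replay defence rests on two choices: the challenge is random and never reused, and the host forgets it the moment it is answered, so a captured response is worthless after the first use. Consuming the challenge before the comparison also denies an attacker repeated guesses against one challenge.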
Packet modification: Intercepting and modifying network traffic in transit.
Password: A unique character string associated with a userid that validates that the
user is the owner of the userid.
Password cracking: A technique for discovering passwords, either by making
guesses at commonly used passwords, or by using a dictionary as a source of
guesses, or by attempting to use all possible combinations of characters in a
password. Password cracking exploits the fact that many passwords are weak and
easily guessed. Password cracking is usually automated by the use of programs or
scripts.
Personal Digital Assistant (PDA): A handheld computer.
RADIUS (Remote Authentication Dial-In User Service): A client-server protocol
that enables remote access servers to communicate with a central server to
authenticate dial-in users and authorise their access to a requested system or
service.
Records: Data that the company is required to keep, either because of legal or
regulatory obligations, or because the data constitutes evidence of business
transactions.
Reliability: The probability of a system or component performing to specification for
a specified period of time. Reliability may also be expressed as a percentage of
uptime, or as a mean time between failures.
Resilience: The ability of a system or process to continue to operate satisfactorily in
the event of some failure of its components. This is generally achieved by building in
appropriate alternative or redundant facilities so as to eliminate single points of
failure.
Risk: The potential for loss of any kind, for example, loss of life, health, physical
assets, financial value, company data, company reputation, or of damage to the
environment. Risk may be expressed quantitatively as the product of the probability
of a particular form of loss and some measure of the consequence of that loss.
Risk assessment: The process of identifying, evaluating, and where appropriate
quantifying risks. This includes enumerating the vulnerabilities and threats to systems
and establishing their consequences.
Risk management: The process of establishing an acceptable level of overall risk,
and of controlling, reducing and eliminating risks in order to achieve that level.
Robustness: The degree to which a system or component can function correctly in
the presence of invalid inputs or stressful environmental conditions.
SecurID token: A device providing a one-time password, often used for
authenticating remote users. SecurID is a trademark of RSA.
Security Administrator: A person responsible for operating an access control
mechanism and thereby maintaining the structure of userids, access groups, security
parameters, etc. The Security Administrator will also be responsible for resetting
passwords, resolving issues, monitoring security and supporting any local staff, to
whom these functions have been devolved.
Security Incident: An event that results, or could result, in loss of or damage to
organisational assets or an action that is in breach of Company security policies and
procedures.
Security Weakness: A vulnerability within a system or service that may result in a
security incident.
Service Set Identifier (SSID): A network name used to identify a wireless network or
a series of wireless access points.
Social engineering: The use of deception to persuade someone to do something
they shouldn’t do or wouldn’t normally choose to do. E.g. persuading someone to
reveal a password or other security information by pretending to be a service
engineer or a VIP.
Software: Computer programs, either written within the Company or purchased from
suppliers. Also, other electronic information such as databases, graphics images,
spreadsheets, etc.
Software Malfunction: A system or service that is not functioning correctly and
adversely affects the business.
Spyware: An unauthorised program that logs a user’s activities. Such programs are
usually installed without the user’s knowledge or consent, and often have malicious
intent.
Third Party Access: Access to Company information systems by staff who are not
directly managed by Company managers. This does not include access by
contractors, consultants or temporary staff on Company premises under direct
Company management.
Trojan: A malicious program that is executed covertly. Trojans are often concealed
by masquerading as other programs, or by being hidden inside other programs. They
are commonly spread as email attachments. They are distinguished from viruses and
worms in that they do not self-replicate.
Userid: The unique personal identifier used by an individual to gain access to
computer systems.
Virtual Private Network (VPN): A mechanism to allow two private networks or
devices to communicate securely across a public or untrusted network.
Virus: A self-replicating program that attaches itself to other programs, so that it is
executed whenever the other programs run. As well as replicating themselves,
viruses may perform destructive actions.
Worm: A self-replicating program. Worms can spread through networks, e.g. by
email, or through storage media. They are distinguished from viruses in that they run
independently rather than piggybacking on other programs.