Appendix C. Glossary

This section contains only those terms that are used in a specialized way in the knowledge base or in this User Guide. Terms that are used either according to their accepted dictionary definitions or according to commonly accepted definitions in the security community are not included.  When definitions are included, they are drawn from the CC or other authoritative sources where possible, and a reference to the source is provided.  Except where otherwise noted, such references are to the source document's Glossary.

Access (to a resource):  (1) A specific type of interaction between a subject and an object that results in the flow of information from one to the other [TCSEC].  (2) The ability and means to communicate with or otherwise interact with a system, in order to use system resources to either handle information or gain knowledge of the information the system contains [IETF99]. 

Access control:  (1) Restrictions controlling a subject's access to an object [ANDE72, NCSC87].  (2) The ability and the means necessary to store or retrieve data to communicate with or to make use of any resource of an ADP system [NCSC87].  (3) Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy [IETF99]. 

Access control information:  Information existing specifically for the enforcement of an access control security policy. 

Access Control List:  A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource [IETF99]. 

Accountability:  Requirement that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions. 

Administrative Functions:  System functions made available to system administrators for the purpose of tailoring the system security policy. 

Adversary:  An entity that attacks or is a threat to a system [IETF99]. 

Alias:  A name that an entity uses in place of its real name, usually for the purpose of either anonymity or deception [IETF99]. 

Anonymity:  The condition of having a name that is unknown or concealed. 

Application:  Software that runs under the control of other "system" software and typically has different authorship. 

Assets:  Information or resources to be protected by the countermeasures of a TOE.  [CC]

Assignment:  The specification of an identified parameter in a component.  [CC]

Assumption:  A description of security aspects of the environment in which the TOE will be used or is intended to be used.  Assumptions include information about the intended usage of the TOE, including such aspects as the intended application, potential asset value, and possible limitations of use; as well as information about the environment of use of the TOE, including physical, personnel, and connectivity aspects [cf. CC Annex B.2.4]. 

Assurance:  Ground for confidence that an entity meets its security objectives [CC]. 

Assurance Maintenance:  Maintenance activities and management actions taken to ensure confidence that assurance established in a TOE is continued and that the TOE meets its security topics as changes are made to the TOE or its environment. 

Assurance Topics:  Topics whose satisfaction is intended to provide grounds for confidence that a TOE meets its objectives [cf. CC, Part 3, Section 1.3.2]. 

Attack:  A procedure performed on (or with the assistance of) an IT system that, if successful, either provides advantage to the attacker or results in damage to the system, to the enterprise that employs the system, or to the enterprise's mission or people. 

Attacker/Adversary:  See Threat Agent

Audit Data/Audit Records:  Records of system activities that may be used to analyze system activities.  In a distributed system, audit records may not form a well-defined chronological record due to timing difficulties.  See Audit Trail.

Audit Logs:  See Audit Trail.

Audit Trail:  A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results [NCSC88]. 

Augmentation:  The addition of one or more assurance component(s) from Part 3 to an Evaluation Assurance Level (EAL) or assurance package [CC]. 

Authentication data:  Information used to verify the claimed identity of a user [CC].

Authorized Personnel:  See Authorized User.

Authorized User:  A user who may, in accordance with the TOE Security Policy (TSP), perform an operation [CC].

Automated Information System (AIS):  An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information [DOD88]. 

Availability:  (1) The presence of information or resources, when and where they are needed, in a usable form.  (2) The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them [IETF99]. 

Back Door:  A hardware or software mechanism that (a) provides access to a system and its resources by other than the usual procedure, (b) was deliberately left in place by the system's designers or maintainers, and (c) usually is not publicly known (See: Trapdoor.) [IETF99]. 

Back Up:  To store data for the purpose of creating a backup copy [IETF99]. 

Backup:  (1) A reserve copy of data that is stored separately from the original, for use if the original becomes lost or damaged [IETF99].  (2) Alternate means to permit performance of system functions, despite a disaster to system resources [IETF99]. 

CC Extension (Component):  The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC [CC]. 

CC Extension:  A Class, Family, Component, or Element in the style of the CC but not belonging to Parts 2 or 3 of the CC.

CC ToolBox:  A software package developed to facilitate application of the Common Criteria to the development of Security Targets and Protection Profiles.

Certification:  The comprehensive evaluation of the technical and non-technical security features of an AIS and other safeguards, that establishes the extent to which a particular design and implementation meet a specified set of security features.

Ciphertext:  Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available [IETF99]. 

Class:  A grouping of families that share a common focus [CC]. 

Classification:  (1) The act of assigning classification levels.  (2) A distribution into groups as classes, orders, families, etc., according to identified attributes.

Classification Level:  See Security Level

Common Criteria (CC):  Official criteria to be used for evaluation of security properties of IT products and systems.  Also the published Common Criteria for Information Technology Security Evaluation.  This documentation is organized into three parts. 

Part 1:  Introduction and General Model
Part 2:  Security Functional Requirements/Annexes
Part 3:  Security Assurance Requirements

Component:  The smallest selectable set of elements that may be included in a PP, an ST, or a package [CC]. 

Component Operation: The permitted alteration of a component when it is incorporated into a PP or ST.  According to the CC, the permitted operations are iteration, assignment, selection, and refinement [cf. CC, Part 1, Section].

Compromise:  See Data Compromise, Security Compromise

Confidentiality:  The protection of information from inappropriate or unauthorized release. 

Configuration Control:  The process of regulating changes to hardware, firmware, software, and documentation throughout the development and operational life of a system [IETF99]. 

Configuration Management (CM):  The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system. 

Connectivity:  The property of the TOE that allows interaction with IT entities external to the TOE.  This includes exchange of data by wire or by wireless means, over any distance in any environment or configuration [CC]. 

Consumer:  An IT or security developer, evaluator, manager, or user of the Common Criteria or a product developed from the Common Criteria.

Control Tip:  See Screen Tip.

Correctness Integrity:  Correctness of information, specifically correctness of assertions and instructions.  A correct assertion is true. A correct instruction is legitimate in the context of the organization in which it is issued. 

Corruption:  See Data Corruption.

Countermeasure:  Any action, device, procedure, technique, or other measure that reduces the expected loss resulting from a class of attacks. 

Cracker:  Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so (See Hacker and Intruder) [IETF99]. 

Critical System Resource:  A condition of a service or other system resource such that denial of access to that resource would jeopardize a system user's ability to perform a primary function or would result in other serious consequences [IETF99]. 

Cryptanalysis:  The mathematical science that deals with analysis of a cryptographic system in order to gain knowledge needed to break or circumvent the protection that the system is designed to provide [IETF99]. 

Cryptographic Algorithm:  An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms [IETF99]. 

Cryptographic Key:  Usually shortened to just "key."  An input parameter that varies the transformation performed by a cryptographic algorithm [IETF99]. 

Cryptographic Operations:  Functions performed including data encryption and/or decryption, digital signature generation and/or verification, etc., to increase data security and reduce the risk of attack. 

Cryptography/Cryptographic Techniques:  The mathematical science that deals with transforming data to render its meaning unintelligible (i.e., to hide its semantic content), prevent its undetected alteration, or prevent its unauthorized use.  If the transformation is reversible, cryptography also deals with restoring encrypted data to intelligible form [IETF99]. 

Cryptology:  The science that includes both cryptography and cryptanalysis, and sometimes is said to include steganography. 

Data Compromise:  A security incident in which information is exposed to potential unauthorized access, such that unauthorized disclosure, alteration, or use of the information may have occurred [IETF99]. 

Data Corruption:  Loss of data integrity.

Data Integrity:  (1) The protection of data from inappropriate or unauthorized modification.  (2) The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner [IETF99]. 

Decrypt, Decryption:  See Encryption

Denial of Service:  The prevention of authorized access to a system resource or the delaying of system operations and functions. (See Availability, Critical System Resource) [IETF99]. 

Dependency:  A relationship between requirements such that the requirement that is depended upon must normally be satisfied for the other requirements to be able to meet their objectives [CC]. 

Discretionary Access Control:  (1) A means of restricting access to [[named]] objects based on the identity of [[named users or]] subjects and/or groups to which they belong.  The controls are [[often]] discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control) [NCSC85].  (2) An access control service that enforces a security policy based on the identity of system entities and their authorizations to access system resources [IETF99]. 

Developer:  IT personnel or companies defining, designing, or implementing software, hardware components, systems, or networks.

Element:  An indivisible security requirement [CC].

Emanation:  A signal (electromagnetic, acoustical, or other byproduct) that is emitted by a system (through radiation or conductance) as a consequence of its operation and that may contain information [IETF99]. 

Encryption:  The cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.  If the transformation is reversible, then the corresponding reversal process is called "decryption," which is a transformation that restores [IETF99]. 

Environment (Security Environment):  The environment in which an evaluated system is intended to be used, including (a) intended usage of the TOE (including physical, personnel, and connectivity aspects), (b) organizational security policy statements or rules with which the TOE must comply, and (c) threats to assets against which specific protection within the TOE or its environment is required [CC Part 1, Annex B]. 

Environment, IT:  See IT Environment

Environment, Non-IT: See Non-IT Environment.

Evaluation:  Assessment of a PP, an ST or a TOE against defined criteria [CC]. 

Evaluation Assurance Level (EAL):  A package consisting of assurance components from Part 3, that represents a point on the CC predefined assurance scale [CC]. 

Evaluation Authority:  A body that implements the CC for a specific community by means of an evaluation scheme and thereby sets the standards and monitors the quality of evaluations conducted by bodies within that community [CC]. 

Evaluation Scheme:  The administrative and regulatory framework under which the CC is applied by an evaluation authority within a specific community [CC]. 

Extension:  The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC [CC]. 

External IT Entity:  Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE [CC].

Family:  A grouping of components that share security objectives but may differ in emphasis or rigor [CC]. 

Form (MS Access Form):  A database-specific display box that can be used to view and enter data.  In addition, forms can also be used to make custom dialogue boxes and to make "switchboards" that provide links to other forms.

Formal:  Expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts [CC].

Functional Requirements:  Functions or specifications within a TOE that are specifically in support of IT security and define the desired security behavior.  Examples include requirements for identification, authentication, security audit, and non-repudiation of origin. 

Hacker:  (1) Someone who is motivated to compromise the system.  (2) Someone with a strong interest in computers, who enjoys learning about them and experimenting with them (See Cracker) [IETF99]. 

Human User:  Any person who interacts with the TOE [CC]. 

Identification:  An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities (See Authentication) [IETF99]. 

Identity:  A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym [CC]. 

Identifier:  A string used as a name.  Traditionally, and in this knowledge base, identifiers consist of a single word (i.e., they begin with a letter and contain no blanks or punctuation).

Informal:  Expressed in natural language [CC]. 

Information:  Facts and ideas, which can be represented (encoded) as various forms of data [IETF99]. 

Integrity:  See Data Integrity, Correctness Integrity, Source Integrity, System Integrity

Internal Communication Channel:  A communication channel between separated parts of the TOE [CC]. 

Internal TOE Transfer: Communicating data between separated parts of the TOE [CC]. 

Inter-TSF Transfers:  Communicating data between the TOE and the security functions of other trusted IT products [CC]. 

Intruder:  An entity that gains or attempts to gain access to a system (or system resource) without having authorization to do so (See: Cracker). 

Intrusion Detection:  A security service that monitors and analyzes system events for the purpose of noticing and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner [IETF99]. 

IT Environment (IT Security Environment):  That portion of the Environment which consists of IT equipment. 

Iteration:  The use of a component more than once with varying operations [CC]. 

Key Field:  In a typical record set, there will be a field (or, more generally, a set of fields) that never has the same value in two different records, and that can thus be used to uniquely identify a record.  In the knowledge base, key fields are normally identifiers.

Key Management:  The process of handling and controlling cryptographic keys and related material (such as initialization values) during their life cycle in a cryptographic system, including ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the material [IETF99]. 

Labels/Labeling:  See Security Label

Link: The two key fields in a knowledge base mapping table record.  The first key is the source identifier, and the second is the target identifier. The link is said to be from its source identifier to its target identifier.

Locked Form:  A form is said to be locked if each text box or similar control on the form is locked.  The Locked property for an individual control specifies whether you can use the control to edit data in the form's associated table or tables.

Loss of Confidentiality:  Potentially damaging disclosure of data to unauthorized or inappropriate recipients. 

Mapping Table:  A knowledge base table used to show the relationship between two tables at different levels of abstraction.  See Link.

Mandatory Access Control:  (1) An access control service that enforces a security policy based on comparing (a) security labels that indicate how sensitive or critical system resources are with (b) security clearances that authorize system entities to access certain resources [IETF99].  (2) A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity [TCSEC]. 

Marking:  A security attribute of an object that is stored with the object to facilitate secure processing (see Security Label). 

Masquerade Attack:  A type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity (a.k.a. spoofing attack) [IETF99]. 

National Information Assurance Partnership (NIAP):  A U.S. government initiative originated to meet the security testing needs of both information technology (IT) consumers and producers.  NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).  The goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of cost-effective security testing, evaluation, and validation programs.  In meeting this goal, NIAP seeks to:

National Institute of Standards and Technology (NIST):  A U.S. Department of Commerce agency that promotes U.S. economic growth by working with industry to develop and apply technology, measurements, and standards, and has primary government responsibility for INFOSEC standards for unclassified but sensitive information [IETF99]. 

National Security Agency (NSA):  A U.S. Department of Defense intelligence agency that has primary government responsibility for INFOSEC for classified information and for unclassified but sensitive information handled by national security systems [IETF99]. 

Need-to-Know:  The necessity for access to, knowledge of, or possession of, specific information required to carry out official duties [NCSC88].  This criterion is used in security procedures that require a custodian of sensitive information, prior to disclosing the information to someone else, to establish that the intended recipient has proper authorization to access the information [IETF99]. 

Non-IT Environment:  Normally, the human aspects of the Environment.

Object:  An entity within the TOE Scope of Control (TSC) that contains or receives information and upon which subjects perform operations [CC]. 

Object Reuse:  The reassignment and use of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more objects [[or fragments thereof]].  To be securely reused and assigned to a new subject, storage media must contain no residual data (magnetic remanence) from the object(s) previously contained in the media [NCSC88]. 

Objectives:  Statements that address all of the security environment aspects identified in a PP.  The security objectives reflect the stated intent of the PP and are suitable to counter all identified threats and cover all identified organizational security policies and assumptions [CC, Part 1, Annex B]. 

Organizational Security Policy:  One or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations [CC]. 

Outsider:  Someone who is not authorized to use the TOE, i.e., not an authorized user. 

Package:  A reusable set of either functional or assurance components (e.g., an EAL) combined together to satisfy a set of identified security objectives [CC]. 

Password:  (1) A protected/private character string used to authenticate an identity [NCSC88].  (2) A secret data value, usually a character string that is used as authentication information [IETF99]. 

Physical Security:  Fences, walls, locks, vaults, human guards and guard dogs, sensors and alarms, and other tangible means of preventing unauthorized physical access to a system [NIST74]. 

Plaintext:  Data that is input to and transformed by an encryption process or that is output by a decryption process [IETF99]. 

Organizational Security Policies:  One or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations [CC]. 

Policy Category:  Several Organizational security policies with similar characteristics that have been grouped together for convenience. 

Privacy:  The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others.  Privacy is a reason for security rather than a kind of security [IETF99]. 

Privilege: An authorization or set of authorizations to perform security-relevant functions, especially in the context of a computer operating system [IETF99]. 

Profile Author's Assistant (PAA):  A module or subset of the Common Criteria Toolbox used to develop a draft or "Strawman" protection profile. 

Product:  A package of IT software, firmware, and/or hardware providing functionality designed for use or incorporation within a multiplicity of systems [CC].

Proprietary:  Refers to information (or other property) that is owned by an individual or organization and for which the use is restricted by that entity [IETF99]. 

Protection Profile (PP):  An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs [CC]. 

Protocol:  A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems [IETF99]. 

Query (SQL Query):  An expression whose value is a recordset.  SQL provides a syntax and semantics for combining and filtering tables to produce new tables.

Record (Database Record):  Each row in a database table or similar recordset is traditionally referred to as a record.

Recordset:  The collective name given to tables and other similar collections of records.

Reference Monitor:  The concept of an abstract machine that enforces TOE access control policies [ANDE72, CC]. 

Reference Validation Mechanism:  An implementation of the reference monitor concept that possesses the following properties:  It is tamperproof, always invoked, and simple enough to be subjected to thorough analysis and testing [ANDE72, CC]. 

Refinement:  The addition of details to a component [CC]. 

Report (Database Report):  A textual representation of a table or query.  MS Access provides a general mechanism for producing reports that may be saved in .rtf format and viewed in MS Word.  The knowledge base also includes VBA routines that dump all of its security information in HTML report format.

Repudiation:  Denial by a system entity that was involved in an association (especially an association that transfers information) of having participated in the relationship [IETF99]. 

Role:  A predefined set of rules establishing the allowed interactions between a user and the TOE [CC]. 

Screen Tip: A pop-up message box on a button or menu item that tells something about its purpose. To view the screen tip for a button, position the mouse over the button, and the tip will appear.

Secret:  (1) The condition of information being protected from being known by any system entities except those who are intended to know it; an item of information that is so protected [IETF99].  (2) Information that must be known only to authorized users and/or the TSF in order to enforce a specific SFP [CC]. 

Secure State:  A system condition in which no subject can access any object in an unauthorized manner [IETF99]. 

Security Attribute:  Information associated with subjects, users and/or objects that is used for the enforcement of the TSP [CC]. 

Security Compromise:  A security violation in which a system resource is exposed, or is potentially exposed, to unauthorized access [IETF99]. 

Security Environment:  The aggregate of (a) external procedures, conditions, and objects that affect the development, operation, and maintenance of a system, (b) laws, organizational security policies, customs, expertise, and knowledge that are determined to be relevant to the system, and (c) the threats to security that are, or are held to be, present in the environment [CC, Part 1]. 

Security Function (SF):  A part or parts of the TOE that enforce a closely related subset of the rules from the TSP [CC].

Security Function Policy (SFP):  The security policy enforced by an SF [CC].

Security Functional Requirements: See Functional Requirements

Security Level:  The combination of a hierarchical classification and a set of nonhierarchical categories that represents the sensitivity of information [TCSEC].  In some contexts, this term is used more generally to mean a level in a partially ordered set of security attributes [NCSC92]. 

Security Objective:  A statement of intent to counter identified threats and/or satisfy identified organization security policies and assumptions [CC]. 

Security Perimeter:  The portion of a system and its environment where security objectives are actively addressed.  The security perimeter contains the TCB [[or TSF]] and associated controlled entities [NCSC92]. 

Security Policy:  See Organizational Security Policy, Security Function Policy, and TOE Security Policy.

Security Requirements:  The types and levels of protection necessary for a system to maintain an acceptable level of security.  Security requirements can include both Functional Requirements and Assurance Requirements and are the refinement of security objectives into a set of requirements for a TOE. 

Security Target (ST):  A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE [CC]. 

Security Violation: An act or event that disobeys or otherwise breaches security policy [IETF99]. 

Selection:  The specification of one or more items from a list in a component [CC]. 

Semiformal:  Expressed in a restricted syntax language with defined semantics [CC]. 

Social Engineering:  Security threats that exploit human vulnerabilities (as opposed to IT vulnerabilities).

Source Integrity:  The degree of confidence that can be placed in information based on the trustworthiness of its sources [IETF99]. 

Spoofing Attack:  See Masquerade Attack

Steganography:  Methods of hiding the existence of a message or other data.  This is different from cryptography, which hides the meaning of a message but does not hide the message itself [IETF99]. 

Strength of Function (SOF):  A qualification of a TOE security function expressing the minimum efforts assumed necessary to defeat its expected security behavior by directly attacking its underlying security mechanisms [CC]. 

SOF-Basic:  A level of the TOE strength of function where analysis shows that the function provides adequate protection against casual breach of TOE security by attackers possessing a low attack potential [CC]. 

SOF-Medium:  A level of the TOE strength of function where analysis shows that the function provides adequate protection against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential [CC]. 

SOF-High:  A level of the TOE strength of function where analysis shows that the function provides adequate protection against deliberately planned or organized breach of TOE security by attackers possessing a high attack potential [CC]. 

SPARTA:  SPARTA, Inc., the developer of the CC ToolBox. 

Subject:  An entity within the TSC that causes operations to be performed [CC]. 

System:  A specific IT installation, with a particular purpose and operational environment [CC].

System Component:  A software, hardware, and/or firmware item. 

System Data:  Data under the control of the system, including security-relevant data maintained by the system's trusted security functions.

System Integrity:  The quality that a system has when it can perform its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation [NCSC88].

Target Audience:  A person or group of persons with an interest in a subject presented.  The Common Criteria target audience consists of three groups interested in the evaluation of the security properties of IT products and systems:  TOE consumers, TOE developers, and TOE evaluators. 

Target of Evaluation (TOE):  An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation [CC].

Technical Security Policy:  See TOE Security Policy

Threat:  An attack or class of attacks, together with associated classification attributes such as likely threat sources, exploited vulnerabilities, or affected resources [CC, Part 1, Annex B]. 

Threat Agent:  Person or other entity that either deliberately or inadvertently implements an attack, also referred to as a threat source.

TOE Evaluation:  The review of a TOE by an authorized evaluator in order to form judgments about the conformance of the TOE to its security requirements. 

TOE Implementation:  The realization of the TOE based on its security functional requirements and the TOE summary specification contained in the ST. 

TOE Resource:  Anything usable or consumable in the TOE [CC].

TOE Security Functions (TSF):  A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP [CC].

TOE Security Functions Interface (TSFI):  A set of interfaces, whether interactive (man-machine interface) or programmatic (application programming interface), through which TOE resources are accessed, mediated by the TSF, or information is obtained from the TSF [CC].

TOE Security Policy (TSP):  A set of rules that regulate how assets are managed, protected, and distributed within a TOE [CC]. 

TOE Security Policy Model:  A structured representation of the [TOE] security policy to be enforced by the TOE [CC]. 

TOE Summary Specification:  A portion of an ST that defines the instantiation of the security requirements for the TOE.  It provides a high-level definition of the security functions claimed to meet the functional requirements and assurance measures taken to meet the assurance requirements.

Transfers Outside TSF Control:  Communicating data to entities not under control of the TSF [CC]. 

Trapdoor:  A hidden computer flaw known to an intruder, or hidden computer mechanism (usually software) installed by an intruder, who can activate the mechanism to gain access to the computer without being blocked by security mechanisms (See Back Door, Trojan Horse) [IETF99]. 

Trojan Horse:  A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program [IETF99]. 

Trust:  The extent to which someone who relies on a system has confidence that the system meets its specifications, i.e., that the system does what it claims to do and does not perform unwanted functions [cf. IETF99].

Trusted Channel:  A means by which a TSF and a remote trusted IT product can communicate with necessary confidence to support the TSP [CC]. 

Trusted Computing Base (TCB):  The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a [TOE] security policy [NCSC88]. (Obsolescent; compare TOE Security Functions (TSF).)

Trusted Path:  A means by which a user and a TSF can communicate with necessary confidence to support the TSP [CC]. 

TSF Data:  Data created by and for the TOE that might affect the operation of the TOE [CC].  Specifically, information used by the TSF in making TSP decisions.  Security attributes, authentication data, and access control list entries are examples of TSF data.

TSF Scope of Control (TSC):  The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP [CC]. 

TSP: See TOE Security Policy.

User:  Any entity (human user or external IT entity) outside the TOE that interacts with the TOE [CC].

User Attributes:  Security-relevant information about users that is maintained by the TOE in order to enforce a TSP.

User Data:  Data created by and for the user that does not affect the operation of the TSF [CC]. 

User Session:  A period of interaction between a user and the TSF. 

User-Subject Binding:  Mapping that associates with each subject the user who is responsible for invoking that subject. 

Verification:  (1) System Verification:  The process of comparing two levels of system specification for proper correspondence, such as comparing a security policy with a top-level specification, a top-level specification with source code, or source code with object code [NCSC88].  (2) Identification Verification:  Presenting information to establish the truth of a claimed identity [IETF99]. 

Virus:  A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting, i.e., inserting a copy of itself into and becoming part of, another program.  A virus cannot run by itself.  It requires that its host program be run to make it active [IETF99]. 

Vulnerability:  A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy [IETF99]. 

Zeroize:  Use erasure or other means to render stored data, particularly a key stored in a cryptographic module or other device, unusable and unrecoverable [IETF99].