Transcription
Glossary of Terms and AcronymsVersion 3February 2018
ContentsCautionary Notes. 3Version History. 3List of Terms. 4List of Acronyms. 37Reference List. 43This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.2
Cautionary NotesThis publication contains material from HITRUST and other authoritative sources, e.g., ITIL , and may be subject tomultiple copyrights. Source of a potential copyright is indicated for each term contained in this document. A separatelist of references to the sources cited is also provided.Note: Some definitions were altered slightly to make them more generally applicable, such as removing language from a NIST definition that is particular to the U.S. Government or otherwise modified to accommodate theHITRUST Risk Management Framework. Such definitions are indicated by the word, “adapted,” after the source.Definitions obtained from a discussion of the term rather than a glossary, or obtained from a similar term (or multipleterms) in a glossary, are indicated by the word, “derived,” after the source.Version HistoryVersion #1.0Date ReviewedDec 2009Reviewed ByBrief DescriptionHITRUSTSupported the initial release of theHITRUST CSF2.0Aug 2017HITRUSTExtensively expanded and updatedbased on a review of version 9 of theHITRUST CSF and the CSF AssuranceProgram3.0Feb 2018HITRUSTAdded terms from the additon of 23NYCRR 500 and the EU GDPR to theHITRUST CSF v9.1This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.3
List of Terms2-Factor AuthenticationA type of multifactor authentication in which only two factors are used.Considered by NIST to be synonymous with multi-factor authentication,since “something you are” (biometrics) is not considered to be a validauthentication factor (Reference tor-authentication). See multi-factor authentication.[HITRUST]Access ControlThe process of granting or denying specific requests to: 1) obtain anduse information and related information processing services; and 2) enterspecific physical facilities. [NISTIR 7298 r2, adapted]Access Control List (ACL)A list of permissions associated with an object. The list specifies who orwhat is allowed to access the object and what operations are allowed tobe performed on the object. [NISTIR 7298 r2]AccountabilityThe security goal that generates the requirement for actions of an entityto be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-actionrecovery and legal action. [NISTIR 7298 r2, adapted]Accounting of DisclosuresA listing of organizations and individuals who have received access to anindividual’s protected health information. [HIPAA, adapted]Adequate SecuritySecurity commensurate with the risk and magnitude of harm resultingfrom the loss, misuse or unauthorized access to or modification of information. [NIST IR 7298 r2]AdversaryIndividual, group, organization or government that conducts or has theintent to conduct detrimental activities. [NIST IR 7298 r2]Alternate ControlA compensating control that has been submitted and approved for general use by the HITRUST Alternate Controls Committee. See Compensating Control. [HITRUST]Analysis ApproachThe approach used to define the orientation or starting point of the riskassessment, the level of detail in the assessment, and how risks due tosimilar threat scenarios are treated. [NIST SP 800-53 r4, derived]AperiodicOccurring without periodicity; of irregular occurrence. [Merriam-Webster]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.4
ApplicationA software program hosted by an information system, which performs aspecific function directly for a user and can be executed without access tosystem control, monitoring or administrative privileges. [NIST IR 7298 r2,adapted]AssessmentSee Security Control Assessment or Risk Assessment. [HITRUST]AssessorAn individual or organization that conducts control assessments; includesself-assessors or independent assessors (e.g., internal or external auditors or third-party assessors); includes HITRUST Approved Assessors.[HITRUST]AssetSomething of either tangible or intangible value that is worth protecting,including people, information, infrastructure, finances and reputation.[ISACA Glossary of Terms]Asset OwnerAn individual the organization designates as responsible for the operations and maintenance of an information system or other asset. Seeasset. [NIST IR 7298 r2, derived from Information System Owner]AssuranceMeasure of confidence that the security features, practices, procedures,and architecture of an information system accurately mediates and enforces the security policy. [NISTIR 7298 r2]AttackAny kind of malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources or the information itself.[NIST IR 7298 r2]AuditIndependent review and examination of records and activities to assessthe adequacy of system controls, to ensure compliance with establishedpolicies and operational procedures, and to recommend necessarychanges in controls, policies, or procedures. [NISTIR 7298 r2]Audit LogA chronological record of system activities. Includes records of systemaccesses and operations performed in a given period. [NISTIR 7298 r2]AuthenticationVerifying the identity of a user, process, or device, often as a prerequisiteto allowing access to resources in an information system. [NISTIR 7298r2]Authentication DataSecurity-related information used to authenticate users and/or authorizeuser transactions (e.g., passwords and personal identification numbers,PINs). [PCI DSS Glossary v3.2, derived from Security AuthenticationData]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.5
Authentication ParameterVariables specified by an information system to authenticate a user orprocess (e.g., identity, role, clearance, operational need, risk and heuristics). [NISTIR 7298 r2, derived from Critical Security Parameter andPolicy-Based Access Control]AuthenticityThe property of being genuine and being able to be verified and trusted;confidence in the validity of a transmission, a message, or message originator. See Authentication. [NISTIR 7298 r2]AuthorizationAccess privileges granted to a user, program, or process or the act ofgranting those privileges. [NISTIR 7298 r2]AvailabilityEnsuring timely and reliable access to and use of information. [NISTIR7298 r2]Best PracticeA technique, method, process or procedure that has been shown by research and experience to produce optimal results and that is establishedor proposed as a standard suitable for widespread adoption. [Merriam-Webster, adapted]BreachThe unauthorized acquisition, access, use, or disclosure of sensitiveinformation (e.g., protected health information), which compromises thesecurity or privacy of such information. [HIPAA, adapted]Biometric DataPersonal data resulting from specific technical processing relating to thephysical, physiological or behavioral characteristics of a natural person,which allow or confirm the unique identification of that natural person,such as facial images or dactyloscopic data. [EU GDPR]Binding Corporate RulesPersonal data protection policies which are adhered to by a controller orprocessor established on the territory of a Member State for transfers ora set of transfers of personal data to a controller or processor in one ormore third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity; [EU GDPR]Business Associate (BA)A person or entity that performs certain functions or activities that involvethe use or disclosure of protected health information on behalf of, or provides services to, a covered entity, but is not part of the covered entity’sworkforce. A member of the covered entity’s workforce is not considereda business associate; however, a covered healthcare provider, healthplan, or healthcare clearinghouse can be a business associate of anothercovered entity. [HIPAA, adapted]Business ContinuityPreventing, mitigating and recovering from disruption. The terms ‘business resumption planning’, ‘disaster recovery planning’, and ‘contingencyplanning’ also may be used in this context; they all concentrate on therecovery aspects of continuity. [ISACA Glossary of Terms]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.6
Business Continuity Plan(BCP)The documentation of a predetermined set of instructions or proceduresthat describe how an organization’s mission/business functions will besustained during and after a significant disruption. [NISTIR 7298 r2]Business Impact Analysis(BIA)An analysis of an enterprise’s requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption. [NIST IR 7298r2]Business ProcessA process that is owned and carried out by the business. A businessprocess contributes to the delivery of a product or service to a businesscustomer. For example, a retailer may have a purchasing process thathelps to deliver services to its business customers. [ITIL Glossary andAbbreviations]CapabilityThe ability of an organization, person, process, application, IT service orother configuration item to carry out an activity. Capabilities are intangibleassets of an organization. [ITIL Glossary and Abbreviations]CertificationA comprehensive assessment of the management, operational and technical security controls in an information system, to determine the extentto which the controls are implemented correctly, operating as intended,and producing the desired outcome with respect to meeting the securityrequirements for the system, and specific scoring criteria for the maturityof the controls’ implementation have been met under the HITRUST CSFAssurance Program. [NISTIR 7298 r2, adapted]ChangeThe addition, modification or removal of anything that could have aneffect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changesto IT services and other configuration items. [ITIL Glossary and Abbreviations]Change ControlProcesses and procedures to review, test, and approve changes to systems and software for impact before implementation. [PCI DSS Glossaryv3.2]Change ManagementThe process responsible for controlling the lifecycle of all changes,enabling beneficial changes to be made with minimum disruption to ITservices. [ITIL Glossary and Abbreviations]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.7
ChoiceAn individual’s ability to determine whether or how their personal information may be used or disclosed by the entity that collected the information.Also, the ability of an individual to limit certain uses of their personalinformation. For example; an individual may have choice about whetherto permit a company to contact them or share their data with third parties.Can be express or implied. [IAPP Glossary of Privacy Terms v2.0.0.2]ClassificationSee Data Classification. [HITRUST]CMS-defined level ofindependenceNo perceived or actual conflict of interest with respect to the developmental, operational, and/or management chain associated with theinformation system and the determination of security and privacy controleffectiveness. [CMS Framework for the Independent Assessment of Security and Privacy Controls v2]Common ControlA security control that is inherited by one or more organizational information systems. See Security Control Inheritance. [NISTIR 7298 r2]Compensating ControlSee Compensating Security Control. [HITRUST]Compensating SecurityControlA management, operational, and/or technical control (i.e., safeguard orcountermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that providesequivalent or comparable protection for an information system. Synonymous with Alternate Control. [NISTIR 7298 r2]Confidential InformationInformation that is not disclosed to unauthorized individuals, entities orprocesses. [NISTIR 7298 r2, derived from Confidentiality]ConfidentialityPreserving authorized restrictions on information access and disclosure,including means for protecting personal privacy and proprietary information. [NISTIR 7298 r2]ConfigurationA generic term used to describe a group of configuration items that worktogether to deliver an IT service, or a recognizable part of an IT service.Configuration is also used to describe the parameter settings for one ormore configuration items. [ITIL Glossary and Abbreviations]Configuration ManagementThe control of changes to a set of configuration items over a system lifecycle. [ISACA Glossary of Terms]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.8
ConsentIf an individual has choice (see Choice) about the use or disclosure of hisor her information, consent is the individuals’ way of giving permission forthe use or disclosure. Consent may be affirmative; i.e., opt-in; or implied;i.e., the individual didn’t opt out. (1) Explicit Consent: A requirement thatan individual “signifies” his or her agreement with a data controller bysome active communication between the parties. According to the EUData Protection Directive, explicit consent is required for processing ofsensitive information. Further, data controllers cannot infer consent fromnon-response to a communication. (2) Implicit Consent: Implied consentarises where consent may reasonably be inferred from the action or inaction of the individual. [IAPP Glossary of Privacy Terms v2.0.0.2]Continuous MonitoringMaintaining ongoing awareness to support organizational risk decisions.See Information Security Continuous Monitoring, Risk Monitoring, andStatus Monitoring. (Note: The terms “continuous” and “ongoing” in thiscontext mean that security controls and organizational risks are assessedand analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.) [ISACA Glossaryof Terms]Control AssessmentSee Security Control Assessment. [HITRUST]Control ObjectiveA statement of the desired result or purpose to be achieved by one ormore controls within a HITRUST CSF Control Category. [ISACA Glossaryof Terms, adapted]Control ReferenceHITRUST CSF control number and title. [HITRUST]Control SpecificationThe policies, procedures, guidelines, practices or organizational structures specified in a control, which can be of administrative, technical,management, or legal nature, to meet a control objective. [HITRUST]Controlled AreaAny area or space for which the organization has confidence that thephysical and procedural protections provided are sufficient to meet therequirements established for protecting the information and/or informationsystem. [NISTIR 7298 r2]ControllerThe natural or legal person, public authority, agency or other body which,alone or jointly with others, determines the purposes and means of theprocessing of personal data; where the purposes and means of suchprocessing are determined by Union or Member State law, the controlleror the specific criteria for its nomination may be provided for by Union orMember State law. [EU GDPR]Covered EntityA health plan, a healthcare clearinghouse, or a healthcare provider whotransmits any health information in electronic form regarding a HIPAAtransaction. [HIPAA, adapted]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.9
Covered EntityA health plan, a healthcare clearinghouse, or a healthcare provider whotransmits any health information in electronic form regarding a HIPAAtransaction. [HIPAA, adapted] Any person operating under or required tooperate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Lawor the Financial Services Law. [Title 23 NYCRR 500]Covered InformationInformation to be secured from unauthorized access, use, disclosure,disruption, modification or destruction to maintain confidentiality, integrity,availability and/or privacy. [HITRUST]Critical Access RightsAn individual’s ability to access information supporting critical businessand/or clinical operations. The criticality of an information system is generally provided in the information system’s BIA. [HITRUST]CriticalityA measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. Criticality is often determined by the impact to the organization due to a loss of integrity or availability. [NISTIR 7298 r2]Cryptographic ControlsSafeguards that employ cryptography to achieve the protection desired.Examples include using encryption to protect confidentiality, and usingdigital signatures or message authentication codes to protect authenticityand integrity. [HITRUST]Cyber AttackAn attack, via cyberspace, targeting an enterprise’s use of cyberspacefor the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrityof the data or stealing controlled information. [NISTIR 7298 r2]Cyber IncidentActions taken through the use of computer networks that result in anactual or potentially adverse effect on an information system and/or theinformation residing therein. See Incident. [NISTIR 7298 r2]CybersecurityThe ability to protect or defend the use of cyberspace from cyber attacks.[Often spelled as two words, cyber security.] [NISTIR 7298 r2]CyberspaceA global domain within the information environment consisting of the interdependent network of information systems infrastructures including theInternet, telecommunications networks, computer systems, and embedded processors and controllers. [NISTIR 7298 r2]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.10
Data ClassificationThe assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levelsof sensitivity of data are assigned according to predefined categories asdata are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to theenterprise. [ISACA Glossary of Terms]Data Concerning HealthPersonal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. [EU GDPR] A subset of protectedhealth information (PHI) as defined under the Health Insurance Portabilityand Accountability Act (HIPAA). [HITRUST]Data Use AgreementAn agreement between a health provider, agency or organization and adesignated receiver of information to allow for the use of limited healthinformation for research, public health or healthcare operations. Theagreement assures that the information will be used only for specificpurposes. [HIPAA, adapted]Defense-in-BreadthA planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stageof the system, network, or subcomponent life cycle (system, network, orproduct design and development; manufacturing; packaging; assembly;system integration; distribution; operations; maintenance; and retirement).[NISTIR 7298 r2]De-identificationThe process of anonymizing data so that the risk of re-identifying an individual is minimized to an acceptable level. [HITRUST]Detective ControlA control that is used to identify and report when errors, omissions andunauthorized uses or entries occur. [ISACA Glossary of Terms]Digital SignatureAn asymmetric key operation where the private key is used to digitallysign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation. [NISTIR 7298 r2]Direct Treatment RelationshipA treatment relationship between an individual and a health care provider that is not an indirect treatment relationship. (See indirect treatmentrelationship.) [HIPAA]DisasterA major hardware or software failure, destruction of facilities, or othermajor loss of enterprise capability. [NISTIR 7298 r2, derived from DisasterRecovery Plan]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.11
Disaster Recovery Plan (DRP)A written plan for recovering one or more information systems at analternate facility in response to a major hardware or software failure ordestruction of facilities. [NISTIR 7298 r2]DisclosureThe release, transfer, provision of access, to, or divulging in any othermanner, of information outside the entity holding the information. [HIPAA,adapted]Distributed Control System(DCS)Information technology used to control production systems within thesame geographic locations for industries such as oil refineries, water andwastewater treatment, electric power generation plants, chemical manufacturing plants, automotive production, and pharmaceutical processingfacilities. [NIST SP 800-82 r2, derived from the discussion on DCS]DowntimeTotal period that a service or component is disrupted (not operational).[NISTIR 7298 r2, derived from Maximum Tolerable Downtime]Due CareThe level of care expected from a reasonable person of similar competency under similar conditions. [ISACA Glossary of Terms]Due DiligenceThe performance of those actions that are generally regarded as prudent,responsible and necessary to conduct a thorough and objective investigation, review and/or analysis. [ISACA Glossary of Terms]Electronic Health Record(EHR)An electronic record of health-related information on an Individual that iscreated, gathered, managed, and consulted by authorized health careclinicians and staff. [HIPAA]Electronic SignatureThe process of applying any mark in electronic form with the intent tosign a data object. See also Digital Signature. [NISTIR 7298 r2]Embedded SystemInformation system that is an integral part of a larger system. [NISTIR7298 r2, derived from Embedded Computer]EncryptionConversion of plaintext to ciphertext through the use of a cryptographicalgorithm. [NISTIR 7298 r2]EnterpriseAn organization with a defined mission/goal and a defined boundary,using information systems to execute that mission, and with responsibilityfor managing its own risks and performance. An enterprise may consistof all or some of the following business aspects: acquisition, programmanagement, financial management (e.g., budgets), human resources,security, and information systems, information and mission management.[NISTIR 7298 r2]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.12
EntropyA measure of the amount of uncertainty that an attacker faces to determine the value of a secret. Entropy is usually stated in bits. [NISTIR 7298r2]EscalationIn incident management, the process of bringing an incident to someonewith more expertise/authority if it cannot be resolved by first-line supportwithin a pre-established period of time. [HITRUST]EventSee Security Event. [HITRUST]ExploitFull use of a vulnerability for the benefit of an attacker. [ISACA Glossary ofTerms]ExploitationThe process of taking advantage of a security vulnerability. [HITRUST]ExposureThe potential loss to an area [of business] due to the occurrence of an adverse event. [ISACA Glossary of Terms]External Information System(or Component)An information system or component of an information system that is outside of the accreditation boundary established by the organization and forwhich the organization typically has no direct control over the application ofrequired security controls or the assessment of security control effectiveness. [NISTIR 7298 r2]External Information SystemServiceAn information system service that is implemented outside of the accreditation boundary of the organizational information system (i.e., a service thatis used by, but not a part of, the organizational information system) and forwhich the organization typically has no direct control over the application ofrequired security controls or the assessment of security control effectiveness. [NISTIR 7298 r2]External PartiesContractors, vendors, business partners or other persons not directly employed by an organization. [HITRUST]FacilityA building or premise being used by an organization or its vendors andbusiness partners to conduct work on behalf of an organization. [HITRUST].FailureFailure is typically used to describe a disruption in service. Not all faultsresult in a service failure as there may be redundancy built into the infrastructure. [HITRUST]Full Disk Encryption (FDE)The process of encrypting all the data on the hard drive used to boot a computer, including the computer’s OS, and permitting access to the data onlyafter successful authentication to the FDE product. [NISTIR 7298 r2]This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.13
Good Security PracticeSee Best Practice. [HITRUST]GuidelineA description of a particular way of accomplishing something that is lessprescriptive than a procedure. [ISACA Glossary of Terms]Health Care OperationsAny of the following activities of the covered entity to the extent that theactivities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entityparticipates: (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines,provided that the obtaining of generalizable knowledge is not the primarypurpose of any studies resulting from such activities; population-basedactivities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting ofhealth care providers and patients with information about treatment alternatives; and related functions that do not include treatment; (2) Reviewingthe competence or qualifications of health care professionals, evaluatingpractitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areasof health care learn under supervision to practice or improve their skills ashealth care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) Underwriting,premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding,securing, or placing a contract for reinsurance of risk relating to claims forhealth care (including stop-loss insurance and excess of loss insurance),provided that the requirements of § 164.514(g) are met, if applicable; (4)Conducting or arranging for medical review, legal services, and auditingfunctions, including fraud and abuse detection and compliance programs;(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating theentity, including formulary development and administration, development orimprovement of methods of payment or coverage policies; and (6) Business management and general administrative activities of the entity, including, but not limited to: (i) Management activities relating to implementationof and compliance with the requirements of this subchapter; (ii) Customerservice, including the provision of data analyses for policy holders, plansponsors, or other customers, provided that protected health information isnot disclosed to such policy holder, plan sponsor, or customer. (iii) Resolution of internal grievances; (iv) Due diligence in connection with the saleor transfer of assets to a potential successor in interest, if the potentialsuccessor in interest is a covered entity or, following completion of the saleor transfer, will become a covered entity; and (v) Consistent with the applicable requirements of § 164.514, creating de-identified health information,fundraising for the benefit of the covered entity, and marketing for whichan individual authorization is not required as described in § 164.514(e)(2).This document contains material copyrighted by HITRUST — refer to the Acknowledgments for more information.14
Health Care ProviderA provider of services (as defined in section 1861(u) of the Act, 42 U.S.C.1395x(u)), a provider of medical or health services (as defined in section1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for hea
to IT services and other configuration items. [ITIL Glossary and Abbrevia-tions] Change Control Processes and procedures to review, test, and approve changes to sys-tems and software for impact before implementation. [PCI DSS Glossary v3.2] Change Management The process responsible for controlling the lifecycle of all changes,
