Informed Control, Inc. Defending Identity Management™










Web Design by
Kristen Lanum

Valid CSS!
Valid HTML 4.01

Glossary of terms

Application Vulnerability Description Language (AVDL)

AVDL is an OASIS standard XML definition for exchanging information about the vulnerabilities of web applications (those using HTTP protocols). The AVDL description document is available from the list of OASIS Standards.


There are several definitions of the term attribute:

  • In XML, an attribute is a parameter to an XML element.
  • In CIM, an attribute is the type of a property defined by a class. Instance objects of a class can contain properties for the attributes of that class.
  • In a directory service, an attribute is a property of an entry. The object class specifies what types of attributes can be present in an entry of that object class.
Authentication Assurance level

An Authentication Assurance Level defines the degree of confidence in an authentication credential. The US Federal Government Office of Management and Budget Memorandum M-04-04 describes four levels, which are further illustrated in the NIST bulletin Electronic Authentication: Guidance for Selecting Secure Techniques.

Common Criteria

The Common Criteria are an international effort to define standards for consistent security evaluation of IT infrastructure products.


A dataset is a bulk collection of structured information, such as in a database or directory service.

Defense in Depth

The approach of Defense in Depth, developed by the US Department of Defense, is to create "layered, defensive mechanisms and practices, which achieve the required level of Information Assurance".

Directory information tree (DIT)

A Directory information tree (DIT) is the hierarchical arrangement of entries represented within a directory service. Typically the root or top-level entries in a DIT corresponds to a large-scale concept, such as the world, or a country, and middle layers of the DIT correspond to geographic, political or organizational divisions, and the lowest layers of the DIT represent individual people, groups, and devices.

Enterprise Privacy Authorization Language (EPAL)

The Enterprise Privacy Authorization Language is an XML specification authored by IBM for the exchange of privacy policies between applications.

Enterprise Risk Management

Enterprise risk management is defined by The Committee of Sponsoring Organizations of the Treadway Commission as

"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Evaluation Assurance Level

An Evaluation Assurance Level is a requirement set defined by the Common Criteria, which establishes the minimum level of security services provided by implementations evaluated to that level.


Federation is the process of establishing an association between entities, typically within distinct organizations, for sharing Identity Management capabilities. In a Liberty Alliance context, federation typically occurs between an Identity Provider entity and a Service Provider entity within a Circle of Trust, where there are operational agreements in place between the organizations.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC is a US federal government organization which establishes standards for the examination of financial institutions.

Intrusion Detection Message Exchange Format (IDMEF)

IDMEF is an XML specification being developed by the IETF Intrusion Detection Exchange Format working group.

Identity Threat Management Architecture (ITMA)

The Identity Threat Management Architecture defines procedures for the development and review of reference and deployment identity service architectures, which incorporate best practice for addressing threats, vulnerabilities and security requirements for identity services.

Information Assurance

Information Assurance is defined as

"the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."

An inventory is a document specifying the networked data processing elements and their interconnections, which can be used to trace the flows of specific kinds of information throughout the network.

ISO 17799

ISO 17799, Code of practice for information security management, can be ordered from the ISO, from a national standards body, or from a standards printing service.

Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) is an activity by the Information Systems Security Association to collect and document information security principles.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires financial institutions to "protect against unauthorized access to or use of customer information".

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act enacted by the US Congress in 1996 sets out privacy and security provisions for the exchange of health data in the US.


Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology. It is widely available for UNIX platforms and integrated in Windows 2000 networking.

Liberty Alliance

The Liberty Alliance Project is a consortium of organizations developing a standard for identity federation.

Lightweight Directory Access Protocol (LDAP)

LDAP is set of IETF standards-track specifications for a directory access protocol derived from X.500.


Metadata is any data about or in addition to other primary data. Metadata may contain tags, labels or conditions that are attached to the underlying data.

For example, the Dublin Core metadata for documents specifies XML elements for representing the document's author, publisher, intended audience, and other parameters.


A metaschema is a data model in which a schema is represented.

For example, the metaschema for an LDAP directory schema is described in RFC 2252, and consists of the definition of attributeTypes and objectClasses, among others.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)

OCTAVE is an information security risk analysis and planning methodology promoted by Carnegie Mellon University.

Object Class

In directory services, the object class of an entry specifies which attributes can and must be present in that entry, and typically indicates the real-world object modeled by the entry, such as person or organization.


In knowledge management, an ontology is a specification of the concepts used for representing knowledge, and typically consists of rules and definitions of entities, their attributes and relationships in a particular domain.

Operational Risk

The FFIEC defines operational risk in the Risk overview section of the management booklet of the FFIEC Information Technology Examination Handbook as risk of occuring financial loss due to human or technical errors and fraud.


A perspective is the pattern of interactions with a service available to a particular community of users.

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act sets standards for privacy practices for Canadian organizations.

Platform for Privacy Preferences (P3P)

The P3P specification is a W3C Recommendation published in April 2002, defining how web sites can publish their privacy policies in a software-parsable form.

More information is at

Protection Posture Assessment

A protection posture assessment for information technology is a report which compares a specific organizations' information protection policy with industry standards and best practices for information protection.

See for examples of information protection posture assessments.

Recovery-Oriented Computing

Recovery-Oriented Computing is a research project sponsored by the University of California Berkeley and Stanford University to develop techniques to increase availability by decreasing recovery time.

Sarbanes-Oxley Act of 2002

The Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act, expands the audit and reporting requirements of publicly-traded companies. Section 404 of the Act requires the corporation assess the effectiveness of internal controls to their financial information systems.

SB 1386

California SB 1386 requires any organization that conducts business in California to disclose if a breach of security could have resulted in a California resident's personal information being disclosed.


A schema is a collection of data definitions which specify how objects are represented in a data model, such as for use in a directory service.

Secure Sockets Layer (SSL)

The Secure Sockets Layer is an Internet session-layer protocol for authentication and protection of data in transit. The latest version of SSL, TLS 1.0, is defined in RFC 2246.

Security Assertion Markup Language (SAML)

SAML is an OASIS standard developed by the OASIS Security Services TC for exchanging authentication, access rights and attribute information.

Sensitivity label

A sensitivity label is a part of the metadata for a document or dataset which indicates the level of protection against disclosure which should be applied to the document.

For example, the UK Department of Trade and Industry defines one possible labeling scheme for data sensitivity, in order to encourage the proper handling of information shared between organizations in Protecting Business Information Keeping It Confidential.


A threat is the potential for a threat source, such as an individual or a situation, to exploit a vulnerability.

Tiger team attack

Organizations which manage highly sensitive information that is of great value to attackers to steal or modify, or at risk of sabotage, may wish to consider having a tiger team attack performed against their Identity Management infrastructure. The tiger team will investigate the system from the perspective of an attacker, either internal or external to the organization, and attempt to find unorthodox or unanticipated approaches to violating the security of the targeted system. Where the Identity Management system already is a production deployment, the tiger team may be required to target a simulated copy of the production infrastructure hosted independently, in order to ensure that the tiger team does not cause real damage or trigger responses which would be inappropriate for a simulation.

Trojan horse

A trojan horse is a malicious program that appears to have a useful function.


A vulnerability is a flaw or weakness in a system or process, which, if exploited, could have an impact.