Terminology

Active Directory
Active Directory is Microsoft’s trademarked directory service and an integral part of the Windows network architecture. It is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.
Automated Benchmark
A document that specifies settings and option selections that minimize the security risks associated with a computer hardware or software system. An automated benchmark is written using the XCCDF language together with one or more checking languages (such as OVAL) and is intended to contain all the information needed to evaluate compliance without human intervention.
Benchmark
A document that specifies settings and option selections that minimize the security risks associated with a computer hardware or software system. It is written using the XCCDF language but does not include compliance checks: a benchmark can be read, translated, and presented by checking tools, but it does not contain the information those tools need to evaluate compliance automatically.
Center for Internet Security (CIS)
The CIS is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

http://www.cisecurity.org/

Common Configuration Enumeration (CCE™)
CCE provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

http://cce.mitre.org/

Common Platform Enumeration (CPE™)
CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.

http://cpe.mitre.org/
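The CPE definition above mentions a formal name format and a method for checking names against a system. The following is an added example, not code from cpe.mitre.org, that parses names in the CPE 2.2 URI binding (cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}) and applies the usual matching rule: a platform name from a benchmark matches a system when every component it specifies equals the system's component, and an omitted component matches anything. The matching rule as stated, the system name and the benchmark list are assumptions constructed for illustration; the later CPE 2.3 formatted-string binding (cpe:2.3:...) is deliberately rejected.

```python
"""CPE 2.2 URI parsing and name matching (added example, not MITRE's code).

Assumptions: CPE 2.2 URI binding with seven colon-separated components after
"cpe:/", an empty or missing component meaning "unspecified", and matching
where every specified component of the platform name must equal the system's
component. Sample names below are constructed for illustration.
"""

from urllib.parse import unquote

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(name):
    """Split a CPE 2.2 URI into a dict of its seven components.

    Missing trailing components are filled with "" (unspecified). Components are
    percent-decoded, because the URI syntax escapes characters such as ":".
    Names in other bindings (for example "cpe:2.3:...") raise ValueError.
    """
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError("too many components in %r" % name)
    fields += [""] * (len(COMPONENTS) - len(fields))
    parsed = dict(zip(COMPONENTS, (unquote(f) for f in fields)))
    if parsed["part"] not in ("h", "o", "a"):
        raise ValueError("part must be h (hardware), o (OS) or a (application): %r" % name)
    return parsed


def cpe_matches(platform, system):
    """Return True if a benchmark's platform name applies to the system's name.

    Every component of the platform name must be unspecified ("") or equal,
    case-insensitively, to the system's component. A component that is
    specified on the platform side but unspecified on the system side does
    not match, because the system's value is unknown.
    """
    p, s = parse_cpe(platform), parse_cpe(system)
    return all(p[c] == "" or p[c].lower() == s[c].lower() for c in COMPONENTS)


def applicable_benchmarks(system, benchmarks):
    """Select the (title, platform) benchmarks whose platform matches the system."""
    return [title for title, platform in benchmarks if cpe_matches(platform, system)]


# Constructed sample data (assumption): one system identified by its OS name,
# and benchmark titles paired with the <platform> CPE names they declare.
SYSTEM = "cpe:/o:microsoft:windows_xp::sp3:professional"
BENCHMARKS = [
    ("Windows XP benchmark", "cpe:/o:microsoft:windows_xp"),
    ("Windows XP SP3 benchmark", "cpe:/o:microsoft:windows_xp::sp3"),
    ("Windows Vista benchmark", "cpe:/o:microsoft:windows_vista"),
    ("IE 7 benchmark", "cpe:/a:microsoft:ie:7"),
]

if __name__ == "__main__":
    print(parse_cpe(SYSTEM))
    print(applicable_benchmarks(SYSTEM, BENCHMARKS))
```

The useful edge case is the second assertion in the usage: a platform name that specifies an update ("sp3") does not match a system name that leaves the update unspecified, so a benchmark scoped to a service pack is not applied to a system whose inventory only reports the product.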

Defense Information Systems Agency (DISA)
DISA provides real-time IT and communications support to the President, Vice President, Secretary of Defense, the military services, and the combatant commands.

http://www.disa.mil/

DISA STIG
Defense Information Systems Agency Security Technical Implementation Guides. DISA STIGs are checklists that present the known security configuration items, vulnerabilities, and issues that DoD policy requires to be addressed.
Extensible Configuration Checklist Description Format (XCCDF)
XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.

http://scap.nist.gov/specifications/xccdf/

Federal Desktop Core Configuration (FDCC)
The FDCC, an OMB (U.S. Office of Management and Budget) mandate, requires that all Federal agencies standardize the configuration of approximately 300 settings on each of their Windows XP and Vista computers.

http://fdcc.nist.gov/

National Institute of Standards and Technology (NIST)
NIST is a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

http://www.nist.gov/

NIST SP 800-53
National Institute of Standards and Technology Special Publication 800-53: Recommended Security Controls for Federal Information Systems

http://csrc.nist.gov/publications/PubsSPs.html

NIST SP 800-68
National Institute of Standards and Technology Special Publication 800-68: Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

http://csrc.nist.gov/publications/PubsSPs.html

Open Checklist Interactive Language (OCIL)
The OCIL defines a framework for expressing a set of questions to be presented to a user and procedures to interpret responses to these questions for the purpose of developing security checklists.

http://scap.nist.gov/specifications/ocil/

Open Vulnerability and Assessment Language (OVAL®)
OVAL is an international information-security community standard that promotes open and publicly available security content and standardizes the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details and an assortment of content repositories maintained throughout the community.

http://oval.mitre.org/

Recommendation Tracker™ (RT)
A tool developed to facilitate consistent guidance authoring through an established, standardized format for creating, developing, tracking, and producing all information pertinent to security guide and benchmark generation.

https://sourceforge.net/projects/rectracker/

Registry
The Windows registry is a hierarchical database that stores configuration settings and options for the Microsoft Windows operating system. Many Windows benchmark settings are expressed as registry values, so compliance checks for Windows frequently test registry keys and values.
Rule
The unit of a benchmark containing the recommendation, rationale, and how-to. In the case of an automated benchmark, a Rule consists of the recommendation, rationale, how-to, and compliance check.
Recommendation
The component of a Rule which explains what security-relevant action to take.
Rationale
The component of a Rule which explains why a certain action should be taken.
How-To
The component of a Rule within a benchmark which details how to carry out a specific action.
Compliance Check
A Boolean (pass/fail) check used to determine compliance with a desired state. Ideally expressed in a standardized format to ensure the guidance is easily consumed by a broad audience. Standardized formats currently include OVAL.
Rule Categories
A category is applied to each Rule to indicate how compliance with it is determined: by a test that a tool can run, by a question asked of a user, or by a report that must be analyzed further. The three categories are defined below.
Check Category
A category applied to a Rule that indicates that a tool can run a test and return a true or false result showing whether the system is in compliance.
Question Category
A category applied to a Rule which indicates that a question must be asked of a user to determine compliance.
Report Category
A category applied to a Rule which indicates that a report is needed for further analysis to determine compliance.
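The XCCDF entry above describes a benchmark as a structured collection of rules, the Rule entries describe the components of each rule (recommendation, rationale, how-to, compliance check), and the Rule Categories entries describe how each rule's compliance is determined. The following added example, which is not content from NIST, MITRE or the Recommendation Tracker project, ties those three passages together: it embeds a small constructed XCCDF benchmark, reads each Rule's components out of it, and classifies every Rule into the Check, Question or Report category. Assumptions: the XCCDF 1.1 namespace, the OVAL and OCIL check-system identifiers, the mapping of an OVAL check to Check, an OCIL questionnaire to Question and the absence of a machine-readable check to Report, and all rule ids, texts and check references, which are constructed for illustration.

```python
"""Read Rule components and categories from an XCCDF benchmark (added example).

Assumptions: XCCDF 1.1 namespace, OVAL/OCIL check-system identifiers as used in
SCAP content, and the category mapping OVAL -> Check, OCIL -> Question,
no check -> Report. The benchmark below is constructed for illustration and
is not real NIST, DISA or CIS content.
"""

import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"                 # assumed XCCDF 1.1 namespace
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # assumed OVAL check system
OCIL_SYSTEM = "http://scap.nist.gov/schema/ocil/2"              # assumed OCIL check system
NS = {"x": XCCDF}

# Constructed benchmark with one Rule per category. XCCDF element names map to
# the glossary's Rule components: title/description = recommendation,
# rationale = rationale, fixtext = how-to, check/check-content-ref = compliance check.
BENCHMARK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF}" id="example-win-benchmark">
  <status date="2011-08-30">draft</status>
  <title>Example Windows benchmark (constructed)</title>
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Rule id="rule-guest-disabled" selected="true" severity="medium">
    <title>Disable the built-in Guest account</title>
    <description>The Guest account must be disabled.</description>
    <rationale>An enabled Guest account allows unauthenticated logon.</rationale>
    <fixtext>In Local Users and Groups, open Guest and set Account is disabled.</fixtext>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="win-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-backup-media" selected="true" severity="low">
    <title>Store backup media off site</title>
    <description>Backup media must be stored at a separate location.</description>
    <rationale>On-site media are lost in the same incident as the system.</rationale>
    <fixtext>Arrange off-site storage with the records custodian.</fixtext>
    <check system="{OCIL_SYSTEM}">
      <check-content-ref href="win-ocil.xml" name="ocil:example:questionnaire:1"/>
    </check>
  </Rule>
  <Rule id="rule-review-audit-log" selected="true" severity="low">
    <title>Review the Security event log weekly</title>
    <description>Administrators must review the Security log every week.</description>
    <rationale>Audit records that nobody reviews do not detect misuse.</rationale>
    <fixtext>Export the Security log and record the review in the log book.</fixtext>
  </Rule>
</Benchmark>
"""


def rule_components(rule):
    """Return a Rule's recommendation, rationale, how-to and compliance-check reference."""
    def text(tag):
        node = rule.find("x:" + tag, NS)
        return (node.text or "").strip() if node is not None else ""

    check = rule.find("x:check", NS)
    ref = check.find("x:check-content-ref", NS) if check is not None else None
    return {
        "id": rule.get("id"),
        "recommendation": text("title"),
        "description": text("description"),
        "rationale": text("rationale"),
        "how_to": text("fixtext"),
        "check_system": check.get("system") if check is not None else None,
        "check_ref": (ref.get("href"), ref.get("name")) if ref is not None else None,
    }


def rule_category(components):
    """Assumed mapping to the page's categories: OVAL check -> Check,
    OCIL questionnaire -> Question, no machine-readable check -> Report."""
    system = components["check_system"]
    if system == OVAL_SYSTEM:
        return "Check"
    if system == OCIL_SYSTEM:
        return "Question"
    return "Report"


def load_benchmark(xml_text):
    """Parse an XCCDF document; return (platform CPE names, list of rule dicts)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Benchmark" % XCCDF:
        raise ValueError("not an XCCDF 1.1 Benchmark: %s" % root.tag)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rules = []
    for rule in root.iter("{%s}Rule" % XCCDF):  # iter() also finds Rules nested in Groups
        comp = rule_components(rule)
        comp["category"] = rule_category(comp)
        rules.append(comp)
    return platforms, rules


def is_automated(rules):
    """Per the glossary, an automated benchmark carries a compliance check for every Rule."""
    return all(r["check_ref"] is not None for r in rules)


if __name__ == "__main__":
    platforms, rules = load_benchmark(BENCHMARK_XML)
    print("platforms:", platforms)
    for r in rules:
        print(r["id"], r["category"], r["check_ref"])
    print("automated benchmark:", is_automated(rules))
```

Because the third Rule has no check element, is_automated() reports False for the whole document: it is a benchmark in the page's sense, not an automated benchmark, even though two of its three rules could be evaluated by a tool.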
The Security Content Automation Protocol (SCAP)
SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance).

http://nvd.nist.gov/scap.cfm

Windows Investigator Tool (WIT)
A tool developed to assist in locating the configuration data required to produce OVAL and XCCDF documents. The tool can monitor multiple underlying repositories on Windows, specifically WMI and Active Directory, and report in real time all properties that are modified.
Windows Management Instrumentation (WMI)
WMI is the infrastructure for management data and operations on Windows-based operating systems.
XML
Extensible Markup Language

http://www.w3.org/XML/


Page Last Updated: August 30, 2011