Acceptable Interruption Window
Wā Whakararu Ka Taea
The amount of time a business process can be disrupted without causing significant harm to the organisation’s mission.1
Advanced persistent threat (APT)
Tuma pakepake arā atu anō
A well-resourced, highly skilled cyber actor or group that has the time, resources, and operational capability for long-term intrusion campaigns. Their goal is typically to covertly compromise a target, and they will persist until they are successful. They are very capable of compromising secured networks using both publicly disclosed and self-discovered vulnerabilities.
Accreditation
Whakamanatanga
A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the operation of a system, and issues a formal approval to operate the system as laid out in the NZISM.
Asset
Rawa
Anything of value to an agency, such as IT equipment and software, information, personnel, documentation, reputation and public confidence.
Asset classification
Tautohu rawa
The identification and ascribing of value to an asset within the context of an organisation’s operating environment.
Baseline security
Haumarutanga paerewa
Information and controls that are used as a minimum implementation or starting point to provide a consistent minimum standard of systems security and information assurance.
Biometrics
Inekoiora
A measurable physical characteristic or personal behavioural trait used to recognise the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.2
Botnet
Whatunga Pūwerewere
Normally networks of compromised personal or office devices such as internet modems, personal computers, or network-attached storage. Malicious cyber actors use these as infrastructure to send spam, perform denial-of-service activities, or attempt to obfuscate the origins of a malicious cyber campaign.
Business owner
Rangatira pakihi
An individual, role, or group responsible for the business or functional needs of an information system, focusing on the value, functionality, and data within the system, and ensuring security and privacy requirements are met.
Certification
Whakamana
The process by which the controls and management of an information system are formally evaluated against any specific risks identified, and with the requirements of the NZISM. A key output is a formal assurance statement that the system conforms to the requirements of the NZISM.
Chief Information Security Officer
Kaiārahi Haumaru Mōhiotanga Matua
A senior executive with overall responsibility for the governance and management of information risks within an agency. This may include coordination between security, ICT and business functions to ensure risks are properly identified and managed.
Cloud service
Ratonga kapua
Provides ubiquitous, convenient, on-demand access to shared pools of computing resources (such as servers, storage, or online applications).
Common vulnerabilities and exposures (CVE)
Whakaraeraetanga
A vulnerability is a weakness in software, hardware, or a network that can be exploited by an actor. The Common Vulnerabilities and Exposures (CVE) database is a publicly available register of known vulnerabilities, each assigned a unique identifier in the format CVE-yyyy-xxxx.
Continuous monitoring
Aroturuki haere tonu
The ongoing ability to observe, track and report on any changes or deviations from baseline controls or agreed upon operating conditions.
Credentials
Whakatūturu pārongo
A user’s authentication information used to verify identity – typically a password, token or certificate.
Cryptocurrency miner
Maina moni whitirangi
Malicious software that co-opts computing resources for generating cryptocurrency. Many digital currencies require the solving of computationally intensive mathematical problems in order to generate digital assets.
Cyberspace
Āteatāurungi
The global network of interdependent information technology infrastructures, telecommunication networks, and computer processing systems in which online communication takes place.
Cyber risk
Ngā mōrea ā-ipurangi
The risk of depending on cyber resources (i.e., the risk of depending on a system or system elements that exist in or intermittently have a presence in cyberspace).3
Cyber security
Whakahaumaru ā ipurangi
Measures to protect systems, data, and devices from unauthorised access, and ensuring the confidentiality, integrity, and availability of information.
Cyber security incident
Maiki haumarutanga ā-ipurangi
A cyber security incident is any event that jeopardises or may jeopardise the confidentiality, integrity, or availability of an information system, or the information a system processes, stores, or communicates.
Data breach
Raraunga wāwāhi
The intentional or unintentional release of sensitive or private information into an unsecure environment.
Defence evasion
Karo kaupare
A tactic that describes a series of attempts to avoid network defenders discovering a malicious actor.
Denial of service (DoS)
Whakakore ratonga
An attempt to make an online service unavailable by overwhelming the service with more traffic than it can handle.
Digital asset inventory
Rārangi rawa matihiko
A list of assets (and their properties) possessed and maintained digitally by an organisation.
Disinformation
Ngā kōrero horihori
The deliberate, intentional spread of false and misleading information designed to achieve a strategic purpose.
Emerging threats
Ngā whakaraerae aranga
Event(s) that could potentially have adverse impact to operations, assets or individuals caused by factors including advances in technology, changes in tactics used by threat actors, or geopolitical events.
End-of-life
Wā mutu
Discontinuation of software or IT equipment that is no longer manufactured, sold or updated or maintained by the manufacturer.
End-of-support
Whakamutu tautoko
Discontinuation of features, updates, security patches or any further improvements for software or IT equipment.
Exfiltration
Tāhae
Where an actor has unauthorised access to private organisational data (for example, legitimate credentials or intellectual property) and copies it from a system.
Hardware
Pūmārō
A generic term for any physical component of information and communication technology, including peripheral equipment and media used to process information.
Hybrid threat
Tuma momorua
A mix of military, non-military, covert and overt activities by state- and non-state-sponsored actors that occur below the line of conventional warfare.
Hypervisor
Kaiwhakahaere pūrere marik
Software enabling the creation, management, and running of discretely hosted virtual machines (VMs) on the same hardware.
Information asset
Rawa mōhiohio
Any piece of information or related equipment that has value to an organisation. This includes equipment, facilities, patents, intellectual property, software, and hardware. Information assets also include services, information, and people, and characteristics such as reputation, brand, image, skills, capability, and knowledge.
Incident
Maiki
An occurrence or activity that appears to have degraded the confidentiality, integrity, or availability of a data system or network.
Incident response plan
Mahere urupare maiki
A plan for responding to information security incidents, as defined by an individual organisation.
Indicators of compromise (IoCs)
Paetohu whakamōrearea (ngā IoC)
Usually IP addresses, domain names, or files that may be shared publicly or in confidence. Together they suggest a computer system or network may be compromised.
Information Technology Security Manager
Kaiwhakahaere Haumaru Hangarau Mōhiohio
Information Technology Security Managers (ITSMs) are executives within an agency who act as a conduit between the strategic directions provided by the CISO and the technical efforts of systems administrators. The main responsibility of ITSMs is the administrative controls relating to information security within the organisation.
Living off the land
He ora nō te whenua
A technique using legitimate and pre-existing software on a victim network, in contrast to the installation of malicious software, to maintain network access. Use of legitimate software and accounts is less likely to raise alerts for defenders.
Malicious cyber actor
Nanakia tūkino mōhiohi
An individual or group of people who seek to exploit computer systems to steal, destroy, or degrade an organisation’s information. Actors may be individual computer hackers, part of an organised criminal group, or state-sponsored.
Malware
Pūmanawa kino
Malicious software or code intended to have an adverse impact on organisations’ or individuals’ data, such as viruses, Trojans, or worms.
Mandated agencies
Ngā tari whai mana
Agencies mandated under the GCISO authority are those set out in the Protective Security Requirements.
Mitigation
Ārai mōrea
Steps that organisations and individuals can take to minimise and address cyber security risks.
Nationally significant organisation
Whakahaere hira ā-Motu
Organisations such as government agencies, key economic generators, niche exporters, research institutions, and operators of critical national infrastructure. If these organisations were affected by a cyber security incident, the impact could lead to national-level harm.
Opportunistic cyber activity
Ngohe ā-ipurangi tūpono
Occurs when malicious cyber actors select their victims based on the availability of a vector of compromise, regardless of victim location, sector, or intelligence value.
Personal information
Ngā mōhiohio whaiaro
Information about an individual, including name, date of birth, biometric records, medical, educational, financial, and employment information.
Protective Security Requirements
Ngā Whakaritenga Haumarutanga Whakamaru
The Protective Security Requirements (PSR) outlines the Government’s expectations for managing personnel security, physical security, and information security.
Phishing
Hītinihanga
The use of fake, deceptive, or alluring messages to solicit a behaviour from the recipient – such as clicking a link or divulging personal information or credentials.
Public attribution
Whakahuatia whānuitia nō hea
A tool used by governments and private-sector organisations to deliberately release information about the source of a cyber intrusion, primarily to uphold norms about what constitutes acceptable state behaviour in cyberspace.
Ransomware
Pūmanawa utu uruhi
A type of malware designed to disrupt the use of computer systems and files until a ransom is paid.
Recovery point objective
Whāinga wāhi whakaora
The point in time to which data must be recovered to after an outage.4
Recovery time objective
Whāinga wā whakaora
The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organisation’s mission or mission/business processes.5
Risk
Mōrea
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.6
Risk owner
Kaipupuri mōrea
An individual or group accountable and authorised to manage a specific risk or group of risks identified within the organisation.
Risk tolerance
Rata ki te mōrea
The level of risk an entity is willing to assume in order to achieve a potential desired result.7
Rollback
Huriwhakamuri
A backup procedure whereby a system is restored back to a known good state prior to failure or disruption.
Secure by default
Hanga haumaru
A security concept whereby software or hardware products are resilient against prevalent exploitation techniques out of the box.8
Security risk management plan
Mahere whakahaere mōrea haumarutanga
A plan that identifies the cyber risks and appropriate risk treatments including controls needed to meet organisational policy.
Software
Pūmanawa
Computer programs and associated data that may be dynamically written or modified during execution.9
Supply chain compromise
Poke ara ratonga
A form of attack that targets software, hardware, or an IT service provider, where the ultimate aim is to exploit downstream customers.
Targeted cyber activity
Ngohe ā-ipurangi heipū
Occurs when malicious cyber actors demonstrate an intent or a tasking to compromise an organisation for its intelligence value, regardless of a specific access vector.
Third party
Kiritoru
An external entity such as a service provider, vendor, contractor, or partner that has a contractual or non-contractual relationship with an organisation.10
Threat
Tuma
Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, or reputation), organisational assets, or individuals through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.11
Threat landscape
Ngā mea whakamōrea
The dynamic nature of threats caused by geopolitical events, emerging threats, threat actors, and vulnerabilities affecting the assets.
Virtual private server (VPS)
Tūmau tūmataiti mariko
A portion of a large physical server divided into virtual spaces available for temporary use.
Vulnerability
Whakaraeraetanga
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Zero-day vulnerability
Whakaraeraetanga rā-kore
A software vulnerability for which there is currently no patch, and for which there is often no CVE number assigned. The term derives from the number of days for which defenders and developers have been aware of the vulnerability.
Footnotes:
1 https://csrc.nist.gov/glossary/term/maximum_tolerable_downtime
2 https://csrc.nist.gov/glossary/term/biometrics
3 https://csrc.nist.gov/glossary/term/cyber_risk
4 https://csrc.nist.gov/glossary/term/recovery_point_objective
5 https://csrc.nist.gov/glossary/term/recovery_time_objective
6 https://csrc.nist.gov/glossary/term/risk
7 https://csrc.nist.gov/glossary/term/risk_tolerance
9 https://csrc.nist.gov/glossary/term/software
10 https://csrc.nist.gov/glossary/term/third_party_providers
11 https://csrc.nist.gov/glossary/term/threat
12 https://csrc.nist.gov/glossary/term/vulnerability