Access control

Certifying that only authorized access is given to assets (both physical and electronic). For physical assets, access control may be required for a facility or restricted area (e.g. screening visitors and materials at entry points, escorting visitors). For IT assets, access controls may be required for networks, systems, and information (e.g. restricting users on specific systems, limiting account privileges).

Accountable COMSEC material

COMSEC material requiring control and accountability within the National COMSEC Material Control System (NCMCS) as directed by its Accounting Legend Code (ALC). Control and accountability is required because transfer or disclosure of this material could be detrimental to Canada's national interest. Also known as ACM.

Administrative privileges

The permissions that allow a user to perform certain functions on a system or network, such as installing software and changing configuration settings.

Allow list

An access control list that identifies who or what is allowed access, in order to provide protection from harm.

Anti-virus software

Software that defends against viruses, Trojans, worms, and spyware. Anti-virus software uses a scanner to identify programs that may be malicious. Scanners can detect known viruses, previously unknown viruses, and suspicious files.

Artificial intelligence

A subfield of computer science that develops intelligent computer programs to behave in a way that would be considered intelligent if observed in a human (e.g. solve problems, learn from experience, understand language, interpret visual scenes).

Asymmetric key

Two related keys (a public key and a private key) that perform complementary operations, such as encrypt and decrypt or generate signatures.


A process or measure used to verify a users identity.


Access privileges granted to a user, program, or process.


The ability for the right people to access the right information or systems when needed. Availability is applied to information assets, software, and hardware (infrastructure and its components). Implied in its definition is that availability includes the protection of assets from unauthorized access and compromise.



An undocumented, private, or less-detectable way of gaining remote access to a computer, bypassing authentication measures, and obtaining access to plaintext.

Baseline security controls

The minimum mandatory protective mechanisms outlined by Treasury Board of Canada Secretariat (TBS) policy instruments to be used in interdepartmental IT security functions and information systems.


A common technique in which a threat actor uses malware to connect infrastructure to another system or network, bypassing firewall restrictions on incoming traffic.


A blockchain is a write-only database, dispersed over a network of interconnected computers, that uses cryptography to create a tamper-proof public record of transactions. Because blockchain technology is transparent, secure and decentralized, a central actor cannot alter the public record.

Boundary interface

A network-layer interface between two zone interface points (ZIPs).

Browser-based exploitation

A misuse of legitimate browser components to execute malicious code. Simply visiting a website with hidden malicious code can result in exploitation.



A cryptography term for encrypted information.

Classified information

A Government of Canada label for specific types of sensitive data that, if compromised, could cause harm to the national interest (e.g. national defence, relationships with other countries, economic interests).


Applying logical techniques to sanitize data in all user-addressable storage locations to protect against simple ways of recovering data. This is done by overwriting data with a new value, or if overwriting is not supported, by using a menu option to reset the device to factory settings.

Cloud computing

The use of remote servers hosted on the Internet. Cloud computing allows users to access a shared pool of computing resources (such as networks, servers, applications, or services) on demand and from anywhere. Users access these resources via a computer network instead of storing and maintaining all resources on their local computer.

Code injection

Introducing malicious code into a computer program by taking advantage of a flaw in the program, or in the way it interprets data input by users.


The intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability.

Compromising emanations

Unintentional signals that, if intercepted and analyzed, would disclose the information emanating from any information processing system or equipment.


Communications security (COMSEC) is the discipline of preventing unauthorized access to telecommunications information in readable form, while still delivering the information to the intended recipients. COMSEC is comprised of multiple disciplines such as Cryptographic security, EMSEC (Emission security), Transmission security, and Physical security.

COMSEC account custodian

The person responsible for the receipt, storage, access, distribution, accounting, disposal, and destruction of all COMSEC material charged to the COMSEC account. The custodian is appointed by the organization's COMSEC authority.

COMSEC incident

An occurrence that threatens, or potentially threatens, the security of classified or protected Government of Canada information as it is being stored, processed, transmitted, or received.

COMSEC material

An item designed to secure or authenticate telecommunications information (e.g. cryptographic keys, equipment, modules, devices, documents, hardware, firmware, or software that includes or describes cryptographic logic and other items that perform COMSEC functions).


The ability to protect sensitive information from being accessed by unauthorized people.

Controlled cryptographic item

An unclassified secure telecommunications or information system, or any associated cryptographic component, governed by a set of control requirements in the National COMSEC Material Control System (NCMCS). The type of item is labelled in the NCMCS as a "controlled cryptographic item" or "CCI".

Critical infrastructure

Processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.

Cryptographic key

A numerical value used in cryptographic processes, such as encryption, decryption, signature generation, and signature verification.

Cryptographic material

All material, including documents, devices, and equipment, that contains cryptographic information and is essential to encrypting, decrypting, or authenticating communications.

Cryptographic material

All material, including documents, devices, and equipment, that contains cryptographic information and is essential to encrypting, decrypting, or authenticating communications.


The study of techniques used to make plain information unreadable, as well as to convert it back to a readable form.

Cyber attack

The use of electronic means to interrupt, manipulate, destroy, or gain unauthorized access to a computer system, network, or device. 

Cyber incident

Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.

Cyber security

The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber threat

A threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries.



An administrative process to remove classification markings, security designations, and handling conditions when information is no longer considered to be sensitive.


An IT security concept (also known as the castle approach) in which multiple layers of security are used to protect the integrity of information. These layers can include anti-virus and anti-spyware software, firewalls, hierarchical passwords, intrusion detection, and biometric identification.

Demilitarized zone

Also refered to as a perimeter network, the (Demilitarized Zone) DMZ is a less-secure portion of a network, which is located between any two policy-enforcing components of the network (e.g. between the internet and internal networks). An organization uses a DMZ to host its own internet services without risking unauthorized access to its private network.

Denial-of-Service attack

Any activity that makes a service unavailable for use by legitimate users, or that delays system operations and functions.

Deny list

An access control list used to deny specific items (e.g. applications, email addresses, domain names, IP addresses) known to be harmful.

Departmental security control profile

A set of security controls that establishes an organization's minimum mandatory IT security requirements.

Departmental security officer

The individual responsible for a department’s or organization’s security program.

Departmental security requirement

Any security requirements prescribed by senior officials of a department that applies generally to its information systems.


The monitoring and analyzing of system events in order to identify unauthorized attempts to access system resources.

Digital signature

A cryptologic mechanism used to validate an item's (e.g. document, software) authenticity and integrity.

Distributed Denial-of-Service attack

An attack in which multiple compromised systems are used to attack a single target. The flood of incoming messages to the target system forces it to shut down and denies service to legitimate users.


Edge interface

A network-layer service interface point that attaches an end system, internal boundary system, or zone interface point to a zone internetwork.

Emission security

The measures taken to reduce the risk of unauthorized interception of unintentional emissions from information technology equipment that processes classified data.


Converting information from one form to another to hide its content and prevent unauthorized access.


A network connected computer that, for a communication, is the end source or destination of a communication.

End-to-end encryption

A confidentiality service provided by encrypting data at the source end-system, with corresponding decryption occurring only at the destination end-system.

End-user systems

End systems for human use, such as a desktop with a personal computer (display, keyboard, mouse, and operating system).

Equipment emanation

An electric field radiation that comes from the equipment as a result of processing or generating information.


The unauthorized removal of data or files from a system by an intruder.



A security barrier placed between two networks that controls the amount and kinds of traffic that may pass between the two. This protects local system resources from being accessed from the outside.



An intermediate system that is the interface between two computer networks. A gateway can be a server, firewall, router, or other device that enables data to flow through a network.


A gateway that is placed between two networks, computers, or other information systems that operate at different security levels. The guard mediates all information transfers between the two levels so that no sensitive information from the higher security level is disclosed to the lower level. It also protects the integrity of data on the higher level.



Someone who uses computers and the internet to access computers and servers without permission.



The damage to the national interests and non-national interests that business activities serve resulting from the compromise of IT assets.

Injury level

The severity of an injury, which is defined in five levels: very low, low, medium, high, very high.


The ability to protect information from being modified or deleted unintentionally or when it’s not supposed to be. Integrity helps determine that information is what it claims to be. Integrity also applies to business processes, software application logic, hardware, and personnel.

Intellectual property

Legal rights that result from intellectual activity in the industrial, scientific, literary, and artistic fields. Examples of types of intellectual property include an author's copyright, trademark, and patents.


A boundary across which two systems communicate. An interface might be a hardware connector used to link to other devices, or it might be a convention used to allow communication between two software systems.


The network of everyday web-enabled devices that are capable of connecting and exchanging information between each other.

Intrusion detection

A security service that monitors and analyzes network or system events to warn of unauthorized access attempts. The findings are provided in real-time (or near real-time).

IT asset

The components of an information system, including business applications, data, hardware, and software.

IT threat

Any potential event or act (deliberate or accidental) or natural hazard that could compromise IT assets.



Key management

The procedures and mechanisms for generating, disseminating, replacing, storing, archiving, and destroying cryptographic keys.

Keystroke logger

Software or hardware designed to capture a user's keystrokes on a compromised system. The keystrokes are stored or transmitted so that they may be used to collect valued information.


Least privilege

The principle of giving an individual only the set of privileges that are essential to performing authorized tasks. This principle limits the damage that can result from the accidental, incorrect, or unauthorized use of an information system.



Malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.

Management security control

A security control that focuses on the management of IT security and IT security risks.

Multi-factor authentication

A tactic that can add an additional layer of security to your devices and account. Multi-factor authentication requires additional verification (like a PIN or fingerprint) to access your devices or accounts. Two-factor authentication is a type of multi-factor authentication.


Network security zone

A networking environment with a well-defined boundary, a Network Security Zone Authority, and a standard level of weakness to network threats. Types of zones are distinguished by security requirements for interfaces, traffic control, data protection, host configuration control, and network configuration control.


A connection point that can receive, create, store, or send data along distributed network routes. Each network node, whether it's an endpoint for data transmissions or a redistribution point, has either a programmed or engineered capability to recognize, process, and forward transmissions to other network nodes.


Operational security control

A security control primarily implemented and executed by people and typically supported by the use of technology (e.g. supporting software).


To write or copy new data over existing data. The data that was overwritten cannot be retrieved.



The boundary between two network security zones through which traffic is routed.


An attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts.


Unencrypted information.

Point of presence

An access point, location, or facility at which two or more different networks or communication devices connect with each other and the internet. Also referred to as PoP.


Quantum computing

A quantum computer can process a vast number of calculations simultaneously. Whereas a classical computer works with ones and zeros, a quantum computer will have the advantage of using ones, zeros and “superpositions” of ones and zeros. Certain difficult tasks that have long been thought impossible for classical computers will be achieved quickly and efficiently by a quantum computer.



A type of malware that denies a user's access to a system or data until a sum of money is paid.


Activity conducted by a threat actor to obtain information and identify vulnerabilities to facilitate future compromise(s).


A form of data sanitization for selected data-file elements (not to be confused with media sanitization, which addresses all data on media).

Remote exploitation

Exploitation of a victim machine by sending specially crafted commands from a remote network to a service running on that machine to manipulate it for the purpose of gaining access or information.

Residual risk

The likelihood and impact of a threat that remains after security controls are implemented.

Residual risk assessment

An assessment, which is performed at the end of the system development life cycle, to determine the remaining likelihood and impact of a threat.

Residual risk level

The degree of residual risk (e.g. high, medium, low).

Risk level

The degree of risk (e.g. high, medium, low).



Sanitization is a process through which data is irreversibly removed from media. The storage media is left in a re-usable condition in accordance with IT security policy, but the data that was previously on it cannot be recovered or accessed.

Secure destruction

The destruction of information assets through one or more approved methods, carried out alone or in combination with erasing, to ensure that information cannot be retrieved.

Secure erasure

A digital sanitization process that uses tools and industry-standard commands (e.g. ATA security erase) to erase all accessible memory locations of a data storage device.

Security control

A management, operational, or technical high-level security requirement needed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls can be applied by using a variety of security solutions that can include security products, security policies, security practices, and security procedures.

Separation of duties

A security principle stating that sensitive or critical responsibilities should be shared by multiple entities (e.g. staff or processes), rather than a single entity, to prevent a security breach.

Social engineering

The practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or internet to trick people into revealing sensitive information. For example, phishing is a type of social engineering.

Spear phishing

The use of spoofed emails to persuade people within an organization to reveal their usernames or passwords. Unlike phishing, which involves mass mailing, spear phishing is small-scale and well targeted.

Symmetric key

A cryptographic key used to perform the cryptographic operation and its inverse operation (e.g. encrypt and decrypt, create a message authentication code and verify the code).



The name for specifications and standards for limiting the strength of electromagnetic emanations from electrical and electronic equipment which lead to reduced vulnerability to eavesdropping. This term originated in the U.S. Department of Defense.

Threat and risk assessment

A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats.

Threat event

An actual incident in which a threat agent exploits a vulnerability of an IT asset of value.


A malicious program that is disguised as or embedded within legitimate software.

Two-factor authentication

A type of multi-factor authentication used to confirm the identity of a user. Authentication is validated by using a combination of two different factors including: something you know (e.g. a password), something you have (e.g. a physical token), or something you are (a biometric).

Two-step verification

A process requiring two different authentication methods, which are applied one after the other, to access a specific device or system. Unlike two-factor authentication, two-step verification can be of the same type (e.g. two passwords, two physical keys, or two biometrics). Also known as Two-step authentication.


Unpatched application

A supported application that does not have the latest security updates and/or patches installed.


Virtual private network

A private communications network usually used within a company, or by several different companies or organisations to communicate over a wider network. VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN.


A computer program that can spread by making copies of itself. Computer viruses spread from one computer to another, usually without the knowledge of the user. Viruses can have harmful effects, ranging from displaying irritating messages to stealing data or giving other users control over the infected computer.


A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations.

Vulnerability assessment

A process to determine existing weaknesses or gaps in an information system's protection efforts.



A malicious program that executes independently and self-replicates, usually through network connections, to cause damage (e.g. deleting files, sending documents via email, or taking up bandwidth).




Zero day

A zero-day vulnerability is a software vulnerability that is not yet known by the vendor, and therefore has not been mitigated. A zero-day exploit is an attack directed at a zero-day vulnerability.