P

P2P – see Peer-to-peer.

Packets – the standard units of data sent across the Internet. Data is broken up into packets, which allows multiple transmissions to share the same line; the packets are reassembled at the destination and placed back in their original order.

PA-DSS – Payment Application Data Security Standard – this standard sets out requirements for all payment applications (e.g. e-commerce shopping carts) to ensure that they are secure and that they do not store prohibited data, such as the full magnetic stripe, CVV2 or PIN data. The standard and a list of validated payment applications are available at www.pcisecuritystandards.org/security_standards/pa_dss.shtml.

Pairing – when two Bluetooth devices establish a secure, trusted relationship.

PAN – Personal Account Number – the 16-digit number across the face of most payment cards; an Amex card has a 15-digit PAN.

PAP – Password Authentication Protocol is a log-in security protocol that is less secure than CHAP because the password is sent to the client as clear text. See CHAP.

PA-QSA – is a QSA that has been assessed by the PCI SSC as being qualified to assess compliance to the PA-DSS standard. There is an annual re-certification process.

Parental control – this is software that is designed to enable parents to scan, filter and control the websites visited by their children, to protect them from objectionable content. Another form of parental control is the imposition of rules around the amount of time that may be spent online.

PAS – Publicly Available Specifications were originally documents written by BSI in conjunction with external organisations, with a view to supporting certification schemes. The designation has since been widened to include privately commissioned ‘standards’ published by BSI as part of its Professional Standards Service. See website at: www.bsiglobal.com.

Passwords – a string of characters entered into a computer, an application or a network by a user, to verify their identity as the owner of a specific username.

Password cracking – is, on balance, very easy. Most users do not set up passwords or, if they do, they use very simple passwords that they can easily remember, like ‘secret’ or ‘password’, or their children’s names, birthdays, sports teams, particular anniversaries or family names. While some hackers can quickly identify a particular user’s password, software is now available on the Internet that will apply ‘brute force’ to try, automatically and at high speed, every theoretically possible alphanumeric combination of user name and password. Usually aided by a dictionary of common passwords (a ‘dictionary attack’), this can quickly enable a hacker to gain access to a system. Once a hacker locates the list of encrypted user passwords on the security server, he can use Internet-available software tools to decrypt it.

Patch – an update to a file that replaces only parts of the file, rather than the whole file.

Payload – the damage or other malicious activity that a virus, worm or spam causes.

Payment card – one of those pieces of plastic that are said to have contributed to the recent financial crisis. Payment cards are issued by payment brands such as Amex, Discover, JCB, MasterCard and Visa.

PCI – Payment Card Industry.

PCI DSS – the Payment Card Industry Data Security Standard (at version 1.2 in February 2010) sets out mandatory security standards for all organisations that accept payment cards for payment. The standard is available from www.pcisecuritystandards.org.

PCI SSC – the Payment Card Industry Security Standards Council is the independent organisation founded by the payment card brands to improve protection of payment card data.

PDA – a Personal Digital Assistant is a device that stores digital contact, diary and other data; it may also store e-mail and be capable of communicating (either wired or wirelessly) with a computer or a network. A Blackberry is a form of PDA that has mobile phone connectivity and exists specifically to handle e-mail while on the move.

PDCA – Plan – Do – Check – Act – the PDCA cycle is the basic approach to quality management, originated after WW2 by W. Edwards Deming and initially espoused by Japan rather than America. The basic idea is that you should plan what you’re going to do, then you should do it, then you should check to see whether it worked the way you planned it to work, then you should take action to correct any deviations. The correction should be addressed by following the PDCA cycle. All management systems explicitly require management to adopt a PDCA approach in designing and implementing the management system.

PDF – Portable Document Format is a file extension indicating that a document has been saved in Adobe’s proprietary format.

Peer-to-peer – a network connecting two or more computers directly to one another, without using a central file server.

Penetration testing – this is the organised process of assessing the full range of threats to an organisation and setting out deliberately to infiltrate and penetrate its systems, using any and all methods, from technological hacking through to social engineering. Also see Ethical hacking.

Perimeter – the organisation’s boundary has both physical and logical aspects. In information security terms, the perimeter is where you draw the line, the line beyond which only authorised and authenticated users may go. In today’s business environment, that perimeter is increasingly a mobile one.

Personal data – that information about a living person (i.e. not an organisation) that is protected by legislation and regulation.

Personal Digital Assistants – see PDA.

PGP – Pretty Good Privacy is a public key encryption program that enables files or messages to be exchanged with confidentiality and authentication.

Pharming – criminal activity resulting in users being redirected from an entered, correct website address, to a fake website.

Phishing – sending e-mails that falsely claim to come from a legitimate company in an attempt to scam users into surrendering information that can be used for identity theft.

Physical security – is security that is effective in the analogue world.

PIN – Personal Identity Number.

Piracy – illegal use or duplication of material covered by copyright or other intellectual property rights.

PKI – Public Key Infrastructure is the combination of standards, protocols and software that supports public key encryption.

PKIX – the Public Key Infrastructure (PKIX) working group of IETF has been taking forward work on the definition of a standard, interoperable Public Key Infrastructure and on fostering usage of public key security services.

Platforms – a hardware and software combination (e.g. Windows XP on an Intel PC).

Policy – overall intention and direction as formally expressed by management (# and *).

Pop-ups and pop-downs – small windows that appear when users visit some websites; pop-ups are the windows that pop up, pop-downs do it in the other direction.

Ports – hardware ports are connection points for cables; logical (or virtual) ports are access points for protocols.

PowerPoint – Microsoft’s slide presentation application.

PPTP – the Point-To-Point Tunnelling Protocol provides security for transmission of sensitive information over unprotected networks.

Preventive action – action to eliminate the cause of a potential nonconformity or other undesirable potential situation (ISO9000:2005).

Privacy – the control that individuals have over the collection, use and distribution of their personal, private information.

Private key – one of two keys used in public key encryption. This key is kept private and secret, and is used to encrypt data prior to transmission, or to decrypt data that has been encrypted with the corresponding public key. See Public key.

Privileges – a privilege is any facility in a multi-user system that enables one user to override system or application controls. Inadequate control of privileges invariably leads to their inappropriate use; equally invariably, this abuse leads to system security breaches and is a major contributory factor in system failures. The most critical privileges are those which enable system administrators to do their jobs.

Problem – unknown underlying cause of one or more incidents. ****

Procedure – a set of specific, sequential steps; a specified way to carry out an activity or a process (ISO9000:2005).

Process – a series of interrelated or interacting activities which transform inputs into outputs (ISO9000:2005); a process might consist of a series of procedures.

Project governance – the framework and rules for controlling how project decisions are made and project activity is monitored.

Protective Marking – the UK Government Protective Marking System (‘GPMS’) is Security Policy No 2 within the SPF, and sets out how information assets must be marked to ensure that they are appropriately secured at all stages in their lifecycle.

Protective security – is the term used by the UK Cabinet Office to ‘encapsulate the mitigating actions/policies required to meet the prevailing threat to an organisation and to protect its assets from compromise’. It consists of three interdependent disciplines: physical security, information security and personnel security.

Protocol – a set of rules that govern an activity or process.

Proxy server – this is a server that sits between a client (e.g. a browser) and a real server, or between an organisation and the Internet. It improves performance by filling a request directly when the necessary information is already available to it, rather than forwarding the request to the Internet. Proxy servers can also block unauthorised activity, whether outgoing or incoming (see Firewall).

Public key – one of two keys used in public key encryption (see Asymmetric encryption). The public key is released to the public, and used to encrypt data prior to transmission to the holder of the private key or to decrypt data that has been encrypted with the corresponding private key. It can also be used to verify the user’s digital signature. See Private key.

Public key encryption – see Asymmetric encryption.

Public terminals – computer terminals that are in a public area and are designed for access by non-specific users.
