The process or action of verifying the identity of a user or process.


The process of assigning approved access to specific data to an authenticated user.

Discretionary Access Control (DAC)

A system that uses discretionary access controls and allows the owner, creator or data custodian of an object to control and define access to that object.

Distributed Control System (DCS)

Systems that are typically used to control and monitor industrial processes and production systems within the same physical location. They are used in industrial sites such as oil refineries, power plants, automobile manufacturing plants and many others.

Demilitarized Zone (DMZ)

Sometimes referred to as a perimeter network, it is a physical or logical subnetwork that contains an organization’s external-facing services and allows connections from them to an untrusted network, usually a larger network such as the internet. Security measures, and access controls in particular, on devices within a DMZ are typically stronger than in any other area of a network.


Used in the protection of data, it is a process of transforming data (in storage or in transit in data communications) in a way that results in it being unreadable by unauthorized users. Mathematical algorithms are used to transform ‘plaintext’ (normal) data into ‘ciphertext’, which can only read if it decrypted.


A network security device that monitors incoming and outgoing network traffic and allows or blocks specific traffic based on a defined set of security parameters, or rules. Usually the first line of defense in a network.

Human Machine Interface (HMI)

The hardware, software or graphical user interface that allows a person to interact with a control system. It may display monitoring information such as alarm or alert conditions and trends.

Identity and Access Management (IAM)

The framework for business processes that facilitate the management of electronic or digital identities. The framework includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.

Intrusion Detection System (IDS)

Technology that alerts organizations to adverse or unwanted activity; a real-time monitoring of events as they happen in a computer system or network, using audit trail records and network traffic and analyzing events to detect potential intrusion attempts.

Intrusion Prevention System (IPS)

Technology that monitors activity like an IDS, but can automatically take proactive, preventive action if it detects unacceptable activity; any hardware or software mechanism that can detect and stop attacks in progress.

Mandatory Access Controls (MAC)

An access control method that is prohibitive rather than permissive. It uses an implicit ‘deny’ principle; if users are not specifically granted access to data, the system denies them access to the associated data. MAC controls rely on data labels, whereas Role-based Access Control (listed on page 22) are based on users’ job functions.

Multi-Factor Authentication (MFA)

A method of computer access control that requires two or more ways of establishing identity. It is based on the concepts of something you know, something you are and something you have.

Network Access Control (NAC)

Security solutions that use a set of protocols to implement policies for secure access to networks, using a set of checks against and actions on any device attempting to connect. Checks may include verifying antivirus and endpoint security measures functioning properly on the device attempting to connect. Actions may include quarantining devices that do not meet security standards or forcing the installation or updating of endpoint security software.

Role-Based Access Control (RBAC)

An access control model that bases access control authorizations on the roles (or job functions) that the user is assigned within an organization.

Rule-Based Access Control

An access control model that allows or denies requests to resource objects based on a set of rules defined by a system administrator.