OMNISTREAM Retail Solutions
Security and Compliance (Glossary of Terms)
Author: Wendy Chen
Document Version: 21.0

1 Document Management

1.1 Document Control
Document Owner: Chief Executive Officer
Review Period: Annual

1.2 Document Version
Date: 01 July 2022
Version: 21.0
Author: Wendy Chen
Alterations: Ready for release

1.3 About This Document
This document has been drafted for the express purpose of providing the Glossary of Terms for Omnistream.

Disclaimer
© 2022 Omnistream Pte Ltd. All Rights Reserved. No part of this material may be reproduced, distributed or transmitted in any form or by any means without the prior written consent of Omnistream Pte Ltd.

Table of Contents
1 Document Management
1.1 Document Control
1.2 Document Version
1.3 About This Document
2 Overview
2.1 Purpose and audience
2.2 Related Documents
3 Terms, Acronyms and Abbreviations

2 Overview

2.1 Purpose and audience
This document provides a common glossary of terms for all of the documents that support Omnistream's Security and Compliance obligations. See Ref [1] for more details.

2.2 Related Documents
The documents related to or referred to in this document are listed below.
[1] Omnistream Security and Compliance (Documentation Overview)

3 Terms, Acronyms and Abbreviations
This section describes common terms, acronyms and abbreviations used in this document and across all Omnistream security and compliance documentation. Each entry gives the term followed by its meaning.

Access Violation: A known (or suspected) breach of an Omnistream Asset that has the potential to compromise the system or the data therein. Examples include (but are not limited to):
  - Loss of service, equipment or facilities.
  - System malfunctions or overloads.
  - Human errors.
  - Non-compliance with policies or guidelines.
  - Breaches of physical security arrangements.
  - Uncontrolled system changes.
  - Malfunctions of software or hardware.
  - Unauthorised access to any system or asset.

Administrator: A role, authorised by the organisation, that carries management responsibility for the operation of IT systems. See Privileged Access.

AES: Advanced Encryption Standard.

AJAX: Asynchronous JavaScript and XML. A set of web development techniques that combine client-side web technologies to build asynchronous web applications. With Ajax, a web application can send data to and retrieve data from a server asynchronously, without interfering with the display and behaviour of the existing page.

API: Application Programming Interface.

APP: Alternative Processing Plan.

ASA: Agency Security Advisor.

Asset/s: Omnistream assets fall into the following categories:
  - Hardware – all infrastructure such as firewalls, servers, desktop machines etc.
  - Cloud Services – Amazon Web Services, Google Cloud and other cloud service providers.
  - Software and Services – SaaS-based deployments, including Notion, Whimsical, JIRA, BitBucket, StatusPage, SalesForce and other such services used by the business, as well as Omnistream source code.
  - Intellectual Property – key documentation and configuration relating to the above asset categories.
  - Human Resources – all Omnistream staff and contractors.

Authentication: The process of verifying the identity of an individual, device or process. Authentication typically uses one or more authentication factors:
  - Something you know, such as a password or passphrase.
  - Something you have, such as a token device or smart card.
  - Something you are, such as a biometric.

AWS: Amazon Web Services.

BCP: Business Continuity Plan.

BYOD: Bring Your Own Device. The arrangement under which an Omnistream staff member or contractor accesses Omnistream systems and services through a device that was not issued exclusively to them by Omnistream. In these cases Omnistream has given the staff member or contractor permission to use their own device to access Omnistream systems and services.
CCB: Change Control Board.

Certificate: In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key to an identity: information such as the name of a person or organisation, their address, and so forth. A certificate can be used to verify that a public key belongs to a particular individual or organisation, provided the issuing authority is trusted and its signature on the certificate is verified.

CFO: Chief Financial Officer of Omnistream.

Change: A request to implement a modification to existing behaviour. Note: excludes project-related changes, which are managed by or through the Project Office.

CI: Configuration Item – a component of an infrastructure that currently is, or soon will be, under configuration management. A CI may be a single module such as a monitor or tape drive, or a more complex item such as a complete system.

CIO: Chief Information Officer of Omnistream.

CMDB: Configuration Management Database – a repository that acts as a data warehouse for information about IT configuration items and their relationships.

Company: Omnistream Pte Ltd (or a related entity).

Commercial in Confidence Data: Information that is commercially sensitive and whose unauthorised disclosure would cause harm to the interests of Omnistream or to its partners or customers, normally through financial loss, embarrassment or loss of reputation (partners and customers may also suffer unwarranted distress, inconvenience, etc.).

Consumer: The person for whom an Omnistream Order is processed, either through a web-based transaction or an in-store transaction.

Contact: An unsolicited encounter with people or organisations that may be an attempt to obtain security or official information they do not have a need to know.

COO: Chief Operating Officer of Omnistream.

COTS: Commercial off the shelf.

Cryptography: The discipline of mathematics and computer science concerned with information security, particularly encryption and authentication.
  In application and network security, cryptography is a tool for access control, information confidentiality and integrity.

CSIR: Cyber Security Incident Reporting.

CTO: Chief Technology Officer of Omnistream.

Cyber-incident: The types of cyber security incident that should be reported to the relevant authorities in each jurisdiction include, but are not limited to:
  - Suspicious or seemingly targeted emails with attachments or links.
  - Any compromise or corruption of information.
  - Unauthorised access to, or intrusion into, an ICT system.
  - Data spills.
  - Intentional or accidental introduction of viruses to a network.
  - Denial of service attacks.
  - Suspicious or unauthorised network activity.

Data Spill: A cyber security incident that occurs when information is transferred between two security domains by an unauthorised means, for example from a classified network to a less classified network, or between two areas with different need-to-know requirements.

Database Server: A computer program that provides database services to other programs or computers, as defined by the client–server model. The term may also refer to a computer dedicated to running such a program. Database management systems frequently provide database server functionality, and some DBMSs (e.g., MySQL) rely exclusively on the client–server model for database access.

Devices: Any and all electronic equipment (e.g., computers, mobile phones, iPads and tablets) or storage media (e.g., USB and thumb drives, CDs, DVDs, iPods / MP3 players and any other media capable of storing Information).

DRP: Disaster Recovery Plan.

DSS: Data Security Standard.

Encryption: The process of converting information into a form that is unintelligible except to holders of a specific cryptographic key. Encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorised disclosure. See Strong Cryptography.

ERP: Emergency Response Plan.
Event: An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

GUI: Graphical User Interface.

HA: High Availability Architecture.

HDD: Hard Disk Drive.

Omnistream network: The network that supports the Omnistream host processing environment.

Omnistream office: Omnistream premises. Head Office: 8 Eu Tong Sen Street, #13-83 Office 2, Singapore 059818.

Omnistream System: The servers, applications and communications infrastructure developed and operated by Omnistream for the processing of Transactions in the production / end-user environment.

Host: The component of the Omnistream System whose primary role is to fulfil Transaction requests for service received from customers.

HR: Human Resources.

ICT: Information and Communications Technology.

ICTSP: ICT Security Policy.

Incident: An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. A known (or suspected) breach of an Omnistream system that has the potential to compromise the system or the data therein. Examples include (but are not limited to):
  - Loss of service, equipment or facilities.
  - System malfunctions or overloads.
  - Human errors.
  - Non-compliance with policies or guidelines.
  - Breaches of physical security arrangements.
  - Uncontrolled system changes.
  - Malfunctions of software or hardware.
  - Access violations.

Information: Includes electronically stored, non-public, proprietary, confidential or personal data, facts, processes, procedures or other materials.

IPS: Intrusion Prevention System.

IPSEC: Abbreviation for "Internet Protocol Security" (IPsec). A standard for securing IP communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.
IRP: Incident Response Plan.

ISIRT: Information Security Incident Response Team.

ISMF: Information Security Management Forum. The ISMF is a management group of Omnistream staff comprising technical security and management roles.

ISMS: Information Security Management System.

Issue: A request to investigate behaviour that is inconsistent with standard / expected behaviour.

IP: Intellectual Property.

IT: Information Technology.

ITSA: IT Security Adviser.

ITSM: IT Security Manager.

ITS: Information Technology Security.

ITSO: IT Security Officer.

ITSP: Information Technology Security Policy.

JSON: JavaScript Object Notation. An open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and array data types. It is a very common data format with a diverse range of applications, such as serving as a replacement for XML in AJAX systems.

LDAP: Lightweight Directory Access Protocol.

Linux: A Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of Linux is the Linux kernel, an operating system kernel first released on 5 October 1991 by Linus Torvalds.

Log Management Server: The intermediary server that collects all raw logs from the Omnistream network environment for distribution to the log analysis system.

Log Analysis System: The Splunk environment providing a platform to analyse and gain intelligence from log-based data.

LVM: Logical Volume Management.

Major Security Incident: An information security incident classified as major under the Cyber Security Incident Reporting (CSIR) scheme.

Malicious Software: Software designed or used to compromise the confidentiality, integrity or availability of a system or its data (e.g. viruses, worms, trojans, ransomware).

Media: Any hardware or paper-based asset containing sensitive data or Commercial in Confidence data. Media includes:
  - Hard disk drives
  - Optical discs (CD / DVD / Blu-ray)
  - Solid state drives
  - Paper

Merchant: The entity / business where a Service Device is installed.
Minor Security Incident: An information security incident classified as minor under the Cyber Security Incident Reporting (CSIR) scheme.

Network device: Infrastructure equipment used in the Omnistream network, for example:
  - Firewall
  - Load balancer
  - Switch
  - Router

Network Segmentation: The isolation of system components that store, process or transmit sensitive data from systems that do not, so that a compromise of the latter does not give direct network access to the former.

OHS: Occupational Health & Safety.

OVF: Open Virtualization Format.

Paper: Any paper document containing sensitive data.

PC: Personal Computer.

PDPA: Personal Data Protection Act 2012 (Singapore).

Penetration Test: A test that attempts to exploit vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing covers network and application testing as well as the controls and processes around the networks and applications, and is performed both from outside the network trying to get in (external testing) and from inside the network (internal testing).

PGP: Pretty Good Privacy.

PIR: Post Implementation Review.

Privileged Access: Access granted to particular roles to manage or administer IT components. It provides rights that others in the organisation do not have. It is typically granted in order to manage IT systems; it does not in itself confer the right to use the information contained within those systems.

QA: Quality Assurance.

RA: Risk Assessment.

REST or RESTful: Representational State Transfer, a software architectural style that uses a subset of HTTP. It is commonly used to create interactive applications that use web services. A web service that follows these guidelines is called RESTful.

RMP: Risk Management Plan.

RRMP: Response and Recovery Management Plan.

RTP: Risk Treatment Plan.

Sampling: The process of selecting a cross-section of a group that is representative of the entire group.

SDLC: Software Development Life Cycle.
Security Incident: A minor security incident, a major security incident, a security Contact from those seeking unauthorised access to official resources, or any other occurrence that results in negative security consequences.

Security Patch: A software update designed to fix, or work around, a known issue that affects security.

SFTP: SSH File Transfer Protocol (file transfer carried over an SSH session; not to be confused with FTP over TLS, known as FTPS).

SME: Subject Matter Expert.

SOE: Standard Operating Environment.

SOP: Standard Operating Procedure.

SSD: Solid State Drive.

SSP: System Security Plan.

STP: Spanning Tree Protocol.

Strong Cryptography: Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or "one way"). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher) and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (https://csrc.nist.gov/publications/detail/sp/800-57-part1/revised/archive/2007-03-01) for more information. Note that these minimums come from the 2007 revision of SP 800-57 cited above; the current revision (Part 1 Rev. 5, 2020) no longer accepts 80-bit security strength (RSA and ElGamal at 1024 bits, ECC at 160 bits) and sets 112-bit strength (RSA 2048 bits, ECC 224 bits and higher) as the minimum, and NIST has deprecated TDES. New systems should follow the current guidance.

Supplier: The supplier of e-products and/or e-services that are available to be processed on a transacting device.

Technology: Any and all computer programs or systems used to access, transmit, store or exchange Information.

Templates: Deployable system (OS) images.

TLS: Transport Layer Security protocol.

Two-Factor Authentication: A method of authenticating a user in which two distinct factors are verified (multi-factor authentication generalises this to two or more). The factors are something the user has (such as a hardware or software token), something the user knows (such as a password, passphrase or PIN) and something the user is or does (such as fingerprints or other forms of biometrics). Two checks of the same factor type (for example two passwords) do not constitute two-factor authentication.
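The Authentication and Two-Factor Authentication entries above describe "something you know" and "something you have" as separate factors. The following is an added example, written for this glossary and not Omnistream code, showing how a login check combines the two: the password factor is verified against a salted PBKDF2 hash, and the possession factor is a time-based one-time code (RFC 6238 TOTP) generated by a token the user holds. It uses only the Python standard library. The user record, the seed value (the RFC 6238 test seed) and the PBKDF2 iteration count are constructed for the demonstration and are not taken from the page.

```python
"""Two-factor login check: password (something you know) + TOTP (something you have).

Added example for the glossary, not Omnistream code. Standard library only.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000   # assumed setting; OWASP's 2023 figure for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                # RFC 6238 default time step in seconds
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Factor 1 (something you know): store a salted one-way hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time (no early-exit timing leak)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Factor 2 (something you have): accept the code for the current step and
    +/- `window` adjacent steps to tolerate clock drift between token and server."""
    if not (code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    accepted = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * TOTP_STEP)
        # Evaluate every candidate rather than returning early, so timing does
        # not reveal which step (if any) matched.
        accepted |= hmac.compare_digest(expected, code)
    return accepted


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed demo record: what the credential store holds for one user."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def two_factor_login(user: dict, password: str, code: str, at: int = None) -> bool:
    """Both factors are always evaluated, and the caller learns only pass/fail,
    so a failed attempt does not reveal which factor was wrong."""
    at = int(time.time()) if at is None else at
    knows = verify_password(password, user["salt"], user["pw_hash"])
    has = verify_totp(user["totp_secret"], code, at)
    return knows and has


if __name__ == "__main__":
    # Constructed credentials: the TOTP seed is the RFC 6238 test vector seed.
    demo = make_user("correct horse battery staple", b"12345678901234567890")
    now = int(time.time())
    token_code = totp(demo["totp_secret"], now)        # what the user's token shows
    print(two_factor_login(demo, "correct horse battery staple", token_code, at=now))
```

The two checks are deliberately kept separate: a stolen password hash says nothing about the TOTP seed, and a captured one-time code is useless after the time step (plus the drift window) has passed. In a deployment the seed would be provisioned to the token out of band and the drift window kept small, because each extra step widens the set of codes an attacker can guess.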
Unclassified Data: Information not containing any material that warrants a security classification, but for which unauthorised disclosure, particularly outside Omnistream, would be inappropriate.

URI: Uniform Resource Identifier.

VPN: Virtual Private Network – a secure way of connecting to a private local area network at a remote location, using the Internet or any insecure public network to carry the network packets privately by means of encryption. The VPN uses authentication to deny access to unauthorised users and encryption to prevent unauthorised users from reading the private network packets.

Workstation: A desktop computer or laptop (Windows or Mac).

XML: eXtensible Markup Language.