C cache RAM A process by that takes data from slower devices and temporarily stores it in higher-performance devices when its repeated use is expected. campus area network CAN A network that spans a college, university, or a multi-building office complex. capabilities list A list that maintains a row of security attributes for each controlled object. Although not as flexible as the token approach, capabilities lists generally offer quicker lookups when a subject requests access to an object. capability list Each row of an access control matrix is a capability list. A capability list is tied to the subject; it lists valid actions that can be taken on each object. cardinality The number of rows in a relational database. cell suppression The act of suppressing or hiding individual data items inside a database to prevent aggregation or inference attacks. centralized access control Method of control in which all authorization verification is per- formed by a single entity within a system. centralized alarm system An alarm system that signals a remote or centralized monitoring station when the alarm is triggered. certificate authority An agency that authenticates and distributes digital certificates. certificate revocation list CRL The list of certificates that have been revoked by a certificate authority before the lifetimes of the certificates have expired. certificates Endorsed copies of an individual’s public key that verifies their identity. certification The comprehensive evaluation, made in support of the accreditation process, of the technical and nontechnical security features of an IT system and other safeguards to estab- lish the extent to which a particular design and implementation meets a set of specified security requirements. chain of evidence The process by which an object is uniquely identified in a court of law. Challenge Handshake Authentication Protocol CHAP One of the authentication protocols used over PPP links. CHAP encrypts usernames and passwords. challenge-response token A token device that generates passwords or responses based on instructions from the authentication system. The authentication system displays a challenge in the form of a code or pass phrase. This challenge is entered into the token device. The token gen- erates a response based on the challenge, and then the response is entered into the system for authentication. change control See change management.