Prevalent Glossary of Terms
Common terms used in assessments within the Prevalent survey library.
Term | Definition |
Acceptable Use Policy |
A policy used to identify rules for using organization systems, including the use of e-mail, Internet, and social media platforms. |
Access Control Policy |
Documented policy that sets rules to control physical and logical access to information and information assets. Defines processes for managing different access control types including mandatory access control (MAC), role-based access control (RBAC) and attribute-based access control (ABAC). |
Asset Inventory |
Structured repository that lists all assets that an organization owns. Systems, hardware, software, and end-user devices (laptops, mobile devices) can be included. |
Asset Management |
The process of managing all information assets owned by an organization, including purchasing, monitoring, securing, and disposing/recycling of assets. |
Authentication |
The act of verifying the identity of users, software, or other entities. |
Authorization |
The act of giving approval to a user, software, or other entity, for accessing a system or service. |
Baseline Configurations |
A set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on. |
Bring Your Own Device (BYOD) |
Bring Your Own Device refers to the process of allowing employees to use their own personal devices (laptops, mobile phones, tablets) in the organization, including for accessing organization networks or systems. |
Business Continuity Plan |
Formal document that describes the organization's approach to reacting to an unforeseen event or incident. Includes step-by-step processes for recovering systems, business functions and operations. |
Business Impact Assessment |
Formal process for identifying and quantifying the impact to processes, functions, and operations, from disruptive events. |
Capacity Management |
Process for managing resource requirements for systems and IT technology resources. Capacity planning and monitoring includes disk space and memory utilization, and monitoring the storage of systems, network devices, cloud services and communication devices. |
Compensating Control |
A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for a process or system. |
Constituent |
An active employee or contractor. |
Containerization |
Packaging an application together with its dependencies into an isolated runtime environment that shares the host operating system kernel, so that many of the isolation benefits of a virtual machine are obtained without running a full guest operating system. This provides a lighter-weight alternative to full machine virtualization, with the caveat that the shared kernel is a weaker isolation boundary than a hypervisor. |
Contingency Plans |
Formal plans used to help organizations respond to incidents or events. Can be used as part of risk management planning to address exceptional or high-impact risks. |
Covered Entity (HIPAA) |
A covered entity can be an individual, organization, and/or an agency who must comply with Health Insurance Portability and Accountability Act (HIPAA) rules to protect the privacy and security of health information. |
Critical Infrastructure |
Systems, infrastructure, and other assets defined as critical for the functioning of society and economies. Critical infrastructure includes road networks, transportation, energy, and utility infrastructure (power grids, water supplies). |
Critical Systems |
Information systems deemed important to the organization, based on data or information held, and visibility or ownership of the systems (e.g., client-facing). |
Cyber Threat Intelligence |
Information gathered from a single or multiple sources about new or emerging attacks. Threat intelligence can highlight external threats, and can include who is attacking, their capabilities and motivation. |
Data Archive |
Removal of data that is no longer in active use, and placement into storage for long-term retention. Typically covers older data that is still important to an organization, or which must be retained for regulatory purposes. |
Data Flow |
The process of mapping the flow of information between systems and networks, including where data enters (input) and leaves (output) each system. |
Data Loss Prevention |
A comprehensive approach (including people, processes, and systems) of implementing policies and controls that are designed specifically to discover, monitor, and protect confidential data while it is stored, used, or in transit over the network and at the perimeter. |
Data Protection Officer |
The Data Protection Officer (DPO) role is tasked with monitoring the internal compliance of a company against data protection processes and practices. DPOs inform and advise companies on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and regulatory bodies. |
Data Steward |
Role responsible for the management and governance of organization data assets. Data stewards ensure the quality of data assets being used by the organization. |
Data-at-rest |
Data that is located on computer storage and is not actively moving between systems. Data stored on employee computers, in databases, on servers and on external devices (e.g., hard drives, back-up tapes) is all classed as 'data-at-rest'. The term covers any data held in digital form that is not currently in transit or in use. |
Data-in-transit |
Data that is sent from one system to another. This includes transfer of data between internal-facing systems, and external-facing systems (e.g., between a company and its suppliers, customers, or regulatory bodies). |
Disaster Recovery |
Process of maintaining or re-establishing critical infrastructure and systems following natural or human-induced disasters. |
DMZ |
Demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. |
Encrypted Virtual Private Networks |
Virtual private networks (VPN) create secure connections between devices and networks by routing traffic through an encrypted tunnel, which can also hide the client's IP address and location from the networks the tunnel crosses. Note that the encryption covers the path between the VPN endpoints, not necessarily the full path to the final destination. |
End-point Port Blocking |
Process of making selected ports on a device unavailable, rendering such ports inactive to access requests from external devices (e.g., a USB drive plugged into a USB port). |
Event Data |
Data captured by systems that allows organizations to monitor for: a) successful and rejected system access attempts; b) successful and rejected data and other resource access attempts; c) changes to system configuration; d) use of privileges; e) use of utility programs and applications. |
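To show what monitoring for the five event categories above looks like in practice, the following Python example (added here; it is not code from Prevalent or from the original page) parses a handful of constructed syslog-style lines, classifies each into one of the categories, and flags a source address with repeated rejected logins. The log lines, the regular expressions, and the watchlist of utility programs are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog-like); not taken from any real system.
SAMPLE_LOG = """\
Mar 10 08:01:02 srv1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 10 08:01:10 srv1 sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Mar 10 08:01:12 srv1 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
Mar 10 08:01:14 srv1 sshd[1204]: Failed password for root from 203.0.113.9 port 40213 ssh2
Mar 10 08:02:00 srv1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:02:05 srv1 auditd[900]: type=CONFIG_CHANGE user=alice key=sshd_config op=modified path=/etc/ssh/sshd_config
Mar 10 08:02:30 srv1 fileserver[77]: DENIED read user=bob path=/srv/finance/payroll.xlsx
Mar 10 08:03:00 srv1 fileserver[77]: ALLOWED read user=alice path=/srv/finance/payroll.xlsx
Mar 10 08:03:15 srv1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/nmap -sS 10.0.0.0/24
"""

# Each rule maps a regex onto one of the event categories a) to e) in the definition.
# The first matching rule wins, so more specific patterns come first.
RULES = [
    ("system_access_accepted",
     re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("system_access_rejected",
     re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("resource_access_accepted",
     re.compile(r"ALLOWED \w+ user=(?P<user>\S+) path=(?P<path>\S+)")),
    ("resource_access_rejected",
     re.compile(r"DENIED \w+ user=(?P<user>\S+) path=(?P<path>\S+)")),
    ("config_change",
     re.compile(r"type=CONFIG_CHANGE user=(?P<user>\S+) .*path=(?P<path>\S+)")),
    ("privilege_use",
     re.compile(r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")),
]

# Assumed watchlist of utility programs whose execution is recorded separately (category e).
WATCHED_UTILITIES = {"nmap", "tcpdump", "nc", "netcat"}


def parse_events(log_text):
    """Turn raw log lines into categorized event dicts; unmatched lines are ignored."""
    events = []
    for line in log_text.splitlines():
        for category, rx in RULES:
            m = rx.search(line)
            if m:
                ev = {"category": category, **m.groupdict()}
                if category == "privilege_use":
                    # Program name is the first token of COMMAND, path stripped.
                    prog = ev["cmd"].split()[0].rsplit("/", 1)[-1]
                    ev["utility_use"] = prog in WATCHED_UTILITIES
                events.append(ev)
                break
    return events


def summarize(events):
    """Count events per category, plus how many privilege uses ran a watched utility."""
    counts = Counter(e["category"] for e in events)
    counts["utility_use"] = sum(1 for e in events if e.get("utility_use"))
    return counts


def detect_bruteforce(events, threshold=3):
    """Sources with at least `threshold` rejected system access attempts."""
    per_src = Counter(e["src"] for e in events if e["category"] == "system_access_rejected")
    return {src for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(summarize(evs))
    print("brute-force sources:", detect_bruteforce(evs))
```

In a real deployment the parsing would sit in a SIEM or log pipeline and the threshold would be tuned per environment; the point of the example is that each of the five categories needs its own source of event data and its own parser before any of them can be monitored.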
Hardening |
A process intended to reduce the ways in which a system can be attacked, typically by patching vulnerabilities, turning off non-essential services, and applying secure configuration settings. |
Hypervisor |
A piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware and application programs) called virtual machines to be run on a single physical host. |
Incident Response |
Process of taking actions to address and manage incidents that have been raised, including security breaches and cyber-attacks. Covers the policies and processes that define the steps taken to respond to and contain incidents, and the communication to internal and external parties. |
Information Asset |
Physical and logical assets that contain information or data that is important to an organization. Assets can include hardware, software, data, people, and services. |
Information Classification |
Method used to determine level of protection given to information, based on its sensitivity, criticality, and purpose. Information classification typically considers information that can be considered public, confidential, and where additional restrictions are needed. |
Information Systems |
Combined use of resources, including hardware, software, and telecommunications networks, to collect, store, transfer and distribute information. |
Information Transfer Policy |
Formal document used to set out rules, procedures, and agreements to protect information in transit. Information transfer policies will typically include controls used to protect information in transit, set out transfer agreement requirements, and include electronic and physical transfer requirements. |
Infrastructure as a Service (IaaS) |
Infrastructure as a Service is a category of cloud computing in which a third-party provider hosts servers, storage, and other infrastructure resources, and makes them available through a cloud environment (e.g., AWS, Microsoft Azure). |
Integrity Checking |
Process of verifying that information or data has not been modified or destroyed, typically by comparing a cryptographic hash or message authentication code against a trusted reference value; it can also include ensuring the authenticity and non-repudiation of the information. |
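The distinction between detecting modification and proving authenticity is worth seeing in code. The following Python example is added here and is not code from the original page: it checks a record with a plain SHA-256 hash (which detects accidental change but can be recomputed by anyone who can alter the record) and with an HMAC (which also requires the key, so a valid tag proves origin). The key and the record contents are constructed for the example.

```python
import hashlib
import hmac


def sha256_digest(data: bytes) -> str:
    """Unkeyed digest of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Detects modification, but an attacker who can alter the data can
    just as easily recompute and replace an unkeyed hash."""
    return hmac.compare_digest(sha256_digest(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256) over the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """A valid tag proves the data is unmodified (integrity) and was produced
    by a holder of the key (authenticity). compare_digest avoids timing leaks."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def tamper_demo():
    """Walk through a tampering scenario and report what each check catches."""
    key = b"example-key-from-key-management"  # assumed; in practice load from a KMS or vault
    record = b'{"account":"1234","amount":100}'
    stored_hash = sha256_digest(record)
    stored_tag = hmac_tag(key, record)

    forged = b'{"account":"1234","amount":100000}'
    # The attacker recomputes the unkeyed hash to hide the change...
    attacker_hash = sha256_digest(forged)
    # ...but cannot produce a valid HMAC without the key.
    return {
        "hash_detects_change": not verify_hash(forged, stored_hash),
        "hash_fooled_if_replaced": verify_hash(forged, attacker_hash),
        "hmac_detects_change": not verify_hmac(key, forged, stored_tag),
        "hmac_rejects_wrong_key": not verify_hmac(key, forged, hmac_tag(b"wrong-key", forged)),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

Where the reference value itself is stored alongside the data, use the keyed form (or a digital signature) and keep the key out of the attacker's reach; an unkeyed hash only protects against accidental corruption.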
Intellectual Property |
Intangible assets created by the organization which include inventions, designs, names, symbols, and images. Use of patents, copyright, trademarks, and trade secrets are all methods of protecting intellectual property. |
Internet Filtering |
Software used to restrict or control content which a user can access. Particularly used when managing materials or information delivered through websites or mail. |
Intrusion Detection System |
A security monitoring system for hosts and networks that inspects system activity and inbound/outbound network traffic. The key function of an IDS is to identify suspicious activity or patterns that may indicate a network or system attack and raise an alert; unlike an intrusion prevention system, it does not itself block the traffic. |
Intrusion Prevention System |
Network security technology used to detect threats through actively examining network traffic flow, and taking steps to prevent malicious activity through blocking traffic, dropping identified packets, or alerting administrators. |
Key Management Policy |
Formal document that describes the processes for generating, storing, archiving, retrieving, distributing, retiring, and destroying cryptographic keys. |
Labelling |
Method of attaching an identifier to information assets, based on defined classification levels. Examples include attaching a ‘classified’ label to external devices and attaching ‘confidential’ to an e-mail header. |
Least Functionality |
Process of configuring information systems to provide only essential capabilities and to prohibit or restrict the use of non-essential functions. |
Malicious Code |
Computer code developed to perform unauthorized actions on systems and services, typically by exploiting vulnerabilities or deceiving users into running it. Malicious code includes viruses, spyware, worms and trojan horses. |
Maximum Tolerable Period of Disruption |
Maximum allowable time that an organization's key products or services are made unavailable or cannot be delivered before the impact is deemed unacceptable. |
Media Transfer |
The process of physically moving removable media devices from one location to the other. |
Mobile Application Management (MAM) |
Software used to help organizations manage and control enterprise applications on laptops, smartphones, tablets, and similar devices connected to the internal network. MAM allows for application configuration, updates, and version management. |
Mobile Code |
Mobile code is any program or script that is transferred from a remote system and executed on a local system without explicit installation by the user, for example code embedded in an email, document (macros), or website (browser scripts). |
Mobile Device |
Any handheld physical devices used by an organization. Mobile phones, tablets, laptops, and other portable devices fit into this category. |
Mobile Device Management (MDM) |
Software used to help organizations manage and enforce corporate policies on laptops, smartphones, tablets, and similar devices connected to the internal network. |
Network Address Translation |
Process of mapping multiple private addresses to one or more public addresses before traffic leaves a network. NAT is commonly implemented on firewalls and conceals internal addresses from external networks, but it is an addressing mechanism rather than a security control and should not be relied on in place of firewall rules. |
Non-deprecated Algorithm |
A cryptographic algorithm, together with the key or hash length it is used with, that has not been withdrawn by current standards and meets the minimum bit-length requirements of current industry best practice. |
Nth Party (or Fourth Party) |
An open-ended term that expresses the concept that contractors (third parties) can have subcontractors. |
Phishing |
Social engineering attack that tricks users into taking an action, such as opening an attachment or link that installs malware, disclosing credentials or other personal or sensitive data, or making fraudulent payments. |
Platform as a Service (PaaS) |
Platform as a Service is a category of cloud computing associated with providing organizations with hardware and software which is used for application development. The PaaS cloud provider hosts the hardware and software in their environment. |
Privacy Impact Assessments |
Formal assessment to determine the impact of data protection risks when processing personal data; under the GDPR this is known as a Data Protection Impact Assessment (DPIA). A DPIA will analyse, identify, and minimise data protection risks, and is used to demonstrate compliance with data protection obligations. |
Privacy Notices |
Record that highlights how personal data is used, the purpose of using personal data, and how long that data is kept. Contact details of the data protection officer are also displayed. Privacy notices are used internally, and on public-facing websites. |
Privileged Access |
Privileged access ensures that only authorized users are granted access to certain systems, software components and services. It allows for the performance of activities that typical users or processes cannot perform. |
Ransomware |
Type of malware that blocks access to data, typically by encrypting it, and/or threatens to publish stolen personal or sensitive data unless a defined ransom is paid. Variants range from encryption-only to combined encryption and data-exposure extortion. |
Remote Access |
Connection to IT systems, services, applications, or data from outside of locations belonging to an organization. |
Removable Media |
Storage devices which can be removed from computers, often to transfer data from one location to another. Removable media includes CDs, DVDs, Blu-Ray discs, USB keys/drives and SD cards. |
Risk Management Strategy |
Formal approach to identifying, quantifying, and mitigating risks, and continually monitoring risks based on defined risk acceptance criteria. |
Risk Tolerance |
The degree to which the organization is willing to accept risk. |
Role-Based Access Control (RBAC) |
A method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Roles are defined according to job competency, authority and responsibility within the enterprise. |
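The following Python example is added here (it is not code from Prevalent or from the original page) to show the mechanics behind the RBAC definition: roles carry permissions, roles can inherit from other roles, users are assigned roles, and every check is deny-by-default. The role names, permission strings and users are assumptions for the example.

```python
from collections import deque


class RBAC:
    """Minimal role-based access control with role inheritance and deny-by-default checks."""

    def __init__(self):
        self._perms = {}        # role -> permissions granted directly to that role
        self._parents = {}      # role -> roles it inherits from
        self._assignments = {}  # user -> roles assigned to that user

    def add_role(self, role, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self._perms:
                raise ValueError(f"unknown parent role {parent!r}")
        self._perms[role] = set(permissions)
        self._parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self._perms:
            raise ValueError(f"unknown role {role!r}")
        self._assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self._assignments.get(user, set()).discard(role)

    def effective_permissions(self, role):
        """Permissions of a role plus everything inherited, guarding against cycles."""
        seen, perms = set(), set()
        queue = deque([role])
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            perms |= self._perms.get(r, set())
            queue.extend(self._parents.get(r, ()))
        return perms

    def is_authorized(self, user, permission):
        """Deny by default: unknown users, unknown roles and unknown permissions all fail."""
        return any(permission in self.effective_permissions(r)
                   for r in self._assignments.get(user, ()))


def build_example():
    """Assumed roles for a reporting application, defined by job responsibility."""
    rbac = RBAC()
    rbac.add_role("viewer", {"report:read"})
    rbac.add_role("analyst", {"report:write"}, inherits={"viewer"})
    rbac.add_role("admin", {"user:manage"}, inherits={"analyst"})
    rbac.assign("alice", "analyst")
    rbac.assign("bob", "viewer")
    return rbac


if __name__ == "__main__":
    r = build_example()
    for user, perm in [("alice", "report:write"), ("bob", "report:write"), ("mallory", "report:read")]:
        print(f"{user} -> {perm}: {'allow' if r.is_authorized(user, perm) else 'deny'}")
```

Because permissions attach to roles rather than to people, an access review only has to confirm that each role still matches its job function and that each user still holds the right roles; revoking a role removes every permission it carried in one step.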
Scoped Data |
A client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. Any reference to scoped data includes protected scoped data, where applicable. |
Scoped Systems |
Computer hardware, software and/or Non-Public Personal Information (NPPI) that is stored, transmitted, or processed by the service provider in scope for an engagement. |
Secret Authentication Information |
Authentication information, such as passwords, PINs and cryptographic keys, that is used to gain access to information systems and must be kept confidential. |
Secure Disposal |
Methods describing the process of disposing and/or destroying physical assets. Secure disposal refers to the process of ensuring data and information stored on assets is removed prior to the disposal or destruction. |
Secure Engineering Principles |
Set of ideas, rules and requirements that are considered when developing an information system. Secure engineering principles include developing layered protections, ensuring secure system architecture, and ensuring that security is included throughout the development lifecycle. |
Secure File Transfer Protocol (SFTP) |
SSH File Transfer Protocol (commonly expanded as Secure File Transfer Protocol) is a network protocol that runs over an SSH connection to access, transfer, and manage files, including large files and sensitive data, with both the data and the credentials encrypted in transit. It is distinct from FTPS (FTP over TLS). |
Secure Sockets Layer (SSL) |
Secure Sockets Layer is the predecessor of Transport Layer Security (TLS), a protocol used to establish an encrypted connection between clients and servers (e.g., browsers and web servers) and thereby safeguard sensitive data sent between systems. All versions of SSL are deprecated and have known weaknesses; current deployments should use TLS 1.2 or later, although the term 'SSL' is still widely used to refer to TLS. |
Simulated Adversary Attack |
The act of impersonating the actions and behaviours of skilled cyber threat actors to attack an organization's information technology or operational technology environment. |
Software as a Service (SaaS) |
Software as a Service is a category of cloud computing where a third-party provider hosts applications or software, and makes them available through a cloud environment (e.g., Salesforce, Concur). |
Software Development Life Cycle (SDLC) |
Formal process for planning, creating, testing, and deploying an information system. The process includes conducting a requirements analysis, planning and design, coding, and implementation, conducting security and user testing and deployment. |
Special Interest Groups |
Specialist security forums or professional associations made up of multiple organizations or businesses, aiming to improve knowledge about security best practices, and raise awareness of new and emerging threats. |
Supply Chain Risk Management Plan |
Strategic document used to identify and assess risks associated with the supply chain, and to address the management, implementation, and monitoring of cyber supply chain risk management (C-SCRM) controls. |
Tenant Data |
Data belonging to a cloud service providers’ customer, which includes an individual user, a group of users, or an entire department or company. |
Two-factor Authentication (also, Multi-factor Authentication) |
Process of granting access to systems or applications only after two or more independent pieces of evidence from different categories have been presented: something you know (password, passphrase, or personal identification number (PIN)); something you have (token or smartcard); something you are (biometric, e.g., fingerprint or facial recognition). Two pieces of evidence from the same category (e.g., two passwords) do not constitute multi-factor authentication. |
Virtual Private Network (VPN) |
A secured communication tunnel that is separate from but runs through a shared network, such as the Internet, to provide data privacy and integrity. A VPN uses encryption and other security mechanisms to secure data from interception or corruption and to ensure that the data senders and receivers are authenticated. |