Compliance & Governance Glossary

Security considerations and measures for protecting fifth-generation mobile network infrastructure, devices, and services from cyber threats.

The principle that organizations and individuals should be answerable for the outcomes and impacts of AI systems they develop or deploy.

The challenge of ensuring that AI systems pursue goals and behaviors that are aligned with human values, intentions, and ethical principles.

Processes and methods for providing confidence that AI systems operate as intended, producing reliable, fair, and safe outcomes.

A systematic examination of AI systems to evaluate their fairness, transparency, safety, security, and compliance with applicable regulations.

Systematic errors in AI system outputs that result from biased assumptions in the machine learning process or biased training data. AI bias can lead to unfair or discriminatory outcomes and is a key concern of AI governance frameworks.

The categorization of AI systems based on their risk level, capability, or application domain, as defined by regulations like the EU AI Act.

Adherence to emerging regulations governing the development, deployment, and use of artificial intelligence systems, including the EU AI Act.

A structured set of requirements and guidelines for ensuring AI systems are developed and deployed in compliance with applicable regulations.

Policies and processes for managing the data used to train and operate AI systems, ensuring quality, privacy, and regulatory compliance.

Records describing AI system design, training data, performance metrics, limitations, and intended use, supporting transparency and accountability.

The branch of ethics that examines the moral implications of artificial intelligence systems, including issues of fairness, transparency, accountability, privacy, and the societal impact of AI decision-making.

The ability to understand and describe how an AI model reaches its decisions or predictions, supporting transparency, trust, and regulatory compliance.

The principle and practice of ensuring AI systems do not produce discriminatory outcomes or perpetuate biases against any group of individuals.

The framework of policies, processes, and organisational structures that ensure AI systems are developed and deployed responsibly, ethically, and in compliance with applicable laws and regulations.

A systematic evaluation of the potential effects of an AI system on individuals, groups, and society. AI impact assessments examine risks related to fairness, privacy, safety, transparency, and human rights.

An event involving an AI system that causes or could cause harm to individuals, organizations, or society, requiring investigation and response.

The governance of AI systems throughout their entire lifecycle from conception and development through deployment, monitoring, and retirement.

The processes and controls for managing AI models throughout their lifecycle, including development, validation, deployment, monitoring, and retirement. Model governance ensures accuracy, fairness, and compliance.

The potential for adverse consequences arising from decisions based on AI models that are incorrect, misused, or produce unintended outcomes.

The continuous observation and evaluation of AI system performance, behavior, and outputs to detect drift, bias, errors, or security issues.

Organizational or governmental policies that define principles, requirements, and guidelines for the development, deployment, and use of AI systems.

Structured testing of AI systems by dedicated teams to identify safety risks, vulnerabilities, biases, and unintended behaviors before deployment.

Laws and regulatory frameworks governing the development, deployment, and use of artificial intelligence systems to ensure safety and protect rights.

A systematic evaluation of the potential harms and risks associated with an AI system, including bias, safety, security, and societal impacts.

The process of identifying, assessing, and mitigating risks associated with AI systems. The NIST AI Risk Management Framework provides a structured approach organised around four functions: Govern, Map, Measure, and Manage.

A structured approach for identifying, assessing, and mitigating risks associated with AI systems throughout their lifecycle.

Research and practices aimed at ensuring AI systems operate safely, reliably, and without causing unintended harm to individuals or society.

Measures to protect AI systems from adversarial attacks, data poisoning, model theft, and other threats specific to machine learning systems.

Risks arising from dependencies on third-party AI models, training data, cloud services, and components used in AI system development.

Methods for evaluating AI systems including functional testing, bias testing, adversarial testing, and performance benchmarking.

The principle that AI system operations and decisions should be understandable and open to examination. Transparency includes documenting data sources, model architecture, training processes, and decision-making logic.

Techniques for embedding identifiable markers in AI-generated content to enable detection and attribution of synthetically produced media.

The American Institute of Certified Public Accountants, which develops auditing standards and the SOC reporting framework for service organizations.

Laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income.

Practices and technologies for protecting application programming interfaces from attacks, abuse, and unauthorized access while ensuring proper authentication and data protection.

The Australian Prudential Regulation Authority's standard requiring regulated financial entities to maintain information security capabilities.

An attack where a malicious actor sends falsified ARP messages to link their MAC address with a legitimate IP address on a local network.

A security testing technique that identifies ways a system could be misused by threat actors, complementing traditional use case analysis.

A risk that has been evaluated and determined to be within the organization's risk tolerance, requiring no additional mitigation.

The amount of risk that an organization is prepared to accept, tolerate, or be exposed to at any point in time.

The agreed-upon rules governing how users may utilize an organization's IT resources, including internet, email, and software.

A document that outlines the rules and guidelines for using an organization's IT resources, defining permitted and prohibited activities for users.

Predefined conditions that a risk, control, or deliverable must meet to be formally accepted, serving as a benchmark for risk-based decision-making.

A physical credential such as a smart card or proximity badge used to control entry to secure areas and track personnel movements.

A threat actor who specializes in gaining initial access to organizations and selling that access to other cybercriminals for further exploitation.

The periodic review and validation of user access rights to ensure that permissions remain appropriate for each user's current role and responsibilities.

Security measures that regulate who can view or use resources in a computing environment. Access controls include authentication, authorisation, and audit mechanisms.

A list of rules that specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

A table that defines the access permissions of subjects to objects in a system, mapping users and roles to specific resource permissions.

Policies and processes for ensuring that user access rights are appropriately granted, reviewed, and revoked based on organizational requirements.

A record of all access attempts to a system or resource, including successful and failed attempts, used for security monitoring and audit purposes.

The set of processes and technologies used to manage and control user access to systems, applications, and data based on defined policies.

A physical location or network device where users connect to an organization's network, requiring security controls to prevent unauthorized access.

A documented set of rules defining who is authorized to access specific resources, under what conditions, and with what level of permission.

The process of granting users the appropriate access rights and permissions to systems and resources based on their role and business need.

A periodic review process where managers verify that existing user access rights remain appropriate and revoke any unnecessary permissions.

A formal request by a data subject to obtain information about what personal data an organization holds about them and how it is processed.

A periodic evaluation of user access rights and permissions to verify they remain appropriate, required by most compliance frameworks.

A digital credential that represents the authorization granted to a user or application to access specific resources or perform specific operations.

Adherence to laws and standards requiring digital content and services to be accessible to people with disabilities, such as WCAG and ADA requirements.

A security feature that temporarily disables a user account after a specified number of failed authentication attempts to prevent brute force attacks.

The processes for creating, modifying, monitoring, and removing user accounts throughout their lifecycle.

The obligation of an individual or organization to account for their activities, accept responsibility for outcomes, and disclose results transparently.

Formal recognition by an authoritative body that an organisation is competent to carry out specific tasks, such as certification audits or testing.

An organization that evaluates and confirms the competence of certification bodies, laboratories, and inspection bodies to perform specific conformity assessments.

An organisation that has been formally recognised by an accreditation body (such as UKAS or ANAB) as competent to conduct certification audits against specific standards such as ISO 27001 or ISO 9001.

Security strategies that proactively seek to detect, respond to, and counter adversary actions rather than relying solely on passive preventive measures.

Security measures and configurations applied to Microsoft Active Directory to protect identity management, authentication, and authorization services from unauthorized access and attacks.

Privacy concerns and regulations related to advertising technology including behavioral tracking, targeted advertising, and real-time bidding of user data.

An authentication approach that dynamically adjusts security requirements based on contextual risk factors such as location, device, and user behavior.

A memory protection technique that randomizes the positions of key data areas in a process address space to prevent exploitation of memory corruption vulnerabilities.

A determination by the European Commission that a non-EU country provides an adequate level of data protection. Adequacy decisions enable the free flow of personal data to the third country without additional safeguards.

Elevated system privileges that allow users to perform configuration changes, install software, and manage other user accounts on a system.

A symmetric block cipher algorithm (AES) adopted as an encryption standard, using key sizes of 128, 192, or 256 bits to protect classified and sensitive data.

A prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APTs typically target high-value organisations such as governments and large enterprises.

Security testing that emulates the tactics, techniques, and procedures of real-world threat actors to evaluate an organization's detection and response capabilities.

Adherence to laws and regulations governing advertising practices, including truth in advertising, disclosure requirements, and sector-specific restrictions.

Software that automatically displays or downloads advertising material when a user is online, often bundled with free programs and potentially compromising privacy.

Regulatory requirements specific to the aerospace industry including safety standards, export controls, and quality management systems like AS9100.

Mechanisms used to verify the age of users accessing online services, particularly relevant for protecting children's privacy and complying with age-based regulations.

A technique where individually non-sensitive pieces of information are combined to derive sensitive data, bypassing classification controls.

Regulations governing agricultural practices including food safety, pesticide use, environmental protection, and animal welfare standards.

A security measure that physically isolates a computer or network from unsecured networks, including the internet. Air-gapped systems are used in high-security environments to prevent remote cyber attacks.

A network physically isolated from other networks and the internet, providing maximum security for highly sensitive systems.

A security system designed to detect and alert on unauthorized entry, environmental hazards, or other security-relevant events at physical locations.

The process of linking related security alerts from multiple sources to identify patterns that indicate a coordinated attack or significant incident.

A condition where security analysts become desensitized to alerts due to high volumes of false positives, potentially causing real threats to be overlooked.

The process of evaluating and prioritizing security alerts to determine which require immediate investigation and response.

The examination and evaluation of algorithms and automated decision-making systems for bias, fairness, accuracy, and compliance with regulations.

The principle that organisations developing or deploying algorithms are responsible for the outcomes those algorithms produce. Algorithmic accountability requires monitoring for bias, errors, and unintended consequences.

An evaluation of the potential effects of an automated decision-making system on individuals and groups, particularly regarding fairness and discrimination.

The practice of making the logic, data, and decision processes of algorithms understandable and accessible to affected parties.

A cybersecurity approach that permits only pre-approved applications, IP addresses, or entities to access a system while blocking all others by default.

A facility separate from the primary location where an organization can continue critical operations during a disruption to the main site.

The section of ISO 27001 that contains the reference set of information security controls. The 2022 revision organises 93 controls into four themes: Organisational, People, Physical, and Technological.

A comprehensive yearly evaluation of an organization's compliance program effectiveness, regulatory changes, and areas requiring improvement.

The identification of patterns in data that deviate from expected behavior, used in security to detect intrusions, fraud, and other threats.

The irreversible process of altering personal data so that the individual can no longer be identified, directly or indirectly. Properly anonymised data falls outside the scope of data protection regulations such as GDPR.

The state of being unidentifiable within a group of subjects, where personal data cannot be linked to a specific individual by any means.

The irreversible process of altering personal data so that individuals can no longer be identified directly or indirectly, removing it from data protection regulations.

Laws, regulations, and organizational policies designed to prevent bribery, corruption, and unethical business practices in domestic and international operations.

Software designed to detect, prevent, and remove malicious software such as viruses, worms, trojans, and ransomware from computer systems and networks.

Regulations, policies, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income through the financial system.

Technologies, policies, and training programs designed to detect and prevent phishing attacks that attempt to steal credentials or deliver malware through deceptive communications.

Security measures designed to prevent or detect unauthorized modification of hardware, software, or data to maintain system integrity.

Security measures for protecting dedicated hardware devices used for specific functions such as firewalls, load balancers, and storage systems.

A security practice that permits only pre-approved applications to execute on a system while blocking all other software from running.

Security measures that restrict which applications can execute on systems, preventing unauthorized or malicious software from running.

Authorized security testing focused specifically on web, mobile, or desktop applications to identify vulnerabilities in application logic and security controls.

The practice of finding, fixing, and preventing security vulnerabilities in software applications throughout the development lifecycle. Includes code review, penetration testing, and security architecture design.

The process of evaluating software applications for security vulnerabilities using techniques such as static analysis, dynamic analysis, and interactive testing.

The process of categorising information assets based on their sensitivity, criticality, and value to the organisation. Classification levels typically include public, internal, confidential, and restricted.

The process of identifying and cataloging all hardware, software, and data assets within an organization's IT environment to maintain an accurate inventory.

A comprehensive and up-to-date register of all hardware, software, data, and network resources owned or managed by an organisation. Required by most security frameworks including CIS Controls and ISO 27001.

The systematic process of identifying, classifying, tracking, and managing an organization's information assets throughout their lifecycle to ensure proper protection.

An evaluation of the risks associated with specific information assets, considering their value, threats, vulnerabilities, and existing controls.

An engagement in which an auditor expresses a conclusion about the reliability of a subject matter against defined criteria to enhance stakeholder confidence.

A formal document presenting the auditor's findings, conclusions, and opinion on the subject matter examined during an assurance engagement.

A cryptographic method using a pair of mathematically related keys where one key encrypts data and the other decrypts it, enabling secure key exchange.

Automated security testing that replicates real-world attack scenarios against an organization's defenses to validate security control effectiveness.

The total number of possible entry points for unauthorised access to a system. Reducing the attack surface through hardening, patching, and removing unnecessary services is a core security practice.

The continuous discovery, classification, prioritization, and monitoring of an organization's external-facing digital assets to reduce exposure to threats.

The method or pathway used by a threat actor to gain unauthorised access to a target system. Common attack vectors include phishing emails, unpatched software vulnerabilities, and compromised credentials.

A formal declaration by an independent party (such as a CPA firm) that an organisation's controls or processes meet specified criteria. SOC reports are a form of attestation, distinct from certification.

A formal declaration by a qualified security assessor or the organization itself confirming compliance with a specific standard such as PCI DSS.

An access control paradigm that grants or denies access based on policies evaluating attributes of users, resources, actions, and the environment.

A systematic, independent examination of an organisation's activities, processes, or financial records to verify compliance with standards, regulations, or internal policies.

A formal document that defines the audit function's purpose, authority, responsibility, and position within an organization's governance structure.

A committee of the board of directors responsible for overseeing financial reporting, internal controls, and audit activities. Audit committees are required for publicly listed companies and play a key role in corporate governance.

Records, statements of fact, or other information that is relevant and verifiable, used by an auditor to determine whether audit criteria are being fulfilled. Audit evidence can be qualitative or quantitative.

The results of evaluating collected audit evidence against audit criteria. Findings can indicate conformity or nonconformity with the criteria and may include observations or opportunities for improvement.

The defined schedule for conducting internal and external audits based on risk levels, regulatory requirements, and organizational needs.

The requirement that auditors maintain objectivity and freedom from conflicts of interest that could influence their professional judgment.

A chronological record of system activities that provides documentary evidence of the sequence of activities affecting a specific operation, procedure, or event. Audit logs are essential for security monitoring, incident investigation, and compliance.

The administration and coordination of audit activities including planning, scheduling, resource allocation, and tracking of findings and remediation.

The systematic approach and procedures used by auditors to plan, execute, and report on audits, ensuring consistency and thoroughness.

The formal communication to an auditee informing them of an upcoming audit, including scope, timing, and information requirements.

The specific goals and scope of an audit engagement, defining what the audit seeks to evaluate, verify, or assess.

The auditor's formal conclusion about whether the subject matter conforms to applicable criteria, expressed as unqualified, qualified, adverse, or disclaimer.

A document that describes the activities and arrangements for an audit, including scope, objectives, timing, and resource requirements. Audit plans ensure systematic and efficient audit execution.

The activities undertaken by an organization to ready itself for an upcoming audit, including evidence gathering and documentation review.

A scheduled series of audits planned for a specific period, prioritized based on risk assessment and covering key areas of the organization.

A set of one or more audits planned for a specific time frame and directed towards a specific purpose. Audit programmes define the overall approach, scheduling, and resourcing for audit activities over a defined period.

The state of preparedness an organization achieves through proactive measures to ensure successful outcomes when formal audits are conducted.

The formal documentation of audit findings, conclusions, and recommendations presented at the end of an audit engagement. Audit reports communicate the results to stakeholders and management.

The formal communication of audit results including findings, conclusions, and recommendations to management and relevant stakeholders.

The formal reply from audited parties addressing audit findings, including planned corrective actions, responsible parties, and implementation timelines.

The risk that an auditor expresses an inappropriate opinion when the subject matter is materially misstated. Audit risk comprises inherent risk, control risk, and detection risk.

The application of audit procedures to less than 100% of items within a population to draw conclusions about the entire population.

A planned timetable of audit activities across an organization for a defined period, typically one year, based on risk priorities.

The extent and boundaries of an audit, including the locations, organisational units, activities, and processes to be audited, as well as the time period covered by the audit.

Published guidelines and requirements that define how audits should be conducted to ensure quality, consistency, and professional practice.

A chronological record of system activities that enables the reconstruction and examination of events. Essential for forensic analysis and regulatory compliance.

The comprehensive list of all auditable entities, processes, systems, and locations within an organization that the audit function may review.

The documentation of audit procedures performed, evidence obtained, and conclusions reached that support the auditor's report and findings.

The process of verifying the identity of a user, device, or system. Common methods include passwords, biometrics, tokens, and multi-factor authentication (MFA).

A category of credential used to verify identity, including knowledge factors, possession factors, and inherence factors like biometrics.

A set of rules governing the exchange of information for verifying the identity of a user, device, or system in a communication.

The process of determining what actions an authenticated user or system is permitted to perform. Typically enforced through access control lists or role-based access control.

A formal authorisation granted by a senior official to operate a federal information system at an acceptable level of risk. ATO is required under FISMA and FedRAMP and is based on the assessment of security controls.

The process of determining whether a user, program, or device is permitted to access a resource, perform an operation, or execute a command.

Decisions made by algorithms or AI systems without significant human involvement. Under GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Systems that automatically detect, download, test, and deploy software patches across an organization's IT environment to reduce vulnerability exposure.

Pre-configured actions that are automatically triggered when specific security events or conditions are detected, reducing response time.

Security standards and practices for protecting connected vehicles, automotive systems, and vehicle-to-everything communications from cyber threats.

Systems that can perform tasks and make decisions without human intervention, raising governance questions about accountability, safety, and oversight.

The property of being accessible and usable upon demand by authorized users, one of the three pillars of information security along with confidentiality and integrity.

Regulatory requirements and security measures for protecting civil aviation systems, infrastructure, and operations from threats.

An organized effort to educate employees about specific security threats and best practices through multiple communication channels.

An attack that maliciously reroutes internet traffic by corrupting Border Gateway Protocol routing tables to redirect traffic through attacker-controlled networks.

A process that identifies critical business functions and determines the impact of disruption. Used to set recovery time objectives (RTO) and recovery point objectives (RPO).

Security policies and controls for managing risks associated with employees using personal devices to access corporate networks, data, and applications.

A hidden method for bypassing normal authentication or encryption in a computer system, often installed by attackers or built into software for maintenance.

The application of encryption to backup data to protect it from unauthorized access even if backup media is lost, stolen, or compromised.

A documented policy defining requirements for data backup including frequency, scope, retention, encryption, and testing procedures.

A documented plan defining what data is backed up, how frequently, where backups are stored, and how they are tested and restored.

The process of testing backup data to confirm it is complete, intact, and can be successfully restored when needed.

The processes and technologies for creating copies of data and systems so they can be restored after data loss, corruption, or disaster. Backup frequency and retention policies are defined by business requirements and regulatory obligations.

A social engineering attack that lures victims with something enticing, such as a USB drive left in a public area loaded with malware.

The allocation and control of network bandwidth to ensure optimal performance and prevent network abuse or congestion.

A network management technique that limits the data transfer rate to prevent network congestion or mitigate denial-of-service attack impacts.

The framework of laws and rules governing banking operations including capital requirements, lending practices, consumer protection, and risk management.

A technique used to gather information about a computer system on a network by reading the banner messages displayed by services running on the target. Often used in vulnerability scanning and reconnaissance.

An international regulatory framework developed by the Basel Committee on Banking Supervision that sets minimum capital requirements, leverage ratios, and liquidity requirements for banks to strengthen regulation, supervision, and risk management.

A minimum set of security controls or configurations established as a starting point. Baselines can be tailored based on an organisation's risk profile and operating environment.

A specially hardened computer on a network designed to withstand attacks and serve as a single point of entry to internal resources. Bastion hosts are typically placed in a DMZ and run minimal services.

The use of machine learning and statistical analysis to identify unusual patterns in user or entity behavior that may indicate security threats.

The process of comparing an organization's practices, processes, and performance metrics to industry best practices or peer organizations.

The process of identifying and measuring systematic biases in AI models and their outputs. Bias detection involves statistical testing across protected characteristics such as race, gender, age, and disability.

The examination of compiled executable files to understand their functionality, identify vulnerabilities, and detect malicious code without source code.

Internal policies adopted by multinational corporations for transferring personal data within the group across international borders in compliance with data protection laws.

Internal rules adopted by a multinational group of companies that define their global policy regarding international transfers of personal data within the group. BCRs must be approved by the relevant data protection authority.

Physical access control systems that use biological characteristics such as fingerprints, iris scans, or facial recognition to verify identity.

The use of unique biological characteristics such as fingerprints, facial recognition, iris scans, or voice patterns to verify the identity of a user. Considered a strong form of authentication.

Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, such as facial images or fingerprint data. Classified as special category data under GDPR.

A full disk encryption feature included with Microsoft Windows that protects data by encrypting the entire operating system drive.

A security testing approach where the tester has no prior knowledge of the target system's internal workings, simulating an external attacker.

A security approach that blocks known malicious entities such as IP addresses, domains, or file hashes while allowing everything else by default.

A symmetric encryption algorithm that operates on fixed-size blocks of data. Common block ciphers include AES (Advanced Encryption Standard) and 3DES.

A distributed, immutable ledger technology that records transactions across multiple computers, providing transparency, security, and verification without central authority.

Security measures for protecting blockchain networks, smart contracts, wallets, and decentralized applications from attacks and vulnerabilities.

A symmetric block cipher algorithm designed as a fast, free alternative to existing encryption methods. While once popular, it has largely been superseded by AES for most applications.

The defensive security team responsible for maintaining and improving an organization's security posture by detecting, responding to, and mitigating threats.

Security protocols and practices for protecting wireless communications over Bluetooth connections from eavesdropping, unauthorized pairing, and data theft.

The responsibility of a board of directors to supervise management activities, ensure accountability, and provide strategic direction. Board oversight of cybersecurity and compliance has become a regulatory expectation under NIST CSF 2.0, SEC rules, and corporate governance codes.

A committee of the board of directors specifically responsible for overseeing the organization's risk management framework and risk appetite.

Security mechanisms that verify the integrity of the boot process, ensuring that only authenticated and unmodified code executes during system startup.

Malware that infects the boot sector of a storage device, activating during the system startup process before the operating system loads.

A network of compromised computers (bots) controlled remotely by a threat actor to perform coordinated malicious activities such as distributed denial-of-service attacks, spam distribution, or cryptocurrency mining.

Security controls deployed at network boundaries to monitor, filter, and protect traffic entering and leaving the organization's network.

Security measures implemented at the boundaries between network zones to monitor and control communications, preventing unauthorized access between segments.

A risk analysis method that visually maps the pathways from causes to consequences of a risk event, showing preventive and mitigating controls.

The evaluation of a security incident to determine the scope, severity, and impact of a data breach on affected individuals and the organization.

Immediate actions taken to limit the spread and impact of a data breach, including isolating affected systems and blocking malicious access.

The legal requirement to inform affected individuals, regulators, or other parties when personal data has been compromised. GDPR requires notification within 72 hours.

Financial sanctions imposed by regulators on organizations that fail to comply with data breach notification requirements or other regulatory obligations.

A documented log of all personal data breaches including their nature, affected individuals, consequences, and remedial actions taken.

The coordinated set of actions taken by an organization following the discovery of a data breach, including investigation, notification, and remediation.

Automated platforms that continuously simulate attacks across the kill chain to validate the effectiveness of security controls and detection capabilities.

An emergency access account that bypasses normal access controls during critical situations, with strict monitoring and post-use review procedures.

Security measures and configurations for web browsers to protect against web-based threats including malicious websites, extensions, and exploits.

An attack method that systematically tries every possible combination of passwords or encryption keys until the correct one is found. Mitigated by account lockout policies, rate limiting, and strong password requirements.

A software vulnerability that occurs when a program writes more data to a buffer than it can hold, potentially allowing an attacker to execute arbitrary code. Buffer overflows are among the most common and dangerous security flaws.

A crowdsourced security initiative that rewards external researchers for discovering and responsibly disclosing software vulnerabilities to the organization.

The process of logging, categorizing, prioritizing, and managing software bugs and security vulnerabilities from discovery through resolution.

Physical security measures protecting an organization's buildings and facilities from unauthorized access, theft, vandalism, and environmental threats.

The description of an organization's structure, capabilities, and value streams that aligns business strategy with tactical execution.

Under HIPAA, a person or entity that performs certain functions or activities involving the use or disclosure of Protected Health Information on behalf of a covered entity. Business associates must comply with HIPAA Security and Breach Notification Rules.

A HIPAA-required contract between a covered entity and a business associate that establishes permissible uses and disclosures of PHI.

A legally binding contract between a HIPAA covered entity and a business associate that establishes the permitted and required uses and disclosures of Protected Health Information. BAAs are mandatory under HIPAA.

The capability of an organisation to continue delivering products or services at acceptable levels following a disruptive incident. Governed by frameworks like ISO 22301.

A holistic management process that identifies potential threats and their impacts, providing a framework for building organizational resilience.

A documented strategy defining how an organization will continue to operate during and after a significant disruption to its normal business operations.

A high-level statement of an organization's commitment to maintaining operational continuity and defining the scope and objectives of its BCM program.

Exercises and tests conducted to validate that business continuity plans are effective, current, and capable of achieving recovery objectives.

A sophisticated scam targeting organisations that conduct wire transfers or handle sensitive financial data. Attackers impersonate executives or trusted partners to trick employees into transferring funds or disclosing confidential information.

A systematic process for identifying and evaluating the potential effects of disruptions to critical business operations and processes.

The discipline of managing and optimizing an organization's business processes to improve efficiency, effectiveness, and adaptability.

The process of returning to normal business operations after a disruption, including verification that all critical functions are restored.

The potential for events or conditions to adversely affect an organization's ability to achieve its business objectives and maintain operations.

US federal law that establishes requirements for commercial email messages, gives recipients the right to opt out of receiving them, and imposes penalties for violations. CAN-SPAM does not require prior consent for commercial emails.

A challenge-response test used to determine whether a user is human or an automated bot. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

A security policy enforcement point placed between cloud service consumers and providers to combine and interject enterprise security policies as cloud resources are accessed. CASBs provide visibility, compliance, data security, and threat protection.

The California Consumer Privacy Act gives California residents rights over their personal information including the right to know, delete, and opt out of sale.

California's consumer privacy law, amended by CPRA in 2023. Gives consumers rights over their personal information including the right to know, delete, opt-out, and non-discrimination.

The right of California consumers under the CCPA to direct a business that sells their personal information to stop selling it. Businesses must provide a clear 'Do Not Sell My Personal Information' link on their website.

The three core principles of information security: Confidentiality, Integrity, and Availability, forming the foundation of security program design.

Consensus-based configuration guidelines developed by the Center for Internet Security for securely configuring IT systems and applications.

A prioritized set of cybersecurity best practices developed by the Center for Internet Security to help organizations defend against common cyber threats.

The Cybersecurity and Infrastructure Security Agency, a US government agency responsible for protecting critical infrastructure from cyber and physical threats.

Certified Information Systems Auditor, an ISACA certification for professionals who audit, control, monitor, and assess IT and business systems.

Certified Information Security Manager, an ISACA certification for professionals who manage, design, and oversee enterprise information security.

The Chief Information Security Officer is the senior executive responsible for establishing and maintaining an organization's information security strategy, policies, and operations.

The senior executive responsible for an organisation's information security strategy, policies, and operations. Reports to the CEO, CIO, or board depending on the organisation.

Certified Information Systems Security Professional, a widely recognized certification for experienced security practitioners, managers, and executives.

The Cybersecurity Maturity Model Certification is a US Department of Defense framework requiring defense contractors to implement cybersecurity practices at specified maturity levels.

A US Department of Defense framework requiring defence contractors to demonstrate cybersecurity maturity across five levels. Based on NIST 800-171 controls.

Control Objectives for Information and Related Technologies, an IT governance framework by ISACA. COBIT 2019 provides 40 governance and management objectives across five domains.

The internal control framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. COSO defines five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.

An Australian Prudential Regulation Authority (APRA) standard that requires regulated entities to maintain an information security capability commensurate with information security vulnerabilities and threats.

Certified in Risk and Information Systems Control, an ISACA certification for professionals who identify and manage IT and enterprise risk.

The Cloud Security Alliance Security Trust Assurance and Risk program, a framework for assessing the security posture of cloud service providers.

Common Vulnerabilities and Exposures, a catalog of publicly known cybersecurity vulnerabilities identified by unique CVE ID numbers.

The Common Vulnerability Scoring System provides a standardized method for rating the severity of security vulnerabilities on a scale of 0 to 10.

Measures to protect network cabling from physical tampering, interception, and accidental damage that could compromise data confidentiality or availability.

An attack that corrupts cached data to redirect users to malicious destinations, commonly targeting DNS caches and web application caches.

A California state law that gives consumers more control over the personal information that businesses collect about them. CCPA provides rights to know, delete, opt-out of sale, and non-discrimination.

A California state law (CPRA) that amends and expands the CCPA, establishing the California Privacy Protection Agency and adding new consumer privacy rights.

An amendment to the CCPA that expanded consumer privacy rights, created the California Privacy Protection Agency, and introduced new concepts such as sensitive personal information and the right to correction.

A social engineering technique where phishing emails instruct victims to call a phone number controlled by the attacker for further manipulation.

A digital tripwire deployed within a network or data set that triggers an alert when accessed, providing early detection of unauthorized activity.

A framework for assessing and improving an organization's processes and capabilities across defined maturity levels from initial to optimized.

The process of ensuring that IT resources and infrastructure are sufficient to meet current and future business requirements.

The process of determining the production capacity needed by an organization to meet changing demands for its products and services.

A risk event with the potential for severe, widespread, and potentially irreversible damage to an organization's operations, reputation, or survival.

A trusted entity that issues digital certificates used to verify the identity of individuals, organisations, or devices. Certificate Authorities form the basis of the Public Key Infrastructure (PKI) trust model.

The processes for managing the lifecycle of digital certificates including issuance, renewal, revocation, and key storage.

A security technique that associates a host with its expected public key or certificate, preventing man-in-the-middle attacks by rejecting certificates that do not match the pinned values.

The invalidation of a digital certificate before its scheduled expiration date, typically due to key compromise or change of entity information.

A list published by a certificate authority of digital certificates that have been revoked before their expiration date.

A formal document certifying that an organization, product, or process meets specified regulatory or standard requirements.

Formal attestation by an accredited body that an organisation's management system meets the requirements of a specific standard (e.g., ISO 27001, ISO 9001).

A formal assessment conducted by an accredited certification body to determine whether an organisation's management system meets the requirements of a standard such as ISO 27001, ISO 9001, or ISO 22301.

An accredited organization authorized to conduct audits and issue certifications confirming that management systems meet international standards.

The complete sequence of initial certification audit, surveillance audits, and recertification audit, typically spanning a three-year period.

The ongoing activities required to keep a certification valid, including surveillance audits, continuous improvement, and management reviews.

A voluntary process under GDPR through which organizations demonstrate compliance with data protection requirements through approved certification bodies.

The defined boundaries of what a certification covers, including the organizational units, processes, locations, and standards included.

A certification demonstrating competency in ethical hacking techniques, penetration testing, and vulnerability assessment methodologies.

The documented process of maintaining and tracking evidence from collection through presentation. In digital forensics, chain of custody ensures that evidence is admissible and has not been tampered with.

A group of stakeholders that evaluates and approves or rejects proposed changes to IT systems and infrastructure based on risk assessment.

A body that exists to approve changes and assist in the assessment and prioritisation of changes. CABs are a core component of ITIL change management and help balance the need for change with the risk of disruption.

A formal process for managing changes to systems, processes, and configurations to minimize disruption and maintain system integrity.

The processes, tools, and techniques for managing the people side of change to achieve required business outcomes, or the IT process for controlling modifications to hardware, software, and documentation to protect the environment from unintended consequences.

The senior executive responsible for overseeing and managing compliance issues within an organisation, ensuring that the company and its employees comply with all regulatory requirements and internal policies.

The senior executive responsible for managing an organisation's privacy programme, ensuring compliance with privacy laws and regulations, and establishing privacy policies and procedures.

The senior executive responsible for identifying, analysing, and mitigating internal and external events that could threaten an organisation. The CRO oversees the enterprise risk management function.

Legal frameworks and practices for protecting the personal information of children collected online, including COPPA requirements for parental consent.

A US federal law that imposes requirements on operators of websites or online services directed at children under 13 years of age. COPPA requires parental consent before collecting personal information from children.

China's comprehensive cybersecurity legislation that imposes requirements on network operators for data protection, security assessments, and data localization.

An algorithm for performing encryption or decryption of data. Ciphers transform plaintext into ciphertext (encryption) and back again (decryption) using a key.

The result of encryption performed on plaintext using an algorithm (cipher) and a key. Ciphertext is designed to be unintelligible without the corresponding decryption key.

A policy requiring employees to secure sensitive documents and removable media when leaving their workspace to prevent unauthorized access to information.

A web-based attack where a malicious site tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or taking control of their computer.

Video surveillance systems used for physical security monitoring of facilities, access points, and sensitive areas with recording capabilities.

A security policy enforcement point positioned between cloud service consumers and providers to monitor activity, enforce policies, and protect data.

A security policy enforcement point positioned between cloud service consumers and cloud providers. CASBs provide visibility into cloud application usage, data protection, threat detection, and compliance monitoring.

US legislation that allows law enforcement to compel US-based cloud providers to provide stored data regardless of where the data is physically located.

An entity that manages the use, performance, and delivery of cloud services, negotiating relationships between cloud providers and consumers.

The process of ensuring that cloud computing environments meet regulatory requirements, industry standards, and internal policies. Cloud compliance involves shared responsibility between the cloud provider and customer.

Processes and tools for maintaining secure and compliant configurations of cloud resources, preventing misconfigurations that lead to data exposure.

Security measures for protecting data stored, processed, and transmitted in cloud environments, including encryption, access controls, and data loss prevention.

The use of cryptographic algorithms to protect data at rest, in transit, and in use within cloud computing environments and services.

Digital forensic investigation techniques adapted for cloud computing environments, addressing unique challenges of multi-tenant and distributed systems.

Policies, processes, and controls for managing cloud adoption, usage, security, and compliance across an organization's cloud environments.

The management of user identities, authentication, and authorization across cloud services to ensure secure access to cloud resources.

Security practices for protecting the underlying infrastructure of cloud environments including virtual machines, networks, storage, and orchestration platforms.

Services and practices for managing cryptographic keys in cloud environments, including generation, storage, rotation, and access control of encryption keys.

The process of moving data, applications, and workloads from on-premises infrastructure to cloud computing environments.

Security planning and controls for safely transferring applications, data, and workloads from on-premises environments to cloud platforms.

The continuous observation of cloud resources, services, and applications to detect performance issues, security threats, and compliance violations.

Security practices and tools designed specifically for cloud-native architectures including containers, microservices, and serverless computing. Cloud native security shifts protection closer to the workload and incorporates security into the CI/CD pipeline.

Authorized security testing of cloud environments and applications to identify vulnerabilities, with specific considerations for cloud provider policies.

The set of policies, controls, procedures, and technologies that protect cloud-based systems, data, and infrastructure. Governed by the shared responsibility model between cloud provider and customer.

An industry organization dedicated to defining and raising awareness of best practices for securing cloud computing through research and education.

A non-profit organisation dedicated to defining and raising awareness of best practices for a secure cloud computing environment. CSA publishes the Cloud Controls Matrix and the STAR certification programme.

The design and implementation of security controls, policies, and technologies specifically for protecting cloud computing environments and services.

A category of security tools that continuously monitor cloud infrastructure for gaps in security policy enforcement. CSPM solutions identify misconfigurations, compliance violations, and security risks across multi-cloud environments.

Tools and practices that continuously monitor cloud environments for security misconfigurations, compliance violations, and risks. CSPM automates the identification and remediation of cloud security issues.

A contract defining the performance, availability, security, and support commitments between a cloud service provider and its customer.

A framework that delineates security responsibilities between cloud service providers and customers based on the type of cloud service used.

Security solutions that protect workloads running in cloud environments from vulnerabilities, malware, and unauthorized access across their lifecycle.

A security solution that protects server workloads across cloud, hybrid, and on-premises environments. CWPPs provide capabilities including vulnerability management, network segmentation, system integrity monitoring, and application control.

The systematic examination of source code to identify security vulnerabilities, coding errors, and deviations from secure coding standards before deployment.

The process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.

A set of rules outlining the norms, responsibilities, and proper practices for an individual or organisation. Codes of conduct set ethical standards and are required by many regulatory frameworks including SOX and industry regulations.

A document establishing ethical principles and expected behaviors for professionals in a field, particularly in cybersecurity and auditing.

A backup facility that has the basic infrastructure (power, networking, cooling) but no pre-installed hardware or data. Cold sites are the least expensive disaster recovery option but have the longest recovery time.

An approach where organizations share threat intelligence, best practices, and resources to collectively improve their security posture.

Database encryption applied to specific columns containing sensitive data, protecting individual data fields while allowing queries on unencrypted columns.

An approach that coordinates various assurance providers to optimize risk and control coverage while minimizing duplication of effort.

The infrastructure and communication channels used by attackers to maintain remote control over compromised systems within a target network.

The infrastructure and communication channels used by attackers to maintain control over compromised systems. C2 servers issue commands to malware or botnets and receive exfiltrated data.

A formal document that defines a committee's purpose, authority, composition, meeting frequency, and responsibilities within the governance structure.

An international standard (ISO/IEC 15408) for computer security certification that provides a framework for evaluating the security properties of IT products. Common Criteria evaluations are mutually recognised by 31 countries.

A documented strategy for communicating with internal and external stakeholders during security incidents, including templates and escalation procedures.

The restoration of communication systems and channels following a disruption, ensuring stakeholders can be reached and information can flow.

An industry certification validating baseline cybersecurity skills including threat assessment, security operations, and incident response.

The principle of restricting information access so that individuals only know what they need for their specific responsibilities.

An alternative security measure employed when a primary control cannot be implemented. Must provide an equivalent level of protection and be documented with justification.

Processes for receiving, investigating, and resolving complaints from data subjects about the handling of their personal information.

The state of conforming to laws, regulations, standards, or internal policies. In information security, compliance is typically demonstrated through audits, certifications, and continuous monitoring.

The structural design of an organization's compliance program, including technology, processes, and roles that support regulatory adherence.

A formal evaluation of an organization's adherence to specific regulatory requirements, standards, or internal policies.

A formal document presenting the results of a compliance evaluation including findings, evidence, and recommendations.

An examination that evaluates whether an organization adheres to applicable laws, regulations, standards, and internal policies.

The use of technology to automate compliance monitoring, evidence collection, control testing, and reporting activities. Compliance automation platforms reduce manual effort and provide continuous compliance visibility.

Programs and activities designed to educate employees about compliance obligations, ethical standards, and the consequences of non-compliance.

The minimum set of compliance requirements that an organization must meet, serving as a starting point for building a comprehensive compliance program.

The financial resources allocated to compliance activities including assessments, technology, training, and remediation.

A tool for tracking regulatory deadlines, filing dates, audit schedules, and compliance milestones to ensure timely fulfillment of all obligations.

A formal document issued upon successful completion of a compliance assessment, confirming that an organization meets specific requirements.

A defined point in a business process where compliance with relevant regulations and policies is verified before proceeding.

Specific measures implemented to ensure adherence to regulatory requirements, including technical controls, policies, and procedures.

An individual responsible for coordinating compliance activities across departments and ensuring consistent adherence to regulatory requirements.

An organizational environment where employees at all levels understand, value, and actively support compliance with laws, regulations, and ethical standards.

A visual display providing real-time status of an organization's compliance posture across multiple regulations, standards, and internal policies.

The collection of policies, procedures, records, and evidence maintained to demonstrate adherence to regulatory and standard requirements.

Documentation and records that demonstrate an organization's adherence to specific regulatory requirements or standards.

A structured set of guidelines, best practices, and standards that organisations follow to meet regulatory requirements, manage risks, and demonstrate compliance. Examples include ISO 27001, SOC 2, NIST CSF, and GDPR.

The process of identifying correspondences between requirements across different compliance frameworks to enable efficient multi-standard adherence.

A deficiency identified between an organization's current practices and the requirements of a specific regulation, standard, or framework.

A confidential reporting channel for employees and stakeholders to report suspected compliance violations, fraud, or ethical concerns.

A formal inquiry into suspected violations of laws, regulations, or organizational policies to determine facts and appropriate corrective actions.

The ongoing cycle of identifying requirements, implementing controls, monitoring compliance, reporting, and continuously improving the compliance program.

An integrated set of policies, processes, and tools used to systematically manage an organization's compliance with legal and regulatory requirements.

The level of sophistication and effectiveness of an organization's compliance program, measured against defined capability levels.

The use of metrics and indicators to quantitatively assess an organization's level of compliance with applicable requirements.

The ongoing process of verifying that an organisation continues to meet its compliance obligations. Compliance monitoring includes regular assessments, control testing, policy reviews, and metrics tracking.

A legal or regulatory requirement that an organization must fulfill to avoid penalties, sanctions, or other adverse consequences.

A designated individual responsible for overseeing and managing an organization's compliance program, ensuring adherence to laws and regulations.

The governance function responsible for monitoring, evaluating, and reporting on the effectiveness of an organization's compliance activities.

A formal document establishing an organization's commitment to compliance and defining the principles, responsibilities, and expectations for regulatory adherence.

A comprehensive system of policies, procedures, training, and oversight designed to ensure an organization meets all applicable legal and regulatory requirements.

A structured set of internal policies, procedures, training, and monitoring activities designed to ensure an organisation adheres to applicable laws, regulations, and industry standards.

A comprehensive inventory of all applicable laws, regulations, standards, and contractual obligations relevant to an organization.

The process of generating and submitting reports to regulatory bodies, management, or stakeholders demonstrating adherence to compliance requirements.

A systematic examination of an organization's practices, controls, and documentation to verify adherence to applicable compliance requirements.

The potential for legal penalties, financial loss, or reputational damage arising from an organization's failure to comply with laws, regulations, or standards.

An evaluation of the risks associated with failing to comply with applicable laws, regulations, and standards.

A strategic plan outlining the steps, timeline, and milestones for achieving and maintaining compliance with specific regulations or standards.

The defined boundaries of what a compliance program covers, including applicable regulations, organizational units, and geographic locations.

The process of verifying that systems, processes, and controls function as intended and meet the requirements of applicable regulations and standards.

Educational programs designed to ensure employees understand their compliance obligations and can fulfill their roles in maintaining regulatory adherence.

The process of confirming through evidence and testing that an organization meets specific compliance requirements.

The defined sequence of activities and approvals required to complete a compliance-related task or process.

The practice of defining compliance policies and controls as machine-readable code that can be automatically tested and enforced.

An organization that handles cybersecurity incidents and coordinates responses, providing technical guidance and threat intelligence.

The application of investigation and analysis techniques to gather and preserve evidence from a computer system in a way that is suitable for presentation in a court of law.

An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of a computer system or the data it processes.

A field of artificial intelligence that enables machines to interpret and understand visual information from the world. Computer vision applications raise privacy concerns when used for facial recognition and surveillance.

The use of software tools and data analytics by auditors to analyze large data sets, test controls, and improve audit efficiency.

Software tools and techniques used by auditors to automate audit procedures such as data extraction, analysis, sampling, and control testing. CAATs improve audit efficiency and enable analysis of larger data sets.

The risk arising from overexposure to a single counterparty, sector, region, or system dependency that could amplify the impact of adverse events.

A security paradigm that protects data in use by performing computation in a hardware-based trusted execution environment. Confidential computing prevents unauthorised access to data even from the infrastructure provider.

The principle of ensuring that information is accessible only to authorised individuals, entities, or processes. One of the three pillars of information security (CIA triad).

An examination of system configurations to verify they comply with security baselines, standards, and organizational requirements.

A documented and agreed-upon specification of a system's configuration at a specific point in time, used as a reference for managing changes.

The adherence of system configurations to defined security baselines and hardening standards.

A component of IT infrastructure that needs to be managed to deliver services, tracked and maintained through configuration management.

A process for systematically managing, organizing, and controlling changes to system configurations to maintain integrity and traceability.

A repository that stores information about the configuration items (CIs) and their relationships within an IT environment. CMDBs support change management, incident management, and compliance reporting.

A documented specification of approved settings and parameters for configuring systems securely and consistently.

A lawful basis for processing personal data under GDPR that requires a clear, specific, informed, and unambiguous indication of the data subject's agreement to their data being processed. Consent must be freely given and as easy to withdraw as to give.

A legally binding agreement between a regulatory body and an organization that resolves compliance violations and mandates specific corrective actions.

Systems and processes for obtaining, recording, and managing user consent for the collection, processing, and sharing of personal data in compliance with privacy laws.

Technology that helps organizations collect, store, and manage user consent preferences for data processing activities and cookie usage on websites and applications.

A technology solution that enables websites and apps to collect, store, and manage user consent for data processing activities. CMPs help organisations comply with privacy regulations such as GDPR and ePrivacy Directive.

A regulatory enforcement action requiring an organization to take specific corrective actions to address compliance violations.

A record or receipt provided to a data subject confirming the details of the consent they have given for data processing.

The right of individuals to revoke their previously given consent for data processing, requiring organizations to cease processing based on that consent.

Regulatory requirements governing construction practices including building codes, safety standards, environmental regulations, and labor laws.

Regulations and practices designed to protect consumers in financial transactions, ensuring fair lending, transparent disclosure, and responsible practices.

Laws and regulations designed to safeguard consumers from unfair business practices, fraud, and harmful products or services.

Security practices for protecting container orchestration platforms like Kubernetes, including access control, network policies, and secrets management.

The practice of protecting containerised applications throughout their lifecycle, from image creation to runtime. Container security addresses image scanning, runtime protection, network policies, and orchestration platform security.

Technology that screens and restricts access to web content, email, or data transfers based on predefined policies to prevent exposure to malicious or inappropriate material.

The practice of monitoring and managing user-generated content on platforms to ensure compliance with policies, laws, and community standards.

A plan for maintaining or restoring business operations when disruptive events occur, covering both prevention and recovery activities.

A federal government initiative ensuring that agencies are able to continue performance of essential functions during emergencies.

An audit approach that uses technology to produce audit results simultaneously with, or shortly after, the occurrence of relevant events. Continuous auditing provides real-time assurance and enables faster identification of control failures.

An approach to compliance that replaces periodic point-in-time assessments with ongoing automated monitoring and evidence collection. Continuous compliance provides real-time visibility into the organisation's compliance posture.

Security controls integrated into continuous deployment pipelines to ensure code is scanned and validated before production release.

An ongoing effort to improve products, services, and processes incrementally over time through small, sustainable changes.

Security practices integrated into continuous integration pipelines, including automated scanning, testing, and policy enforcement during builds.

The ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions. Required by NIST SP 800-137 and recommended by most security frameworks.

An ongoing process of evaluating risks in real time rather than at periodic intervals, enabling more responsive risk management.

The ongoing process of validating that security controls, configurations, and compliance status remain effective and current.

Adherence to the specific terms, conditions, and obligations set forth in contracts and agreements with customers, vendors, and partners.

A measure (policy, procedure, technical mechanism, or physical safeguard) that modifies risk. Controls can prevent, detect, or correct security incidents.

The evaluation of a security or compliance control to determine whether it is properly designed and operating effectively.

The processes for providing confidence that controls are operating effectively and achieving their intended risk mitigation objectives.

A focused examination of specific controls to evaluate their design adequacy and operating effectiveness in achieving control objectives.

The use of technology to automatically implement, monitor, and enforce security and compliance controls without manual intervention.

The minimum set of security controls selected for a system based on its risk level and applicable regulatory requirements.

A comprehensive inventory of available security and compliance controls organized by type, function, and applicable framework requirements.

A weakness in the design or operation of a control that prevents it from effectively mitigating the intended risk or meeting its objective.

The process of defining the specifications and implementation approach for security and compliance controls to address identified risks.

Written records describing the design, implementation, operation, and effectiveness of security and compliance controls.

The degree to which a security or compliance control achieves its intended purpose in mitigating a specific risk or meeting a requirement.

The set of standards, processes, and structures that provide the foundation for carrying out internal control across an organisation. The control environment is established by leadership and sets the tone for the organisation.

Documentation, records, and artifacts that demonstrate a control exists, is properly designed, and operates effectively.

A structured set of controls organized into domains and objectives that provides a systematic approach to managing specific types of risk.

The process of identifying relationships between controls across different frameworks to enable efficient multi-standard compliance.

A deficiency identified when an organisation's existing controls do not fully meet the requirements of a target compliance framework or standard. Control gaps are identified through gap analysis and addressed through remediation plans.

The process of deploying and configuring security and compliance controls according to their design specifications and organizational requirements.

A comprehensive collection of defined security and compliance controls that an organization can select from based on its requirements.

The process of identifying relationships between controls in different frameworks. For example, mapping ISO 27001 Annex A controls to NIST 800-53 controls to identify overlap and gaps.

The ongoing assessment of control performance and effectiveness through testing, metrics, and automated monitoring tools.

A statement of the desired result or purpose to be achieved by implementing a control. Control objectives define what the organisation wants to achieve through its control activities and provide the basis for control design and assessment.

The individual responsible for the design, implementation, operation, and effectiveness of a specific security or compliance control.

The process of optimizing the control environment by eliminating redundant controls and ensuring each control serves a distinct purpose.

A process where operational teams evaluate the effectiveness of their own controls and risk management practices using structured methodology.

The process of evaluating whether controls are designed appropriately and operating effectively to achieve their intended objectives. Control testing is a core component of compliance audits and attestation engagements.

The process of testing and verifying that implemented controls function as intended and effectively mitigate their associated risks.

Regulatory requirements and best practices for deploying chatbots and virtual assistants that handle personal data, make decisions, or interact with consumers.

The requirement under privacy regulations to obtain user permission before placing non-essential cookies on their device. Cookie consent mechanisms must provide clear information about cookie purposes and allow granular choices.

A document that explains what cookies a website uses, their purposes, and how users can manage their cookie preferences.

An organization's adherence to laws, regulations, standards, and internal policies that govern its operations and business practices.

The system of rules, practices, and processes by which an organisation is directed and controlled. Corporate governance balances the interests of stakeholders including shareholders, management, customers, suppliers, government, and the community.

Action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. A key concept in ISO management systems.

A documented set of steps to address audit findings, control deficiencies, or non-conformities, including timelines and responsible parties.

A security control designed to restore systems and processes to their expected state after a security incident or policy violation has been detected.

A predefined logic pattern in SIEM systems that triggers alerts when specific combinations of events or conditions are detected across log sources.

Measures to prevent the use of counterfeit hardware, software, or components that could introduce vulnerabilities or compromise system integrity.

An action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, minimizing harm, or enabling discovery.

Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits any health information electronically. Covered entities must comply with all HIPAA Administrative Simplification rules.

A communication path that was not designed for information transfer but can be exploited to secretly transmit data in violation of security policies.

Techniques used by attackers to collect login credentials through methods such as phishing sites, keyloggers, or memory scraping tools.

The processes and tools for securely creating, storing, distributing, rotating, and revoking user credentials throughout their lifecycle.

The practice of regularly changing passwords, keys, certificates, and other credentials to limit the window of exposure from compromised credentials.

An automated attack that uses stolen username-password pairs from previous data breaches to attempt to log into other services. Exploits the tendency of users to reuse passwords across multiple sites.

The processes and protocols for communicating with internal and external stakeholders during a crisis to manage information flow and maintain trust.

The process by which an organization responds to and manages the impact of a major unpredictable event that threatens to harm the organization.

A documented guide for responding to major disruptions, defining leadership roles, communication protocols, and decision-making processes during a crisis.

A designated group of senior leaders responsible for making strategic decisions and coordinating the organization's response during a crisis.

An information asset, system, or resource whose compromise, loss, or failure would have a severe impact on the organization's operations or objectives.

Systems, assets, and networks (whether physical or virtual) so vital to a nation that their incapacitation or destruction would have a debilitating impact on security, economic stability, public health, or safety.

Regulations and security measures to protect essential services and systems such as energy, water, transportation, and healthcare from disruption.

An information system whose failure or compromise would have severe consequences for the organization's operations or mission.

Managing compliance obligations across multiple jurisdictions, addressing conflicting or overlapping regulatory requirements in different countries.

The movement of personal data from one jurisdiction to another. Cross-border transfers are regulated under GDPR, LGPD, and other privacy laws and typically require adequate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.

The practice of monitoring user activity across multiple devices such as phones, tablets, and computers to build comprehensive behavioral profiles.

The discipline of identifying equivalent or related controls across multiple compliance frameworks. Enables unified control sets and reduces duplicate compliance effort.

A team composed of members from different departments or disciplines working together on shared objectives such as security or compliance.

A web security vulnerability that tricks authenticated users into submitting unintended requests to a web application, potentially performing unauthorized actions.

A web application vulnerability that tricks an authenticated user into submitting unintended requests to a web application. CSRF attacks exploit the trust that a site has in the user's browser.

A web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, enabling data theft or session hijacking.

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS attacks can steal session cookies, redirect users, or deface websites.

The study of analysing and breaking cryptographic systems. Cryptanalysis involves finding weaknesses in the mathematical algorithms or implementation of encryption schemes.

The ability of a system to quickly transition between different cryptographic algorithms and protocols in response to new threats or requirements.

Regulations governing cryptocurrency transactions including anti-money laundering requirements, tax reporting, and consumer protection.

A mathematical algorithm that maps data of arbitrary size to a fixed-size bit string (hash value). Hash functions are one-way, deterministic, and designed so that even a small change in input produces a dramatically different output.

A piece of information used by a cryptographic algorithm to transform plaintext into ciphertext or vice versa. Key security is fundamental to the strength of any cryptographic system.

The administration of cryptographic keys throughout their lifecycle including generation, distribution, storage, rotation, revocation, and destruction.

The unauthorized use of someone else's computing resources to mine cryptocurrency, typically delivered through malicious scripts on websites or compromised systems.

The knowledge and attitudes that members of an organization possess regarding the protection of information assets and cybersecurity best practices.

Security techniques that use decoys, misdirection, and disinformation to confuse attackers, detect intrusions, and gather intelligence about adversary methods.

State-sponsored or organized cyber operations aimed at stealing sensitive government, military, or corporate information.

A UK government-backed certification scheme that helps organisations protect against the most common cyber threats. Cyber Essentials covers five technical controls: firewalls, secure configuration, access control, malware protection, and patch management.

An observable occurrence in cyberspace that may or may not have security implications, requiring analysis to determine significance.

Routine practices and steps that users and organizations take to maintain system health and improve online security, similar to personal health hygiene.

An event that actually or imminently jeopardizes the confidentiality, integrity, or availability of information or information systems.

Insurance coverage designed to protect organisations against financial losses resulting from cyber incidents such as data breaches, ransomware attacks, and business interruption caused by cyber events.

An insurance product designed to protect organizations from the financial impacts of cybersecurity incidents including data breaches and ransomware.

The process by which insurers evaluate an organization's cybersecurity posture and risk profile to determine coverage terms and premiums.

A model developed by Lockheed Martin that describes the stages of a cyber attack: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.

Legal and financial exposure arising from cybersecurity incidents, including costs of breach response, regulatory fines, and third-party claims.

A system integrating computation, networking, and physical processes where embedded computers monitor and control physical operations.

A simulated environment used for cybersecurity training, testing, and exercises that replicates real-world networks and scenarios without impacting production systems.

An organisation's ability to continuously deliver intended outcomes despite adverse cyber events. Goes beyond cybersecurity to include preparedness, response, and recovery.

A systematic evaluation of threats, vulnerabilities, and potential impacts to an organization's digital assets and information systems.

The process of calculating the potential financial impact of cyber risks using statistical models, enabling data-driven security investment decisions.

A potential cyber attack that could compromise information systems, data, or services through exploitation of vulnerabilities.

A proactive security practice of searching through networks and datasets to detect advanced threats that evade existing automated security solutions.

Evidence-based knowledge about existing or emerging cyber threats that can be used to inform decisions regarding the organisation's response to those threats. CTI includes indicators of compromise, threat actor profiles, and attack patterns.

The use of digital attacks by nation-states to disrupt, damage, or destroy another nation's computer systems and critical infrastructure.

The practice of protecting systems, networks, and programs from digital attacks that aim to access, change, or destroy sensitive information.

A structured set of guidelines and best practices for managing cybersecurity risk, helping organizations assess and improve their security posture.

The level of sophistication and effectiveness of an organization's cybersecurity practices, measured against a defined scale of capability levels.

An architectural approach that distributes security controls to individual access points rather than a centralized perimeter, enabling more flexible security.

A comprehensive set of policies, procedures, technologies, and personnel dedicated to protecting an organization's digital assets and managing cyber risk.

The potential for financial loss, operational disruption, or reputational damage resulting from the failure of digital technologies and cyber threats.

A high-level plan that defines an organization's approach to managing cybersecurity risk and protecting its digital assets over a defined period.

The personnel responsible for protecting an organization's digital assets, including their skills development, certification, and career pathway management.

Defence Information Systems Agency Security Technical Implementation Guides that provide technical security configuration standards for US Department of Defense information systems. STIGs are based on NIST SP 800-53 controls.

A demilitarized zone is a network segment that acts as a buffer between an organization's internal network and the external internet, hosting public-facing services.

A security technique that blocks access to malicious or unwanted domains by filtering DNS queries based on threat intelligence and policy.

Measures to protect the Domain Name System from attacks such as DNS spoofing, cache poisoning, and hijacking that redirect users to malicious sites.

A suite of specifications for securing information provided by the Domain Name System. DNSSEC adds cryptographic signatures to DNS records to protect against cache poisoning and spoofing attacks.

A protocol that encrypts DNS queries within HTTPS connections to prevent eavesdropping and manipulation of DNS traffic.

Domain Name System Security Extensions, a suite of specifications that adds authentication to DNS responses to protect against cache poisoning and spoofing attacks.

Data Protection Officer certification validating expertise in data protection laws, privacy management, and regulatory compliance.

A deceptive user interface design that tricks users into making unintended choices, increasingly subject to regulatory scrutiny and prohibition.

The practice of scanning dark web forums, marketplaces, and data dumps for an organization's compromised credentials, data, or mentions to enable early response.

The principle that personal data must be accurate, kept up to date, and corrected or erased when inaccuracies are identified.

Techniques applied to personal data to prevent identification of individuals, including generalization, suppression, noise addition, and data swapping methods.

Specific methods for anonymizing data including k-anonymity, l-diversity, t-closeness, differential privacy, and synthetic data generation.

The design of an organization's data structures, policies, and standards that govern how data is collected, stored, and used.

A comprehensive review of an organization's data processing activities to assess compliance with data protection laws and identify privacy risks.

The process of creating copies of data that can be used to restore the original in the event of data loss, corruption, or disaster.

An incident where confidential, private, or protected data is accessed, disclosed, or stolen by an unauthorised party. May trigger breach notification requirements under GDPR, HIPAA, or other regulations.

Legislation requiring organizations to notify affected individuals and authorities when personal data is compromised, with varying requirements by jurisdiction.

The legal obligation to inform affected individuals and regulatory authorities when personal data is compromised in a security incident within specified timeframes.

A documented set of procedures for responding to data breaches, including detection, containment, notification, and recovery steps.

An entity that collects personal information from various sources and sells or licenses it to other organizations for marketing, risk assessment, or other purposes.

A centralized inventory of an organization's data assets with metadata descriptions, ownership, lineage, and classification information to support governance and privacy.

Physical protection measures for data center facilities including perimeter security, access control, environmental monitoring, and video surveillance.

Physical and environmental security measures protecting data center facilities including access controls, surveillance, fire suppression, and power protection.

A classification system that rates data centers on their reliability and availability, from Tier I with basic infrastructure to Tier IV with fault tolerance.

The process of categorising data based on its sensitivity and the impact of unauthorised disclosure. Common levels: Public, Internal, Confidential, Restricted.

A secure environment where multiple parties can collaboratively analyze combined datasets without directly sharing or exposing raw personal data.