Your glossary for risk and compliance
Helpful definitions of all of the terms you need to know to better manage risk and compliance.
What are threat modeling frameworks and methodologies?

STRIDE
STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege.
1. Spoofing is when a computer or person pretends to be something they are not
2. Tampering refers to violating the integrity of data
3. Repudiation interferes with the process of linking an action to the person who did it
4. Information disclosure involves giving away sensitive information
5. DoS makes it impossible for legitimate users to use a resource
6. Elevation of privilege gives someone who already has some level of access unauthorized, higher access to a system or application

DREAD
DREAD stands for damage potential, reproducibility, exploitability, affected users, and discoverability.
1. Damage potential outlines how much damage can result from a negative event
2. Reproducibility determines how easy it is to replicate an attack
3. Exploitability refers to the ease with which an actor can launch an attack
4. Affected users details the percentage of users affected by the event
5. Discoverability examines how easy it is to locate the vulnerability

PASTA
The acronym PASTA stands for Process for Attack Simulation and Threat Analysis. It involves seven steps:
1. Definition of your objectives
2. Definition of the technical scope of the project
3. Decomposition
4. Analysis of threats
5. Analysis of weaknesses and vulnerabilities
6. Attack modeling
7. Analysis of the risk and impact on the business

VAST
VAST refers to Visual, Agile, and Simple Threat modeling. VAST is a foundational element of a threat modeling platform called ThreatModeler. VAST integrates within workflows designed using the principles of DevOps.

TRIKE
Trike is an open-source framework that seeks to defend a system instead of attempting to replicate how an actor may attack it. With the Trike framework, users make a model of the application or system they are defending. You then use the acronym CRUD to see who can:
1. Create data
2. Read data
3. Update data
4. Delete data
This is studied with the aid of a data flow diagram. The threats examined are either elevations of privilege or denials of service.

OCTAVE
OCTAVE refers to Operationally Critical Threat, Asset, and Vulnerability Evaluation. It was designed by Carnegie Mellon University. OCTAVE requires three different phases:
1. Building threat profiles based on specific assets
2. Identifying vulnerabilities in the infrastructure
3. Developing security strategies and plans

NIST
NIST refers to the National Institute of Standards and Technology, which has developed its own threat modeling system that focuses on data. NIST requires four phases:
1. Identifying the system and outlining how it works, including how it manages the data within or dependent on it
2. Ascertaining the applicable attack vectors the model will address
3. Figuring out the necessary security controls to mitigate attacks
4. Analyzing the model created to assess its effectiveness
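As an added illustration that is not part of the glossary, the Python below combines two of the methods above: STRIDE applied per data flow diagram element to enumerate candidate threats, then DREAD to score and rank them. The STRIDE-per-element applicability chart and the 1-10 mean scoring convention are assumptions taken from common Microsoft SDL practice rather than from the glossary text, and the login-service DFD and its ratings are constructed sample data.

```python
# STRIDE-per-element applicability chart (Microsoft SDL convention; an assumption
# not taken from the glossary): which STRIDE categories apply to each DFD element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def enumerate_threats(dfd):
    """STRIDE per element: one (element, category) candidate for each category
    applicable to the element's kind. dfd is a list of (name, kind) tuples."""
    return [(name, STRIDE_NAMES[c])
            for name, kind in dfd for c in STRIDE_PER_ELEMENT[kind]]


def dread_score(ratings):
    """DREAD risk score: mean of the five factors, each rated 1-10
    (the 1-10 mean convention is an assumption, not stated in the glossary)."""
    if any(not 1 <= ratings.get(f, 0) <= 10 for f in DREAD_FACTORS):
        raise ValueError("every DREAD factor must be rated 1-10")
    return sum(ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def rank_threats(threats, ratings_by_threat):
    """Rank the rated candidates highest DREAD score first; unrated ones await triage."""
    scored = [(t, dread_score(ratings_by_threat[t]))
              for t in threats if t in ratings_by_threat]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)


def login_service_example():
    """Constructed four-element DFD for a login service (sample data, not a real system)."""
    dfd = [("Browser", "external_entity"), ("Login service", "process"),
           ("Credentials DB", "data_store"), ("Browser->Login (HTTP)", "data_flow")]
    threats = enumerate_threats(dfd)  # 2 + 6 + 4 + 3 = 15 candidates
    ratings = {  # constructed DREAD ratings for two of the candidates
        ("Credentials DB", "Information disclosure"): dict(
            damage=10, reproducibility=8, exploitability=6, affected_users=10, discoverability=7),
        ("Browser->Login (HTTP)", "Tampering"): dict(
            damage=7, reproducibility=9, exploitability=8, affected_users=5, discoverability=9),
    }
    return threats, rank_threats(threats, ratings)
```

Calling login_service_example() returns the 15 STRIDE candidates and the two rated ones ranked, with the credentials-store disclosure (8.2) above the HTTP tampering (7.6).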