Terms and Jargon

Nearly every discipline has its vocabulary.

Below is a business-friendly glossary of cybersecurity terms and acronyms, written for both technical and non-technical readers. It covers key terms found in CMMC, HIPAA, HITRUST, SCF, NIST SP 800-171, NIST SP 800-53, NIST CSF, CIS Controls, PCI DSS, ISO 27001, and other privacy and compliance frameworks.


Access Control (AC): Policies or mechanisms ensuring only authorized users can view or use specific resources.

Access Control List (ACL): A list specifying which users or systems can access specific resources within a network or application.

Account Harvesting: The process of collecting legitimate account names on a system, often as a precursor to attacks.

Advanced Encryption Standard (AES): A symmetric block cipher standardized by NIST as FIPS 197 and adopted by the U.S. Government for protecting sensitive data. It supports 128-, 192- and 256-bit keys (AES-128, AES-192 and AES-256).

Advanced Persistent Threat (APT): A long-term, targeted cyberattack using stealth and sophistication to gain access to sensitive systems.

Antivirus: Software designed to detect and remove malware from computers and networks.

Asymmetric Cryptography: Encryption using a mathematically linked key pair. The public key can be shared freely to encrypt data or verify signatures; the private key is kept secret to decrypt data or create signatures. Used for secure key exchange and digital signatures; also called public-key cryptography.

Asset: Any item of value to an organization, such as data, devices, or infrastructure.

Asset Management: Cataloging and maintaining organizational assets to ensure protection and compliance.

Audit Trail: A record showing who accessed a system, when, and what actions were performed.

Authentication: The process of verifying a user, device, or system’s identity before granting access.

Authorization: Granting approved users specific permissions to access data or systems.

Availability: Ensuring systems and data are accessible and usable when needed.

Backup: A copy of data kept to restore operations after data loss or a cyber incident.

Baseline: A baseline is a documented set of minimum security controls, configurations, and standards established to protect systems and data. It serves as a benchmark for measuring security posture, ensuring compliance, and detecting deviations that may indicate risks or vulnerabilities.

Bastion Host: A deliberately hardened, minimally configured server exposed to an untrusted network, commonly as the single entry point (jump host) between the internet and internal systems. Because it is the expected point of attack, it runs only the services it needs and is closely monitored.

Biometrics: A security process that uses unique biological characteristics (fingerprints, facial recognition) to verify identity.

Bot/Botnet: A bot is automated software; a botnet is a network of infected devices used for malicious activities (DDoS, spam).

Brute Force Attack: Repeated, systematic attempts to guess passwords or encryption keys by trying many candidates. Rate limiting, account lockout and MFA limit its effectiveness against passwords; sufficiently long keys make it infeasible against modern ciphers.

Business Continuity Plan (BCP): A plan to ensure business operations continue after major disruptions.

Business Impact Analysis (BIA): Identifying the effects of business process disruptions.

Certificate-Based Authentication: A form of authentication that relies on digital certificates, typically used within a Public Key Infrastructure (PKI).

Change Management: Controlling changes to systems or processes to minimize risk and disruption.

Chief Information Security Officer (CISO): Senior executive responsible for an organization's cybersecurity.

Cloud Computing: Delivery of computing services via the internet instead of local servers.

Compliance: Adhering to legal, regulatory, or organizational standards.

Confidentiality: Ensuring data is only accessible to authorized parties.

Configuration Management: Maintaining system integrity by managing configuration changes securely.

Control (Security Control): Policies or mechanisms to reduce risk and achieve compliance. Also referred to as a safeguard or countermeasure.

Corrective Action Plan (CAP): Actions taken to fix identified compliance gaps.

Cyber-Attack: Attempt to gain unauthorized access, disrupt, steal, or damage digital assets.

Cybersecurity Maturity Model Certification (CMMC): DoD standard for assessing and improving cyber hygiene for defense contractors.

Data Breach: An incident where sensitive, protected, or confidential data is accessed or disclosed without authorization.

Data Classification: Assigning levels to data indicating required levels of security.

Data Custodian: The individual responsible for the stewardship, management, and safekeeping of an organization’s data.

Data Encryption: The process of converting data to an unreadable form unless decrypted with a key.

Data Loss Prevention (DLP): Tools and processes to prevent unauthorized sharing or leakage of sensitive data.

Data Owner: The person who has responsibility and authority for data assets.

Denial of Service (DoS/DDoS): Attacks that overload or cripple systems or networks so that legitimate users cannot reach them. A distributed DoS (DDoS) comes from many sources at once, typically a botnet, which makes it harder to block by source address.

Disaster Recovery: Strategies for restoring IT functions and data after a disruptive event.

Endpoint: Any device connected to an organization’s network (laptop, smartphone, server).

Endpoint Security: Measures to protect endpoints from being compromised by attacks, including a local firewall and anti-malware software.

Encryption: Using cryptography to make information unreadable to anyone who does not hold the corresponding key needed to reverse the process (decryption).

Federal Contract Information (FCI): Non-public information provided or generated for U.S. government contracts.

Firewall: A technology or device that controls network traffic according to security rules.

FIPS: Federal Information Processing Standards are publicly announced standards developed by NIST for use in government computer systems, for example FIPS 140-3 for cryptographic modules and FIPS 197 for AES. FIPS specifies security requirements, cryptographic algorithms, and data handling procedures to ensure consistent protection and interoperability across federal agencies, thereby supporting compliance with laws such as FISMA.

FISMA: The Federal Information Security Modernization Act is a U.S. federal law that establishes mandatory security standards and frameworks for protecting federal information systems. It requires agencies and contractors to implement, review, and report on security controls to ensure the confidentiality, integrity, and availability of government data and operations.

Framework: A set of best practices and guidelines for managing risk (e.g., NIST CSF, ISO 27001).

Governance: Establishing policies and procedures for guiding and managing cybersecurity efforts.

HIPAA: The Health Insurance Portability and Accountability Act, a U.S. law for protecting health information privacy and security.

HITRUST: A certifiable framework for managing data protection and compliance, especially in healthcare.

Identity and Access Management (IAM): Tools or processes to review and control user identities and permissions.

Incident Response: The process to detect, contain, eradicate, recover, and review cyber incidents.

Information Security (InfoSec): Protecting data and systems from unauthorized access, disclosure, modification, destruction, or disruption.

Infrastructure: Underlying technology (servers, networks, devices) needed for company operations.

Insider Threat: Security risks originating from within an organization (employees, contractors).

Internet of Things (IoT): IoT refers to a network of interconnected physical devices embedded with sensors, software, and connectivity, allowing them to collect, share, and act on data autonomously or with minimal human intervention, frequently including OT and smart devices.

Intrusion Detection System (IDS): Technology that monitors networks or systems for malicious activity and raises alerts, without blocking the traffic itself.

Intrusion Prevention System (IPS): Technology that not only detects but also prevents attacks.

ISO 27001: International standard for information security management systems (ISMS).

Least Privilege: The strategy of giving users the minimum levels of access required to perform their tasks.

Log Management: Collecting, analyzing, and storing logs to detect anomalies or prove compliance.

Malware: Malicious software designed to harm, exploit, or otherwise compromise systems.

Managed Security Services Provider (MSSP): A third-party company delivering outsourced security monitoring and management.

Mandatory Access Control (MAC): Access policies enforced by the system based on security labels (such as classification levels) assigned to users and resources; individual users or resource owners cannot override them, unlike discretionary access control.

Multi-Factor Authentication (MFA): An access control method requiring two or more independent proofs of identity from different categories: something you know (a password), something you have (a hardware token or authenticator app), or something you are (a biometric). Two passwords are not MFA.

National Institute of Standards and Technology (NIST): A U.S. agency that develops cybersecurity frameworks and standards. NIST publications are publicly available. Many are required by Federal law for Federal agencies, but are very useful for private organizations. Other publications were explicitly designed for private organizations.

NIST CSF: The NIST Cybersecurity Framework is a widely adopted guideline for handling cybersecurity risk.

NIST RMF: The NIST Risk Management Framework is a structured, risk-based process used by federal agencies and organizations to identify, implement, assess, and monitor cybersecurity controls. It ensures effective management of security and privacy risks throughout an information system’s lifecycle while meeting the requirements of FISMA.

NIST SP 800-171: NIST Special Publication outlining controls to protect Controlled Unclassified Information (CUI).

NIST SP 800-53: NIST Special Publication with detailed controls for federal information systems.

One-day Attack (also 1-day or N-day): An attack that exploits a vulnerability for which a fix has already been published, often only days or hours earlier. It relies on the gap between public disclosure of the patch and its application by users; attackers can compare the patched and unpatched code to locate the flaw.

Operational Technology (OT): Refers to hardware and software that monitors or controls physical devices, processes, and infrastructure in industrial environments—such as manufacturing, utilities, or transportation—distinct from IT, which manages business data and applications.

Patch Management: Applying software updates to close security vulnerabilities.

Payment Card Industry Data Security Standard (PCI DSS): Standard for securing credit card data.

Penetration Test (Pen Test): Simulated attack to uncover weaknesses in systems or applications.

Personally Identifiable Information (PII): Information that can be used to identify an individual.

Phishing: A social engineering attack where attackers trick users into revealing confidential information.

Physical Security: Securing physical premises to prevent unauthorized access to assets.

Plan of Action and Milestones (POA&M): A document identifying tasks needing completion to address security weaknesses.

Policy: A documented set of rules or principles guiding decisions and actions.

Privacy Impact Assessment (PIA): Analyzing how systems/processes impact individual privacy.

Privacy: The right and expectation of individuals to control their personal information.

Privileged Account: Accounts with higher-level access to systems or data/settings.

Privilege Escalation: Gaining unauthorized, elevated access to resources.

Protected Health Information (PHI): Information about health status, provision of care, or payment related to healthcare.

Public Key Infrastructure (PKI): Framework for managing digital certificates and encryption keys.

Recovery Point Objective (RPO): The maximum amount of data loss a business can tolerate, expressed as a span of time (an RPO of one hour means backups or replication must capture changes at least hourly).

Recovery Time Objective (RTO): The maximum time a business can tolerate data/service downtime.

Remote Access: Ability to connect to a system or data from a location outside the organization.

Residual Risk: Remaining risk after mitigation measures are implemented.

Risk Assessment: Identification and evaluation of risks to organizational operations.

Risk Management: Ongoing identification, assessment, and prioritization of security risks.

Role-Based Access Control (RBAC): Access decisions are made based on a user’s assigned roles.

SCF (Secure Controls Framework): A comprehensive cybersecurity and privacy control framework whose controls are mapped to major standards and regulations, so that one control set can be used to satisfy several of them.

Security Awareness Training: Programs to teach staff about recognizing and preventing cyber threats.

Security Control Assessment (SCA): Evaluation of safeguards and countermeasures to determine their effectiveness.

Security Incident: Any event that threatens the confidentiality, integrity, or availability of data/systems.

Security Information and Event Management (SIEM): Tools to collect and analyze security event data in real time.

Separation of Duties: Dividing tasks and privileges among multiple people to prevent fraud or error.
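The Least Privilege, Role-Based Access Control and Separation of Duties entries describe rules that are easy to state and easy to get wrong in code. The following is an added example, not part of this glossary, of a small default-deny authorization check that enforces both static separation of duties (conflicting roles cannot be assigned to one person) and dynamic separation of duties (an approver cannot approve their own request). The roles, permissions and invoice workflow are hypothetical and constructed for this example.

```python
# Hypothetical roles and the permissions each grants (constructed for this example).
# Each role carries only what that job needs: least privilege by construction.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor":     {"invoice:read", "audit_log:read"},
}

# Static separation of duties: role pairs that one person must never hold together.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}


class PolicyError(ValueError):
    """Raised when an assignment or action violates policy."""


def assign_roles(user_roles: dict, user: str, roles: set) -> dict:
    """Return a new user->roles table with `roles` added for `user`.

    Refuses unknown roles and any combination that violates SOD_CONFLICTS,
    so a violation is blocked at assignment time rather than at use time.
    """
    new_roles = set(user_roles.get(user, set())) | set(roles)
    unknown = new_roles - set(ROLE_PERMISSIONS)
    if unknown:
        raise PolicyError(f"unknown role(s): {sorted(unknown)}")
    for conflict in SOD_CONFLICTS:
        if conflict <= new_roles:
            raise PolicyError(f"{user}: roles {sorted(conflict)} conflict (separation of duties)")
    updated = dict(user_roles)
    updated[user] = new_roles
    return updated


def is_authorized(user_roles: dict, user: str, permission: str) -> bool:
    """Default deny: a user has exactly the permissions their roles grant.
    An unknown user has no roles and therefore no permissions."""
    return any(permission in ROLE_PERMISSIONS[r] for r in user_roles.get(user, ()))


def approve_invoice(user_roles: dict, invoice: dict, approver: str) -> dict:
    """Dynamic separation of duties, checked at the moment of the action:
    holding invoice:approve is necessary but not sufficient; the approver
    must also not be the person who created this particular invoice."""
    if not is_authorized(user_roles, approver, "invoice:approve"):
        raise PolicyError(f"{approver} lacks invoice:approve")
    if invoice["created_by"] == approver:
        raise PolicyError(f"{approver} cannot approve an invoice they created")
    return {**invoice, "approved_by": approver}


if __name__ == "__main__":
    roles = assign_roles({}, "bob", {"ap_clerk"})
    roles = assign_roles(roles, "carol", {"ap_approver"})
    invoice = {"id": 1, "created_by": "bob"}
    print(approve_invoice(roles, invoice, "carol"))
    try:
        assign_roles(roles, "bob", {"ap_approver"})
    except PolicyError as e:
        print("blocked:", e)
```

The two checks guard different failure modes: the static check stops an administrator from quietly granting one person both halves of a process, while the dynamic check still matters when the same person legitimately holds both permissions through a different path (temporary coverage, a merged department) and must not be allowed to approve their own work.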

Service Organization Control (SOC): A SOC audit report (SOC 1, SOC 2 or SOC 3, issued under the AICPA program now named System and Organization Controls) is an independent, third-party evaluation of a service organization's controls over financial reporting, security, availability, confidentiality or privacy, providing assurance and transparency to customers and stakeholders regarding risk management and compliance practices. Not to be confused with a Security Operations Center, which shares the acronym.

Single Sign-On (SSO): An authentication method that allows users to access multiple systems with one set of credentials.

Small Business Cybersecurity: Adjusted security best practices and standards appropriate for SMBs.

Smart Device: A smart device is an electronic device, often network-connected, capable of autonomous and interactive operation through sensors, processing, and communication, enabling it to collect, process, and exchange data, and often to automate tasks—for example, a smart switch, smart thermostat, or smart television.

Social Engineering: Manipulating people into disclosing confidential information.

Standard: A documented, mandatory set of technical specifications that security controls must meet (for example, required cipher suites or minimum password length); standards implement the requirements set out in policy.

Supply Chain Security: Ensuring external partners and suppliers do not pose cybersecurity risks.

System Security Plan (SSP): Description of system boundaries, environments, and security controls.

Threat: Any circumstance or event with the potential to cause harm to information or systems.

Threat Actor: An individual, group, or organization conducting malicious activity.

Tokenization: Replacing sensitive data with unique identification symbols (tokens) to protect the original data.

Two-Factor Authentication (2FA): See Multi-Factor Authentication.

User Provisioning: The process of creating, managing, and deactivating user accounts.

Virtual Chief Information Security Officer (vCISO): A consultant or consultancy firm hired to serve as a CISO, often on a part-time basis and also referred to as a fractional CISO.

Vulnerability: Weakness in a system or process that can be exploited.

Vulnerability Assessment: Systematic examination to identify and fix vulnerabilities.

White Hat: An ethical hacker performing authorized penetration testing.

Zero-Day: A vulnerability unknown to the vendor or the public (the vendor has had "zero days" to fix it) and for which no patch is available.

Zero-day Attack: An attack that exploits an undisclosed vulnerability for which no fix is available.