
Glossary of Key Terms

A

Acceptable use policies (AUPs) Formal written policies that describe proper and unacceptable behavior when using computer and network systems. For example, an acceptable use policy may set rules on what type of website browsing is permitted or if personal emails over the Internet are allowed.

Access control list (ACL) An implementation technique to control access to a resource by maintaining a table of authorized user IDs.

Active content Software or plug-ins that run within a client browser, usually on certain websites. Examples include Java applets, JavaScript, and ActiveX controls.

Agent In the context of distributed infrastructure, a piece of code that sits on a distributed device, such as the laptop or tablet of a mobile sales representative, to manage it. An agent typically reports the state of the device to the central server, reports any malware detected, and receives commands and updates.

Agentless central management tool In the context of distributed infrastructure, a piece of software housed on the central server that “pushes” changes, such as updates, to remote devices.

Apathy A state of indifference, or the suppression of emotions such as concern, excitement, motivation, and passion.

Application software Generally any business software that an end user (including customers) touches is considered an application. This includes email, word processing, and spreadsheet software.

Architecture operating model A framework for helping an organization understand how security controls are to be implemented. One common issue for the organization is that of centralization or decentralization of security within the business. An architecture operating model discussion can identify areas of disagreement and create a common set of beliefs on the proper placement and implementation of controls.

Architecture review committee A gateway committee that approves standard technologies and architectures.

Attribute-based access control (ABAC) An authorization control that relies on dynamic roles rather than the static roles of role-based access control. In ABAC, an expression of attributes describing the role is built dynamically at run time.

Audit The act of recording relevant security events that occur on a computing or network device (server, workstation, firewall, etc.). Can also refer to a review of business and financial processes and files by an auditor.

Audit committee A committee that deals with audit issues and nonfinancial risks.

Auditor An individual accountable for assessing the design and effectiveness of security policies. Auditors may be internal or external to an organization.

Authentication The process of determining the identity of an individual or device.

Authorization The process of granting permission to some people to access systems, applications, and data.

Automated control A security control that stops behavior immediately and does not rely on human decisions.

Automatic declassification Automatically removing a classification after a certain period of time, such as 25 years.

Availability Ensuring accessibility of information to authorized users when required.

B

Best fit access privileges An approach to granting systems access. Best fit privilege provides a group or class of users only the access they need to do their job. Compare with least access privileges, an approach that typically customizes access to individual users.

Best practices Leading techniques, methodologies, or technologies that through experience have proved to be very reliable. Best practices tend to produce consistent and quality results.

Bolt-on In terms of information security, refers to adding information security as a distinct layer of control. Bolt-on security is the opposite of integrated security, in which information security controls are an integral part of the process design and not a separate distinct layer.

Breach A confirmed event that compromises the confidentiality, integrity, or availability of information.

Bring your own device (BYOD) A policy of allowing employees, contractors, and others to sign on to their organization’s network with their own phones, computers, and other devices rather than equipment belonging to the organization.

Business as usual (BAU) A term used with reference to an organization’s budget, to mean normal spending. Integrating the costs of governance into an organization’s BAU budget makes these costs seem like a normal operating expense rather than something exceptional.

Business continuity plan (BCP) A plan on how to continue business after a disaster. A BCP includes a disaster recovery plan (DRP) as a component.

Business continuity representative An individual who understands the organization’s capability to restore the system, application, network, or data. This individual also has access to call lists to contact anyone in the organization during off hours.

Business impact analysis (BIA) A formal analysis to determine the impact on an organization in the event that key processes and technology are not available.

Business process reengineering (BPR) A management technique used to improve the efficiency and effectiveness of a process within an organization.

C

Chain of custody A legal term referring to how evidence is documented and protected. Evidence must be documented and protected from the time it’s obtained to the time it’s presented in court.

Change agent A person who challenges current thinking.

Change management The practice of managing upgrades to an IT system, including understanding the impact of change and knowing how to recover if something goes wrong.

Chief information officer (CIO) The person who determines the overall strategic direction and business contribution of the information systems function in an organization; often the one within the organization designated as accountable for information security.

Chief information security officer (CISO) The person within an organization responsible for securing anything related to digital information; this person often has a role in ensuring the organization’s compliance with the information security provisions of laws such as the Gramm-Leach-Bliley Act. Sometimes referred to simply as information security officer (ISO).

Chief privacy officer (CPO) Most senior leader responsible for managing risks related to data privacy.

Committee of Sponsoring Organizations (COSO) An organization that developed a framework for validating internal controls and managing enterprise risks; focuses on financial operations and risk management.

Communications plan Outlines what information is to be shared and how the information will be disseminated.

Compensating control A security control that achieves the desired outcome and policy intent, but doesn’t necessarily achieve it the way the policy says to do it. The outcome is the same, however.

Compliance The ability to reasonably ensure conformity and adherence to organization policies, standards, procedures, laws, and regulations.

Compliance officer An individual accountable for monitoring adherence to laws and regulations.

Compliance risk Relates to the impact on the business for failing to comply with legal obligations.

Computer-based training (CBT) Training done partly or fully on computer-based channels of communication, such as the Internet or through training software.

Confidential A level of government classification that refers to data in which unauthorized disclosure would reasonably be expected to cause some damage to the national security.

Confidentiality Limiting access to information/data to authorized users only.

Confidentiality agreement (CA) Legally binding agreements on the handling and disclosure of company material.

Configuration management (CM) A collection of activities that track system configuration. It starts with a baseline configuration. It continues through a system’s life cycle, including changing and monitoring configurations.

Consumer rights Established rules on how consumers and their information should be handled during an e-commerce transaction.

Contingent accounts Accounts used to recover a system in case of disaster; such accounts need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data. This elevated level of access makes such accounts prime targets for hackers.

Continuous improvement An ad hoc, ongoing effort to improve business products, services, or processes.

Contractors Temporary workers who can be assigned to any role.

Control environment The overall way in which an organization’s controls are governed and executed.

Control Objectives for Information and related Technology (COBIT) A widely accepted framework that brings together business and control requirements with technical issues.

Control partners People within an organization whose responsibility it is to offer an opinion on the soundness and impact of security policy. Control partners often work in the areas of internal audit or operational risk, or the compliance or legal departments of their organizations.

Coordinated operating model An operating model in which the technology solution shares data across the enterprise, but there is only minimal sharing and standardization of services.

Corrective control A security control that restores a system or process.

Critical infrastructure Assets that are essential for the society and economy to function, such as key elements of the transportation, energy, communications, banking, and other systems.

Cyberterrorism An attack that attempts to cause fear or major disruptions in a society through attacking government computers, major companies, or key areas of the economy.

D

Data administrator Implements policies and procedures such as backup, versioning, uploading, downloading, and database administration.

Data at rest The state of data stored on any type of media.

Data classification Level of protection based on data type.

Data custodian An individual responsible for the day-to-day maintenance of data and the quality of that data. May perform backups and recover data as needed. A data custodian also grants access based on approval from the data owner.

Data encryption The process of transforming data so that the actual information can be viewed only when the data is decrypted with a key.

Data in transit The state of data when traveling over or through a network.

Data leakage Unauthorized sharing of sensitive company information, whether intentional or accidental.

Data leakage protection (DLP) A formal program that reduces the likelihood of accidental or malicious loss of data. May also stand for data loss protection.

Data loss protection (DLP) A formal program that reduces the likelihood of accidental or malicious loss of data. May also stand for data leakage protection.

Data manager An individual who establishes procedures on how data should be handled.

Data owner An individual who approves user access rights to information that is needed to perform day-to-day operations.

Data privacy The laws that set expectations on how your personal information should be protected and place limits on how the data should be shared.

Data security administrator One who grants access rights and assesses information security threats to the organization.

Data steward Owner of data and approver of access rights; responsible for data quality.

Data user The end user of an application. A data user is accountable for handling data appropriately by understanding security policies and following approved processes and procedures.

Declassification The process of changing the status of classified data to unclassified data.

Defense in depth The approach of using multiple layers of security to protect against a single point of failure.

Demilitarized zone (DMZ) Taken from the military, a buffer between two opposing forces. With regards to networks, it is the segment that sits between the public Internet and a private local area network (LAN). A DMZ is built to protect private LANs from the Internet. It uses a series of firewalls, routers, IDSs, and/or IPSs. The DMZ is where public web servers, email servers, and public DNS servers are located.

Detective control A manual security control that identifies a behavior after it has happened.

Digital assets Any digital material owned by an organization, including text, graphics, audio, video, and animations.

Disaster recovery plan (DRP) A plan to recover an organization’s IT assets during a disaster, including software, data, and hardware.

Discovery management In the context of workstation central management systems, refers to processes that determine what is installed on a workstation. It could also refer to knowing what information sits on a workstation.

Distributed infrastructure A term for an organization’s collection of computers, including laptops, tablets, and smartphones, networked together and equipped with distributed system software, so that they work together as one, even though they are in various locations.

Diversified operating model An operating model in which the technology solution has a low level of integration and standardization within the enterprise. Typically, the exchange of data and use of services outside the business unit itself are minimal.

Division of labor How various tasks are grouped into specialties to enhance the depth and quality of work product.

Domain A logical piece of an organization’s technology infrastructure with similar risks and business requirements.

Dormant account An account that hasn’t been used for an extended period of time.

Due care A legal term that refers to effort made to avoid harm to another party. It essentially refers to the care that a person would reasonably be expected to exercise under particular circumstances.

E

Early adopter One who adopts a security policy early on as a type of pilot. Early adopters provide useful feedback to the IT team, and can serve as role models of good practice for other users within the organization.

Email policy A policy that discusses what’s acceptable when using the company email system.

Enterprise data management (EDM) The discipline of creating, integrating, securing, disseminating, and managing data across the enterprise. Larger organizations may have a dedicated EDM team.

Enterprise risk management (ERM) A framework that aligns strategic goals, operations effectiveness, reporting, and compliance objectives; not technology specific.

Entitlement A fine-grained granting of access to information resources, often facilitated through use of an application gateway. For example, an application can allow a user to approve a payment but limit the amount to less than $1000.

Escalation In the context of information security, refers to a process by which senior leaders through a chain of command are apprised of a risk. An escalation continues one level of organizational structure at a time until the issue is addressed or the escalation reaches the highest level of the organization.

Evangelists People with enthusiasm for a cause or project. Evangelists often gain acceptance for a project from a wide audience.

Evidence 1. Information that supports a conclusion. 2. Material presented to a regulator to show compliance.

Exception A deviation from a centrally supported and approved IT security standard. Exceptions can come about because of a lack of preparedness by the organization to comply with a standard or due to the use of a technology that has not been sanctioned by the standards.

Executive A senior business leader accountable for approving security policy implementation, driving the security message within an organization, and ensuring that policies are given appropriate priority.

Executive committee A committee that helps align the security committee to organization goals and objectives.

Executive management sponsorship Getting senior management to participate in training to improve the effectiveness of security policies.

External connection committee A gateway committee that approves external data connections.

F

File Transfer Protocol (FTP) A protocol used to exchange files over a local area network (LAN) or wide area network (WAN).

Financial risk Events that could potentially impact the business when it fails to provide adequate liquidity to meet its obligations.

Firecall-ID process Granting elevated rights temporarily to enable a person to resolve a problem quickly. Provides emergency access to unprivileged users.

Firewall A device that filters the traffic in and out of a local area network (LAN). Many firewalls can do deep packet inspection, in which they examine the content, as well as the type, of the traffic. A firewall can be used internally on the network to further protect segments. Firewalls are most commonly used to filter traffic between the public Internet and an internal private LAN.

Flat network A network with little or no controls that limit network traffic.

Flat organizational structure An organization with few layers separating the leaders from the bottom ranks of workers.

Full disclosure The concept that an individual should know what information about them is being collected. An individual should also be told how that information is being used.

G

Gateway committees Committees that review technology activity and provide approvals before the project or activity can proceed to the next stage.

General counsel The highest ranking lawyer in an organization, who usually reports to the president or chief executive officer. He or she is asked to give legal opinions on various organization issues, participate in contract negotiations, and act as a liaison with outside law firms retained by the organization.

Globalization The development of a world economy held together by advanced technology for communications, transportation, and finance.

Gold master A master image that is copied for deployment. Use of golden images saves time by eliminating the need for repetitive configuration changes and performance tweaks. It ensures that all systems imaged using a copy of the gold master are configured the same.

Governance The act of managing implementation and compliance with organizational policies.

Governance, risk management, and compliance (GRC) A set of tools that bring together the capabilities to systematically manage risk and policy compliance.

Granularity The level of detail a set of security policies goes into. The more granular a policy, the easier it is to enforce and to detect violations. But less granular policies may be more helpful in responding to new threats.

Group Policy An automated management tool used in Microsoft domains. Administrators can configure a setting one time in Group Policy and it will apply to multiple users and computers.

Guideline A parameter within which a policy, standard, or procedure is recommended when possible but is optional.

H

Harden To eliminate as many security risks as possible by reducing access rights to the minimum needed to perform any task, ensuring access is authenticated to unique individuals, removing all nonessential software, and other configuration steps that eliminate opportunities for unauthorized access.

Head of information management A role that deals with all aspects of information such as security, quality, definition, and availability; responsible for data quality.

Help desk management In the context of workstation central management systems, services that provide support to the end user. This includes allowing the help desk technician to remotely access the workstation to diagnose problems, reconfigure software, and reset IDs.

Hierarchical organizational structure An organization with multiple layers of reporting, which separates leaders from the bottom ranks of workers.

Highly sensitive classification A classification level used to protect highly regulated data or strategic information.

Honeypot A network security device that acts as a decoy to analyze hacker activity.

Human resources representative An individual who is an expert on HR policies and disciplinary proceedings or employee counseling.

I

Imaging A technology used to create baselines of systems. An image is captured from a source computer. This image can then be deployed to other systems. Images include the operating system, applications, configuration settings, and security settings.

Incident An event that violates an organization’s security policies.

Incident response team (IRT) A specialized group of people whose purpose is to respond to major incidents.

Information assurance The implementation of controls designed to ensure confidentiality, integrity, availability, and nonrepudiation.

Information security The act of protecting information or data from unauthorized use, access, disruption, or destruction.

Information security officer (ISO) See chief information security officer.

Information security program charter A capstone document that establishes the reporting lines and delegation of responsibilities for information security to management below the organization’s chief information officer (CIO) or other executive leader.

Information security representative In the context of an IRT, an individual who provides risk management and analytical skills. A representative may also have specialized forensic skills for collecting and analyzing evidence.

Information security risk assessment A formal process to identify threats, potential attacks, and impacts to an organization.

Information systems security (ISS) The act of protecting information systems or IT infrastructures from unauthorized use, access, disruption, or destruction.

Information systems security management life cycle The five-phase management process of controlling the planning, implementation, evaluation, and maintenance of information systems security.

Information systems security policies Collections of documents that outline the controls, actions, and processes to be performed by an organization to protect its information systems.

Information Technology Infrastructure Library (ITIL) A framework that contains a comprehensive list of concepts, practices, and processes for managing IT services.

Information technology subject matter expert An individual who has intimate knowledge of the systems and configurations of an organization. This individual is typically a developer, system administrator, or network administrator. He or she has the needed technical skills to make critical recommendations on how to stop an attack.

Insider An employee, consultant, contractor, or vendor. The insider may even be one of the IT technical people who designed the system, application, or security that is being hacked. The insider knows the organization and the applications.

Integrated audit An audit in which two or more audit disciplines are combined to conduct a single audit.

Integrity The act of ensuring that information has not been improperly changed.

Intellectual property (IP) Any product of human intellect that is unique and not obvious with some value in the marketplace.

Interactive Refers to system accounts (also known as service accounts) to which it is possible for someone to log on. System accounts, because of their high level of access, are attractive to hackers. Interactivity makes these accounts more vulnerable to hackers. Noninteractive system accounts are much more secure.

Internal classification A classification level for data that would cause disruption to daily operations and some financial loss to the business if leaked.

International Organization for Standardization (ISO) An organization that creates widely accepted international standards on information security and IT risks.

Internet filters Software that blocks access to specific sites on the Internet.

Intrusion detection system (IDS) A series of software agents, appliances, and servers that monitors for network activity that is deemed a threat, alerts administrators, and logs the information. IDSs operate by matching signatures of known possible network attack traffic or by building over time a baseline of normal behavior, and then alerting on traffic that is anomalous to that normal pattern of behavior.

Intrusion prevention system (IPS) A system that intercepts potentially hostile activity prior to it being processed.

Inventory management In the context of workstation central management systems, refers to tracking what workstation and related network devices exist. This usually takes place whenever a workstation connects to the local area network (LAN).

IRT coordinator The person who keeps track of all the activity of the IRT during an incident. He or she acts as the official scribe of the team. All activity flows through this person. The person records who’s doing what.

IRT manager The IRT manager is the team lead. This individual makes all the final calls on how to respond to an incident. He or she is the interface with management.

ISO/IEC 27000 series Information security standards published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC). ISO/IEC 27002, for example, provides best practice recommendations on information security management for those who are responsible for initiating, implementing, or maintaining an information security management system.

Issue-specific standard A standard that focuses on areas of current relevance and concern to an organization. Such standards are used to express security control requirements, typically for nontechnical processes, and are used to guide human behavior.

IT policy framework A logical structure that is established to organize policy documentation into groupings and categories that make it easier for employees to find and understand the contents of various policy documents. Policy frameworks can also be used to help in the planning and development of the policies for an organization.

L

Label A mark or comment placed inside the document itself indicating a level of protection.

LAN domain This domain refers to the organization’s local area network (LAN) infrastructure. A LAN allows two or more computers to be connected within a small area. The small area could be a home, office, or group of buildings.

LAN-to-WAN domain This domain refers to the technical infrastructure that connects the organization’s local area network (LAN) to a wide area network (WAN), such as the Internet. This allows end users to surf the Internet.

Law Any rule prescribed under the authority of a government entity. Establishes legal thresholds.

Layered security approach Having two or more layers of independent controls to reduce risk.

Least access privileges The principle of granting users only the systems access they need to accomplish their jobs. Typically this is done by customizing access to individuals. Compare with best fit access privileges, an approach that typically customizes access to a group or class of users.

Legal representative An individual who has an understanding of laws and regulatory compliance.

Lessons learned Knowledge gained from a particular experience, such as the implementation of a policy change. Lessons learned can be shared with others, turned into standard procedure, and applied to similar situations in the future.

Log management In the context of workstation central management systems, refers to extracting logs from the workstation—typically, moving the logs to a central repository. Later these logs are scanned to look for security weakness or patterns of problems.

Log server A separate platform used to collect logs from platforms throughout the network.

M

Mandatory declassification A process of reviewing specific records when requested and declassifying them if warranted.

Manual control A security control that does not stop behavior immediately and relies on human decisions.

Matrix relationships The complex relationships between multiple stakeholders in an organization.

Mitigating control A security control after the fact. It assumes the absence or breakdown of a primary control. A mitigating control addresses the security issue at hand, but may not achieve a policy’s full intent.

Multifactor authentication Authentication of users on a network by more than one factor, such as a combination of password and access code.

N

Nation-states Sovereign countries with their own national governments.

National Institute of Standards and Technology (NIST) An organization that creates security guidelines on security controls for federal information systems.

Need to know A principle that restricts information access to only those users with an approved and valid requirement.

NIST SP 800-53 A publication from the U.S. National Institute of Standards and Technology (NIST), titled “Recommended Security Controls for Federal Information Systems and Organizations.”

Nondisclosure agreement (NDA) Legally binding agreement on the handling and disclosure of company material. This is also known as a confidentiality agreement.

Nonrepudiation The concept of applying technology in such a way that an individual cannot deny or dispute they were part of a transaction.

O

Operating model An organized, planned approach for operations.

Operational deviation The difference between what policies and procedures state should be done and what is actually performed.

Operational risk An event that disrupts the daily activities of an organization.

Operational risk committee A committee that provides important information on the risk appetite of the organization and various businesses.

Opt-in The practice of agreeing to use of personal information beyond its original purpose. An example of opt-in is asking a consumer who just sold his or her home if the real-estate company can share the consumer’s information with a moving company.

Opt-out The practice of declining permission to use personal information beyond its original purpose. For example, a consumer who just sold his or her home may decline permission for the real estate company to share his or her information with a moving company.

Organizational culture The traditions, customs, patterns of behavior, values, and beliefs shared by members of an organization. Anyone seeking to introduce change into an organization, such as a new set of security policies, must know and take account of organizational culture.

Outdated technology Hardware or software that makes it difficult to implement best practices consistently.

P

Patch management Refers to making sure that devices on the network, such as workstations and servers, have current patches from the vendor. It’s particularly important to apply security patches in a timely way to address known vulnerabilities.

Payment Card Industry Data Security Standard (PCI DSS) A worldwide information security standard that describes how to protect credit card information. If you accept Visa, MasterCard, or American Express, you are required to follow PCI DSS.

Penetration test A test designed not just to identify, but also to actually exploit weaknesses in system architecture or the computing environment.

Personal privacy In e-commerce, broadly deals with how personal information is handled and what it is used for.

Personally identifiable information (PII) Sensitive information used to uniquely identify an individual in a way that could potentially be exploited.

Pervasive control A common control, such as the same ID and password, that is used across a significant population of systems, applications, and operations.

Phishing Use of any communication to attempt to get information from the target. Email is commonly used.

Policy A document that states how the organization is to perform and conduct business functions and transactions with a desired outcome.

Policy definitions document A glossary for an organization’s security policies, ideally clear and concise, often used by auditors and regulators when evaluating the soundness of an organization’s controls.

Policy framework A structure for organizing policies, standards, procedures, and guidelines.

Policy principles document A document that communicates general rules that cut across the entire organization. The principles focus on key risks or behaviors and express core values of the organization that often include the areas where there will be zero tolerance for transgression.

Pretexting When a hacker outlines a story in which the employee is asked to reveal information that weakens the security.

Preventive control An automated security control that stops a behavior immediately.

Privacy policy Places importance on privacy in the business and discusses the regulatory landscape and government mandates. This policy often talks about physical security and the importance of “locking up” sensitive information.

Privileged-level access agreement (PAA) Designed to heighten the awareness and accountability of those users with administrator rights.

Procedure A written statement describing the steps required to implement a process.

Project committee A gateway committee that approves project funding, phases, and base requirements.

Public classification A classification level for data that has no negative impact on the business if released to the public.

Public record Any record required by law to be made available to the public. These types of records are made or filed by a governmental entity.

Public relations representative In the context of an IRT team, it is an individual who can advise on how to communicate to the public and customers that might be impacted by the incident. This person is valuable in ensuring that accurate information gets out and damaging misconceptions are prevented.

Q

Quality assurance A kind of preventive, before-the-fact control within an organization that prevents mistakes from happening.

Quality control A kind of detective, after-the-fact control that affords an organization opportunities to learn from its mistakes.

R

Recovery point objectives (RPOs) The maximum acceptable levels of data loss after a disaster.

Recovery time objective (RTO) A measure of how quickly a business process should be recovered after a disaster. The RTO identifies the maximum allowed downtime for a given business process.

Reduction in force Laying off employees or downsizing to save money.

Regulations Established rules of what an organization has to do to meet legal requirements.

Remote Access domain This domain refers to the technology that controls how end users connect to the organization’s local area network (LAN). A typical example is someone needing to connect to the office from his or her home.

Remote authentication Enhanced authentication over what’s typically found in the office. Usually it requires more than an ID and password, such as a security token or smartcard.

Replicated operating model An operating model in which the technology solution shares services across the enterprise, but the level of data sharing is minimal.

Residual risk The risk that remains after all the controls have been applied.

Risk The likelihood or probability of an event and its impact.

Risk and control self-assessment (RCSA) A tool that allows an organization to understand its risks and their potential impact on the business. It is a formal exercise many organizations conduct annually.

Risk appetite Understanding risks and determining how much potential risk and related problems the business is willing to accept.

Risk assessment See information security risk assessment.

Risk culture The way an organization normally deals with risk; for instance, whether by following security policies consistently or not. The leaders of an organization are usually a strong influence on its risk culture.

Risk evaluation A domain in the ISACA Risk IT framework that calls for analyzing risk and determining impact on the business.

Risk exposure The level of damage and likelihood of a risk being realized.

Risk governance A domain in the ISACA Risk IT framework that ensures that risk management activity aligns with the business’s goals, objectives, and tolerances.

Risk response A domain in the ISACA Risk IT framework that specifies the ability to react so that risks are reduced and remedied in a cost-effective manner.

Risk tolerance The dominant view within an organization of how much risk is acceptable.

Roadshow In the information security context, a presentation before a large group on a topic such as a new security policy. A roadshow may involve gathering all employees of a company into a large auditorium, or simply showing up as a guest speaker at a department’s regular staff meeting.

Role-based access control (RBAC) A system of granting users access to a network on the basis of their role rather than their individual identity. An accounting firm may have a role of “accountant,” for instance, and all newly hired accountants may be assigned the same package of access privileges.

Router Connects local area networks (LANs) or a LAN and a wide area network (WAN).

S

Secret A level of government classification that refers to data, the unauthorized disclosure of which would reasonably be expected to cause serious damage to the national security.

Security awareness program Training about security policies, threats, and handling of digital assets.

Security baseline Defines a set of basic configurations to achieve defined security objectives. These defined security objectives are typically represented by security policies and a well-defined security framework.

Security committee A committee that acts as a steering committee for the information security program.

Security compliance committee A gateway committee that approves uses of specific controls for compliance.

Security content automation protocol (SCAP) A group of specifications that standardize how security software products measure, evaluate, and report compliance. NIST created SCAP, and several private companies created SCAP-compliant tools.

Security control mapping When related to compliance, it’s the mapping of regulatory requirements to policies and controls.

Security event Any undesirable event that occurs outside the normal daily security operations. Typically, a security event relates to a breakdown in controls as defined by the security policies.

Security management Refers to managing security in an organization, usually IT security. This can include making sure end users have limited rights and access controls are in place, among many other techniques and processes.

Security personnel Individuals responsible for designing and implementing a security program within an organization.

Security policies A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements.

Security policy compliance Adherence to the organization’s set of rules with regard to security policies.

Security token A hardware device or software code that generates a token (usually represented as a series of numbers) at logon. A security token is extremely difficult, and some say impossible, to replicate. When assigned to an individual as part of his or her required logon, it provides assurance of who is accessing the network.

Segmented network A network that limits how computers are able to talk to each other.

Segregation of duties (SOD) Another term for separation of duties.

Sensitive but unclassified A level of government classification that refers to data that is confidential and not subject to release under the Freedom of Information Act.

Sensitive classification A classification level for data that would mean significant financial loss if leaked.

Separation of duties (SOD) A requirement that high-risk tasks be divided so that it takes more than one person to perform them. The idea is to prevent employees from concealing errors or fraud in the normal course of their duties.

Service level agreement (SLA) The portion of a service contract that formally defines the level of service. These agreements are typical in telecommunications contracts for voice and data transmission circuits.

Shareholder A person who buys stock in a company (investor).

Simple Network Management Protocol (SNMP) A protocol used to query and manage network devices. SNMP v1 had known vulnerabilities such as transmitting the community name in clear text. SNMP v2 and v3 improved security and performance of SNMP.

Sniffer A network device that can read communications traffic on a local area network (LAN).

Social engineering Manipulating or tricking a person into weakening the security of an organization.

Span of control Relates to the number of areas of control achieved through the number of direct reports found in an organization.

Spear phishing Phishing that is targeted at a small group.

Standard An established and proven norm or method. This can be a procedural standard or a technical standard implemented organization-wide.

Stateful firewall A firewall that watches all the traffic for a given connection. It inspects packets containing data, looking for patterns and sequences that don’t make sense. This is useful to block packets from someone pretending to be someone else in an attempt to hijack your session.

Stateless firewall A firewall that restricts and blocks traffic based on source and destination addresses or other static values. It looks at each data packet independently.

Statement on Standards for Attestation Engagements No. 16 (SSAE16) A standard created by the American Institute of Certified Public Accountants for auditing an organization’s control environment, including information security controls.

Strategic risk An event that may change how the entire organization operates.

Structured Query Language (SQL) A standardized language used to access a database.

Structured Query Language (SQL) injection A type of attack in which the hacker adds SQL code to a Web or application input box to gain access to or alter data in the database.

Switch A piece of equipment that is similar to a hub but can filter traffic. You can set up rules that control what traffic can flow where. Unlike hubs, which duplicate the traffic to all ports, a switch typically routes traffic only to the port where the system is connected. This reduces network traffic, thus reducing the chance of someone intercepting the traffic.

System access policy Rules of conduct on how and when access to systems is permitted. This policy covers end user credentials like IDs and passwords. The policy may also be specific to the business or application, such as the use of role-based access control (RBAC).

System software Software that supports the running of the applications.

System/Application domain This domain refers to the technology needed to collect, process, and store the information. It includes controls related to hardware and software.

Systematic declassification A process of reviewing records exempted from automatic declassification and then removing the data from classification.

Systems administrators IT staff who provide administrative support to the systems and databases.

System-specific standard A standard that focuses on specific technology or systems being used within an organization. These are used to express the security control implementation requirements for some specific technology.

T

Target state A term used in technology to describe a desired future state of information security, including policy goals and objectives and the tools, processes, and resources needed to achieve them.

Taxonomy The practice and science of classification. A hierarchical taxonomy is a tree structure of classifications for a given set of objects or documents.

Threat A human or natural event that could impact the system.

Threat vector A general information security term to describe a tool or path by which a hacker can gain unauthorized access.

Tone at the top The message from an organization’s leadership on a given subject. When senior executives voice support for a policy, they are said to be setting the tone at the top.

Top Secret A level of government classification that refers to data, the unauthorized disclosure of which would reasonably be expected to cause grave damage to the national security.

Town hall meeting A gathering of teams to make announcements and discuss topics.

Trouble ticket A complete record, kept in order to resolve a problem, of what access was granted and the business reason behind it.

Two-factor authentication Requires end users to authenticate their identity using at least two of three different types of credentials. The three most commonly accepted types of credentials are something you know, something you have, and something you are.

U

Unclassified A level of government classification that refers to data available to the public.

Unified operating model An operating model in which the technology solution both shares data and has standardized services across the enterprise.

User domain This domain refers to any user accessing information. This includes customers, employees, consultants, contractors, or any other third party. These users are often referred to as end users.

User proxy An application firewall that is used to control the flow of traffic to and from the Internet to user workstations attached to a local area network (LAN). The proxy intercepts the user’s request for an Internet resource, initiates a new connection, and proxies the result back to the requestor.

V

Value delivery Focusing resources to deliver the greatest benefits.

Vendor governance committee A gateway committee that approves new vendors and has oversight of existing vendors. This includes making sure new vendors meet minimum security policy requirements such as having a formal contract in place and adequate proof of security controls.

Virtual private network (VPN) A VPN is set up between two devices to create an encrypted tunnel. All communications are protected from eavesdropping and considered highly secure.

Vulnerability A weakness in a system that can be exploited.

Vulnerability window The time during which a vulnerability can be exploited (i.e., before it is patched).

W

WAN domain This domain includes wide area networks (WANs), which are networks that cover large geographical areas. The Internet is an example of a WAN. A private WAN can be built for a specific company to link offices across the country or globally.

Web graffiti Alterations to a webpage that result from a website defacement attack. Website graffiti can contain abusive language or even pornographic images.

Web services Automated information services over the Internet using standardized technologies and formats/protocols that simplify the exchange and integration of data. Web services help organizations to interoperate regardless of the types of operating systems, programming languages, and databases being used.

Web-Based Enterprise Management (WBEM) A set of standards and technologies used to query and manage systems and applications in a network. It is used on the Internet and internal networks. WBEM capabilities are built into GUI-based applications and command line applications.

Website defacement An attack on a website in which the site’s content is altered, usually in a way that embarrasses the website owner.

Whaling Phishing targeted at a single high value victim.

Workstation domain This domain refers to any computing device used by end users. This usually means a desktop or laptop that is the main computer for the end user.
