Access Control
Access control refers to security mechanisms that determine who or what can view or use resources. These controls ensure that only authorized individuals or systems can access specific data, with...
A comprehensive glossary of cybersecurity and compliance terms, covering encryption, access control, cloud security, and regulatory frameworks. Use this resource to understand the language behind modern data protection and compliance requirements.
Adaptive Multi-Factor Authentication (MFA) is an intelligent security mechanism that dynamically adjusts authentication requirements based on real-time contextual factors, such as user behavior, device type, location, and risk level. Unlike...
Advanced Encryption Standard (AES) is a widely used symmetric encryption algorithm that secures digital data by converting it into unreadable ciphertext using a secret key. AES is fast, highly secure,...
An Advanced Persistent Threat (APT) is a highly sophisticated and stealthy cyberattack in which an adversary attempts to infiltrate a network and maintains undetected access over time. While these attacks...
Asymmetric Key Encryption, also known as public-key cryptography, is a method of securing data using two distinct but mathematically linked keys: a public key for encryption and a private key...
At-rest encryption protects stored data from unauthorized access, ensuring confidentiality and security even if physical storage devices are lost, stolen, or compromised. It is essential for safeguarding sensitive information, meeting...
Attribute-Based Access Control (ABAC) enhances security by allowing dynamic and context-aware access control. It reduces the risks of unauthorized access and insider threats by enforcing policies based on multiple attributes...
An Audit Trail (or Audit Log) is a detailed, chronological record of events, actions, and system activities created by IT systems, applications, or network devices. These logs capture a comprehensive...
The process of authentication involves verifying the identity of a user, system, or device before granting access to a network, application, or data. It ensures that only authorized users and...
Breach and Attack Simulation (BAS) is a cybersecurity practice that uses automated tools to mimic the techniques of real-world attackers safely. Instead of waiting for a cyber incident or relying...
Bring Your Own Key (BYOK) is a cloud security model that allows organizations to generate, own, and manage their own encryption keys while storing data in third-party or cloud services....
A Brute Force Attack (BFA) is a hacking method where attackers systematically try every possible combination of passwords or encryption keys until they gain access to a system. This approach...
The Bureau of Industry and Security (BIS) is a U.S. government agency within the U.S. Department of Commerce responsible for administering and enforcing export controls, sanctions, and technology...
Business Email Compromise (BEC) is a type of cyberattack where attackers attempt to deceive organizations by impersonating a trusted individual via email. They may do this by either compromising a...
The California Consumer Privacy Act (CCPA) is a privacy law that grants California residents rights over their personal data. Consumers can request access to the information businesses collect, request corrections,...
A Cloud Access Security Broker (CASB) is a security solution that acts as an intermediary between users and cloud services, ensuring that an organization’s security policies are enforced when...
Context-Aware Access Controls work by dynamically granting or restricting access to systems and data based on contextual signals such as user identity, device, location, time, and risk level. Unlike static...
Controlled Unclassified Information (CUI) refers to sensitive data that, while not classified, requires specific handling, safeguarding, or dissemination controls. CUI typically applies to information that is generated or possessed by...
The Criminal Justice Information Services (CJIS) is a division of the Federal Bureau of Investigation (FBI) that provides centralized criminal justice data and intelligence to law enforcement, national security agencies,...
The Cyber Assessment Framework (CAF) is a structured approach used to evaluate and enhance an organization’s cybersecurity posture. Developed by regulatory bodies such as the UK’s National Cyber...
Cyber Essentials Plus (CE+) is the advanced tier of the UK government-backed cybersecurity certification scheme. While the standard Cyber Essentials is a self-assessment, CE+ requires a hands-on technical audit by...
The Cyber Governance Code of Practice (The Code) is a UK government-backed guide introduced in 2025 by the Department for Science, Innovation and Technology (DSIT) and supported by the National...
The Cybersecurity Maturity Model Certification (CMMC) is a unified security framework designed by the U.S. Department of Defense to protect the Defense Industrial Base (DIB) from increasingly sophisticated cyber...
Data Access Governance (DAG) is a strategic framework of policies and technologies used to manage, monitor, and secure access to an organization's unstructured and semi-structured data. While traditional...
Data Anonymization is the process of irreversibly removing or altering personal or sensitive information so individuals cannot be identified, directly or indirectly, from the data. Once anonymized, the data can...
A data breach occurs when sensitive, confidential, or protected information is accessed, stolen, or exposed without authorization. It can have devastating consequences, including financial loss, reputational damage, regulatory penalties, and...
Data classification refers to the process of organizing data into categories based on its sensitivity, importance, and intended use. It helps businesses manage and protect their information, making sure that...
Data compartmentalization is the practice of dividing information into separate “buckets” or “zones,” so that each segment is accessible only by those who truly need it. Instead of keeping all...
A data leak occurs when sensitive or confidential information is either accidentally or unintentionally exposed. This could be due to human error, poor security practices, or system vulnerabilities. Unlike a...
Effective Data Lifecycle Management (DLM) is crucial for maintaining security, compliance, and efficiency within an organization. When data is managed properly at every stage, businesses can reduce security risks, prevent...
Data lineage refers to the process of tracking the flow of data throughout its lifecycle, from its origin to its final destination. It provides a visual map of how data...
Data Loss Prevention (DLP) refers to the strategies, policies, and technologies used to prevent sensitive data from being lost, accessed, or shared by unauthorized individuals. It helps organizations protect confidential...
A Data Protection Authority (DPA) is an independent public authority that is responsible for overseeing the enforcement of data protection laws and ensuring that individuals' personal data is handled...
Data residency refers to the physical or geographical location where an organization’s data is stored, processed, and managed. It is a critical aspect of data governance that businesses must...
The Data Security Maturity Model (DSMM) is a framework designed to help organizations develop a data-centric approach to safeguarding their sensitive information. In contrast to traditional security models that concentrate...
Data Security Posture Management (DSPM) is a strategy and set of tools that helps businesses continuously assess, monitor, and improve their data security practices. It involves identifying vulnerabilities, assessing risk,...
Data Sprawl is the uncontrolled proliferation of an organization’s information across a vast array of silos, including multi-cloud environments, SaaS applications, on-premises servers, and shadow IT. As organizations move...
A data store is a centralized location where digital data is collected, stored, managed, and retrieved. It can take various forms, such as databases, cloud storage, data warehouses, or file...
The Data (Use and Access) Act 2025 is a major update to UK data protection law designed to make data sharing safer, simpler, and more innovative. Rather than scrapping existing...
Data-Centric Security (DCS) is a strategic shift in cybersecurity that prioritizes the protection of the data itself over the security of the network, servers, or applications. While traditional security focuses...
Decryption is the cryptographic process of converting scrambled, unreadable data (Ciphertext) back into its original, usable format (Plaintext). It is the essential "unlocking" phase of the data protection...
The Defence Cyber Certification (DCC) is a cybersecurity scheme developed to raise the standards for digital protection across the UK defence supply chain. Introduced by the Ministry of Defence (MOD)...
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that governs how the Department of Defense (DoD) works with contractors and subcontractors to ensure compliance with strict...
The Defense Industrial Base (DIB) is a network of companies in the private sector that develop, manufacture, and supply products and services for the U.S. Department of Defense (DoD)...
Introduced in January 2025, the Digital Operational Resilience Act (DORA) is an EU regulation designed to help financial organizations better withstand, respond to, and bounce back from digital disruptions and...
Digital Rights Management (DRM) refers to technologies and policies designed to protect digital content from unauthorized access, copying, and distribution. It is commonly used across industries such as media, publishing,...
Disk Encryption (often referred to as Full Disk Encryption or FDE) is a security technology that protects data by encrypting every bit of data on a physical drive. By converting...
End-to-End Encryption (E2EE) is a method of data transmission where the data is encrypted on the sender’s side and can only be decrypted by the intended recipient. This means...
Enterprise Access Control (EAC) is the centralized management of permissions and security policies across an entire organization’s digital and physical infrastructure. Unlike standard access control, which is often managed...
The European Union's Artificial Intelligence Act (AI Act) is a regulatory framework designed to oversee the development and deployment of artificial intelligence within EU member states. The Act,...
Exfiltration is the unauthorized theft or transfer of data from a secure system to an external location. Cybercriminals, insider threats, or advanced persistent threats (APTs) use various methods to exfiltrate...
Export Administration Regulations (EAR) govern the export and re-export of dual-use items, goods, technology, and software that have both civilian and military applications. Managed by the U.S. Department of...
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. It applies to all educational institutions that receive...
Federal Contract Information (FCI) refers to information provided by or generated for the U.S. government under a federal contract that is not intended for public release. This data typically...
FIPS 140-2 is a U.S. government standard created by NIST to set the benchmark for how cryptographic systems should be designed and tested to protect sensitive data. In simple...
FIPS 140-3 builds upon the foundation of FIPS 140-2, updating it for today’s digital world. It aligns with international standards (ISO/IEC 19790:2012) and introduces stricter requirements for...
The Federal Information Security Management Act (FISMA) is a U.S. federal law that establishes guidelines and security standards for protecting government information and systems. It requires federal agencies and...
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government initiative that standardizes security assessments, authorizations, and monitoring for cloud services used by federal agencies. Established in...
File Integrity Monitoring (FIM) detects and alerts on unauthorized or unexpected changes to files, systems, and configuration data. FIM works by establishing a trusted baseline of files and monitoring for...
File-Centric Security (FCS) is a data-first model that embeds encryption and access policies directly into individual digital objects. By making files "Self-Defending," FCS ensures that protection travels with...
The Financial Industry Regulatory Authority (FINRA) is a non-governmental organization responsible for overseeing broker-dealers, investment firms, and financial professionals in the United States. Its primary goal is to protect investors...
The FTC Safeguards Rule is a set of mandatory security requirements under the Gramm-Leach-Bliley Act (GLBA) designed to protect consumer financial information. Following significant updates in 2021 and 2023, the...
General Data Protection Regulation (GDPR) is an EU data privacy law designed to protect individuals' personal information and give them greater control over how their data is collected, stored,...
Ghost data refers to residual, forgotten, or improperly deleted data that remains in a system, database, or cloud environment even after users believe it has been removed. This can occur...
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that mandates financial institutions to protect sensitive customer information. The Act requires companies to establish security measures to safeguard personal...
The HITECH Act was enacted in 2009 to strengthen HIPAA regulations and promote the adoption of electronic health records (EHRs) in the healthcare industry. It introduced stricter data security and...
HITRUST (Health Information Trust Alliance) is a widely recognized framework designed to help organizations manage risk and demonstrate compliance with various security and privacy regulations, particularly in the healthcare industry....
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law designed to protect sensitive patient health information from unauthorized access, breaches, and misuse. HIPAA enforces strict...
Homomorphic encryption is an advanced cryptographic technique that allows data to be processed and analyzed while remaining encrypted. Unlike traditional encryption, which requires decryption before computations can be performed, homomorphic...
In-transit encryption is the protection of data as it’s moving from one location to another. For example, when information is being sent between devices, across a network, or to...
Incident Response is a structured approach organizations take to detect, contain, and recover from cybersecurity incidents such as data breaches, ransomware attacks, or insider threats. A well-defined incident response plan...
Information Rights Management (IRM) is a set of technologies and policies used to protect and control access to sensitive digital information. IRM allows organizations to define who can access, edit,...
An Information Security Policy (ISP) is a comprehensive set of rules, directives, and localized practices that dictate how an organization manages, protects, and distributes its information assets. It serves as...
Insider Risk Management (IRM) is a set of strategies, practices, and tools that organizations use to detect, manage, and mitigate potential threats posed by individuals within the company who have...
Insider Threat refers to the risk posed by individuals within an organization, such as employees, contractors, or business partners, who intentionally or unintentionally misuse their access to sensitive information or...
Integrated Risk Management (IRM) is a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision-making and performance through an integrated view of how...
International Traffic in Arms Regulations (ITAR) refers to a set of U.S. government regulations that control the export, import, and transfer of defense and military-related technology and services. Managed...
ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It is designed to help organizations manage...
Malware, which is short for malicious software, refers to any software specifically designed to cause harm to a computer system, network, or device. It is used by cybercriminals to infiltrate...
A Man-in-the-Middle (MitM) Attack is a type of cyberattack where a malicious actor intercepts and potentially alters communications between two parties, typically without their knowledge. This attacker sits "in...
Masked Data refers to the process of obscuring or replacing sensitive information in a database or system with fictitious or scrambled values, making it unreadable to unauthorized users while maintaining...
Metadata is data that provides information about other data, helping to describe, organize, and manage digital content more effectively. It acts as a label or context for data, making it...
Misplaced Data is information that has been unintentionally stored in the wrong location, making it difficult to access, track, or secure. This can occur due to human error, poor data...
Multifactor Authentication (MFA) is a security mechanism that requires users to verify their identity using multiple forms of authentication before gaining access to a system, application, or network. Instead of...
The National Institute of Standards and Technology (NIST) is a U.S. government agency responsible for developing technology, standards, and best practices to enhance cybersecurity, innovation, and economic competitiveness. NIST...
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) is a set of cybersecurity requirements designed to protect financial institutions and consumers from cyber threats. It...
The NHS Data Security & Protection (DSP) Toolkit is an online self-assessment tool used by organizations handling NHS patient data to ensure compliance with UK data protection laws and cybersecurity...
Non-Human Identities (NHIs) are digital credentials assigned to automated systems, applications, bots, APIs, and service accounts. Unlike human identities, which are tied to individual users and protected by Multi-Factor Authentication...
Nonpublic Personal Information (NPI) is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service. Unlike...
On-the-Fly Encryption (OTFE) is a way of keeping data secure without getting in the way of how people work. It automatically encrypts files as they’re saved and decrypts them...
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect credit card transactions and consumer payment data from fraud and breaches. It...
Per-File Encryption protects each file independently, making it more secure even if other parts of a system are compromised. Each file is encrypted with a unique encryption key, which must be...
Personally Identifiable Information (PII) is any data that can be used to identify a specific individual, including direct identifiers, such as names, social security numbers, and biometric data. As well...
Phishing is a method that cyber attackers use to impersonate trusted entities such as banks, employers, or government agencies. The goal is to trick individuals into revealing sensitive information like...
Principle of Least Privilege (PoLP) helps to ensure that users, systems, and applications are granted only the minimum level of access required to perform their specific tasks, and no more....
Protected Health Information (PHI) refers to any health-related data that can be linked to an individual and is safeguarded under regulations like the Health Insurance Portability and Accountability Act (HIPAA)...
Public Key Infrastructure (PKI) is a framework of policies, technologies, and procedures used to manage encryption keys and digital certificates for securing online communications and data exchanges. PKI enables organizations...
Ransomware is a type of malicious software (malware) that encrypts a victim’s data or locks them out of their system, demanding a ransom payment to restore access. Cybercriminals often...
Role-Based Access Control (RBAC) is a security framework that restricts system access based on user roles and permissions within an organization. Instead of granting broad access, RBAC ensures that individuals...
Safe Harbor is a legal framework or agreement that protects against liability when specific conditions are met. In data privacy and cybersecurity, Safe Harbor principles have historically been used to...
Enacted in 2002, the Sarbanes-Oxley Act (SOX) is a U.S. federal law designed to protect investors by improving the accuracy and reliability of corporate disclosures and ensuring the integrity...
Security Information and Event Management (SIEM) collects, analyzes, and correlates security-related data from across an organization's IT infrastructure in real time. It combines log management and security event...
Security Orchestration, Automation, and Response (SOAR) platforms integrate multiple security tools, automate repetitive tasks, and guide incident response through predefined workflows, known as playbooks. SOAR enables...
Shadow AI is the unauthorized or unregulated use of artificial intelligence tools and models within an organization, often outside the oversight of IT and security teams. Just like Shadow IT,...
Shadow Data is any sensitive information that lives outside the visibility and control of the IT and security teams. Unlike shadow IT, which refers to unauthorized applications, Shadow Data refers...
Shadow IT is the use of unauthorized applications, devices, or software within an organization’s IT infrastructure, typically by employees or departments without the knowledge or approval of the IT...
Shadow SaaS is the use of unauthorized or unsanctioned cloud-based applications by employees without IT approval. These tools are typically used to meet specific work needs but pose risks to...
Smishing is a type of phishing attack that specifically targets mobile phone users through SMS (text messages). In a smishing attack, cybercriminals send fraudulent messages that appear to come from...
Spear Phishing is a highly targeted form of phishing attack where cybercriminals send deceptive emails or messages to specific individuals or organizations with the intent of stealing sensitive information, such...
Spoofing is a type of cyberattack where an attacker impersonates a legitimate entity, device, or user to deceive others and gain unauthorized access to sensitive information or systems. This technique...
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to secure internet communications by encrypting data between users and servers. TLS is the modern, more secure...
Stale Data is information that is no longer actively used, updated, or relevant to an organization’s current operations but remains stored within its databases, file shares, or cloud environments....
A Supply Chain Attack is a cyberattack that targets vulnerabilities within an organization's supply chain, including software providers, third-party vendors, or service partners. Instead of directly breaching the...
Symmetric Key Encryption is a cryptographic method where the same key is used for both encryption and decryption of data. It is a fast and efficient technique commonly used for...
Third-Party Risk Management (TPRM) refers to the process of identifying, assessing, and mitigating risks associated with external vendors, suppliers, and service providers. As businesses increasingly rely on third parties for...
Tokenized data is produced by a security method that replaces sensitive information with a unique, non-sensitive placeholder called a token. This process ensures that the original data is stored securely while the...
Two-Factor Authentication (2FA) is a security process that requires users to verify their identity using two different authentication factors before accessing an account or system. These factors typically tend to...
User and Entity Behavior Analytics (UEBA) is a cybersecurity approach that leverages machine learning and advanced analytics to detect anomalous behavior in users and systems. Instead of relying on predefined...
Vishing, also known as voice phishing, is a social engineering attack where cybercriminals use phone calls or voice messages to deceive individuals into sharing sensitive information, such as login credentials,...
A cybersecurity vulnerability is a weakness or flaw in a system, software, or network that can be exploited by cybercriminals to gain unauthorized access, disrupt operations, or steal sensitive data....
Zero Friction refers to security and access experiences designed to minimize user disruption while maintaining strong protection. It aims to reduce unnecessary prompts, manual steps, and delays by using intelligent...
Zero Trust is a cybersecurity framework that eliminates implicit trust within an organization’s network. Instead of assuming that users or devices inside the network are safe, Zero Trust requires...