45 key terms used across cybersecurity compliance frameworks.
Access Control: Security measures that regulate who or what can view or use resources in a computing environment. Access controls include authentication (verifying identity), authorization (granting permissions), and accounting (tracking access).
Audit Trail: A chronological record of system activities that provides documentary evidence of the sequence of events. Audit trails are used to detect security violations, performance problems, and application flaws. To serve as evidence, audit records need synchronized timestamps and must be protected from modification or deletion by the users whose actions they record.
Authentication: The process of verifying the identity of a user, device, or system. Common methods include passwords, multi-factor authentication (MFA), biometrics, and digital certificates.
Authorization: The process of determining whether an authenticated user has permission to access a specific resource or perform a specific action. Typically implemented through role-based access control (RBAC) or attribute-based access control (ABAC); a sound implementation denies by default, so a request that no rule explicitly permits is refused.
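The access-control and authorization entries above describe three things that are easiest to see together in code: a role grants a permission (RBAC), attribute predicates further restrict it (ABAC), and every decision is recorded (accounting). The block below is an added example written for this glossary; it is not ControlMap's code or any framework's reference implementation, and the roles, attribute names and rules are hypothetical.

```python
"""Constructed example of an authorization decision point that combines
RBAC (a role grants a permission) with ABAC (attribute predicates over the
subject, the resource and the request environment), denies by default, and
writes an accounting record for every decision. All names are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# RBAC layer: each role grants a static set of "resource:action" permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "reader": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "report:delete", "user:manage"},
}

@dataclass
class Subject:
    name: str
    roles: Set[str]
    attrs: dict = field(default_factory=dict)   # e.g. department, clearance, mfa

@dataclass
class Resource:
    kind: str
    attrs: dict = field(default_factory=dict)   # e.g. owner_department, classification

# ABAC layer: predicates that must ALL hold for a permission, on top of RBAC.
Predicate = Callable[[Subject, Resource, dict], bool]
ABAC_RULES: Dict[str, List[Predicate]] = {
    "report:read": [
        # restricted reports need an explicit clearance attribute, whatever the role
        lambda s, r, env: r.attrs.get("classification") != "restricted"
        or s.attrs.get("clearance") == "restricted",
    ],
    "report:export": [
        lambda s, r, env: s.attrs.get("department") == r.attrs.get("owner_department"),
        lambda s, r, env: s.attrs.get("mfa") is True,   # step-up auth before data leaves the app
    ],
    "report:delete": [
        lambda s, r, env: bool(env.get("change_ticket")),   # environment attribute
    ],
}

AUDIT_LOG: List[dict] = []   # accounting: one record per decision, allow or deny

def authorize(subject: Subject, resource: Resource, action: str,
              env: Optional[dict] = None) -> bool:
    """ALLOW only when some role grants the permission AND every ABAC rule
    for it passes; any other path is DENY (deny by default)."""
    env = env or {}
    perm = f"{resource.kind}:{action}"
    role_ok = any(perm in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)
    attrs_ok = all(rule(subject, resource, env) for rule in ABAC_RULES.get(perm, []))
    decision = role_ok and attrs_ok
    AUDIT_LOG.append({
        "subject": subject.name,
        "permission": perm,
        "resource": resource.attrs.get("id"),
        "decision": "ALLOW" if decision else "DENY",
        "reason": "ok" if decision else ("no-role" if not role_ok else "attribute-rule"),
    })
    return decision

if __name__ == "__main__":
    alice = Subject("alice", {"analyst"}, {"department": "finance", "mfa": True})
    q3 = Resource("report", {"id": "q3", "owner_department": "finance", "classification": "internal"})
    print(authorize(alice, q3, "export"), AUDIT_LOG[-1])
```

The audit record is written on the deny path as well as the allow path; a log that only shows successful access cannot support an investigation into what an attacker tried and was refused.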
Business Continuity: The capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Business continuity planning (BCP) identifies threats and establishes procedures to ensure resilience.
CIA Triad: The three core principles of information security: Confidentiality (preventing unauthorized disclosure), Integrity (preventing unauthorized modification), and Availability (ensuring authorized access when needed).
Compensating Control: An alternative security measure employed when a primary control cannot be implemented. Compensating controls must meet the intent of the original requirement, provide a similar level of defense, and be documented.
Compliance: The state of being in accordance with established guidelines, specifications, or legislation. In cybersecurity, compliance typically refers to meeting the requirements of regulatory frameworks like HIPAA, PCI DSS, or GDPR.
Control: A safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of information systems and data. Controls can be technical (firewalls, encryption), administrative (policies, training), or physical (locks, badges).
Control Framework: A structured set of controls organized into categories that provides guidance for building and evaluating a cybersecurity program. Examples include NIST CSF, ISO 27001, and CIS Controls.
Covered Entity: Under HIPAA, an organization that must comply with the Privacy and Security Rules: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
CUI: Controlled Unclassified Information — government-created or -owned information that requires safeguarding but is not classified. Protection requirements for CUI on non-federal systems are defined in NIST SP 800-171; for Department of Defense contractors, compliance is assessed under CMMC.
Data Breach: An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized party. Breach notification requirements vary by regulation: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach; HIPAA requires notification without unreasonable delay and no later than 60 days after discovery.
Data Classification: The process of organizing data into categories based on its sensitivity level and the impact of unauthorized disclosure. Common levels include Public, Internal, Confidential, and Restricted.
Data Controller: Under GDPR, the entity that determines the purposes and means of processing personal data. The controller bears primary responsibility for compliance with data protection principles.
Data Processor: Under GDPR, an entity that processes personal data on behalf of a data controller. Processors must follow the controller's instructions and implement appropriate security measures.
Data Protection Impact Assessment (DPIA): A process required under GDPR Article 35 to identify and minimize the data protection risks of a project or system that is likely to result in high risk to individuals' rights and freedoms.
Defense in Depth: A security strategy that employs multiple layers of controls throughout an IT system. If one layer fails, additional layers continue to provide protection. Also known as layered security.
DLP: Data Loss Prevention — technologies and policies that detect and prevent unauthorized transmission of sensitive data outside the organization. DLP solutions monitor email, web, endpoints, and cloud services.
EDR: Endpoint Detection and Response — security solutions deployed on endpoints that continuously monitor for and respond to cyber threats. EDR provides behavioral analysis, threat hunting, and forensic capabilities beyond traditional antivirus.
Encryption: The process of converting data into a coded form (ciphertext) that cannot be read without the corresponding key. Data should be encrypted at rest (stored), in transit (moving across networks), and increasingly in use. Encryption is only as strong as its key management: keys must be generated, stored, and rotated separately from the data they protect.
ePHI: Electronic Protected Health Information — individually identifiable health information that is created, stored, transmitted, or received electronically. The HIPAA Security Rule specifically addresses ePHI protection.
FedRAMP: Federal Risk and Authorization Management Program — a U.S. government program that provides standardized security assessment and authorization for cloud products and services used by federal agencies. Based on NIST SP 800-53 controls.
FISMA: Federal Information Security Modernization Act — U.S. legislation requiring federal agencies to develop, document, and implement information security programs. FISMA compliance is measured against NIST SP 800-53 controls.
Framework: A structured approach to managing cybersecurity risk. Frameworks provide a common language, systematic methodology, and set of best practices. They may be mandated by law or contract (HIPAA, PCI DSS), voluntary (NIST CSF, CIS Controls), or certifiable (ISO 27001, CMMC).
Gap Analysis: A comparison of an organization's current security posture against the requirements of a specific framework to identify areas where controls are missing or insufficient. ControlMap automates cross-framework gap analysis.
Governance: The system of policies, processes, and organizational structures that ensure cybersecurity activities align with business objectives and regulatory requirements. Governance establishes accountability, defines roles, and sets strategic direction.
IDS/IPS: Intrusion Detection System / Intrusion Prevention System — network security tools that monitor traffic for suspicious activity. IDS detects and alerts; IPS detects and blocks. May be network-based (NIDS/NIPS) or host-based (HIDS/HIPS). Because an IPS sits inline, a false positive blocks legitimate traffic, so its rules need tighter tuning than a passive IDS.
Incident Response: The organized approach to detecting, containing, eradicating, and recovering from cybersecurity incidents. An incident response plan defines roles, procedures, communication protocols, and escalation paths.
ISMS: Information Security Management System — a systematic approach to managing sensitive information so that it remains secure. ISO 27001 certification requires implementing and maintaining an ISMS.
Least Privilege: The principle that users, systems, and processes should be granted only the minimum access permissions needed to perform their authorized functions. Reduces attack surface and limits the blast radius of compromised accounts. Permissions accumulate over time, so they must be reviewed and revoked periodically, not just granted carefully.
MFA: Multi-Factor Authentication — requiring two or more verification factors (something you know, have, or are) to gain access. Phishing-resistant MFA methods like FIDO2 security keys and passkeys, which bind the credential to the site's origin, are preferred over SMS-based codes and other one-time passwords that a user can be tricked into relaying to an attacker.
MITRE ATT&CK: A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Used by security teams to improve detection, threat hunting, and red team exercises.
Patch Management: The process of identifying, testing, and deploying software updates to fix security vulnerabilities. Effective patch management requires accurate asset inventories, risk-based prioritization, and defined SLAs for remediation timelines.
Penetration Testing: An authorized simulated attack on a system to evaluate its security. Pen tests identify vulnerabilities that could be exploited by attackers and validate that existing controls are effective.
Personal Data: Under GDPR, any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, location data, and online identifiers.
Risk Assessment: A systematic process of identifying threats and vulnerabilities, analyzing their likelihood and potential impact, and determining appropriate mitigations. Risk assessments should be performed regularly and whenever significant changes occur.
Risk Register: A documented inventory of identified risks including their likelihood, impact, current controls, risk owner, and treatment plan. The risk register is a living document that supports ongoing risk management.
SIEM: Security Information and Event Management — a platform that aggregates and correlates log data from across the IT environment to provide centralized visibility, threat detection, and compliance reporting. Its value comes from normalizing records from different sources into one schema and then correlating across sources and time; a signal that no single log crosses a threshold on its own can be obvious once the sources are joined.
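To make "aggregates and correlates" concrete, the block below is an added example for this glossary (not ControlMap's code and not any SIEM product's rule language). It normalizes constructed sshd and nginx login records into one event schema and runs a single correlation rule over them: five or more failed logins from one source IP within a sliding window, counted across both sources, followed by a success from that IP. The log lines are made up, the host names and IPs are documentation addresses, and the year for the syslog lines is an assumption passed in by the caller.

```python
"""Constructed example of what a SIEM does with raw logs: normalize records
from different sources into one event schema, then correlate across sources
and time. The log lines are made up and the names are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
NGINX_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /login [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a burst from 203.0.113.7 that neither source shows on
# its own (4 sshd failures, 2 web failures), then a successful ssh login.
SAMPLE_LOGS = [
    "Mar  4 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  4 10:15:03 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar  4 10:15:05 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51244 ssh2",
    '203.0.113.7 - - [04/Mar/2024:10:15:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '203.0.113.7 - - [04/Mar/2024:10:15:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    "Mar  4 10:15:14 bastion sshd[2214]: Failed password for deploy from 203.0.113.7 port 51250 ssh2",
    "Mar  4 10:15:20 bastion sshd[2217]: Accepted password for deploy from 203.0.113.7 port 51260 ssh2",
    "Mar  4 10:16:02 bastion sshd[2230]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Mar  4 10:16:05 bastion sshd[2231]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
    "Mar  4 10:16:07 bastion CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)",
]

def normalize(line: str, year: int = 2024) -> Optional[dict]:
    """Map an sshd or nginx login line to {ts, src_ip, user, source, outcome}.
    Syslog lines carry no year, so the collector must supply it (assumed 2024)."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "src_ip": m["ip"], "user": m["user"], "source": "sshd",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = NGINX_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return {"ts": ts, "src_ip": m["ip"], "user": None, "source": "web",
                "outcome": "success" if m["status"] == "200" else "failure"}
    return None   # a real pipeline counts unparsed lines rather than dropping them silently

def correlate(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Rule: at least `threshold` failed logins from one source IP, across any
    sources, inside a sliding `window`, followed by a success from that IP."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for ev in evs:
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]  # expire old failures
            if ev["outcome"] == "failure":
                failures.append(ev)
            elif len(failures) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src_ip": ip,
                               "user": ev["user"], "failures": len(failures),
                               "sources": sorted({f["source"] for f in failures} | {ev["source"]}),
                               "ts": ev["ts"].isoformat()})
                failures = []   # one alert per burst
    return alerts

def run(lines, **rule_kwargs) -> list:
    events = [e for e in (normalize(l) for l in lines) if e]
    return correlate(events, **rule_kwargs)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Running the same rule over the sshd lines alone produces nothing, because four failures are under the threshold; the alert only appears once the web tier's failures are joined to the same source IP. That is the cross-source correlation a SIEM exists to provide, and it is also why the normalization step (a common timestamp, a common source-IP field) has to come first.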
SOC: Security Operations Center — a centralized team (and facility) responsible for monitoring, detecting, and responding to cybersecurity incidents. SOCs typically operate 24/7 for critical environments.
Supply Chain Risk: The risk that an organization's security is compromised through vulnerabilities in its vendors, suppliers, or service providers. Supply chain attacks exploit trusted relationships to bypass direct defenses.
Threat Intelligence: Information about current and emerging cyber threats collected from multiple sources (ISACs, government feeds, commercial platforms, OSINT). Threat intelligence informs detection rules, vulnerability prioritization, and incident response.
Vulnerability: A weakness in a system, application, or process that could be exploited by a threat actor to gain unauthorized access or cause damage. Vulnerabilities are commonly scored using CVSS (Common Vulnerability Scoring System), which rates technical severity from a vector of base metrics; it does not by itself measure how likely exploitation is, so prioritization should also weigh exploitability and exposure.
WAF: Web Application Firewall — a security solution that inspects HTTP/HTTPS traffic to and from web applications, blocking common attacks like SQL injection, XSS, and remote file inclusion. A WAF is a compensating layer in front of the application, not a substitute for fixing it: signature-based rules can be evaded by encoded or fragmented payloads.
Zero Trust: A security model based on the principle "never trust, always verify." Zero trust requires continuous verification of identity and authorization for every access request, regardless of network location. Implementation involves micro-segmentation, identity-aware proxies, and device posture checks.