SECURITY+
REFERENCE DOSSIER

AAA is the foundational access control framework: Authentication verifies who you are; Authorization determines what you can do; Accounting records what you did. RADIUS and TACACS+ are common AAA protocols.

The 'A' in the CIA triad. Ensures authorized users can access systems and data when needed. Threatened by DoS attacks, hardware failures, and natural disasters.

The 'C' in the CIA triad. Ensures data is accessible only to those with authorized access. Protected through encryption, access controls, data classification, and need-to-know policies.

The 'I' in the CIA triad. Ensures data has not been tampered with by unauthorized parties. Protected through cryptographic hashing, digital signatures, checksums, and version control.

Ensures the origin of data or a transaction cannot be denied. Achieved through digital signatures, audit logs, and timestamping. Critical for legal admissibility and financial transactions.

Operates on "never trust, always verify." Every access request — inside or outside the perimeter — must be authenticated, authorized, and continuously validated against policy. Eliminates implicit trust zones.

A process identifying the difference between an organization's current security posture and a target state. The output is a prioritized remediation roadmap aligned to a framework or regulation.

A purposely vulnerable decoy system that appears to be a legitimate target. Detects unauthorized access, captures attacker tools and techniques, and generates early-warning alerts with zero false-positives.

A controlled network of interconnected honeypots simulating an entire production environment, enabling researchers to observe complete attack kill-chains from initial access through lateral movement.

A decoy document placed where an attacker would likely access during reconnaissance. Any read, write, or access attempt triggers an alert — zero false-positives since no legitimate use exists.

Digital decoys — fake credentials, API keys, database records, or email addresses — with no legitimate use. Any attempt to use them is an unambiguous indicator of compromise.

A physical or smart card containing encoded credentials (magnetic strip, RFID, or smart chip) that authenticates the holder and grants access to controlled physical spaces.

An interlocking door system preventing tailgating. The first door must close and authentication must complete before the second door opens. Also called a mantrap.

Vehicle access control devices — fixed or removable steel or concrete posts — that prevent unauthorized vehicles from entering a protected area. Protect against vehicle-borne IED attacks.

CCTV and IP camera systems providing continuous monitoring, recording, and deterrence. Modern systems include analytics for automated motion detection, facial recognition, and anomaly alerts.

Allow lists (whitelists) explicitly permit only approved entities; everything else is denied by default. Deny lists (blacklists) block known-bad entities. Allow lists provide stronger security but require more management.

A rollback plan specifying exactly how to restore prior state if a change causes unintended problems. Required component of any change request in a mature change management process.

A pre-approved time period — often nights or weekends — during which changes can be applied to systems with minimal business impact. Part of formal change management processes.

Documented, repeatable procedures ensuring tasks are performed consistently and correctly regardless of who executes them. SOPs are essential for incident response, change management, and audit compliance.

Systems like Git track changes to code, configuration files, and documentation over time. Enables rollback to known-good states, provides audit trails, and prevents unauthorized or accidental changes.

A systematic assessment of how a proposed change could affect business operations, security posture, and compliance. Mandatory before implementing changes that could disrupt critical services.

Uses mathematically linked key pairs: data encrypted with the public key can only be decrypted by the corresponding private key. Slower than symmetric encryption; used for key exchange and digital signatures.

Uses a single shared key for both encryption and decryption. Much faster than asymmetric encryption. Key distribution is a challenge — the shared key must be securely exchanged before communication. AES is the standard.

A one-way mathematical function producing a fixed-length digest of any input. Used for password storage, integrity verification, and digital signatures. Cannot be reversed to obtain the original data.

A random unique value appended to each password before hashing. Ensures that identical passwords produce different hashes, defeating rainbow table and dictionary attacks.

Created by hashing a message and encrypting the hash with the sender's private key. Recipients decrypt with the sender's public key and verify the hash matches. Provides authentication, integrity, and non-repudiation.

The complete system of hardware, software, policies, and procedures that manages digital certificates and public-private key pairs. Includes CAs, registration authorities, certificate stores, and revocation mechanisms.

Trusted third parties in the PKI hierarchy that issue, sign, and revoke digital certificates. They validate identity before issuing certificates, establishing chain-of-trust in cryptographic systems.

A tamper-resistant hardware device providing secure key generation, storage, and cryptographic operations. Keys never leave the HSM in plaintext. Used for PKI roots, code signing, and payment processing.

A dedicated microcontroller chip on the motherboard providing hardware-based security functions: secure key generation and storage, platform integrity measurement, and sealed storage tied to platform state.

Substitutes sensitive data values with randomly generated tokens stored in a token vault. The original data is never transmitted or stored in business systems, dramatically reducing data breach impact.

Conceals the existence of a message by embedding it within ordinary-looking files (images, audio, video). Unlike encryption (which hides content), steganography hides the fact that a message exists at all.

Takes a weak key (e.g., a user password) and applies hash functions repeatedly (PBKDF2, bcrypt, Argon2) to produce a stronger derived key. The added computation dramatically slows brute-force attacks.

Encrypts the entire contents of a storage device, including the OS, applications, and user data. Data is decrypted on-the-fly during normal use; protects against physical device theft.

The most sophisticated and well-resourced threat actors, operating with government backing. Conduct long-term APT campaigns for intelligence collection, critical infrastructure disruption, and geopolitical advantage.

Professional criminal enterprises with specialized roles: initial access brokers, ransomware developers, negotiators, and money laundering networks. Financially motivated and increasingly sophisticated.

Politically or socially motivated hackers. Operations include website defacement, DDoS attacks on target organizations, and publication of stolen data to embarrass or expose targets. Anonymous is a well-known example.

Uniquely dangerous because they bypass perimeter controls. Includes malicious insiders (intentional harm), negligent insiders (accidental exposure), and compromised insiders (credentials stolen by external actors).

Also called script kiddies. Despite low skills, they pose real risk by using automated tools that lower the attack barrier. Primarily target widely known, unpatched vulnerabilities.

IT systems, devices, software, or services used by employees without IT department approval. Creates security gaps: data outside organizational controls, compliance violations, and unmanaged vulnerabilities.

The unauthorized movement of data from within an organization to an external destination. Can be performed via network transfer, physical media, email, or cloud storage. A primary objective of many cyberattacks.

The covert collection of sensitive information from adversaries or competitors. Cyber espionage is conducted through APT campaigns — long-term, stealthy operations targeting high-value intellectual property or government secrets.

The most common motivation for cyberattacks. Includes ransomware, BEC fraud, credit card theft, cryptocurrency mining, and sale of stolen data. Drives the majority of the global cybercrime economy.

Mass social engineering attacks sent to broad audiences. Spear phishing targets specific individuals; whaling targets executives; vishing is via phone. The most common initial access vector in data breaches.

Social engineering conducted via voice calls. Attackers use pretexting, urgency, and authority to manipulate targets. Often targets elderly individuals or employees with access to financial systems.

SMS-based phishing (smishing) exploits the higher open rates and lower suspicion associated with text messages. Often impersonates financial institutions, delivery services, or government agencies to create urgency.

A sophisticated scam targeting businesses that regularly perform wire transfers. Attackers impersonate executives or vendors using spoofed or compromised email accounts. BEC causes billions in annual losses globally.

Attacks targeting less-secure elements in a supply chain — software vendors, hardware manufacturers, service providers — to compromise the ultimate target through trusted relationships. SolarWinds is the prime example.

A targeted attack where adversaries compromise websites known to be frequented by their actual target. Rather than attacking the target directly, they poison a trusted site the target regularly visits.

Also called URL hijacking. Registers misspelled or visually similar domain names to intercept users who make typing errors. The fake site may steal credentials, serve malware, or conduct phishing attacks.

Physical media used to introduce malware into air-gapped or otherwise secure systems. The "USB drop" attack exploits human curiosity. Autorun features can execute malware immediately upon connection.

Factory-set credentials that are publicly documented and not changed during deployment. Represent low-effort targets for attackers. Especially problematic in IoT devices, network equipment, and cloud services.

A vulnerability unknown to the vendor and/or without an available patch. Attackers who discover or purchase zero-days can exploit them indefinitely until disclosed and patched. Highly valued in criminal and nation-state markets.

Injects malicious SQL code through user input fields into database queries. Can extract confidential data, modify database records, bypass authentication, or execute OS commands. Prevention requires parameterized queries.

Injects malicious client-side scripts into web pages viewed by other users. Types include reflected (URL-based), stored (persistent in database), and DOM-based XSS. Can steal session cookies, credentials, or redirect users.

Occurs when a program writes more data to a memory buffer than it can hold, overwriting adjacent memory. Can cause crashes or, if exploited precisely, allow an attacker to redirect execution to injected code.

One of the most common vulnerability categories. Includes default credentials left unchanged, unnecessary services enabled, overly permissive access controls, and improperly configured cloud storage. Often the root cause of major breaches.

Exploits hypervisor vulnerabilities to break out of a VM's isolation boundary, gaining code execution on the host or other VMs. Considered a critical severity vulnerability in virtualized environments.

Occur when multiple processes access shared resources concurrently without proper synchronization. In TOCTOU (Time-of-Check Time-of-Use), an attacker changes a resource between when it's verified and when it's used.

The point at which a vendor ceases providing security updates and support for a product. All vulnerabilities discovered after EOL remain permanently unpatched, representing an ever-growing attack surface.

Uses a botnet of compromised devices (zombies) to flood targets with traffic or resource-exhausting requests. Harder to mitigate than single-source DoS. Types include volumetric (bandwidth), protocol, and application-layer attacks.

Exhaustive search attack trying all possible combinations. Pure brute force tries every possibility; dictionary attacks use word lists; credential stuffing uses known breached passwords. Mitigated by MFA, account lockout, and strong passwords.

Any software intentionally designed to cause disruption, gain unauthorized access, steal data, or hold systems for ransom. Categories include viruses (self-replicating), worms (self-propagating), trojans, ransomware, and rootkits.

A category of malware that encrypts victim data and demands payment for the decryption key. Modern ransomware often includes double extortion: threatening to publish stolen data if the ransom is not paid.

Malware designed to gain privileged access and conceal its presence by modifying OS components. Can intercept and alter OS calls to hide files, processes, and network connections. Firmware rootkits survive OS reinstalls.

Based on the birthday paradox in probability. Exploits that hash collisions occur more easily than intuition suggests. Used to forge digital signatures or create malicious documents with the same hash as legitimate ones.

An attacker secretly positions themselves between two communicating parties, intercepting and potentially modifying messages. Common on unsecured networks. Mitigated by TLS/SSL, certificate pinning, and MFA.

On-demand delivery of IT resources over the internet. Service models: IaaS (infrastructure), PaaS (platform), SaaS (software). Deployment models: public (shared), private (dedicated), hybrid (both), community (sector-shared).

An architecture combining private (on-premises or hosted) and public cloud resources. Organizations keep sensitive workloads on-premises while leveraging public cloud scalability for less sensitive workloads.

Functions-as-a-Service model where code runs in stateless containers managed entirely by the cloud provider. Reduces infrastructure management but creates risks around function-level IAM permissions and injection vulnerabilities.

An architectural style where applications are composed of small, loosely coupled services. Each microservice has its own security boundary and can be independently deployed, scaled, and updated.

Technology packaging application code and dependencies into lightweight, portable containers. Containers share the host OS kernel (unlike VMs), so kernel vulnerabilities affect all containers. Kubernetes orchestrates containerized workloads.

Treating infrastructure configuration as code managed in version control. Enables consistent, repeatable provisioning and eliminates configuration drift. Security policies can be embedded in IaC templates and enforced via policy-as-code.

Secure Access Service Edge converges SD-WAN capabilities with cloud-native security functions. Delivers security enforcement at the network edge close to users, enabling zero-trust access for distributed workforces.

Software-Defined WAN abstracts the underlying transport and centrally manages WAN connectivity. Enables dynamic path selection, application-aware routing, and centralized security policy enforcement across distributed locations.

In IaaS, the provider secures physical infrastructure; customers manage everything above the hypervisor. In PaaS, the provider also manages the OS/runtime. In SaaS, the provider manages everything except data and user access.

Divides a network into isolated zones using firewalls, VLANs, or microsegmentation. Limits lateral movement: an attacker who compromises one segment cannot freely access others. Critical for PCI DSS compliance.

A network zone between untrusted (internet) and trusted (internal) networks, hosting public-facing services. Firewalls control traffic into and out of the DMZ, limiting exposure if a DMZ host is compromised.

Controls network traffic between zones based on rules. Packet-filtering inspects headers; stateful tracks connection state; NGFW adds application awareness and IPS; WAF (Web Application Firewall) protects web apps from OWASP Top 10 attacks.

IDS (passive) inspects traffic and generates alerts without blocking. IPS (inline, active) can block or drop malicious traffic in real time. Both use signature-based detection (known attacks) and anomaly-based detection (behavioral deviations).

Extends a private network over a public one by creating an encrypted tunnel. IPSec VPNs encrypt at the network layer; SSL/TLS VPNs operate at the transport layer. Split tunneling sends only organizational traffic through the VPN.

An intermediary that processes requests on behalf of clients (forward proxy) or servers (reverse proxy). Forward proxies filter outbound traffic and cache content; reverse proxies load balance and protect web servers from direct exposure.

Distributes traffic across a pool of servers using algorithms (round-robin, least connections, IP hash). Provides both availability and performance benefits. Can perform health checks to remove failed servers from rotation.

Evaluates devices against security policy before granting network access. Non-compliant devices can be quarantined, given limited access, or blocked. Uses 802.1X authentication for wired/wireless enforcement.

Virtual LANs create logical network segments on a physical switch infrastructure. Traffic between VLANs requires a Layer 3 device (router/firewall), enabling granular access control and containing broadcast traffic.

Organizes data into categories based on sensitivity and required protection level. Enables appropriate security control application: public data has minimal controls while restricted/top secret data receives maximum protection including encryption and strict access controls.

Systems that monitor data in use (endpoints), in motion (network), and at rest (storage) to detect and prevent unauthorized disclosure. Use content inspection, contextual analysis, and pattern matching (regex for SSNs, credit cards).

Data stored on any persistent medium — local storage, databases, backup tapes, cloud object storage. Encryption at rest (TDE, BitLocker, cloud-native encryption) protects against unauthorized access to the physical or logical storage layer.

Data actively moving through a network between endpoints. TLS is the standard protection. Also covers data transferred via API, email (S/MIME, TLS), and VPN tunnels. Vulnerable to eavesdropping and MitM attacks if unencrypted.

Data currently being processed in RAM or CPU registers. Must be decrypted to be used, creating exposure. Secure enclaves and trusted execution environments provide hardware-isolated processing of sensitive data.

Information Rights Management (IRM) and Digital Rights Management (DRM) embed usage policies within documents and media files. Policies persist with the content, enforcing restrictions even after distribution outside the organization.

Architecture eliminating single points of failure through redundant components, automatic failover, and load distribution. "Five nines" (99.999%) availability allows only ~5 minutes of downtime per year. Achieved through clustering, replication, and geographic distribution.

The duplication of critical components or functions to increase reliability and availability. Includes hardware redundancy (dual NICs, RAID), network redundancy (multiple ISPs), geographic redundancy (multiple data centers), and personnel redundancy (cross-training).

RAID 0: Striping (performance, no redundancy). RAID 1: Mirroring (full redundancy). RAID 5: Striping with distributed parity (tolerates 1 drive failure). RAID 6: Tolerates 2 drive failures. RAID 10: Mirroring + striping (highest performance + redundancy).

Full: backs up all data (slowest to create, fastest to restore). Incremental: backs up changes since the last backup (fastest to create, slowest to restore). Differential: changes since last full (middle ground). The 3-2-1 rule is the backup gold standard.

Plans, procedures, and resources enabling restoration of IT operations after a disaster. Site types: hot (fully operational, immediate failover), warm (partially configured, hours to recover), cold (empty facility, days to recover). Must be regularly tested.

RTO defines the maximum tolerable downtime for a system. Drives disaster recovery infrastructure investment: a 15-minute RTO requires a hot standby; a 48-hour RTO may only need a cold site. Must be established through Business Impact Analysis.

RPO defines the maximum data loss an organization can tolerate, expressed as time since the last backup. A 1-hour RPO requires hourly backups (or continuous replication). Closely related to RTO in determining DR investment.

Placing redundant systems in geographically separate locations protects against site-level disasters. Cloud availability zones and regions implement geographic dispersal. Must consider data sovereignty laws when dispersing across international borders.

Application Programming Interfaces (APIs) allow different software systems to communicate and share data automatically. Security automation leverages APIs to connect SIEM, ticketing systems, threat intelligence platforms, and endpoint tools into unified workflows.

The elapsed time between detection of a security event and execution of a response action. Automation dramatically reduces reaction time from hours (manual) to seconds (automated playbook execution), limiting attacker dwell time.

Automated allocation and configuration of computing resources. In security contexts, ensures newly provisioned resources automatically receive baseline security configurations, preventing configuration drift and human error.

Ensuring that security controls scale automatically alongside infrastructure growth. Security groups, IAM policies, and network rules must be applied at provisioning time to prevent newly added resources from creating security gaps.

Logical groupings used to apply consistent security policies to multiple resources or users simultaneously. In cloud environments, security groups act as virtual firewalls controlling inbound and outbound traffic to instances.

Any component whose failure would cause the entire system or process to fail. Automation creates new single points of failure that must be identified and mitigated through redundancy, failover mechanisms, and manual fallback procedures.

Pre-approved, security-hardened configuration templates applied consistently across all systems of the same type. Eliminates configuration drift and human error. Tools like Ansible, Chef, and Puppet enforce standard configurations at scale.

The accumulated cost of shortcuts taken during development or implementation. In security automation, technical debt manifests as brittle scripts, hardcoded credentials, undocumented exceptions, and lack of error handling that must eventually be remediated.

Automation that generates ITSM tickets (ServiceNow, Jira) directly from monitoring alerts or user reports. Ensures every detected event is tracked, assigned, and followed through to resolution without manual intervention.

Automates the identity lifecycle: account creation, role assignment, access provisioning, and account deactivation. Integrates with HR systems to trigger automatically on hire, transfer, and termination events. Critical for preventing orphaned accounts.

Automation acts as a force multiplier, enabling small security teams to operate at the scale and speed needed to defend modern environments. SOAR platforms are the primary workforce multiplier in security operations.

The first phase of the incident response lifecycle (PICERL). Includes developing IR plans, building the team, acquiring tools, running tabletop exercises, and establishing communication procedures. The quality of preparation determines response effectiveness.

The process of identifying potential security incidents through automated monitoring (SIEM, EDR, NDR) and human analysis. Incidents can be detected via alerts, anomalies, user reports, or threat intelligence. Speed of detection limits attacker dwell time.

Short-term containment (immediate isolation of affected systems) and long-term containment (hardening remaining systems, deploying temporary fixes) limit the blast radius. Must balance stopping the attack with preserving forensic evidence.

Complete removal of all attacker footholds: malware, backdoors, compromised credentials, and exploited vulnerabilities. Must be thorough — missed persistence mechanisms allow attackers to regain access after recovery.

Restoring systems to normal operation from known-good backups or rebuilt images. Includes verification that systems are clean, monitoring for signs of re-infection, and gradual reconnection to production networks.

A structured post-incident review (typically within 2 weeks) examining the timeline, response effectiveness, gaps, and improvements. Output feeds back into the Preparation phase, continuously improving the IR capability.

Scientifically sound collection and analysis of digital evidence. Must follow established procedures to maintain admissibility. Encompasses disk forensics (deleted files, artifacts), memory forensics, network forensics, and log analysis.

A documented, unbroken record of who collected evidence, when it was collected, where it has been, and who has accessed it. Essential for evidence admissibility in court. Any gap or break in chain of custody can invalidate evidence.

Creating forensically sound copies of evidence (disk images, memory dumps, network captures) without altering the original. Write blockers prevent accidental modification. Hash verification (SHA-256) confirms the copy is identical to the original.

A directive suspending normal data destruction policies for data potentially relevant to litigation or regulatory investigation. Organizations must implement legal holds immediately upon awareness of potential legal proceedings to avoid spoliation claims.

A structured investigation technique (fishbone, 5-Whys) that identifies the fundamental causes of an incident, not just the symptoms. Distinguishes between proximate causes (what happened) and root causes (why it happened) to drive meaningful remediation.

A facilitated discussion-based exercise where participants walk through an incident scenario verbally. Less resource-intensive than full simulations; ideal for testing decision-making processes, communication flows, and policy gaps across teams.

Hypothesis-driven, proactive security analysis searching for evidence of adversary activity that has evaded automated detection. Hunters formulate hypotheses based on threat intelligence, then test them by querying logs, EDR telemetry, and network data.

A hands-on exercise recreating real incident conditions. Can range from red team/blue team exercises to full-scale disaster recovery tests. More resource-intensive than tabletop exercises but provides more realistic preparation.

Application-generated logs record user actions, transactions, errors, and security events within a specific application. Critical for investigating application-layer attacks like SQL injection, authentication bypass, and privilege escalation.

Telemetry from desktops, laptops, and mobile devices including process execution, file system changes, registry modifications, network connections, and user activity. EDR platforms aggregate and analyze endpoint logs for threat detection.

Records every connection attempt evaluated by the firewall: source/destination IP, port, protocol, action (allow/deny), and timestamp. Essential for detecting port scans, lateral movement, data exfiltration attempts, and policy violations.

Alert logs generated when traffic matches attack signatures or behavioral baselines. Include alert type, severity, source/destination, and signature match details. High-volume sources requiring tuning to reduce false positives.

Network device telemetry including flow data (NetFlow, sFlow), routing table changes, interface statistics, and DHCP/DNS logs. Used to reconstruct attack timelines, identify compromised hosts, and detect data exfiltration.

Windows Security Event Log, Linux syslog/auditd, and macOS Unified Log record authentication events, privilege use, object access, and policy changes. Critical for detecting pass-the-hash, privilege escalation, and account compromise.

Descriptive information about files, emails, and documents. Can reveal author information, location data, edit history, and timestamps. Investigators analyze metadata to establish timelines and attribute actions to specific users or systems.

Centralized visual displays aggregating data from SIEM, EDR, network monitoring, and threat intelligence platforms. Enable SOC analysts to quickly identify high-priority events and trends without manually reviewing individual log sources.

Scheduled security reports generated automatically by SIEM, vulnerability scanners, and compliance tools. Provide management visibility into security posture, trend analysis, and compliance status without manual effort.

A policy defining permitted and prohibited uses of organizational IT resources. All employees typically acknowledge the AUP as part of onboarding. Violations can result in disciplinary action up to and including termination.

Senior individuals responsible for a data set. Define classification, access permissions, and retention requirements. Accountable for ensuring their data is appropriately protected but typically rely on data custodians for technical implementation.

Technical administrators responsible for implementing and maintaining security controls protecting data as directed by data owners. Perform backups, encryption, access provisioning, and monitoring. Do not set policy — they implement it.

Under GDPR, the data controller determines the purposes and means of processing personal data. Controllers bear primary accountability and must ensure processors provide sufficient guarantees of compliance.

Process personal data strictly on behalf of and under instructions from the data controller. Must maintain records of processing activities and notify controllers of breaches. Enter into Data Processing Agreements (DPAs) with controllers.

The organizational framework defining how security decisions are made, who has authority, and how accountability is assigned. Includes boards, committees, working groups, and executive roles like CISO, CIO, and DPO.

Documented, pre-approved response procedures for known incident types. Reduce response time and ensure consistent, compliant actions under pressure. SOAR platforms automate playbook execution. Must be regularly updated based on lessons learned.

Onboarding provisions access aligned to role and AUP acknowledgment. Offboarding must be immediate and comprehensive: disable accounts, revoke certificates, recover devices, transfer data. Delayed offboarding is a common source of insider threat risk.

Policies governing password creation and management. NIST 800-63B recommends: minimum 8 characters, check against breach databases, no periodic forced resets unless compromised, and support for password managers. Complexity rules are now considered less effective than length.

A systematic process identifying assets, threats, vulnerabilities, and the likelihood and impact of potential incidents. Output is a prioritized risk register informing security investment decisions. Can be one-time, recurring, or continuous.

A board-level declaration of how much risk the organization is willing to accept. Guides all risk management decisions. Expansionary appetite accepts more risk for growth; conservative appetite minimizes risk even at cost to agility.

The primary risk management strategy: implementing controls to reduce risk to an acceptable level. Can target likelihood (preventive controls) or impact (corrective controls). Residual risk remains after mitigation.

Contractually shifting financial risk to a third party. Cyber insurance is the primary mechanism. Also includes outsourcing security functions to MSSPs and including liability clauses in vendor contracts. Does not eliminate the risk.

Eliminating a risk by discontinuing or not starting the activity that creates it. The most extreme risk response. May have business costs — forgoing cloud services avoids cloud risk but loses competitive benefits.

A formal decision to accept a risk because the cost of mitigation exceeds the cost of the risk itself, or the risk falls within risk tolerance. Must be explicitly documented and approved by appropriate management authority.

Assigns dollar values to risks using formulas: SLE (Single Loss Expectancy) = Asset Value × Exposure Factor; ALE (Annual Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence). Enables ROI calculations for security controls.

Categorizes risks using descriptive scales rather than precise financial values. Faster and simpler than quantitative analysis. Uses risk matrices plotting likelihood vs. impact. Suitable when precise data is unavailable or impractical to gather.

Analyzes how disruptions to specific business processes affect organizational objectives. Identifies critical functions, dependencies, maximum tolerable downtime, and data recovery requirements — the foundation for DR/BC planning.

A comprehensive log of all identified risks including: description, likelihood, impact, risk score, owner, mitigation status, and residual risk. The primary risk management artifact reviewed by boards and audit committees.

SLE = Asset Value × Exposure Factor. Represents the financial impact of a single incident. The building block for ALE calculations. If an asset is worth $100,000 and EF is 30%, SLE = $30,000.

ALE = SLE × ARO. The annualized expected loss from a specific risk. If a control costs less than the ALE reduction it provides, it's financially justified. Central metric in quantitative security ROI analysis.

Average time a repairable system operates without failure. Used for hardware procurement decisions and maintenance scheduling. Higher MTBF indicates greater reliability. Complements MTTR in availability planning.

Average time from failure detection to service restoration. Drives staffing and tooling decisions. Lower MTTR requires better diagnostics, spare parts, trained staff, and runbooks. MTTR directly impacts availability calculations.

A comprehensive evaluation of a vendor's security practices, financial stability, compliance certifications, and incident history. Typically involves questionnaires, review of SOC 2 reports, and contractual security requirements.

Reasonable investigation performed before entering a business relationship. Security due diligence examines vendor security controls, breach history, compliance posture, and data handling practices to identify unacceptable risks before contract execution.

A formal agreement defining measurable service standards. Security SLAs should include incident response time commitments, breach notification timelines, uptime guarantees, and audit rights. Non-compliance triggers financial penalties or termination.

A legally binding agreement protecting confidential information shared between parties. Defines what is confidential, how it can be used, and obligations if a breach occurs. Essential before sharing security architecture, source code, or business strategies with vendors.

Establishes a framework of cooperation and shared understanding between parties. Not legally binding like a contract, but sets expectations. Commonly used in government and inter-agency information sharing relationships.

A framework agreement establishing standard terms for an ongoing business relationship. Security provisions (data handling, breach notification, audit rights) established in the MSA apply to all subsequent work orders, reducing per-project negotiation time.

A contractual provision allowing the customer to inspect the vendor's security controls, processes, and compliance status. Can be exercised directly or through independent auditors. Essential for highly sensitive data processing relationships.

Maps and assesses the extended network of suppliers, sub-contractors, and service providers that contribute to a product or service. Identifies concentration risks, geographic risks, and third-party dependencies that could propagate to the organization.

Ongoing assessment of active vendor relationships. Includes reviewing annual SOC 2 reports, monitoring threat intelligence feeds for vendor breaches, conducting periodic security reviews, and tracking SLA performance metrics.

Internal reports track compliance program health for management. External reports (SOC 2, PCI DSS assessments, HIPAA attestations) demonstrate compliance to customers, regulators, and auditors. Automation reduces manual effort in both report types.

Consequences range from financial (fines up to 4% of global revenue under GDPR) to operational (loss of license, contract termination) to reputational (public disclosure of violations). Criminal liability may apply for negligent executives.

Data inventory maps what sensitive data exists and where it lives. Retention schedules define how long each data type must be kept (legal minimum) and when it must be deleted (to limit exposure). Balances legal retention requirements against privacy minimization principles.

Under GDPR Article 17 (Right to Erasure), individuals can request deletion of their personal data when it's no longer necessary, consent is withdrawn, or there's no legitimate interest. Organizations must propagate deletion requests to processors and third parties.

Major privacy frameworks: GDPR (EU — extraterritorial scope, up to 4% global revenue fines), CCPA (California), PIPEDA (Canada), LGPD (Brazil), PIPL (China). Organizations operating globally must comply with the strictest applicable law.

Under GDPR and similar laws, the natural person whose personal data is being processed. Data subjects have rights: access (view their data), rectification (correct errors), erasure (right to be forgotten), portability, and objection to processing.

Ethical hacking exercise simulating real attacks. Black box (no prior knowledge), white box (full knowledge), gray box (partial). Phases: reconnaissance, scanning, exploitation, post-exploitation, reporting. Must have written authorization (rules of engagement).

The first phase of penetration testing. Passive recon uses OSINT (public records, social media, DNS, job postings) without alerting the target. Active recon (port scanning, service enumeration) interacts directly with systems and may trigger alerts.

An audit conducted by an independent party with no conflict of interest. SOC 2 Type II, ISO 27001, and PCI DSS QSA assessments are common third-party audits. Provide customers and regulators with objective assurance of control effectiveness.

Organizations evaluate their own security controls against a framework (NIST CSF, CIS Controls, ISO 27001). Lower cost than external audits but lacks independence. Used to identify gaps before formal assessments and to demonstrate due care.

A formal declaration, typically signed by an executive or auditor, asserting that controls are operating effectively. Internal attestation comes from management; external attestation from independent third parties. Both carry legal accountability.

The documented agreement governing scope, limitations, timing, and emergency procedures for penetration tests. Defines in-scope and out-of-scope systems, prohibited techniques (e.g., physical intrusion, social engineering), and escalation procedures if critical vulnerabilities are found.

Simulated phishing exercises measure employee susceptibility and provide immediate teachable moments. Metrics (click rate, credential submission rate, report rate) track improvement over time. Platforms like KnowBe4 and Proofpoint automate campaign management.

Psychological manipulation exploiting human tendencies: trust, authority, urgency, fear, reciprocity. Techniques: pretexting (fabricated scenario), baiting (tempting offer), quid pro quo (exchange), tailgating (physical access). The most effective attack vector against well-patched environments.

Awareness programs educating employees about insider threat indicators: downloading large data volumes, accessing systems outside normal hours, expressing workplace grievances. Combines technical detection (UEBA) with a reporting culture.

A process for protecting information that could be aggregated by adversaries to reveal sensitive operational details. Involves identifying critical information, analyzing threats, identifying vulnerabilities, assessing risk, and applying countermeasures.

Awareness training covering: creating strong unique passwords, using password managers (1Password, Bitwarden), recognizing credential-harvesting attacks, and understanding why password reuse is dangerous. Complements technical controls like MFA.

Training users and deploying UEBA (User and Entity Behavior Analytics) to detect behavioral deviations. Unusual login times, abnormal data access volumes, and geographic impossibilities are key anomaly indicators.

The ongoing ability to perceive and comprehend security-relevant elements of the environment. Includes recognizing tailgating attempts, suspicious USB drives, unexpected callers, and unusual network behavior. A foundational skill for all security-conscious employees.

Removable media creates bidirectional risk: malware introduced into the organization (USB drop attacks) and data exfiltrated out. Controls include DLP policies, device encryption, endpoint USB port disabling, and awareness training.

Remote work expands the attack surface beyond organizational perimeter. Key risks: insecure home Wi-Fi, shoulder surfing, personal device use, VPN split tunneling. Controls: mandatory VPN, endpoint encryption, MFA, and remote work security training.