| Terms | Definition |
|---|---|
| American Institute of Certified Public Accountants (AICPA) | The American Institute of Certified Public Accountants (AICPA) is a non-profit professional organization representing certified public accountants (CPA) in the United States. The organization is integral to rule-making and standard-setting in the CPA profession and serves as an advocate for legislative bodies and public interest groups. |
| Anomaly Detection | Anomaly detection is the identification of rare items, events or observations which raise suspicions by differing significantly from the majority of the data. |
| Artificial intelligence | Artificial intelligence leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind. |
| Audits | Auditing is defined as the on-site verification activity, such as inspection or examination, of a process or quality system, to ensure compliance to requirements. |
| Brand Equity | Brand equity refers to a value premium that a company generates from a product with a recognizable name when compared to a generic equivalent. |
| Brand Sentiment | Sentiment refers to the emotion or opinion conveyed in a brand mention, and mentions will either have a positive, negative or neutral sentiment. |
| Breaking News Events | Newly received information about an event that is currently occurring or developing. |
| California Consumer Privacy Act (CCPA) | The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights. |
| California Privacy Rights Act (CPRA) | The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. This proposition expands California’s consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations. |
| Casualty Actuarial Society (CAS) ERM | The Casualty Actuarial Society (CAS) is an international credentialing and professional education entity. The organization focuses exclusively on property and casualty risks in insurance, reinsurance, finance, and enterprise risk management. |
| Center for Internet Security Controls (CIS) | The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks |
| Children’s Online Privacy Protection Rule (COPPA) | The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law designed to imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. |
| Cloud Computing | Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. |
| Committee of Sponsoring Organizations (COSO) ERM | The COSO Framework is a system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards. |
| Company Reputation | A company’s reputation is an intangible asset and a source of competitive advantage against rivals because the company will be viewed as more reliable, credible, trustworthy and responsible to its employees, customers, shareholders and financial markets. |
| Competitive Benchmarking | Competitive benchmarking is a method for those who want to maintain an edge by knowing where they stand. It’s a way of determining the best processes, strategies, and techniques for achieving your business goals via a set of metrics. |
| Competitor Analysis | Competitive analysis in marketing and strategic management is an assessment of the strengths and weaknesses of current and potential competitors. |
| Consumer Insights | A customer insight, or consumer insight, is an interpretation of trends in human behaviors which aims to increase the effectiveness of a product or service for the consumer, as well as increase sales for the financial benefit of those provisioning the product or service. |
| Control Objectives for Information and Related Technologies (COBIT) | Control Objectives for Information and Related Technologies, more popularly known as COBIT, is a framework that aims to help organizations that are looking to develop, implement, monitor, and improve IT governance and information management. |
| Crisis Management | Crisis management is the process by which an organization deals with a disruptive and unexpected event that threatens to harm the organization or its stakeholders. |
| Critical Assets | Critical assets are the organizational resources essential to maintaining operations and achieving the organization’s mission. An insider threat program can protect these vital assets from malicious insiders or the unintended consequences from a complacent workforce. |
| Cybersecurity Maturity Model Certification (CMMC) ERM | CMMC is a more recent cybersecurity risk framework developed by the Under Secretary of Defense for Acquisition and Sustainment, the DoD, and other stakeholders to measure the cybersecurity maturity of government agencies and industry organizations doing business with the federal government. |
| Cybersecurity Threats | The protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. |
| Dashboard | A dashboard is a type of graphical user interface which often provides at-a-glance views of key performance indicators relevant to a particular objective or business process. |
| Datacenter | A data center or data centre is a building, a dedicated space within a building, or a group of buildings used to house computer systems and associated components, such as telecommunications and storage systems. |
| DevOps | DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. |
| Distributed denial of service (DDoS) attacks | Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. A DDoS attack involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a target website with fake traffic. |
| Domain Name | A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are used in various networking contexts and for application-specific naming and addressing purposes |
| Downtime | The term downtime is used to refer to periods when a system is unavailable |
| Emerging Risk | Emerging risks are risks which may develop or which already exist that are difficult to quantify and may have a high loss potential. |
| Endpoint Protection | Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. |
| Environment, Social and Governance (ESG) | Environment, Social, and Governance (ESG) refer to a trio of business standards used by socially conscious investors to screen potential investments. Investors are increasingly applying these non-financial factors as part of their analysis process to identify material risks and growth opportunities. |
| Exploit | An exploit is a code that takes advantage of a software vulnerability or security flaw. It is written either by security researchers as a proof-of-concept threat or by malicious actors for use in their operations. When used, exploits allow an intruder to remotely access a network and gain elevated privileges, or move deeper into the network. |
| ESG | ESG is a framework that helps stakeholders understand how an organization is managing risks and opportunities related to environmental, social, and governance criteria (sometimes called ESG factors). ESG is an acronym for Environmental, Social, and Governance. ESG takes the holistic view that sustainability extends beyond just environmental issues. While the term ESG is often used in the context of investing, stakeholders include not just the investment community but also customers, suppliers, and employees, all of whom are increasingly interested in how sustainable an organization’s operations are. |
| False Positives | False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t |
| Federal Information Security Management Act (FISMA) | The Federal Information Security Management Act (FISMA) is a United States federal law enacted as Title III of the E-Government Act of 2002. It requires federal agencies to implement information security programs to ensure their information and IT systems’ confidentiality, integrity, and availability, including those provided or managed by other agencies or contractors. |
| Federal Risk and Authorization Management Program (FedRAMP) | The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. |
| Fileless Attacks | Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove. |
| Firewall | A firewall is a security device — computer hardware or software — that can help protect your network by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your computer. |
| General Data Protection Regulation (GDPR) | The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). |
| Geovisualiation | Refers to a set of tools and techniques supporting the analysis of geospatial data through the use of interactive visualization. |
| Gramm-Leach-Bliley Act (GLBA) | The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. |
| Health Insurance Portability and Accountability Act (HIPAA) | The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. |
| High Impact Low Frequency Events | “High-impact, low-frequency” (HILF) is a term that refers to an event that happens with a low degree of frequency, usually in a manner that is irregular, unpredictable, and that causes a significant degree of disruption when it occurs. A closely related term is “high-impact, low-probability” (HILP). |
| Incident Management | Incident management refers to a set of practices, processes, and solutions that enable teams to detect, investigate, and respond to incidents. |
| Information Sensitivity | Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. |
| International Organization for Standardization (ISO) | The International Organization for Standardization (ISO) is an international nongovernmental organization made up of national standards bodies; it develops and publishes a wide range of proprietary, industrial, and commercial standards and is comprised of representatives from various national standards organizations. |
| International Traffic in Arms Regulations (ITAR) | International Traffic in Arms Regulations (ITAR) is a United States regulatory regime to restrict and control the export of defense and military related technologies to safeguard U.S. national security and further U.S. foreign policy objectives. |
| IT Infrastructure | IT infrastructure refers to the composite hardware, software, network resources and services required for the existence, operation and management of an enterprise IT environment. |
| Johnson & Johnson (J&J) ERM | The Johnson & Johnson ERM framework helps identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that our Company’s objectives will be achieved. |
| Key performance indicator (KPI) | A quantifiable measure of performance over time for a specific objective. KPIs provide targets for teams to shoot for, milestones to gauge progress, and insights that help people across the organization make better decisions. |
| Keyword Tracking | Keyword tracking is essentially the activity of monitoring the position of your website for specific keywords. It’s a process that allows you to get important data and metrics about specific keywords and shows how well your website ranks for those exact keywords. |
| Machine Learning | Machine learning is a branch of artificial intelligence (AI) and computer science which focuses on the use of data and algorithms to imitate the way that humans learn, gradually improving its accuracy. |
| Malicious Software / Malware | Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user’s computer security and privacy. |
| Market Intelligence | Market intelligence is the information relevant to a company’s market – trends, competitor and customer monitoring, gathered and analyzed. |
| Media Contact Database | A media contacts database is a resource which catalogs the names, contact information, and other details about people who work in various media professions. |
| Misconfiguration | An incorrect or subobtimal configuration of an information system or system component that may lead to vulnerabilities. |
| MISP | An open-source platform called Malware Information Sharing Platform (MISP) enables the sharing, storing, and correlating of threat intelligence, financial fraud information, vulnerability information, and even counter-terrorism information. By automatically making links between malware and its characteristics and storing data in an organized fashion, MISP aids security teams in the ingesting and analysis of threat data on malware attacks that have been discovered. Additionally, MISP permits the sharing of malware data with outside parties and aids in developing the rules. |
| MITRE ATT&CK | MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). A model and knowledge base for cyber adversary behavior, the MITRE ATT&CK framework reflects the many stages of an adversary’s attack lifecycle and the platforms they are known to target. A common taxonomy of specific adversary acts is provided by the strategy and method abstraction in the paradigm, which is understood by both the offensive and defensive sides of cybersecurity. |
| National Institute of Standards and Technology (NIST) | The National Institute of Standards and Technology is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. As part of this effort, NIST produces standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST also assists those agencies in protecting their information and information systems through cost-effective programs. |
| Network | A network consists of two or more computers that are linked in order to share resources (such as printers and CDs), exchange files, or allow electronic communications. |
| NIST Risk Management Framework (NIST RMF) | The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA). |
| NIST | The National Institute of Standards and Technology is known by the acronym NIST. One of the oldest physical science laboratories in the country, it is one of many federal organizations that fall under the U.S. Department of Commerce. NIST was established as a non-regulatory government organization in order to boost American industry’s competitiveness. Its main idea is based on the maxim “What is not measured cannot be managed.” The organization has worked to create and formally establish a large number of commercial and industrial standards over the years. The Federal Information Security Management Act’s criteria are better met by these businesses when NIST establishes technology and security policies that encourage innovation in science and technology-related sectors (FISMA). |
| Outreach | Outreach is an effort by individuals in an organization or group to connect its ideas or practices to the efforts of other organizations, groups, specific audiences or the general public. |
| OSINT | Open-source intelligence, or OSINT, is the process of obtaining data from open, legitimate data sources in order to fulfill a specified purpose. The dark web, blogs, social media, and news are examples of open sources. |
| Payment Card Industry Data Security Standard (PCI DSS) | The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud. |
| Penetration Testing | A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system |
| Phishing | Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware. |
| Physical Security Risk Management | A process of identifying and mitigating sources of physical risks and other vulnerabilities within an organization that can potentially disrupt the business entity. |
| Port Monitoring | Port Monitoring provides insights about network switch port status but CPU load, memory utilization, historical port utilization, and more. |
| Ransomware | Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid. |
| Real User Monitoring | Real user monitoring (RUM) is a passive monitoring technology that records all user interaction with a website or client interacting with a server or cloud-based application. Monitoring actual user interaction with a website or an application is important to operators to determine if users are being served quickly and without errors and, if not, which part of a business process is failing |
| Real-time Analytics | Real time analytics refers to the process of preparing and measuring data as soon as it enters the database. In other words, users get insights or can draw conclusions immediately (or very rapidly after) the data enters their system. |
| Reputation Damage | Reputational damage is the loss to financial capital, social capital and/or market share resulting from damage to a firm’s reputation. This is often measured in lost revenue, increased operating, capital or regulatory costs, or destruction of shareholder value. |
| Risk and Insurance Management Society Risk Maturity Model (RIMS) ERM | The nonprofit risk management society (RIMS) Risk Maturity Model (RMM) assessment consists of 68 readiness indicators that describe 25 competency drivers for seven critical ERM attributes to benchmark organizations against industry peers, track progress, and help execute an action plan. |
| Risk Appetite | Risk appetite is the general level of risk a company accepts while pursuing its objectives before it decides to take any action to reduce that risk. |
| Risk Assessment | Risk assessment is a term used to describe the overall process or method where you: Identify hazards and risk factors that have the potential to cause harm (hazard identification). |
| Risk Tolerance | Risk tolerance is the degree of variance from its risk appetite that the organization is willing to tolerate. |
| Root Cause Analysis | Root cause analysis (RCA) is a systematic process for finding and identifying the root cause of a problem or event. |
| Sarbanes-Oxley Act (SOX) | The Sarbanes-Oxley Act (SOX) is a federal act passed in 2002 with bipartisan congressional support to improve auditing and public disclosure in response to several accounting scandals in the early-2000s. |
| Scalability Testing | Scalability testing, is the testing of a software application to measure its capability to scale up or scale out in terms of any of its non-functional capability. |
| Search engine optimization (SEO) | Search engine optimization (SEO) is the process of improving the quality and quantity of website traffic to a website or a web page from search engines. |
| Security Risk | Any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities |
| Sentiment Analysis | Sentiment analysis is contextual mining of text which identifies and extracts subjective information in source material, and helping a business to understand the social sentiment of their brand, product or service while monitoring online conversations |
| Servers | A server is a piece of computer hardware or software that provides functionality for other programs or devices, called ‘clients’. |
| Service Level Agreement (SLA) | A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet. |
| Share of Voice | Share of Voice in advertising is a measurement model within advertising. Share of voice measures the percentage of media spending by a company compared to the total media expenditure for the product, service, or category in the market. |
| Social Listening | Social Listening is the process of understanding the online conversation about a company or brand, as well as its products and services. |
| Supply Chain | A supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. |
| Synthetic Monitoring | Synthetic monitoring is a method to monitor your applications by simulating users – directing the path taken through the application. This synthetic monitoring provides information as to the uptime and performance of your critical business transactions, and most common paths in the application. |
| SOAR | SOAR (Security Orchestration, Automation, and Response) refers to how three different technology markets have come together. Platforms for threat intelligence, security orchestration and automation, and security incident response (TIP). The use of SOAR technologies enables enterprises to gather and combine enormous amounts of security data and warnings from numerous sources. It also helps unify threat detection and remediation methods and establish automated processes to respond to low-level security events. |
| SIEM | SIEM, or Security Information and Event Management, is a software program that collects and examines activity from a wide range of sources throughout your whole IT infrastructure. From network hardware, servers, domain controllers, and other sources, SIEM gathers security information. SIEM collects, organizes, normalizes, and analyses this data to help enterprises identify trends, spot dangers, and look into any alarms. |
| Systems and Organizations Controls 2 (SOC 2) | SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy. |
| The Family Educational Rights and Privacy Act of 1974 (FERPA) | The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. |
| Third-Party Integration | The term ‘third-party integration’ means addition of necessary external data to an existing project using different APIs (Application Program Interfaces). |
| Threat Inventory | A threat inventory is. [a]n information and intelligence-based survey within the region of a law enforcement agency to identify potential individuals or groups that pose a criminal or terrorist threat without a judgment of the kind of threat they pose. The inventory is simply to determine their presence. |
| Threat Landscape | The threat landscape is the entirety of potential and identified cyberthreats affecting a particular sector, group of users, time period, and so forth. |
| Trend Analysis | Trend analysis is the widespread practice of collecting information and attempting to spot a pattern. |
| Troubleshoot | Troubleshooting is a form of problem solving, often applied to repair failed products or processes on a machine or a system. |
| Uptime | The meaning of uptime is time during which a piece of equipment (such as a computer) is functioning or able to function |
| Vendor Management | Vendor management is a term that describes the processes organizations use to manage their suppliers, who are also known as vendors. Vendor management includes activities such as selecting vendors, negotiating contracts, controlling costs, reducing vendor-related risks and ensuring service delivery. |
| Vulnerabilities | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. |
| Website Monitoring | Website monitoring is the process of testing and verifying that end-users can interact with a website or web application as expected. |
| What if Analysis | A what-if analysis is a technique that is used to determine how projected performance is affected by changes in the assumptions that projections are based upon. |
| Wire Distribution | A newswire distributes news to editorial offices and journalists in the print, industrial and online media, as well as to news agencies, terminal and database systems. |
| Workflow Management | Workflow management refers to the identification, organization, and coordination of a particular set of tasks that produce a specific outcome. Workflow management is all about optimizing, improving, and automating workflows wherever possible to increase output, eliminate repetition, and reduce errors. |
| Zero-day Attacks | A zero-day is a computer-software vulnerability either unknown to those who should be interested in its mitigation or known and a patch has not been developed. |