Threat: any danger posed by someone or something to your data or systems

Threat Actor: an entity that takes advantage of a vulnerability to exploit your data or systems

Exposure: anything that exposes your data or systems to damage from a threat actor

Vulnerability: a weakness in data or systems that could be exploited by a threat actor

Countermeasure: something that mitigates a risk to data or systems by eliminating the vulnerability or reducing the risk of it being exploited by a threat actor

Risk: the likelihood of a threat actor taking advantage of a vulnerability to do damage

Risk Reduction: applying countermeasures to reduce a risk without fully eliminating it

Residual Risk: the risk that is left over after applying a countermeasure

Assurance: confidence that security components are protecting assets against threats

Confidentiality: protection of data from unauthorized exposure

Integrity: protection of data from unauthorized tampering or modification

Availability: ability of systems to perform consistently and quickly recover from incidents

Event: an observable occurrence within a system that may indicate a security incident

Incident: a confirmed instance of a cybersecurity violation

Risk Management: the process of identifying, analyzing, prioritizing, and addressing risks

Risk Analysis: the process of identifying risks and determining their potential impact on your organization and their potential mitigations

Baseline: something that serves as an example of the expected level of security, performance, or behavior within a system

Anomaly: an occurrence within a network or system that deviates from what is expected

Security Policy: outlines expectations and goals regarding the role of security in a business system, process, or asset

Regulation: certain standards and behaviors that are set by an authorizing body and enforced by law

Standard: established guidelines on how security should be applied to assets and resources

Guidelines: recommended actions on how security is to be applied to assets and resources

Procedures: step-by-step tasks to be performed to adhere to security goals

User: an individual who uses data to perform tasks/workflows

Client: anything that consumes a service and uses said service to perform tasks/workflows

Server: a system that dedicates its resources to providing a technical service to clients

Access Controls: regulate how users interact with systems and utilize the resources provided

Subject: an active person, process, or program that requests access to a resource

Access: information flow between the subject and the object

Object: a passive resource containing information with the expectation that subjects will access it

Identification: verifying that a subject is who they claim to be via credentials

Authentication: a method of validating the legitimacy of credentials provided during identification

Authorization: determining the resources that an authenticated subject is allowed to access and what level of access they should be granted

Accountability: tracking, monitoring, and logging a subject's use of resources to ensure they are utilized properly and that the subject is reprimanded if necessary

Audit: reviewing activities to ensure they comply with pre-determined regulations, standards, policies, or guidelines

Identity: attributes/characteristics that uniquely recognize a subject

Encryption: the act of transforming intelligible data into unintelligible data to prevent exposure to all entities except the intended, validated entity

Password: a sequence of characters that authenticates a subject to an object

Right: the ability of a user to perform an action as designated by a higher authority

Privilege: a special action a user is allowed to perform as determined by their role

Role: a job assignment or function assigned to a user that determines their access rights

Group: an organized collection of users that share the same roles or have the same access rights

Need-To-Know: granting users only the minimum knowledge they need to effectively do their job