102 entries
Compliance & Frameworks
- Atomic Red Team: An open-source library of small, focused tests created by Red Canary that emulates individual MITRE ATT&CK techniques to validate detections and security controls.
- Attack Surface: Sum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.
- Attack Vector: Specific path or technique an attacker uses to gain unauthorized access to a target, such as phishing, exploit of a CVE, or stolen credentials.
- CAPEC: Common Attack Pattern Enumeration and Classification, a MITRE-maintained public catalogue of attack patterns used by adversaries to exploit known weaknesses.
- CCPA: The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
- CCSP: An ISC2 cloud security certification covering architecture, data protection, platform and infrastructure security, operations, and legal compliance across major cloud providers.
- CEH: An ethical-hacking certification from EC-Council that teaches attacker tools and techniques across reconnaissance, exploitation, web, wireless, and cloud testing.
- CIA Triad: Foundational information-security model that groups objectives into Confidentiality, Integrity, and Availability.
- CIS Controls: A prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
- CISA: An ISACA certification for information systems auditors covering audit process, governance, acquisition, operations, and protection of information assets across five domains.
- CISM: An ISACA management-level certification for information security managers covering governance, risk, program development, and incident management across four domains.
- CISSP: A senior-level vendor-neutral security certification from ISC2 covering eight domains of the Common Body of Knowledge and requiring five years of paid work experience.
- CMMC: A U.S. Department of Defense certification program that verifies contractors in the Defense Industrial Base have adequate cybersecurity controls in place.
- COBIT: An ISACA framework for the governance and management of enterprise information and technology, linking business goals to IT objectives and controls.
- Compliance: The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- CompTIA Security+: An entry-level vendor-neutral cybersecurity certification from CompTIA covering foundational threats, architecture, operations, and governance for early-career practitioners.
- CPRA: The California Privacy Rights Act of 2020, which amends and expands the CCPA and took full effect on 1 January 2023.
- CRISC: An ISACA certification for IT risk and control professionals covering governance, IT risk assessment, response, reporting, and control selection across four domains.
- CVE Numbering Authority (CNA): An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope.
- Cyber Insurance: A specialty insurance product that transfers the financial impact of cyber incidents, including breach response, business interruption, and liability, to an insurer.
- Data Protection Impact Assessment (DPIA): A structured assessment, required by GDPR Article 35, that identifies and mitigates risks to individuals' rights and freedoms before high-risk personal data processing begins.
- Defense in Depth: Security strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack.
- DORA: EU Regulation 2022/2554 on Digital Operational Resilience for the financial sector, applicable from 17 January 2025.
- DPA: A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf.
- DPDP Act (Digital Personal Data Protection Act, India): India's first comprehensive personal-data protection statute, enacted in August 2023 and being progressively operationalized, requiring lawful purpose for processing, consent notices, data-principal rights, breach notification, and a Data Protection Board of India.
- DPF: EU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data.
- DREAD Model: A qualitative risk-rating model that scores threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
- Enterprise Risk Management (ERM): An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- EU AI Act: EU Regulation 2024/1689 establishing harmonised rules on artificial intelligence with a risk-based approach, phased in between 2025 and 2027.
- EU Cyber Resilience Act (CRA): EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027.
- FAIR (Factor Analysis of Information Risk): An open international standard for quantifying information and cyber risk in financial terms by decomposing risk into loss event frequency and loss magnitude factors.
- FedRAMP: A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
- FERPA: A U.S. federal law that protects the privacy of student education records and gives parents and eligible students rights over those records.
- FISMA: A U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data.
- GDPR: The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- GIAC Certifications: A family of role-based cybersecurity certifications issued by GIAC and aligned with SANS Institute training, covering operations, incident response, forensics, and penetration testing.
- Gramm-Leach-Bliley Act (GLBA): A United States federal law that requires financial institutions to safeguard customer information and explain their information-sharing practices.
- HIPAA: The U.S. Health Insurance Portability and Accountability Act, which sets national standards for protecting individually identifiable health information.
- HITRUST: A risk- and compliance-focused security framework, the HITRUST CSF, widely used in US healthcare to demonstrate alignment with HIPAA, NIST and other authoritative sources.
- Inherent Risk: The level of risk that exists in an activity or asset before any controls or mitigations are applied, reflecting raw exposure to threats.
- ISO/IEC 27001: The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- ISO/IEC 27002: An international code of practice that provides detailed guidance and implementation advice for the information security controls listed in ISO/IEC 27001 Annex A.
- ISO/IEC 27017: A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
- ISO/IEC 27018: A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
- ISO/IEC 42001: The first international management-system standard for AI, published in December 2023, specifying requirements to establish, implement, maintain, and continually improve an AI Management System (AIMS) for organizations that develop or use AI.
- ITIL: A globally recognized framework, published by AXELOS/PeopleCert, of best practices for IT service management throughout the service value system.
- LGPD: Brazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities.
- MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- MITRE D3FEND: A MITRE knowledge graph of defensive cybersecurity countermeasures and the digital artifacts they observe or modify, complementing MITRE ATT&CK.
- Monte Carlo Risk Simulation: A computational technique that estimates risk by running thousands of randomized scenarios drawn from input probability distributions, producing a distribution of possible outcomes.
- Need-to-Know Principle: Security principle that grants access to information only to individuals whose duties specifically require it, even if they hold the appropriate clearance.
- NIS2 Directive: EU Directive 2022/2555 that raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union.
- NIST AI Risk Management Framework (AI RMF): NIST's voluntary framework for managing AI risks, published January 2023 (AI RMF 1.0) with a Generative AI Profile released in July 2024, organized around four Functions: Govern, Map, Measure, and Manage.
- NIST Cybersecurity Framework: A voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.
- NIST Cybersecurity Framework 2.0: The February 2024 update to the NIST Cybersecurity Framework, adding a sixth 'Govern' Function alongside Identify, Protect, Detect, Respond, and Recover, and broadening the audience beyond U.S. critical infrastructure to all organizations.
- NIST Risk Management Framework: A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.
- NIST SP 800-171: A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.
- NIST SP 800-30: A NIST Special Publication that provides guidance for conducting risk assessments of information systems and the missions they support.
- NIST SP 800-37: The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle.
- NIST SP 800-53: A NIST publication providing a comprehensive catalog of security and privacy controls for U.S. federal information systems and many private-sector adopters.
- NIST SP 800-61: The NIST Computer Security Incident Handling Guide, describing the four-phase lifecycle used by incident response teams in government and industry.
- OCTAVE Method: An information-security risk-assessment methodology developed by the CMU Software Engineering Institute that focuses on organizational and operational risk to critical assets.
- OSCP: A hands-on offensive security certification from Offensive Security earned by compromising a lab network in a 24-hour proctored practical exam.
- OSSTMM: An open peer-reviewed security testing methodology from ISECOM that defines scientific, repeatable measurements of operational security across five channels.
- OWASP API Security Top 10: An OWASP awareness document that ranks the most critical security risks affecting web APIs, complementing the general OWASP Top 10 for web applications.
- OWASP ASVS: The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- OWASP Dependency-Check: An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
- OWASP MASVS: The OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile applications.
- OWASP Mobile Top 10: An OWASP awareness document that ranks the most critical security risks for mobile applications running on iOS, Android, and similar platforms.
- OWASP SAMM: The OWASP Software Assurance Maturity Model, a framework for measuring and improving an organization's secure-software-development practices over time.
- OWASP Top 10: An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
- OWASP WSTG: The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
- OWASP ZAP: Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
- PASTA Threat Model: Process for Attack Simulation and Threat Analysis, a seven-stage risk-centric threat-modeling methodology that aligns technical threats with business impact.
- PCI DSS: A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
- PIPEDA: Canada's federal private-sector privacy law governing how organisations collect, use and disclose personal information in the course of commercial activity.
- PIPL (Personal Information Protection Law, China): China's comprehensive personal-information protection statute, effective November 2021, with GDPR-like data subject rights, strict cross-border transfer requirements, and substantial penalties enforced by the Cyberspace Administration of China.
- PTES: A community-built penetration testing methodology organizing engagements into seven phases from pre-engagement scoping through reporting and remediation guidance.
- Qualitative Risk Analysis: A risk analysis approach that rates likelihood and impact using descriptive scales such as low/medium/high or 1-5, rather than monetary or probabilistic values.
- Quantitative Risk Analysis: A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.
- Residual Risk: The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- Risk Appetite: The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
- Risk Assessment: A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- Risk Management: The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Risk Register: A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- Risk Tolerance: The acceptable variation around a specific objective or risk category, expressed as concrete quantitative or qualitative limits derived from the broader risk appetite.
- Risk Treatment: The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- SANS Top 25: An annually published list, maintained by MITRE with the SANS Institute, ranking the most dangerous software weaknesses based on real CVE data.
- Sarbanes-Oxley Act (SOX): U.S. federal law from 2002 that imposes governance, internal-control, and reporting requirements on publicly traded companies to protect investors.
- SCC: Standard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA.
- SEC Cybersecurity Disclosure Rules (2023): U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
- Security by Obscurity: Approach that relies on keeping the design, implementation, or location of a system secret as the primary means of defence rather than on intrinsic strength.
- Separation of Duties (SoD): Control principle that splits a sensitive task across multiple people or systems so that no single actor can complete the task alone.
- Single Point of Failure (SPOF): Component whose individual failure causes the entire system to stop working, undermining availability, resilience, and recovery objectives.
- SOC 2: An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria.
- STRIDE Model: A Microsoft threat-classification framework that categorizes software threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
- Third-Party Risk Management (TPRM): The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
- Threat Landscape: Current picture of the threats facing an organization, sector, or region: actors, tactics, malware families, vulnerabilities, and trends over time.
- Threat Vector: Channel or means through which a threat actor can deliver an attack; often used interchangeably with attack vector, but with a broader, threat-modelling connotation.
- Trike: An open-source threat-modeling methodology that uses a requirements-driven, risk-based approach centered on actors, assets, and allowed actions.
- Vendor Risk Management: The subset of third-party risk management focused on assessing and overseeing direct suppliers, particularly their security, privacy, and operational resilience practices.
- Vendor Security Assessment: The structured evaluation of a third-party supplier's security controls, policies, and practices before and during a business relationship to gauge the risk they introduce.