● 102 entries

Compliance & Frameworks

Atomic Red TeamAn open-source library of small, focused tests created by Red Canary that emulates individual MITRE ATT&CK techniques to validate detections and security controls.
Attack SurfaceSum of all points where an attacker can attempt to enter, extract data from, or manipulate a system, including networks, software, identities, supply chain, and people.
Attack VectorSpecific path or technique an attacker uses to gain unauthorized access to a target, such as phishing, exploit of a CVE, or stolen credentials.
CAPECCommon Attack Pattern Enumeration and Classification, a MITRE-maintained public catalogue of attack patterns used by adversaries to exploit known weaknesses.
CCPAThe California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
CCSPAn ISC2 cloud security certification covering architecture, data protection, platform and infrastructure security, operations, and legal compliance across major cloud providers.
CEHAn ethical-hacking certification from EC-Council that teaches attacker tools and techniques across reconnaissance, exploitation, web, wireless, and cloud testing.
CIA TriadFoundational information-security model that groups objectives into Confidentiality, Integrity, and Availability.
CIS ControlsA prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
CISAAn ISACA certification for information systems auditors covering audit process, governance, acquisition, operations, and protection of information assets across five domains.
CISMAn ISACA management-level certification for information security managers covering governance, risk, program development, and incident management across four domains.
CISSPA senior-level vendor-neutral security certification from ISC2 covering eight domains of the Common Body of Knowledge and requiring five years of paid work experience.
CMMCA U.S. Department of Defense certification program that verifies contractors in the Defense Industrial Base have adequate cybersecurity controls in place.
COBITAn ISACA framework for the governance and management of enterprise information and technology, linking business goals to IT objectives and controls.
ComplianceThe discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
CompTIA Security+An entry-level vendor-neutral cybersecurity certification from CompTIA covering foundational threats, architecture, operations, and governance for early-career practitioners.
CPRAThe California Privacy Rights Act of 2020, which amends and expands the CCPA and took full effect on 1 January 2023.
CRISCAn ISACA certification for IT risk and control professionals covering governance, IT risk assessment, response, reporting, and control selection across four domains.
CVE Numbering Authority (CNA)An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope.
Cyber InsuranceA specialty insurance product that transfers the financial impact of cyber incidents — including breach response, business interruption, and liability — to an insurer.
Data Protection Impact Assessment (DPIA)A structured assessment, required by GDPR Article 35, that identifies and mitigates risks to individuals' rights and freedoms before high-risk personal data processing begins.
Defense in DepthSecurity strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack.
DORAEU Regulation 2022/2554 on Digital Operational Resilience for the financial sector, applicable from 17 January 2025.
DPAA Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf.
DPDP Act (Digital Personal Data Protection Act, India)India's first comprehensive personal-data protection statute, enacted in August 2023 and being progressively operationalized, requiring lawful purpose for processing, consent notices, data-principal rights, breach notification, and a Data Protection Board of India.
DPFEU-US Data Privacy Framework, the July 2023 adequacy mechanism that replaces Privacy Shield for transatlantic transfers of personal data.
DREAD ModelA qualitative risk-rating model that scores threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
Enterprise Risk Management (ERM)An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
EU AI ActEU Regulation 2024/1689 establishing harmonised rules on artificial intelligence with a risk-based approach, phased in between 2025 and 2027.
EU Cyber Resilience Act (CRA)EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027.
FAIR (Factor Analysis of Information Risk)An open international standard for quantifying information and cyber risk in financial terms by decomposing risk into loss event frequency and loss magnitude factors.
FedRAMPA U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
FERPAA U.S. federal law that protects the privacy of student education records and gives parents and eligible students rights over those records.
FISMAA U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data.
GDPRThe European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
GIAC CertificationsA family of role-based cybersecurity certifications issued by GIAC and aligned with SANS Institute training, covering operations, incident response, forensics, and penetration testing.
Gramm-Leach-Bliley Act (GLBA)A United States federal law that requires financial institutions to safeguard customer information and explain their information-sharing practices.
HIPAAThe U.S. Health Insurance Portability and Accountability Act, which sets national standards for protecting individually identifiable health information.
HITRUSTA risk- and compliance-focused security framework, the HITRUST CSF, widely used in US healthcare to demonstrate alignment with HIPAA, NIST and other authoritative sources.
Inherent RiskThe level of risk that exists in an activity or asset before any controls or mitigations are applied, reflecting raw exposure to threats.
ISO/IEC 27001The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
ISO/IEC 27002An international code of practice that provides detailed guidance and implementation advice for the information security controls listed in ISO/IEC 27001 Annex A.
ISO/IEC 27017A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
ISO/IEC 27018A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 42001The first international management-system standard for AI, published in December 2023, specifying requirements to establish, implement, maintain, and continually improve an AI Management System (AIMS) for organizations that develop or use AI.
ITILA globally recognized framework, published by AXELOS/PeopleCert, of best practices for IT service management throughout the service value system.
LGPDBrazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities.
MITRE ATT&CKA globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
MITRE D3FENDA MITRE knowledge graph of defensive cybersecurity countermeasures and the digital artifacts they observe or modify, complementing MITRE ATT&CK.
Monte Carlo Risk SimulationA computational technique that estimates risk by running thousands of randomized scenarios drawn from input probability distributions, producing a distribution of possible outcomes.
Need-to-Know PrincipleSecurity principle that grants access to information only to individuals whose duties specifically require it, even if they hold the appropriate clearance.
NIS2 DirectiveEU Directive 2022/2555 that raises baseline cybersecurity requirements and incident-reporting obligations for essential and important entities across the Union.
NIST AI Risk Management Framework (AI RMF)NIST's voluntary framework for managing AI risks, published January 2023 (AI RMF 1.0) with a Generative AI Profile released in July 2024, organized around four Functions: Govern, Map, Measure, and Manage.
NIST Cybersecurity FrameworkA voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.
NIST Cybersecurity Framework 2.0The February 2024 update to the NIST Cybersecurity Framework, adding a sixth 'Govern' Function alongside Identify, Protect, Detect, Respond, and Recover, and broadening the audience beyond U.S. critical infrastructure to all organizations.
NIST Risk Management FrameworkA seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.
NIST SP 800-171A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.
NIST SP 800-30A NIST Special Publication that provides guidance for conducting risk assessments of information systems and the missions they support.
NIST SP 800-37The NIST Risk Management Framework, defining a seven-step process for managing security and privacy risk across the system lifecycle.
NIST SP 800-53A NIST publication providing a comprehensive catalog of security and privacy controls for U.S. federal information systems and many private-sector adopters.
NIST SP 800-61The NIST Computer Security Incident Handling Guide, describing the four-phase lifecycle used by incident response teams in government and industry.
OCTAVE MethodAn information-security risk-assessment methodology developed by the CMU Software Engineering Institute that focuses on organizational and operational risk to critical assets.
OSCPA hands-on offensive security certification from Offensive Security earned by compromising a lab network in a 24-hour proctored practical exam.
OSSTMMAn open peer-reviewed security testing methodology from ISECOM that defines scientific, repeatable measurements of operational security across five channels.
OWASP API Security Top 10An OWASP awareness document that ranks the most critical security risks affecting web APIs, complementing the general OWASP Top 10 for web applications.
OWASP ASVSThe OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
OWASP Dependency-CheckAn open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
OWASP MASVSThe OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile applications.
OWASP Mobile Top 10An OWASP awareness document that ranks the most critical security risks for mobile applications running on iOS, Android, and similar platforms.
OWASP SAMMThe OWASP Software Assurance Maturity Model, a framework for measuring and improving an organization's secure-software-development practices over time.
OWASP Top 10An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
OWASP WSTGThe OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
OWASP ZAPZed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
PASTA Threat ModelProcess for Attack Simulation and Threat Analysis, a seven-stage risk-centric threat-modeling methodology that aligns technical threats with business impact.
PCI DSSA global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
PIPEDACanada's federal private-sector privacy law governing how organisations collect, use and disclose personal information in the course of commercial activity.
PIPL (Personal Information Protection Law, China)China's comprehensive personal-information protection statute, effective November 2021, with GDPR-like data subject rights, strict cross-border transfer requirements, and substantial penalties enforced by the Cyberspace Administration of China.
PTESA community-built penetration testing methodology organizing engagements into seven phases from pre-engagement scoping through reporting and remediation guidance.
Qualitative Risk AnalysisA risk analysis approach that rates likelihood and impact using descriptive scales such as low/medium/high or 1-5, rather than monetary or probabilistic values.
Quantitative Risk AnalysisA risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.
Residual RiskThe risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
Risk AppetiteThe aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
Risk AssessmentA structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
Risk ManagementThe coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
Risk RegisterA living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
Risk ToleranceThe acceptable variation around a specific objective or risk category, expressed as concrete quantitative or qualitative limits derived from the broader risk appetite.
Risk TreatmentThe decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
SANS Top 25An annually published list, maintained by MITRE with the SANS Institute, ranking the most dangerous software weaknesses based on real CVE data.
Sarbanes-Oxley Act (SOX)U.S. federal law from 2002 that imposes governance, internal-control, and reporting requirements on publicly traded companies to protect investors.
SCCStandard Contractual Clauses are EU Commission-approved model contracts that provide GDPR-compliant safeguards for transfers of personal data outside the EEA.
SEC Cybersecurity Disclosure Rules (2023)U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
Security by ObscurityApproach that relies on keeping the design, implementation, or location of a system secret as the primary means of defence rather than on intrinsic strength.
Separation of Duties (SoD)Control principle that splits a sensitive task across multiple people or systems so that no single actor can complete the task alone.
Single Point of Failure (SPOF)Component whose individual failure causes the entire system to stop working, undermining availability, resilience, and recovery objectives.
SOC 2An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria.
STRIDE ModelA Microsoft threat-classification framework that categorizes software threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Third-Party Risk Management (TPRM)The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
Threat LandscapeCurrent picture of the threats facing an organization, sector, or region: actors, tactics, malware families, vulnerabilities, and trends over time.
Threat VectorChannel or means through which a threat actor can deliver an attack, often used interchangeably with attack vector but with broader, threat-modelling connotation.
TrikeAn open-source threat-modeling methodology that uses a requirements-driven, risk-based approach centered on actors, assets, and allowed actions.
Vendor Risk ManagementThe subset of third-party risk management focused on assessing and overseeing direct suppliers, particularly their security, privacy, and operational resilience practices.
Vendor Security AssessmentThe structured evaluation of a third-party supplier's security controls, policies, and practices before and during a business relationship to gauge the risk they introduce.