- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security and assurance.
- IS audit
- An independent, systematic examination of information systems and controls to provide assurance over CIA and compliance.
- ITAF
- ISACA's Information Technology Assurance Framework — the standards, guidelines, and tools for IS audit and assurance work.
- IS audit standards
- Mandatory requirements in ITAF that every IS auditor must follow (vs. guidelines, which are recommended).
- IS audit guidelines
- Recommended best-practice guidance in ITAF — helpful but not mandatory, unlike standards.
- Risk-based audit planning
- Allocating limited audit resources to the areas of greatest risk and business impact to the organization.
- Audit universe
- The complete inventory of auditable areas/entities from which the risk-based audit plan is built.
- Audit charter
- A document, approved by senior management/the board, that defines the audit function's authority, scope, and responsibility.
- Audit independence
- Freedom from conditions that threaten objectivity; the auditor must be impartial in fact and appearance.
- Objectivity
- An unbiased mental attitude that lets the auditor perform work and form conclusions without compromise.
- Due professional care
- Applying the diligence and skill a prudent, competent auditor would exercise in the same situation.
- Materiality
- The threshold at which a finding is significant enough to influence decisions or require reporting.
- Audit risk
- The risk an auditor reaches a wrong conclusion; a function of inherent, control, and detection risk.
- Inherent risk
- The risk that exists before any controls are considered, due to the nature of the activity.
- Control risk
- The risk that a material error is not prevented or detected by the internal control system.
- Detection risk
- The risk that the auditor's procedures fail to detect a material error; the part the auditor controls.
- Control
- A policy, procedure, or mechanism that reduces risk by preventing, detecting, or correcting an event.
- Preventive control
- A control that stops an incident before it occurs (e.g., access controls, segregation of duties, firewalls).
- Detective control
- A control that identifies an incident after it occurs (e.g., audit logs, monitoring, reconciliations).
- Corrective control
- A control that restores systems and fixes the cause after an incident (e.g., backups, incident response).
- Compensating control
- An alternative control used when the ideal (primary) control cannot feasibly be implemented.
- Deterrent control
- A control that discourages a threat actor from acting (e.g., warning banners, visible cameras).
- Compliance testing
- Testing whether a control is operating as designed (e.g., are change requests approved before deployment?).
- Substantive testing
- Testing the integrity of data or results themselves (e.g., recomputing values, confirming balances).
- Audit evidence
- Sufficient, reliable, and relevant information that supports the auditor's findings and conclusions.
- CAATs
- Computer-Assisted Audit Techniques — software/analytics used to test large data populations directly.
- Generalized audit software
- CAAT tools that read, extract, sort, and analyze data files independent of the audited application.
- Integrated test facility (ITF)
- A CAAT that processes fictitious test transactions through the live system to verify processing controls.
- Test data
- A CAAT technique that runs known input through a program to confirm it produces the expected output.
- Continuous auditing
- Performing audit procedures automatically and frequently, often in near real time, on transactions.
- Continuous monitoring
- Management's ongoing, automated oversight of controls and performance (a management activity, not audit).
- Statistical sampling
- Selecting a sample using probability so results can be projected to the population with measurable confidence.
- Non-statistical sampling
- Sample selection based on auditor judgment; results cannot be statistically projected to the population.
- Attribute sampling
- Sampling that estimates the rate of occurrence of a condition (e.g., % of items missing approval).
- Variable sampling
- Sampling that estimates a numeric value or total (e.g., the dollar value of an account).
- Sampling risk
- The risk that the sample is not representative and leads the auditor to a wrong conclusion.
- Control self-assessment (CSA)
- Process owners assess the adequacy of their own controls; supplements, never replaces, independent audit.
- Audit finding
- A documented condition where a control is missing, inadequate, or not operating, with its risk and cause.
- Audit follow-up
- Confirming that management acted on agreed recommendations and that the risk was actually reduced.
- Audit report
- The auditor's objective communication of scope, findings, risk, and recommendations to management/the committee.
- Irregularity vs. illegal act
- An irregularity is intentional deception (fraud); an illegal act violates laws/regulations — both must be reported.
- Reasonable assurance
- A high but not absolute level of assurance — controls reduce risk to an acceptable level, not to zero.
- Engagement letter
- An agreement defining the objectives, scope, responsibilities, and deliverables of a specific audit engagement.
- Audit committee
- A board subcommittee that oversees the audit function, financial reporting, and internal controls.
- Three lines model
- Management owns/controls risk (1st line); risk & compliance oversee (2nd); internal audit assures (3rd).
- Stop-or-go sampling
- A sampling approach that lets the auditor stop early once enough evidence supports a low error rate.
- Re-performance
- An auditor independently executing a control or calculation to verify it produces the correct result.
- Walk-through
- Tracing a transaction end to end through a process to confirm the auditor understands the controls.
- COBIT
- ISACA's framework for the governance and management of enterprise IT, separating governance from management.
- IT governance
- The board/senior management's responsibility to set IT direction, define risk appetite, and monitor value.
- IT management
- Planning, building, running, and monitoring IT day to day — execution, distinct from governance.
- EDM (COBIT)
- COBIT governance objectives: Evaluate, Direct, and Monitor — the board's governance role.
- IT strategy
- The plan that aligns IT investments and capabilities with the organization's business objectives.
- IT steering committee
- A senior cross-functional group that prioritizes IT investments and aligns IT with business needs.
- Enterprise architecture
- A blueprint of business processes, data, applications, and technology and how they fit together.
- Policy
- A high-level statement of management intent and goals; mandatory direction for the organization.
- Standard
- A specific, mandatory requirement that supports a policy (e.g., 'use AES-256 for data at rest').
- Procedure
- Detailed, step-by-step instructions for performing a task in line with policy and standards.
- Guideline
- Recommended, discretionary best practice — the only document type that is not mandatory.
- Baseline
- A defined minimum level of security or configuration that systems must meet.
- Segregation of duties (SoD)
- Splitting a sensitive task so no one person can both perform and conceal an error or fraud.
- RACI chart
- A responsibility matrix: who is Responsible, Accountable, Consulted, and Informed for each activity.
- Accountable vs. responsible
- Accountable = ultimately answerable (one person); responsible = does the work (one or more people).
- Enterprise risk management (ERM)
- The organization-wide process to identify, assess, treat, and monitor risk against the risk appetite.
- Risk appetite
- The amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk tolerance
- The acceptable variation around the risk appetite for a specific objective or activity.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls.
- Risk transfer
- Shifting the financial impact of a risk to a third party, such as via insurance.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its potential impact.
- Maturity model
- A scale (e.g., 0–5) used to assess and improve how capable and consistent a process is.
- Key performance indicator (KPI)
- A metric that measures how well an activity achieves its objective (e.g., uptime, project on-time rate).
- Key risk indicator (KRI)
- A metric that signals rising exposure to a risk before it materializes.
- Balanced scorecard
- A performance tool linking objectives across financial, customer, internal, and learning perspectives.
- IT portfolio management
- Managing the set of IT investments to maximize value and align with strategy.
- Benefits realization
- Confirming that an IT investment actually delivered the value promised in its business case.
- Outsourcing
- Contracting a third party to perform an IT function; the organization retains accountability for risk.
- Service provider governance
- Overseeing outsourced/cloud providers via contracts, SLAs, right-to-audit clauses, and monitoring.
- Right-to-audit clause
- A contract term allowing the customer (or its auditors) to audit a service provider's controls.
- Data governance
- The framework of roles, policies, and standards ensuring data is accurate, available, and controlled.
- Data owner
- The senior business manager accountable for data who sets its classification and protection requirements.
- Data custodian
- The party (usually IT) responsible for implementing and maintaining controls protecting data day to day.
- Privacy by design
- Embedding privacy protections into systems and processes from the outset, not as an add-on.
- Regulatory compliance
- Adhering to applicable laws, regulations, and industry standards (e.g., GDPR, SOX, PCI DSS).
- PCI DSS
- The Payment Card Industry Data Security Standard governing the handling of cardholder data.
- Conflict of interest
- A situation where a person's private interest could improperly influence their professional duties.
- Quality management system (QMS)
- A documented set of processes ensuring IT services and products consistently meet requirements.
- Capacity planning (governance)
- Aligning IT resource investment with forecast business demand to deliver value efficiently.
- Strategic alignment
- Ensuring IT plans, investments, and operations directly support business goals.
- SDLC
- System Development Lifecycle — feasibility, requirements, design, build, test, implement, and review.
- Feasibility study
- An early analysis of whether a proposed system is technically, operationally, and economically viable.
- Business case
- The justification for a project — costs, benefits, risks, and alignment with strategy.
- Requirements definition
- Capturing what the system must do (functional) and how well (non-functional) before design.
- Waterfall
- A sequential SDLC where each phase completes before the next; suits stable, well-understood requirements.
- Agile
- An iterative SDLC delivering working software in short sprints; suits changing requirements and fast feedback.
- Prototyping
- Building an early working model to refine unclear requirements before full development.
- DevOps
- Integrating development and operations to deliver and run software faster and more reliably.
- Function point analysis
- A method to estimate software size/effort from the functionality delivered to the user.
- Project management
- Planning, executing, and controlling a project's scope, schedule, cost, quality, and risk.
- PMO
- Project Management Office — the function that governs and supports project delivery and standards.
- Critical path method
- Scheduling technique identifying the longest sequence of dependent tasks that sets the minimum duration.
- Gantt chart
- A bar chart showing project tasks against a timeline, used to plan and track schedule.
- Scope creep
- Uncontrolled growth of project scope without corresponding adjustments to time, cost, or resources.
- Unit testing
- Testing individual components or modules in isolation to confirm each works correctly.
- Integration testing
- Testing that combined components work together as expected.
- System testing
- Testing the complete, integrated system against its requirements.
- User acceptance testing (UAT)
- Testing by end users to confirm the system meets business requirements before go-live.
- Regression testing
- Re-testing after a change to confirm existing functionality still works.
- Parallel changeover
- Running old and new systems together until the new one is proven — safest, but most costly.
- Phased changeover
- Rolling out a new system in stages (by module, site, or function) to limit risk.
- Pilot changeover
- Deploying a new system to one group/location first before a wider rollout.
- Direct changeover
- Switching the old system off and the new one on at once (big-bang) — cheapest but riskiest.
- Data conversion
- Migrating data from the old system to the new one — must be complete, accurate, and reconciled.
- Post-implementation review
- An after-stabilization evaluation of whether a system met its objectives, benefits, and controls.
- Configuration management (dev)
- Controlling and tracking versions of code, documents, and components throughout development.
- Change control (dev)
- Managing approved changes to requirements, design, or code during a project.
- Source code escrow
- Depositing source code with a third party so the customer can access it if the vendor fails.
- Quality assurance (QA)
- Process-focused activities that build quality into development (vs. QC, which inspects the product).
- Quality control (QC)
- Product-focused inspection and testing to detect defects in the deliverable.
- System interface
- A connection allowing two systems to exchange data; a key control and audit point during integration.
- Decision support system (DSS)
- A system that helps managers analyze data and make semi-structured decisions.
- ERP system
- Enterprise Resource Planning — an integrated suite managing core business processes on shared data.
- Cutover plan
- The detailed plan and checklist for switching from the old system to the new one, including fallback.
- Fallback / rollback plan
- A documented way to revert to the prior system or state if an implementation fails.
- Application controls
- Controls within an application over input, processing, and output of transactions.
- Input controls
- Application controls ensuring data entered is accurate, complete, and authorized (e.g., edit checks).
- Edit check / validation
- An input control that verifies data meets defined rules (range, format, completeness) before processing.
- Output controls
- Controls ensuring processed results are accurate, complete, and distributed only to authorized recipients.
- Sign-off (go-live)
- Formal management/user approval that a system is ready to move into production.
- RTO
- Recovery Time Objective — the target time to restore a system after disruption; must be less than the MTD.
- RPO
- Recovery Point Objective — the maximum acceptable data loss measured backward in time; drives backup frequency.
- MTD
- Maximum Tolerable Downtime — the longest a process can be unavailable before unacceptable harm.
- Business Impact Analysis (BIA)
- Identifies critical processes and sets recovery objectives (MTD, RTO, RPO); the heart of resilience planning.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Disaster recovery plan (DRP)
- The IT-focused plan to restore systems, data, and infrastructure; it supports the broader BCP.
- Hot site
- A fully equipped recovery site with near-real-time data, ready for near-immediate failover (costliest).
- Warm site
- A recovery site with hardware and connectivity but needing data restored and configuration (moderate).
- Cold site
- A recovery site with power and cooling only (empty space) — cheapest, slowest to bring online.
- Reciprocal agreement
- A mutual-aid arrangement where two organizations agree to host each other in a disaster (rarely reliable).
- Mirror site
- A fully redundant site kept in sync with production for the fastest possible failover.
- Full backup
- A backup of all selected data — fastest to restore (one set), slowest/largest to create.
- Incremental backup
- Backs up data changed since the last backup of any type — fast backup, slow restore (full + all increments).
- Differential backup
- Backs up data changed since the last full backup — slower backup, faster restore (full + one differential).
- Grandfather-father-son
- A backup rotation scheme keeping daily (son), weekly (father), and monthly (grandfather) copies.
- Electronic vaulting
- Transmitting backup data to an offsite location to reduce data loss and speed recovery.
- Change management
- The controlled process to request, approve, test, document, and deploy changes to production.
- Emergency change
- An urgent change that follows an expedited path but still requires after-the-fact review and documentation.
- Configuration management
- Maintaining an accurate baseline of what hardware and software is in production and controlling changes.
- Configuration item (CI)
- A discrete, tracked component (hardware, software, service) recorded in the configuration baseline.
- Patch management
- Acquiring, testing, and applying software updates that fix vulnerabilities and defects.
- Release management
- Planning, scheduling, and controlling the build, test, and deployment of releases into production.
- Incident management
- Detecting, responding to, recovering from, and learning from disruptions and service incidents.
- Problem management
- Finding and eliminating the root cause of recurring incidents to prevent recurrence.
- Service level agreement (SLA)
- A documented agreement defining service targets (e.g., uptime) and how they are measured.
- Operating level agreement (OLA)
- An internal agreement between IT teams that supports delivery of an external-facing SLA.
- Capacity management
- Ensuring IT resources meet current and forecast demand, using trend analysis.
- Availability management
- Ensuring services meet agreed availability targets, measured by metrics like MTBF and MTTR.
- MTBF
- Mean Time Between Failures — the average operating time between failures; higher is more reliable.
- MTTR
- Mean Time To Repair — the average time to restore a failed component; lower is better.
- Job scheduling
- Automating and sequencing batch jobs so they run, complete, and are monitored for failure.
- End-user computing (EUC)
- User-built tools (spreadsheets, small apps) — a common, under-controlled operational risk.
- Help desk / service desk
- The single point of contact that logs, triages, and routes user incidents and requests.
- Database management system (DBMS)
- Software that stores, retrieves, and controls access to data with integrity and concurrency controls.
- Database normalization
- Organizing data to reduce redundancy and improve integrity by structuring tables and relationships.
- Referential integrity
- A database control ensuring relationships between tables stay valid (no orphaned foreign keys).
- RAID
- Redundant Array of Independent Disks — combines drives for fault tolerance and/or performance.
- Fault tolerance
- A system's ability to keep operating despite the failure of a component (e.g., redundancy).
- High availability
- Designing systems to minimize downtime, often via clustering, redundancy, and failover.
- Plan testing (BCP)
- Validating a plan: checklist, structured walk-through (tabletop), simulation, parallel, full interruption.
- Tabletop exercise
- A discussion-based test where the team walks through the plan against a scenario, no systems affected.
- Parallel test (BCP)
- Bringing up recovery systems alongside production to verify they work, without stopping production.
- Full interruption test
- Shutting down production and running on recovery systems — the most realistic and riskiest test.
- Recovery strategy
- The chosen approach (sites, backups, redundancy) that meets the RTO and RPO set by the BIA.
- Single point of failure
- A component whose failure would stop the whole system; eliminated through redundancy.
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Authentication
- Proving a claimed identity with a credential — something you know, have, or are.
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Something you know
- An authentication factor based on knowledge — password, PIN, or passphrase.
- Something you have
- An authentication factor based on possession — token, smart card, or phone.
- Something you are
- An authentication factor based on a biometric — fingerprint, iris, or face.
- Need-to-know
- Restricting access to the specific information required to perform a task, even within a clearance level.
- Access recertification
- Periodic review of user access rights to catch privilege creep and remove unneeded access.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, access control lists).
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in enterprises.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location); the most granular.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems (e.g., via Kerberos or SAML).
- Privileged access management (PAM)
- Controls that secure, monitor, and limit the use of high-privilege accounts.
- Symmetric encryption
- Encryption using one shared secret key for both encryption and decryption (e.g., AES); fast.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables signatures.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
- Digital signature
- A hash of a message encrypted with the sender's private key — integrity, authenticity, non-repudiation.
- Public Key Infrastructure (PKI)
- The certificate authorities, certificates, and policies that manage public keys and trust.
- Certificate authority (CA)
- A trusted entity that issues and signs digital certificates binding identities to public keys.
- Non-repudiation
- Assurance that a party cannot deny having performed an action, via digital signatures and logging.
- Encrypt for confidentiality
- Encrypt with the RECIPIENT's public key — only their private key can decrypt.
- Sign for authenticity
- Sign with YOUR private key — anyone can verify with your public key.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Firewall
- A network control that permits or blocks traffic between networks based on a defined ruleset.
- Intrusion detection system (IDS)
- A control that detects and alerts on malicious or anomalous network/host activity.
- Intrusion prevention system (IPS)
- A control that detects and actively blocks malicious traffic in line.
- Network segmentation
- Dividing a network into zones (VLANs/subnets) to limit the spread of an attack.
- DMZ
- A buffer network segment between the internet and the internal network that hosts public-facing services.
- VPN
- A Virtual Private Network — an encrypted tunnel that protects data in transit over an untrusted network.
- TLS
- Transport Layer Security — encrypts application traffic in transit (e.g., HTTPS).
- IPsec
- A protocol suite that secures IP traffic at the network layer, commonly used for VPN tunnels.
- Data classification
- Labeling data by sensitivity so the right level of protection is applied throughout its lifecycle.
- Data loss prevention (DLP)
- Controls that detect and block unauthorized movement or exfiltration of sensitive data.
- Data at rest
- Stored data — protected with full-disk or database encryption.
- Data in transit
- Moving data — protected with TLS, IPsec, or VPNs.
- Data remanence
- Residual data left on media after deletion or formatting that may still be recoverable.
- Media sanitization
- Removing data via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
- SIEM
- Security Information and Event Management — aggregates and correlates logs for detection and analysis.
- Vulnerability scan
- An automated check that identifies known weaknesses without exploiting them.
- Penetration test
- An authorized, simulated attack that actively exploits weaknesses to demonstrate real impact.
- Social engineering
- Manipulating people into revealing information or granting access (e.g., phishing, pretexting).
- Phishing
- A social-engineering attack using fraudulent messages to steal credentials or deliver malware.
- Malware
- Malicious software (viruses, worms, ransomware, trojans) designed to harm or exploit systems.
- Chain of custody
- Documentation showing who handled evidence and when, preserving its integrity for legal use.
- Incident response lifecycle
- Prepare, detect & analyze, contain, eradicate, recover, and conduct post-incident review.
- Containment
- Limiting the spread and damage of a security incident before eradication and recovery.
- Physical access control
- Controls protecting facilities and equipment (badges, locks, mantraps, guards, cameras).
- Environmental control
- Protection against environmental threats — HVAC, fire suppression, UPS, and water detection.
- Security awareness training
- Educating users to recognize and resist threats — a key administrative control.
- Honeypot
- A decoy system that lures attackers to detect, study, and divert malicious activity.
- Inherent limitations of controls
- Controls can't give absolute assurance due to human error, collusion, and management override.
- Collusion
- Two or more people cooperating to bypass segregation of duties and conceal fraud.
- Management override
- Senior management bypassing controls — a key reason controls give only reasonable, not absolute, assurance.
- Audit trail
- A chronological record of system activity that lets an auditor reconstruct and verify events.
- Embedded audit module
- Code built into an application that continuously captures audit data on selected transactions.
- Snapshot technique
- A CAAT that captures the state of data before and after processing to verify a transaction's path.
- Risk assessment
- Identifying and analyzing risks to determine likelihood and impact, prioritizing audit and control effort.
- Audit scope
- The boundaries of an engagement — what systems, processes, and time period the audit will cover.
- Professional skepticism
- A questioning mindset that critically assesses evidence rather than assuming management's honesty.
- Fieldwork
- The evidence-gathering phase of an audit, where tests of controls and substantive tests are performed.
- Tone at the top
- The ethical climate set by leadership, which strongly shapes the organization's control environment.
- Control environment
- The overall attitude, awareness, and actions regarding controls — the foundation of internal control.
- COSO
- A framework defining internal control over five components, widely used for governance and SOX compliance.
- SOX
- The Sarbanes-Oxley Act — U.S. law requiring management/auditors to assess internal control over financial reporting.
- GDPR
- The EU General Data Protection Regulation governing the processing and protection of personal data.
- Data controller
- Under privacy law, the entity that decides why and how personal data is processed.
- Data processor
- A party that processes personal data on behalf of, and on the instructions of, the controller.
- Vendor risk management
- Assessing and monitoring the risk introduced by third-party suppliers and service providers.
- Cloud governance
- Overseeing cloud services for security, compliance, cost, and the shared-responsibility model.
- Shared responsibility model
- Cloud security split between provider (of the cloud) and customer (in the cloud).
- Key goal indicator (KGI)
- A metric that shows whether an IT process achieved its business goal (outcome-focused).
- IT balanced scorecard
- Aligning IT performance to business value across multiple perspectives, not just cost.
- Object-oriented design
- Designing software around reusable objects that bundle data and behavior.
- Rapid application development (RAD)
- A fast, iterative methodology using prototyping and user feedback to speed delivery.
- Spiral model
- An iterative SDLC that performs heavy risk analysis at each cycle before proceeding.
- Requirements traceability
- Linking each requirement to its design, build, and test so nothing is missed or unverified.
- Test plan
- A document defining test scope, approach, cases, data, and pass/fail criteria.
- Black-box testing
- Testing functionality against requirements without knowledge of internal code.
- White-box testing
- Testing based on knowledge of internal code structure and logic.
- Code review
- Examining source code to find defects and security flaws (static analysis or peer review).
- Library control software
- Tools that control and track access to and movement of program source and object code.
- Acceptance criteria
- The conditions a deliverable must meet for users to accept it as complete and correct.
- Hash total
- A control total computed over a field to detect data loss or alteration in processing or transfer.
- Checkpoint / restart
- A recovery feature that saves processing state so a long job can resume after failure.
- Storage area network (SAN)
- A high-speed network providing block-level shared storage to servers.
- Network-attached storage (NAS)
- File-level shared storage attached to a network for multiple clients.
- Cloud backup
- Offsite backup to a cloud provider, improving resilience and offsite copy management.
- Crisis management team
- The group that leads response and decision-making during a major disruption.
- Call tree
- A pre-defined contact chain for rapidly notifying staff during an incident or disaster.
- Service continuity
- Ensuring IT services can be restored within agreed timeframes after a disruption.
- Patch testing
- Validating patches in a non-production environment before deploying to production.
- Capacity threshold
- A defined utilization level that triggers action before performance degrades.
- Kerberos
- A symmetric-key SSO protocol using tickets and a Key Distribution Center (KDC).
- SAML
- An XML standard for exchanging authentication and authorization data for web SSO and federation.
- OAuth
- An authorization framework that lets apps access resources on a user's behalf without sharing credentials.
- Biometric false acceptance rate
- FAR — the rate at which a biometric system wrongly accepts an unauthorized user.
- Biometric false rejection rate
- FRR — the rate at which a biometric system wrongly rejects an authorized user.
- Crossover error rate (CER)
- The point where a biometric's FAR equals its FRR; lower CER means a more accurate system.
- Mantrap
- A physical access control with two interlocking doors that allows one person through at a time.
- Zero trust
- A security model that trusts no user or device by default and verifies every access request.
- Tokenization
- Replacing sensitive data with a non-sensitive token, keeping the real data in a secure vault.
- Endpoint protection
- Controls (anti-malware, EDR, hardening) that secure end-user devices and servers.
- Security incident
- An event that actually or potentially compromises the confidentiality, integrity, or availability of an asset.
- Forensic analysis
- The disciplined collection and examination of digital evidence to investigate an incident.