- Information security governance
- The board/executive responsibilities that set direction, ensure objectives are met, manage risk, and verify resources are used responsibly. Leadership owns security.
- RACI
- Responsible (does it), Accountable (answers for it — only one), Consulted (gives input), Informed (kept updated). Assigns ownership for tasks and controls.
- Risk appetite
- The amount and type of risk an organization is willing to pursue to meet its objectives — set by the board.
- Due care
- Acting on due diligence — implementing and maintaining reasonable controls a prudent organization would (doing the right thing).
- Due diligence
- Doing the research and verification — investigating risks and building the plans/policies needed (knowing what's right).
- Security strategy
- The long-term plan aligning the information security program to business objectives — the desired future state.
- Business alignment
- Ensuring security goals, investments, and metrics map directly to enterprise goals so security delivers value.
- GRC
- Governance, Risk, and Compliance — the integrated discipline coordinating how an organization is directed, manages risk, and meets obligations.
- Security steering committee
- A cross-functional body that aligns the security strategy with business priorities and directs program investment.
- Policy
- A high-level, mandatory statement of management intent and goals for security.
- Standard
- Mandatory, specific requirements that support a policy (e.g., 'use AES-256').
- Procedure
- Detailed, mandatory step-by-step instructions for carrying out a task securely.
- Guideline
- A recommended, discretionary best practice — the only optional item in the governance hierarchy.
- Baseline (security)
- A minimum required level of security that systems must meet.
- Governance document hierarchy
- Policy → Standard → Procedure → Guideline (guideline is the only optional one).
- Maturity model (CMMI)
- A staged scale (e.g., levels 1-5) rating process capability; the target a gap analysis measures against.
- Gap analysis
- A comparison of the current security state vs. a desired/target state to identify what's missing and drive the roadmap.
- Business case
- The cost/benefit justification (often ROSI) used to win management funding for a security investment.
- ROSI
- Return on Security Investment — the financial framing of a control's value used in a business case.
- COBIT
- ISACA's framework for the governance and management of enterprise IT.
- ISO/IEC 27001
- The international standard for a certifiable Information Security Management System (ISMS).
- ISO/IEC 27002
- A catalog of information security controls supporting ISO/IEC 27001.
- NIST Cybersecurity Framework
- A voluntary framework (Govern, Identify, Protect, Detect, Respond, Recover) for managing cybersecurity risk.
- Security culture
- The shared attitudes and behaviors of staff that enable or undermine security controls.
- Tone at the top
- The example and priority senior leadership sets, which shapes the organization's security culture.
- Strategic alignment
- Aligning security objectives with business objectives so security supports the mission.
- Value delivery
- Ensuring security investments deliver measurable value relative to their cost.
- Legal/regulatory/contractual requirements
- Obligations (laws, regulations, contracts) the security program must satisfy as part of governance.
- Organizational structure (security)
- How security roles and reporting lines are arranged so accountability is clear.
- CISO role
- The senior executive accountable for the information security program and for reporting risk to leadership.
- Data owner
- The senior business manager accountable for an asset — sets its classification and protection requirements.
- Data custodian
- The party (usually IT) responsible for implementing and maintaining the controls protecting data.
- Accountable vs. responsible
- Accountable = answers for the outcome (one party); Responsible = does the work (one or more).
- Information governance
- The framework of policies and standards governing how information is created, used, and retained.
- Strategic planning (security)
- Planning budgets, resources, and a roadmap to reach the security strategy's target state.
- Governance vs. management
- Governance sets direction and is accountable (board); management executes within that direction.
- Security balanced scorecard
- A tool linking security objectives to business perspectives so leadership can track strategy.
- Prudent person rule
- The standard of acting as a reasonable, careful person would — satisfied by due diligence plus due care.
- Steering committee charter
- The document defining the steering committee's authority, membership, and responsibilities.
- Security roles and responsibilities
- Clearly defined duties (owner, custodian, user, manager) so accountability is unambiguous.
- Compliance vs. security
- Compliance meets external requirements; security manages risk — compliance alone does not equal secure.
- Regulatory drivers
- Laws and regulations (e.g., GDPR, HIPAA, SOX, PCI DSS) that shape security obligations.
- Acceptable use policy (AUP)
- A policy defining how staff may use organizational systems and data.
- ISACA Code of Professional Ethics
- The ethical standards CISM holders must follow to keep the certification in good standing.
- Information security governance outcomes
- Strategic alignment, risk management, value delivery, resource management, and performance measurement.
- Top-down security approach
- Driving security from senior management down, which is more effective than a grassroots/bottom-up effort.
- Security program charter
- Senior-management authorization that establishes the program's mandate and authority.
- Stakeholder analysis
- Identifying the parties affected by security decisions so their needs inform strategy.
- Resource management (governance)
- Ensuring security knowledge, infrastructure, and people are used efficiently.
- Risk tolerance
- The acceptable deviation around the risk appetite for a specific objective or risk.
- Risk capacity
- The maximum amount of risk an organization could actually absorb before it fails.
- Inherent risk
- The level of risk that exists before any controls are applied — the raw exposure.
- Residual risk
- The risk that remains after controls are in place; the risk owner formally accepts it.
- Risk treatment
- The chosen response: mitigate (reduce), transfer (insure/outsource), avoid (stop), or accept.
- Risk mitigation
- Reducing risk by adding controls that lower likelihood or impact.
- Risk transfer
- Shifting the financial impact of a risk to a third party (e.g., insurance, outsourcing).
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk acceptance
- A documented, risk-owner-approved decision to tolerate a risk within the appetite.
- Risk assessment
- Identifying and analyzing risks (likelihood and impact) to prioritize them.
- Risk analysis
- Determining the likelihood and impact of identified risks (qualitative or quantitative).
- Qualitative risk analysis
- Subjective risk rating using scales like high/medium/low — fast, not dollar-based.
- Quantitative risk analysis
- Objective, dollar-based risk analysis using SLE, ARO, and ALE.
- Threat
- Any potential event or actor that could exploit a vulnerability to harm an asset.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Exploit
- The act or tool that leverages a vulnerability to cause harm.
- Likelihood x impact
- The core risk-rating equation: probability of an event times the harm it would cause.
- Exposure Factor (EF)
- The percentage of an asset's value lost if a specific risk event occurs.
- Single Loss Expectancy (SLE)
- The expected loss from one event: SLE = Asset Value x Exposure Factor.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a risk event occurs in one year.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE x ARO. Used to cost-justify controls.
- ALE formula
- ALE = SLE x ARO, where SLE = Asset Value x Exposure Factor.
- Risk register
- A documented inventory of risks with ratings, owners, treatments, controls, and status.
- Risk owner
- The party accountable for a risk who formally accepts its residual level (usually senior management).
- Control owner
- The party responsible for designing, implementing, and operating a specific control.
- KRI
- Key Risk Indicator — a forward-looking metric that signals rising risk before an incident.
- KPI
- Key Performance Indicator — a metric measuring how well the program or a control performs.
- KGI
- Key Goal Indicator — a metric showing whether a defined goal was achieved.
- Control deficiency
- A control that is missing or not operating effectively, leaving a gap that increases risk.
- Third-party risk
- Risk introduced through vendors and the supply chain; a provider's breach is still your problem.
- Supply-chain risk
- Risk arising from the products, services, and dependencies in an organization's supply chain.
- Emerging risk
- A new or evolving threat (e.g., AI-enabled attacks) the program must continuously scan for.
- Risk monitoring
- Ongoing tracking of risk levels and KRIs so the manager can act and report changes.
- Risk reporting
- Communicating risk posture to senior management so they can make informed decisions.
- Cost-benefit (control)
- A control is justified only when its annual cost is less than the reduction in ALE it delivers.
- Risk vs. control ownership
- Risk owner accepts the residual risk; control owner operates the control.
- Threat landscape
- The current set of threats and actors relevant to the organization, which changes over time.
- Vulnerability assessment
- Identifying and rating weaknesses in systems and processes (a management input to risk).
- Risk identification
- Finding the assets, threats, vulnerabilities, and scenarios that could affect the organization.
- Asset valuation
- Determining an asset's worth (tangible and intangible) to prioritize its protection.
- Annualized cost of safeguard (ACS)
- The yearly cost of a control; a control is justified when ACS is less than the ALE reduction it gives.
- Risk heat map
- A visual matrix plotting risks by likelihood and impact to prioritize them.
- Risk scenario
- A plausible description of how a threat could exploit a vulnerability and the resulting impact.
- Risk aggregation
- Combining individual risks to understand the organization's overall exposure.
- Risk velocity
- How quickly a risk would impact the organization once it materializes.
- Threat modeling (management view)
- Identifying likely threats to a system to prioritize controls during design.
- Risk-based approach
- Allocating security effort and spending based on the level of risk, not uniformly.
- Risk communication
- Conveying risk clearly to decision-makers so they can choose a response.
- Control self-assessment (CSA)
- A process where control owners assess their own controls' effectiveness.
- Continuous risk monitoring
- Ongoing tracking of risk and control status rather than point-in-time review.
- Risk treatment plan
- A documented plan of the chosen responses, owners, and timelines for treating risks.
- Acceptable risk
- Residual risk that falls within the organization's defined risk appetite/tolerance.
- Risk reassessment
- Re-evaluating risk as assets, threats, and the business environment change.
- Information security program
- The coordinated set of activities, controls, resources, and people that executes the security strategy.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Least privilege
- Granting users and processes only the minimum access needed to do their job.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud/error.
- Asset classification
- Labeling information assets by sensitivity so the right protection is applied; assigned by the data owner.
- Data classification levels
- Sensitivity labels (e.g., public, internal, confidential, restricted) that drive handling and controls.
- Preventive control
- A control that stops an incident before it happens (firewall rule, access control, encryption).
- Detective control
- A control that identifies an incident in progress or after the fact (IDS, log review, SIEM alert).
- Corrective control
- A control that restores systems after an incident (backups, patching, failover).
- Deterrent control
- A control that discourages a would-be attacker (warning banners, visible cameras, sanctions).
- Compensating control
- An alternative control used when the primary control isn't feasible (extra monitoring for SoD).
- Administrative control
- A policy/people control (policies, training, background checks).
- Technical control
- A technology-enforced (logical) control (firewalls, encryption, access control).
- Physical control
- A control in the physical world (locks, guards, cameras, fences).
- Control design and selection
- Choosing controls that meet the risk cost-effectively based on classification and requirements.
- Control implementation
- Deploying and integrating chosen controls into business processes and technology.
- Control testing and evaluation
- Verifying controls work as intended via assessment, audit, or testing.
- Security awareness training
- Ongoing education that reduces human risk by teaching staff to recognize threats and follow policy.
- Awareness vs. training vs. education
- Awareness builds recognition; training builds skills; education builds deep understanding.
- Management of external services
- Governing vendors/providers to security requirements via contracts, SLAs, and monitoring.
- SLA
- Service Level Agreement — a measurable service commitment between the organization and an external provider.
- OLA
- Operational Level Agreement — an internal agreement between teams that supports an SLA.
- Vendor risk management
- Assessing and monitoring the security risk introduced by third-party vendors.
- Program metrics
- Measures (KPIs/KGIs) that make the program's performance and value visible to management.
- Program communications and reporting
- Communicating program status, performance, and risk to stakeholders and leadership.
- Secure SDLC
- Embedding security into every phase of the system development lifecycle ('shift left').
- Shift left
- Addressing security early in development, where flaws are cheaper to fix.
- Policies, procedures, guidelines
- The program's documented rules: mandatory policies/procedures and optional guidelines.
- Industry standards and frameworks
- Recognized structures (ISO 27001, NIST CSF, COBIT) used to build and benchmark the program.
- Program resources
- The budget, people, and tools needed to build and run the security program.
- Information asset identification
- Inventorying the information assets the program must protect before classifying them.
- Need to know
- Limiting access to only the specific information required for a person's role.
- Access control (program)
- Managing who can access what, enforced through models like RBAC, MAC, DAC, and ABAC.
- Role-based access control (RBAC)
- Granting access by job role rather than the individual; scales well in enterprises.
- Identity and access management (IAM)
- The processes and tools that manage digital identities and their access rights.
- Configuration management
- Controlling and documenting system settings to a secure, known baseline.
- Change management
- A controlled process for evaluating, approving, and documenting changes to systems.
- Patch management
- Systematically applying updates to remediate known vulnerabilities.
- Encryption (program control)
- A technical control protecting confidentiality of data at rest and in transit.
- Data loss prevention (DLP)
- Controls that detect and block unauthorized movement of sensitive data.
- Security architecture
- The structured design of security capabilities within the enterprise's technology design.
- Enterprise architecture
- The overall structure of an enterprise's processes and technology that security must integrate with.
- Security baselines
- Standardized minimum security configurations applied across similar systems.
- Control framework
- A structured set of controls (e.g., NIST 800-53, ISO 27002) used to build the program.
- Penetration test (management view)
- An authorized simulated attack used to evaluate control effectiveness; results inform risk.
- Vulnerability scanning (program)
- Automated identification of known weaknesses to feed remediation and risk decisions.
- Logging and monitoring
- Recording and reviewing system activity to support detection and accountability.
- Data retention
- Policy defining how long data is kept before secure disposal, driven by legal and business needs.
- Secure disposal / sanitization
- Removing data from media (clear, purge, destroy) so it cannot be recovered.
- Privacy by design
- Building privacy protections into systems and processes from the start.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location) — most granular.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems (e.g., via SAML or Kerberos).
- Multi-factor authentication (MFA)
- Requiring two or more factors from different categories: know, have, are.
- Provisioning and deprovisioning
- Granting access when staff join/change roles and promptly removing it when they leave.
- Privileged access management (PAM)
- Tightly controlling and monitoring high-privilege accounts.
- Data states
- At rest, in transit, and in use — each needs different protective controls.
- Endpoint protection
- Controls (EDR, antivirus, hardening) that secure user devices and servers.
- Network segmentation
- Dividing a network (VLANs, subnets) so a compromise can't spread freely.
- Zero trust
- A model that never implicitly trusts and verifies every access request continuously.
- Hardening
- Reducing a system's attack surface by removing unneeded services and applying secure settings.
- Security testing types
- Vulnerability scan, penetration test, code review, and audit — used to evaluate controls.
- Static vs. dynamic testing
- Static reviews source code; dynamic tests a running application.
- SOC 1 vs. SOC 2
- SOC 1 covers financial-reporting controls; SOC 2 covers security/availability controls.
- Audit (security)
- An independent evaluation of controls against a standard or policy.
- Continuous monitoring (program)
- Ongoing automated assessment of control effectiveness and security posture.
- Cloud shared responsibility
- Security duties split between the cloud provider and the customer by service model.
- Data privacy controls
- Controls protecting personal data and meeting privacy obligations (consent, minimization).
- Backup strategy (program)
- Defining what to back up, how often (RPO-driven), and where copies are stored.
- Control integration
- Embedding controls into business processes so security is part of how work is done.
- Security metrics dashboard
- A leadership view of KPIs/KGIs that communicates program performance.
- Incident response lifecycle
- Prepare → Detect → Triage → Contain → Eradicate → Recover → Post-incident review.
- Business Impact Analysis (BIA)
- Identifies critical processes and the impact of disruption; produces MTD, RTO, and RPO.
- Recovery Time Objective (RTO)
- The target time to restore a system after a disruption; must fit within the MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable data loss measured backward in time; drives backup frequency.
- Maximum Tolerable Downtime (MTD)
- The absolute outer limit a process can be down before unacceptable harm; MTD = RTO + WRT.
- Work Recovery Time (WRT)
- The time to verify data and resume normal operations after systems are restored.
- Business Continuity Plan (BCP)
- A plan to keep critical business functions operating during/after a disruption (business-focused).
- Disaster Recovery Plan (DRP)
- The IT-focused plan to restore technology systems and data; it supports the BCP.
- BCP vs. DRP
- BCP keeps the business running; DRP restores the IT the business depends on.
- Incident response plan (IRP)
- The documented procedures, roles, and communications for handling a security incident.
- Containment
- Limiting the spread/damage of an incident before eradication and recovery — stop the bleeding first.
- Eradication
- Removing the root cause of an incident — malware, compromised accounts, the exploited weakness.
- Recovery (incident)
- Restoring affected systems to normal operation and validating they're clean.
- Post-incident review
- Lessons learned and root-cause analysis after an incident that improve the program.
- Lessons learned
- The documented improvements identified after an incident to prevent recurrence.
- Root cause analysis (RCA)
- Identifying the underlying cause of an incident so it can be permanently fixed.
- Event vs. incident vs. breach
- Event = observable occurrence; incident = harms CIA; breach = confirmed data exposure.
- Security event
- Any observable occurrence in a system or network; most are benign.
- Security incident
- An adverse event that harms or threatens the confidentiality, integrity, or availability of information.
- Data breach
- A confirmed incident in which protected data was accessed or exposed, often triggering notification.
- CSIRT
- Computer Security Incident Response Team — the group that detects, responds to, and recovers from incidents.
- SOC
- Security Operations Center — the function that monitors, detects, and responds to security events.
- SIEM
- Security Information and Event Management — aggregates and correlates logs for detection and analysis.
- Incident classification
- Categorizing an incident by type and severity to prioritize the response and escalation.
- Incident triage
- The initial assessment that decides which events are incidents and how severe they are.
- Escalation
- Routing an incident to the right level of authority based on its severity and impact.
- Chain of custody
- The documented, tamper-evident record of who handled evidence and when, preserving admissibility.
- Digital forensics
- The disciplined collection, analysis, and preservation of digital evidence.
- Evidence preservation
- Imaging, hashing, and securely storing evidence so it remains intact and admissible.
- Incident response communications
- Coordinated internal and external messaging during an incident, including legal/PR/regulators.
- Notification obligations
- Legal/regulatory duties to inform affected parties or regulators after a breach.
- Tabletop exercise
- A discussion-based test of the incident/continuity plan against a scenario.
- Simulation exercise
- A hands-on test that exercises the response team and tools against a realistic scenario.
- Hot site
- A fully equipped alternate site with near-real-time failover — fastest recovery, most expensive.
- Warm site
- An alternate site with hardware/connectivity but data restored on demand — moderate cost/speed.
- Cold site
- An alternate site with power/cooling only — cheapest, slowest to bring online.
- Full backup
- A backup of all selected data; fastest to restore from a single set.
- Incremental backup
- Backs up changes since the last backup of any type — fast backup, slow restore.
- Differential backup
- Backs up changes since the last full backup — slower backup, faster restore.
- MTBF
- Mean Time Between Failures — a reliability metric for how often a system fails.
- MTTR
- Mean Time To Repair — the average time to restore a failed component to service.
- Incident readiness
- The advance planning — IRP, BIA, BCP/DRP, training, testing — that prepares for incidents.
- Incident management training
- Preparing the response team and staff so they can execute the plan under pressure.
- Detection and analysis
- The NIST phase of identifying and confirming an incident from events and alerts.
- Crisis management
- Senior-leadership coordination of major incidents affecting the whole organization.
- Playbook (incident)
- A predefined set of response steps for a specific incident type.
- Indicators of compromise (IoC)
- Artifacts (e.g., malicious IPs, file hashes) that signal a possible intrusion.
- Containment strategy
- The plan for isolating affected systems while preserving evidence and operations.
- Incident severity levels
- Tiers (e.g., low/medium/high/critical) that determine response priority and escalation.
- Declaration of an incident
- The formal point at which an event is confirmed an incident, activating the IRP.
- First responder
- The initial responder who assesses, contains, and escalates an incident.
- Forensic readiness
- Preparing in advance to collect and preserve evidence so it's usable later.
- Containment: short vs. long term
- Quick isolation to stop spread, then a durable fix while operations continue.
- Parallel test (DR)
- Testing recovery systems alongside production without disrupting it.
- Full interruption test
- The most thorough (and risky) DR test that actually fails over to the recovery site.
- Checklist test
- The simplest DR test: reviewing the plan's contents for completeness.
- Recovery strategy
- The chosen approach (sites, backups, redundancy) to meet the RTO/RPO from the BIA.
- Alternate processing site
- A standby location (hot/warm/cold) used to resume operations after a disaster.
- Reciprocal agreement
- A mutual-aid arrangement to use another organization's facilities in a disaster.
- Incident metrics
- Measures like detection time, containment time, and MTTR used to improve response.
- Mean time to detect (MTTD)
- The average time from an incident's start to its detection.
- Mean time to contain (MTTC)
- The average time from detection to containment of an incident.
- Communication plan (incident)
- Predefined who-tells-whom-what during an incident, including spokespersons and regulators.
- Regulatory breach timelines
- Legally mandated windows to notify regulators/individuals after a breach (e.g., 72 hours under GDPR).
- Eradication vs. recovery
- Eradication removes the cause; recovery restores systems to normal, validated operation.
- Evidence handling
- Collecting, labeling, and storing evidence to preserve integrity and chain of custody.
- Order of volatility
- Collecting the most ephemeral evidence first (memory, then disk) during forensics.
- Tabletop vs. simulation vs. full
- A spectrum of plan tests from discussion-based to a real failover.
- Disaster recovery as a service (DRaaS)
- A cloud service providing recovery infrastructure to meet RTO/RPO.
- Crisis communication
- Coordinated external messaging to protect reputation and meet obligations during a major incident.