- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Ensuring only authorized people can read data; enforced by encryption and access control.
- Integrity
- Ensuring data is accurate and unaltered; enforced by hashing and digital signatures.
- Availability
- Ensuring authorized users can access data when needed; enforced by redundancy and backups.
- Non-repudiation
- Assurance that someone cannot deny an action they performed; provided by digital signatures and logging.
- AAA
- Authentication (prove identity), Authorization (grant rights), and Accounting (log activity).
- Authentication
- Verifying that a subject is who it claims to be (e.g., with a password, token, or biometric).
- Authorization
- Granting an authenticated subject the rights to access specific resources.
- Accounting (auditing)
- Recording what authenticated subjects do, for tracking and forensics.
- Authentication vs. authorization
- Authentication proves WHO you are; authorization decides WHAT you may access.
- Technical control
- A safeguard implemented by technology — firewall, encryption, MFA, antivirus.
- Managerial control
- An administrative safeguard — policies, risk assessments, security planning.
- Operational control
- A safeguard carried out by people — awareness training, guard duty, config management.
- Physical control
- A tangible safeguard — locks, fences, badges, cameras, bollards.
- Preventive control
- A control that stops an incident before it happens (e.g., a firewall rule or a lock).
- Deterrent control
- A control that discourages an attacker (e.g., a warning sign or lighting).
- Detective control
- A control that identifies an incident during or after it (e.g., an IDS or log review).
- Corrective control
- A control that fixes or limits damage after an event (e.g., restoring a backup).
- Compensating control
- An alternative control used when the primary control isn't feasible.
- Directive control
- A control that directs behavior, such as a policy or procedure.
- Zero Trust
- A model that removes implicit trust and verifies every request — 'never trust, always verify.'
- Control plane (Zero Trust)
- The 'brain' that makes access decisions: the Policy Engine and Policy Administrator.
- Data plane (Zero Trust)
- The part that enforces decisions on each request via the Policy Enforcement Point (PEP).
- Policy Engine (PE)
- The Zero Trust component that decides to grant or deny access based on policy and context.
- Policy Enforcement Point (PEP)
- The Zero Trust component that allows or blocks each actual request to a resource.
- Adaptive identity
- Adjusting authentication requirements based on context and risk (a Zero Trust concept).
- Implicit trust zone
- An area where access is trusted by default — what Zero Trust seeks to eliminate.
- Honeypot
- A decoy system that lures attackers away from real assets and records their behavior.
- Honeynet
- A network of honeypots that mimics a real environment to study attackers.
- Honeyfile
- A bait file (e.g., 'passwords.xlsx') that triggers an alert when accessed.
- Honeytoken
- Fake data (a credential, record, or API key) that signals compromise when used.
- Symmetric encryption
- Encryption using one shared secret key to both encrypt and decrypt; fast (e.g., AES).
- Asymmetric encryption
- Encryption using a public/private key pair; one key encrypts, the other decrypts (e.g., RSA, ECC).
- AES
- Advanced Encryption Standard — the dominant symmetric block cipher (128/192/256-bit keys).
- RSA
- A widely used asymmetric algorithm for key exchange and digital signatures.
- ECC
- Elliptic Curve Cryptography — asymmetric crypto giving strong security with smaller keys.
- Diffie-Hellman
- A key-exchange method that lets two parties derive a shared secret over an insecure channel.
- Hashing
- A one-way function producing a fixed-length digest; used for integrity, not reversible.
- SHA-256
- A secure hashing algorithm producing a 256-bit digest, used for integrity verification.
- MD5
- An obsolete hash function, broken by collisions — should not be used for security.
- Salting
- Adding unique random data to a password before hashing so identical passwords differ.
- Key stretching
- Repeatedly hashing a password (e.g., bcrypt, PBKDF2, Argon2) to slow brute-force attacks.
- Digital signature
- A message hash encrypted with the signer's private key; proves integrity and authenticity.
- Public key — when to use
- Encrypt FOR someone with their public key; verify a signature with the signer's public key.
- Private key — when to use
- Decrypt what was sent to you; SIGN messages with your own private key.
- Hybrid encryption
- Use asymmetric crypto to exchange a fast symmetric session key, then symmetric for the data (TLS).
- PKI
- Public Key Infrastructure — the CAs, policies, and keys that issue and manage digital certificates.
- Certificate Authority (CA)
- A trusted entity that issues and signs digital certificates.
- Root CA
- The top, self-signed CA in a trust chain; usually kept offline for protection.
- Intermediate CA
- A CA signed by the root that issues end-entity certificates, so the root key stays protected.
- Digital certificate (X.509)
- A file binding a public key to a verified identity, signed by a CA.
- CSR
- Certificate Signing Request — a request sent to a CA to issue a certificate for a public key.
- CRL
- Certificate Revocation List — a published list of certificates the CA has revoked.
- OCSP
- Online Certificate Status Protocol — a real-time query to check if a certificate is revoked.
- Certificate pinning
- Associating a host with its expected certificate/key to resist fraudulent certs.
- Wildcard certificate
- A certificate that secures a domain and all its subdomains (e.g., *.example.com).
- TPM
- Trusted Platform Module — a hardware chip that securely stores keys and supports disk encryption.
- HSM
- Hardware Security Module — a tamper-resistant device for generating and storing keys.
- Secure enclave
- An isolated hardware region that protects data and keys even from the host OS.
- Key escrow
- Storing a copy of keys with a trusted third party so data can be recovered if a key is lost.
- Steganography
- Hiding data inside other data (e.g., within an image) so its existence is concealed.
- Obfuscation
- Making data or code hard to understand to slow analysis (not true encryption).
- Blockchain
- A distributed, append-only ledger secured by hashing and consensus.
- Tokenization (crypto)
- Replacing sensitive data with a non-sensitive token mapped to the real value stored securely.
- Cipher suite
- The set of algorithms (key exchange, encryption, hashing) negotiated for a TLS session.
- Perfect forward secrecy
- Using ephemeral keys so a compromised long-term key can't decrypt past sessions.
- Change management
- A structured process to approve, document, test, and roll back changes safely.
- Gap analysis
- Comparing the current security posture to a desired state to find what's missing.
- Phishing
- A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
- Vishing
- Voice phishing — a social-engineering attack carried out over a phone call.
- Smishing
- SMS phishing — a social-engineering attack delivered by text message.
- Spear phishing
- A phishing attack targeted at a specific individual using personalized details.
- Whaling
- A phishing attack that specifically targets high-value executives.
- Business email compromise (BEC)
- Impersonating a trusted executive or vendor to authorize fraudulent payments.
- Pretexting
- Inventing a believable scenario or pretext to manipulate a victim into cooperating.
- Pharming
- Redirecting users from a legitimate site to a fake one, often via poisoned DNS.
- Watering hole attack
- Compromising a website the target group is known to visit, to infect them.
- Typosquatting
- Registering misspelled domains to catch users who mistype a URL.
- Impersonation
- Pretending to be someone trusted to gain access or information.
- Tailgating
- Following an authorized person through a secure door without credentials.
- Dumpster diving
- Searching discarded materials for sensitive information.
- Shoulder surfing
- Observing someone's screen or keypad to steal credentials or data.
- Disinformation/misinformation
- Spreading false content to manipulate beliefs or actions.
- Threat actor
- An individual or group that carries out an attack.
- Nation-state actor
- A government-sponsored, highly resourced threat actor; usually motivated by espionage.
- Advanced persistent threat (APT)
- A skilled, well-resourced adversary that maintains long-term stealthy access.
- Organized crime
- A profit-driven, well-funded threat actor group.
- Hacktivist
- An attacker motivated by a political or social cause.
- Insider threat
- A current/former employee or partner who misuses authorized access.
- Unskilled attacker
- A 'script kiddie' who uses others' tools without deep expertise.
- Shadow IT
- Hardware, software, or services used without IT/security approval.
- Threat vector
- The path or means an attacker uses to gain access (email, USB, supply chain).
- Attack surface
- The total set of points where an attacker could try to enter or extract data.
- Supply chain attack
- Compromising a trusted vendor, MSP, or software update to reach the target.
- Malware
- Malicious software — ransomware, trojans, worms, viruses, spyware, rootkits, keyloggers.
- Ransomware
- Malware that encrypts data and demands payment for the decryption key.
- Double extortion
- Ransomware that also steals data and threatens to leak it if unpaid.
- Trojan
- Malware disguised as legitimate software that hides a malicious payload.
- Worm
- Self-replicating malware that spreads across networks without user action.
- Virus
- Malware that attaches to a host file and spreads when that file is executed.
- Spyware
- Malware that secretly gathers information about a user or system.
- Keylogger
- Malware or hardware that records keystrokes to steal credentials.
- Rootkit
- Malware that hides at a privileged level (often the kernel) to maintain stealthy access.
- Logic bomb
- Malicious code that executes when a specific condition or time is met.
- Bloatware
- Unwanted pre-installed software that expands the attack surface.
- Fileless malware
- Malware that runs in memory using legitimate tools, leaving little on disk.
- Botnet
- A network of compromised devices controlled by an attacker (often for DDoS).
- Buffer overflow
- Writing more data than a buffer holds, overwriting adjacent memory to run code.
- Race condition (TOCTOU)
- A timing flaw between time-of-check and time-of-use that can be exploited.
- Memory injection
- Inserting malicious code into a running process's memory space.
- SQL injection
- Inserting malicious SQL into input so the database runs unintended commands.
- SQL injection fix
- Use parameterized queries (prepared statements) plus input validation.
- Cross-site scripting (XSS)
- Injecting script into a trusted site that runs in another user's browser.
- XSS fix
- Output encoding, input validation, and a Content Security Policy (CSP).
- Cross-site request forgery (CSRF)
- Tricking a logged-in user's browser into sending an unwanted authenticated request.
- Zero-day
- A vulnerability unknown to the vendor with no patch available yet.
- Misconfiguration
- An insecure default or setting; a leading cause of breaches.
- Default credentials
- Factory usernames/passwords left unchanged — an easy attacker entry point.
- VM escape
- Breaking out of a virtual machine to access the hypervisor or host.
- On-path attack
- An attacker secretly relays or alters traffic between two parties (formerly MITM).
- Replay attack
- Capturing and re-sending valid data (e.g., a session token) to impersonate a user.
- DNS poisoning
- Corrupting DNS records to redirect users to malicious sites.
- ARP poisoning
- Sending forged ARP messages to associate the attacker's MAC with another IP.
- DDoS attack
- Overwhelming a target with traffic from many sources to deny service.
- Amplification attack
- Using a service to multiply traffic volume toward a victim (a DDoS technique).
- Privilege escalation
- Gaining higher rights than granted — vertical (to admin) or horizontal (to a peer).
- Password spraying
- Trying a few common passwords against many accounts to avoid lockouts.
- Brute-force attack
- Systematically trying many passwords or keys until one works.
- Dictionary attack
- Trying passwords from a list of likely words.
- Rainbow table
- A precomputed table of hashes used to crack unsalted password hashes.
- Indicator of compromise (IoC)
- An artifact (IP, hash, behavior) suggesting a system was breached.
- Mitigation: segmentation
- Dividing a network into zones to limit how far an attacker can move.
- Mitigation: least privilege
- Granting only the minimum access needed to limit the blast radius.
- Mitigation: patching
- Applying updates to fix known vulnerabilities.
- Mitigation: hardening
- Removing unneeded services/accounts and applying secure baselines.
- Application allow list
- Permitting only approved software to run (stronger than block-listing).
- Sandboxing
- Running untrusted code in an isolated environment to contain harm.
- Defense in depth
- Layering multiple independent controls so one failure isn't a breach.
- Shared responsibility model
- Cloud split: provider secures the infrastructure; customer secures data, identity, and config.
- Security OF vs. IN the cloud
- Provider = security OF the cloud (infrastructure); customer = security IN the cloud (data/config).
- IaaS
- Infrastructure as a Service — customer manages OS, apps, and data (most responsibility).
- PaaS
- Platform as a Service — provider manages the platform; customer manages apps and data.
- SaaS
- Software as a Service — provider manages almost everything; customer manages data and access.
- Virtualization
- Running multiple guest operating systems on one physical host via a hypervisor.
- Hypervisor
- Software that creates and runs virtual machines (Type 1 bare-metal or Type 2 hosted).
- Containerization
- Packaging an app with its dependencies in an isolated container sharing the host kernel.
- Serverless
- Running code as functions without managing servers; the provider scales it.
- Microservices
- Building an app as small, independently deployable services.
- Infrastructure as Code (IaC)
- Provisioning infrastructure from version-controlled machine-readable files.
- Software-defined networking (SDN)
- Centrally programming network behavior via software, separate from hardware.
- IoT
- Internet of Things — networked everyday devices, often with weak built-in security.
- ICS/SCADA
- Industrial control systems that run physical processes; hard to patch, need segmentation.
- Embedded system
- A purpose-built computer inside a device, often with limited update ability.
- Security zone
- A network segment grouped by trust level to control traffic between areas.
- DMZ
- A perimeter network segment that hosts public-facing services, isolated from the internal LAN.
- Firewall
- A device that filters network traffic based on rules to enforce a security boundary.
- Next-generation firewall (NGFW)
- A firewall adding application awareness, deep inspection, and threat intel.
- WAF
- Web Application Firewall — protects web apps from layer-7 attacks like injection and XSS.
- UTM
- Unified Threat Management — one appliance combining firewall, IPS, AV, filtering, and more.
- IDS
- Intrusion Detection System — detects and alerts on suspicious traffic (passive).
- IPS
- Intrusion Prevention System — detects and blocks suspicious traffic inline (active).
- IDS vs. IPS
- IDS only detects/alerts (passive); IPS sits inline and can block (active).
- Proxy server
- An intermediary that mediates and can filter client requests to other servers.
- Jump server
- A hardened pivot host used to administer systems in a secure zone.
- Load balancer
- Distributes traffic across multiple servers for availability and scale.
- Fail-open vs. fail-closed
- Fail-open allows traffic on failure (availability); fail-closed blocks it (security).
- Active vs. passive (sensor)
- Active devices sit inline and can act; passive devices observe via a tap or span port.
- 802.1X
- A port-based network access control standard that authenticates devices before granting access.
- Port security
- Limiting which devices (by MAC) can connect to a switch port.
- Data at rest
- Data stored on disk, database, or backup; protected with encryption and access control.
- Data in transit
- Data moving across a network; protected with TLS or VPN encryption.
- Data in use
- Data actively processed in memory; protected by techniques like secure enclaves.
- Data classification
- Labeling data by sensitivity (public, sensitive, confidential, critical) to set controls.
- Data masking
- Hiding part of a data value (e.g., showing only the last four digits).
- Tokenization
- Replacing sensitive data with a non-sensitive token; the real value is stored securely.
- DLP
- Data Loss Prevention — detects and blocks unauthorized movement of sensitive data.
- Data sovereignty
- The principle that data is subject to the laws of the country where it resides.
- High availability (HA)
- Designing systems to stay operational with minimal downtime via redundancy.
- Clustering
- Linking servers so they act as one resilient unit, with failover.
- Load balancing vs. clustering
- Load balancing spreads traffic; clustering provides coordinated failover/redundancy.
- Hot site
- A fully equipped alternate site ready for near-instant failover (most expensive).
- Warm site
- A partially equipped recovery site needing some setup before use.
- Cold site
- A recovery site with space and power only; longest to bring online (cheapest).
- Geographic dispersion
- Placing redundant systems in different locations to survive regional disasters.
- RAID
- Redundant Array of Independent Disks — combines drives for redundancy and/or performance.
- UPS
- Uninterruptible Power Supply — battery backup that keeps systems up during short outages.
- 3-2-1 backup rule
- Keep 3 copies of data, on 2 media types, with 1 copy offsite.
- RTO
- Recovery Time Objective — the maximum acceptable time to restore a system.
- RPO
- Recovery Point Objective — the maximum acceptable data loss, measured back to the last backup.
- RTO vs. RPO
- RTO = how fast you recover (downtime); RPO = how much data you can lose.
- MTBF
- Mean Time Between Failures — average time a system runs before failing.
- MTTR
- Mean Time To Repair — average time to restore a failed system.
- Snapshot
- A point-in-time copy of a system or volume for quick recovery.
- Journaling
- Logging changes so a system can be restored to a consistent state after a crash.
- Hardening
- Reducing attack surface by removing unneeded services/accounts and applying secure baselines.
- Secure baseline
- A standard, approved secure configuration applied to systems.
- MDM
- Mobile Device Management — centrally enforces policies and security on mobile devices.
- BYOD
- Bring Your Own Device — employees use personal devices for work (higher risk).
- COPE
- Corporate-Owned, Personally Enabled — company device usable for personal tasks.
- WPA3
- The current secure Wi-Fi protocol; uses SAE to resist offline password cracking.
- SAE
- Simultaneous Authentication of Equals — WPA3's secure key-exchange handshake.
- Sanitization
- Securely erasing or destroying media before disposal so data can't be recovered.
- Asset inventory
- A maintained list of hardware/software assets, essential to securing them.
- Vulnerability scan
- An automated check that identifies known weaknesses in systems.
- Penetration test
- An authorized simulated attack that actually exploits weaknesses to prove risk.
- Vuln scan vs. pen test
- A scan only identifies weaknesses; a pen test exploits them.
- CVE
- Common Vulnerabilities and Exposures — a public catalog of unique vulnerability IDs.
- CVSS
- Common Vulnerability Scoring System — a 0–10 severity score for a vulnerability.
- False positive
- A reported vulnerability/alert that isn't actually a real issue.
- False negative
- A real vulnerability or attack that the tool failed to detect (dangerous).
- Responsible disclosure
- Reporting a vulnerability privately to the vendor before public release.
- Bug bounty
- A program that pays outside researchers for responsibly reported vulnerabilities.
- Remediation
- Fixing a vulnerability by patching, reconfiguring, or applying a compensating control.
- Rescanning/validation
- Re-scanning after remediation to confirm the fix actually worked.
- SIEM
- Security Information and Event Management — aggregates and correlates logs to detect threats.
- Log aggregation
- Centralizing logs from many sources for correlation and analysis.
- Alert tuning
- Adjusting detection rules to cut false positives and reduce alert fatigue.
- SNMP
- Simple Network Management Protocol — monitors and manages network devices.
- NetFlow
- A protocol that records IP traffic flow data for monitoring and analysis.
- SOAR
- Security Orchestration, Automation, and Response — automates response via playbooks.
- EDR
- Endpoint Detection and Response — monitors endpoints to detect and respond to threats.
- XDR
- Extended Detection and Response — correlates detection across endpoints, network, and cloud.
- FIM
- File Integrity Monitoring — alerts when critical files change unexpectedly.
- Antivirus/anti-malware
- Software that detects and removes malicious code on endpoints.
- Web filtering
- Blocking access to malicious or disallowed websites.
- DNS filtering
- Blocking resolution of known-malicious domains.
- SPF
- Sender Policy Framework — lists which mail servers may send for a domain.
- DKIM
- DomainKeys Identified Mail — cryptographically signs email to prove it wasn't altered.
- DMARC
- Ties SPF and DKIM together and tells receivers how to handle failures (anti-spoofing).
- SPF/DKIM/DMARC
- The email-authentication trio that fights spoofing and phishing.
- Identity and access management (IAM)
- Policies and tools that manage identities and control access.
- Provisioning/deprovisioning
- Creating accounts on hire and promptly removing them on departure.
- Identity proofing
- Verifying a person's real-world identity before issuing credentials.
- SSO
- Single Sign-On — one authentication grants access to multiple systems.
- Federation
- Trusting identities from another domain to access resources (e.g., SAML, OIDC).
- SAML
- Security Assertion Markup Language — an XML standard for federated SSO.
- OAuth
- An authorization framework that lets apps access resources without sharing passwords.
- OpenID Connect (OIDC)
- An authentication layer built on OAuth 2.0 for verifying identity.
- LDAP
- Lightweight Directory Access Protocol — queries and manages directory information.
- Kerberos
- A ticket-based network authentication protocol using a trusted Key Distribution Center.
- MFA
- Multi-factor authentication — two or more factors from different categories.
- Something you know
- An MFA knowledge factor — a password or PIN.
- Something you have
- An MFA possession factor — a token, phone, or smart card.
- Something you are
- An MFA inherence factor — a biometric like a fingerprint or face.
- Why two passwords isn't MFA
- Both are the same category (knowledge); MFA needs DIFFERENT factor types.
- TOTP
- Time-based One-Time Password — a short-lived code from an authenticator app.
- RBAC
- Role-Based Access Control — permissions follow the user's role.
- MAC (access)
- Mandatory Access Control — the system enforces labels/clearances (high security).
- DAC
- Discretionary Access Control — the resource owner decides who gets access.
- ABAC
- Attribute-Based Access Control — access decided by attributes and context.
- Least privilege
- Granting only the minimum access needed to do a job.
- Separation of duties
- Splitting a sensitive task so no single person controls the whole process.
- PAM
- Privileged Access Management — controls, vaults, and audits admin accounts.
- Just-in-time access
- Granting elevated rights only for the moment they're needed, then revoking.
- Incident response lifecycle
- Preparation; detection & analysis; containment, eradication & recovery; post-incident.
- IR: first action (live)
- Containment — isolate affected systems to stop the spread before eradicating.
- Eradication
- Removing the threat and any persistence from affected systems.
- Recovery (IR)
- Restoring systems from known-good, tested backups and monitoring for reinfection.
- Post-incident activity
- Lessons learned and root cause analysis that feed back into preparation.
- Tabletop exercise
- A discussion-based walkthrough of an incident scenario to test the plan.
- Threat hunting
- Proactively searching for hidden threats that evaded automated detection.
- Digital forensics
- Collecting and analyzing evidence in a sound, documented way.
- Chain of custody
- Documentation of who handled evidence, when, and how — to keep it admissible.
- Legal hold
- A directive to preserve relevant data when litigation/investigation is anticipated.
- Order of volatility
- Collecting the most volatile evidence (RAM) before the least (disk, archives).
- e-Discovery
- Identifying and producing electronic evidence for legal proceedings.
- Governance
- The policies, standards, procedures, and oversight that direct a security program.
- Policy
- A high-level statement of management's security intent and rules.
- Standard
- A specific mandatory requirement that supports a policy (e.g., password length).
- Procedure
- A step-by-step instruction for performing a task securely.
- Guideline
- A recommended, non-mandatory best practice.
- Acceptable Use Policy (AUP)
- Defines acceptable use of organizational systems and data.
- Change management policy
- Requires approval, testing, documentation, and rollback for changes.
- SDLC
- Software Development Life Cycle — the structured process for building software securely.
- Data owner
- The person accountable for a data set and for setting its classification.
- Data controller
- The party that determines why and how personal data is processed.
- Data processor
- The party that processes personal data on the controller's behalf.
- Data custodian/steward
- The role that implements controls and maintains data quality day-to-day.
- Risk management
- Identifying, assessing, and treating risk to keep it within appetite.
- Qualitative risk analysis
- Rating risk by likelihood and impact (low/medium/high), no dollar values.
- Quantitative risk analysis
- Assigning dollar values to risk using SLE, ARO, and ALE.
- Exposure factor (EF)
- The percentage of an asset's value lost in a single event.
- SLE
- Single Loss Expectancy = asset value × exposure factor.
- ARO
- Annualized Rate of Occurrence — expected number of events per year.
- ALE
- Annualized Loss Expectancy = SLE × ARO.
- ALE example
- A $20,000 SLE happening twice a year (ARO 2) gives an ALE of $40,000.
- Risk register
- A documented list of risks with owner, likelihood, impact, and treatment.
- Risk appetite
- The amount and type of risk an organization is willing to accept.
- Risk tolerance
- The acceptable variation around the risk appetite for a specific objective.
- Key Risk Indicator (KRI)
- A metric that signals rising risk exposure.
- Risk mitigation
- Reducing a risk's likelihood or impact with controls.
- Risk transference
- Shifting risk to another party, e.g., buying cyber insurance.
- Risk avoidance
- Eliminating a risk by stopping the risky activity entirely.
- Risk acceptance
- Acknowledging a risk and taking no action because it's within appetite.
- Four risk responses
- Mitigate, transfer, avoid, accept.
- Inherent vs. residual risk
- Inherent = risk before controls; residual = risk remaining after controls.
- Business impact analysis (BIA)
- Identifies critical functions and sets recovery objectives (RTO/RPO).
- SLA
- Service Level Agreement — defines guaranteed service levels and metrics with a provider.
- MOU/MOA
- Memorandum of Understanding/Agreement — outlines intentions between parties.
- MSA
- Master Service Agreement — overarching terms governing ongoing work.
- SOW/WO
- Statement of Work / Work Order — the specific deliverables and tasks.
- NDA
- Non-Disclosure Agreement — a confidentiality obligation between parties.
- BPA
- Business Partners Agreement — terms governing a partnership.
- Due diligence
- Investigating risks before entering an agreement or activity.
- Due care
- Taking reasonable, ongoing steps to protect assets (the 'prudent person' standard).
- Right-to-audit clause
- A contract term allowing a customer to audit a vendor's security.
- Vendor/third-party risk
- Risk introduced by suppliers, MSPs, and partners with access.
- Supply chain analysis
- Assessing the security of vendors and the components they provide.
- Compliance
- Meeting legal, regulatory, and contractual security requirements.
- Consequences of non-compliance
- Fines, sanctions, reputational damage, and possible loss of license.
- Attestation
- A formal statement confirming the state of controls (often by an auditor).
- Privacy: right to be forgotten
- An individual's right to request deletion of their personal data.
- Data retention
- Policy defining how long data is kept and when it's securely destroyed.
- Internal vs. external audit
- Internal audits are run by the organization; external by independent third parties.
- Regulatory audit
- An assessment required by a law or regulator (e.g., PCI DSS, HIPAA).
- Known environment (white-box)
- A pen test where the tester has full knowledge of the target.
- Partially known (gray-box)
- A pen test where the tester has limited information.
- Unknown environment (black-box)
- A pen test with no prior information — simulates an outsider.
- Passive reconnaissance
- Gathering info without directly touching the target (e.g., OSINT).
- Active reconnaissance
- Directly probing the target (e.g., scanning), which can be detected.
- Security awareness training
- Ongoing education that teaches users to recognize and report threats.
- Phishing campaign (internal)
- A simulated phishing test used to measure and improve user awareness.
- Anomalous behavior recognition
- Training users to spot and report unusual activity.
- Onboarding/offboarding
- Procedures for granting access on hire and revoking it on departure.
- Playbook
- A documented set of steps for responding to a specific type of incident.