A comprehensive glossary of cybersecurity, compliance, and risk management terminology. Use this resource to understand key concepts in governance, risk, and compliance (GRC).
Security measures that regulate who can view or use resources in a computing environment. Includes authentication, authorization, and accounting (AAA).
AI systems that can autonomously take actions to achieve goals. In SigmaSRC, Agentic AI enforces security policies and remediates issues without human intervention.
A prolonged, targeted cyberattack where an intruder gains access to a network and remains undetected for an extended period to steal data.
A comprehensive list of all hardware, software, and data assets within an organization, essential for security and compliance management.
A chronological record of system activities that provides documentary evidence of the sequence of activities affecting an operation, procedure, or event.
The process of verifying the identity of a user, device, or system before granting access to resources.
The process of determining what resources a user, device, or system is permitted to access after authentication.
A minimum set of security controls that must be implemented across an organization to ensure a consistent security posture.
A plan that outlines how an organization will continue operating during and after a disaster or disruption.
An incident where sensitive, protected, or confidential data is accessed, copied, transmitted, or used by an unauthorized individual.
The three core principles of information security: Confidentiality, Integrity, and Availability.
A prioritized set of actions developed by the Center for Internet Security that provide specific, actionable ways to defend against the most common cyber attacks.
Configuration guidelines for various technology platforms, developed by the Center for Internet Security, that help organizations harden their systems.
A framework required for Department of Defense contractors that measures their cybersecurity maturity across five levels.
The use of technology to automatically monitor, enforce, and report on compliance with regulatory requirements and security policies.
When system configurations deviate from their defined baseline over time, potentially creating security vulnerabilities.
Real-time or near-real-time monitoring of security controls and compliance status, as opposed to periodic audits.
Information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy.
The process of categorizing data based on its sensitivity level and the impact if it were disclosed, altered, or destroyed.
Defense Information Systems Agency Security Technical Implementation Guides: configuration standards for DoD systems.
Technologies and strategies to prevent sensitive data from leaving an organization's control.
Automated monitoring to identify when system configurations deviate from their approved baseline.
The process of converting data into a coded format to prevent unauthorized access.
Any device that connects to a network, including computers, laptops, smartphones, tablets, and IoT devices.
The process of gathering and documenting proof that security controls are in place and functioning as intended.
A U.S. government program that provides a standardized approach to security assessment and authorization for cloud products.
U.S. legislation that requires federal agencies to develop, document, and implement security programs.
A network security device that monitors and filters incoming and outgoing network traffic based on security rules.
An assessment that identifies the difference between current security posture and desired or required security state.
European Union regulation on data protection and privacy for individuals within the EU and EEA.
An integrated approach to managing an organization's governance, risk management, and regulatory compliance.
The process of securing a system by reducing its vulnerability surface through configuration changes and removing unnecessary services.
U.S. legislation that provides data privacy and security provisions for safeguarding protected health information (PHI).
The Health Information Technology for Economic and Clinical Health Act that strengthens HIPAA enforcement and promotes health IT adoption.
A certifiable security framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
Security systems that monitor network traffic for suspicious activity and can take action to block threats.
The process of preparing for, detecting, containing, and recovering from security incidents.
A document that outlines an organization's approach to protecting information assets and managing security risks.
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, and maintaining security.
The principle of providing users with only the minimum levels of access needed to perform their job functions.
The process of collecting, storing, analyzing, and retaining log data from various sources for security and compliance purposes.
The process of linking regulatory requirements (mandates) to specific technical controls that satisfy those requirements.
Authentication requiring two or more verification methods from different categories (something you know, have, or are).
A network security technique that divides a network into small, isolated segments to limit lateral movement of threats.
North American Electric Reliability Corporation Critical Infrastructure Protection standards for the bulk electric system.
A U.S. agency that develops cybersecurity standards and guidelines, including the NIST Cybersecurity Framework.
A NIST publication that provides requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems.
Enhanced security requirements for protecting CUI, building upon NIST 800-171.
A catalog of security and privacy controls for federal information systems and organizations.
A voluntary framework consisting of standards, guidelines, and practices to manage cybersecurity risk.
European Union directive aimed at achieving a high common level of cybersecurity across member states.
The process of identifying, acquiring, installing, and verifying patches for software and firmware.
A set of security standards designed to ensure that companies processing credit card information maintain a secure environment.
Authorized simulated attacks on a computer system to evaluate its security.
Any information about health status, healthcare provision, or payment for healthcare that can be linked to an individual.
Any data that could potentially identify a specific individual.
A document that identifies tasks needed to remedy weaknesses or deficiencies in security controls.
The automated or manual process of ensuring that security policies are consistently applied across an organization.
An evaluation of an organization's overall security state, including controls, configurations, and vulnerabilities.
A method of regulating access to resources based on the roles of individual users within an organization.
The process of addressing and correcting security vulnerabilities or compliance gaps.
The process of identifying, analyzing, and evaluating risks to an organization's information assets.
Quantifying the level of risk associated with identified vulnerabilities or threats, typically on a numerical scale.
Technology that provides real-time analysis of security alerts generated by network hardware and applications.
A report on controls at a service organization relevant to user entities' internal control over financial reporting.
A report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy.
U.S. legislation that sets requirements for public company boards, management, and public accounting firms regarding financial reporting.
Supplier Performance Risk System score that reflects a contractor's NIST 800-171 compliance status.
A document that describes the security controls in place for an information system.
Information about current and emerging cyber threats that helps organizations understand and prepare for potential attacks.
The criteria used in SOC 2 assessments: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
A risk measurement technique that quantifies the potential financial impact of security incidents.
A weakness in a system, application, or network that could be exploited by a threat actor.
The cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating vulnerabilities.
A security model that assumes no user or device should be trusted by default, even if connected to a corporate network.
A vulnerability that is unknown to the software vendor and has no available patch.