Knowledge Hub

Expand Your Horizons.

Step into the future of GRC and Cybersecurity knowledge, where our transformative insights both inspire and elevate your understanding.

Unlock Transformation with VisionaryPoint's capabilities. Empowering Leaders and igniting the future through our Integrated GRC Solutions.





Cybersecurity Knowledge Hub


Concepts and Definitions.

Elevate Your Understanding. Learn, Explore, Enrich with Our Knowledge Hub.

GRC Terms in A

Access Control

Policies and procedures that restrict or manage access to certain information or systems within an organization.


The expectation that individuals and organizations will be responsible for their actions and decisions.


Conforming to or following established guidelines, policies, or regulations.

Agile Governance

Applying agile methodologies to the governance process, allowing for more flexibility and adaptability in responding to changing business environments.

Asset Management

The systematic process of developing, operating, maintaining, upgrading, and disposing of assets in a cost-effective manner.


The process of evaluating risks and controls to determine the effectiveness of a company’s GRC practices.


An examination of processes, controls, and activities within an organization to ensure compliance with policies and regulations.

Cybersecurity Terms in A

Address Resolution Protocol Spoofing (ARP Spoofing)

An attack where the attacker sends falsified ARP messages over a local area network to link the attacker’s MAC address with the IP address of a legitimate computer or server.

Advanced Persistent Threat (APT)

A prolonged and targeted cyberattack in which an unauthorized user gains access to a network and remains undetected for an extended period.


The process of removing or modifying personally identifiable information from data to protect the privacy of individuals.

Application Programming Interface (API)

A set of rules that allows one software application to interact with another, often used for secure data sharing between applications.

Attack Surface

The sum of all possible entry points or vulnerabilities in a system that could be exploited by an attacker.

Attack Vector

The path or means by which a hacker gains access to a computer system or network to deliver a malicious outcome.


Ensuring that systems and data are accessible and operational when needed, and protecting against disruptions.

GRC Terms in B

Backup and Recovery

The process of creating and maintaining copies of data to ensure its availability in the event of data loss, system failure or other disruptions.

Balanced Scorecard

A strategic performance management tool that measures an organization’s activities in terms of its vision and strategies, incorporating financial and non-financial performance indicators.

Best Practices

Established methods or techniques that are widely recognized as effective and efficient in achieving specific business objectives or compliance goals.

Bribery and Corruption Controls

Policies and measures implemented to prevent and detect bribery and corruption within an organization.

Business Continuity Planning (BCP)

The process of developing and implementing strategies to ensure a business can continue operating in the event of a disaster or cybersecurity incident.

Business Ethics

The principles and standards that guide ethical behavior in business, ensuring that organizations operate with integrity and accountability.

Business Impact Analysis (BIA)

An assessment of the potential impact of disruptions to business operations, helping organizations prioritize their recovery efforts.

Cybersecurity Terms in B


A hidden or unauthorized means of access to a computer system, typically used for malicious purposes.

Blue Team

Security professionals responsible for defending and maintaining the security of a system or network.


A network of compromised computers (bots) that are controlled by a single entity (botmaster) for malicious activities.

Brute Force Attack

A type of attack where an attacker systematically tries all possible combinations of passwords or encryption keys until the correct one is found.

Browser Isolation

A security approach that executes web content in a separate environment to protect the local system from malicious code.

Bring Your Own Device (BYOD)

A policy allowing employees to use their personal devices for work, raising security concerns about data protection and network access.

Bug Bounty Program

A program that rewards individuals for finding and reporting software vulnerabilities to the organization.

GRC Terms in C

Capability Maturity Model Integration (CMMI)

A framework for improving and assessing an organization’s processes, including risk management and compliance practices.

Change Management

A systematic approach to dealing with changes within an organization, ensuring that changes are implemented smoothly with minimal disruption.

Cloud Governance

Policies and processes for managing and controlling the use of cloud services to ensure compliance and mitigate risks.


Adhering to laws, regulations, policies, and standards relevant to an organization’s operations.

Conflict of Interest

A situation in which an individual or entity has competing interests that could compromise their objectivity, leading to potential risks.

Continuous Monitoring

The ongoing process of tracking, evaluating, and managing risks and compliance in real-time rather than through periodic assessments.

Control Framework

A structured approach to defining, implementing, and managing controls within an organization to ensure compliance and manage risks.

Control Self-Assessment (CSA)

A process in which individuals within an organization assess and evaluate the effectiveness of controls related to their own activities.

Crisis Communication

The strategic communication process to manage and respond to a crisis, involving both internal and external stakeholders.

Crisis Management

The process of preparing for, responding to, recovering from, and learning from events that pose a threat to an organization.

Cybersecurity Terms in C

CIA Triad

The CIA Triad is a fundamental concept in cybersecurity, representing three core principles: Confidentiality, Integrity, Availability. These principles guide the development of effective security measures and policies.

Cloud Security

Measures and strategies to protect data, applications, and infrastructure in cloud computing environments.

Compromise Assessment

An evaluation of an organization’s systems and networks to identify signs of a security breach or compromise.

Credential Stuffing

A cyberattack method where attackers use stolen username and password combinations to gain unauthorized access to multiple accounts.

Critical Infrastructure

Systems and assets vital to a country’s functioning, such as energy, transportation, and communication, which are often targeted by cyber threats.


The practice and study of techniques for securing communication and data by encoding information so that only authorized parties can understand it.

Cyber Hygiene

Best practices and habits to maintain a secure online environment, including regular updates, strong passwords, and safe browsing.

Cyber Resilience

The ability of an organization to prepare for, respond to, and recover from cybersecurity incidents, ensuring business continuity.

Cyber Threat Intelligence

Information collected, analyzed, and disseminated to understand and counter cybersecurity threats.


The practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access.

Cybersecurity Framework

A set of guidelines, best practices, and standards to help organizations manage and improve their cybersecurity posture.

Cross-Site Scripting (XSS)

A type of security vulnerability where attackers inject malicious scripts into web pages viewed by other users.

GRC Terms in D

Data Classification

The categorization of data based on its sensitivity, importance, and the level of protection required.

Data Governance

The management framework for ensuring high data quality, data management, data protection, and compliance with data-related regulations.

Delegation of Authority

The process of assigning decision-making authority to individuals or teams within an organization.

Disaster Recovery (DR)

The process and set of policies for recovering and restoring critical business operations after a disruptive event.


The creation, management, and storage of records and information related to GRC processes to provide evidence of compliance and decision-making.

Document Management

The systematic control and organization of documents to ensure efficient retrieval, storage, and disposal.

Due Diligence

The process of thoroughly researching and assessing the potential risks and benefits associated with a business decision or transaction.

Cybersecurity Terms in D

Dark Web

A part of the internet that is intentionally hidden and inaccessible through standard web browsers, often associated with illegal activities.

Data Breach

Unauthorized access, disclosure, or acquisition of sensitive data.

Data Loss Prevention (DLP)

Strategies and tools to prevent unauthorized access, use, and transmission of sensitive data.

Digital Forensics

The process of collecting, analyzing, and preserving electronic evidence to investigate and respond to cybercrimes.

Distributed Denial of Service (DDoS)

An attack that overwhelms a system or network with a flood of traffic, making it unavailable to users.

Drive-By Download

Malicious software download that occurs without the user’s knowledge or consent when visiting a website.

Deep Packet Inspection (DPI)

A method of analyzing and filtering network traffic at the packet level to identify and respond to potential threats.

GRC Terms in E


The process of identifying, collecting, and producing electronic information in response to legal or regulatory requests.

Employee Training and Awareness

Programs and initiatives to educate employees about GRC policies, procedures, and ethical standards to ensure compliance.

Enterprise Architecture

The process of aligning an organization’s business processes, IT infrastructure, and information systems with its strategic objectives.

Enterprise Risk Management (ERM)

A comprehensive and integrated approach to managing all types of risks across an entire organization.

Environmental, Social, and Governance (ESG) Criteria

Criteria that measure a company’s performance in areas related to environmental sustainability, social responsibility, and corporate governance.


The process of raising concerns or issues to higher levels of management or authority for resolution.

Event Management

The systematic process of identifying, assessing, prioritizing, and responding to events that could impact an organization’s objectives.


The degree to which an organization is at risk of potential harm, loss, or negative impact.

External Audit

An independent examination of an organization’s financial statements, controls, and compliance with external standards by an external auditing firm.

Entity-Level Controls

Controls that operate at the organizational level and impact multiple business processes, ensuring overall compliance and risk management.

Cybersecurity Terms in E

Email Spoofing

The forgery of an email header to make the message appear as if it came from a trusted source.

End-to-End Encryption

A method of secure communication that prevents third-parties from accessing data while it’s transferred from one end system to another.

Endpoint Detection and Response (EDR)

A cybersecurity technology that continuously monitors and responds to advanced threats on endpoints.

Endpoint Security

Protection of computer networks that are remotely bridged to client devices.

Ethical Hacking

Authorized and legal hacking activities performed by security professionals to identify vulnerabilities in a system.

Event Logging

The recording of events or activities in a system, often used for security monitoring and analysis.


A piece of software or sequence of commands that takes advantage of a vulnerability to cause unintended behavior in software, hardware, or electronic systems.


Unauthorized interception of private communication, often through passive monitoring.

GRC Terms in F

Fault Tree Analysis

A method used to analyze and visualize the potential causes of a specific event or failure, often employed in risk management.

Financial Risk

Risks associated with financial activities, including market risk, credit risk, and liquidity risk.

Formal Controls

Explicitly defined policies, procedures, and guidelines established by an organization to ensure compliance and manage risks.

Forensic Audit

An examination of financial records and transactions with the goal of uncovering evidence for legal proceedings, often related to fraud or financial misconduct.

Fraud Detection

The use of technology, analytics, and monitoring to identify and prevent fraudulent activities within an organization.

Fraud Prevention

Strategies, controls, and measures put in place to detect and prevent fraudulent activities within an organization.

Functional Segregation of Duties (SoD)

The practice of dividing tasks and responsibilities among different individuals or teams to prevent conflicts of interest and reduce the risk of errors or fraud.

Cybersecurity Terms in F

File Integrity Monitoring (FIM)

Monitoring and detecting changes to files for data integrity.


A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.


The application of scientific methods to investigate cybercrimes.


Testing technique involving inputting random data to find vulnerabilities.

Full Disk Encryption (FDE)

Encryption of an entire storage device for data protection.

GRC Terms in G

Gap Analysis

The process of assessing the difference between current practices and desired objectives, often used in compliance and risk management.

General Data Protection Regulation (GDPR)

European Union regulation designed to protect the privacy and personal data of individuals, requiring organizations to adhere to specific data protection standards.

Geopolitical Risk

Risks arising from political and economic instability, trade tensions, or other geopolitical factors that can affect global business operations.

Global Risk

Risks that have the potential to impact organizations on a global scale, such as economic downturns, geopolitical events, or pandemics.


The system of rules, practices, and processes by which an organization is directed and controlled to achieve its goals while addressing risks and ensuring compliance.

Governance, Risk, and Compliance (GRC)

An integrated approach to managing the three key components of organizational success: governance, risk management, and compliance.

Green IT Governance

Governance practices focused on environmentally sustainable and energy-efficient information technology operations.

GRC Software

Software solutions designed to streamline and automate governance, risk, and compliance processes within an organization.

Cybersecurity Terms in G


A device or software that connects different networks and serves as an entry point for data traffic.

Gray Hat Hacker

An individual who engages in both ethical and potentially malicious hacking activities.

GRC Terms in H


The process of aligning and standardizing policies, processes, and controls across different departments or business units to achieve consistency and efficiency.

Heat Map

A visual representation of data where values are depicted by color, often used in risk management to highlight areas of concern or priority.

Holistic Risk Management

An integrated and comprehensive approach to managing risks across an entire organization, considering various factors and interdependencies.

Hybrid Cloud Governance

Policies and controls for managing and securing data and applications in a hybrid cloud environment, which combines on-premises infrastructure with cloud services.

Cybersecurity Terms in H


The process of securing a computer system by reducing its vulnerabilities and limiting potential attack surfaces.


The process of converting input data (such as passwords) into a fixed-length string of characters, typically for security purposes.

Hypertext Transfer Protocol Secure (HTTPS)

A secure version of HTTP that encrypts data transmitted between a user’s browser and a website, often used for secure online transactions.

GRC Terms in I

Incident Management

The process of identifying, managing, and resolving security incidents, ensuring a rapid response to minimize the impact of security breaches.

Information Governance

The management framework for controlling and protecting information assets, ensuring their accuracy, integrity, and availability.

Information Security Policy

An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations by evaluating and improving the effectiveness of risk management, control, and governance processes.

Internal Control

Policies, procedures, and practices implemented by an organization to ensure the reliability of financial reporting, compliance with laws, and safeguarding of assets.

ISO 31000

An international standard providing guidelines for risk management, outlining principles, framework, and a process for managing risk effectively.

IT Governance

The framework and practices for aligning IT strategy with business objectives, ensuring the effective use of IT resources and managing associated risks.

IT Risk

Risks associated with the use of information technology, including cybersecurity threats, data breaches, and system failures.

Cybersecurity Terms in I

Incident Response

The process of managing and mitigating the impact of a cybersecurity incident or breach.

Insider Threat

The risk posed to an organization’s security by individuals within the organization, such as employees, contractors, or business partners.


Ensuring the accuracy and reliability of information, systems, and data.

Internet of Things Security (IoT Security)

Measures to protect internet-connected devices from cybersecurity threats.

IP Address Spoofing (IP Spoofing)

A technique where an attacker sends IP packets from a false (or « spoofed ») source address to deceive the

Identity and Access Management (IAM)

Policies, processes, and technologies that manage digital identities and control access to resources.

Indicators of Compromise (IoC)

Artifacts or behaviors that suggest a system has been compromised or under attack.

Information Security

The practice of protecting information from unauthorized access, disclosure, disruption, modification, or destruction.

Intelligence-Led Security

A proactive approach to cybersecurity that uses threat intelligence to inform decision-making and defense strategies.

Intrusion Detection System (IDS)

A security technology that actively blocks or prevents unauthorized access or malicious activities.

ISO 27001

An international standard for information security management systems, providing a framework for organizations to manage and secure their information assets.

IT Security

The protection of information technology systems and data from unauthorized access, attacks, or damage.

GRC Terms in J

Job Rotation

A practice where employees are moved between different roles within an organization to prevent fraud, increase cross-functional knowledge, and mitigate risk.

Joint Audit

An audit conducted by multiple parties, such as internal and external auditors or auditors from different business units, to assess and ensure compliance with governance and regulatory requirements.

Cybersecurity Terms in J

Jamming Attack

A cyber attack technique where the attacker disrupts or disables communication by transmitting interference signals.

JavaScript Security

Measures and practices to secure JavaScript code from vulnerabilities and malicious exploitation.

JSON Web Token (JWT)

A compact, URL-safe means of representing claims between two parties, commonly used for authentication and authorization.

GRC Terms in K

Key Risk Indicator (KRI)

A measurable metric used to assess and monitor a specific risk within an organization’s risk management framework.

Key Control Indicator (KCI)

A metric used to evaluate and measure the effectiveness of controls in managing risks.

Key Performance Indicator (KPI)

A measurable value used to assess the performance and effectiveness of an organization in achieving its goals and objectives in the context of GRC.

Key Risk Profile (KRP)

A summary of an organization’s key risks, including their potential impact, likelihood, and mitigation strategies.


An unethical practice where a person or entity receives illegal payments or rewards in return for providing favorable treatment or business opportunities.

Knowledge Management

The process of capturing, organizing, and utilizing an organization’s knowledge and expertise to improve decision-making, collaboration, and risk management.

KYC (Know Your Customer)

A compliance process carried out by financial institutions to verify the identity of customers and assess the potential risks associated with their activities.

Cybersecurity Terms in K


A network authentication protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity.


The core part of an operating system that oversees the communication between hardware and software components, including security-related operations.


Malicious software or hardware that records keystrokes on a computer or device, often used to capture sensitive information like passwords.

Keystroke Dynamics

A biometric authentication technique that analyzes the behavioral patterns of an individual’s keystrokes to verify their identity.

Key Exchange (KE)

A process in cryptography where two communicating entities securely exchange cryptographic keys to establish a secure communication channel.

Key Management

The process of generating, storing, handling, and protecting cryptographic keys used in encryption and decryption processes.

Knowledge-Based Authentication (KBA)

An authentication method that verifies a user’s identity by asking them questions based on personal information known to the user, such as their mother’s maiden name or the name of their first pet.

GRC Terms in M


The authority or permission granted to an individual or entity to perform specific tasks or make decisions within an organization.


The process of reducing the severity or impact of a risk through preventive or corrective actions.

Mobile Device Management (MDM)

Policies and technologies used to secure and manage mobile devices within an organization, ensuring compliance and data security.

Model Risk

The risk of financial loss resulting from the use of models or statistical techniques that are incorrect or misapplied.


The ongoing observation and surveillance of processes, controls, and activities to ensure compliance and identify emerging risks.

Cybersecurity Terms in M


Malicious software designed to harm or exploit computer systems or networks, including viruses, worms, Trojans, and ransomware.

Man-in-the-Middle Attack (MitM)

An attack where an attacker intercepts and potentially alters communication between two parties without their knowledge.

GRC Terms in N

Need-to-Know Principle

A security principle that restricts access to sensitive information to only those individuals who require it for their job responsibilities.


Failure to adhere to laws, regulations, policies, or standards relevant to an organization’s operations.

Non-Disclosure Agreement (NDA)

A legal contract that outlines confidential information that parties share with each other and restricts its use.

Non-Discretionary Access Control

Access control policies and mechanisms that are determined by an organization’s policies and cannot be changed by individual users.

Notification of Breach

The process of informing relevant parties about a security breach or data breach, typically required by data protection regulations.

Cybersecurity Terms in N

National Institute of Standards and Technology (NIST)

A U.S. government agency that develops and promotes cybersecurity standards and best practices.

Network Access Control (NAC)

A security approach that enforces policies to control access to a network, ensuring only authorized devices can connect.

Network Address Translation (NAT)

A technique that modifies network address information in packet headers while in transit, typically to map private IP addresses to a public IP address.

Network Forensics

The process of capturing, recording, and analyzing network events to identify security incidents.

Network Security

Measures and strategies to protect computer networks from unauthorized access, attacks, or data breaches.

Next-Generation Firewall (NGFW)

A firewall that integrates additional features beyond traditional firewall capabilities, such as intrusion prevention systems (IPS) and application-layer filtering.


A security property that prevents an individual or entity from denying the validity of their actions or commitments.

GRC Terms in O


Clear and specific goals or outcomes that an organization aims to achieve within a defined timeframe.

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, systems, people, or external events.


The practice of contracting out certain business functions or processes to external service providers.


The supervision, monitoring, and review of activities and processes to ensure they align with organizational goals and comply with relevant standards.


The assignment of responsibility for a specific task, process, or control to an individual or team within an organization.

Cybersecurity Terms in O

Open Authorization (OAuth)

An open standard for access delegation, commonly used for granting third-party applications limited access to a user’s resources.

Open Source

Software with a source code that is made available to the public, allowing anyone to view, modify, and distribute it.

Open Web Application Security Project (OWASP)

An online community that produces freely available security-related resources for web application developers.

GRC Terms in P


A set of principles, guidelines, or rules established by an organization to govern its operations and decision-making.

Policy Management:

The systematic process of developing, implementing, and monitoring organizational policies to ensure compliance.

Preventive Controls

Measures and mechanisms designed to proactively avoid or minimize the occurrence of risks and issues.

Privacy Impact Assessment (PIA)

An assessment that identifies and evaluates the potential privacy risks and impacts of a project, system, or process.


A series of structured activities or steps designed to achieve a specific outcome or goal within an organization.

Process Mapping

The visual representation of a business process, illustrating its steps, inputs, outputs, and relationships.

Program Governance

The set of practices and processes for overseeing and managing an organization’s programs, ensuring alignment with strategic objectives.

Cybersecurity Terms in P

Packet Sniffing

The practice of intercepting and examining network traffic, often to capture sensitive information.

Password Hash

A cryptographic representation of a password, stored in databases instead of the actual password for security.

Patch Management

The process of planning, testing, and applying patches or updates to software and systems to address vulnerabilities and improve security.

Penetration Testing

A simulated cyberattack on a computer system, network, or web application to identify security vulnerabilities.


A type of social engineering attack where attackers attempt to trick individuals into providing sensitive information.

Physical Security

Measures to protect physical assets, facilities, and information from unauthorized access or damage.

Proxy Server

An intermediate server that acts as a gateway between a user’s device and the internet, providing security and anonymity.

GRC Terms in Q

Quality Control

Procedures, measures, and processes implemented to ensure that products, services, or operations meet specified quality standards.

Quality Management System (QMS)

A set of policies, processes, and procedures for planning and executing an organization’s core business processes with a focus on meeting customer expectations and regulatory requirements.

Cybersecurity Terms in Q


Isolating or restricting access to a system, network, or device that is suspected of being compromised to prevent further harm.

Quick Response Code (QR Code)

A two-dimensional barcode that can store various types of data, often used for quick access to information or links.

Quantum Computing

A type of computing that uses the principles of quantum mechanics, potentially impacting current cryptographic methods.

GRC Terms in R

RACI Matrix

A matrix that defines and clarifies the roles and responsibilities for each task or activity within a project or business process (Responsible, Accountable, Consulted, Informed).

Residual Risk

The level of risk that remains after risk mitigation measures have been applied.


The uncertainty of an event occurring that could have an impact on achieving objectives. Risk is often assessed in terms of likelihood and potential consequences.

Risk Appetite

The level of risk that an organization is willing to accept or tolerate to achieve its objectives.

Risk Assessment

The process of identifying, analyzing, and evaluating risks to understand their potential impact on an organization.

Risk Control

Measures and actions taken to manage and mitigate identified risks within an organization.

Risk Culture

The shared values, beliefs, and behaviors within an organization that influence how risks are perceived and managed.

Risk Identification

The process of recognizing and documenting potential risks that could affect an organization’s objectives.

Risk Management

The systematic process of identifying, assessing, prioritizing, and managing risks to achieve organizational objectives.

Risk Mitigation

Actions taken to reduce the likelihood or impact of identified risks.

Risk Register

A centralized document that captures and tracks information about identified risks, including their status and mitigation plans.


The process of correcting or resolving issues, deficiencies, or non-compliance identified during audits or assessments.

Records Management

The systematic control of an organization’s records, including their creation, storage, retrieval, and disposal, to ensure compliance and efficient business operations.

Root Cause Analysis

A methodical process for identifying the underlying causes of problems or incidents to prevent their recurrence.

Cybersecurity Terms in R


Malicious software that encrypts a user’s files and demands payment for their release.

Red Team

A group of security professionals who simulate cyberattacks to test and improve an organization’s defenses.

Reverse Engineering

The process of analyzing a system, software, or network to understand its design and functionality, often for security research.


A type of malicious software that provides unauthorized access to a computer or network while hiding its presence.

Role-Based Access Control (RBAC)

A method of restricting network access based on the roles of individual users within an organization.


A network device that forwards data packets between computer networks, often providing firewall capabilities.

GRC Terms in S

Sarbanes-Oxley Act (SOX)

U.S. legislation that establishes requirements for public company boards, management, and public accounting firms to ensure transparency and accountability in financial reporting.

Scenario Analysis

The process of examining and evaluating possible future events or situations to understand their potential impact on an organization.

Social Responsibility

The ethical and transparent conduct of an organization, taking into account its impact on society, the environment, and the well-being of stakeholders.


Individuals or groups that have an interest, involvement, or concern in an organization’s activities, objectives, or performance.

Strategic Risk

Risks arising from factors that may affect an organization’s ability to achieve its long-term objectives and strategic goals.

System Development Life Cycle (SDLC)

The process of planning, creating, testing, deploying, and maintaining an information system.

Systemic Risk

The risk of a widespread failure within a financial system, market, or economy that could have a cascading impact.

Cybersecurity Terms in S


Malicious software or content designed to deceive users by presenting false security threats or misleading information, often in an attempt to trick them into paying for unnecessary products or services.

Secure Sockets Layer (SSL)

A cryptographic protocol that provides secure and encrypted communication over the internet, often used to secure sensitive information during online transactions.

Security Information and Event Management (SIEM)

A cryptographic protocol that provides secure and encrypted communication over the internet, often used to secure sensitive information during online transactions.

Social Engineering

Techniques used by hackers to manipulate or deceive individuals into revealing sensitive information or performing certain actions that compromise security.


The act of impersonating someone or something else in order to deceive users or systems. This can involve IP spoofing, email spoofing, or website spoofing, among others.

SQL Injection

A type of web application attack where an attacker injects malicious SQL code into a vulnerable database query, potentially allowing unauthorized access or manipulation of data.

GRC Terms in T

Third-Party Risk Management

The process of identifying, assessing, and mitigating risks associated with external vendors, suppliers, and service providers.

Testing and Assurance

Processes and activities designed to evaluate the effectiveness of controls, systems, or processes within an organization.

Time-to-Recovery (TTR)

The time it takes to restore normal operations after a disruptive event or incident.

Tone at the Top

The ethical and compliance values set by an organization’s leadership, influencing the organization’s culture and behavior.

Testing and Assurance

Processes and activities designed to evaluate the effectiveness of controls, systems, or processes within an organization.

Cybersecurity Terms in T

Trojan Horse

Malicious software disguised as legitimate software to deceive users and gain unauthorized access to a system.

Transport Layer Security (TLS)

A protocol that ensures privacy between communicating applications and users on the internet.

Threat Surface

The sum of all potential entry points or vulnerabilities in a system that can be exploited by cyber threats.

Transmission Control Protocol/Internet Protocol (TCP/IP)

The fundamental suite of protocols governing the internet.

GRC Terms in U

Underlying Controls

The foundational controls and mechanisms that support an organization’s overall governance, risk, and compliance efforts.

Unified Compliance Framework

The process of exaA framework that consolidates multiple regulatory requirements and standards into a single set of controls to simplify compliance efforts.mining and evaluating possible future events or situations to understand their potential impact on an organization.

User Access Management

The process of managing and controlling user access to information systems and data, ensuring appropriate levels of access based on roles and responsibilities.

Cybersecurity Terms in U

Unified Threat Management (UTM)

A comprehensive security solution that combines multiple security features into a single platform or appliance.

User Account Control (UAC)

A security feature in Windows operating systems that prompts users for permission before allowing certain system changes.

GRC Terms in V

Value at Risk (VaR)

A statistical measure used to quantify the potential financial loss or risk exposure within a specific time frame and confidence level.

Vendor Risk Management

The process of assessing and mitigating risks associated with third-party vendors, suppliers, and service providers.


The degree of variation of a trading price series over time, often used in financial risk analysis.


Weaknesses or flaws in a system, application, or process that could be exploited by threats to compromise the security or functionality of the system.

Cybersecurity Terms in V

Virtual Private Network (VPN)

A network technology that creates a secure and encrypted connection over a less secure network, such as the internet.

Virtual Local Area Network (VLAN)

A network segmentation technique that creates multiple logical networks within a single physical network.

GRC Terms in Y

Yield Curve Risk

A graphical representation of the relationship between the interest rates and the time to maturity for a set of fixed-income securities, often used in risk analysis and financial planning.

Cybersecurity Terms in Y

YARA Rules

YARA is a pattern-matching tool for identifying and classifying malware or other malicious activities. YARA rules are used to define conditions for recognizing specific patterns in files or processes.

GRC Terms in Z

Zero Trust

A security framework that assumes no level of trust by default, requiring verification for every access request, regardless of whether it originates from inside or outside the network perimeter.


A segment or area within a network that has a defined level of security requirements or restrictions, often used in network architecture to control and monitor access.

Cybersecurity Terms in Z

Zero-Day (0-Day)

A vulnerability in software or hardware that is unknown to the vendor or the public, making it a potential target for exploitation before a fix or patch is available.

Zero-Day Exploit

An attack that takes advantage of a software vulnerability on the same day the vulnerability becomes publicly known, with no available fix or patch.

Zone transfer

The process of replicating DNS (Domain Name System) data from a primary server to a secondary (backup) server.

Zombie network

A group of compromised computers or devices that are controlled by a hacker to perform malicious activities.