A set of data that informs a computer’s operating system which permissions, or access rights, each user or group has to a specific system object, such as a directory or file. Each object has a unique security attribute that identifies which users have access to it, and the ACL is a list of each object and the user access privileges for it, such as read, write or execute.
Software that contains advertisements embedded in the application. Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. There are many ad-supported programs, games or utilities that are distributed as adware.
A type of security that manages and controls who or what is allowed entrance to a system, environment or facility. It identifies entities that have access to a controlled device or facility based on the validity of their credentials.
In information security, an asset refers to any set of data, piece of information, or device that you have. This includes all physical assets that data is stored on — such as your network, your computer, your phone, or a thumb drive. Read our blog post for information on
Biometrics are personal physical identifiers, like a fingerprint or facial data. For example, a smartphone may have a biometric lock, which uses a recognized fingerprint to unlock the device only for a specific user.
The process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during the execution of disaster recovery. Check out Carbide’s integrated Business Continuity Plan Builder.
The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
A Certified Information Systems Security Professional is an information security certification that is granted by (ISC)², an international nonprofit association. Since (ISC)² was founded in 1989 to create standardization and certification in a growing cybersecurity industry, CISSP has become a sought-after credential within the information security industry.
You can read more about the CISSP certification on the (ISC)² website.
The most senior person or role responsible for the development, implementation, maintenance of, and adherence to privacy policies and procedures, focusing on information and data gathering.
The most senior person or role responsible for the development, implementation, maintenance of, and adherence to privacy policies and procedures.
A formal document produced after a review of an organization’s processes around privacy and information security, using the Center for Internet Security’s framework as a model for measuring compliance.
Storage services provided by an external supplier and made available to organizations, or individuals, on terms and conditions defined by the external supplier. Cloud storage and associated files reside outside of the organization’s domain (data centres), facilitate the sharing of files, and make data available over a range of computers and other portable devices, usually accessed via a web browser, mobile app, synchronization client or drive mapping. Cloud storage provider examples include Dropbox, Box, Microsoft OneDrive, Apple iCloud and Google Drive.
A designation issued by the Information Systems Audit and Control Association (ISACA). The designation is the global standard for professionals who have a career in information systems, in particular, auditing, control, and security.
The most senior person or role responsible for reviewing and ensuring that compliance is maintained with regard to the information security policies and procedures of an organization.
The most senior person or role responsible for the development and implementation of an organization’s security policies as they relate to information or data gathering practices. The Chief Information Security Officer has to ensure the security of vital information.
The most senior person or role responsible for the development and implementation of an organization’s security policies and procedures.
CIS Controls and CIS Benchmarks are globally recognized standards and best practices for securing IT systems and data against attacks. Through an independent consensus process, CIS Benchmarks provide frameworks to help organizations bolster their security.
Read more on this term in our blog post.
Data Loss Prevention is the method or strategy an organization uses to ensure its employees and contractors do not share protected information, either accidentally or otherwise. DLP measures could include auditing, restricted user access, or software for tracking access to information or systems.
Companies that need to comply with the General Data Protection Regulation (GDPR) in the European Union are legally required to designate a data protection officer. This officer is required by these regulations to be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” The GDPR legally defines a data protection officer’s position and a number of tasks in Articles 38 and 39, which include responding to people who contact the data protection officer about anything related to “processing of their personal data and to the exercise of their rights.”
Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks.
Any information that can be used to identify an individual and that relates to their past, present or future health falls under the definition of PHI. This information must be encrypted by law, stored only in encrypted form, and transmitted only through secure means. However, in the case of research data for publication, PHI can be anonymized such that it is no longer considered “protected” and can be released without harm. Protected health information is defined by HIPAA as a list of 18 identifiers that must be protected and secured under the act. The identifiers include personal information such as name, date of birth, SSN, phone numbers and email addresses. Along with the personal identifiers, PHI covers such information as biometrics, full face images, medical record numbers, and health insurance beneficiary numbers.
A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
A type of cyber attack, usually using a botnet or group of infected computers, to overwhelm a target with fake internet traffic. This results in a “flood” of requests to the victim, which can cause the target of the attack to stop working correctly or to stop responding to legitimate requests.
A malicious act where huge numbers of emails are directed to a specific system or a targeted user of that system. Email bombs will usually fill the space allotted to the user’s email on an email server and can result in crashing the email server, or at the very least, possibly rendering the user’s computer useless as their email client attempts to download huge amounts of email.
The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as ciphertext.
A network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Network firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Flooding is a Denial of Service (DoS) attack that is designed to bring a network or service down by flooding it with large amounts of traffic. Flood attacks occur when a network or service becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests. By flooding a server or host with connections that cannot be completed, the flood attack eventually fills the host’s memory buffer. Once this buffer is full no further connections can be made, and the result is a Denial of Service.
The GDPR is a data protection regulation of the European Union. Its purpose is to protect the rights of EU citizens with respect to their personal data. It primarily applies to any organization that collects or processes personal data of EU citizens. In order to be compliant, an organization must align its data collection and processing activities to the requirements of the seven key principles outlined in the GDPR.
Read more on this term in our blog post.
HIPAA is the federal standard of health data privacy compliance in the United States. This law governs healthcare entities, health insurance providers, other “covered entities,” and business associates (such as technology vendors) regarding all “Protected Health Information” (PHI). HIPAA regulations are designed to protect the personal and medical information of U.S. citizens. Some states have adopted even more protective state legislation.
A host is a computer or other device connecting to a network or the internet. This may also be used specifically to refer to a web host provider, which provides services and web servers for “hosting” websites for businesses and individuals.
HITRUST is a privately held company working in collaboration with healthcare, technology, and information security organizations and industry to create the HITRUST Common Security Framework (CSF). This framework is a set of controls created to protect and maintain the privacy and security of Personal Health Information. By utilizing controls and standards similar to ISO and HIPAA, the HITRUST CSF is used as a standard to demonstrate compliance and security within your organization.
An incident response plan will determine the steps to take in the event of a cybersecurity incident at your business. An “incident” can range from a phishing attempt, such as a suspicious email asking for personal information, to your computer repeatedly crashing in an unusual way that could indicate malware. Identifying such suspicious activity immediately can help catch attempted or active cyberattacks.
Read our blog post for more information on incident response plans.
An information security auditor is someone who looks at the safety and effectiveness of computer systems and their security components. A security auditor is mainly concerned with computer systems that may be out of date and could be at risk of a hacker attack.
The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ‘ISO27K’ for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
An information security program is designed to protect customers, employees, owners, and stakeholders from data breaches, loss of data, and loss of productivity. A security team is generally responsible for the design, configuration, implementation, and management of the information security program, but every single employee and contractor in the organization is responsible for following the policies and procedures. This means being aware of policies and procedures, reading them, and asking questions if there is anything unclear.
Short for Media Access Control address, a hardware address that uniquely identifies each node of a network.
Any type of malicious software designed to enter and cause damage to users’ computers without their knowledge. According to the Canadian Centre for Cyber Security, some “common forms of malware include computer viruses, worms, Trojans, spyware, and adware.” These types of attacks increase during times of crisis.
The National Institute of Standards and Technology is “a unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards,” according to the SANS Internet Storm Center.
In network management terms, network monitoring is the phrase used to describe a system that continuously monitors a network and notifies a network administrator through messaging systems (usually email) when a device fails or an outage occurs. Network monitoring is usually performed through the use of software applications and tools.
Network security is defined as “the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment,” according to the SANS Institute. Read our blog post for information on network security.
A packet is a small piece of data which is transmitted over a packet-switching network from one device to another. “One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams,” according to the SANS Internet Storm Center. See Packet Sniffing and Packet Switched Network.
A passphrase is a long password that is generally at least 20 characters and made up of multiple words. Strong passphrases are harder for computers to guess than passwords because they are longer and less predictable, especially if you choose one that’s unique to you. If you use a passphrase you should avoid common expressions, clichés, and quotations. For example, ToBeOrNotToBeThatIsTheQuestion123 is not a good passphrase because computers can easily identify it as from the Shakespeare play Hamlet, even though you’ve added numbers to the end.
A utility to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply. Primarily used to troubleshoot Internet connections.
A port scan is a “series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides. Port scanning gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can, therefore, be probed for weakness,” according to the SANS Internet Storm Center.
An information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
A national standard for privacy and personal information security in the private sector. The Act outlines how private organizations collect, store, process, and disclose personal information.
A PIA is a formal risk management tool used to identify effects (actual or potential) on an individual’s privacy that a system, technology, or business may have. A PIA also identifies methods for mitigating privacy risks. PIAs are commonly adopted by healthcare organizations to analyze privacy impact and identify opportunities for improvement.
A method of communication using electromagnetic or electrostatic coupling in the radio frequency to track tags or tagged objects. Each tag contains information that is passed over a radio frequency when close enough to be read by the device reading the tags.
How an organization as a whole approaches the risks that could affect their security. An organization’s posture could include proactive planning, risk mitigation efforts, and remediation activities. Risk assessments are a way to measure and examine risks that could affect an organization. In order to understand what risks could affect your organization, it is best to have a document that is continually updated on a set schedule or as new risks are identified.
Read more on this term in our blog post.
Malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.
Malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system’s operating system has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system’s OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.
The Sarbanes-Oxley Act is a United States federal law that was created to regulate corporate financial accounting and reporting, after revelations of misdeeds including the Enron scandal. The purpose is to “oversee the audit of public companies that are subject to the securities laws; establish audit report standards and rules; and inspect, investigate, and enforce compliance on the part of registered public accounting firms, their associated persons, and certified public accountants,” according to the H.R.3763 – Sarbanes-Oxley Act of 2002 by the 107th United States Congress.
A protocol for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
Methods that outline how security is implemented. This can be a collection of policies, procedures, and standards that create the governance and management structures necessary to secure endpoints, software and data.
The overall security of your company’s IT resources, including the processes and plans you have established to defend your resources from cybercrime. Vendor security questionnaires are commonly used by businesses to assess the security posture of a potential service provider.
The act or practice of splitting a computer network into subnetworks, each being a network segment. The advantages of such splitting are primarily boosting performance and improving security.
A program and/or device that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network’s security because they are virtually impossible to detect and can be inserted almost anywhere.
A Service Organization Control 1 or SOC 1 (pronounced “sock one”) report is written documentation of the internal controls that are likely to be relevant to an audit of a customer’s financial statements.
A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.
The knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.
Read more on this term in our blog post.
A person or role responsible for enforcement and administration of an organization’s security policies and procedures.
An analysis of the current security policies, procedures, and operations, resulting in a report on the security weaknesses and strengths at a business.
Any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes.
A SOC 2 report is the result of an audit reviewing the security controls related to operations and compliance of a service provider, such as a software company, as outlined by the American Institute of CPAs (AICPA) Trust Services Criteria. Enterprise businesses may require potential vendors to share a SOC 2 report to assess their security posture before procurement, especially if it is a service or product that processes sensitive data.
A Threat and Risk Assessment analyzes a software system for vulnerabilities, examines potential threats associated with those vulnerabilities, and evaluates the resulting security risks. A vulnerability is a flaw or weakness in system security (procedures, design, implementation, or internal controls) that could be triggered or exploited and result in a security breach.
The process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company.
A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.
A network that is constructed to connect to a private network, such as a company’s internal network. There are a number of systems that enable you to create networks using the Internet as the medium for transporting data. A VPN secures the private network, using encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.
When an unauthorized user joins non-password-protected meetings via public links or using “guessable” meeting IDs to harass or disrupt the meeting and its members. This became a notable trend during the COVID-19 pandemic, especially in online classrooms.