The ISC2 Cybersecurity Lexicon
An introduction to basic cybersecurity terminology and concepts
D

a vulnerability for denial or delay of service, exfiltration or unauthorized modification of data.

E

Encryption
the conversion of electronic data into ciphertext that theoretically can only be decoded by authorized parties.

Endpoint
a general term referring to a desktop computer, laptop or notebook computer or mobile device.

Firewall
a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Usually the first line of defense in a network.

Five Pillars of Information Security

Confidentiality
the attribute of data that ensures information is only being exposed to appropriately authorized parties and other systems.

Availability
the attribute of data that ensures it is always available to appropriate parties when required for use.

Non-repudiation
a method of guaranteeing message transmission between parties via digital signature and/or encryption.

Authentication
the process or action of verifying the identity of a user or process.

G

Governance, Risk and Compliance (GRC)
the process of how an organization manages its information resources. This process usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions. It is designed to ensure the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines

H

Hacker
a slang term that can mean a hostile human threat to IT systems, an IT security professional, a vulnerability researcher or an amateur security person.

Honeypot
decoy servers or systems set up to gather information regarding human threats.

I

Identity and Access Management (IAM)
the framework for business processes that facilitates the management of electronic or digital identities. The framework includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.

Industrial Control Systems (ICS)
IT systems used to control industrial processes such as manufacturing, product handling, production and distribution.
P

it documents the rights and obligations of individuals and organizations with respect to the collection, use, retention and disclosure of personal information.

Penetration Test
an assessment of the effectiveness of established security defenses through mimicking the actions of a hostile human threat for finding exploitable vulnerabilities or other weaknesses and to attempt to exploit those vulnerabilities or weaknesses.

Privacy Impact Assessment (PIA)
decision tool used to identify and mitigate privacy risks. Notifies the public of 1) what PII is being collected, 2) why the PII is being collected, 3) how the PII will be retrieved, shared, accessed and stored.
mimic an attack of an external, hostile, experienced human threat on an organization’s infrastructure for locating and reporting on vulnerabilities.

Risk
the possibility of damage or harm, and the likelihood that damage or harm will be realized; a function of the likelihood of a given threat source exploiting a potential vulnerability, and the resulting impact of that adverse event on the organization.

Risk Assessment
assessing the threats, vulnerabilities and assets of information systems to determine the likelihood threats will exploit these vulnerabilities and weaknesses to cause adverse effects.

Risk Management
The process of designing, developing, sustaining and modifying operational processes and systems in consideration of applicable risks to asset confidentiality, integrity and availability. Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

S

Safeguard
a process, procedure, technique or feature that mitigates the effects of a risk. Safeguards can be classified as technology, procedures/policies or human factors.

Secrecy
attempting to hide information or data.

Secure Coding
the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities.

Software as a Service (SaaS)
a cloud computing service model that provides software applications.
Threat Actor
human-based agent that can negatively impact a system’s IT assets. The threat agent is evaluated on the agent, intent, target and mechanism used.

V

Virtual Desktop Infrastructure (VDI)
a desktop operating system running within a virtual machine (VM) on a physical host server.

Virtual Machine
an IT endpoint or server designed to perform in a software environment in exactly the same way as the dedicated hardware.

Vulnerability
a weakness or exposure in a technology, protocol or design of an information technology system such as hardware, firmware and software.