In terms of cyber security, the AICPA (American Institute of Certified Public Accountants) is an organization that provides guidelines and best practices for assessing and reporting on the effectiveness of an organization's cybersecurity risk management program. This includes the AICPA's SOC (Service Organization Controls) reporting framework, which consists of three types of reports: SOC 1, SOC 2, and SOC 3.
Application security is the protection of software applications from cyber threats and vulnerabilities. Policies are established to guide the development and deployment of applications in a secure manner. Procedures are created to detail the steps necessary to secure applications and to ensure that policies are consistently followed. Training is provided to developers and other personnel to ensure that they understand the policies and procedures and are able to apply them effectively. By implementing policies, procedures, and training in SPIO, organizations can reduce the risk of cyber attacks on their applications and protect sensitive data from theft or damage.
An Application Security (AppSec) Program is a set of projects and activities that are undertaken to achieve Application Security across a portfolio of applications and development teams.
A cyber security assessment is a comprehensive evaluation of an organization's information technology systems, infrastructure, policies, and procedures to identify vulnerabilities and risks. The assessment can be performed by internal or external cybersecurity experts and typically involves reviewing policies, procedures, and training of personnel, analyzing security architecture and configuration, and testing security through simulations or real-world attack scenarios.
"Attack surface" refers to the sum of all the points, or potential vulnerabilities, where a cyber attacker could gain unauthorized access to an organization's systems or data. This includes not only the organization's digital assets, such as servers, databases, and applications, but also the physical infrastructure, employee devices, and external networks that may be connected to the organization's systems.
An attestation letter is a document that provides assurance to a third party about the validity and accuracy of certain information or processes related to an organization's cyber security. An attestation letter may be provided by an independent auditor or security expert to confirm that an organization has implemented appropriate security policies, procedures, and training to protect sensitive data and systems.
A cyber security audit is an independent evaluation of an organization's information systems, policies, and procedures to assess their compliance with relevant security standards and regulations. The audit typically involves a thorough review of the organization's security and risk management processes and incident response plans, as well as an assessment of its ability to prevent, detect, and respond to cyber threats.
The Consensus Assessments Initiative Questionnaire (CAIQ) is a self-assessment questionnaire that corresponds to the CSA's cybersecurity controls framework for cloud computing, the Cloud Controls Matrix (CCM). An IaaS, PaaS, or SaaS cloud service provider can use the CAIQ to document its security controls, increasing security transparency for potential customers, who can then determine whether the CSP's cloud services are secure enough for their purposes and data protection needs.
The Cloud Controls Matrix (CCM) is a set of controls developed by the Cloud Security Alliance (CSA) to help organizations assess the security capabilities of cloud service providers. The CCM provides a comprehensive framework for evaluating the security controls of cloud providers across different security domains, including compliance, data governance, access management, and incident response.
CIS (Center for Internet Security) is a non-profit organization in the cybersecurity industry that provides resources, tools, and best practice guidelines to help organizations improve their cybersecurity posture. CIS benchmarks are widely used to provide guidelines for securing systems and networks.
CIS 18 refers to the Center for Internet Security's Critical Security Controls for Effective Cyber Defense. It is a set of 18 security controls that provide organizations with a prioritized framework for improving their cybersecurity posture.
CIS 20 refers to the Center for Internet Security's Critical Security Controls for Effective Cyber Defense version 8.0. It is an updated version of the original CIS 18 controls.
Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to ensure that contractors and suppliers meet specific cybersecurity requirements when working on DoD contracts. Contractors and suppliers must achieve the appropriate level of CMMC certification to be eligible for DoD contracts.
The Children's Online Privacy Protection Act (COPPA) is a United States federal law that regulates the collection, use, and disclosure of personal information from children under the age of 13 by websites, online services, and mobile apps. The law requires operators of websites and online services to obtain verifiable parental consent before collecting personal information from children, and to provide parents with the option to review and delete their children's personal information.
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for secure cloud computing. The CSA publishes research and standards related to cloud security and collaborates with industry leaders to develop and promote secure cloud technologies.
FedRAMP (Federal Risk and Authorization Management Program) is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. It aims to ensure that cloud systems used by federal agencies meet a minimum set of security requirements to protect sensitive government information. FedRAMP is mandatory for cloud service providers that want to offer their services to federal agencies.
FERPA (Family Educational Rights and Privacy Act) is a US federal law that protects the privacy of student education records. It applies to all educational institutions that receive funding from the US Department of Education. FERPA gives students and their parents certain rights, including the right to inspect and review their education records, the right to request that records be corrected, and the right to control the disclosure of personally identifiable information in their records.
FFIEC (Federal Financial Institutions Examination Council) is a US government interagency body that sets uniform principles, standards, and reporting forms for the examination of financial institutions. FFIEC's guidelines cover a wide range of areas, including information security, data protection, business continuity planning, and risk management. Financial institutions are required to comply with FFIEC guidelines to ensure the safety and soundness of the financial system.
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that establishes privacy and security standards for protected health information (PHI). HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.
HITECH (Health Information Technology for Economic and Clinical Health) is a US federal law that expands the privacy and security requirements of HIPAA. HITECH also established new breach notification requirements, which require covered entities to notify individuals if their unsecured PHI is breached. Additionally, HITECH increases penalties for HIPAA violations and gives states the authority to bring civil actions on behalf of individuals affected by HIPAA violations.
IaaS (Infrastructure as a Service) is a cloud computing model that provides virtualized computing resources, including servers, storage, and networking, over the internet.
IAM (Identity and Access Management) is a set of processes, policies, and technologies that enable organizations to manage and control access to their systems and data. IAM solutions help to ensure that only authorized individuals can access sensitive resources, and that access is granted on a "need-to-know" basis.
IDS (Intrusion Detection System) is a cybersecurity technology that monitors network traffic and systems for signs of malicious activity. IDS solutions use various techniques such as signature-based detection, anomaly detection, and behavioral analysis to identify patterns of unauthorized or unusual behavior.
IEC (International Electrotechnical Commission) is a global standards organization that develops and publishes standards related to electrical, electronic, and related technologies. IEC's standards cover a wide range of areas, including cybersecurity, where it has developed a series of standards known as the IEC 62443 series.
Injection is a type of cyber attack where an attacker exploits vulnerabilities in an application or system to inject malicious code or commands. Injection attacks are often carried out by inserting code or commands into input fields or parameters that are passed to an application or database.
ISO (International Organization for Standardization) is an independent, non-governmental international organization that develops and publishes standards for various industries and sectors, including cybersecurity.
ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information and mitigating cybersecurity risks. ISO 27001 includes a set of best practices for establishing, implementing, maintaining, and continually improving an ISMS, which helps organizations identify and manage information security risks and protect against cyber attacks.
ITAR (International Traffic in Arms Regulations) is a set of United States government regulations that control the export and import of defense-related articles, services, and technical data. Compliance with ITAR is critical for companies that export or import defense-related items, as violations can result in severe penalties, including fines, imprisonment, and loss of export privileges.
Least privilege is a principle in cyber security that recommends granting users and processes the minimum level of access necessary to complete their tasks, while restricting access to sensitive or critical resources.
A network scan is a cyber security technique used to identify active devices, open ports, and potential vulnerabilities within a network. By conducting regular network scans, organizations can proactively identify and address potential security weaknesses, reducing the risk of cyber attacks and data breaches.
NIST stands for the National Institute of Standards and Technology, which is a US government agency responsible for developing and publishing standards and guidelines related to information security and cybersecurity.
NIST 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST) that applies to non-federal organizations that handle controlled unclassified information (CUI). NIST 800-171 compliance is mandatory for organizations that contract with the US federal government and handle CUI, and failure to comply can result in penalties and loss of business opportunities.
NIST 800-53 is a special publication by the National Institute of Standards and Technology (NIST) that provides a catalog of security and privacy controls for federal information systems and organizations. The publication outlines security requirements and guidelines for the selection, implementation, and assessment of security controls to protect the confidentiality, integrity, and availability of information systems.
NIST CSF (Cybersecurity Framework) is a set of guidelines and best practices for organizations to manage and reduce cybersecurity risks. The NIST CSF includes five core functions - Identify, Protect, Detect, Respond, and Recover - which serve as a foundation for developing and improving an organization's cybersecurity posture.
PaaS stands for Platform as a Service, which is a cloud computing model that provides a platform for developing, running, and managing applications without the need for infrastructure management. PaaS providers offer a complete software development environment including hardware, operating systems, and application frameworks, allowing developers to focus on coding and deploying applications rather than managing infrastructure.
PCI DSS stands for Payment Card Industry Data Security Standard, which is a set of security requirements developed by the major credit card companies to protect sensitive cardholder data. PCI DSS applies to any organization that accepts, processes, stores, or transmits cardholder data, and includes requirements for network security, access control, data protection, and monitoring. Compliance with PCI DSS is mandatory for all merchants that accept credit card payments, and failure to comply can result in fines, legal liabilities, and damage to a merchant's reputation.
Penetration testing, also known as pen testing, is a security assessment method that simulates a real-world attack to identify vulnerabilities in a system, application, or network. Penetration tests are conducted by ethical hackers who attempt to exploit weaknesses in a system's security defenses using a variety of tools and techniques. The goal of a penetration test is to identify vulnerabilities and provide recommendations for remediation before they can be exploited by malicious actors.
Phishing is a type of social engineering attack in which attackers use fraudulent emails, text messages, or other forms of communication to trick individuals into providing sensitive information or performing actions that can compromise their security.
A risk register is a document or tool used by organizations to record, track, and manage risks associated with their operations, systems, or projects. A risk register typically includes a list of identified risks, their likelihood, potential impact, and risk mitigation strategies.
SaaS stands for Software as a Service, which is a cloud computing model that delivers software applications over the internet as a subscription-based service. With SaaS, users can access software applications and data from anywhere with an internet connection, without the need for on-premise installation or maintenance. SaaS providers manage the infrastructure, security, and maintenance of the software application, freeing users from the burden of software updates, patches, and backups.
A security policy is a set of rules, guidelines, and procedures that govern an organization's approach to information security. Security policies define the expectations, responsibilities, and actions required to protect an organization's information assets, systems, and network infrastructure from unauthorized access, theft, damage, or disruption. Among other things, a security policy typically includes guidelines for password management, data classification, access control, incident response, and compliance with legal and regulatory requirements.
A security program is a comprehensive framework for managing an organization's information security risks. A security program typically includes policies, procedures, and training that outline the organization's security objectives, the roles and responsibilities of employees and stakeholders, and the steps required to protect the organization's information assets. Policies provide high-level guidance for security, while procedures provide detailed steps for implementing security measures. Training ensures that employees understand their role in the security program and are equipped with the knowledge and skills necessary to comply with policies and procedures.
Security standards are a set of guidelines, best practices, and requirements that define how organizations should implement security controls and protect their information assets. Security standards provide a common language and framework for information security, allowing organizations to evaluate their security posture against industry-recognized benchmarks and compliance requirements. Some examples of security standards include the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the ISO 27001 standard.
SIG Lite is a simplified version of the SIG (Standard Information Gathering) questionnaire, which is a framework for assessing third-party vendor security risks. SIG Lite is designed to help organizations quickly assess a vendor's security posture and identify potential security risks. The questionnaire covers a range of security domains, including access control, data protection, incident response, and business continuity. SIG Lite is intended for use by smaller organizations or for assessing vendors with lower risk profiles, where a full SIG assessment may not be necessary.
Smishing is a type of social engineering attack in which an attacker uses SMS (Short Message Service) or text messages to trick users into divulging sensitive information or installing malware on their mobile devices. Smishing messages may appear to be from a trusted source, such as a bank or social media platform, and may include links or phone numbers that the user is prompted to click or call.
Service Organization Controls (SOC) are a set of standards developed by the American Institute of Certified Public Accountants (AICPA) to help organizations assess and report on the effectiveness of their internal controls. SOC reports provide assurance to customers and stakeholders that service organizations have appropriate controls in place to protect sensitive data and assets.
SOC 1 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's internal controls over financial reporting. SOC 1 reports are based on the Statement on Standards for Attestation Engagements (SSAE) No. 18 and cover controls related to financial transactions and reporting processes.
SOC 2 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA and are commonly used by technology and cloud service providers to demonstrate compliance with industry standards and best practices.
SOC 2 Type 1 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy at a specific point in time. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA and cover the design of a service organization's systems, processes, and procedures.
SOC 2 Type 2 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy over a period of time, typically six to twelve months. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA and cover both the design and operating effectiveness of a service organization's systems, processes, and procedures.
SOC 3 is a type of Service Organization Control (SOC) report that provides a summary of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA. Whereas SOC 2 reports are detailed, customizable, and shared under restricted distribution, SOC 3 reports are high-level and intended for public distribution.
SOPPA stands for the Student Online Personal Protection Act, a data privacy law passed in the state of Illinois. SOPPA aims to protect the privacy and security of student data collected by schools and education technology (EdTech) companies. The law requires schools and EdTech companies to provide transparency and obtain consent from parents or guardians before collecting, using, or disclosing student data. SOPPA also requires schools and EdTech companies to implement appropriate security measures to safeguard student data and provide notification in case of a data breach.
The Sarbanes-Oxley Act, also known as SOX, is a US federal law that was passed in 2002 in response to corporate accounting scandals such as Enron and WorldCom. The law introduced new or enhanced requirements for public companies and accounting firms to improve the accuracy and reliability of financial reporting and increase transparency and accountability. The law also includes provisions related to corporate governance, internal controls, and whistleblower protection. SOX compliance is mandatory for public companies.
Spear phishing is a type of phishing attack that is targeted at specific individuals or organizations. In a spear phishing attack, the attacker typically sends a personalized email or message that appears to come from a trusted source, such as a colleague, a supplier, or a customer. The message may contain a link or attachment that, when clicked or opened, installs malware on the recipient's device or directs the recipient to a fake website designed to steal login credentials or other sensitive information.
Server-Side Request Forgery (SSRF) is a type of security vulnerability in which an attacker can manipulate input data to trick a web application server into making unintended requests to other systems or servers. SSRF can be exploited to access sensitive data, bypass access controls, or launch attacks against other systems from the compromised server.
Static analysis is a method of analyzing software code without actually executing it. Static analysis tools review the code to detect potential vulnerabilities, such as buffer overflows, SQL injection, and cross-site scripting (XSS) attacks. The tools examine the code's syntax, data flow, and control flow to identify issues that could cause the software to behave in unexpected ways or be vulnerable to attack. Static analysis can be performed during the software development process to catch potential issues early and improve the overall security and reliability of the software.
Threat modeling is a process for identifying and analyzing potential threats and vulnerabilities to a system, network, or application. It involves identifying the assets that need protection, determining the possible threats and attack vectors that could be used to compromise those assets, and assessing the likelihood and potential impact of each threat.
In the context of cybersecurity, training refers to educating employees, contractors, and other stakeholders about security best practices and policies. This can include training on how to recognize and avoid common phishing and social engineering attacks, how to create strong passwords and use multi-factor authentication, how to handle sensitive data, and how to respond to security incidents. Effective training programs are ongoing and can help organizations reduce the risk of human error and improve overall security posture.
Trust Services Criteria (TSC) are a set of standards developed by the American Institute of Certified Public Accountants (AICPA) to evaluate the effectiveness of controls over information and systems. The TSC cover areas such as security, availability, processing integrity, confidentiality, and privacy. These criteria are used in SOC 2 and SOC 3 audits, which assess the controls and processes of service organizations that provide services to other businesses.
A Vulnerability Disclosure Program (VDP), also known as a bug bounty program, is a cybersecurity initiative where organizations invite security researchers and ethical hackers to identify and report vulnerabilities in their systems and applications. The purpose of a VDP is to identify potential security flaws before malicious actors can exploit them, thereby reducing the risk of a cyber attack. In exchange for reporting vulnerabilities, organizations may offer rewards or recognition to the researchers who disclose them.
A Web Application Firewall (WAF) is a type of cybersecurity technology designed to protect web applications from a variety of attacks, such as SQL injection, cross-site scripting (XSS), and other common web-based threats. A WAF sits between the web application and the internet, monitoring and analyzing incoming traffic in real time. It can detect and block malicious traffic before it reaches the web application, providing an additional layer of defense against cyber attacks. WAFs can be implemented on-premises or through a cloud-based service and can be configured to suit the specific security needs of the web application they protect. A WAF is often required by security standards such as PCI DSS.
Whaling is a type of cyber attack that typically targets high-level executives within an organization using social engineering techniques, such as email phishing or the use of malware. The goal is to obtain sensitive information or gain unauthorized access to systems and networks.
"Zero Trust" is a security model that assumes no implicit trust of any user or device attempting to access a network or system, whether inside or outside the network perimeter. This means that every user, device, and application must be authenticated and authorized before being granted access, and access is continuously monitored and validated based on various factors such as device posture, user behavior, and the sensitivity of the resource being accessed.