(Security+) Program Management & Oversight

ALE – (Annual loss expectancy) The expected monetary loss from a given risk over one year: single loss expectancy (SLE) * annual rate of occurrence (ARO). The ARO may be fractional (an event expected once every 20 years has an ARO of 0.05).

SLE – (Single loss expectancy) The monetary loss from one occurrence of a risk: asset value (AV) * exposure factor (EF), where the exposure factor is the percentage of the asset's value lost in a single incident.

IaaS – Infrastructure as a service

IR – Incident response

Playbook – Comprehensive documents that provide step-by-step guides for responding to a specific type of incident or operational scenario (for example, a ransomware infection or a lost laptop).

Guidelines – Non-mandatory recommendations that provide advice to teams seeking to align their work with the organization’s policies and standards.

Risk Avoidance – Eliminating a risk entirely by not engaging in the activity that creates it, such as declining to deploy a product with a known critical vulnerability or discontinuing a risky service. Proactive action taken to prevent the risk from ever occurring; contrast with risk mitigation (such as applying patches as soon as they become available), which reduces the likelihood or impact of a risk without removing it.

Risk Acceptance – Accepting a risk by not taking any action to mitigate, avoid, or transfer it. Usually done when the expected monetary loss is small relative to the cost of addressing it and the risk carries no legal or regulatory repercussions. The decision should be documented and formally approved by the risk owner.
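The SLE and ALE formulas above, and the accept-versus-mitigate decision that follows from them, as a worked example. This is added here and is not part of the original page: the asset names and figures are constructed, and the cost-benefit rule (ALE before the control, minus ALE after it, minus the control's annual cost) is the standard quantitative basis for deciding whether a control is worth buying or the risk should be accepted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario (constructed sample data below)."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year (may be < 1)


def sle(risk: Risk) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: EF must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annual loss expectancy: ALE = SLE * ARO."""
    if risk.aro < 0:
        raise ValueError(f"{risk.name}: ARO cannot be negative")
    return sle(risk) * risk.aro


def control_value(risk: Risk, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE(before) - ALE(after) - annual cost.

    A positive value means the control saves more per year than it costs.
    """
    return ale(risk) - ale_after - annual_control_cost


def recommend(risk: Risk, ale_after: float, annual_control_cost: float) -> str:
    """Return 'mitigate' when the control pays for itself, otherwise 'accept'."""
    return "mitigate" if control_value(risk, ale_after, annual_control_cost) > 0 else "accept"


def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Risk names ordered from largest to smallest annual loss expectancy."""
    return [r.name for r in sorted(risks, key=ale, reverse=True)]


# Constructed sample register (hypothetical figures, not from the original page).
WEB_OUTAGE = Risk("web server outage", asset_value=200_000, exposure_factor=0.25, aro=2.0)
DC_FLOOD = Risk("data center flood", asset_value=5_000_000, exposure_factor=0.5, aro=0.05)
LAPTOP_THEFT = Risk("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=10.0)
REGISTER = [WEB_OUTAGE, DC_FLOOD, LAPTOP_THEFT]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:<20} SLE={sle(r):>12,.2f}  ALE={ale(r):>12,.2f}")
    print("Ranked by ALE:", rank_by_ale(REGISTER))
    # A failover cluster costing 30,000/yr is assumed to cut the outage ALE to 20,000.
    print("web server outage:", recommend(WEB_OUTAGE, ale_after=20_000, annual_control_cost=30_000))
    # Full-disk encryption plus tracking costing 25,000/yr, assumed to cut theft ALE to 5,000.
    print("laptop theft:", recommend(LAPTOP_THEFT, ale_after=5_000, annual_control_cost=25_000))
```

The flood scenario shows why ARO is kept fractional: a once-in-twenty-years event with a large SLE can still carry the highest ALE in the register, and ranking on ALE rather than SLE is what surfaces it. The laptop case shows a risk that is rationally accepted, not because it is negligible but because the proposed control costs more per year than the loss it prevents.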

Rules of Engagement – Information about the type and scope of testing, client contact details, handling of sensitive data, and details about the type and frequency of status meetings and reports in a penetration test.

Disaster Recovery Plan – Outline of the actions to be taken to restore systems and operations during and after a human-caused or natural disaster.

Non Disclosure Agreement (NDA) – Safeguard for sensitive information and intellectual property, preventing its unauthorized disclosure. This legal contract is established between a company and a third party, such as a vendor.

Reconnaissance – The information-gathering phase of a penetration test, combining OSINT gathering (public sources) with scanning of the target environment.

Passive Reconnaissance – Utilizing resources to gather information on an environment without directly establishing a connection with the target.

Data Controller – Also known as data owners; the organizations or individuals who collect the data and determine how and why it is processed.

Data Stewards – Responsible for executing the data controller’s intentions and are delegated with the responsibility for managing the data.

Data Custodians – Entrusted with the task of storing, managing, and securing the data.

Information Security Management System (ISMS) – Framework of policies and procedures that (1) includes all legal, physical, and technical controls involved in an organization’s information risk management processes and (2) provides a systematic approach to managing sensitive company information so that it remains secure.

ISO 27001 – Explains how companies can build a compliant ISMS, from scoping their system and assessing risk to developing policies and training staff. It is the certifiable, requirements-level standard; its Annex A lists the controls at a summary level only. (Privacy Information Management Systems, PIMS, are covered by the separate extension ISO 27701, not by 27001 itself.)

ISO 27002 – Focuses specifically on controls. It expands on ISO 27001’s Annex A overview to dive deep into the purpose, design, and implementation guidance for each control.
Source: ISO 27001 vs ISO 27002: What’s the Difference? | Secureframe

SOC 2, Type 2 Audit – Focuses on a service organization’s controls related to the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type 2 report tests the operating effectiveness of those controls over a review period (typically 6 to 12 months), whereas a Type 1 report only assesses their design at a single point in time. These audits must be performed by an independent third-party CPA firm.

Board-Based Oversight – Incorporates external members who bring industry experience and expertise. In some cases board members may receive compensation.

Committee-Based Oversight – Typically composed of internal staff members.
