Certified in Cybersecurity

Chapter 1: Terms and Definitions

 Administrative Controls - Controls implemented through policy and procedures. Examples include
access control processes and requiring multiple personnel to conduct a specific operation.
Administrative controls in modern environments are often enforced in conjunction with physical
and/or technical controls, such as an access-granting policy for new users that requires login and
approval by the hiring manager.

 Artificial Intelligence - The ability of computers and robots to simulate human intelligence and
behaviour.

 Asset - Anything of value that is owned by an organization. Assets include both tangible items such as
information systems and physical property and intangible assets such as intellectual property.

 Authentication - Access control process validating that the identity being claimed by a user or entity is
known to the system, by comparing one (single factor or SFA) or more (multi-factor authentication or
MFA) factors of identification.

 Authorization - The right or a permission that is granted to a system entity to access a system resource.
NIST 800-82 Rev.2

 Availability - Ensuring timely and reliable access to and use of information by authorized users.

 Baseline - A documented, lowest level of security configuration allowed by a standard or

 Bot - Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and
worm capabilities.

 Classified or Sensitive Information - Information that has been determined to require protection
against unauthorized disclosure and is marked to indicate its classified status and classification level
when in documentary form.

 Confidentiality - The characteristic of data or information when it is not made available or disclosed to
unauthorized persons or processes. NIST 800-66

 Criticality - A measure of the degree to which an organization depends on the information or

 Data Integrity - The property that data has not been altered in an unauthorized manner. Data
integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27
Rev A
 Encryption - The process and act of converting the message from its plaintext to ciphertext.
Sometimes it is also referred to as enciphering. The two terms are sometimes used
interchangeably in literature and have similar meanings.
 General Data Protection Regulation (GDPR) - In 2016, the European Union passed
comprehensive legislation that addresses personal privacy, deeming it an individual human
right.
 Governance -The process of how an organization is managed; usually includes all aspects of
how decisions are made for that organization, such as policies, roles, and procedures the
organization uses to make those decisions.
 Health Insurance Portability and Accountability Act (HIPAA) - This U.S. federal law is the most
important healthcare information regulation in the United States. It directs the adoption of
national standards for electronic healthcare transactions while protecting the privacy of
individual's health information. Other provisions address fraud reduction, protections for
individuals with health insurance and a wide range of other healthcare-related activities. Est.
1996.
 Impact - The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.
 Information Security Risk - The potential adverse impacts to an organization’s operations
(including its mission, functions and image and reputation), assets, individuals, other
organizations, and even the nation, which results from the possibility of unauthorized access,
use, disclosure, disruption, modification or destruction of information and/or information
systems.
 Institute of Electrical and Electronics Engineers - IEEE is a professional organization that sets
standards for telecommunications, computer engineering and similar disciplines.
 Integrity - The property of information whereby it is recorded, used and maintained in a way
that ensures its completeness, accuracy, internal consistency and usefulness for a stated
purpose.
 International Organization of Standards (ISO) - The ISO develops voluntary international
standards in collaboration with its partners in international standardization, the International
Electro-Technical Commission (IEC) and the International Telecommunication Union (ITU),
particularly in the field of information and communication technologies.
 Internet Engineering Task Force (IETF) - The internet standards organization, made up of
network designers, operators, vendors and researchers, that defines protocol standards (e.g.,
IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B

 Likelihood - The probability that a potential vulnerability may be exercised within the
construct of the associated threat environment.
 Likelihood of Occurrence - A weighted factor based on a subjective analysis of the probability
that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
 Multi-Factor Authentication - Using two or more distinct instances of the three factors of
authentication (something you know, something you have, something you are) for identity
verification.
 National Institutes of Standards and Technology (NIST) - The NIST is part of the U.S.
Department of Commerce and addresses the measurement infrastructure within science and
technology efforts within the U.S. federal government. NIST sets standards in a number of
areas, including information security within the Computer Security Resource Center of the
Computer Security Divisions.
 Non-repudiation - The inability to deny taking an action such as creating information,
approving information and sending or receiving a message.
 Personally Identifiable Information (PII) - The National Institute of Standards and Technology,
known as NIST, in its Special Publication 800-122 defines PII as “any information about an
individual maintained by an agency, including (1) any information that can be used to
distinguish or trace an individual’s identity, such as name, Social Security number, date and
place of birth, mother’s maiden name, or biometric records; and (2) any other information that
is linked or linkable to an individual, such as medical, educational, financial and employment
information.”
 Physical Controls - Controls implemented through a tangible mechanism. Examples include
walls, fences, guards, locks, etc. In modern organizations, many physical control systems are
linked to technical/logical systems, such as badge readers connected to door locks.
 Privacy - The right of an individual to control the distribution of information about themselves.
 Probability - The chances, or likelihood, that a given threat is capable of exploiting a given
vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1
 Protected Health Information (PHI) - Information regarding health status, the provision of
healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and
Accountability Act).

 Qualitative Risk Analysis - A method for risk analysis that is based on the assignment of a
descriptor such as low, medium or high. Source: NISTIR 8286
 Quantitative Risk Analysis - A method for risk analysis where numerical values are assigned to
both impact and likelihood based on statistical probabilities and monetarized valuation of loss
or gain. Source: NISTIR 8286
 Risk - A possible event which can have a negative impact upon the organization.
 Risk Acceptance - Determining that the potential benefits of a business function outweigh the
possible risk impact/likelihood and performing that business function with no other action.
 Risk Assessment - The process of identifying and analyzing risks to organizational operations
(including mission, functions, image, or reputation), organizational assets, individuals and
other organizations. The analysis performed as part of risk management which incorporates
threat and vulnerability analyses and considers mitigations provided by security controls
planned or in place.
 Risk Avoidance - Determining that the impact and/or likelihood of a specific risk is too great to
be offset by the potential benefits and not performing a certain business function because of
that determination.
 Risk Management - The process of identifying, evaluating and controlling threats, including all
the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
 Risk Management Framework - A structured approach used to oversee and manage risk for an
enterprise. Source: CNSSI 4009
 Risk Mitigation - Putting security controls in place to reduce the possible impact and/or
likelihood of a specific risk.
 Risk Tolerance - The level of risk an entity is willing to assume in order to achieve a potential
desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are
also terms used synonymously with risk tolerance.
 Risk Transference - Paying an external party to accept the financial impact of a given risk.
 Risk Treatment - The determination of the best way to address an identified risk.

 Security Controls - The management, operational and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the confidentiality, integrity
and availability of the system and its information. Source: FIPS PUB 199
 Sensitivity - A measure of the importance assigned to information by its owner, for the
purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
 Single-Factor Authentication - Use of just one of the three available factors (something you
know, something you have, something you are) to carry out the authentication process being
requested.
 State - The condition an entity is in at a point in time.
 System Integrity - The quality that a system has when it performs its intended function in an
unimpaired manner, free from unauthorized manipulation of the system, whether intentional
or accidental. Source: NIST SP 800-27 Rev. A
 Technical Controls - Security controls (i.e., safeguards or countermeasures) for an information
system that are primarily implemented and executed by the information system through
mechanisms contained in the hardware, software or firmware components of the system.
 Threat- Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image or reputation), organizational assets,
individuals, other organizations or the nation through an information system via unauthorized
access, destruction, disclosure, modification of information and/or denial of service.
 Threat Actor - An individual or a group that attempts to exploit vulnerabilities to cause or force
a threat to occur.
 Threat Vector - The means by which a threat actor carries out their objectives.
 Token- A physical object a user possesses and controls that is used to authenticate the user’s
identity. Source: NISTIR 7711
 Vulnerability - Weakness in an information system, system security procedures, internal
controls or implementation that could be exploited by a threat source. Source: NIST SP 800-30
Rev 1