A
Acceptable Use Policy (AUP)
A formal organizational policy that defines permitted and prohibited uses of company resources, including computers, networks, and internet access. It establishes behavioral expectations to protect organizational assets and maintain security.
An employee signs an AUP upon onboarding, acknowledging that using company devices to access social media during work hours is prohibited.
Application Allowlisting
A proactive security control that permits only pre-approved applications to execute on systems, blocking any unauthorized or unlisted software from running. Unlike antivirus (reactive detection), allowlisting prevents execution before it occurs.
A company implements application allowlisting to ensure that even a user with administrative privileges cannot install or run unapproved software on a workstation.
B
Biometric Authentication
An authentication method that uses unique physical or behavioral characteristics—such as fingerprints, iris scans, or facial recognition—to verify a user's identity. It represents the 'something you are' factor in multifactor authentication frameworks.
A data center uses fingerprint scanners as biometric authentication to ensure only authorized personnel can physically enter the server room.
Brute Force Attack
A password attack method that systematically attempts numerous credential combinations until the correct one is found, exploiting weak authentication without intelligent guessing. Multiple failed login attempts from a single IP address are a common indicator.
A security analyst detects hundreds of failed login attempts per minute from an external IP targeting the company's web portal, identifying a brute force attack in progress.
Business Continuity Plan (BCP)
A documented strategic framework outlining procedures to maintain critical business operations during and after disasters or disruptions. It ensures system and data availability through recovery procedures, backup systems, and failover mechanisms.
Following a ransomware attack that took servers offline, the organization activated its BCP to switch operations to backup systems and maintain service availability.
C
Compensating Control
An alternative security measure implemented when a primary control is unavailable, impractical, or ineffective, providing a substitute layer of protection. It does not fully replace the original control but mitigates residual risk.
Because budget constraints prevented hiring a full-time security guard, the company deployed CCTV cameras as a compensating control to monitor facility access.
Cross-Site Scripting (XSS)
A web-based attack that injects malicious scripts into trusted websites, which then execute in the victim's browser by exploiting the browser's trust in the legitimate site. Unlike SQL injection, XSS directly targets the client side rather than the database.
An attacker embeds a malicious JavaScript snippet in a comment field of a vulnerable web forum, stealing session cookies from every user who loads the page.
D
Data Classification
A systematic process that categorizes organizational data based on its sensitivity and value—such as public, internal, confidential, or restricted—to determine appropriate security controls and resource allocation.
After implementing data classification, the security team applied encryption and strict access controls to all assets labeled 'restricted,' while leaving 'public' documents unrestricted.
Data Loss Prevention (DLP)
A security technology that monitors, detects, and blocks the unauthorized transmission or exfiltration of sensitive data through channels such as email, cloud storage, or removable media. DLP inspects outbound communications in real time to enforce data handling policies.
The DLP solution automatically blocked and alerted the security team when an employee attempted to email a spreadsheet containing customer Social Security numbers to an external address.
Digital Signature
A cryptographic mechanism using asymmetric encryption where the sender signs data with their private key and recipients verify authenticity with the sender's public key, ensuring both sender authentication and message integrity. It proves origin and detects any tampering in transit.
The legal department required all software releases to carry a digital signature so recipients could verify the code had not been altered since the developer signed it.
F
Full Disk Encryption (FDE)
A security control that encrypts all data stored on a drive, rendering it completely unreadable without the correct decryption key—even if the physical drive is removed and accessed on another machine. It is the most effective protection for data on lost or stolen devices.
When a sales executive's laptop was stolen at an airport, full disk encryption ensured that the customer database stored on the device remained inaccessible to the thief.
I
Incident Response Plan (IRP)
A documented set of procedures defining how an organization detects, contains, eradicates, and recovers from security incidents, with the primary goal of minimizing damage and reducing recovery time. It ensures a coordinated and repeatable response across teams.
Upon detecting a data breach, the security team followed the incident response plan to isolate affected systems, preserve forensic evidence, and notify stakeholders within the required timeframe.
Integrity
A core principle of the CIA triad that ensures data remains accurate, complete, and unaltered by unauthorized parties during storage or transit. Violations occur when data is modified without authorization, such as during a man-in-the-middle attack.
When an attacker modified financial transaction records in transit between the client and server, the integrity principle of the CIA triad was compromised.
Intrusion Detection System (IDS)
A network security tool that passively monitors traffic in real time to identify suspicious patterns, anomalies, or known attack signatures and generate alerts. Unlike a firewall, an IDS detects and reports threats rather than actively blocking them.
The IDS generated an alert when it detected a port-scanning pattern consistent with network reconnaissance being performed against the internal subnet.
L
Least Privilege
A foundational security principle that restricts each user, account, or process to only the minimum permissions and resources required to perform their specific job functions. It reduces the attack surface and limits damage from compromised accounts or insider threats.
Following a least privilege audit, the IT team revoked database administrator rights from developers who only needed read access to perform their daily tasks.
M
Man-in-the-Middle (MITM) Attack
An attack in which a threat actor secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. It targets data confidentiality and integrity in transit.
On an unsecured public Wi-Fi network, an attacker performed a MITM attack to intercept login credentials submitted by a user to their online banking portal.
Mandatory Access Control (MAC)
A security model in which the operating system enforces access decisions based on security labels and classifications assigned to both users and data objects by an administrator, with no discretion granted to data owners. It is commonly used in government and high-security environments.
In a government system using MAC, a user with a 'Secret' clearance label is automatically prevented by the system from reading files classified as 'Top Secret,' regardless of their role.
Multifactor Authentication (MFA)
An authentication method requiring two or more independent verification factors from distinct categories—something you know, something you have, and something you are—to confirm a user's identity. Even if one factor is compromised, unauthorized access is prevented without the others.
After enabling MFA, employees were required to enter their password and approve a push notification on their registered mobile device before gaining access to the corporate VPN.
N
Network Access Control (NAC)
A security solution that evaluates device health and enforces compliance policies—such as up-to-date antivirus and patches—before permitting a device to connect to the network. It proactively blocks non-compliant or unauthorized endpoints at the network perimeter.
When a contractor's laptop with an outdated antivirus definition attempted to connect to the corporate network, the NAC solution quarantined the device until it met compliance requirements.
P
Patch Management
A systematic process of identifying, testing, and deploying software and firmware updates to remediate known security vulnerabilities and bugs across organizational systems. Its primary goal is to eliminate weaknesses before attackers can exploit them.
The security team's patch management program automatically deployed the critical OS update within 48 hours of release, closing the vulnerability that was being actively exploited in the wild.
R
Ransomware
A category of malware that encrypts the victim's files or systems and restricts access, demanding a ransom payment in exchange for the decryption key. Its defining characteristic is extortion through encryption, distinguishing it from spyware or trojans.
After a ransomware infection encrypted all files on the company's file server, a ransom note appeared demanding cryptocurrency payment within 72 hours to restore access.
Risk Assessment
A systematic process of identifying, analyzing, and evaluating potential threats, vulnerabilities, and their impacts on organizational information assets to prioritize security controls appropriately. It forms the foundation of an organization's overall risk management program.
The annual risk assessment identified that the lack of encryption on employee laptops represented a high-likelihood, high-impact risk, prompting immediate implementation of full disk encryption.
S
Separation of Duties
A security principle requiring that critical or sensitive tasks be divided among multiple individuals so that no single person can complete a high-risk action alone, thereby preventing fraud and unauthorized actions. It differs from least privilege by focusing on task distribution rather than permission scope.
The finance department implemented separation of duties by requiring one employee to initiate wire transfers and a separate manager to authorize and approve them before execution.
Shoulder Surfing
A low-tech social engineering technique in which an attacker physically observes a victim entering sensitive information—such as passwords or PINs—by looking over their shoulder or from a nearby vantage point. It exploits physical proximity and a lack of situational awareness.
An attacker standing behind a user at a coffee shop practiced shoulder surfing to capture the VPN password typed on the user's laptop screen.
V
Vulnerability Scanning
An automated, proactive security assessment process that systematically scans systems, networks, and applications to detect unpatched software, misconfigurations, and weaknesses before they can be exploited. It is distinct from penetration testing, which simulates actual attacks to validate exploitability.
The quarterly vulnerability scan flagged an unpatched Apache web server version as a critical finding, allowing the team to apply the update before any exploitation occurred.