Glossary of Security & IT Terms
A quick reference for common security, IT, and compliance terminology.
A
AAA (Authentication, Authorization, Accounting) - Framework for controlling access: verifying identity, granting permissions, and logging activity.
ABAC (Attribute-Based Access Control) - Access control model based on attributes of users, resources, and environment rather than fixed roles.
ACL (Access Control List) - List of permissions attached to an object specifying which users/systems can access it.
AES (Advanced Encryption Standard) - Symmetric block cipher, the industry standard (AES-128, AES-192, AES-256 key sizes); security also depends on the mode of operation (e.g. AES-GCM for authenticated encryption).
AI (Artificial Intelligence) - Computer systems performing tasks normally requiring human intelligence.
Annex A (ISO 27001) - The appendix to ISO 27001:2022 containing 93 security controls across 4 themes.
APT (Advanced Persistent Threat) - Prolonged, targeted intrusion in which an attacker gains access and remains undetected for an extended period.
AppSec (Application Security) - Practice of securing applications through design, development, and deployment.
ATO (Authority to Operate) - Formal approval to operate an information system (US Federal context).
AUP (Acceptable Use Policy) - Policy defining acceptable use of organisation's IT resources.
AWS (Amazon Web Services) - Amazon's cloud computing platform.
B
BAA (Business Associate Agreement) - HIPAA-required contract between covered entity and business associate handling PHI.
BCP (Business Continuity Plan) - Documented procedures for maintaining business operations during disruption.
BIA (Business Impact Analysis) - Process of identifying critical business functions and impact of disruptions.
BPSS (Baseline Personnel Security Standard) - UK government pre-employment screening standard.
BYOD (Bring Your Own Device) - Policy allowing employees to use personal devices for work.
C
C2 (Command and Control) - Server or infrastructure used by attackers to control compromised systems.
CA (Certificate Authority) - Entity that issues digital certificates.
CAIQ (Consensus Assessments Initiative Questionnaire) - CSA's standardised questionnaire for cloud security.
CASB (Cloud Access Security Broker) - Security policy enforcement between cloud users and cloud applications.
CCPA (California Consumer Privacy Act) - California data privacy law (in force since 2020).
CCM (Cloud Controls Matrix) - CSA framework of cloud security controls.
CDE (Cardholder Data Environment) - PCI DSS term for network segment storing, processing, or transmitting payment card data.
CDN (Content Delivery Network) - Distributed network of servers delivering web content based on geographic location.
CERT (Computer Emergency Response Team) - Organisation handling computer security incidents.
CIA Triad - Confidentiality, Integrity, Availability - foundational security principles.
CIS (Center for Internet Security) - Non-profit developing cybersecurity best practices (CIS Controls, CIS Benchmarks).
CISO (Chief Information Security Officer) - Executive responsible for information security.
CMDB (Configuration Management Database) - Repository of IT infrastructure configuration items.
CMMC (Cybersecurity Maturity Model Certification) - US DoD cybersecurity certification for contractors.
COBIT (Control Objectives for Information and Related Technologies) - IT governance framework.
COPE (Corporate-Owned, Personally Enabled) - Mobile device strategy where company owns device but allows personal use.
COTS (Commercial Off-The-Shelf) - Software/hardware products available for purchase.
CPRA (California Privacy Rights Act) - Amendment strengthening the CCPA (in force since 2023).
CPD (Continuing Professional Development) - Ongoing learning and skill development.
CQC (Care Quality Commission) - Independent regulator of health and social care in England.
CSA (Cloud Security Alliance) - Non-profit promoting cloud security best practices.
CSF (Cybersecurity Framework) - NIST framework for managing cybersecurity risk.
CSIRT (Computer Security Incident Response Team) - Team responsible for incident response.
CSPM (Cloud Security Posture Management) - Tools for identifying cloud misconfigurations and compliance risks.
CSR (Corporate Social Responsibility) - Company's commitment to ethical and sustainable practices.
CVE (Common Vulnerabilities and Exposures) - Publicly known security vulnerabilities with unique identifiers.
CVSS (Common Vulnerability Scoring System) - Standard for assessing vulnerability severity (0-10 scale).
CWE (Common Weakness Enumeration) - List of common software security weaknesses.
D
DAC (Discretionary Access Control) - Access control where resource owner determines permissions.
DAST (Dynamic Application Security Testing) - Testing applications in running state (black-box testing).
DDoS (Distributed Denial of Service) - Attack overwhelming system with traffic from multiple sources.
DevOps - Practices combining software development and IT operations.
DevSecOps - Integrating security practices into DevOps processes.
DLP (Data Loss Prevention) - Tools and processes preventing unauthorised data transmission.
DMZ (Demilitarized Zone) - Network segment between internal network and untrusted external network.
DNS (Domain Name System) - System translating domain names to IP addresses.
DNSSEC (DNS Security Extensions) - Extensions adding digital signatures to DNS records so resolvers can verify their authenticity and integrity; it does not encrypt queries (see DoH/DoT for that).
DoS (Denial of Service) - Attack making system unavailable to intended users.
DORA (Digital Operational Resilience Act) - EU regulation for financial sector operational resilience (2025).
DPA (Data Processing Agreement) - GDPR-required contract between data controller and processor (in UK usage DPA also means the Data Protection Act 2018; check context).
DPO (Data Protection Officer) - Person responsible for GDPR compliance.
DR (Disaster Recovery) - Process of recovering IT systems after disaster.
DRP (Disaster Recovery Plan) - Documented procedures for recovering IT systems.
DSPT (Data Security and Protection Toolkit) - NHS annual self-assessment for data security.
E
EAL (Evaluation Assurance Level) - Common Criteria security evaluation level (EAL1-7).
EDR (Endpoint Detection and Response) - Security solution monitoring endpoints for threats.
ERP (Enterprise Resource Planning) - Integrated software managing business processes.
ESG (Environmental, Social, and Governance) - Framework for measuring sustainability and ethical impact.
F
FAIR (Factor Analysis of Information Risk) - Framework for quantitative risk analysis.
FAL (Federation Assurance Level) - NIST SP 800-63 measure of federated assertion strength.
FCA (Financial Conduct Authority) - UK financial services regulator.
FedRAMP (Federal Risk and Authorization Management Program) - US federal cloud security authorization programme.
FIDO (Fast Identity Online) - Alliance and family of standards (U2F, FIDO2) for phishing-resistant, passwordless public-key authentication.
FIPS (Federal Information Processing Standards) - US government computer security standards.
FISMA (Federal Information Security Management Act) - US law requiring federal information security.
FTP (File Transfer Protocol) - Protocol for transferring files (insecure; SFTP/FTPS preferred).
G
GDPR (General Data Protection Regulation) - EU/UK data protection regulation.
GLBA (Gramm-Leach-Bliley Act) - US law requiring financial institutions to protect customer information.
GPG (Good Practice Guidelines) - BCI's professional practice guidance for business continuity (not to be confused with GnuPG, the OpenPGP encryption tool, also abbreviated GPG).
GRC (Governance, Risk, and Compliance) - Integrated approach to managing governance, risk, compliance.
H
HIPAA (Health Insurance Portability and Accountability Act) - US healthcare data protection law.
HIPS (Host Intrusion Prevention System) - Software preventing intrusions on individual hosts.
HITRUST (Health Information Trust Alliance) - Healthcare security framework combining multiple standards.
HSM (Hardware Security Module) - Physical device safeguarding cryptographic keys.
HTTP/HTTPS (Hypertext Transfer Protocol / Secure) - Web protocol; HTTPS adds TLS encryption.
I
IAM (Identity and Access Management) - Framework for managing digital identities and access.
IaaS (Infrastructure as a Service) - Cloud computing model providing virtualised infrastructure.
IASME (Information Assurance for Small and Medium Enterprises) - UK SME information security standard.
ICS (Industrial Control System) - Systems controlling industrial processes.
ICO (Information Commissioner's Office) - UK data protection and information rights regulator.
IdP (Identity Provider) - System authenticating users and providing identity assertions.
IDS (Intrusion Detection System) - System detecting potential security breaches.
IGA (Identity Governance and Administration) - Tools for managing identity lifecycle and access governance.
IPsec (Internet Protocol Security) - Protocol suite for authenticating and encrypting IP traffic (commonly used for site-to-site and remote-access VPNs).
IPS (Intrusion Prevention System) - System detecting and blocking security threats.
IR (Incident Response) - Process of handling security incidents.
ISO (International Organization for Standardization) - International standards body.
ISMS (Information Security Management System) - Framework of policies and procedures for managing information security (ISO 27001).
ISP (Internet Service Provider) - Company providing internet access.
IT (Information Technology) - Use of computers and telecommunications.
ITGC (IT General Controls) - Controls supporting IT environment (access, change management, backups).
ITIL (Information Technology Infrastructure Library) - Framework for IT service management.
ITSM (IT Service Management) - Activities managing IT services.
J
JIT (Just-in-Time) - Providing access only when needed, for limited time.
K
KPI (Key Performance Indicator) - Measurable value demonstrating effectiveness.
KRI (Key Risk Indicator) - Metric predicting potential risk.
L
LDAP (Lightweight Directory Access Protocol) - Protocol for accessing directory services.
LMS (Learning Management System) - Software for delivering training and tracking completion.
M
MAC (Mandatory Access Control) - Access control enforced by the system according to labels, not the resource owner (e.g., classified systems, SELinux). MAC also means Message Authentication Code in cryptography and Media Access Control in networking; check context.
MaaS (Malware-as-a-Service) - Criminal business model renting malware tools.
MDM (Mobile Device Management) - Software managing mobile devices.
MFA (Multi-Factor Authentication) - Authentication requiring two or more verification factors.
MiCA (Markets in Crypto-Assets) - EU regulation for crypto-asset providers.
ML (Machine Learning) - AI subset enabling systems to learn from data.
MOU (Memorandum of Understanding) - Non-binding agreement between parties.
MPLS (Multiprotocol Label Switching) - Networking protocol for efficient data forwarding.
MSSP (Managed Security Service Provider) - Company providing outsourced security monitoring.
MTPD (Maximum Tolerable Period of Disruption) - ISO 22301 term for the time after which an outage causes unacceptable harm; also called MTD (Maximum Tolerable Downtime), e.g. in NIST SP 800-34.
MTTR (Mean Time to Recover/Respond) - Average time to recover from or respond to incident.
MTTD (Mean Time to Detect) - Average time to detect security incident.
N
NAC (Network Access Control) - Security approach restricting network access based on policy.
NCSC (National Cyber Security Centre) - UK government cybersecurity authority.
NDA (Non-Disclosure Agreement) - Legal contract protecting confidential information.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) - Cybersecurity standards for electric grid.
NIS (Network and Information Systems) - UK/EU regulations for cybersecurity of essential services; in the EU the original NIS Directive has been replaced by NIS2.
NIST (National Institute of Standards and Technology) - US agency developing technology standards.
NOC (Network Operations Center) - Centralised location monitoring and managing network.
O
OAuth (Open Authorization) - Standard for delegated authorization (letting an app act on a user's behalf with scoped tokens); OAuth 2.0 by itself is not an authentication protocol (see OIDC).
OIDC (OpenID Connect) - Authentication layer built on OAuth 2.0.
OLA (Operational Level Agreement) - Internal agreement supporting SLA.
OS (Operating System) - Software managing computer hardware and software resources.
OWASP (Open Worldwide Application Security Project, formerly Open Web Application Security Project) - Non-profit focused on application security (OWASP Top 10, ASVS).
OT (Operational Technology) - Hardware and software controlling industrial operations.
P
PaaS (Platform as a Service) - Cloud computing model providing platform for application development.
PAM (Privileged Access Management) - Managing and monitoring privileged account access.
PBAC (Policy-Based Access Control) - Access control based on policies combining attributes and rules.
PCI DSS (Payment Card Industry Data Security Standard) - Security standard for payment card data.
Pen Test (Penetration Test) - Authorised simulated cyber attack testing security.
PHI (Protected Health Information) - HIPAA term for individually identifiable health information.
PII (Personally Identifiable Information) - Information identifying an individual.
PIM (Privileged Identity Management) - Managing privileged identities and their elevation; also the name of the Microsoft Entra ID (formerly Azure AD) feature for just-in-time role activation.
PKI (Public Key Infrastructure) - System for creating, managing, distributing digital certificates.
PRA (Prudential Regulation Authority) - UK regulator for banks and insurers.
PSN (Public Services Network) - UK government shared network infrastructure.
Q
QSA (Qualified Security Assessor) - PCI DSS certified auditor.
R
RASP (Runtime Application Self-Protection) - Security technology embedded in applications.
RBAC (Role-Based Access Control) - Access control based on user roles.
RCO (Recovery Consistency Objective) - Ensuring data consistency across systems during recovery.
ReBAC (Relationship-Based Access Control) - Access control based on relationships between entities.
RFI (Request for Information) - Document requesting information from vendors.
RFP (Request for Proposal) - Document requesting vendor proposals.
ROI (Return on Investment) - Measure of profitability of investment.
RPO (Recovery Point Objective) - Maximum acceptable data loss measured in time.
RTO (Recovery Time Objective) - Maximum acceptable downtime after disruption.
S
SaaS (Software as a Service) - Cloud computing model delivering software via internet.
SAML (Security Assertion Markup Language) - XML standard for exchanging signed authentication and authorization assertions between an IdP and an SP (widely used for enterprise SSO).
SAQ (Self-Assessment Questionnaire) - PCI DSS compliance questionnaire.
SAST (Static Application Security Testing) - Testing source code for vulnerabilities (white-box testing).
SCA (Software Composition Analysis) - Identifying open-source components and vulnerabilities.
SCADA (Supervisory Control and Data Acquisition) - Industrial control system.
SCA (Strong Customer Authentication) - EU requirement for two-factor authentication in payments (PSD2).
SD-WAN (Software-Defined Wide Area Network) - Virtual WAN architecture.
SDLC (Software Development Life Cycle) - Process for software development.
SEC (Securities and Exchange Commission) - US financial markets regulator.
SIEM (Security Information and Event Management) - Platform aggregating and analyzing security logs.
SIG (Standardized Information Gathering) - Shared Assessments questionnaire for vendor security assessment.
SLA (Service Level Agreement) - Contract defining service levels.
SME (Subject Matter Expert) - Person with expertise in specific area.
SMS (Short Message Service) - Text messaging; also used for OTP delivery, but weak as an authentication factor because codes can be phished, intercepted, or captured via SIM swapping (NIST SP 800-63B classes it as a restricted authenticator).
SNMP (Simple Network Management Protocol) - Protocol for network management.
SOC (Security Operations Center) - Centralised facility monitoring security.
SOC 2 (System and Organization Controls 2) - AICPA attestation standard for service provider controls over the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
SoD (Segregation of Duties) - Dividing tasks among multiple people to prevent fraud/error.
SOAR (Security Orchestration, Automation and Response) - Platform automating security responses.
SOX (Sarbanes-Oxley Act) - US law requiring financial reporting internal controls.
SP (Service Provider) - Organisation relying on IdP for authentication (SAML context).
SQL (Structured Query Language) - Query language for relational databases.
SQLI (SQL Injection) - Attack injecting malicious SQL code.
SSH (Secure Shell) - Protocol for secure remote access.
SSL (Secure Sockets Layer) - Encryption protocol (deprecated; TLS is successor).
SSO (Single Sign-On) - Authentication allowing access to multiple systems with one login.
STRIDE - Threat modeling framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
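The SQLI entry above names the attack but not its mechanism. The following added example (not part of the original glossary) shows a vulnerable login query built by string formatting beside the parameterised version that fixes it, using Python's built-in sqlite3 driver against a constructed in-memory table. The usernames, passwords, and injection payloads are illustrative inputs.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo. Passwords are stored in clear
    text only to keep the injection visible; real systems store salted password
    hashes (bcrypt/argon2) and compare them in application code, not in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # VULNERABLE: user input is spliced into the SQL text, so a quote in the
    # input ends the literal and the rest of the input becomes SQL syntax.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # HARDENED: parameterised query. The statement's shape is fixed before the
    # data arrives; the driver binds the inputs as values, never as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_demo_db()
    # Tautology payload: AND binds tighter than OR, so the WHERE clause becomes
    # (username='alice' AND password='') OR '1'='1', which matches every row.
    print("vulnerable, tautology:", login_vulnerable(db, "alice", "' OR '1'='1"))
    # Comment payload: '--' discards the rest of the statement, including the
    # password check.
    print("vulnerable, comment:  ", login_vulnerable(db, "bob' --", "wrong"))
    print("safe, tautology:      ", login_safe(db, "alice", "' OR '1'='1"))
    print("safe, comment:        ", login_safe(db, "bob' --", "wrong"))
```

Parameterisation is the fix, not input filtering: the hardened function accepts the same hostile strings and simply finds no user whose name is literally `bob' --`. Escaping quotes by hand is fragile (different dialects, numeric contexts, second-order injection) and should not be relied on.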
T
TCO (Total Cost of Ownership) - Complete cost of owning and operating technology.
TFTP (Trivial File Transfer Protocol) - Simple file transfer protocol (insecure).
TLS (Transport Layer Security) - Cryptographic protocol securing communications (successor to SSL).
TOTP (Time-Based One-Time Password) - RFC 6238 algorithm deriving short-lived codes from a shared secret and the current time step (HMAC-based, building on HOTP/RFC 4226); used by authenticator apps.
TPM (Trusted Platform Module) - Dedicated secure cryptoprocessor providing key storage, measured boot, and remote attestation.
TTP (Tactics, Techniques, and Procedures) - Patterns of attacker behaviour.
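The TOTP entry above names the algorithm only. The following added example (not part of the original glossary) implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus a verifier that tolerates one step of clock drift and compares codes in constant time. The 20-byte ASCII secret `12345678901234567890` is the test secret published in both RFCs; the Base32 form of it is included because authenticator apps exchange secrets in that encoding.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the Unix epoch."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, digestmod)


def decode_authenticator_secret(b32: str) -> bytes:
    """Authenticator apps share secrets as (often unpadded) Base32 in otpauth:// URIs."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, candidate: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).

    Uses a constant-time comparison so response timing does not leak how many
    digits matched. A production verifier must additionally remember the last
    accepted counter per user and refuse to accept it again (replay protection),
    which this illustrative function does not do."""
    current = timestamp // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, current + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    secret = decode_authenticator_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    assert secret == b"12345678901234567890"
    # RFC 6238 test vector: T=59 -> 94287082 (8 digits) / 287082 (6 digits)
    print("TOTP at T=59 :", totp(secret, 59), totp(secret, 59, digits=8))
    print("TOTP now     :", totp(secret))
    print("verify drift :", verify_totp(secret, totp(secret, 59), 89))
```

The window parameter is a security trade-off: each extra step roughly doubles the number of codes accepted at any moment, so keep it small and pair it with rate limiting, since a 6-digit code is brute-forceable in a million guesses.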
U
UAM (User Access Management) - Managing user access throughout lifecycle.
UAT (User Acceptance Testing) - Testing to verify system meets requirements.
UBA (User Behavior Analytics) - Analyzing user behaviour to detect anomalies.
UEBA (User and Entity Behavior Analytics) - Analyzing users and entities for anomalous behaviour.
UK GDPR - UK version of GDPR post-Brexit.
URL (Uniform Resource Locator) - Web address.
USB (Universal Serial Bus) - Standard for connecting devices.
V
VDI (Virtual Desktop Infrastructure) - Hosting desktops in virtualised environment.
VLAN (Virtual Local Area Network) - Logical network segment.
VM (Virtual Machine) - Software emulation of physical computer.
VPC (Virtual Private Cloud) - Isolated cloud network (AWS, GCP).
VPN (Virtual Private Network) - Encrypted connection over public network.
VRRP (Virtual Router Redundancy Protocol) - Protocol providing router redundancy.
VSQ (Vendor Security Questionnaire) - Questionnaire assessing vendor security posture.
Vuln (Vulnerability) - Weakness exploitable by threat.
W
WAF (Web Application Firewall) - Firewall filtering HTTP traffic to web applications.
WAN (Wide Area Network) - Network spanning large geographic area.
WebAuthn (Web Authentication) - W3C standard for phishing-resistant public-key authentication in browsers; the browser API half of FIDO2, paired with CTAP for talking to authenticators.
WFH (Work From Home) - Remote work arrangement.
Whitelisting - Allowing only approved entities (also called "allowlisting").
WIPS (Wireless Intrusion Prevention System) - System preventing wireless network intrusions.
X
XDR (Extended Detection and Response) - Security solution integrating multiple security products.
XML (Extensible Markup Language) - Markup language for encoding documents.
XSS (Cross-Site Scripting) - Attack injecting malicious scripts into web pages.
Z
Zero Day - Vulnerability exploited before vendor awareness or patch availability.
Zero Trust - Security model requiring verification of every access request regardless of location.
ZTA (Zero Trust Architecture) - Network architecture implementing Zero Trust principles.
ZTNA (Zero Trust Network Access) - Alternative to VPN using Zero Trust principles.
UK vs US Terminology Differences
| UK Term | US Term | Meaning |
|---|---|---|
| DPA (Data Protection Act) | Privacy Law | Data protection legislation |
| GDPR | State Privacy Laws (CCPA, etc.) | Privacy regulation |
| ICO | FTC / State AGs | Privacy regulator |
| NHS | HHS | Healthcare authority |
| FCA | SEC | Financial regulator |
| Cyber Essentials | NIST Cybersecurity Framework | Baseline security standard |
| NCSC | CISA | National cybersecurity agency |
| Whilst | While | At the same time as; although |
| Mobile phone | Cell phone | Portable telephone |
| Programme | Program | Organised initiative |
Framework-Specific Acronyms
ISO 27001
- ISMS: Information Security Management System
- SoA: Statement of Applicability
- PDCA: Plan-Do-Check-Act (cycle)
NIST
- CSF: Cybersecurity Framework
- RMF: Risk Management Framework
- SP: Special Publication
- IAL: Identity Assurance Level
- AAL: Authenticator Assurance Level
PCI DSS
- PAN: Primary Account Number
- SAD: Sensitive Authentication Data
- CHD: Cardholder Data
- AOC: Attestation of Compliance
- ROC: Report on Compliance
HIPAA
- PHI: Protected Health Information
- ePHI: Electronic Protected Health Information
- CE: Covered Entity
- BA: Business Associate
- OCR: Office for Civil Rights (enforcer)