Information Security Glossary

This resource is designed to demystify the complex jargon of information security. Whether you're a beginner or an expert, you'll get clear, concise definitions that will enhance your understanding and knowledge in this ever-evolving field.



A

Adaptive Multifactor Authentication. A security system that dynamically adjusts the level of authentication required based on various factors such as user behavior, location, and risk profile. It provides a flexible and risk-based approach to authentication.

AES stands for Advanced Encryption Standard. It is a widely used symmetric encryption algorithm that provides a high level of security for protecting sensitive data. AES uses a fixed 128-bit block size and a key length of 128, 192 or 256 bits, making it suitable for securing various applications, including data encryption, network communication, and file storage.

A program initiated by Apple that allows trusted Certificate Authorities (CAs) to issue digital certificates that are recognized and accepted by Apple devices and software. These certificates are used to establish secure connections and validate the authenticity of websites and applications.

C

California Consumer Privacy Act. A privacy law enacted in California, United States, that enhances consumer privacy rights and imposes obligations on businesses that collect and process personal information of California residents.

The state of adhering to the requirements and obligations outlined in the California Consumer Privacy Act. Organizations that handle personal information of California residents must ensure they have implemented the necessary policies and practices to comply with the law.

A trusted entity that issues digital certificates used to verify the authenticity of websites, software, or individuals. Certificate Authorities validate the identity and legitimacy of the certificate holder and sign the certificate to establish trust in online communications.

The senior executive responsible for overseeing an organization's information security program. The CISO is responsible for developing and implementing security strategies, policies, and practices to protect the organization's information assets.

The CIA Triad is a fundamental concept in information security, representing the three core principles of security: Confidentiality, Integrity, and Availability. Confidentiality ensures that data is accessible only to authorized individuals or systems. Integrity ensures that data remains unchanged and uncorrupted throughout its lifecycle. Availability ensures that data and systems are accessible and operational when needed by authorized users.

Acronym for Chief Information Security Officer. Refers to the senior executive responsible for overseeing an organization's information security program.

The set of practices, technologies, and controls used to protect data, applications, and infrastructure in cloud computing environments. Cloud security involves implementing measures to ensure confidentiality, integrity, and availability of resources stored or processed in the cloud.

The risk of failing to comply with laws, regulations, industry standards, or internal policies and procedures. Non-compliance can result in legal consequences, financial penalties, reputational damage, or loss of customer trust.

The practice of securing communication by converting information into an unreadable format, called ciphertext, using mathematical algorithms. Cryptography ensures confidentiality, integrity, and authenticity of data by enabling encryption and decryption processes. It is widely used to protect sensitive information during transmission or storage.

Cryptojacking refers to the unauthorized use of a computer's processing power to mine cryptocurrency. In cryptojacking attacks, malicious actors inject or execute scripts in websites, applications, or systems, harnessing the computing resources of infected devices without the owner's consent or knowledge. Cryptojacking can significantly degrade system performance and increase energy consumption.

D

An incident where unauthorized individuals gain access to sensitive or confidential data, leading to its unauthorized disclosure, theft, or loss. Data breaches can result from cyberattacks, human error, or other security vulnerabilities.

The set of processes, policies, and controls implemented to ensure the availability, integrity, and security of data within an organization. Data governance encompasses data quality, data management, data privacy, and regulatory compliance aspects.

Also known as DLP, it refers to the strategies, technologies, and processes implemented to prevent the unauthorized or accidental loss, leakage, or exposure of sensitive or confidential data.

The protection and proper handling of personal information, ensuring that individuals have control over how their data is collected, used, and shared. Data privacy regulations aim to safeguard individuals' privacy rights and establish guidelines for organizations handling personal data.

Measures and practices implemented to safeguard data from unauthorized access, disclosure, alteration, or destruction. Data protection involves implementing security controls, encryption, access controls, and data backup mechanisms to ensure data confidentiality and integrity.

A documented policy that defines how long an organization should retain certain types of data, including the criteria for retention and the process for data disposal. It helps organizations comply with legal and regulatory requirements and manage data effectively.

The protection of data from unauthorized access, use, disclosure, disruption, or destruction. Data security involves implementing a combination of technical, administrative, and physical safeguards to mitigate the risks to data confidentiality, integrity, and availability.

DDoS stands for Distributed Denial of Service. It is a type of cyber-attack where multiple compromised devices are used to flood a target system or network with a massive amount of traffic, overwhelming its resources and causing a disruption in service. DDoS attacks aim to make a website or online service unavailable to its intended users, often resulting in financial losses or reputational damage.

A digital certificate is a digital document that verifies the authenticity and identity of an entity, such as a website, organization, or individual. It is issued by a trusted third-party organization called a Certificate Authority (CA). Digital certificates contain information about the entity's public key and are used for secure communication, encryption, and authentication purposes.

DomainKeys Identified Mail. An email authentication method that uses cryptographic signatures to verify the authenticity and integrity of email messages. DKIM enables email recipients to determine if an email originated from a legitimate sender and detect tampering during transmission.

Acronym for Data Loss Prevention. Refers to the strategies, technologies, and processes implemented to prevent the unauthorized or accidental loss, leakage, or exposure of sensitive or confidential data.

Domain-based Message Authentication, Reporting, and Conformance. An email authentication protocol that helps prevent email spoofing and phishing attacks. DMARC allows email senders to specify policies for handling unauthenticated emails, reducing the risk of email fraud.

DoS stands for Denial of Service. It is a type of cyber-attack where an attacker attempts to disrupt or disable a computer system, network, or service, making it unavailable to its intended users. DoS attacks typically overwhelm the target's resources, such as bandwidth, processing power, or memory, leading to a loss of availability.

E

The process of encrypting email messages to protect their contents from unauthorized access or interception during transmission. Email encryption ensures that only authorized recipients can decrypt and read the message.

The cost associated with implementing and using email encryption solutions or services. Pricing may vary depending on the provider, the level of encryption, the number of users, and additional features included in the package.

A security solution that acts as a gateway or intermediary for incoming and outgoing email traffic. It helps protect email systems from spam, malware, phishing attacks, and other email-based threats.

The set of measures, technologies, and practices implemented to safeguard email communications from unauthorized access, interception, or manipulation. Email protection solutions aim to prevent spam, malware, phishing, and other email-based attacks.

The protection of email communications and systems from unauthorized access, interception, or tampering. Email security solutions include encryption, anti-spam filters, anti-malware scanners, and other mechanisms to detect and mitigate email-based threats.

A policy or setting that allows email attachments to be sent in encrypted formats such as PDF, ZIP, or Office XML file formats. This policy ensures that sensitive information is protected when transmitted via email.

A secure web-based platform or application that uses encryption technologies to protect data transmitted between users and the portal. Encrypted portals are commonly used for secure file sharing, document exchange, or online collaboration.

The process of converting plaintext or readable data into ciphertext or encoded data using encryption algorithms and keys. Encryption ensures that data is protected and can only be accessed by authorized individuals with the corresponding decryption keys.

The protection of individual devices, such as computers, laptops, smartphones, or tablets, from security threats. Endpoint security solutions include antivirus software, firewalls, intrusion prevention systems, and other measures to secure devices and prevent unauthorized access.

The comprehensive set of strategies, practices, and technologies implemented to protect an entire organization's information assets, networks, systems, and data from security threats. Enterprise security involves risk assessment, security policies, access controls, and incident response plans.

F

Fast Identity Online 2. A set of specifications and protocols that enable passwordless authentication and stronger security for online services. FIDO2 utilizes public-key cryptography and biometrics to provide secure and convenient authentication methods.

Financial Services Qualification System. A system used by financial institutions to assess and monitor the compliance and performance of suppliers. FSQS helps ensure that suppliers meet the required standards in areas such as information security, financial stability, and regulatory compliance.

OAuth (Open Authorization) is a standard for delegated authorization. Full OAuth access refers to the complete set of permissions a user grants to an application or service, allowing the application to act on behalf of the user within the granted scope.

G

General Data Protection Regulation. A comprehensive data protection regulation enforced in the European Union (EU) that governs the processing and protection of personal data of EU residents. GDPR aims to enhance individuals' privacy rights and imposes obligations on organizations handling personal data.

A software extension or add-in that integrates with the Gmail email client, providing additional features, functionality, or security enhancements. Gmail plugins can be used to extend the capabilities of Gmail for tasks such as encryption, productivity, or automation.

H

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) regulations in the United States. HIPAA sets standards and requirements for protecting the privacy and security of individually identifiable health information and establishes rules for healthcare organizations and their business associates.

A rule under the Health Insurance Portability and Accountability Act (HIPAA) that governs the use and disclosure of protected health information (PHI). The Privacy Rule establishes individuals' rights over their health information and sets limits on the use and disclosure of PHI by covered entities.

I

The adherence to regulatory requirements, industry standards, and internal policies and procedures relating to information technology. IT compliance ensures that IT systems, processes, and controls meet the necessary legal, security, and operational requirements.

K

The process of securely generating, storing, distributing, and revoking cryptographic keys used in encryption and decryption processes. Key management ensures the proper handling and protection of encryption keys to maintain the security and integrity of encrypted data.

Key Management Service. A service or system that provides key management functions, including key generation, storage, rotation, and distribution. KMS is commonly used to manage cryptographic keys for encryption and decryption processes.

M

The ability to track and monitor the delivery and handling of email messages within an email system or service. Message visibility allows administrators or users to assess the status, location, or actions performed on specific email messages.

Multifactor Authentication. A security mechanism that requires users to provide multiple forms of identification or authentication factors to access a system or account. Typical factors include passwords, security tokens, biometrics, or SMS codes.

A program operated by Microsoft that establishes a list of trusted root certificates issued by Certificate Authorities (CAs). Microsoft includes these trusted certificates in its software and operating systems to ensure secure and trusted communications.

A notification or warning system that alerts users when they are about to send an email to unintended recipients. Misdirected email prompts help prevent accidental disclosure of sensitive or confidential information to the wrong recipients.

A data governance and compliance tool developed by Microsoft. MS Purview provides organizations with capabilities to discover, classify, and manage data across various sources to ensure compliance with data protection regulations.

A software architecture or system where a single instance of the software serves multiple clients or tenants simultaneously. Each client's data and configurations are logically separated and isolated from other clients, ensuring privacy and security.

O

Open Authorization. A standard protocol that allows users to grant third-party applications or services access to their resources or data on a server, without sharing their credentials. OAuth enables secure and controlled authorization for web and mobile applications.

Open Source refers to software or applications that are freely available and can be modified, distributed, and studied by users. Open Source software is typically developed collaboratively, with its source code accessible to the public. It allows users to inspect, modify, and contribute to the software's development, promoting transparency, innovation, and community collaboration.

An identity layer built on top of the OAuth 2.0 protocol that enables authentication and authorization of users across different websites or applications. OpenID Connect provides a framework for securely verifying the identity of users and exchanging identity information.

A method of communication or authentication that occurs outside the main communication channel. Out-of-band authentication adds an extra layer of security by using a separate and independent channel to verify the user's identity or transaction.

A software extension or add-in that integrates with the Microsoft Outlook email client, providing additional features, functionality, or security enhancements. Outlook plugins can be used to extend the capabilities of Outlook for tasks such as encryption, productivity, or automation.

P

A secret code or password used to authenticate or authorize access to a system, device, or application. A passkey is typically known only to the authorized user and is used to prevent unauthorized access.

A sequence of words or a sentence used as a password or encryption key. Passphrases are generally longer and more complex than traditional passwords, providing increased security against brute-force attacks.

Payment Card Industry Data Security Standard. A set of security standards developed by the Payment Card Industry Security Standards Council (PCI SSC) to protect payment cardholder data. PCI DSS applies to organizations that handle credit card information and establishes requirements for secure payment card processing.

Pentest is short for Penetration Test. It is a methodical and controlled assessment of a computer system, network, or application's security posture. A penetration test aims to identify vulnerabilities and weaknesses that could be exploited by attackers. It involves simulating real-world attacks to assess the effectiveness of security controls and provide recommendations for improving security.

Pretty Good Privacy. A data encryption and decryption program that uses asymmetric encryption algorithms. PGP provides secure communication and data protection by encrypting messages and files, ensuring only authorized recipients can decrypt and read the content.

The process of encrypting data using the Pretty Good Privacy (PGP) encryption software. PGP encryption ensures the confidentiality and integrity of data by transforming it into ciphertext, which can only be decrypted by authorized recipients with the corresponding private key.

Protected Health Information. Sensitive and personally identifiable health information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). PHI includes information related to an individual's medical history, treatment, or payment for healthcare services.

Personally Identifiable Information. Any information that can be used to identify an individual or that is linked to an identifiable person. PII includes data such as names, addresses, social security numbers, or email addresses.

Security controls or mechanisms that enforce and verify the identity and authenticity of users, devices, or entities based on predefined policies. Policy authentication controls ensure that only authorized users or entities can access protected resources or perform specific actions.

A component or system that manages the encryption and decryption of data based on predefined policies or rules. The policy encryption engine ensures that data is encrypted according to the specified policies, providing consistent and controlled encryption practices.

A technique or system that routes email messages based on predefined policies or rules. Policy-based message routing helps organizations manage email flow, apply security measures, or enforce compliance requirements based on message content or attributes.

The policy or practice of retaining email messages within an online portal or web-based application for a specific period. Portal email retention ensures that email communications are archived or stored according to legal, regulatory, or organizational requirements.

In asymmetric encryption, a confidential key that is kept secret by the owner and used for decrypting ciphertext or digitally signing messages. The private key must be kept secure to prevent unauthorized access or tampering with encrypted data.

In asymmetric encryption, a key that is freely available and can be shared with others. The public key is used for encrypting data or verifying digital signatures. It can be shared openly without compromising the security of the encryption system.

Q

Relating to quantum mechanics or quantum computing, which is a field of physics that studies the behavior of matter and energy at the quantum level. Quantum computing has the potential to impact encryption and security due to its ability to perform certain computations more efficiently than classical computers.

Encryption techniques or systems that leverage the principles of quantum mechanics to provide enhanced security against quantum computing attacks. Quantum encryption methods aim to protect data against the potential threat posed by future quantum computers.

R

The process of verifying the identity of the email recipient before allowing access to encrypted email content. Recipient authentication ensures that only authorized recipients can decrypt and read encrypted email messages.

A method of email delivery where the recipient's email server or client initiates the retrieval of the email from the sender's server. Recipient-driven delivery reduces the risk of misdirected emails and allows recipients to control the receipt of messages.

The adherence to laws, regulations, and standards applicable to an industry or organization. Regulatory compliance ensures that organizations operate within legal boundaries and meet requirements related to security, privacy, data protection, financial practices, or industry-specific regulations.

S

Secure/Multipurpose Internet Mail Extensions (S/MIME) is the standard for securing MIME messages; it lets the widely adopted SMTP e-mail protocol be used without compromising security. It relies on a Public Key Infrastructure (PKI) to encrypt and/or sign message data. S/MIME brings cryptographic services to e-mail: confidentiality and data integrity through message encryption, and authentication and non-repudiation through digital signing.

Also known as SECaaS, it refers to the provision of security services or capabilities as a cloud-based service. Security as a Service allows organizations to leverage third-party expertise and infrastructure to enhance their security posture without the need for extensive in-house resources.

Secure Email Gateway. A security solution that filters and scans inbound and outbound email traffic to protect against spam, malware, phishing attacks, and other email-borne threats. SEGs provide advanced email security features and help organizations ensure the delivery of legitimate email while blocking malicious content.

A specific instance or implementation of a Secure Email Gateway (SEG). An SEG gateway is responsible for routing and processing email traffic, applying security filters, and enforcing email security policies.

The process of sending a large volume of email messages simultaneously or in batches. Sending bulk email is commonly used for marketing campaigns, newsletters, or communication with a large recipient list.

The individual or entity who initiates or sends an email message. The sender is responsible for composing the message, specifying the recipient(s), and delivering the email to the appropriate email server or service.

An email authentication framework that allows email senders to specify the authorized mail servers for their domain. SPF helps prevent email spoofing and domain forgery by verifying the sender's IP address against the authorized servers listed in the domain's SPF record.
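The SPF check described in this entry, combined with the policy handling from the DMARC entry above, as an added Python example (not code from the glossary or its publisher). The DNS TXT records, domain names and IP addresses are constructed for illustration; only the ip4, ip6, include and all SPF mechanisms are implemented, DKIM is not evaluated, and identifier alignment uses a simplified "last two labels" organizational-domain rule rather than the Public Suffix List:

```python
"""Simplified SPF evaluation plus DMARC policy lookup over an in-memory DNS table."""
import ipaddress

# Constructed sample TXT records (documentation domains/addresses, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "_dmarc.other.example": "v=DMARC1; p=none",
}

# SPF qualifiers: "+" (default) pass, "-" fail, "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Return the SPF result for a client IP claiming to send mail for `domain`."""
    if depth > 10:  # RFC 7208 limits DNS-lookup mechanisms such as include to 10
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    client = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            matched = client.version == network.version and client in network
        elif name == "include":
            # include matches only if the referenced domain's own record yields "pass"
            matched = check_spf(client_ip, value, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr, redirect: out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an explicit "all"


def parse_dmarc(domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if there are none."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def organizational_domain(domain):
    """Simplified organizational domain: last two labels (hypothetical rule for this example)."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate_message(client_ip, envelope_from_domain, header_from_domain):
    """Decide a disposition: returns (spf_result, spf_aligned, disposition)."""
    spf = check_spf(client_ip, envelope_from_domain)
    aligned = organizational_domain(envelope_from_domain) == organizational_domain(header_from_domain)
    dmarc = parse_dmarc(header_from_domain)
    if dmarc is None:
        return spf, aligned, "accept"  # no DMARC policy: receiver applies its own rules
    if spf == "pass" and aligned:
        return spf, aligned, "accept"  # DMARC passes via aligned SPF
    policy = dmarc.get("p", "none")
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy, "accept")
    return spf, aligned, disposition


if __name__ == "__main__":
    for ip, mail_from, header_from in [
        ("192.0.2.5", "example.com", "example.com"),
        ("203.0.113.7", "example.com", "example.com"),
        ("203.0.113.7", "bulk-sender.example", "example.com"),
    ]:
        print(ip, mail_from, header_from, "->", evaluate_message(ip, mail_from, header_from))
```

A real receiver would also evaluate DKIM and honour DMARC's `aspf`/`adkim` alignment tags; the point here is to show how the SPF record's mechanisms and qualifiers are walked in order and how the published DMARC policy turns an authentication failure into a disposition.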

A password or passphrase set by the email sender to encrypt or protect an email message. Sender-set passwords are used for securing sensitive or confidential email communications and ensure that only recipients with the correct password can decrypt and access the message.

A mailbox in an email system that can be accessed and used by multiple users within an organization. Shared mailboxes allow teams or departments to manage and collaborate on incoming and outgoing email messages from a single email address.

A confidential passphrase or shared secret known to multiple parties for authentication or encryption purposes. Shared secret passphrases are used to establish secure communication channels or verify the identity of participants in a secure system.

Security Information and Event Management. A technology that combines security event management (SEM) and security information management (SIM) to provide real-time monitoring, analysis, and correlation of security events and logs from various sources. SIEM helps identify and respond to security incidents or threats.

A method of network authentication where the user's device automatically authenticates with the network without requiring explicit user interaction or credentials. Silent network authentication uses pre-established trust or secure protocols to enable seamless and secure network access.

A mechanism that allows users to authenticate once and gain access to multiple systems or applications without the need to provide credentials for each individual system. Single sign-on improves user experience and simplifies user management and authentication processes.

Short Message Service. A text messaging service used to send short text messages between mobile devices or from a computer to a mobile device. SMS can be used for various purposes, including two-factor authentication or delivering one-time verification codes.

The use of SMS messages to deliver verification codes or authentication tokens to users for the purpose of identity verification or two-factor authentication. SMS authentication requires users to provide the received code as part of the authentication process.

Simple Mail Transfer Protocol. A standard protocol used for sending email messages between email servers or clients. SMTP is responsible for the transmission and routing of email across networks.

Service Organization Control 2. A reporting framework developed by the American Institute of Certified Public Accountants (AICPA) to evaluate and report on the controls and processes of service organizations. SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy of customer data.

Social engineering refers to the psychological manipulation and deception techniques used by attackers to manipulate individuals into divulging sensitive information or performing certain actions that may compromise security. Social engineering attacks exploit human trust, gullibility, or willingness to help, rather than relying solely on technical vulnerabilities. Examples include phishing, pretexting, baiting, and impersonation.

Integrations or plugins that allow users to log in to an application or service using their social media accounts, such as Facebook, Google, or Twitter. Social login connectors streamline the authentication process and provide convenience for users.

Verification codes or tokens that are automatically generated by a system or application for the purpose of authentication or identity verification. System-generated verification codes provide an additional layer of security to confirm the identity of the user.

T

Email gateways or services provided by external third-party vendors or providers. Third-party email gateways offer additional security features, filtering capabilities, or specialized functionalities beyond the built-in email services of an organization.

Transport Layer Security. A cryptographic protocol used to secure communication channels over networks. TLS ensures the confidentiality and integrity of data transmitted between applications or systems, such as web browsers and servers.

The version of the Transport Layer Security (TLS) protocol preceding TLS 1.3. TLS 1.2 provides secure encryption and authentication mechanisms for network communications.

The latest version of the Transport Layer Security (TLS) protocol. TLS 1.3 enhances security, improves performance, and provides stronger encryption algorithms and negotiation mechanisms compared to previous versions.

If TLS (Transport Layer Security) is not available, the email is automatically delivered through a secure fallback delivery option, such as a Web Portal or Secure PDF, ensuring that messages are neither left undelivered nor sent unprotected.

Two-Factor Authentication (2FA). A security measure that requires users to provide two different types of identification to access a system or account, typically combining a password or PIN with a second factor such as a fingerprint, security token, or SMS code.

W

World Wide Web Consortium. An international community that develops standards and guidelines for the World Wide Web. The W3C establishes protocols, specifications, and best practices to ensure interoperability, accessibility, and usability of web technologies.

A set of guidelines and standards developed by the W3C to ensure the accessibility of web content for people with disabilities. WCAG provides recommendations for making web content perceivable, operable, understandable, and robust for all users.

A website or online platform that provides access to various resources, services, or information. Web portals serve as gateways to specific content or functionalities and often require user authentication for personalized access.

An assurance program developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to evaluate and certify the security, privacy, and reliability of online systems and services. WebTrust assurance focuses on ensuring the trustworthiness of e-commerce, online banking, and other web-based transactions.

Z

A security approach or framework that assumes no implicit trust for users, devices, or networks, regardless of their location. Zero Trust emphasizes continuous verification, strict access controls, and least-privileged access to protect against security breaches and unauthorized access.