Glossary

Security and compliance terminology used in CyberOrigen.

A

API (Application Programming Interface) A set of protocols and tools for building software applications. CyberOrigen provides a REST API for programmatic access.

ASV (Approved Scanning Vendor) A company approved by PCI SSC to conduct external vulnerability scans for PCI-DSS compliance.

Attestation A formal declaration that something is true. In CyberOrigen, users attest they have authorization to scan targets.

Audit Log A chronological record of security-relevant events for accountability and forensic analysis.

Audit Trail Complete documentation of all actions taken, providing evidence for compliance audits.

B

BAA (Business Associate Agreement) A HIPAA-required contract between covered entities and their business associates handling PHI.

Backup Codes One-time recovery codes for MFA, used when the primary authenticator is unavailable.

Breach Unauthorized access to or disclosure of protected information.

C

CDE (Cardholder Data Environment) The systems that store, process, or transmit payment card data; the CDE defines the scope of a PCI-DSS assessment.

CIA Triad Core security principles: Confidentiality, Integrity, and Availability.

Compliance Adherence to laws, regulations, standards, or policies.

Control A measure designed to protect systems or information. Can be technical, administrative, or physical.

CSF (Cybersecurity Framework) NIST's framework for managing cybersecurity risk through core functions: Identify, Protect, Detect, Respond, Recover.

CVE (Common Vulnerabilities and Exposures) A standardized identifier for known security vulnerabilities (e.g., CVE-2024-1234).

CVSS (Common Vulnerability Scoring System) A standardized scoring system for vulnerability severity, ranging from 0.0 to 10.0.

D

DAST (Dynamic Application Security Testing) Testing a running application for vulnerabilities by simulating attacks.

Data Subject Under GDPR, an identifiable natural person whose personal data is processed.

Defense in Depth Security strategy using multiple layers of controls to protect systems.

DORA (Digital Operational Resilience Act) EU regulation for ICT risk management in the financial sector.

DPA (Data Processing Agreement) Contract under GDPR between data controllers and processors.

DPIA (Data Protection Impact Assessment) GDPR-required assessment for high-risk data processing activities.

DPO (Data Protection Officer) Person responsible for GDPR compliance within an organization.

E

Encryption Process of encoding data so only authorized parties can read it.

ePHI (Electronic Protected Health Information) PHI in electronic form, protected under HIPAA.

EPSS (Exploit Prediction Scoring System) A scoring system that estimates the probability that a vulnerability will be exploited in the wild.

Evidence Documentation proving control implementation or compliance status.

F

False Positive A finding reported as a vulnerability that, on review, turns out not to be one.

Finding A discovered security issue, vulnerability, or compliance gap.

Framework A structured approach to implementing security or compliance (e.g., SOC 2, ISO 27001).

G

Gap Analysis Assessment identifying differences between current and desired security states.

GDPR (General Data Protection Regulation) EU regulation for data protection and privacy.

GRC (Governance, Risk, and Compliance) Integrated approach to managing governance, risk management, and compliance.

H

HIPAA (Health Insurance Portability and Accountability Act) US law protecting healthcare information privacy and security.

Host A computer or device on a network.

I

ICT (Information and Communication Technology) All technologies used for handling telecommunications and computer networks.

Incident A security event that threatens the confidentiality, integrity, or availability of systems or data.

ISMS (Information Security Management System) Framework of policies and procedures for systematically managing information security (ISO 27001).

IOC (Indicator of Compromise) An observable artifact (such as a file hash, IP address, or domain) providing evidence that a security breach has occurred.

K

KRI (Key Risk Indicator) Metric used to measure potential risk exposure.

L

Least Privilege Security principle granting users minimum access needed for their role.

M

MFA (Multi-Factor Authentication) Authentication requiring multiple verification methods.

MISP (Malware Information Sharing Platform) Open-source threat intelligence platform integrated with CyberOrigen.

N

NIST (National Institute of Standards and Technology) US agency developing cybersecurity standards and frameworks.

Nuclei Template-based vulnerability scanner used by CyberOrigen.

O

OWASP (Open Web Application Security Project) Organization producing web security resources, including the OWASP Top 10.

P

PCI-DSS (Payment Card Industry Data Security Standard) Security standard for organizations handling payment cards.

Penetration Testing (Pen Test) Authorized simulated attack to evaluate security.

PHI (Protected Health Information) Individually identifiable health information protected by HIPAA.

PII (Personally Identifiable Information) Data that can identify an individual.

Policy Formal statement of rules and expectations for security practices.

Procedure Step-by-step instructions for implementing policies.

Q

QSA (Qualified Security Assessor) Individual certified by PCI SSC to assess PCI-DSS compliance.

Quarantine Isolation of suspected malicious files for review.

R

RACI Matrix Assignment matrix showing who is Responsible, Accountable, Consulted, and Informed.

RAG (Retrieval-Augmented Generation) AI technique using external knowledge to enhance responses.

Remediation Process of fixing identified vulnerabilities or compliance gaps.

Risk Potential for loss or damage when a threat exploits a vulnerability.

Risk Appetite Amount of risk an organization is willing to accept.

Risk Register Document listing identified risks, assessments, and treatment plans.

ROC (Report on Compliance) PCI-DSS assessment report completed by a QSA.

S

SAQ (Self-Assessment Questionnaire) PCI-DSS self-assessment tool for qualifying merchants.

SAST (Static Application Security Testing) Analyzing source code for vulnerabilities without executing it.

SIEM (Security Information and Event Management) System collecting and analyzing security logs and events.

SLA (Service Level Agreement) Contract defining expected service levels.

SOC 2 (Service Organization Control 2) Audit framework for service providers, based on Trust Services Criteria.

SSRF (Server-Side Request Forgery) Vulnerability that lets an attacker cause the server to issue requests on their behalf.

SSL/TLS Protocols for encrypting network communications.

T

Threat Potential cause of an unwanted incident.

Threat Intelligence Information about threats and threat actors.

TLPT (Threat-Led Penetration Testing) Advanced testing methodology required by DORA.

Trust Services Criteria AICPA criteria for SOC 2: Security, Availability, Processing Integrity, Confidentiality, Privacy.

V

Vulnerability A weakness that could be exploited by a threat.

Vulnerability Management Process of identifying, evaluating, treating, and reporting vulnerabilities.

W

WAF (Web Application Firewall) Security solution protecting web applications from attacks.

Webhook HTTP callback for real-time notifications between systems.

Z

Zero Day A vulnerability that is unknown to the vendor, or known but for which no patch is yet available.