This section explains the policy and management side of cybersecurity: risk assessment, controls, audit logs, segregation of duties, and compliance vocabulary.
Use it when the term is about governance, accountability, or control structure rather than technical mechanics alone.
- Acceptable Use Policy
An acceptable use policy defines the rules for how employees, contractors, or other users are allowed to use organizational systems, accounts, devices, and data.
- Asset Inventory
An asset inventory is the maintained record of the systems, devices, applications, identities, and other resources an organization needs to track and protect.
- Audit Log
An audit log is a record of relevant actions and events that helps organizations review activity, support investigations, and demonstrate accountability.
- Change Management
Change management is the controlled process for planning, approving, implementing, and reviewing changes that could affect systems or security.
- Compensating Control
A compensating control is an alternative safeguard used to reduce risk when the preferred or standard control is not fully available.
- Compliance Framework
A compliance framework is a structured set of requirements or control expectations used to guide and assess security and accountability practices.
- Control Mapping
Control mapping is the process of linking security controls to specific risks, policies, standards, or compliance requirements they are meant to address.
- Control Objective
A control objective is the specific security outcome a control is supposed to achieve.
- Data Classification
Data classification is the practice of labeling data by sensitivity or importance so controls and handling requirements can match the risk.
- Data Loss Prevention
Data loss prevention is the combination of policies and controls used to reduce the chance that sensitive data is exposed, moved, or shared in ways the organization did not intend.
- Exception Management
Exception management is the process for documenting, reviewing, approving, and tracking departures from a standard security requirement or baseline.
- Log Retention
Log retention is the policy and practice of keeping security-relevant logs for a defined period so they remain available for monitoring, investigation, and evidence needs.
- Policy Exception
A policy exception is an approved departure from a normal security requirement, usually with conditions, risk acknowledgment, and a time limit.
- Residual Risk
Residual risk is the risk that remains after security controls and mitigation steps have already been applied.
- Risk Appetite
Risk appetite is the general amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk Assessment
Risk assessment is the process of identifying and evaluating security risk so organizations can prioritize controls and response decisions.
- Risk Register
A risk register is the structured record used to track identified risks, their status, ownership, and planned treatment.
- Risk Treatment
Risk treatment is the decision about how an organization will respond to an identified security risk.
- Security Awareness Training
Security awareness training is the ongoing education that helps users recognize security risk, follow safer behavior, and report suspicious activity.
- Security Baseline
A security baseline is the standard minimum set of security settings or controls expected for a system, device, or environment.
- Security Debt
Security debt is the accumulated burden created when security improvements, hardening, or design cleanup are deferred and the unresolved issues continue to add risk over time.
- Security Policy
A security policy is a formal statement of the rules, expectations, and principles an organization uses to guide security decisions and behavior.
- Segregation of Duties
Segregation of duties is the control principle of dividing critical tasks so one person does not control every step of a sensitive process.
- Shadow IT
Shadow IT is the use of technology systems, services, applications, or infrastructure outside the organization’s approved security and governance processes.
- Third-Party Risk
Third-party risk is the security risk introduced by vendors, service providers, partners, contractors, and other outside parties that connect to the organization or handle its data.
- Vendor Assessment
A vendor assessment evaluates the security implications of relying on a third party, supplier, or service provider.
- Vendor Risk Management
Vendor risk management is the ongoing process of evaluating, monitoring, and reducing the security risk introduced by third-party vendors and service providers.