Definitions and pro-tips for the CISM certification.
An Acceptable Use Policy (AUP) defines permissible and prohibited uses of an organization’s resources, including networks, systems, and data. It outlines user responsibilities, legal compliance expectations, and potential consequences for violations, establishing clear boundaries for appropriate technology usage and mitigating organizational risk.
Access control defines and manages who or what entity has the authority to access specific information resources. This involves implementing mechanisms like authentication, authorization, and accounting to enforce security policies and protect data confidentiality, integrity, and availability.
An audit is a systematic, independent examination of an organization’s information systems, controls, and processes. It assesses adherence to established policies, standards, and regulations, providing objective evidence of effectiveness and identifying areas for improvement. Audit findings inform risk mitigation strategies.
An audit trail is a sequential record of system events, logging user actions, system changes, and access attempts. It provides a forensic history for security analysis, compliance verification, and incident response. Comprehensive audit trails are crucial for reconstructing activities and identifying potential breaches.
Availability guarantees timely and reliable access to information and resources for authorized users. This is achieved through redundant systems, robust infrastructure, and effective disaster recovery planning. Maintaining availability minimizes disruptions and ensures business continuity during planned or unplanned events.
Business Alignment ensures information security initiatives directly support and enable organizational goals. This involves understanding business processes, identifying critical assets, and tailoring security controls to protect those assets without hindering business operations or innovation. It requires ongoing communication and collaboration.
A Business Continuity Plan (BCP) outlines the strategies and procedures for maintaining essential business functions during and after a disruptive event. It prioritizes the continuation of critical operations, focusing on people, processes, and technology to minimize downtime and financial losses.
A Business Continuity Plan outlines an organization’s strategy for maintaining essential business functions during and after a disruptive event. It encompasses all aspects of operations, including IT, communications, personnel, and facilities, to ensure continued service delivery and minimize overall impact.
A Business Impact Analysis (BIA) identifies and evaluates the potential consequences of disruptions to critical business functions. It determines the financial, operational, and reputational impacts, establishing recovery priorities and resource requirements based on Maximum Tolerable Downtime (MTD) and Recovery Point Objective (RPO).
Chain of Custody is a meticulously documented and auditable record detailing the handling of evidence, from its initial seizure to its final disposition in legal proceedings. It establishes the integrity and authenticity of evidence by tracking every individual who handled it and the dates/times of transfer.
Change management is a structured process for controlling modifications to IT systems, infrastructure, and applications. It aims to minimize disruptions, reduce security vulnerabilities, and ensure changes are implemented effectively through planning, testing, approval, and documentation.
A compensating control is an alternative security measure implemented when a primary control is not feasible or effective. It provides a comparable level of protection by addressing the same risk, though through a different mechanism, ensuring acceptable risk mitigation in constrained circumstances.
Compliance signifies adherence to mandatory requirements established by laws, regulations, industry standards, or internal policies. It focuses on meeting specific rules and obligations, often demonstrated through documentation and reporting. Achieving compliance does not inherently guarantee robust security.
Confidentiality protects sensitive information from unauthorized access and disclosure. It’s achieved through mechanisms like encryption, access controls, and data masking, ensuring only authorized individuals can view or utilize protected data. Maintaining confidentiality is a core tenet of information security.
A control is a safeguard or countermeasure enacted to mitigate identified risks to organizational assets. These can be administrative (policies), technical (encryption), or physical (locks). Effective controls ensure confidentiality, integrity, and availability of information, aligning with risk management strategies.
Control Correlation identifies and leverages the synergistic relationships between independent security controls. This process optimizes control effectiveness by recognizing how one control’s output strengthens another, reducing overall risk and minimizing redundant efforts. It’s a key component of efficient governance.
A Control Objective is a specific, measurable statement defining the desired security outcome or result. It articulates *what* needs to be achieved to support information security goals and provides a basis for selecting and implementing appropriate controls to mitigate identified risks.
A control system comprises processes, policies, and technical safeguards implemented to reduce information-related risks. These systems ensure the confidentiality, integrity, and availability of data assets by providing assurance that stated objectives are achieved consistently. Effective controls align with organizational risk tolerance.
A data breach is a confirmed incident where sensitive, confidential, or protected data has been accessed, disclosed, stolen, or used by an unauthorized individual or entity. Breaches can occur through various means, including hacking, malware, or accidental disclosure, resulting in significant legal and reputational consequences.
Data Classification is the process of categorizing data based on its sensitivity, criticality, and legal requirements. This categorization drives the application of appropriate security controls, ensuring data is protected commensurate with its value and potential impact if compromised, and supports compliance efforts.
A Data Custodian is responsible for the secure storage, maintenance, and operational protection of data as directed by the Data Owner. This includes implementing access controls, performing backups, ensuring data integrity, and responding to security incidents related to the data under their care.
Data integrity ensures information is accurate, complete, and consistent throughout its lifecycle. Maintaining integrity involves implementing controls to prevent unauthorized or accidental modification, deletion, or creation of data, safeguarding its reliability for decision-making and operational processes.
A Data Owner is a senior-level individual with ultimate accountability for a specific dataset. They define data access policies, determine security requirements, and authorize data usage, ensuring alignment with business objectives and regulatory compliance. They are responsible for the data’s value and risk.
Data Remanence refers to the residual physical evidence of data that remains on a storage device after logical deletion, formatting, or overwriting. This residual data can potentially be recovered using specialized techniques, posing a security risk if sensitive information is not properly sanitized or destroyed.
Disaster Recovery (DR) focuses on restoring IT infrastructure and data following a disruptive event, aiming to resume critical business functions within defined timeframes. DR plans detail procedures for backup, replication, failover, and recovery, minimizing downtime and data loss during and after a disaster.
A Disaster Recovery Plan details the technical procedures for restoring IT infrastructure, data, and applications following a significant disruptive event. It focuses on minimizing downtime and data loss through pre-defined recovery strategies, including backups, failover systems, and recovery site activation.
Due Care represents the level of responsibility and caution an organization must exercise to protect information assets. It involves implementing reasonable and appropriate security controls based on identified risks and industry best practices. Demonstrating due care minimizes legal liability in the event of a security incident.
Due diligence encompasses comprehensive assessments performed to identify, analyze, and mitigate information security risks. This proactive process involves evaluating policies, procedures, technologies, and controls to ensure reasonable security measures are implemented and maintained throughout the organization’s lifecycle.
A framework provides a structured approach to managing information security, offering a collection of processes, guidelines, and best practices. It establishes a common language and methodology for assessing, implementing, and continuously improving security posture, supporting organizational governance objectives.
Governance establishes the organizational structures, processes, and relationships needed to direct and control information security. It defines responsibilities, ensures strategic alignment, and provides oversight to achieve information security objectives while managing risk and demonstrating accountability to stakeholders.
Incident Identification is the initial phase of the incident response lifecycle, involving the detection and verification of potential security events. This process determines whether an event constitutes a security incident requiring further investigation and response based on established criteria and thresholds.
Incident Management is a structured process for identifying, analyzing, containing, eradicating, and recovering from security incidents. Its core objective is to minimize business disruption and restore services to normal operation as quickly and efficiently as possible, while documenting lessons learned.
Incident Response is a structured, organized approach to addressing and managing the aftermath of a security breach or disruptive event. It involves phases of preparation, identification, containment, eradication, recovery, and lessons learned, aiming to minimize damage, restore operations, and prevent recurrence.
An information asset is any item possessing value to an organization, encompassing data in transit, at rest, and in use. This includes physical assets like hardware, virtual assets like software, and intangible assets such as intellectual property and brand reputation. Proper identification is crucial for risk management.
Information Security encompasses the strategies and practices used to protect information assets from unauthorized access, use, disclosure, disruption, modification, or destruction. It ensures confidentiality, integrity, and availability, safeguarding organizational data and systems against diverse threats and vulnerabilities.
Information Security Architecture defines the framework for implementing security controls within an organization’s IT environment. It establishes the relationships between security components, technologies, and processes to protect information assets and align with business objectives, ensuring a robust and adaptable security posture.
Information Security Governance establishes the organizational structures, policies, and processes to ensure information security aligns with business objectives. It encompasses directing and controlling security activities, defining roles and responsibilities, and ensuring accountability throughout the organization for protecting information assets.
Information Security Management encompasses the systematic application of policies, procedures, and technologies to protect the confidentiality, integrity, and availability of organizational information. It involves continuous monitoring, assessment, and improvement of security controls to align with business objectives and regulatory requirements.
The Information Security Manager leads the development, implementation, and maintenance of an organization’s information security program. This role encompasses risk assessment, policy creation, incident response, and ensuring compliance with relevant regulations and standards, reporting to executive leadership.
Information Security Metrics are quantifiable measurements used to track, assess, and report on the performance and effectiveness of an organization’s information security posture. These metrics provide objective data for decision-making, demonstrating the value of security investments and identifying areas requiring remediation.
An Information Security Program is a structured, organization-wide approach to managing information risk. It encompasses policies, procedures, standards, guidelines, and controls designed to protect the confidentiality, integrity, and availability of information assets. Continuous monitoring and improvement are essential.
Inherent Risk is the potential for loss or harm before the application of any mitigating controls. It represents the natural vulnerability of an asset or process, determined by factors like asset value, threat landscape, and existing vulnerabilities. It serves as the baseline for risk assessment.
Integrity ensures the accuracy, completeness, and reliability of information throughout its lifecycle. This is maintained by preventing unauthorized modification, deletion, or creation of data. Mechanisms include hashing, digital signatures, and version control to detect and prevent data corruption.
Key Performance Indicators (KPIs) are quantifiable metrics used to evaluate the success of an organization in meeting its strategic goals. In information security, KPIs measure the effectiveness of security programs, providing insights into performance, identifying trends, and supporting informed decision-making.
A Key Risk Indicator (KRI) is a measurable metric that provides early warning signals of increasing risk exposure within an organization. KRIs are proactively monitored to identify potential issues before they escalate into significant incidents, enabling timely mitigation and informed decision-making.
Least Functionality is a security principle advocating for systems to be designed with only the essential functions required for their intended purpose. This minimizes the attack surface by reducing the number of potential vulnerabilities and limiting the impact of successful exploits.
Least privilege is a security principle requiring that users be granted only the minimum access rights necessary to perform their defined job functions. This limits the potential damage from malicious actors or accidental errors by restricting access to sensitive data and critical system resources.
Logical Access Controls are security mechanisms implemented within systems to regulate access to data and resources based on user identity, authentication, and authorization. These controls utilize software and policies to verify user credentials and enforce permissions, preventing unauthorized access.
Logical controls are software-based security measures designed to protect data and systems through access restrictions, authentication mechanisms, and data encryption. These controls govern access to information and resources, ensuring only authorized users can perform specific actions and preventing unauthorized data manipulation.
A maturity model provides a structured framework for evaluating and improving an organization’s processes. It defines specific stages representing increasing levels of organizational capability, typically ranging from initial/ad-hoc to optimized/continuous improvement. These models guide security program development and benchmarking.
Non-repudiation ensures that a sender cannot deny having sent a message or performed an action, and a receiver cannot deny having received it. This is typically achieved through cryptographic methods like digital signatures, coupled with robust audit trails and logging mechanisms.
Physical Access Controls are security measures designed to restrict unauthorized physical access to critical assets, including facilities, equipment, and data centers. These controls encompass measures like perimeter security, surveillance systems, locks, and personnel security procedures to protect against physical threats.
A policy is a high-level statement of management’s commitment to information security, outlining principles and expectations. It provides a directional framework for decision-making and establishes acceptable behavior regarding information assets, requiring consistent enforcement across the organization.
Privileged Access Management (PAM) is a security discipline focused on controlling, monitoring, and auditing access to highly sensitive accounts and resources. PAM solutions enforce least privilege principles, implement strong authentication, and provide session monitoring to mitigate the risks associated with compromised privileged credentials.
A procedure is a specific, documented sequence of steps designed to perform a defined task consistently. It details the precise actions required, including order and resources, to achieve a predictable outcome. Procedures support standards and policies by providing practical implementation guidance for personnel.
A RACI matrix is a responsibility assignment matrix used in project management and governance. It clearly defines roles for each task: Responsible (performs the work), Accountable (owns the outcome), Consulted (provides input), and Informed (kept updated). It promotes clarity and accountability.
Regulatory compliance involves adhering to external laws, regulations, and industry-specific standards governing information security and data privacy. Organizations must implement appropriate controls and processes to demonstrate adherence, avoid penalties, and maintain stakeholder trust and operational legitimacy.
Residual Risk represents the portion of inherent risk remaining after implementing security controls. It is the level of risk an organization knowingly accepts, typically documented through a formal risk acceptance process. Effective risk management requires continuous monitoring of residual risk levels.
Risk Appetite represents the level of risk an organization is willing to accept in pursuit of its strategic objectives. It’s a strategic decision, influenced by factors like industry, regulatory requirements, and organizational culture, and is expressed qualitatively or quantitatively to guide risk-based decision-making.
Risk Assessment systematically identifies, analyzes, and evaluates potential threats and vulnerabilities to an organization’s information assets. This process determines the likelihood and impact of risks, enabling informed decision-making regarding appropriate risk responses and resource allocation for mitigation.
A Risk Management Framework establishes a comprehensive, repeatable process for identifying, analyzing, responding to, and monitoring risks. It provides a structured approach to align risk management activities with organizational objectives, ensuring consistent and effective risk mitigation across the enterprise.
Risk Response involves selecting and implementing actions to address identified risks. Common strategies include risk avoidance, transference (e.g., insurance), mitigation (reducing likelihood or impact), and acceptance (acknowledging the risk). Each response requires careful cost-benefit analysis.
Risk Tolerance defines the acceptable variation from the established risk appetite. It’s a measurable boundary, often expressed as a statistical range, indicating the amount of deviation an organization will accept before taking corrective action. Tolerance levels are specific to individual risks and business objectives.
Security awareness training educates personnel about information security threats, vulnerabilities, and best practices. It aims to foster a security-conscious culture, reducing human error and improving an organization’s resilience against attacks like phishing, social engineering, and malware. Regular training is essential.
Segregation of Duties (SoD) is a critical internal control designed to prevent fraud and errors by dividing key tasks among multiple individuals. This ensures no single person controls all phases of a critical process, reducing the risk of malicious activity or unintentional mistakes going undetected.
Separation of Duties is a control designed to prevent fraud and errors by dividing critical tasks among multiple individuals. This ensures no single person has complete control over a sensitive process, requiring collusion for unauthorized actions and enhancing accountability.
A Service Delivery Model defines how IT services are provided, encompassing options like in-house development, outsourcing to third parties, cloud-based solutions (IaaS, PaaS, SaaS), or a hybrid approach. The chosen model dictates responsibility for security, compliance, and overall service management.
A Single Point of Failure represents a component within a system whose malfunction halts the entire system’s operation. These vulnerabilities create unacceptable risk and require mitigation through redundancy, failover mechanisms, or alternative processing paths to ensure business continuity and resilience.
A Service Level Agreement (SLA) is a formally negotiated contract defining the level of service expected from a vendor, including metrics like uptime, performance, and response times. It outlines responsibilities, problem resolution procedures, and often includes penalties for non-compliance, ensuring accountability.
A stakeholder is any individual, group, or organization with an interest in an organization’s information security. This includes executives, employees, customers, partners, and regulators. Stakeholders’ needs and expectations influence security decisions and program effectiveness.
A standard is a compulsory specification defining minimum acceptable criteria for processes, technologies, or practices. It establishes a uniform approach, ensuring consistency and compatibility across an organization. Standards are derived from policies and are more specific, outlining *how* compliance is achieved.
The System Development Life Cycle (SDLC) is a structured, phased approach to building or modifying information systems. It encompasses planning, analysis, design, implementation, testing, and maintenance. Proper SDLC management ensures alignment with business needs and effective risk mitigation throughout the system’s lifespan.
A Tabletop Exercise is a cost-effective, discussion-driven simulation used to evaluate and refine incident response and disaster recovery plans. Participants walk through scenarios to identify weaknesses, clarify roles, and improve coordination without disrupting live operations. It focuses on decision-making and communication.
Third-Party Risk Management encompasses identifying, assessing, and mitigating risks associated with utilizing external vendors or service providers. This includes evaluating their security posture, contractual obligations, and potential impact on an organization’s confidentiality, integrity, and availability of assets and data.
A threat represents a potential event that could exploit vulnerabilities and cause harm to organizational assets, including data, systems, or reputation. Threats originate from various sources, both internal and external, and require proactive identification and mitigation strategies to reduce associated risk exposure.
A threat agent is any entity – individual, group, or organization – possessing the intent and capability to exploit vulnerabilities and compromise information assets. Threat agents can be malicious insiders, external attackers, or even unintentional actors causing harm through negligence or error. Their characteristics drive risk assessment.
A threat vector represents the specific method or pathway an attacker utilizes to gain unauthorized access to a system or network. These vectors exploit vulnerabilities and include techniques like phishing, malware, social engineering, and exploiting software flaws to deliver malicious payloads.
Value Delivery focuses on maximizing the return on security investments by demonstrating tangible benefits to the business. This includes measuring the effectiveness of security controls, quantifying risk reduction, and communicating security’s contribution to business resilience and competitive advantage throughout the project lifecycle.
A vulnerability is a weakness or flaw in a system’s design, implementation, or operation that could be exploited to violate security policies or compromise system integrity. It represents a potential point of entry for threats, impacting confidentiality, integrity, or availability of assets.
Vulnerability assessment is a systematic process of identifying, quantifying, and prioritizing security weaknesses within an organization’s IT infrastructure. This includes scanning systems for known vulnerabilities, analyzing configurations, and reviewing security policies to determine potential attack vectors and remediation efforts.
Vulnerability Management is a continuous, proactive process encompassing identification, assessment, remediation, and reporting of security weaknesses in systems and applications. It aims to minimize the organization’s attack surface by systematically addressing vulnerabilities before they can be exploited, reducing overall risk exposure.