Annex: Glossary
This annex consolidates and standardizes definitions used across the ISMS policy and procedure set. Individual documents should reference this annex instead of including their own glossary sections.
How to use:
- When a term is needed in a document, link to this annex section using a relative link.
- Keep terms plain, vendor-neutral, and adaptable.
Terms
- Access Review: A periodic or event-driven evaluation of user entitlements to verify they remain appropriate for the user's role and business need, with inappropriate entitlements removed as a result.
- Account Lifecycle: The end-to-end process of user account creation, modification, review, and termination, aligned with employment status and role changes.
- Audit Logging Framework: The coordinated set of policies, procedures, and technologies that support logging across the authentication, network, and data access domains.
- Authentication Event: A security event related to verifying the identity of a user, device, or service attempting to access a system or resource.
- Authorization Event: A security event related to granting or denying access permissions to an authenticated entity based on its privileges and roles.
- Business Associate Agreement (BAA): A HIPAA-required contract between a covered entity and a business associate (a third party that creates, receives, maintains, or transmits protected health information on the covered entity's behalf) defining permitted uses and disclosures of PHI and the safeguards the business associate must implement.
- BYOD (Bring Your Own Device): A practice that allows workforce members to use personal devices for work-related purposes, subject to security controls.
- Clean Desk Policy: A practice requiring sensitive materials to be secured when workspaces are unattended.
- Cloud Service Provider: A third-party organization providing cloud computing services, including infrastructure, platforms, or software.
- Cross-Domain Correlation: The process of analyzing and linking related events across the authentication, network, and data access logging domains.
- Data Lifecycle Management: Managing data from creation through use, retention, archiving, and secure destruction.
- Data Loss Prevention (DLP): Technology and processes that detect and prevent unauthorized transmission or use of sensitive data, whether at rest, in use, or in transit.
- Electronic Protected Health Information (ePHI): Individually identifiable health information, as defined under HIPAA, that is created, stored, transmitted, or maintained in electronic form.
- Environmental Controls: Systems and procedures designed to protect against environmental hazards such as fire, flood, temperature extremes, and power failures.
- Event Integration: The technical capability to combine and analyze security events from multiple specialized logging domains.
- Follow-Me Printing: Secure printing in which a document is held until the user authenticates at the printer (for example with a badge or PIN) and releases it.
- Identity and Access Management (IAM): Policies, processes, and technologies used to manage digital identities and control access to resources based on user roles and responsibilities.
- Information Owner: The individual with authority and responsibility for specific information, including establishing handling requirements and approving access.
- Information Security Management System (ISMS): A systematic framework of policies, procedures, and controls for managing information security risk and protecting the confidentiality, integrity, and availability of the organization's information.
- Least Privilege: The principle of restricting access rights to the minimum permissions needed to perform authorized work, granted for no longer than needed.
- Mobile Device Management (MDM): Software that enables an organization to secure, monitor, and manage mobile devices used for business purposes.
- Multi-Factor Authentication (MFA): An authentication process requiring two or more factors from different categories (something the user knows, such as a password; something the user has, such as a hardware token; something the user is, such as a biometric). Two factors of the same category, such as two passwords, do not constitute MFA.
- Network Flow: A sequence of packets from a source to a destination, observed within a time window, that share common characteristics such as source and destination IP addresses, ports, and transport protocol.
- Physical Security Perimeter: The physical boundary around facilities, systems, or areas requiring protection.
- Privilege Escalation: Gaining access permissions beyond those initially granted to a user or service account, typically by exploiting a vulnerability or misconfiguration.
- Privileged Access: Elevated administrative or system-level access that can modify configurations, security settings, or data beyond standard user capabilities.
- Remote Lock: An administrative action that remotely locks a device so it cannot be used until unlocked by an authorized party, typically applied to lost or stolen devices.
- Remote Wipe: An administrative action that remotely deletes data from a device, either the entire device or only the managed work container.
- Risk Assessment: The process of identifying threats to and vulnerabilities of information assets, and evaluating the likelihood and impact of their exploitation to determine the resulting risk.
- Role-Based Access Control (RBAC): A method of restricting access based on user roles aligned to job functions, with permissions assigned to roles rather than to individual users.
- Security Incident: A single event or series of events that compromises, or presents an imminent threat of compromising, the confidentiality, integrity, or availability of information assets, including unauthorized access, disclosure, modification, or destruction. Not every security event is an incident; an event becomes an incident once it is assessed to have that effect or threat.
- Security Information and Event Management (SIEM): Technology that collects, retains, and provides real-time analysis and correlation of security events and alerts from multiple sources.
- Session Correlation: Linking related authentication and access events across multiple systems using session identifiers.
- SOC 2 Report: An independent auditor's report on a service organization's controls relevant to the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period.
- System Owner: The individual or group responsible for the procurement, development, operation, and maintenance of an information system.
- Tailgating: Unauthorized access gained by following an authorized person through a controlled physical access point.
- Threat Intelligence: Information about current and potential security threats used to enhance detection and response.
- User Agent: A string supplied by client software (typically in the HTTP User-Agent header) identifying the application, operating system, and device characteristics, and recorded in authentication and access logs. Because it is client-controlled and can be spoofed, it is useful for correlation and anomaly detection but must not be treated as an authentication factor.
- Visitor Management System: An automated system for registering, tracking, and managing facility visitors.