Glossary

Published: November 29, 2023. Last updated: June 13, 2024.

Activity

A scheduled or ad-hoc one-time activity that is performed on a specific date and can involve a chosen set of assets (previously called "Internal control event"). It can be repeated according to an activity series.

Activity Plan

A collection of scheduled activities (previously called "Internal control plan": a year plan that contains several internal controls).

Activity Series

A series of planned activities.

Activity Template

A template for activities that can be done ad hoc, planned, or repeated at regular intervals (formerly known as "Internal control").

Agreement

A legal agreement between the Ciso customer and a supplier.

Agreement Type

A type of agreement.

Application

Applications or IT systems that your organization uses. Each application is shown as one box in the view. We also document which information objects are handled or stored in each application, so that an application inherits information security demands depending on which information it handles. We can also visualize integrations and dependencies between applications as arrows representing the information flow from one application to another.

Application Organization Relationship

A description of the kind of relation (and thereby responsibilities) a certain organization (supplier) has to a certain application.

Device

A device is something that can process and/or store information. It can be a database server, an employee laptop, or a mobile phone. It can also be a physical medium such as a folder of papers.

Domain Object

Objects in Ciso's model.

ECC (Employee Compliance Center)

ECC is the name of the simplified user interface tailored to non-expert users.

External Contact Person

An external contact person that belongs to one external organization.

ISO Cybersecurity Concept / NIST Function

Five functions (also called pillars or concepts) that are used to categorize security controls and mechanisms:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Information Flow

Represents information that is moved from one application to another in some way, usually by an automated integration, but it can also be entirely manual. The arrow should always point from the system that has the information before the transfer takes place to the system that holds more information after the transfer, regardless of how the integration is technically implemented.

Information Object

Information objects are common names for the different types of information that people in your organization handle. Some information is more valuable or sensitive than other information. To know which information is worth protecting, we need to identify the information objects and agree on good names for them. Information objects are usually real "things" like a Customer or an Invoice, but they can also be somewhat more abstract, like an Order, a Support Ticket, or different kinds of events. Information objects should be given clear singular names that are meaningful to your business domain experts.

Location

A location is either a physical place, such as an office or a datacenter containing servers or other devices, or an organization or company that hosts information processing services for you. Examples:

  • The small server-room in the basement of the office
  • Site "X" datacenter

Named Document

A document stored outside Ciso. In Ciso, we keep track of the document name, a description, and who owns the document. Ciso can also list security controls that refer to the document and keep track of statements on it.

Named Person / Ciso User

A person with a name in Ciso. Can be invited as a user that can log in to Ciso.

Operational Capabilities

A control attribute from ISO/IEC 27002:2022 that groups controls by the operational capability they support. Examples:

  • #Governance
  • #Asset_management
  • #Information_protection
  • #Human_resource_security
  • #Physical_security
  • #System_and_network_security
  • #Application_security
  • #Secure_configuration
  • #Identity_and_access_management
  • #Threat_and_vulnerability_management
  • #Continuity
  • #Supplier_relationships_security
  • #Legal_and_compliance
  • #Information_security_event_management
  • #Information_security_assurance

Organization

An organization; it can be an external supplier, a partner, or an internal organization.

Organizational Unit

A separate part of an organization, for example a department.

Our Security Requirement

A requirement, criterion, or question that expresses a security concern about the delivery of a service or application.

Performance Evaluation Criteria Catalog

A catalog of performance evaluation criteria.

Performance Evaluation Criterion

A specific criterion that the customer uses to evaluate how well a supplier fulfills the customer's needs.

Position

An organizational position that can be held by one person (or be vacant).

Process/Activity

Visual workflow descriptions of the activities that people in your organization regularly perform. A process is a collection of activities that are done in a particular order.

Processing of (Personal) Data

A process that uses a specific information object. If the information object contains attributes classified as personal data, this is a processing of personal data, and GDPR rules apply.

Risk

A specific combination in which a threat can exploit a vulnerability to compromise an asset.

Security Standard

An established and well-known standard for information security, such as ISO 27001 or NIST SP 800-53.

Security Control / Security Measure (Swedish: säkerhetsåtgärd)

An identified control (Swedish: åtgärd, "measure") that mitigates an organization's risks. Examples are listed in security standards, for example ISO 27001:2013 Annex A 12.3 (Backup). See MSB's term bank.

Security Mechanism (Deprecated)

Deprecated: replaced by Security Requirement. Was: An implementable mechanism that increases security. Security mechanisms are concrete interpretations of how the organization should fulfill the security goals for its information (CIAT). For example, the security mechanism "Backup & Restore" helps to fulfill availability goals. Security mechanisms can be defined at different levels of ambition (base, enhanced, etc.) to describe how to fulfill increasing levels of security goals.

Security Service

A security service is something that provides actual, implemented increased security. It can be a concrete thing, like a firewall that protects the network at a specific location, or the use of a central LDAP (AD) directory for managed user provisioning and access control. It can also be a more general service level or standardized package provided by your own organization or an external partner. In Ciso, a security service provides a number of security mechanisms to all objects it is connected to. For example, if you are using online software as a service, the provider of that service should provide many basic security mechanisms for you: user management, encryption, backups, etc. In that case, we recommend that you create one security service in Ciso that corresponds to all the mechanisms the provider actually has in place for your data.

Statement of Applicability

A statement of which controls from a specific standard we deem applicable to our organization. It also specifies which document(s), process(es), or security mechanisms we use to fulfill each control.

Supplier Performance Evaluation

A customer's evaluation of how well a supplier fulfills their needs.

Supplier Review

A review of a supplier of a service. The questions are answered both by "us" (the Ciso customer) and by the supplier.

Supplier Review Template

A template for a specific type of supplier. It lists a number of chosen evaluation criteria.

Supplier Self-Assessment

A questionnaire that a supplier answers, giving their own assessment of how well they fulfill specific demands from the customer.

Threat

A threat or threat agent that can exploit vulnerabilities and pose a risk to our organization.

Threat Catalogue

A list of sample threats.

Vulnerability

A weakness that can be exploited. It can be technical or administrative.

Vulnerability Catalog

A maintainable list of vulnerabilities.