GovAssure Cyber Lexicon
A cyber lexicon is a dictionary of terms and definitions related to cyber security.
We’ve put together this cyber lexicon to help you understand the complex and ever-changing world of cyber security.
You can use the cyber lexicon to improve your understanding of cyber security terminology, and it can also be used to develop and implement cyber security policies and procedures.
We hope that using the lexicon introduces consistency in the use of terminology as part of:
As an example, there are a number of references for Identity and Access Management, so we have defined a preferred term of Identity and Access Management (IdAM) and adopted NCSC’s terminology where appropriate.
Cyber lexicons can help you learn about the latest threats and vulnerabilities, and develop and implement cyber security policies and procedures. If you want to learn more about cyber security, we recommend you consult a cyber lexicon.
This list is not intended to be exhaustive but includes commonly used cyber security and GovAssure terms.
Download Excel sheet of GovAssure Cyber Lexicon v1.2
Preferred term | Alternative reference | Definition | Stage of GovAsssure process | Source |
---|---|---|---|---|
access control | A way of ensuring that only authorised users (or automated systems) can access data or services. | Stage 3 | NCSC | |
access control list (ACL) | A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource. | SANS | ||
access logs | security logging | Records of all requests for access to a particular resource or system. | Stage 3 | NCSC |
accountable individuals | Persons responsible for specific actions or decisions within an organisation. | Stage 3 | NCSC | |
administrative functions | Tasks related to the management and maintenance of a system or network. | Stage 3 | NCSC | |
administrator / admin | privileged user | A person who manages a computer system, usually with highly privileged access to data and services. | NCSC | |
advanced persistent threat (APT) | A prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. | Stage 3 | GovAssure | |
algorithm | A set of rules or instructions for a computer to follow. | |||
anti-malware | Software that is designed to detect, stop and remove malicious software (malware). | Stage 3 | NCSC | |
arms length body (ALB) | Arm’s-length bodies (ALB) are a specific category of central government public bodies that are administratively classified by the Cabinet Office. | N/A | GovAssure | |
artificial intelligence (AI) | The ability of a computer or machine to mimic human intelligence. | |||
assessor | independent assessor independent assurance reviewer |
The individual conducting the GovAssure independent assurance review. | Stage 4 | GovAssure |
asset | something of value to a person, business or organisation. | BSI | ||
asset management | The process of maintaining and managing the valuable resources of a company, which could include hardware, software, and sensitive information. | Stage 3 | GovAssure | |
asset register | asset inventory hardware inventory software library |
A database or list of assets, capturing key attributes such as ownership and financial value. | ITIL | |
attack vector | The path or method used by an attacker to gain unauthorised access to a system. | |||
authentication | The process of verifying the identity of a user, system, or service. | Stage 3 | NCSC/SANS | |
authenticity | Authenticity is the validity and conformance of the original information. | SANS | ||
authorised users | Individuals who have been granted permission to access specific resources. | Stage 3 | NCSC | |
availability | The ability of an IT service or other configuration item to perform its agreed function when required. | ITIL/SANS | ||
backdoor | A hidden method of bypassing normal authentication or encryption in a computer system. | |||
backup / backing up | incremental backups | To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss. | Stage 3 | BSI/SANS |
bandwidth | The amount of data that can be transmitted over a network connection in a given time. | |||
baseline profile | baseline target CAF profile baseline government profile |
The baseline CAF profile will be the aspirational minimum standard for all government organisations and systems to meet. It was developed and agreed by GSG, NCSC AND CDDO and models the most likely impactful attacks against the government and determines the indicators of good practice within the outcomes of CAF which would prevent or detect and mitigate the attack. An attack on a system under the baseline profile might be detected and remediated at a later point in the attack chain, and the organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity. | Stage 2 | GovAssure |
biometrics | Biometrics use physical characteristics of the users to determine access. | Stage 3 | SANS | |
bit | A binary digit (0 or 1) the basic unit of information in computing. | |||
blockchain | A decentralised, distributed ledger technology that records transactions across multiple computers. | |||
blue team | penetration testing | During cyber security testing engagements, blue teams evaluate organisational security environments and defend these environments from red teams. | Stage 3 | NCSC/SANS |
bot | A software application that performs automated tasks. | |||
botnet | A network of computers infected with malware and controlled by a single attacker. | |||
bring your own device (BYOD) | The authorised use of personally owned mobile devices such as smartphones or tablets in the workplace. | Stage 3 | BSI | |
brute-force attack | A method of cracking passwords by trying all possible combinations. | |||
bug | An error or flaw in software code. | |||
business continuity management (BCM) | business continuity | Preparing for and maintaining continued business operations following disruption or crisis. | Stage 3 | BSI |
business continuity plan (BCP) | A plan that outlines the procedures to follow in the event of a major incident or disaster to ensure the continuity of business operations. | Stage 3 | SANS | |
business impact assessment (BIA) | A key activity in the practice of service continuity management that identifies vital business functions and their dependencies. | Stage 3 | ITIL/SANS | |
cache | A temporary storage area for frequently accessed data. | |||
CAF principles | The 14 principles, categorised within four objectives, for managing cyber risk and cyber security that comprise the CAF. | Stage 3 | GovAssure | |
CDDO | Central Digital and Data Office | Stage 3 | GovAssure | |
certificate-based device identity management | A security approach that uses digital certificates to authenticate devices. | Stage 3 | NCSC | |
change control | The process through which all requests to change the approved baseline of a system, project, programme or portfolio are captured, evaluated and then approved, rejected or deferred. | Stage 3 | ||
change management | Change management is a systematic approach to managing the transition or transformation of an organisation’s goals, processes, and technologies | Stage 3 | ||
cloud computing | A model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provided with minimal management effort or provider interaction. | Stage 3 | BSI/ITIL/SANS | |
competent authorities (CAS) | Organisations or agencies responsible for ensuring compliance with laws and regulations. | Stage 3 | NCSC | |
computer security incident response team (csirt) | computer incident response team (CIRT) computer incident response centre (CIRC) computer incident response capability (CIRC) computer emergency response team (CERT) |
An expert group that manages the response to a computer security event or incident | Stage 3 | NCSC |
confidentiality | Confidentiality is the need to ensure that information is disclosed only to those who are authorised to view it. | Stage 3 | SANS | |
configuration | The arrangement and settings of system components. | Stage 3 | NCSC | |
configuration item | any component that needs to be managed in order to deliver an IT service. | Stage 3 | ITIL | |
configuration management | The process of systematically handling changes to a system in a way that it maintains integrity over time. | Stage 3 | GovAssure | |
configuration management database (CMDB) | A centralised repository for collecting, processing, storing, and utilising asset data across an organisation. | Stage 3 | ITIL | |
contributing outcome (CO) | The CAF principles are each divided into a collection of lower-level contributing cyber security and resilience outcomes which contribute to the overall security and resilience objective. In turn, each contributing outcome is associated with a set of indicators of good practice (IGPs) and, using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved’, ‘not achieved’ or ‘partially achieved’. | Stage 3 | GovAssure | |
control | The means of managing a risk, ensuring that a business objective is achieved, or that a process is followed. | Stage 3 | ITIL | |
corporately managed | Systems or resources that are managed at an organisational level. | Stage 3 | NCSC | |
critical national infrastructure (CNI) | UK CNI | Critical national infrastructure (CNI) is a term used by the UK government to describe the assets, systems, and processes that deliver essential services to the country. | Stage 1 | GovAssure |
critical system(s) | Government sector CNI systems or operators of essential services systems which support your organisation’s mission and outputs. | Stage 2 | GovAssure | |
cryptography | The practice of securing communication through encoding. | Stage 3 | NCSC | |
culture | A set of values that is shared by a group of people, including expectations about how people should behave, ideas, beliefs, and practices. | Stage 3 | ITIL | |
cyber assurance | assurance | Cyber assurance is the process of ensuring that systems, networks, programs, devices, and data are protected from cyber-attacks through the application of technologies, processes, and controls. It involves assessing and verifying the effectiveness of security measures in place to identify and address vulnerabilities. | ||
cyber assurance framework (CAF) | GovCAF (cyber assessment framework) | NCSC’s cyber assurance framework has been adopted as the framework underpinning GovAssure and the assurance approach to cyber security across government, in alignment with the critical national infrastructure sectors. the CAF provides an industry standard to help an organisation achieve and demonstrate an appropriate level of cyber resilience. | Stage 3 | GovAssure |
cyber attack | A malicious attempt to damage, disrupt, or gain unauthorised access to a computer system or network. | |||
cyber crime | Criminal activities carried out using computers or the internet. | |||
Cyber GSeC | The Cyber GSeC is part of a broader suite of government security centres which look at the range of government security disciplines, from cyber security to physical and personnel security. the Cyber GSeC delivers a broad range of capabilities and services that support government organisations to improve their cyber security posture and achieve an appropriate level of cyber resilience. | N/A | GovAssure | |
cyber incidents | Events that compromise the integrity, availability, or confidentiality of digital assets. | Stage 3 | NCSC | |
cyber resilience | The ability to prepare for, respond to, and recover from cyber attacks. | Stage 3 | NCSC | |
cyber risk assessment | The process of identifying, analysing, evaluating, and reporting on cyber security vulnerabilities and threats. | Stage 3 | GovAssure | |
cyber security | cyber security | Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. it’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online. |
NCSC | |
cyber security training | The people who support the operation of your essential function(s) are appropriately trained in cyber security. a range of approaches to_cyber security_training, awareness and communications are employed. | Stage 3 | NCSC | |
cyber threat intelligence | The information a business uses to understand the cyber threats that have, will, or are currently targeting the organisation. | Stage 3 | GovAssure | |
cyber security audit | A systematic, measurable technical assessment of a system or process. it’s performed to check conformance with security policies and standards. | Stage 3 | GovAssure | |
cyber security framework | A series of documents that provide guidance on how organisations can assess and improve their ability to prevent, detect, and respond to cyber attacks. | Stage 3 | GovAssure | |
cyber security policy | A formal set of rules that guide individuals who work with IT assets and resources. | Stage 3 | GovAssure | |
data breach | A confirmed incident in which sensitive, confidential, or otherwise protected data has been accessed and/or disclosed in an unauthorised fashion. | Stage 3 | GovAssure | |
data encryption standard (DES) | A symmetric-key algorithm for the encryption of digital data. | Stage 3 | GovAssure | |
data loss | An error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing. | Stage 3 | GovAssure | |
data loss prevention (DLP) | A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorised users. | Stage 3 | GovAssure | |
data privacy | The aspect of information technology that deals with the ability an organisation or individual has to determine what data in a computer system can be shared with third parties. | Stage 3 | GovAssure | |
data protection | Measures taken to ensure that data is kept safe from corruption and that access to it is suitably controlled. this includes data at rest, data in transit, and data in use. | Stage 3 | GovAssure | |
Data Protection Act 2018 | GDPR | The Data Protection Act 2018 is a United Kingdom act of parliament which updates data protection laws in the UK. It is a national law which complements the European Union’s general data protection regulation and replaces the Data Protection Act 1998 | N/A | GovAssure |
decision-makers | Individuals or bodies responsible for making choices or judgments. | Stage 3 | NCSC | |
decryption | The process of converting encrypted data back in to its original form. | |||
dedicated devices | devices used for a specific purpose and not for general computing tasks. | Stage 3 | NCSC | |
demilitarized zone (DMZ) | Segment of a network where servers accessed by less trusted users are isolated. the name is derived from the term ‘demilitarised zone’. | Stage 3 | BSI/SANS | |
denial of service (DOS attack) | denial of service (DOS) | An interruption in an authorised user’s access to a computer network, typically one caused with malicious intent. | Stage 3 | GovAssure/SANS |
departmental security health check (DHSC) | health check | The departmental security health check was updated in 2023 at the same time as the roll out of GovAssure and is comprised of the following:_ standard – covering ‘GovS007s’, ‘physical’ standards and the standards, ‘response’ and ‘personnel’, added in 2023. best practice guide – covering two of the standards (‘GovS007s’, ‘physical’) and provided to departments to support compliance requirements and suggested evidence requirements._ |
Stage 3 | Cabinet Office |
deployment | The movement of any service component into any environment. | Stage 3 | ITIL | |
devops | an organisational culture that aims to improve the flow of value to customers. devops focuses on culture, automation, lean, measurement, and sharing (CALMS). | Stage 3 | ITIL | |
digital certificate | A digital certificate is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI). | NCSC | ||
digital footprint | The trail of data left behind by a person’s online activity. | |||
digital forensics | The process of collecting and analysing evidence from digital devices. | |||
digital rights management (DRM) | A systematic approach to copyright protection for digital media. | Stage 3 | GovAssure | |
disaster | A sudden unplanned event that causes great damage or serious loss to an organisation. a disaster results in an organisation failing to provide critical business functions for some predetermined minimum period of time. | Stage 3 | ITIL | |
disaster recovery plan (DRP) | business continuity plan | A disaster recovery plan (DRP) is a documented, structured approach that describes how an organisation can quickly resume operations after an unplanned incident. a DRP is an essential part of a business continuity plan (BCP). | Stage 3 | SANS |
disruption | A circumstance or event that interrupts or prevents the correct operation of system services and functions. | Stage 3 | SANS | |
distributed denial of service (DDOS) attack | A type of cyber-attack that involves multiple computers or other devices being used to overwhelm the targeted system, causing a denial of service for users of the targeted system. | Stage 3 | GovAssure/SANS | |
domain name system (DNS) | The domain name system (DNS) is the way that internet domain names are located and translated into internet protocol addresses. A domain name is a meaningful and easy-to-remember “handle” for an internet address. | Stage 3 | GovAssure/SANS | |
download | To transfer a file from a remote computer to your local computer. | |||
due diligence | Due diligence is the requirement that organisations must develop and deploy a protection plan to prevent fraud, abuse, and additional deploy a means to detect them if they occur. | SANS | ||
encryption | The method by which information is converted into secret code that hides the information’s true meaning. | Stage 3 | GovAssure | |
endpoint protection | Security software placed on end-user devices including PCs, laptops, and mobile devices to protect them from threats. | Stage 3 | GovAssure | |
enhanced profile | See in scope system | Stage 2 | GovAssure | |
environment | A subset of the IT infrastructure that is used for a particular purpose, for example a live environment or test environment. can also mean the external conditions that influence or affect something. | Stage 3 | ITIL | |
essential service(s) | critical service key service functions |
A service an organisation provides that either the UK public rely on (daily/near daily), or that is essential for maintaining societal or economic activities. an essential service could also be activities delivered that are fundamental to the delivery of an organisation’s overall mission. not being able to deliver them, would prohibit it from being able to operate its objectives or mission. | Stage 1 | GovAssure |
event | An event is an observable occurrence in a system or network. | Stage 3-4 | SANS | |
exploit | A piece of software or code that takes advantage of a vulnerability in a system. | |||
exposure | A threat action whereby sensitive data is directly released to an unauthorised entity. | SANS | ||
firewall | Hardware or software used to prevent unauthorised access to or from a network. | Stage 3 | NCSC/SANS | |
firmware | Permanent software embedded into the memory of hardware devices. | |||
gateway | A network point that acts as an entrance to another network. | SANS | ||
GDPR | data protection act 2018 | The general data protection regulation is a set of rules designed to give EU citizens more control over their personal data. | N/A | NCSC |
gigabyte (GB) | A unit of digital information equal to 1,024 megabytes. | |||
govassure | the cyber security scheme covering UK government designed to assess and improve the security of critical systems within government organisations. | |||
governance | The framework of tools, processes and policies for overseeing and managing an organisation’s IT strategy alignment with broader business objectives | Stage 3 | GovAssure | |
government cyber security strategy (GCSS) | This strategy sets out the government’s approach to building a cyber resilient public sector. | Stages 1-5 | GovAssure | |
government functional standard govs007: security | Security specific functional standard that is part of a suite of functional standards designed to promote consistent and coherent working within government organisations and across organisational boundaries. The GovS007: security standard sets expectations for protecting: – the government’s assets (people, property and information) – visitors to government property, and third party suppliers whilst engaged on government business. – citizen data. It comprises of the government security standards (cyber assessment framework and government CAF profiles and the government security policy & guidance collated in the cyber policy handbook. |
Stages 1-5 | Cabinet Office | |
hacker | A person who uses computers to gain unauthorised access to data. | |||
hardening | Hardening is the process of identifying and fixing vulnerabilities on a system. | SANS | ||
hardware | The physical components of a computer system. | |||
hashing | A one-way function that converts data into a unique fixed-length string. | |||
host | Any computer that has full two-way access to other computers on the internet. or a computer with a web server that serves the pages for one or more web sites. | SANS | ||
https | A secure protocol for transmitting data over the internet. | |||
hyperlink | A clickable link that takes you to another webpage or document. | |||
identity | A unique name that is used to identify and grant system access rights to a user, person, or role. | Stage 3 | ITIL/SANS | |
identity and access management (IdAM) | identity and access management (IAM) access control access management |
The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. | Stage 3 | GovAssure |
identity profile | A collection of attributes that uniquely identify a user or system. | Stage 3 | NCSC | |
identity theft | The fraudulent acquisition and use or a person’s private identifying information, usually for financial gain. | |||
identity validation | The process of ensuring that an identity matches a known set of attributes. | Stage 3 | NCSC | |
identity verification | Confirming the identity of a user or system. | Stage 3 | NCSC | |
impact | The effect or influence of an event, action, or decision. | Stage 3 | NCSC | |
in scope system(s) | An in-scope system will look different for different departments and should link back to a department’s annual reporting, departmental outcome delivery plans and wider strategic documentation. In-scope systems will include critical national infrastructure, operators of essential services, or fundamental departmental outputs. Identifying the network and information systems in scope will feed down from the essential services that were previously identified in Stage 1 of GovAssure. | Stage 2 | GovAssure | |
incident | An unplanned interruption to a service or reduction in the quality of a service. | Stage 3 | ITIL/SANS | |
incident management | The process of identifying, analysing, and correcting disturbances in the IT infrastructure while also preventing future incidents. | Stage 3 | GovAssure | |
incident response plan | A set of instructions to help it staff detect, respond to, and recover from network security incidents. | Stage 3 | GovAssure | |
independent assurance | Verification from a third-party that processes or systems meet defined criteria. | Stage 3 | NCSC | |
independent assurance review (IAR) | assurance review | Objective third-party validation of the department’s completed self assessment against the CAF. This includes verifying and assessing the quality of evidence and information provided by departments to demonstrate how they have met the indicators of good practice against the relevant security outcomes of the CAF profile. This could also include conducting interviews with departmental staff. The reviewer will author their findings and provide a final report for the department to consider in the construction of their targeted improvement plan. | Stage 4 | GovAssure |
independent assurance review report (IARR) | The report produced by the independent assessors, detailing the findings of the independent assurance review (IAR). | Stage 5 | GovAssure | |
indicator of good practice (IGP) | The indicator of good practice describes the intended level that departments need to reach to achieve the relevant contributing outcome. As part of the department’s self assessment against the CAF, organisations will show how they meet each contributing outcome of the CAF by providing statements and evidence relevant to the stated IGP. The IGPs themselves are non-exhaustive and departments may implement additional good practice which would otherwise return an “achieved” or “partially achieved” contributing outcome. They are also intended to help inform expert judgement of what an assessor will need to consider when assessing a completed departmental return against the CAF. | Stage 3 | GovAssure | |
information assurance (IA) | Measures that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. | Stage 3 | GovAssure | |
information management | Information management (IM) is the appropriate and optimised capture, storage, retrieval, and use of information. | Gov007 | ||
information systems | A set of interconnected components for collecting, storing, and processing data. | Stage 3 | NCSC | |
information technology (IT) | The use of computers and software to manage information. | Stage 3 | NCSC | |
infrastructure | The foundational services and facilities needed for the functioning of a system or organisation. | Stage 3 | NCSC | |
integrity | Integrity is the need to ensure that information has not been changed accidentally or deliberately and that it is accurate and complete. | ITIL/SANS | ||
internet | A global network of interconnected computer networks. | |||
internet protocol (IP) address | A unique numerical address assigned to every device connected to the internet. | |||
internet service provider (ISP) | A company that provides internet access to customers. | |||
intrusion detection system (IDS) | network-based IDS | A security management system for computers and networks. an IDS gathers and analyses information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organisation) and misuse (attacks from within the organisation). | SANS | |
Javascript | A programming language commonly used to create interactive effects within web browsers. | |||
key performance indicator (KPI | An important metric used to evaluate the success in meeting an objective. | Stage 3 | ITIL | |
keylogger | A type of surveillance software (considered to be either software of spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. | |||
kilobyte (KB) | A unit of digital information equal to 1,024 bytes. | |||
local area network (LAN) | A computer network that spans a relatively small area. | |||
lead government department (LGD) | Ministerial or non-ministerial department who holds responsibilities for range of arm’s length bodies or non-departmental public bodies for example through financial and or political accountability | N/A | GovAssure | |
least privilege | Least privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function. | SANS | ||
logging | The practice of recording events or transactions for monitoring purposes. | Stage 3 | NCSC | |
logic bombs | Logic bombs are programs or snippets of code that execute when a certain predefined event occurs. logic bombs may also be set to go off on a certain date or when a specified set of circumstances occurs. | SANS | ||
logical separation | The division of resources or processes in a way that they operate independently but share the same physical infrastructure. | Stage 3 | NCSC | |
mac address | A physical address; a numeric value that uniquely identifies that network device from every other device on the planet. | |||
machine learning | A type of AI that allows software applications to become more accurate in predicting outcomes without being explicitly programmed to do so. | |||
malicious code | Software (e.g., trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorised access to system resources or tricks a user into executing other malicious logic. | SANS | ||
malware | Derived from ‘malicious software’, malware is any kind of software that can damage computer systems, networks or devices. includes viruses, ransomware and trojans. | Stage 3 | NCSC | |
man-in-the-middle attack (MITM | A man-in-the-middle attack is a type of cyber attack in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. the attack is a type of eavesdropping in which the attacker intercepts and then controls the entire conversation. | SANS | ||
minimum cyber security standard (MCSS) | The legacy cyber standard for government that was withdrawn in July 2023 | Stage 3 | GovAssure | |
mission | used as part of the GovAssure scoping document to provide a concise statement that explains an organisations purpose, objectives, and how it achieves them. | GovAssure | ||
mitigation | Actions taken to reduce the severity or impact of a risk or incident. | Stage 3 | NCSC | |
MITRE ATT&CK� | Mitre attack chain | A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations | Stage 3 | MITRE |
monitoring | The continuous observation of a system or process. | Stage 3 | NCSC | |
multi factor authentication (MFA) | A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. | Stage 3 | GovAssure | |
national cyber strategy | A government’s plan for securing its nation’s cyber infrastructure. | Stage 1 | NCSC | |
National Institute of Standards and Technology (NIST) | National institute of standards and technology, a unit of the US commerce department. formerly known as the national bureau of standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards. | NIST | ||
national technical authorities | National technical authorities (NTAs) are organisations in the UK that provide advice and security services to protect the country’s interests, for example NCSC, NPSA, CESG, UK NACE and NTAC. | Cabinet Office | ||
National Cyber Security Centre (NCSC) | The UK government department responsible for providing advice and support for the public and private sector in how to avoid cyber security threats. | N/A | GovAssure | |
network | A group of two or more connected computing devices. | |||
network and information systems (NIS) regulations | UK legislation aimed at improving the security and resilience of critical services. | N/A | NCSC | |
networks & information systems (NIS) regulations | EU legislation aimed at improving cyber security across member states. | N/A | NCSC | |
network security | The practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware. | Stage 3 | GovAssure | |
node | A device connected to a network. | |||
objective a: managing security risk | NCSC terminology for the CAF Objective a – managing security risk, assesses if there are appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions. | Stage 3 | NCSC | |
objective b: protecting against cyber attack | NCSC terminology for the CAF Objective b: protecting against a cyber attack details the security objectives for proportionate security measures to protect the networks and information systems supporting essential functions from cyber attack. | Stage 3 | NCSC | |
objective c: minimising the impact of cyber security incidents | NCSC terminology for the CAF Objective c – minimising the impact of cyber security incidents, assesses if capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions. | Stage 3 | NCSC | |
objective d: detecting cyber security events | NCSC terminology for the CAF Objective d: detecting cyber security events details the security objectives dealing with capabilities to minimise the adverse impact of a cyber security incident on the operation of essential functions, including the restoration of those functions where necessary. | Stage 3 | NCSC | |
operating system (OS) | The software that manages a computer’s hardware and software resources. | |||
operational technology | Technology that interfaces with the physical world and includes industrial control systems (ICS), supervisory control and data acquisition (SCADA) and distributed control systems (DCS). | Stage 3 | NCSC glossary | |
operators of essential services (OES) | Organisations that provide services critical for societal and economic well-being. | N/A | NCSC | |
organisational structures | The hierarchical arrangement of roles and responsibilities within an organisation. | Stage 3 | NCSC | |
open systems interconnection (OSI) | OSI (open systems interconnection) is a standard description or “reference model” for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementers so that their products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunication make an attempt to describe themselves in relation to the OSI model. It is also valuable as a single reference view of communication that furnishes everyone a common ground for education and discussion. | SANS | ||
packet | A small unit of data transmitted over a network. | |||
password | A secret string of characters used to authenticate a user. | |||
patch | A patch is a small update released by a software manufacturer to fix bugs in existing programs. | SANS | ||
patching | Patching is the process of updating software to a different version. | SANS | ||
payload | The part of malware that performs the malicious action. | |||
penetration | Gaining unauthorised logical access to sensitive data by circumventing a system’s protections. | SANS | ||
penetration testing | An authorised test of a computer network or system, designed to look for security weaknesses with the end aim of fixing them. | Stage 3 | NCSC | |
phishing | Scam emails or text messages that contain links to websites which may contain malware, or may trick users into revealing sensitive information (such as passwords) or transferring money. | N/A | ||
physical controls | physical security | Security measures that involve physical actions, like locks or guards. | Stage 3 | NCSC |
platform | A base upon which applications or services are developed and run. | Stage 3 | NCSC | |
policy | A set of guidelines or rules that dictate actions or procedures. | Stage 3 | NCSC | |
port scan | A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides. Port scanning, a favourite approach of computer crackers, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness. | SANS | ||
principle | These are a set of principles within NCSC's CAF that guide the protection of information and systems from cyber threats. They include ideas such as protecting information, understanding the organisation, user education and awareness, incident management, etc. | Stage 3 | NCSC | |
privileged access | Access rights that allow users to perform actions that regular users cannot. | Stage 3 | NCSC | |
problem management practice | The practice of reducing the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds and known errors. | Stage 3 | ITIL | |
process | A series of actions or steps taken to achieve a particular outcome. | Stage 3 | NCSC | |
protocol | A set of rules or procedures for transmitting data between electronic devices. | |||
proxy server | A server that acts as an intermediary between a client and another server. | |||
ransomware | A type of malicious software designed to block access to a computer system until a sum of money is paid. | Stage 3 | GovAssure/SANS | |
reconnaissance | Reconnaissance is the phase of an attack where an attacker finds new systems, maps out networks, and probes for specific, exploitable vulnerabilities. | SANS | ||
red team | A group of white-hat hackers that attack an organisation’s digital infrastructure as an attacker would in order to test the organisation’s defences. | Stage 3 | GovAssure | |
remote access | The ability to access a computer or network from a different location. | Stage 3 | NCSC | |
resilience | The ability of a system or network to recover quickly from any damage, errors, or interruptions and to maintain service continuity. | Stage 3 | GovAssure | |
risk | Possible future outcomes that we can describe in terms of their chances of occurrence, and the impact they would have if realised. | Stage 3 | NCSC | |
risk appetite | The level of risk that an organisation is prepared to take in pursuit of its objectives. | Stage 3 | NCSC | |
risk assessment | The identification and evaluation of risks. | Stage 3 | NCSC/SANS | |
risk management | The process of identifying, assessing, and controlling risks to an organisation’s IT systems. | Stage 3 | NCSC | |
role based access control | Role based access control assigns users to roles based on their organisational functions and determines authorisation based on those roles. | SANS | ||
router | A networking device that forwards data packets between computer networks. | |||
scoping of service and in-scope systems | The process that a department will follow to identify their essential services and supporting systems that will be in scope for a GovAssure review. | Stage 2 | GovAssure | |
secure by design (SBD) | A concept in which systems and software are designed from the ground up to be secure. Security is considered in every aspect of design and is an integral part of the entire system life cycle. | Stage 3 | GovAssure | |
security architecture | A detailed view of the network and security controls in the information system. It includes the placement of hardware and software components and describes the security controls and how they relate to the overall systems architecture. | Stage 3 | GovAssure | |
security control | A safeguard or countermeasure to avoid, detect, counteract, or minimise security risks to physical property, information, computer systems, or other assets. | Stage 3 | GovAssure | |
security culture | culture | Organisations responsible for essential functions should aim to create a positive security culture, where people are aware of their role in maintaining security and actively take part and contribute to improving security. This is particularly important where a technical solution is not possible, so security relies on people making the right cyber security decisions. Developing a positive security culture is likely to take some time, with some changes possibly taking years to become established, and is unlikely to be achieved simply through written guidance or training events. | Stage 3 | NCSC |
security information and event management (SIEM) | Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. | Stage 3 | GovAssure | |
security monitoring | Active analysis by organisations of logging information to look for signs of attacks or unusual behaviour, to help detect events that could be considered an incident and to respond accordingly. | Stage 3 | NCSC | |
security operations centre (SOC) | A facility where enterprise information systems (web sites, applications, databases, data centres and servers, networks, desktops and other endpoints) are monitored, assessed, and defended. | Stage 3 | GovAssure | |
security policy | A set of criteria for the provision of security services that system managers use to manage the protection of the system and its data. | Stage 3 | GovAssure/SANS | |
security risks | Potential threats that could exploit vulnerabilities. | Stage 3 | NCSC | |
security threats | threat | Events or actors that have the potential to harm an organisation. | Stage 3 | NCSC/Gov007 |
self assessment | The process which an organisation will undertake to assess an in-scope system against either the CAF baseline or enhanced profile. | Stage 3 | GovAssure | |
sensitive information | Sensitive information, as defined by the federal government, is any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives. | SANS | ||
sensitive systems | Systems that handle confidential or critical information. | Stage 3 | NCSC | |
separation of duties | Separation of duties is the principle of splitting privileges among multiple individuals or systems. | SANS | ||
server | A computer that provides services to other computers over a network. | |||
single sign-on (SSO) | Using a single set of credentials (such as the same login and password combination) to access multiple services. | Stage 3 | NCSC | |
smishing (SMS phishing) | A type of cyber crime that uses text messages to trick people into sharing sensitive information or downloading malware. | N/A | ||
social engineering | The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. | |||
software | Programs and applications that enable computer functions. | Stage 3 | NCSC | |
spam | Electronic junk mail or junk newsgroup postings. | SANS | ||
spoof | Attempt by an unauthorised entity to gain access to a system by posing as an authorised user. | SANS | ||
spoofing | A type of attack where an attacker masquerades as a trusted source. | |||
spyware | Malware that secretly monitors a user’s activity. | |||
structured query language (SQL) injection | A code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). | |||
staff awareness and training | user education and awareness; cyber security training | The process of training and informing users about security best practices and potential cyber threats, and the steps they can take to mitigate these threats. Also a principle within the CAF: staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions. | Stage 3 | NCSC/Gov007 |
Stage 1 of GovAssure: organisational context and services | Initiation and identification of essential services and functions is about understanding the context of the department and using this context to understand the scope of the GovAssure review. GSG and the department will discuss essential services, the IT environment and key IT supplier relationships, threat drivers, risk management approaches, and roles and responsibilities before commencing the formal scoping process of GovAssure. | Stage 1 | GovAssure | |
Stage 2 of GovAssure: in-scope systems & assignment to government CAF profile | Scoping of critical systems and assigning the appropriate government CAF profile where GSG and the department will identify the network and information systems in scope for GovAssure; identify system boundaries including dependencies where applicable; agree which threat profile applies to the system being assessed, baseline or enhanced; and provide justification for selected systems. | Stage 2 | GovAssure | |
Stage 3 of GovAssure: self assessment | Self assessment is where departments conduct a self assessment of each individual in-scope system against the CAF and the agreed government CAF profile for that system. The self assessment will provide an outcome-focused assessment against fourteen principles across four broad objectives: | Stage 3 | GovAssure | |
Stage 4 of GovAssure: independent assurance review | Independent assurance review. Once an organisation or department's self assessment has been completed, an independent assessor will assess the return. The assurance review will assess whether the organisation meets or does not meet the contributing outcome as evidenced against the requirements. Upon completing their review, the independent reviewer will author a final assessment. This will be the independent assurance review report. | Stage 4 | GovAssure | |
Stage 5 of GovAssure: final assessment and targeted improvement plan | Final stage and targeted improvement plan is where the GovAssure team will author a pre-populated document outlining whether or not the department’s systems have met the government assigned CAF profiles that it assessed itself against. The final assessment will consist of a summary report and a more detailed technical report with follow-up activities to be recorded by the organisation to align with the profile. | Stage 5 | GovAssure | |
supply chain risk management | The implementation of strategies to manage both everyday and exceptional risks along the supply chain, to reduce vulnerability and ensure continuity. | Stage 3 | GovAssure | |
target government CAF profile | government CAF profile; CAF target profile | A profile, assigned to in-scope critical systems, that determines the target security state for the system at a contributing outcome level. | Stage 2 – 5 | GovAssure |
targeted improvement plan (TIP) | A prioritised plan to resolve areas identified as requiring improvement to achieve the target CAF profile. | Stage 5 | GovAssure | |
threat assessment | A threat assessment identifies types of threats that an organisation might be exposed to. | SANS | ||
threat assumptions | Hypothetical scenarios used for planning and risk assessment. | Stage 3 | NCSC | |
threat intelligence | Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard. | Stage 3 | GovAssure | |
threat model | A threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability. | SANS | ||
threat vector | A path or tool that a threat actor uses to attack the target. | Stage 3 | GovAssure/SANS | |
time-bound rights | Access or permissions that are limited to a specific time period. | Stage 3 | NCSC | |
topology | The geometric arrangement of a computer system. Common topologies include a bus, star, and ring. The specific physical, i.e., real, or logical, i.e., virtual, arrangement of the elements of a network. Note 1: two networks have the same topology if the connection configuration is the same, although the networks may differ in physical interconnections, distances between nodes, transmission rates, and/or signal types. Note 2: the common types of network topology are illustrated | SANS | ||
transmission control protocol (TCP) | A set of rules (protocol) used along with the internet protocol to send data in the form of message units between computers over the internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the internet. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent. | SANS | ||
transport layer security (TLS) | A protocol that ensures privacy between communicating applications and their users on the internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the secure sockets layer. | SANS | ||
trojan horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorisations of a system entity that invokes the program. | SANS | ||
trust | Determines which permissions and what actions other systems or users can perform on remote machines (see also: trusted ports). | SANS | ||
two-factor authentication (2FA) | A method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, and 2) something they have. | Stage 3 | GovAssure | |
UK critical national infrastructure (CNI) | Assets, services, and systems in the UK that are essential for national security and public well-being. | Stage 1 | NCSC | |
unauthorised individuals | Persons who do not have permission to access specific resources. | Stage 3 | NCSC | |
upload | To transfer a file from your local computer to a remote computer. | |||
user | A person, organisation entity, or automated process that accesses a system, whether authorised to do so or not. | SANS | ||
user permissions | The rights granted to a user for accessing resources. | Stage 3 | NCSC | |
user rights | The privileges or permissions assigned to a user. | Stage 3 | NCSC | |
virtual private network (VPN) | A secure connection that extends a private network across a public network. | |||
virus | A type of malware that is designed to infect legitimate software programs and replicates across networks when those programs are activated. | Stage 3 | NCSC | |
vulnerability | A weakness, or flaw, in software, a system or process. An attacker exploits these to (for example) gain unauthorised access to a computer system. | Stage 3 | NCSC | |
vulnerability assessment | The process of identifying, quantifying, and prioritising the vulnerabilities in a system. | Stage 3 | GovAssure | |
vulnerability scanning | The process of inspecting the potential points of exploit on a computer or network to identify security holes. | Stage 3 | GovAssure | |
wide area network (WAN) | A computer network that spans a large geographical area. | |||
wireless security | The prevention of unauthorised access or damage to computers or data using wireless networks. | Stage 3 | GovAssure | |
worm | A type of malware that spreads from one computer to another without human interaction. | |||
zero-day exploit | An exploit that attacks a previously unknown vulnerability. |