This glossary defines commonly used terms in cybersecurity in an enterprise-wide risk management (ERM) context. Words in italics have their own separate glossary entries, so please see cross listing for a complete understanding of definitions.

Access controls –

Mechanisms and techniques used to ensure that access to assets is authorized and restricted based on organization and security requirements.

Assessing risk-management effectiveness –

To evaluate or diagnose how well an organization risk management system is doing the right things (effectiveness) to manage risk. For internal audit/board: an objective written assessment of the effectiveness of the system of risk management and the internal control framework to the board.

BCP –

See business continuity plan (BCP).

Benchmarking –

The use of internal or external points of reference or standards against which risk management system and effectiveness may be compared, checked, or assessed.

Board –

The board of directors responsible for organization risk oversight and their equivalents in public agencies and not-for-profits.

Boom –

A term for a cyber event with all pre-event planning actions taking place left of boom and all reactionary measures happening right of boom.

Business continuity plan (BCP) –

Is typically made up of the corporate wide or level BCP and the business unit BCPs. The BCPs focus on the continuity, recovery, and resumption of the critical business unit functions (i.e., from a disruption).