This section explains the policy and management side of cybersecurity: risk assessment, controls, audit logs, segregation of duties, and compliance vocabulary.
Use it when the term is about governance, accountability, or control structure rather than technical mechanics alone. It is most useful for security leaders, auditors, and compliance-focused teams.
- Acceptable Use Policy for Security and IT Access
An acceptable use policy defines the rules for how employees, contractors, or other users are allowed to use organizational systems, accounts, devices, and data.
- Asset Inventory for Security Coverage
An asset inventory is the maintained record of the systems, devices, applications, identities, and other resources an organization needs to track and protect.
- Compensating Controls for Security Gaps
A compensating control is an alternative safeguard used to reduce risk when the preferred or standard control is not fully available.
- Compliance Frameworks for Security Governance
A compliance framework is a structured set of requirements or control expectations used to guide and assess security and accountability practices.
- Control Mapping for Compliance Evidence
Control mapping is the process of linking security controls to specific risks, policies, standards, or compliance requirements they are meant to address.
- Control Objectives for Security Outcomes
A control objective is the specific security outcome a control is supposed to achieve.
- Data Classification for Security Handling
Data classification is the practice of labeling data by sensitivity or importance so controls and handling requirements can match the risk.
- Data Loss Prevention Controls
Data loss prevention is the combination of policies and controls used to reduce the chance that sensitive data is exposed, moved, or shared in ways the organization did not intend.
- Exception Management for Security Standards
Exception management is the process for documenting, reviewing, approving, and tracking departures from a standard security requirement or baseline.
- Log Retention for Security Evidence
Log retention is the policy and practice of keeping security-relevant logs for a defined period so they remain available for monitoring, investigation, and evidence needs.
- Policy Exception for Security Requirements
A policy exception is an approved departure from a normal security requirement, usually with conditions, risk acknowledgment, and a time limit.
- Residual Risk After Controls
Residual risk is the risk that remains after security controls and mitigation steps have already been applied.
- Risk Appetite for Security Decisions
Risk appetite is the general amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk Assessment for Security Decisions
Risk assessment evaluates likely harm, exposure, and control context so security decisions and remediation priorities are grounded in actual risk.
- Risk Register for Security Tracking
A risk register is the structured record used to track identified risks, their status, ownership, and planned treatment.
- Risk Treatment Decisions
Risk treatment is the decision about how an organization will respond to an identified security risk.
- Security Audit Log
An audit log is a record of security-relevant actions and events that helps organizations review activity, support investigations, and demonstrate accountability.
- Security Awareness Training for Safer User Behavior
Security awareness training is the ongoing education that helps users recognize security risk, follow safer behavior, and report suspicious activity.
- Security Baseline Standard
A security baseline is the standard minimum set of security settings or controls expected for a system, device, or environment.
- Security Change Management
Change management is the controlled process for planning, approving, implementing, and reviewing changes that could affect systems or security.
- Security Debt and Risk Exposure
Security debt is the accumulated burden created when security improvements, hardening, or design cleanup are deferred and the unresolved issues continue to add risk over time.
- Security Policy for Organizational Security
A security policy is a formal statement of the rules, expectations, and principles an organization uses to guide security decisions and behavior.
- Segregation of Duties in Security
Segregation of duties is the control principle of dividing critical tasks so one person does not control every step of a sensitive process.
- Shadow IT Risk
Shadow IT is the use of technology systems, services, applications, or infrastructure outside the organization’s approved security and governance processes.
- Third-Party Risk in Security
Third-party risk is the security risk introduced by vendors, service providers, partners, contractors, and other outside parties that connect to the organization or handle its data.
- Vendor Assessment for Third-Party Security Risk
A vendor assessment evaluates the security implications of relying on a third party, supplier, or service provider.
- Vendor Risk Management for Third Parties
Vendor risk management is the ongoing process of evaluating, monitoring, and reducing the security risk introduced by third-party vendors and service providers.