Since this page contains information from nearly all other pages, this will remain under active construction until all notes have been fully updated.
Acronyms, Abbreviations, and Initialisms
Please note that not all acronyms, abbreviations, and initialisms listed below have a simple definition in the glossary. Some describe concepts, organizations, laws, standards, guidance, or models that need a fuller explanation and may have a page or pages of their own. For this reason, we chose not to link any entry below directly to an individual page or anchor. Please use the search feature to locate and research these terms.
Short Form | Full Form |
--- | --- |
ABAC | Attribute-Based Access Control |
ACL | Access Control List |
AICPA | American Institute of Certified Public Accountants |
ALE | Annualized Loss Expectancy |
ANF | Application Normative Framework |
ANSI | American National Standards Institute |
AoC | Attestation of Compliance |
AONT-RS | All-or-Nothing-Transform with Reed-Solomon |
APEC | Asia-Pacific Economic Cooperation |
API | Application Programming Interface |
APP | Australian Privacy Principles |
APT | Advanced Persistent Threat |
ARO | Annual Rate of Occurrence |
ARRA | American Recovery and Reinvestment Act |
ASMP | Application Security Management Process |
AST | Application Security Testing |
ASV | Approved Scanning Vendor |
ATASM | Architecture, Threats, Attack Surfaces, and Mitigations |
AUP | Agreed-Upon Procedures |
AV | Asset Value |
BC | Business Continuity |
BCM | Business Continuity Management |
BCP | Business Continuity Plan |
BCR | Binding Corporate Rule |
BIA | Business Impact Analysis |
BICSI | Building Industry Consulting Services International |
BOSS | Business Operation Support Services |
BPA | Best Practices Analyzer |
CaaS | Compliance as a Service |
CAIQ | Consensus Assessments Initiative Questionnaire |
CAMP | Cloud Application Management for Platforms |
CapEx | Capital Expenditure |
CASB | Cloud Access Security Broker |
CBA | Cost-Benefit Analysis |
CBPR | Cross-Border Privacy Rules |
CC | Common Criteria |
CCL | Commerce Control List |
CCM | Cloud Controls Matrix |
CCRA | Cloud Computing Reference Architecture |
CDN | Content Delivery Network |
CI | Configuration Item |
CICA | Canadian Institute of Chartered Accountants |
CI/CD | Continuous Integration and Continuous Delivery |
CIP | Critical Infrastructure Plan |
CIS | Center for Internet Security |
CISA | Cybersecurity and Infrastructure Security Agency |
CJEU | Court of Justice of the European Union |
CMM | Capability Maturity Model |
CMVP | Cryptographic Module Validation Program |
COBIT | Control Objectives for Information and Related Technologies |
CompaaS | Compliance as a Service |
COPPA | Children's Online Privacy Protection Act |
CORS | Cross-Origin Resource Sharing |
CPEA | Cross-Border Privacy Enforcement Arrangement |
CSA | Cloud Security Alliance |
CSB | Cloud Service Broker |
CSC | Cloud Service Customer; Critical Security Controls (formerly) |
CSCC | Cloud Standards Customer Council |
CSIM | Continual Service Improvement Management |
CSIRT | Computer Security Incident Response Team |
CSN | Cloud Service Partner |
CSP | Cloud Service Provider |
CSPRNG | Cryptographically Secure Pseudo Random Number Generator |
CSRF | Cross-Site Request Forgery |
CST | Cryptographic and Security Testing |
CVE | Common Vulnerabilities and Exposures |
CVSS | Common Vulnerability Scoring System |
CWE | Common Weakness Enumeration |
DAM | Database Activity Monitoring |
DAR | Data at Rest |
DAST | Dynamic Application Security Testing |
DBMS | Database Management System |
DDoS | Distributed Denial-of-Service |
DIM | Data in Motion |
DIT | Data in Transit |
DIU | Data in Use |
DMCA | Digital Millennium Copyright Act |
DLP | Data Leak Prevention; Data Loss Prevention |
DOC | Department of Commerce |
DoS | Denial-of-Service |
DOT | Department of Transportation |
DPA | Data Protection Act |
DPD | Data Protection Directive |
DR | Disaster Recovery |
DRM | Digital Rights Management |
DRP | Disaster Recovery Plan |
DRS | Distributed Resource Scheduling |
DSaaS | Data Science as a Service |
DSS | Data Security Standards |
DTD | Document Type Definition |
EA | Enterprise Architecture |
EAL | Evaluation Assurance Level |
EAR | Export Administration Regulations |
ECB | Electronic Code Book |
ECPA | Electronic Communication Privacy Act |
eDiscovery | Electronic Discovery |
EDoS | Economic Denial-of-Service |
EEA | European Economic Area |
EF | Exposure Factor |
EFS | Encrypting File System |
EFTA | European Free Trade Association |
EHR | Electronic Health Record |
EL | Expression Language |
ELK | Elasticsearch, Logstash, Kibana |
ENISA | European Union Agency for Cybersecurity |
ePHI | Electronic Protected Health Information |
ERM | Enterprise Risk Management |
ESI | Electronically Stored Information |
EU | European Union |
FADP | Federal Act on Data Protection |
FAM | File Activity Monitoring |
FDE | Full Disk Encryption |
FDPIC | Federal Data Protection and Information Commissioner |
FedRAMP | Federal Risk and Authorization Management Program |
FERPA | Family Educational Rights and Privacy Act |
FIM | Federated Identity Management |
FIPS | Federal Information Processing Standard |
FISMA | Federal Information Security Management Act |
FPE | Format-Preserving Encryption |
FS | Forward Secrecy |
FT | Fault Tolerance |
FTC | Federal Trade Commission |
FTP | File Transfer Protocol |
GAAP | Generally Accepted Accounting Principles |
GDPR | General Data Protection Regulation |
GLBA | Gramm-Leach-Bliley Act |
HA | High Availability |
HHS | Department of Health and Human Services |
HIPAA | Health Insurance Portability and Accountability Act |
HITECH | Health Information Technology for Economic and Clinical Health |
HQL | Hibernate Query Language |
HSM | Hardware Security Module |
HSTS | HTTP Strict Transport Security |
HTTP | Hypertext Transfer Protocol |
HTTPS | Hypertext Transfer Protocol Secure |
IaaS | Infrastructure as a Service |
IAASB | International Auditing and Assurance Standards Board |
IaC | Infrastructure as Code |
IAM | Identity and Access Management |
IAST | Interactive Application Security Testing |
IDCA | International Data Center Authority |
IdP | Identity Provider |
IDS | Intrusion Detection System |
IEC | International Electrotechnical Commission |
IG | Implementation Group |
IGO | Intergovernmental Organization |
IMT | Incident Management Team |
IoT | Internet of Things |
IP | Intellectual Property |
IPS | Intrusion Prevention System |
IRM | Information Rights Management |
IRT | Incident Response Team |
ISA | Internal Security Assessor |
ISM | Information Security Management |
ISMS | Information Security Management System |
ISO | International Organization for Standardization |
ISP | Information Security Plan; Internet Service Provider |
IT | Information Technology |
ITA | International Trade Administration |
ITAR | International Traffic in Arms Regulations |
ITIL | Information Technology Infrastructure Library (formerly) |
ITOS | Information Technology Operation and Support |
ITSM | Information Technology Service Management |
JSON | JavaScript Object Notation |
JWT | JSON Web Token |
KEV | Known Exploited Vulnerabilities |
KRI | Key Risk Indicator |
KVM | Kernel-based Virtual Machine |
LDAP | Lightweight Directory Access Protocol |
LOI | Letter of Intent |
MAD | Maximum Allowable Downtime |
MD5 | Message-Digest Algorithm |
MDT | Microsoft Deployment Toolkit |
MFA | Multifactor Authentication |
MOA | Memorandum of Agreement |
MOU | Memorandum of Understanding |
MSP | Managed Service Provider |
MTBF | Mean Time Before Failure |
MTD | Maximum Tolerable Downtime |
MTTR | Mean Time to Repair |
MTTS | Mean Time to Switchover |
NaaS | Network as a Service |
NBI | Northbound Interface |
NEC | National Electrical Code |
NERC | North American Electric Reliability Corporation |
NFPA | National Fire Protection Association |
NIS | Network and Information Security |
NIST | National Institute of Standards and Technology |
NPI | Nonpublic Personal Information |
NVD | National Vulnerability Database |
NVLAP | National Voluntary Laboratory Accreditation Program |
OCR | Office for Civil Rights |
OECD | Organization for Economic Co-operation and Development |
OGNL | Object Graph Navigation Library |
OIDC | OpenID Connect |
OLA | Operational-Level Agreement |
OMB | Office of Management and Budget |
ONF | Organizational Normative Framework |
OpEx | Operational Expenditure |
ORM | Object Relational Mapping |
OS | Operating System |
OWASP | Open Web Application Security Project |
PaaS | Platform as a Service |
PAN | Primary Account Number |
PASTA | Process for Attack Simulation and Threat Analysis |
PCI | Payment Card Industry |
PDCA | Plan-Do-Check-Act |
PDPA | Personal Data Protection Act |
PFI | PCI Forensic Investigator |
PHI | Protected Health Information |
PI | Personal Information |
PII | Personally Identifiable Information |
PIPEDA | Personal Information Protection and Electronic Documents Act |
PKCS | Public Key Cryptography Standards |
PLA | Privacy-Level Agreement |
PMF | Privacy Management Framework |
PP | Protection Profile |
QA | Quality Assurance |
QSA | Qualified Security Assessor |
RASP | Runtime Application Self-Protection |
RBAC | Role-Based Access Control |
RCE | Remote Code Execution |
RDM | Release and Deployment Management |
REST | Representational State Transfer |
RMF | Risk Management Framework |
ROC | Report of Compliance |
ROI | Return on Investment |
RPO | Recovery Point Objective |
RSL | Recovery Service Level |
RSO | Reduced Sign-On |
RTO | Recovery Time Objective |
SaaS | Software as a Service |
SABSA | Sherwood Applied Business Security Architecture |
SAD | Sensitive Authentication Data |
SAML | Security Assertion Markup Language |
SAQ | Self-Assessment Questionnaire |
SAS | Statement on Auditing Standards |
SAST | Static Application Security Testing |
SBI | Southbound Interface |
SBU | Sensitive But Unclassified |
SCA | Source Code Analysis; Stored Communications Act |
SCC | Standard Contractual Clause |
SCIM | System for Cross-domain Identity Management |
SDLC | Software Development Lifecycle |
SDN | Software-Defined Networking |
SEC | Securities and Exchange Commission |
SHA | Secure Hash Algorithm |
SIEM | Security Information and Event Management |
SLE | Single Loss Expectancy |
SLM | Service Level Management |
SMSS | Secret Sharing Made Short |
SMTP | Simple Mail Transfer Protocol |
SOA | Service-Oriented Architecture |
SOAP | Simple Object Access Protocol |
SOC | System and Organization Controls |
SOX | Sarbanes-Oxley |
SP | Special Publication |
SPML | Service Provisioning Markup Language |
SQL | Structured Query Language |
SSAE | Statement on Standards for Attestation Engagements |
SSO | Single Sign-On |
SSRF | Server-Side Request Forgery |
ST | Security Target |
STAR | Security, Trust, Assurance, and Risk |
TADP | Trans-Atlantic Data Privacy |
TCI | Trusted Cloud Initiative |
TLS | Transport Layer Security |
TOCTOU | Time-of-Check, Time-of-Use |
TOE | Target of Evaluation |
TOTP | Time-Based One-Time Password |
TPM | Trusted Platform Module |
TSC | Trust Services Criteria |
TSP | Trust Services Principles |
TTP | Tactics, Techniques, and Procedures |
UC | Underpinning Contract |
UPS | Uninterruptible Power Supply |
U.S. | United States |
U.S.C. | United States Code |
USG | United States Government |
USML | United States Munitions List |
VLAN | Virtual Local Area Network |
VMI | Virtual Machine Introspection |
VPN | Virtual Private Network |
WAF | Web Application Firewall |
WDE | Whole Disk Encryption |
WORM | Write Once, Read Many |
WRT | Work Recovery Time |
WSTG | Web Security Testing Guide |
XML | Extensible Markup Language |
XSS | Cross-Site Scripting |
XXE | XML External Entities |
ZAP | Zed Attack Proxy |