Appendix A: Glossary

No: NA Date(g): 1/1/2022 | Date(h): 28/5/1443 Status: In-Force

Term

Description

Access management 

Access management is the process of granting authorized users the right to use a service, while preventing access to non-authorized users.

Audit 

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Availability 

Ensuring timely and reliable access to and use of information.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Back-up 

Files, devices, data and procedures available for use in case of a failure or loss, or in case of deletion or suspension of their original copies.

Business Continuity (BC) 

The capability of an organization to continue delivery of IT and business services at acceptable predefined levels following a disruptive incident.

Source: ISO 22301:2012 Societal security -- Business continuity management systems

Business Continuity Management (BCM) 

Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Source: ISO 22301:2012 - Business continuity management systems — Requirements

Change management 

The controlled identification and implementation of required changes within a business or information systems.

Cryptography 

The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber risk 

Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber security 

Cyber security is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the Entities' information assets against internal and external threats.

Cyber Security event 

Any observable occurrence in an information system or network that (a) has resulted in, or may potentially result in, unauthorized access, processing, corruption, modification, transfer or disclosure of data and/or information, or (b) constitutes a violation of an explicit or implemented organization security policy.

Cyber security governance 

A set of responsibilities and practices exercised by the Board of Directors with the goal of providing strategic direction for cyber security, ensuring that cyber security objectives are achieved, ascertaining that cyber risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Cyber security incident 

An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber security incident management 

The monitoring and detection of security events on an information system and the execution of proper responses to those events.

Cyber security policy 

A set of rules that governs all aspects of security-relevant system and system element behaviour. Note 1: System elements include technology, machine, and human elements. Note 2: Rules can be stated at very high levels (e.g., an organizational policy defines acceptable behaviour of employees in performing their mission/business functions) or at very low levels (e.g., an operating system policy that defines acceptable behaviour of executing processes and use of resources by those processes).

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber security risk assessment 

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. As part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber security risk management 

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Cyber security strategy 

A high-level plan, consisting of projects and initiatives, to mitigate cyber security risks while complying with legal, statutory, contractual, and internally prescribed requirements.

Cyber security threat 

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Disaster Recovery (DR)

Programs, activities and plans designed to restore the organization's critical business functions and services to an acceptable situation, following exposure to cyber and IT incidents or disruption of such services.

Head of Cyber Security

The Head of Cyber Security may refer to the Head of Information Security, the Chief Information Security Officer (CISO) or any other title given to the senior manager accountable for the cyber security function and processes.

Fall-back

Business procedures and measures, undertaken when events have triggered the execution of either a business continuity plan or a contingency plan.

Formally documented

Documentation that is written, approved by the senior leadership and disseminated to relevant parties.

Identity management

The process of controlling information about users on computers, including how they authenticate and what systems they are authorized to access and/or what actions they are authorized to perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources and even applications.

Disaster Recovery Plan

Disaster recovery is the part of BCM that includes policies, standards, procedures and processes pertaining to resilience, recovery or continuation of the technology infrastructure supporting critical business processes.

Major change

Any change to a system's configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon its continued operations.

Source: NISTIR 7298r2 Glossary of Key Information Security Terms

Critical changes are also included in the concept of major changes.

Malware

Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Penetration testing

A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Periodically

With this term, SAMA does not intend to define a default time interval. Each Entity has the responsibility to determine this interval based on its own risk-based approach. The same term adopted in different control requirements could be translated into different time intervals by the MO.

Recovery

A procedure or process to restore or control something that is suspended, damaged, stolen or lost.

Resilience

The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Risk

A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Risk register

A risk register is a table used as a repository for all identified risks, including additional information about each risk, e.g. risk category, risk owner, and mitigation actions taken.

Shielding technique

A process that obfuscates an application's binary code, ostensibly making it harder for hackers to reverse-engineer it.

Strategy

Refer to “Cyber security strategy”.

SIEM

A security information and event management (SIEM) tool is an application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

System Development Lifecycle (SDLC)

A system development lifecycle (SDLC) describes the scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Threat

Refer to “Cyber security threat”.

Threat landscape

A collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends.

Source: ENISA

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: NISTIR 7298r3 Glossary of Key Information Security Terms

Vulnerability management

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Also refer to “Vulnerability”.