المصطلح باللغة العربيةالتعريف باللغة العربيةالمصطلح باللغة الانجليزيةالتعريف باللغة الانجليزيةاسم المرجعتعلق المصطلح
    4-eyes principle  A security principle whereby two individuals must approve an action before it can be taken. This principle is also known as two-man rule or two-person integrity.SWIFT Customer Security Controls Framework v2021Cyber Security
  Administrator  May refer to Application Administrators - responsible for configuring, maintaining, and conducting privileged activities through an application interface System Administrators – responsible for configuring, maintaining, and conducting other privileged activities via operating systems or other direct (non-front-end) accessSWIFT Customer Security Controls Framework v2022Cyber Security
  Application account  Application accounts are defined as log-on designated for an application. They are not meant to be used by a human or GUI access. Application accounts have a password that is stored, retrieved, and used automatically by the application. An application account is typically used for integration purposes (for example, calling of API) or to support STP (Straight-through processing)SWIFT Customer Security Controls Framework v2023Cyber Security
  Asset class  A category of computing asset (for example, databases, servers, applications).SWIFT Customer Security Controls Framework v2024Cyber Security
  Back office  The systems responsible for business logic, transaction generation, and other activities occurring before transmission into the local SWIFT infrastructure.SWIFT Customer Security Controls Framework v2025Cyber Security
  Connector  Connectors are local software designed to facilitate communication with a messaging or communication interface, both to a service provider. When using a connector, interface components are usually offered by a service provider (for example, by a service bureau, hub infrastructure, or SWIFT). Alliance Lite2 AutoClient, Direct Link, MicroGateway, and equivalent products are considered SWIFT connector solutions. File transfer solutions or middleware servers (such as IBM® MQ servers) are considered customer connectors.SWIFT Customer Security Controls Framework v2026Cyber Security
  Customer connector  In the future, an application integrating all functionalities to directly and independently connect to the SWIFT API Gateway to process transactions will also be considered as a customer (homemade API) connector. File transfer solutions or middleware servers (such as IBM® MQ servers) are considered customer connectors as opposed to SWIFT-compatible products (such as communication and messaging interfaces or connectors) delivered by SWIFT or related third-party vendors. In the future, an application integrating all functionalities to directly and independently connect to the SWIFT API Gateway to process transactions will also be considered as a customer (homemade API) connector.SWIFT Customer Security Controls Framework v2027Cyber Security
  CVSS - Common Vulnerability Scoring System  CVSS is an open industry standard for assessing the severity of software vulnerabilities by assigning severity scores to these vulnerabilities, allowing for the prioritization of responses and resources in line with the threat.SWIFT Customer Security Controls Framework v2028Cyber Security
  Communication interface  Communication Interface software provides a link between the SWIFTNet network and Messaging Interface software. Communication interfaces provide centralized, automated, and high-throughput integration with different in-house financial applications and service-specific interfaces. Communication Interfaces are provided by SWIFT (for example, Alliance Gateway or Alliance Gateway Instant). Communication interfaces holding a SWIFT-compatible label can also be provided by third-party vendors.SWIFT Customer Security Controls Framework v2029Cyber Security
  Cybersecurity incident  Any malicious act or suspicious event that compromises, or was an attempt to compromise, a computing environment.SWIFT Customer Security Controls Framework v2030Cyber Security
  Data exchange layer  The transporting of data between the SWIFT-related components (in the local SWIFT infrastructure or at a service provider) and a user back office first hop, at the application level, as seen from the SWIFT-related components.SWIFT Customer Security Controls Framework v2031Cyber Security
  Dedicated operator PC  An operator PC located in the secure zone and dedicated to interacting with components of the secure zone.SWIFT Customer Security Controls Framework v2032Cyber Security
  Endpoint Detection and Response (EDR)  Endpoint detection and response is an emerging technology that addresses the need for continuous monitoring and response to advanced threats by detecting suspicious activities and (traces of) other problems on hosts/endpoints.SWIFT Customer Security Controls Framework v2033Cyber Security
  Endpoint Protection Platform (EPP)  An emerging solution to address attack prevention. More frequently combined with EDR.SWIFT Customer Security Controls Framework v2034Cyber Security
  End User  Individuals requiring interactive access to the application (for example, for business transactions, monitoring, and access control). This includes security officers and application administrators responsible for configuring and maintaining the application.SWIFT Customer Security Controls Framework v2035Cyber Security
  General (enterprise) IT environment  The general IT infrastructure is used to support the broad organization. This includes general IT services and general-purpose operator PCs.SWIFT Customer Security Controls Framework v2036Cyber Security
  General IT services  Supporting IT infrastructure, such as authentication services, asset management, databases, data storage, security services (for example, patching), and networking services (for example, DNS, NTP).SWIFT Customer Security Controls Framework v2037Cyber Security
  General-purpose operator PCs  An operator PC located in the general enterprise environment and used for daily business activitiesSWIFT Customer Security Controls Framework v2038Cyber Security
   Graphical user interface (GUI)  Software that produces the graphical interface for a user (that is, Alliance Web Platform and equivalent products).SWIFT Customer Security Controls Framework v2039Cyber Security
  Hardware token  A USB token, smart card, or similar deviceSWIFT Customer Security Controls Framework v2040Cyber Security
  Interactive log-in/session  The session model indicates an exchange of data (for example, when a user enters data or a command and the system returns data)SWIFT Customer Security Controls Framework v2041Cyber Security
  Indicators of compromise (IOC)  Artifacts that can be observed on a network or operating system that might indicate a system compromiseSWIFT Customer Security Controls Framework v2042Cyber Security
  IT services  A set of components in support of business processes inside the secure zone, such as a release and patching deployment platform, Active Directory.SWIFT Customer Security Controls Framework v2043Cyber Security
  Jump server  A server is used to provide access to the user's secure zone from the user’s corporate network (for example, Citrix or Remote Desktop).SWIFT Customer Security Controls Framework v2044Cyber Security
  Local Authentication (LAU)  Local Authentication, abbreviated as LAU, provides integrity and authentication of files exchanged between applications. Local Authentication requires that the sending and receiving entity use the same key to compute a Local Authentication file signature.SWIFT Customer Security Controls Framework v2045Cyber Security
  Local SWIFT infrastructure  The collection of SWIFT-specific components within the user's production environment, including systems, applications, supporting hardware, tokens, and other authenticators. Also known as the SWIFT Secure Zone.SWIFT Customer Security Controls Framework v2046Cyber Security
  Messaging interface  Messaging Interface software supporting the use of SWIFT messaging services (FIN, InterAct, and FileAct). The software provides the means for users to connect business applications to SWIFT messaging services and is typically connected directly to the communication interface. Messaging interfaces are provided by SWIFT (for example, Alliance Access or Alliance Messaging Hub). Messaging interfaces holding a SWIFTcompatible label can also be provided by third-party vendorsSWIFT Customer Security Controls Framework v2047Cyber Security
  Middleware  Software that enables two separate programs to interact and/or exchange data with each other (for example, IBM® MQ, BizTalk, ConnectDirect). Usually composed of a Server and Clients running on various interconnected systems (Client-Server model). In the case of a peer-to-peer model without a central server, connectivity can be considered as being direct between the systems (so not through middleware)SWIFT Customer Security Controls Framework v2048Cyber Security
  Middleware server  Local middleware systems implementations, such as IBM® MQ server (including MQ queues manager, MQ appliance, or both), are used for data exchange between the SWIFT-related components (in the local SWIFT infrastructure or at a service provider) and a user back office first hop as seen from the SWIFT-related componentsSWIFT Customer Security Controls Framework v2049Cyber Security
  Multi-factor authentication  Multi-factor authentication is a method of user authentication where at least two different components are required to authenticate a user. Following authentication factors can be selected: • Knowledge factor (something the user knows), for example, a PIN or a password • Possession factor (something the user has), for example, an HSM token, a Digipass, mobile phone, or an RSA One Time Password device • Human factor (something the user is), for example, fingerprint or any other biometricSWIFT Customer Security Controls Framework v2050Cyber Security
  Network access control list (ACL)  A network access control list refers to rules that are applied to port numbers or IP addresses for controlling traffic in and out. These lists are available on a network deviceSWIFT Customer Security Controls Framework v2051Cyber Security
  Network devices  Components are used to assist in the management, routing, and security of the network (for example, routers, switches, firewalls).SWIFT Customer Security Controls Framework v2052Cyber Security
  Non-SWIFT footprint  Component deployed in user environment to link with SWIFT messaging services, SWIFT Transaction Platform, or a service provider and that is not a messaging interface, a communication interface, or a connector delivered by SWIFT or a related third-party vendor. File server solutions, middleware/MQ servers, or customer (homemade API) connectors are such nonSWIFT footprints.SWIFT Customer Security Controls Framework v2053Cyber Security
  Operating system (OS) account  User accounts on a server or PC that are used for direct access to the operating system.SWIFT Customer Security Controls Framework v2054Cyber Security
  Operator  Collectively refers to both individual types below: End users – individuals requiring interactive access to the application (for example, for business transactions, monitoring, and access control). This includes security officers and application administrators responsible for configuring and maintaining the application. Operating System Administrators – responsible for configuring, maintaining, and conducting other privileged activities on the operating systems hosting the local SWIFT infrastructure.SWIFT Customer Security Controls Framework v2055Cyber Security
  Operator PC  The PC is used by operators to conduct their duties.SWIFT Customer Security Controls Framework v2056Cyber Security
  PIN  Personal Identification Number - A secret number that acts like a password preventing others from gaining unauthorized access to or using a token, mobile device, or card.SWIFT Customer Security Controls Framework v2057Cyber Security
  Privileged account  An account on an operating system or application that grants elevated access beyond that of a typical user. Includes administrator accounts on operating systems, and security officer or application owner accounts on applicationsSWIFT Customer Security Controls Framework v2058Cyber Security
  Reasonable comfort  A level of comfort that Management can obtain from internal or external subject matter experts (SME) when: - Appropriate level of independence and objectivity of the SME is ensured; - Fair validation by the SME of control design and implementation, confirming mitigation of risks as per the control objective; and - Noted deviations do not materially impact the control’s ability to mitigate the risk, or alternative controls compensate for the noted deviations. External assessments and certifications (such as against SOC or the industry standards identified in Appendix E) that cover CSCF controls, may give Management reasonable comfort about the appropriateness of the controls as well as their operating effectiveness. The scope of and approach used for control evaluation in the context of such external assessments or certifications must be understood before relying, either in part or in full, on them.SWIFT Customer Security Controls Framework v2059Cyber Security
  Relationship Management Application (RMA)  A filter that enables the user to limit the correspondents from which messages can be received as well as the type of messages that can be received. The use of the Relationship Management Application mechanism is mandatory for the FIN service. It is available on an optional basis for SCORE FileAct and Generic FileAct.SWIFT Customer Security Controls Framework v2060Cyber Security
  Remote access  Access to a computer from outside of the local network. For example, from home or from another organization's networkSWIFT Customer Security Controls Framework v2061Cyber Security
  Remote log-in  Log in to a system initiated over a network connection rather than directly from the local PCSWIFT Customer Security Controls Framework v2062Cyber Security
  Secure zone  A segmented zone on user premises separated from the general enterprise. The secure zone contains SWIFT-related systems (for example, messaging interface, and communication interface), and optionally other protected systems.SWIFT Customer Security Controls Framework v2063Cyber Security
  Server Environment  Datacenter or other secured physical location hosting serversSWIFT Customer Security Controls Framework v2064Cyber Security
  Service bureau  A service bureau is a SWIFT user or non-user organization that provides services to connect SWIFT users. The services offered by a service bureau typically include sharing, hosting, or operating SWIFT connectivity components, logging in, or managing sessions or security on behalf of SWIFT users. Service bureaux are subject to the Shared Infrastructure Programme.SWIFT Customer Security Controls Framework v2065Cyber Security
  Service provider  An organization that provides services to SWIFT users regarding the day-to-day operation of their SWIFT connection. The services offered typically include sharing, or operating SWIFT connectivity components, logging on, or managing sessions or security for SWIFT users. Those organizations include shared infrastructure providers (for example, service bureau, shared connectivity providers, SWIFT, and group hub).SWIFT Customer Security Controls Framework v2066Cyber Security
  Single-user or safe mode  Protected mode of operation that limits the privileges of the userSWIFT Customer Security Controls Framework v2067Cyber Security
  SOAP  Simple Object Access ProtocolSWIFT Customer Security Controls Framework v2068Cyber Security
  Software token  Authentication token in logical (software) form.SWIFT Customer Security Controls Framework v2069Cyber Security
  Staff  All personnel (such as employees, agents, consultants, and contractors)SWIFT Customer Security Controls Framework v2070Cyber Security
  SWIFT connector  A connector is provided by SWIFT (for example, SIL/ DirectLink, Alliance Lite2 AutoClient, or MicroGateway). A connector holding a SWIFT-compatible label provided by a related third-party vendor.SWIFT Customer Security Controls Framework v2071Cyber Security
  SWIFT footprint  Messaging interface, communication interface, or connectors products provided by SWIFT or holding a SWIFT-compatible label and provided by a third-party vendor.SWIFT Customer Security Controls Framework v2072Cyber Security
  Thick client  A software program installed and executed on the local operator PC, rather than via a browser interfaceSWIFT Customer Security Controls Framework v2073Cyber Security
  Third-party  An entity independent of the SWIFT user or user's SWIFT connectivity provider. For example, an outsourced or external IT provider or cloud provider. By default, the service bureau and L2BA provider are considered service providers and not third parties, unless the user specifically engages with them to host and/or operate in full or part of the user’s local SWIFT infrastructure (still owned by the user).SWIFT Customer Security Controls Framework v2074Cyber Security
  Transaction Authentication Number (TAN)  A type of single-use password is generally used in conjunction with a standard ID and password. Initially presented in a list (table).SWIFT Customer Security Controls Framework v2075Cyber Security
  (SWIFT) Transaction Platform  Future Platform to be deployed centrally by SWIFT to offer complete transaction management as per the strategy endorsed by the Board in March 2020.SWIFT Customer Security Controls Framework v2076Cyber Security
  Transport Layer Security (TLS)  A cryptographic protocol that ensures confidentiality and integrity on the network and protects against replay attacks.SWIFT Customer Security Controls Framework v2077Cyber Security
  User  An organization that SWIFT has admitted under the Corporate Rules as a duly authorized user of SWIFT services and products. The eligibility criteria to become a SWIFT user are set out in the Corporate Rules.SWIFT Customer Security Controls Framework v2078Cyber Security
  User application accounts  User accounts are established at the applications layer to grant access and permissions to the application (that is, not operating system accounts)SWIFT Customer Security Controls Framework v2079Cyber Security
الإجراءات التصحيحيةالخطوات أو الإجراءات التي تعمل على إزالة النواقص في نظام إدارة استمرارية الأعمال.  Activity  A process, service, procedure, product, task, or combination Of them that is managed by the organization.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
اختبارتقييم جاهزية وصلاحية وملائمة الأدوات والتقنيات والمرافق والبنية التحتية لتنفيذ خطط استمرارية الأعمال.  Audit  An organized, autonomous, and documented form Of activity Of an organization conducted by an independent body in order to comply with the BCM Standardمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
إدارة استمرارية الأعمالجميع الإجراءات والتدابير التي تتخذها الجهات بهدف الاستمرار في تقديم خدماتها الضرورية للمجتمع، أثناء الطوارئ والأزمات والكوارث التي قد تتعرض لها هذه الجهات بشكل جزئي أو كلي، وتشمل تطوير خطط للبدائل من مرافق وخدمات وأفراد لضمان استمرار تقديم خدماتها.  Awareness  Development Of understanding Of primary Business Continuity Management risks and issues. Awareness enables the workforce to identify threats and respond promptly and appropriately. Awareness is created among employees in the organization and it is less formalized as compared to training.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الإدارة العليافرد أو مجموعة من الأفراد على قمة الهرم الوظيفي ويقومون بدور قيادي في إدارة وتوجيه المؤسسة ويتمتعون بالصلاحيات والسلطة.  Business Continuity (BC)  The ability Of the organization to continue its prioritized activities at a predetermined level after the occurrence Of a disruptive incident.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
استراتيجية استمرارية الأعمالنہج منظم يمكن عملية التخطيط من أجل التعافي والاستمرار بعد انقطاع وتعطل الانشطة.  Business Continuity Management (BCM)  A comprehensive management process, which highlights possible threats and the impact of such threats on the business operations of the organization. The identification of threats assists in developing organizational resilience, toward these threats, and an effective and suitable response that will protect the stakeholders' interest, brand name, and reputation.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
استراتيجية التعافينهج منظم يستخدم في إدارة استمرارية الأعمال للتأكد من استمرارية الاستجابة والتعافي بعد حدوث التعطل أو التوقف.  Business Continuity Management Program (BCM Program)  It is a component of the overall organizational management system, which establishes, implements, operates, reviews, monitors, maintains, and improves business continuity capability.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
استمرارية الأعمالقدرة مواصلة المؤسسة أنشطتها الحيوية على مستوى محدد مسبقا في حال تعرض لتعطل.  Business Continuity Plan  Set of procedures in a documented form, which direct the organization to react, and recover, after the interruption.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الأطراف المعنيةفرد أو مجموعة أو مؤسسة قد يتأثرون بانقطاع أو تعطل نشاط أو خدمة بشكل مباشر.   Business Continuity Policy  It is the major document that identifies the governance and scope of the business continuity plan along with BCM objectives and highlights the cause of its implementation.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
أعلى وقت مقبول للانقطاع (MAO)أعلى وقت يمكن للمؤسسة تحمله بعد الانقطاع.  Business Continuity Strategy  The method of an organization to plan in order to recover and continue after a disruptive event.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الأنشطة الحيويةهي العمليات أو الخدمات أو الإجراءات أو المنتجات أو المهام أو مجموعة منها التي تم تحديدها خلال عملية تحليل التأثير على الأعمال.  Business Impact Analysis (BIA)  It is the process of analyzing business activities and the impacts of disruptive incidents that may happen over time.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
أهداف إدارة استمرارية الأعمالالنتائج المرجوة التي تسعى المؤسسة لتحقيقها من خلال نظام إدارة استمرارية الأعمال.  Competence  Capacity to apply skills, resources, and knowledge to accomplish desired goals.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
برنامج إدارة استمرارية الأعمالنظام إداري متكامل لدى المؤسسة يؤسس ويطبق ويشغل ويراجع ويشرف ويحافظ ويطور إمكانية استمرارية الأعمال، ويتم دعمه من قبل الإدارة العليا في المؤسسة.  Continual Improvement  Consistent activities to increase the performance level.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
التحسين المستمرالأنشطة المستمرة التي تساهم في تطوير برنامج إدارة استمرارية الأعمال.  Compliance  The extent to which requirements are fulfilledمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
تحليل التأثير على الأعمالعملية تحليل مهام الأعمال ومعرفة التأثير الذي قد يسببه تعطل الأعمال عليها من حيث التأثير على القيمة والأولويات. فهذا التحليل يوضح البنية التحتية الازمة لدعم أنشطة الأعمال الحرجة والهام الخاصة بالمؤسسة.  Conformity  The extent to which mandatory requirements are fulfilled.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
تدريبهو جهد أو نشاط تنظيمي مخطط يهدف لتسهيل اكتساب الأفراد المهارات المرتبطة بالعمل والحصول على المعارف التي تساعد على تحسين الأداء وأهداف إدارة استمرارية الأعمال.  Corrective Action  Steps or measures that remove discrepancies.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
تدقيقنشاط منظم ومستقل وموثق تجربه وحدة مستلقة في المؤسسة من أجل الامتثال لمتطلبات معيار إدارة استمرارية الأعمال.  Capability  Ability Of capacity to perform a specific activity effectively.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
التدقيق الداخليمراجعة مدى مواءمة النظام المعيار إدارة استمرارية الأعمال ومن ثم وضع اجراءات تصحيحية مما تتيح اتخاذ قرارات فعالة ومناسبة.  Disruption  An incident that disturbs routine operation, process, or function Of the business. These events could be anticipatedمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
التعافيجميع الأعمال والإجراءات التي يتم اتخاذها بعد حدوث تعطل أو توقف، بهدف استعادة الأنشطة الحيوية.  Exercise  Activity in which the business continuity plans are rehearsed in part or in whole to ensure that the plans contain the appropriate information and produce the desired results when put into effect.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
تعطلالحدث الذي قد يؤدي إلى توقف عملية حيوية في المؤسسة.  External and internal issues  External or internal variables that can have an impact on the business continuity capability Of the organization.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
تقييم المخاطرالتطوير الهيكلي وتطبيق ثقافة الإدارة والسياسة والإجراءات والممارسات الخاصة بمهام تحديد المخاطر وتحليلها وتقييمها ورقابتها والاستجابة لها.  Fit-For-Purpose  Fulfilling the requirements of the organization.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
التمرينالنشاط الذي يقيم ويفحص خطط استمرارية الأعمال إما بشكل جزئي أو كلي.  Interested Party  Individuals, groups, or an organization can affect or be affected or considered to be influenced by an activity or decision.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الحد الأدنى المقبول لاستمرارية الأعمال (MBCO)الحد الأدنى من الخدمات أو النشاطات التي يمكن للمؤسسة الاستمرار في تقديمها.  Incident Response Plan  Set of procedures for immediate response after an accident, and it is focused on the safety of personalمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
خطة استمرارية الأعمالمجموعة من الإجراءات المدوّنة التي يتم تطويرها وتجميعها وحفظها لتمكين المؤسسة من مواصلة أنشطتها الحيوية على مستوى مقبول محدد مسبقا في حال توقف الأعمال أو تعطلها.  Internal Audit  A compliance review against BCM standard requirements. Therefore take corrective actions and suitable decisions accordingly.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
خطة الاستجابة الإعلاميةمجموعة من الإجراءات التي من شأنها تمكين المؤسسة من التواصل مع الإعلام والأطراف المعنية بشكل فعال من خلال تنسيق الأدوار والمسؤوليات واستخدام وسائل الإعلام المتاحة لتوصيل المعلومات والإرشادات الازمة للجمهور خلال توقف أو التعطل.  Minimum Business Continuity Objective (MBCO)  Minimal level for product or service, which is considered appropriate for the Organization to accomplish organizational goals after disruptionمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
خطة الاستجابة للحوادثمجموعة من الإجراءات توضح تفاصيل الاستجابة الفورية للحادث وتركز على سلامة الأفراد كأولية أولى.  Media Response plan  Set of procedures that will enable the organization to communicate with media and interested parties throughout roles and responsibilities and use of available media channels to communicate and deliver the necessary information and instruction effectively during a disruption.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
خطرحدث يمكن أن يقع و يسبب تعطل أو توقف للأنشطة.  Maximum Acceptable Outage (MAO)  The time it would take for adverse impacts, which might arise as a result Of not providing a product/service or performing an activity, to become unacceptable.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
زمن التعافي الأمثل(RTO)الوقت المستهدف لإعادة المنتج أو الخدمة أو النشاط بعد وقوع حادث ما. هي الوثيقة الرئيسية التي تحدد الحوكمة والنطاق والأهداف والمسؤوليات المتعلقة  Non-Conformities  Mandatory requirements in the BCM standard are not fulfilled.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
سياسة استمرارية الأعمالبتطبيع استمرارية الأعمال في المؤسسة.  BCM Objectives  The targets or goals that an organization wants to achieve throughout the BCM Program.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
عدم المطابقةعدم استيفاء متطلبات أساسية في معيار إدارة استمرارية الأعمال.  Prioritized Activities  Activities that are critical and must be given priority when recovering from a disruptive incident in order to reduce the impactsمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
عمليةمجموعة من الإجراءات المترابطة التي تحقق منتجات أو خدمات  Process  It is a set of interdependent actions that convert inputs into finished productsمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
العودة إلى الحالة العاديةالإجراء الذي يوضح الرجوع إلى الوضع الطبيعي في المؤسسة، وأنه تمت السيطرة على حالة الطارئ، ولا يستدعي استمرارية تفعيل الخطط.  Resources  Resources include information, skills, people, technology, assets, and premises, which are obtained and used by an organization to achieve its organizational goals and objectives.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
القضايا الخارجية والداخليةالمتغيرات الخارجية أو الداخلية التي يمكن أن يكون لها تأثير على قدرة استمرارية الأعمال في المؤسسة.  Recovery  Retrieval or recapturing of normal or prior state.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الكفاءةالاستخدام الأمثل للموارد المتاحة لتحقيق حجم أو مستوى معين من النتائج بأقل التكاليف وهو من أهم مقاييس نجاح المؤسسات في تحقيق أهداف إدارة استمرارية الأعمال.  Recovery Strategies  A strategy that is used by an organization to make continuing after an incident it's regaining orمعيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
المستوى المقبول المخاطر(Risk Appetite)مستوى الخطر الذي ترى المؤسسة استيعابه ويمكن قبوله.  Risk Appetite  The extent to which an organization can afford and bear the risks and neutralize these risks to eliminate the threats.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
المطابقةمدى الالتزام بالمتطلبات الأساسية.  Recovery Time Objective (RTO)  Time span after the occurrence of an incident in which an activity or product should be restarted or resources and assets should be regained.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
المقدرةامكانية اجراء نشاط معين على نحو فعال.  Risk Assessment  The process in which risks are identified, analyzed, and evaluated.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
ملاءمتها للغرضاستيفاء شروط المؤسسة.  Risk  The impacts of uncertainties on organizational goals.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
مواردالأصول والأفراد والمهارات والمعلومات والتكنولوجيا ( شاملة الأجهزة والمعدات) والمباني والموردون والمعلومات ( سواء كانت إلكترونية أم (لا الواجب توافرها من أجل الاستجابة والتعافي وتلبية أهداف البرنامج.  Stand Down  An official declaration, which communicates that the emergency situation is controlled and no further invocation of plans is required.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الموائمةمدى استيفاء المتطلبات.  Top Management  A group of individuals sits at the top of the organization and plays the role of guiding and controlling the organization.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
نشاطعملية أو خدمة أو إجراء أو منتج أو مهمة أو مجموعة منها تقدمها أو تعمل عليها المؤسسة.  Test  This is an activity or action that is undertaken to gauge the capabilities or effectiveness of a strategy or plan against a predetermined criteria or benchmark.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الوعيتطوير الفهم الأساسي لنظام إدارة استمرارية الأعمال ونشر المعرفة للقوى العاملة لمواجهة التحديات والتهديدات التي قد تؤثر على سير عمل المؤسسة. وتقل فيها الصفة الرسمية مقارنة بالتدريب.  Training  This activity is more formalized as compared to awareness. It purports to build skills and knowledge to increase the performance of staff regarding a specific function.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
الأهداف الذكيةأهداف محددة ذات علاقة ويمكن قياسها وتحقيقها ووضعها ضمن إطار زمني محدد.  SMART Objectives  Specific, Measurable, Achievable, Relevant, and time objectives.معيار أدارة استمرارية الأعمال أدارة استمرارية الأعمال
Activity  process or set of processes undertaken by an organization (or on its behalf) that produces and supports one or more products  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Audit  systematic examination to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable for achieving the organization's policy and objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity  strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management (BCM)  holistic management process that identifies potential threats and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management lifecycle  series of business continuity activities which collectively cover the business continuity management programme  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management personnel  those assigned responsibilities defined in the BCMS, those accountable for BCM policy and its implementation, those who implement and maintain the BCMS, those who use or invoke the business continuity and incident management plans, and those with authority during an incident  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management program  ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance, and review  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management response  element of BCM concerned with the development and implementation of appropriate plans and arrangements to ensure continuity of critical activities, and the management of an incident  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity management system  that part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity plan (BCP)  documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre-defined level  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business continuity strategy  approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incidents or business disruption  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Business impact analysis  process of analyzing business functions and the effect that a business disruption might have on them  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Consequence  outcome of an incident that will have an impact on an organization's objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Cost-benefit analysis  financial technique that measures the cost of implementing a particular solution and compares this with the benefit delivered by that solution  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Critical activities  those activities that have to be performed in order to deliver the key products and services that enable an organization to meet its most important and time-sensitive objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Disruption  the event, whether anticipated (e.g. a labor strike or hurricane) or unanticipated (e.g. a blackout or earthquake), which causes an unplanned, negative deviation from the expected delivery of products or services according to the organization's objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Exercise  activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired result when put into effect  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Gain  positive consequence  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Impact  evaluated consequence of a particular outcome  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Incident  the situation that might be, or could lead to, a business disruption, loss, emergency, or crisis  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Incident Management Plan (IMP)  clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services, and actions needed to implement the incident management process  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Internal audit  audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization's self-declaration of conformity  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Invocation  act of declaring that an organization's business continuity plan needs to be put into effect in order to continue the delivery of key products or services  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Likelihood  chance of something happening, whether defined, measured, or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or mathematical probabilities  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Loss  negative consequence  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Management system  system to establish policy and objectives and to achieve those objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Maximum tolerable period of disruption  duration after which an organization's viability will be irrevocably threatened if product and service delivery cannot be resumed  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Nonconformity  non-fulfillment of a requirement  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Organization  group of people and facilities with an arrangement of responsibilities, authorities, and relationships  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Process  set of interrelated or interacting activities that transform inputs into outputs  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Products and services  beneficial outcomes provided by an organization to its customers, recipients, and stakeholders, e.g. manufactured items, car insurance, regulatory compliance, and community nursing  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Recovery time objective  target time set for resumption of product, service, or activity delivery after an incident  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Resilience  ability of an organization to resist being affected by an incident  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Resources  all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use when needed, in order to operate and meet its objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Risk  something that might happen and its effect(s) on the achievement of objectives  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Risk assessment  overall process of risk identification, analysis, and evaluation  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Risk management  structured development and application of management culture, policy, procedures, and practices to the tasks of identifying, analyzing, evaluating, and controlling related risk  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Stakeholders  those with a vested interest in an organization's achievements  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
System  set of interrelated or interacting elements  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
Top management  person or group of people who direct and control an organization at the highest level  Business Continuity Management Standard and Guide AE/HSC/NCEMA 7000:2012 Version  Business Continuity Management
CIIP Policy  National-level policy developed by NESA, comprised of key initiatives and actions to enhance the preparedness and response to National cyber incidents targeting the security of the nation's CII.  National Cyber Risk Management Framework  Cyber Risk
CIIP Working Group  Cross-sector governance body, chaired by NESA and comprised of NESA, Sector Regulators (Sector leaders or representatives), and other stakeholders, to foster Sector collaboration and support National/cross-sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection.  National Cyber Risk Management Framework  Cyber Risk
Controls  Mechanisms used to mitigate vulnerabilities. Controls can be corrective, detective, or preventative.  National Cyber Risk Management Framework  Cyber Risk
Critical Information Infrastructure  All assets that support the delivery of a critical national service.  National Cyber Risk Management Framework  Cyber Risk
Critical Information Infrastructure Operator  An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure.  National Cyber Risk Management Framework  Cyber Risk
Critical National Service  Vital service, the disruption or destruction of which may have a debilitating impact on the National security, economy, society, or any combination of these.  National Cyber Risk Management Framework  Cyber Risk
Critical Sector  A Sector identified at the National level that provides critical service(s).  National Cyber Risk Management Framework  Cyber Risk
Information Asset  A physical or virtual asset of ICT systems, such as data, systems, facilities, networks, and computers.  National Cyber Risk Management Framework  Cyber Risk
Information Infrastructure  The entirety of information assets, both physical and virtual, that are part of a given infrastructure.  National Cyber Risk Management Framework  Cyber Risk
Information Infrastructure Operator (or Operator)  An entity responsible for the investments in, and/or day-to-day operation of, a particular information infrastructure.  National Cyber Risk Management Framework  Cyber Risk
Information Sharing Capability  A set of policies, systems, processes, and organizational roles needed to share information based on established requirements.  National Cyber Risk Management Framework  Cyber Risk
Root Cause Analysis  A method of solving problems that tries to identify the root cause of the problems. A root cause is a cause that, once removed from the problem fault sequence, prevents the final undesirable event from recurring.  National Cyber Risk Management Framework  Cyber Risk
Regulator  A government body that sets regulations and monitors compliance and behavior of regulated entities in a particular Sector (or market).  National Cyber Risk Management Framework  Cyber Risk
Sector Plan  Detailed plan developed by a Sector Regulator and approved by NESA, outlining the actions, responsible entities, and timelines necessary to address the highest levels of risk identified in the Sector/National Risk Assessments and to guide implementation of related CII Cyber Security and Protection Requirements.  National Cyber Risk Management Framework  Cyber Risk
Sector CIIP Working Group  Sector governance body, co-chaired by NESA and the Sector Regulator (Sector leader or representative) and comprised of NESA, the Sector Regulator, Operators, and other stakeholders, to foster Sector collaboration and support Sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection.  National Cyber Risk Management Framework  Cyber Risk
Threat  Any potential danger that could impact confidentiality, integrity, or availability; a threat can be natural or man-made, internal or external, intentional or accidental.  National Cyber Risk Management Framework  Cyber Risk
Threat Actor  Who or what may violate an asset's security requirements (confidentiality, integrity, availability).  National Cyber Risk Management Framework  Cyber Risk
Threat Motive  The intent of an actor (e.g., deliberate or accidental). Motive applies only to human actors.  National Cyber Risk Management Framework  Cyber Risk
Threat Consequences  The immediate result (disclosure, modification, destruction, loss, interruption) of violating the security.  National Cyber Risk Management Framework  Cyber Risk
Vulnerability  A flaw, loophole, or error that can potentially be exploited to violate a system's security policy.  National Cyber Risk Management Framework  Cyber Risk
CIIP Policy  National-level policy developed by NESA, comprised of key initiatives and actions to enhance the preparedness and response to National cyber incidents targeting the security of the nation's CII.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
CIIP Working Group  Cross-sector governance body, chaired by NESA and comprised of NESA, Sector Regulators (Sector leaders or representatives), and other stakeholders, to foster Sector collaboration and support National/cross-sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Controls  Mechanisms used to mitigate vulnerabilities. Controls can be corrective, detective, or preventive.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Critical Information Infrastructure  All assets that support the delivery of a critical national service.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Critical Information Infrastructure Operator  An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Critical National Service  Vital service, the disruption or destruction of which may have a debilitating impact on the National security, economy, society, or any combination of these.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Critical Sector  A Sector identified at the National level that provides critical service(s).  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Information Asset  A physical or virtual asset of ICT systems, such as data, systems, facilities, networks, and computers.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Information Infrastructure  The entirety of information assets, both physical and virtual, that are part of a given infrastructure.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Information Infrastructure Operator (or Operator)  An entity responsible for the investments in, and/or day-to-day operation of, a particular information infrastructure.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Information Sharing Capability  A set of policies, systems, processes, and organizational roles needed to share information based on established requirements.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Regulator  A government body that sets regulations and monitors compliance and behavior of regulated entities in a particular Sector (or market).  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Sector Plan  Detailed plan developed by a Sector Regulator and approved by NESA, outlining the actions, responsible entities, and timelines necessary to address the highest levels of risk identified in the Sector/National Risk Assessments and to guide implementation of related CII Cyber Security and Protection Requirements.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Sector CIIP Working Group  Sector governance body, co-chaired by NESA and the Sector Regulator (Sector leader or representative) and comprised of NESA, the Sector Regulator, Operators, and other stakeholders, to foster Sector collaboration and support Sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Threat  Any potential danger that could impact confidentiality, integrity, or availability; a threat can be natural or man-made, internal or external, intentional or accidental.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Threat Actor  Who or what may violate the security requirements (confidentiality, integrity, availability) of an asset.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Threat Motive  The intent of an actor (e.g., deliberate or accidental). Motive applies only to human actors.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Threat Consequences  The immediate result (disclosure, modification, destruction, loss, interruption) of violating the security.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Vulnerability  A flaw, loophole, or error that can potentially be exploited to violate a system's security policy.  National Cyber Risk Management Framework Volume Two: Risk Assessment  Cyber Risk
Cloud Computing  The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Confidentiality  The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Control  Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature. Note: Control is also used as a synonym for safeguard or countermeasure.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Entity  An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Information Infrastructure  Physical and virtual information assets that support the carrying-out of a critical function and the delivery of a critical service.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Information Infrastructure Operator  An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Information Infrastructure Protection  The protection of critical information infrastructure, such as the information assets that support the delivery of a critical service.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Sector  A sector identified at the national level that provides critical service(s).  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Critical Service  Vital service, the disruption or destruction of which may have a debilitating impact on the national security, economy, society, or any combination of these.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Cryptographic System  A related set of hardware or software used for cryptographic communication, processing, or storage, and the administrative framework in which it operates.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Cybersecurity  The set of technologies, processes, legislation, practices, and other required capabilities designed to protect the information infrastructure from disruption, breakdown, or misuse.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Cyberspace  Global electronic medium comprised of a network of interdependent information technology infrastructures, telecommunications networks, and computer processing systems.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Demilitarized Zone (or DMZ)  A small network with one or more servers that are kept separate from the core network, either on the outside of the firewall or as a separate network protected by the firewall. Demilitarized zones usually provide public domain information to less trusted networks, such as the Internet.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Entity Context  Refers to the set of entity information assets, practices, and standards that characterize core cyber security capabilities to establish a minimum level of information assurance within a given entity.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Filter  A hardware or software device that controls the flow of data in accordance with a security policy.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Firewall  A network protection device that filters incoming and outgoing network data based on a series of rules.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Gateway  Gateways connect two or more networks from different security domains to allow access to, or transfer of, information according to defined security policies. Some gateways can be automated through a combination of physical or software mechanisms.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Guideline  A description that clarifies what should be done and how to achieve the objectives set out in policies.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Hacktivists  People that perform the act of hacking, or breaking into computer systems, for a politically or socially motivated purpose.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Hardware  A generic term for any physical component of information and communication technology.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Host-based Intrusion Detection System (HIDS or IDS)  A security device, resident on a specific host, which monitors system activities for malicious or unwanted behavior.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
IATFs  Information Assurance Technical Forums are governance bodies that engage key stakeholders (such as industry leaders, experts, relevant entities, and sector regulators) in the development of the UAE IA Regulation.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Implementing Entity  Refers to any entity implementing the UAE IA Regulation, including critical entities mandated to implement it, as well as any other entities implementing it.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Asset  A physical or virtual asset of ICT systems, such as data, systems, facilities, networks, and computers.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Assurance  Practice of protecting information and managing risks related to the use, processing, storage, and transmission of information or data, and the systems and processes used for those purposes.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Security  Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Security Event  An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Security Incident  A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Security Policy  A high-level document that describes how an entity protects its systems. The ISP is normally developed to cover all systems and can exist as a single document or as a set of related documents.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Sharing Capability  A set of policies, systems, and organizational roles needed to share information based on established requirements.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Information Sharing Community  Group of organizations that agree to share information.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Integrity  The property of safeguarding the accuracy and completeness of assets.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Key Management  The use and management of cryptographic keys and associated hardware and software. It includes their generation, registration, distribution, installation, usage, protection, storage, access, recovery, and destruction.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Malicious Code or Malware  Any software that attempts to subvert the confidentiality, integrity, or availability of a system. Types of malicious code include logic bombs, trapdoors, Trojans, viruses, and worms.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Management Controls  The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Media  A generic term for hardware that is used to store information.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Media Disposal  The process of relinquishing control of media when no longer required, in a manner that ensures that no data can be recovered from the media.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
National Context  Refers to the set of national information assets, practices, and standards that characterize core cyber security capabilities to establish a minimum level of information assurance at a national level.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
National Cyber Response Framework  A program designed to increase situational awareness, rapidly identify and analyze incidents, and coordinate responses with national cyber security stakeholders.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Network Device  Any device designed to facilitate the communication of information destined for multiple system users. For example: cryptographic devices, firewalls, routers, switches, and hubs.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Non-Repudiation  Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action, such as creating information, sending a message, approving information, or receiving a message.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Policy  Overall intention and direction as formally expressed by management.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Regulator  A government body that sets and monitors compliance and behavior of regulated entities in a particular sector (or market).  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Remote Access  Access to a system from a location not under the physical control of the system owner.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Removable Media  Storage media that can be easily removed from a system and is designed for removal.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Residual risk  The risk remaining after risk treatment.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk  Combination of the probability of an event and its consequence.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk acceptance  The decision to accept a risk.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk analysis  Systematic use of information to identify sources and to estimate the risk.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk assessment  The overall process of risk analysis and risk evaluation.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk evaluation  Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk management  Coordinated activities to direct and control an organization with regard to risk.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Risk treatment  Process of selection and implementation of measures to modify risk. NOTE: In this International Standard the term 'control' is used as a synonym for 'measure'.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Sector Plan  Detailed plan developed by a sector regulator and approved by NCSA, outlining the actions, responsible entities, and timelines necessary to address the highest levels of risk identified in the Sector/National Risk Assessments and to guide implementation of related CII Cybersecurity and Protection Requirements.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Sector-Specific CIIP Working Group  Sector-specific governance body, chaired by NCSA and comprised of sector regulators, operators, and other stakeholders, to foster sector collaboration and support sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Software Component  An element of a system, including but not limited to a database, operating system, network, or web application.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Statement of applicability  A documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS. NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations, and the organization's business requirements for information security.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Supply Chain  The sequence of processes involved in the production and distribution of a product or a service.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
Technical Controls  The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.  UAE Information Assurance Regulation  Information Assurance (IA) Regulation
  Third-party  That person or body that is recognized as being independent of the parties involved, as concerns the issue in question UAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Threat  A potential cause of an unwanted incident, which may result in harm to a system or organizationUAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Threat Agent  Any person or thing that acts - or has the power to act - to cause, carry, transmit, or support a threat UAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Threat Vector  The method a threat uses to get to the target UAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Trusted information communication entity  Autonomous organization supporting information exchange within an information-sharing community UAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Vulnerability  A weakness of an asset or group of assets that can be exploited by one or more threatsUAE Information Assurance RegulationInformation Assurance (IA) Regulation
  Wireless Communications  The transmission of data over a communications path using electromagnetic waves rather than a wired mediumUAE Information Assurance RegulationInformation Assurance (IA) Regulation
Corrective actions | The steps or actions that remove deficiencies in the business continuity management system. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Test | Assessment of the readiness, validity and suitability of the tools, techniques, facilities and infrastructure for executing business continuity plans. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business continuity management | All the procedures and measures taken by entities in order to continue delivering the services that society requires of them during the emergencies, crises and disasters that may affect these entities partially or wholly. It includes developing plans for alternative facilities, services and personnel to ensure continued delivery of their services. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Top management | A person or group of persons at the top of the organizational hierarchy who play a leadership role in managing and directing the organization and who hold the powers and authority to do so. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business continuity strategy | A structured approach that enables the planning process for recovery and continuation after the interruption and disruption of activities. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Recovery strategy | A structured approach used in business continuity management to ensure the continuity of response and recovery after a disruption or stoppage occurs. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Business continuity | The capability of the organization to continue its vital activities at a predetermined level in the event of a disruption. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Interested parties | An individual, group or organization that may be directly affected by the interruption or disruption of an activity or service. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Maximum Acceptable Outage (MAO) | The maximum time the organization can tolerate after an interruption. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Vital activities | The operations, services, procedures, products, tasks, or any set of these, that were identified during the business impact analysis process. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Business continuity management objectives | The desired outcomes that the organization seeks to achieve through the business continuity management system. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business continuity management programme | An integrated management system within the organization that establishes, implements, operates, reviews, oversees, maintains and improves the business continuity capability, and is supported by the organization's top management. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Continual improvement | The ongoing activities that contribute to developing the business continuity management programme. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business impact analysis | The process of analysing business functions and determining the impact that a business disruption could have on them, in terms of value and priorities. This analysis clarifies the infrastructure required to support the organization's critical business activities and its own functions. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Training | A planned organizational effort or activity that aims to facilitate individuals' acquisition of work-related skills and of the knowledge that helps improve performance and the objectives of business continuity management. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Audit | A systematic, independent and documented activity conducted by an independent unit within the organization for the purpose of compliance with the requirements of the business continuity management standard. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Internal audit | A review of the extent to which the system conforms to the business continuity management standard, followed by the establishment of corrective actions, which enables effective and appropriate decisions to be taken. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Recovery | All actions and procedures taken after a disruption or stoppage occurs, with the aim of restoring vital activities. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Disruption | An event that may lead to the stoppage of a vital process in the organization. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Risk assessment | The structured development and application of management culture, policy, procedures and practices for the tasks of identifying, analysing, evaluating, controlling and responding to risks. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Exercise | An activity that evaluates and tests business continuity plans, either partially or wholly. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Minimum Business Continuity Objective (MBCO) | The minimum level of services or activities that the organization can continue to deliver. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business continuity plan | A set of documented procedures that are developed, compiled and maintained to enable the organization to continue its vital activities at a predetermined acceptable level in the event that business stops or is disrupted. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Media response plan | A set of procedures that enable the organization to communicate effectively with the media and interested parties by coordinating roles and responsibilities and using the available media channels to convey the necessary information and guidance to the public during a stoppage or disruption. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Incident response plan | A set of procedures detailing the immediate response to an incident, with the safety of individuals as the first priority. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Risk | An event that may occur and cause the disruption or stoppage of activities. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Recovery Time Objective (RTO) | The target time for restoring a product, service or activity after an incident occurs. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Business continuity policy | The main document that defines the governance, scope, objectives and responsibilities related to implementing business continuity in the organization. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Non-conformity | Failure to fulfil basic requirements of the business continuity management standard. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Process | A set of interrelated procedures that produce products or services. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Return to normal | The procedure that declares the return to the normal state in the organization, that the emergency situation has been brought under control, and that continued activation of the plans is no longer required. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
External and internal issues | External or internal variables that may have an impact on the organization's business continuity capability. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Efficiency | The optimal use of available resources to achieve a given volume or level of results at the lowest cost; one of the most important measures of an organization's success in achieving business continuity management objectives. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Acceptable level of risk (Risk Appetite) | The level of risk that the organization considers it can absorb and is willing to accept. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Conformity | The extent of adherence to the basic requirements. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Capability | The ability to carry out a particular activity effectively. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Fitness for purpose | Fulfilment of the organization's requirements. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Resources | The assets, people, skills, information, technology (including devices and equipment), premises, suppliers and information (whether electronic or not) that must be available in order to respond, recover and meet the programme's objectives. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Alignment | The extent to which requirements are met. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Activity | A process, service, procedure, product, task, or a set of these, that the organization delivers or works on. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
Awareness | Developing a basic understanding of the business continuity management system and spreading knowledge across the workforce in order to face the challenges and threats that may affect the organization's operations. It is less formal than training. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2002 | Business Continuity Management
SMART objectives | Specific, relevant objectives that can be measured and achieved within a defined time frame. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2001 | Business Continuity Management
Training | A planned organizational effort or activity that aims to facilitate individuals' acquisition of work-related skills and of the knowledge that helps improve performance and the objectives of business continuity management. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Audit | A systematic, independent and documented activity conducted by an independent unit within the organization for the purpose of compliance with the requirements of the business continuity management standard. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Internal audit | A review of the extent to which the system conforms to the business continuity management standard, followed by the establishment of corrective actions, which enables effective and appropriate decisions to be taken. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Recovery | All actions and procedures taken after a disruption or stoppage occurs, with the aim of restoring vital activities. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Disruption | An event that may lead to the stoppage of a vital process in the organization. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Risk assessment | The structured development and application of management culture, policy, procedures and practices for the tasks of identifying, analysing, evaluating, controlling and responding to risks. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Exercise | An activity that evaluates and tests business continuity plans, either partially or wholly. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Minimum Business Continuity Objective (MBCO) | The minimum level of services or activities that the organization can continue to deliver. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Business continuity plan | A set of documented procedures that are developed, compiled and maintained to enable the organization to continue its vital activities at a predetermined acceptable level in the event that business stops or is disrupted. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Media response plan | A set of procedures that enable the organization to communicate effectively with the media and interested parties by coordinating roles and responsibilities and using the available media channels to convey the necessary information and guidance to the public during a stoppage or disruption. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Incident response plan | A set of procedures detailing the immediate response to an incident, with the safety of individuals as the first priority. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Risk | An event that may occur and cause the disruption or stoppage of activities. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Recovery Time Objective (RTO) | The target time for restoring a product, service or activity after an incident occurs. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Business continuity policy | The main document that defines the governance, scope, objectives and responsibilities related to implementing business continuity in the organization. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Non-conformity | Failure to fulfil basic requirements of the business continuity management standard. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Process | A set of interrelated procedures that produce products or services. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Return to normal | The procedure that declares the return to the normal state in the organization, that the emergency situation has been brought under control, and that continued activation of the plans is no longer required. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
External and internal issues | External or internal variables that may have an impact on the organization's business continuity capability. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Efficiency | The optimal use of available resources to achieve a given volume or level of results at the lowest cost; one of the most important measures of an organization's success in achieving business continuity management objectives. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Acceptable level of risk (Risk Appetite) | The level of risk that the organization considers it can absorb and is willing to accept. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Conformity | The extent of adherence to the basic requirements. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Capability | The ability to carry out a particular activity effectively. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Fitness for purpose | Fulfilment of the organization's requirements. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Resources | The assets, people, skills, information, technology (including devices and equipment), premises, suppliers and information (whether electronic or not) that must be available in order to respond, recover and meet the programme's objectives. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Alignment | The extent to which requirements are met. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Activity | A process, service, procedure, product, task, or a set of these, that the organization delivers or works on. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Awareness | Developing a basic understanding of the business continuity management system and spreading knowledge across the workforce in order to face the challenges and threats that may affect the organization's operations. It is less formal than training. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
SMART objectives | Specific, relevant objectives that can be measured and achieved within a defined time frame. | Business Continuity Management Standard, Guidance Manual AE/SCNS/NCEMA 7001:2015 | Business Continuity Management
Cloud Computing | The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer | UAE Information Assurance Regulation | Information Assurance
Confidentiality | The property that information is not made available or disclosed to unauthorized individuals, entities, or processes | UAE Information Assurance Regulation | Information Assurance
Control | Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature. Note: Control is also used as a synonym for safeguard or countermeasure | UAE Information Assurance Regulation | Information Assurance
Critical Entity | An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure | UAE Information Assurance Regulation | Information Assurance
Critical Information Infrastructure | Physical and virtual information assets that support the carrying-out of a critical function and the delivery of a critical service. | UAE Information Assurance Regulation | Information Assurance
Critical Information Infrastructure Operator | An entity responsible for the investments in, and/or day-to-day operation of, a particular critical information infrastructure | UAE Information Assurance Regulation | Information Assurance
Critical Information Infrastructure Protection | The protection of critical information infrastructure, such as information assets, that supports the delivery of a critical service | UAE Information Assurance Regulation | Information Assurance
Critical Sector | A sector identified at the national level that provides critical service(s). | UAE Information Assurance Regulation | Information Assurance
Critical Service | Vital service, the disruption or destruction of which may have a debilitating impact on the national security, economy, society, or any combination of these. | UAE Information Assurance Regulation | Information Assurance
Cryptographic System | A related set of hardware or software used for cryptographic communication, processing, or storage, and the administrative framework in which it operates | UAE Information Assurance Regulation | Information Assurance
Cybersecurity | Cybersecurity is the set of technologies, processes, legislation, practices, and other required capabilities designed to protect the information infrastructure from disruption, breakdown, or misuse. | UAE Information Assurance Regulation | Information Assurance
Cyberspace | Global electronic medium comprised of a network of interdependent information technology infrastructures, telecommunications networks, and computer processing systems | UAE Information Assurance Regulation | Information Assurance
Demilitarized Zone (or DMZ) | A small network with one or more servers that are kept separate from the core network, either on the outside of the firewall or as a separate network protected by the firewall. Demilitarized zones usually provide public domain information to less trusted networks, such as the Internet | UAE Information Assurance Regulation | Information Assurance
Entity Context | Refers to the set of entity information assets, practices, and standards that characterize core cyber security capabilities to establish a minimum level of information assurance within a given entity | UAE Information Assurance Regulation | Information Assurance
Filter | A hardware or software device that controls the flow of data in accordance with a security policy | UAE Information Assurance Regulation | Information Assurance
Firewall | A network protection device that filters incoming and outgoing network data, based on a series of rules | UAE Information Assurance Regulation | Information Assurance
Gateway | Gateways connect two or more networks from different security domains to allow access to or transfer of information according to defined security policies. Some gateways can be automated through a combination of physical or software mechanisms | UAE Information Assurance Regulation | Information Assurance
Guideline | A description that clarifies what should be done and how to achieve the objectives set out in policies | UAE Information Assurance Regulation | Information Assurance
Hacktivists | People that perform the act of hacking, or breaking into computer systems, for a politically or socially motivated purpose | UAE Information Assurance Regulation | Information Assurance
Hardware | A generic term for any physical component of information and communication technology | UAE Information Assurance Regulation | Information Assurance
Host-based Intrusion Detection System (HIDS or IDS) | A security device, resident on a specific host, which monitors system activities for malicious or unwanted behavior | UAE Information Assurance Regulation | Information Assurance
IATFs | Information Assurance Technical Forums are governance bodies that engage key stakeholders (such as industry leaders, experts, relevant entities, and sector regulators) in the development of the UAE IA Regulation. | UAE Information Assurance Regulation | Information Assurance
Implementing Entity | Refers to any entity implementing the UAE IA Regulation, including critical entities mandated to implement it, as well as any other entities implementing it. | UAE Information Assurance Regulation | Information Assurance
Information Asset | A physical or virtual asset of ICT systems such as data, systems, facilities, networks, and computers. | UAE Information Assurance Regulation | Information Assurance
Information Assurance | Practice of protecting information and managing risks related to the use, processing, storage, and transmission of information or data, and the systems and processes used for those purposes. | UAE Information Assurance Regulation | Information Assurance
Information Security | Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved. | UAE Information Assurance Regulation | Information Assurance
Information Security Event | An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. | UAE Information Assurance Regulation | Information Assurance
Information Security Incident | A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security | UAE Information Assurance Regulation | Information Assurance
Information Security Policy | A high-level document that describes how an entity protects its systems. The ISP is normally developed to cover all systems and can exist as a single document or as a set of related documents | UAE Information Assurance Regulation | Information Assurance
Information Sharing Capability | A set of policies, systems, and organizational roles needed to share information based on established requirements | UAE Information Assurance Regulation | Information Assurance
Information Sharing Community | Group of organizations that agree to share information | UAE Information Assurance Regulation | Information Assurance
Integrity | The property of safeguarding the accuracy and completeness of assets | UAE Information Assurance Regulation | Information Assurance
Key Management | The use and management of cryptographic keys and associated hardware and software. It includes their generation, registration, distribution, installation, usage, protection, storage, access, recovery and destruction | UAE Information Assurance Regulation | Information Assurance
Malicious Code or Malware | Any software that attempts to subvert the confidentiality, integrity, or availability of a system. Types of malicious code include logic bombs, trapdoors, Trojans, viruses and worms | UAE Information Assurance Regulation | Information Assurance
Management Controls | The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security | UAE Information Assurance Regulation | Information Assurance
Media | A generic term for hardware that is used to store information | UAE Information Assurance Regulation | Information Assurance
Media Disposal | The process of relinquishing control of media when no longer required, in a manner that ensures that no data can be recovered from the media | UAE Information Assurance Regulation | Information Assurance
National Context | Refers to the set of national information assets, practices, and standards that characterize core cyber security capabilities to establish a minimum level of information assurance at a national level | UAE Information Assurance Regulation | Information Assurance
National Cyber Response Framework | The program is designed to increase situational awareness, rapidly identify and analyze incidents, and coordinate responses with national cyber security stakeholders | UAE Information Assurance Regulation | Information Assurance
Network Device | Any device designed to facilitate the communication of information destined for multiple system users. For example: cryptographic devices, firewalls, routers, switches, and hubs | UAE Information Assurance Regulation | Information Assurance
Non-Repudiation | Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. | UAE Information Assurance Regulation | Information Assurance
Policy | Overall intention and direction as formally expressed by management | UAE Information Assurance Regulation | Information Assurance
Regulator | A government body that sets and monitors compliance and behavior of regulated entities in a particular sector (or market) | UAE Information Assurance Regulation | Information Assurance
Remote Access | Access to a system from a location not under the physical control of the system owner | UAE Information Assurance Regulation | Information Assurance
Removable Media | Storage media that can be easily removed from a system and is designed for removal | UAE Information Assurance Regulation | Information Assurance
Residual risk | The risk remaining after risk treatment | UAE Information Assurance Regulation | Information Assurance
Risk | Combination of the probability of an event and its consequence | UAE Information Assurance Regulation | Information Assurance
Risk acceptance | The decision to accept a risk | UAE Information Assurance Regulation | Information Assurance
Risk analysis | Systematic use of information to identify sources and to estimate the risk | UAE Information Assurance Regulation | Information Assurance
Risk assessment | Overall process of risk analysis and risk evaluation | UAE Information Assurance Regulation | Information Assurance
Risk evaluation | Process of comparing the estimated risk against given risk criteria to determine the significance of the risk | UAE Information Assurance Regulation | Information Assurance
Risk management | Coordinated activities to direct and control an organization with regard to risk | UAE Information Assurance Regulation | Information Assurance
Risk treatment | Process of selection and implementation of measures to modify risk. NOTE: In this International Standard the term ‘control’ is used as a synonym for ‘measure’ | UAE Information Assurance Regulation | Information Assurance
Sector Plan | Detailed plan developed by the sector regulator and approved by NCSA, outlining the actions, responsible entities, and timelines necessary to address the highest levels of risk identified in the Sector/National Risk Assessments and to guide implementation of the related CII Cybersecurity and Protection Requirements. | UAE Information Assurance Regulation | Information Assurance
Sector-Specific CIIP Working Group | Sector-specific governance body, chaired by NCSA and comprised of sector regulators, operators, and other stakeholders, to foster sector collaboration and support sector planning, implementation, and monitoring activities to elevate Critical Information Infrastructure Protection | UAE Information Assurance Regulation | Information Assurance
Software Component | An element of a system, including but not limited to a database, operating system, network, or web application | UAE Information Assurance Regulation | Information Assurance
Statement of applicability | A documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS. NOTE: Control objectives and controls are based on the results and conclusions of the risk assessment and risk treatment processes, legal or regulatory requirements, contractual obligations, and the organization’s business requirements for information security | UAE Information Assurance Regulation | Information Assurance
Supply Chain | The sequence of processes involved in the production and distribution of a product or a service | UAE Information Assurance Regulation | Information Assurance
Technical Controls | The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system | UAE Information Assurance Regulation | Information Assurance
Third-party | That person or body that is recognized as being independent of the parties involved, as concerns the issue in question | UAE Information Assurance Regulation | Information Assurance
Threat | A potential cause of an unwanted incident, which may result in harm to a system or organization | UAE Information Assurance Regulation | Information Assurance
Threat Agent | Any person or thing that acts - or has the power to act - to cause, carry, transmit, or support a threat | UAE Information Assurance Regulation | Information Assurance
Threat Vector | The method a threat uses to get to the target | UAE Information Assurance Regulation | Information Assurance
Trusted information communication entity | Autonomous organization supporting information exchange within an information-sharing community | UAE Information Assurance Regulation | Information Assurance
Vulnerability | A weakness of an asset or group of assets that can be exploited by one or more threats | UAE Information Assurance Regulation | Information Assurance
Wireless Communications | The transmission of data over a communications path using electromagnetic waves rather than a wired medium | UAE Information Assurance Regulation | Information Assurance
  Authority  The Capital Market Authority, including (where the context permits) any committee, sub-committee, employee, or agent to whom any function of the Authority may be delegated.Members Technical RequirementsStock Exchange Risk & Security Division
AES | A privacy transform developed by NIST (National Institute of Standards and Technology), a U.S. Government agency, to replace the aging Data Encryption Standard (DES); it is published as a new Federal Information Processing Standard (FIPS). | Members Technical Requirements | Stock Exchange Risk & Security Division
Back-office supporting applications | Back Office Systems and the Network Management Systems that support the core trading platform in performing trading activities between Tadawul, Members, Data Vendors, and Investors. | Members Technical Requirements | Stock Exchange Risk & Security Division
BC | Business Continuity. | Members Technical Requirements | Stock Exchange Risk & Security Division
BCM | Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts on business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. | Members Technical Requirements | Stock Exchange Risk & Security Division
BCP | Business Continuity Planning is the process of creating systems of prevention and recovery to deal with potential threats. | Members Technical Requirements | Stock Exchange Risk & Security Division
BIA | Business Impact Analysis is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. | Members Technical Requirements | Stock Exchange Risk & Security Division
CERT | Communications Emergency Response Team. The team formed during the occurrence of a critical security incident, responsible for quickly and efficiently resolving the incident. | Members Technical Requirements | Stock Exchange Risk & Security Division
Core trading platform | OMS (Order Management System), FIX Servers (Genium FIX, Equator FIX, and TIP gateway), and web applications that are in place to perform trading activities between Tadawul, its Members, the Data Vendors, and investors. | Members Technical Requirements | Stock Exchange Risk & Security Division
Committee | The Committee for the Resolution of Securities Disputes. | Members Technical Requirements | Stock Exchange Risk & Security Division
DRP | A Disaster Recovery Plan is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. | Members Technical Requirements | Stock Exchange Risk & Security Division
Governing body | A group of top officials that establishes the rules governing the actions and conduct of an organization. | Members Technical Requirements | Stock Exchange Risk & Security Division
IS | Information Security. | Members Technical Requirements | Stock Exchange Risk & Security Division
IVR | Interactive Voice Response. | Members Technical Requirements | Stock Exchange Risk & Security Division
Major Change | Any change that occurs on the trading platform and/or trading infrastructure, including but not limited to the following: services, systems, data, networks, applications, websites, areas, or locations related to trading. | Members Technical Requirements | Stock Exchange Risk & Security Division
Market Information Data Vendor | Market Information Data Vendors are licensed to carry out the service of data dissemination and distribution, where the data vendor re-distributes market data in accordance with the Tadawul Information License Agreement (TILA). | Members Technical Requirements | Stock Exchange Risk & Security Division
Members | Members of the Saudi Stock Exchange (Tadawul) and its subsidiaries. | Members Technical Requirements | Stock Exchange Risk & Security Division
MTPD | Maximum Tolerable Period of Disruption is defined as the time it would take for adverse impacts, which might arise as a result of not providing a system/service or performing an activity, to become unacceptable. | Members Technical Requirements | Stock Exchange Risk & Security Division
NTP | Network Time Protocol is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. | Members Technical Requirements | Stock Exchange Risk & Security Division
OMS | Order Management System is a software system used by the Member to communicate electronically with the Exchange for sending, amending, canceling, or deactivating orders and receiving the responses from the Exchange. | Members Technical Requirements | Stock Exchange Risk & Security Division
PKI | Public Key Infrastructure. The system required to provide public key encryption and digital signature services. | Members Technical Requirements | Stock Exchange Risk & Security Division
RFC | Request for Change. | Members Technical Requirements | Stock Exchange Risk & Security Division
RPO | A Recovery Point Objective is defined by Business Continuity Planning. It is the maximum targeted period in which data might be lost from an IT service due to a major incident. | Members Technical Requirements | Stock Exchange Risk & Security Division
RTO | The Recovery Time Objective is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in Business Continuity. | Members Technical Requirements | Stock Exchange Risk & Security Division
SLA | A Service Level Agreement is a contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. | Members Technical Requirements | Stock Exchange Risk & Security Division
SMS | Short Messaging Service. | Members Technical Requirements | Stock Exchange Risk & Security Division
SSL | Secure Sockets Layer is a standard security protocol for establishing encrypted links between a web server and a browser in online communication. | Members Technical Requirements | Stock Exchange Risk & Security Division
Token-based 2-factor authentication | An authentication technique that uses two factors to authenticate a user to a system or application, thus adding an "extra" layer of security. A token is used to generate a random number at regular intervals that is known only to the holder of the token device. | Members Technical Requirements | Stock Exchange Risk & Security Division
Tadawul | In relation to this document, Tadawul means The Saudi Stock Exchange company and its subsidiaries. | Members Technical Requirements | Stock Exchange Risk & Security Division
Tadawul Subsidiaries | Any company that is a subsidiary, holding, or affiliate that is fully owned by Tadawul. | Members Technical Requirements | Stock Exchange Risk & Security Division
Third-Party | Outsourcing service providers, external service providers, cloud computing suppliers, sellers, suppliers, governmental entities, etc. | Members Technical Requirements | Stock Exchange Risk & Security Division
VOIP | Voice Over Internet Protocol. | Members Technical Requirements | Stock Exchange Risk & Security Division
Regulation | The Implementing Regulation of the Law. | The Implementing Regulation of the Personal Data Protection Law | Data
Direct Marketing | Communicating with the Data Subject by any direct physical or electronic means with the aim of directing marketing material; this includes but is not limited to advertisements or promotions. | The Implementing Regulation of the Personal Data Protection Law | Data
Personal Data Breach | Any incident that leads to the Disclosure, Destruction, or unauthorized access to Personal Data, whether intentional or accidental and by any means, whether automated or manual. | The Implementing Regulation of the Personal Data Protection Law | Data
Vital Interest | Any interest necessary to preserve the life of a Data Subject. | The Implementing Regulation of the Personal Data Protection Law | Data
Actual Interest | Any moral or material interest of the Data Subject that is directly linked to the purpose of Processing Personal Data, where the Processing is necessary to achieve that interest. | The Implementing Regulation of the Personal Data Protection Law | Data
Legitimate Interest | Any necessary interest of the Controller that requires the Processing of Personal Data for a specific purpose, provided it does not adversely affect the rights and interests of the Data Subject. | The Implementing Regulation of the Personal Data Protection Law | Data
Pseudonymization | Conversion of the main identifiers that indicate the identity of the Data Subject into codes that make it difficult to directly identify them without using additional data or information. The pseudonymized data or additional information should be kept separately, and appropriate technical and administrative controls should be implemented to ensure that they are not specifically linked to the Data Subject's identity. | The Implementing Regulation of the Personal Data Protection Law | Data
Anonymization | Removal of direct and indirect identifiers that indicate the identity of the Data Subject in a way that permanently makes it impossible to identify the Data Subject. | The Implementing Regulation of the Personal Data Protection Law | Data
Explicit Consent | Direct and explicit consent given by the Data Subject in any form that clearly indicates the Data Subject's acceptance of the Processing of their Personal Data in a manner that cannot be interpreted otherwise, and which can be proven to have been obtained. | The Implementing Regulation of the Personal Data Protection Law | Data
The Law | The Personal Data Protection Law. | Personal Data Protection Law | Personal Data Protection
The Regulations | The Implementing Regulations of the Law. | Personal Data Protection Law | Personal Data Protection
Competent Authority | The entity designated by a decision of the Council of Ministers. | Personal Data Protection Law | Personal Data Protection
Personal Data | Any data, whatever its source or form, that would lead to the specific identification of an individual, or that makes it possible to identify them directly or indirectly, including name, personal identification number, addresses and contact numbers, license, record, and personal property numbers, bank account and credit card numbers, still or moving images of the individual, and any other data of a personal nature. | Personal Data Protection Law | Personal Data Protection
Processing | Any operation performed on Personal Data by any means, whether manual or automated, including collection, recording, saving, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publication, data sharing or interlinking, blocking, erasure, and destruction. | Personal Data Protection Law | Personal Data Protection
Collection | The Controller's obtaining of Personal Data in accordance with the provisions of the Law, whether directly from the Data Subject, from their representative, from their legal guardian, or from another party. | Personal Data Protection Law | Personal Data Protection
Destruction | Any action taken on Personal Data that makes it impossible to view it, recover it again, or specifically identify its subject. | Personal Data Protection Law | Personal Data Protection
Disclosure | Enabling any person, other than the Controller or the Processor as the case may be, to obtain, use, or view Personal Data by any means and for any purpose. | Personal Data Protection Law | Personal Data Protection
Transfer | Moving Personal Data from one place to another for processing. | Personal Data Protection Law | Personal Data Protection
Publication | Broadcasting any Personal Data through a written, audio, or visual publishing medium, or making it available. | Personal Data Protection Law | Personal Data Protection
Sensitive Data | Any Personal Data relating to an individual's racial or ethnic origin, or religious, intellectual, or political belief, as well as security and criminal data, biometric data that identifies the individual, genetic data, health data, and data indicating that one or both of the individual's parents are unknown. | Personal Data Protection Law | Personal Data Protection
Genetic Data | Any Personal Data relating to the hereditary or acquired characteristics of a natural person that uniquely identifies the physiological or health traits of that person, and that is derived from the analysis of a biological sample of the person, such as nucleic acid (DNA) analysis or the analysis of any other sample that yields genetic data. | Personal Data Protection Law | Personal Data Protection
Health Data | Any Personal Data relating to an individual's health condition, whether physical, mental, or psychological, or relating to their health services. | Personal Data Protection Law | Personal Data Protection
Health Services | Services related to an individual's health, including preventive, curative, and rehabilitative services, hospitalization, and the provision of medicines. | Personal Data Protection Law | Personal Data Protection
Credit Data | Any Personal Data relating to an individual's request for, or receipt of, financing, whether for personal or family purposes, from a financing entity, including any data relating to their ability to obtain credit, their ability to repay it, or their credit history. | Personal Data Protection Law | Personal Data Protection
Data Subject | The individual to whom the Personal Data relates. | Personal Data Protection Law | Personal Data Protection
Public Entity | Any ministry, department, public institution, or public authority, or any independent public entity in the Kingdom, or any of their affiliated bodies. | Personal Data Protection Law | Personal Data Protection
Controller | Any Public Entity, and any natural or private legal person, that determines the purpose and manner of processing Personal Data, whether it carries out the processing itself or through a Processor. | Personal Data Protection Law | Personal Data Protection
Processor | Any Public Entity, and any natural or private legal person, that processes Personal Data for the benefit of and on behalf of the Controller. | Personal Data Protection Law | Personal Data Protection
The Regulation | The Implementing Regulation of the Law. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Direct Marketing | Communicating with the Data Subject by any direct physical or electronic means with the aim of directing marketing material, including but not limited to advertisements or promotional offers. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Personal Data Breach | Any incident that leads to the disclosure or destruction of Personal Data or unauthorized access to it, whether intentional or unintentional, and by any means, whether automated or manual. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Vital Interest | Any interest necessary to preserve the life of the Data Subject. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Actual Interest | Any moral or material interest of the Data Subject that is directly linked to the purpose of processing Personal Data, where the processing is necessary to achieve that interest. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Legitimate Interest | Any necessary need of the Controller whose fulfilment requires the processing of Personal Data for a specific purpose, provided it does not affect the rights and interests of the Data Subject. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Pseudonymization | Converting the main identifiers that indicate the Data Subject's identity into codes that make it impossible to directly identify the Data Subject without using additional data or information, with that additional data or information kept separately and the necessary technical and administrative controls put in place to ensure it is not specifically linked to the Data Subject. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Anonymization | Permanently removing the direct and indirect identifiers that indicate the Data Subject's identity, such that the Data Subject can no longer be identified. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Explicit Consent | Consent given directly and explicitly by the Data Subject in any form, indicating their acceptance of the processing of their Personal Data in a manner that cannot be interpreted otherwise, and that can be proven. | Implementing Regulation of the Personal Data Protection Law | Personal Data
Child | Any person who has not exceeded eighteen years of age. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Legal Capacity | A person's competence to perform legal acts in a manner recognized under Sharia and the law. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Person Lacking Legal Capacity | A person who has no legal capacity, such as a minor without discernment (one who has not completed seven years of age), the insane, the mentally impaired, a person lacking awareness, and the like. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Person with Limited Legal Capacity | A person whose legal capacity is incomplete, such as a minor with discernment (one who has completed seven years of age but not yet eighteen), the heedless, the prodigal, a person with a mental disability, and the like. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Person of Equivalent Status | A person lacking or with limited legal capacity. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Guardian | A parent, or whoever holds guardianship over the child's affairs under the provisions of Sharia or the relevant laws. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Guardianship | Authority established by Sharia for the Guardian that entitles them to act for and manage the child's affairs on their behalf with respect to their body, self, and property, in a way that serves their interests, including taking decisions concerning the processing of their Personal Data. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Personal Data | Any data, whatever its source or form, that would lead to the specific identification of a child or person of equivalent status, or that makes it possible to identify them directly or indirectly when combined with other data, including but not limited to names, personal identification numbers, addresses, contact numbers, bank account and credit card numbers, still or moving images of the user, and any other data of a personal nature. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Sensitive Personal Data | Any Personal Data that refers to the racial or tribal origin of the child or person of equivalent status, or their religious, intellectual, or political belief, or that indicates their membership in associations or civil institutions, as well as criminal and security data, biometric data that identifies the individual, genetic data, credit data, health data, location data, and data indicating that one or both of the individual's parents are unknown. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Data Processing | All operations performed on Personal Data by any means, whether manual or automated, including but not limited to collecting, transferring, saving, storing, sharing, destroying, and analyzing data, extracting patterns from it, drawing inferences from it, and linking it with other data. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Controller | Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that determines the purpose and manner of processing Personal Data, whether the data is processed by it or through a Processor. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Processor | Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that processes Personal Data for the benefit of and on behalf of the Controller. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Privacy Notice | An external statement addressed to individuals that explains the content of the Personal Data, the means of collecting it, the purpose of processing it, how it is used, the entities with which it will be shared, the retention period, and the mechanism for disposing of it. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Privacy Policy | An internal document addressed to the entity's staff that explains the rights of Data Subjects and the obligations that must be complied with to preserve Data Subjects' privacy and protect their rights. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Data Disclosure | Enabling any person, other than the Controller, to obtain, use, or view Personal Data by any means and for any purpose. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Data Leakage | Disclosing Personal Data, obtaining it, or enabling access to it without authorization or legal basis, whether intentionally or unintentionally. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Personal Data Transfer | Sending Personal Data to an entity outside the geographical borders of the Kingdom, by any means, for the purpose of processing it, whether directly or indirectly, for specific purposes based on legal grounds, including transfers for security purposes, for the protection of public health or safety, or in implementation of an agreement to which the Kingdom is a party. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Explicit Consent | Written or electronic consent that is explicit, specific, and given by the free and absolute will of the Data Subject, indicating their acceptance of the processing of their Personal Data. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Implied Consent | Consent that is not granted explicitly by the Data Subject or the person authorized to grant it, but is granted implicitly through the person's actions and the facts and circumstances of the situation. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Direct Marketing | Any communication, by any means, through which marketing or advertising material is directed to a specific person. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Regulatory Entity | Any government entity or independent public legal entity that carries out regulatory or supervisory duties and responsibilities for a specific sector in the Kingdom of Saudi Arabia on the basis of a legal instrument. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
Entity Office | The data office within the entity. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
The Office | The National Data Management Office. | Policy for the Protection of Personal Data of Children and Persons of Equivalent Status | Data Protection
The Ministry | The Ministry of Education. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
The Office | The Data Management Office in the Ministry. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data | A collection of facts in their raw or unorganized form, such as numbers, letters, still images, video, audio recordings, or symbols. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Access | The ability to logically and physically access the Ministry's data and technical resources for the purpose of using them. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Access Level | A level based on the permissions and privileges that restrict access to data and technical resources to authorized persons, according to what is required to carry out the tasks and responsibilities assigned to them. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Authentication | Verifying the identity of any user, process, or device as a basic prerequisite for allowing access to technical resources. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Authorization | Defining the rights and privileges of access to data and technical resources for any user, program, or process, and controlling the levels of access to them. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Availability | Ensuring appropriate and reliable access to data, and its use, when needed. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Confidentiality | Preserving the authorized restrictions on access to data or its disclosure. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Integrity | Protecting data from any modification or destruction not authorized by law. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Protected Data | Data classified as (Top Secret, Secret, Restricted). | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Public Information | Data after processing, not protected, that the Ministry receives, produces, or handles, whatever its source, form, or nature. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Open Data | A specific set of public information, machine-readable, that is available to the public free of charge and without restrictions, and that any individual or public or private entity may use or share. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Sensitive Data | Data whose loss, misuse, unauthorized access, or modification leads to serious harm or a negative impact on national interests, the activities of government entities, or the privacy of individuals and the protection of their rights. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Classification Levels | The following classification levels: (Top Secret), (Secret), (Restricted), (Public). | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Individual | The person submitting a request to view or obtain public information. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Personal Data | Any data, whatever its source or form, that would lead to the specific identification of an individual, or that makes it possible to identify them directly or indirectly when combined with other data, including but not limited to name and personal identification number, addresses and contact numbers, license, record, and personal property numbers, bank account and credit card numbers, still or moving images of the individual, and any other data of a personal nature. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Subject | The natural person to whom the Personal Data relates, or their representative, or their legal guardian. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Personal Data Processing | All operations performed on Personal Data by any means, whether manual or automated, including but not limited to collecting, transferring, saving, storing, sharing, destroying, and analyzing data, extracting patterns from it, drawing inferences from it, and linking it with other data. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Controller | Any entity organizationally linked to the Ministry that determines the purpose and manner of processing Personal Data, whether the data is processed by it or through a Processor. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Processor | Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that processes Personal Data for the benefit of and on behalf of the Controller. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Personal Data Disclosure | Enabling any person, other than the Controller, to obtain, use, or view Personal Data by any means and for any purpose. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Personal Data Transfer | Sending Personal Data to an entity outside the geographical borders of the Kingdom, by any means, for the purpose of processing it, whether directly or indirectly, for specific purposes based on legal grounds, including transfers for security purposes, for the protection of public health or safety, or in implementation of an agreement to which the Kingdom is a party. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Explicit Consent | Written or electronic consent that is explicit, specific, and given by the free and absolute will of the Data Subject, indicating their acceptance of the processing of their Personal Data. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Direct Marketing | Any communication, by any means, through which marketing or advertising material is directed to a specific person. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Direct Transfer | Transferring Personal Data from the sending entity to the receiving entity without the data passing through any other entity. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Indirect Transfer | Transferring Personal Data from the sending entity to the receiving entity via one or more other entities. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Incidental Transfer | Transferring Personal Data on a non-recurring or irregular basis, usually a one-time transfer, to a limited number of persons; for example, transferring data for the purpose of benefiting from a service in another country in the Data Subject's interest. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Adequacy List | A list approved by the National Data Management Office containing the names of countries that provide an adequate level of protection for the rights of Data Subjects with respect to the processing of their Personal Data. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Unprocessed Data | Data that has not undergone advanced processing and is exchanged in its raw form, such as a citizen's basic data as displayed on the national identity card, with the exception of processing imposed by laws, regulations, and policies for the purpose of data sharing, including but not limited to preprocessing before sharing Personal Data, such as Data Masking, Data Scrambling, or Data Anonymization. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Products | Services or applications based on data after processing, aimed at creating added value by merging it with other data, enriching it, preparing it, analyzing it, or representing it, including but not limited to predictive or descriptive insights and analytics, interactive dashboards (platforms), and the like. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Government Data | Data produced by government entities. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Government Services | The basic services provided by government entities, which may be provided through a third party on behalf of the government entity. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Provider | Any individual, government entity, or private entity that supplies data or provides data products for a financial consideration, directly or indirectly. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Beneficiary | Any individual, government entity, or private entity that requests data or benefits from data products for a financial consideration. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Marketing | The activity of exchanging, trading, or supplying raw or processed data in return for a monetary amount or other in-kind value. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Government Entity | Any government entity or independent public entity in the Kingdom, or any of their affiliated bodies; any company that manages, operates, or maintains public utilities or national infrastructure, or that provides a public service related to the management of such utilities or infrastructure, is treated as a government entity. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Private Entity | Any private legal person licensed to operate in the Kingdom, whether local or foreign; a citizen, or an individual officially resident in the Kingdom, who supplies data or provides data products is treated as a private entity. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Non-Profit Entity | Any non-governmental entity licensed to operate in the Kingdom that provides its services and products on a non-profit basis. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Developer | Any natural or legal person that develops artificial intelligence systems by building predictive models using data and algorithms to achieve specific objectives. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
User | Any natural or legal person that applies or uses artificial intelligence systems to achieve specific objectives. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Subject | The individual to whom the Personal Data relates, or their representative, or their legal guardian. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data Sample | The data used to build, train, and test predictive models and artificial intelligence algorithms to reach specific results. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Artificial Intelligence Technologies | A set of predictive models and advanced algorithms that can be used to analyze data and anticipate the future, or to facilitate decision-making about events expected in the future. | Data Governance Policies, Planning and Development Agency, Data Management Office | Data Governance
Data   A collection of facts in a raw or unorganized form such as numbers, characters, images, video, voice recordings, or symbols.   National Data Governance Interim Regulations   Data Governance
National Data   All data, regardless of form, source, or nature, that has been collected and processed within the jurisdiction of the Kingdom and under national sovereignty.   National Data Governance Interim Regulations   Data Governance
Personal Data   Any element of data, regardless of source or form, which independently or when combined with other available information could lead to the identification of a person, including but not limited to first name and last name, Saudi National Identity ID number, addresses, phone number, bank account number, credit card number, health data, and images or videos of the person.   National Data Governance Interim Regulations   Data Governance
Data Access   The ability to view or make use of any data or resources in an information system of an entity.   National Data Governance Interim Regulations   Data Governance
Access Level   A category within a given security classification limiting data access to only authorized persons, based on what is needed to complete their duties.   National Data Governance Interim Regulations   Data Governance
Authentication   Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to data or resources in an information system.   National Data Governance Interim Regulations   Data Governance
Authorization   Access privileges to data or resources in an information system granted to a user, program, or process, or the act of granting those privileges.   National Data Governance Interim Regulations   Data Governance
Data Availability   The state of making data accessible and usable when needed in a timely and reliable manner.   National Data Governance Interim Regulations   Data Governance
Data Confidentiality   The state of keeping data secret by preserving authorized restrictions on data access and disclosure.   National Data Governance Interim Regulations   Data Governance
Data Integrity   The state of ensuring data validity by guarding against improper information modification or destruction.   National Data Governance Interim Regulations   Data Governance
Restricted / Protected Data   Data classified as Confidential, Secret, or Top Secret.   National Data Governance Interim Regulations   Data Governance
Public Information   Raw data or processed data, unprotected, that is received, produced, or held by public entities, regardless of the source, form, or nature.   National Data Governance Interim Regulations   Data Governance
Open Data   Machine-readable datasets made publicly available for free such that any individual, business, or public entity can use or share them; considered a subset of Public Data.   National Data Governance Interim Regulations   Data Governance
Sensitive Data   Data whose loss, misuse, or unauthorized access or modification could adversely affect the national interest, the conduct of government programs, or the privacy to which individuals are entitled.   National Data Governance Interim Regulations   Data Governance
Requestor of Public Information / Applicant   The person applying for access to public information.   National Data Governance Interim Regulations   Data Governance
Data Subject   Any natural person to whom the personal data relates, or their representative, or the person who has legal custody over them.   National Data Governance Interim Regulations   Data Governance
Personal Data Processing   Processing of personal data by any means, whether manual or automated, including collection, transfer, recording, storage, data sharing, destruction, analysis, extraction of patterns, inference, and interconnection.   National Data Governance Interim Regulations   Data Governance
Data Controller   Any entity, or any natural or legal person, that collects Personal Data from a Data Subject and carries out processing of that Personal Data, directly or indirectly through a processor, pursuant to a legal basis.   National Data Governance Interim Regulations   Data Governance
Data Processor   Any independent governmental or public entity, or any natural or legal person, which engages in the Processing of Personal Data on behalf of a Data Controller pursuant to a legal basis.   National Data Governance Interim Regulations   Data Governance
Privacy Notice   A declaration directed towards data subjects that defines what personal data would be collected, the purpose behind processing it, how it would be used, which entities it would be shared with, the duration of its storage, and the means of disposing of it.   National Data Governance Interim Regulations   Data Governance
Personal Data Destruction   Any action that leads to the removal of personal data, rendering it impossible to view or retrieve that Personal Data by any means, whether digital or physical.   National Data Governance Interim Regulations   Data Governance
Data Classification   Grouping data into levels based on the assessment of the impact of unauthorized disclosure of the data or its content.   National Data Governance Interim Regulations   Data Governance
Data Classification Levels   One of the following: "Top Secret," "Secret," "Confidential," "Public."   National Data Governance Interim Regulations   Data Governance
Data Classification Marker   A marker or text assigned to classified data in specific ways to reflect the data classification level and its duration, and to ensure adequate protection.   National Data Governance Interim Regulations   Data Governance
Disclosure of Personal Data   The intentional or unintentional granting of access to Personal Data to any party apart from the Data Controller, Data Processor, or Data Subject, allowing them to use or view it by any means and for any purpose.   National Data Governance Interim Regulations   Data Governance
Personal Data Breach   Disclosure, acquisition, or access to personal data in an unauthorized form or in the absence of a legal basis, whether intentionally or unintentionally.   National Data Governance Interim Regulations   Data Governance
Consent   A knowing, voluntary, clear, and specific expression of consent, whether oral or written, from the Data Subject signifying agreement to the processing of their personal data.   National Data Governance Interim Regulations   Data Governance
Implied Consent   Consent of the Data Subject that is understood from their actions, certain events, or circumstances, e.g. consent to terms and conditions.   National Data Governance Interim Regulations   Data Governance
Third Party   A natural or legal person, public entity, agency, or body other than the Data Subject, Data Controller, Data Processor, or authorized persons, involved in the processing of personal data.   National Data Governance Interim Regulations   Data Governance
Business Data Executive   The person ultimately responsible for specific data being collected and maintained by the affiliated Public Entity; usually a member of senior management. A Public Entity may naturally have multiple Business Data Executives.   National Data Governance Interim Regulations   Data Governance
Business Data Steward   The person responsible for the business and technical deployment of the rules set forth by the Business Data Executive and for ensuring that the rules applied within systems are working; usually a member of the Business, IT, and/or Information Security departments.   National Data Governance Interim Regulations   Data Governance
Open Data and Information Access Officer   The person responsible for the open data agenda and its underlying activities, including planning, execution, and reporting.   National Data Governance Interim Regulations   Data Governance
Data User   Any person given the authority to access the data for reading, using, or updating it based on their responsibilities, as authorized by the Business Data Executive.   National Data Governance Interim Regulations   Data Governance
Metadata   Information that describes data and its characteristics, including business metadata, technical metadata, and operational metadata.   National Data Governance Interim Regulations   Data Governance
Machine-readable   Structured data in a specific format that can be automatically parsed and processed by a computer.   National Data Governance Interim Regulations   Data Governance
National Open Data Portal   The central national portal dedicated to managing, storing, and publishing open datasets across the Kingdom.   National Data Governance Interim Regulations   Data Governance
Open Data License   A legally binding instrument that grants permission to access, re-use, and redistribute open data with few or no restrictions.   National Data Governance Interim Regulations   Data Governance
Open Format   Any widely accepted, non-proprietary, platform-independent, machine-readable method for transmitting data, which permits automated processing of such data and facilitates analysis and search capabilities.   National Data Governance Interim Regulations   Data Governance
Data Requestor   The entity from the public, private, or third sector, or the individual, submitting a request to share data.   National Data Governance Interim Regulations   Data Governance
Data Sharing Request   The dedicated form for requesting data sharing; it includes information about the Requestor, the data requested, and the purpose for which the data is requested.   National Data Governance Interim Regulations   Data Governance
Data Sharing Agreement   A formal agreement signed between the Public Entity and another party to share data according to certain terms and conditions that align with the data sharing principles.   National Data Governance Interim Regulations   Data Governance
Delivery Model for Data Sharing   The mechanism by which data will be shared. It includes the medium for transmitting the data, the parties involved in sharing, and the sharing model (direct sharing, sharing through a service provider, or sharing through multiple parties).   National Data Governance Interim Regulations   Data Governance
Security Controls   Hardware, procedures, policies, and physical and logical safeguards put in place to ensure the integrity and protection of data and of the means of processing, accessing, and transferring it.   National Data Governance Interim Regulations   Data Governance
Public Entity   Any government or affiliated organization that manages, operates, or maintains a public function, operates or maintains any elements of national infrastructure, or provides a public service.   National Data Governance Interim Regulations   Data Governance
Regulatory Authority   Any independent governmental or public entity assuming regulatory duties and responsibilities for a specific sector in the Kingdom of Saudi Arabia under a legal instrument.   National Data Governance Interim Regulations   Data Governance
Entity's Office   The data management and privacy office within the public entity, or the organizational unit responsible for data governance across the private and third sectors.   National Data Governance Interim Regulations   Data Governance
Chief Data and Privacy Officer (CDPO)   The head of the entity's office: an executive within the organization who has the authority and influence to ensure that the data management and privacy program is followed, by providing overall leadership for the required initiatives and activities.   NDMO National Data Governance Interim Regulations   Data Governance
Personal Data   Any data, whatever its source or form, that would lead to identifying an individual specifically, or that makes the individual identifiable directly or indirectly when combined with other data; this includes, but is not limited to, the name, personal identification numbers, addresses, contact numbers, bank account and credit card numbers, still or moving images of the user, and other data of a personal nature.   National Data Governance Policies   Data Management
Data   A collection of facts in raw or unorganized form, such as numbers, letters, still images, video, audio recordings, or symbols.   National Data Governance Policies   Data Management
Data Access   The ability to access, logically and physically, the entity's data and technical resources for the purpose of using them.   National Data Governance Policies   Data Management
Data Access Level   A level, based on permissions and privileges, that restricts access to data and technical resources to authorized persons according to what is required to accomplish the tasks and responsibilities assigned to them.   National Data Governance Policies   Data Management
Authentication   Verifying the identity of any user, process, or device as a basic prerequisite for allowing access to technical resources.   National Data Governance Policies   Data Management
Authorization   Defining the rights and privileges of access to data and technical resources for any user, program, or process, and controlling the levels of access to them.   National Data Governance Policies   Data Management
Data Availability   Ensuring appropriate and reliable access to data, and its use, when needed.   National Data Governance Policies   Data Management
Data Confidentiality   Preserving the authorized restrictions on access to data or its disclosure.   National Data Governance Policies   Data Management
Data Integrity   Protecting data from any modification or destruction that is not legally authorized.   National Data Governance Policies   Data Management
Protected Data   Data classified as (Top Secret, Secret, Restricted).   National Data Governance Policies   Data Management
Public Information   Processed data, unprotected, that public entities receive, produce, or handle, whatever its source, form, or nature.   National Data Governance Policies   Data Management
Open Data   A specific set of public information, machine-readable, that is made available to the public free of charge and without restrictions, and that any individual or public or private entity may use or share.   National Data Governance Policies   Data Management
Sensitive Data   Data whose loss, misuse, unauthorized access, or modification leads to serious harm or a negative impact on national interests, the activities of government entities, or the privacy of individuals and the protection of their rights.   National Data Governance Policies   Data Management
Individual   The person applying to view or obtain public information.   National Data Governance Policies   Data Management
Personal Data Subject   The natural person to whom the personal data relates, their representative, or the person holding legal guardianship over them.   National Data Governance Policies   Data Management
Personal Data Processing   All operations performed on personal data by any means, manual or automated, including but not limited to collecting, transferring, retaining, storing, sharing, destroying, and analyzing the data, extracting its patterns, drawing inferences from it, and linking it with other data.   National Data Governance Policies   Data Management
Controller   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that determines the purpose of processing personal data and the manner of doing so, whether the data is processed by it or through a processor.   National Data Governance Policies   Data Management
Processor   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that processes personal data for the benefit of and on behalf of the controller.   National Data Governance Policies   Data Management
Disclosure of Personal Data   Enabling any person, other than the controller, to obtain, use, or view personal data by any means and for any purpose.   National Data Governance Policies   Data Management
Personal Data Leakage   Disclosing personal data, obtaining it, or enabling access to it without authorization or a legal basis, whether intentionally or unintentionally.   National Data Governance Policies   Data Management
Implied Consent   Consent that is not granted explicitly by the data subject but is granted implicitly through the person's actions and the facts and circumstances of the situation, such as signing contracts or agreeing to terms and conditions.   National Data Governance Policies   Data Management
Third Parties   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, other than the data subject, the controller, the processor, and authorized persons, that is involved in processing personal data.   National Data Governance Policies   Data Management
Business Data Executive   The person responsible for the data collected and retained by the public entity in which they work; usually at a senior management level. A public entity may have more than one Business Data Executive.   National Data Governance Policies   Data Management
Data User   Any person granted the authority to access data for the purpose of viewing, using, or updating it, in accordance with the tasks authorized by the Business Data Executive.   National Data Governance Policies   Data Management
Metadata   Information that describes data and its characteristics, including business, technical, and operational metadata.   National Data Governance Policies   Data Management
Machine-readable Data   Data structured in a specific format that can be read and processed automatically using computers, tablets, and other devices.   National Data Governance Policies   Data Management
National Open Data Platform   A unified national platform at the Kingdom level dedicated to managing, preserving, and publishing open datasets.   National Data Governance Policies   Data Management
Open Data License   A license that governs the use of open data.   National Data Governance Policies   Data Management
Open Format   Any widely accepted format that is non-proprietary, not specific to a particular platform, and machine-readable, that enables automated processing of the data and facilitates analysis and search capabilities.   National Data Governance Policies   Data Management
Applicant   Any entity from the public, private, or third sector, or any individual, that submits a request to share data.   National Data Governance Policies   Data Management
Data Sharing Request   The form designated for requesting data sharing, which includes information about the applicant, the data requested, and the purpose for which data sharing is requested.   National Data Governance Policies   Data Management
Data Sharing Agreement   A formal agreement signed between two parties (a government entity and any other party) to agree to share data in accordance with specific terms and conditions consistent with the data sharing principles.   National Data Governance Policies   Data Management
Data Sharing Mechanism   The method by which data is shared; it includes the medium for transferring the data, the parties involved in the sharing, and the sharing model (direct sharing, sharing through a service provider, or sharing through multiple parties).   National Data Governance Policies   Data Management
Security Controls   The hardware, procedures, policies, and physical safeguards used to ensure the integrity and protection of data and of the means of processing and accessing it.   National Data Governance Policies   Data Management
Public Entity   Any government entity or independent public legal entity in the Kingdom, or any of its affiliates. Any company that manages, operates, or maintains public utilities or national infrastructure, or that provides a public service relating to the management of those utilities or infrastructure, is treated as a public entity.   National Data Governance Policies   Data Management
Regulatory Authority   Any government entity or independent public legal entity that assumes regulatory or supervisory duties and responsibilities for a specific sector in the Kingdom of Saudi Arabia on the basis of a legal instrument.   National Data Governance Policies   Data Management
Entity's Office   The data management and privacy office within the public entity.   National Data Governance Policies   Data Management
The Office   The National Data Management Office.   National Data Governance Policies   Data Management
Child   Any person who has not reached eighteen years of age.   National Data Governance Policies   Data Management
Capacity   A person's competence to perform acts that are valid under Sharia and the law.   National Data Governance Policies   Data Management
Person of Limited Capacity   A person whose capacity is incomplete, such as a discerning minor (one who has completed seven years of age but not yet eighteen), a person of diminished judgment, a prodigal, a person with a mental impairment, and the like; persons treated as such include those who lack capacity or have limited capacity.   National Data Governance Policies   Data Management
Guardian   One of the parents, or whoever holds guardianship over the child's affairs according to the provisions of Sharia or the relevant laws.   National Data Governance Policies   Data Management
Guardianship   An authority established by Sharia for the guardian that gives them the power to act and to manage the child's affairs on the child's behalf with respect to the child's body, person, and property, in a manner that serves the child's interests, including making decisions concerning the processing of the child's personal data.   National Data Governance Policies   Data Management
Sensitive Personal Data   Any personal data that indicates the ethnic or tribal origin of a child (or a person treated as such), their religious, intellectual, or political belief, or their membership in civil associations or institutions, as well as criminal and security data, biometric data that identifies the person, genetic data, credit data, health data, location data, and data indicating that the individual's parents, or one of them, are unknown.   National Data Governance Policies   Data Management
Privacy Notice   An external statement directed at individuals that explains the content of the personal data, the means of collecting it, the purpose of processing it, how it is used, the entities with which it will be shared, the retention period, and the mechanism for disposing of it.   National Data Governance Policies   Data Management
Privacy Policy   An internal document directed at the employees of entities that explains the rights of data subjects and the obligations that must be complied with in order to preserve the privacy of data subjects and protect their rights.   National Data Governance Policies   Data Management
Data Disclosure   Enabling any person, other than the controller, to obtain, use, or view personal data by any means and for any purpose.   National Data Governance Policies   Data Management
Personal Data Transfer   Sending personal data to a party outside the geographical borders of the Kingdom, by any means, for the purpose of processing it, whether directly or indirectly, for specific purposes based on legal grounds, including transfer for security purposes, for the protection of public health or safety, or in implementation of an agreement to which the Kingdom is a party.   National Data Governance Policies   Data Management
Explicit Consent   Written or electronic consent that is explicit and specific, issued by the free and absolute will of the data subject, and that indicates their acceptance of the processing of their personal data.   National Data Governance Policies   Data Management
Direct Marketing   Any communication, by any means, through which marketing or advertising material is directed at a specific person.   National Data Governance Policies   Data Management
Direct Transfer   Transferring personal data from the sending entity to the receiving entity without the data passing through any other entity.   National Data Governance Policies   Data Management
Indirect Transfer   Transferring personal data from the sending entity to the receiving entity through one or more other entities.   National Data Governance Policies   Data Management
Occasional Transfer   Transferring personal data in a non-repetitive or non-regular manner (usually a one-time transfer) to a limited number of persons; for example, transferring data in order to benefit from a service in another country for the benefit of the data subject.   National Data Governance Policies   Data Management
Adequacy List   A list approved by the National Data Management Office containing the names of the countries that have an adequate level of protection for the rights of data subjects with respect to the processing of their personal data.   National Data Governance Policies   Data Management
Controller   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that determines the purpose of processing personal data and the manner of doing so, whether the data is processed by it or through a processor.   National Data Governance Policies   Data Management
Unprocessed Data   Data that has not undergone advanced processing operations and is exchanged in its raw form, such as a citizen's basic data as displayed on the national identity card, except for processing imposed by laws, regulations, and policies for the purpose of data sharing, including but not limited to preprocessing prior to sharing personal data, such as masking.   National Data Governance Policies   Data Management
Data Products   Services or applications based on data after it has been processed with the aim of creating added value, by combining it with other data or enriching, preparing, analyzing, or representing it; these include, but are not limited to, insights, predictive or descriptive analytics, interactive dashboards (platforms), and the like.   National Data Governance Policies   Data Management
Data Monetization   Converting the intangible value of data into real or material value, either directly (by supplying unprocessed data) or indirectly (by providing data products).   National Data Governance Policies   Data Management
Revenue Model   The strategy for managing the entity's revenue streams, the resources required for each revenue stream, and the targeted consumers.   National Data Governance Policies   Data Management
Business Model   The structure that describes how market value can be created by exploiting business opportunities, including key partners, key activities, customer segments, the revenue model, and revenue streams, and that explains the logical links between them and how they work together.   National Data Governance Policies   Data Management
Pricing Model   The mechanism used to determine the in-kind value (price) of data and data products.   National Data Governance Policies   Data Management
Government Data   The data produced by government entities.   National Data Governance Policies   Data Management
Government Services   The basic services provided by government entities, which may be provided through a third party on behalf of the government entity.   National Data Governance Policies   Data Management
Data Provider   Any individual, government entity, or private entity that supplies data or provides data products for direct or indirect financial consideration.   National Data Governance Policies   Data Management
Data Beneficiary   Any individual, government entity, or private entity that requests data or benefits from data products for financial consideration.   National Data Governance Policies   Data Management
Marketing   The activity of exchanging, trading, or supplying raw data or processed data in return for a sum of money or other in-kind value.   National Data Governance Policies   Data Management
Government Entity   Any government entity or independent public entity in the Kingdom, or any of its affiliates. Any company that manages, operates, or maintains public utilities or national infrastructure, or that provides a public service relating to the management of those utilities or infrastructure, is treated as a government entity.   National Data Governance Policies   Data Management
Private Entity   Any private legal person licensed to operate in the Kingdom, whether local or foreign. A citizen, or an individual officially resident in the Kingdom, who supplies data or provides data products is treated as a private entity.   National Data Governance Policies   Data Management
Non-profit Entity   Any non-governmental entity licensed to operate in the Kingdom that provides its services and products on a non-profit basis.   National Data Governance Policies   Data Management
Developer   Any natural or legal person that develops artificial intelligence systems by building predictive models using data and algorithms to achieve specific objectives.   National Data Governance Policies   Data Management
User   Any natural or legal person that applies or uses artificial intelligence systems to achieve specific objectives.   National Data Governance Policies   Data Management
Data Subject   The individual to whom the personal data relates, their representative, or the person holding legal guardianship over them.   National Data Governance Policies   Data Management
Data Sample   The data used to build, train, and test predictive models and artificial intelligence algorithms in order to reach specific results.   National Data Governance Policies   Data Management
Artificial Intelligence Technologies   A set of predictive models and advanced algorithms that can be used to analyze data, forecast the future, or facilitate decision-making about expected future events.   National Data Governance Policies   Data Management
Facial Recognition Technologies   Technologies that enable the analysis of the main facial features (biometrics) to determine the personal identity of individuals in still or moving (visual) images.   National Data Governance Policies   Data Management
Data Management   The process of developing and implementing plans, policies, programs, and practices, and overseeing them, to enable entities to govern data and enhance its value as a valuable and precious asset.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Automated Data Catalog Tool   A tool for managing and governing metadata (Meta Data), automating it, and placing it in a comprehensive national data catalog and index, in order to enable the discovery, description, and organization of datasets and the identification of the entities that created the data (the correct source of the information), so as to extract the targeted added value.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Business Partners   The entities involved in producing, managing, or supervising government data.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Fee Calculation Model   A mechanism that helps collect revenue from data and describes how fees will be calculated according to the nature and type of the data, the data product, its expected uses, the volume of demand, etc.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Data   A collection of facts in raw or unorganized form, such as numbers, letters, still images, video recordings, audio recordings, or symbols.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Data Classification Levels   The classification levels approved by the Board of Directors, namely: "Top Secret", "Secret", "Restricted", "Public".   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Controller   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that determines the purpose of processing personal data and the manner of doing so, whether the data is processed by it or through a processor.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Processor   Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that processes personal data for the benefit of or on behalf of the controller.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Data Products (Processed Data)   Data products are the outputs resulting from transforming data with the aim of creating added value, by collecting more data or enriching, preparing, analyzing, representing, or correcting it, etc.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Applicant   Any entity from the public or private sector, or any individual, that submits a request to share data.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Data Sharing Agreement   A formal agreement signed between two parties (a government entity and any other party) to agree to share data in accordance with specific terms and conditions consistent with the principles of the data sharing policy.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Personal Data Subject   The natural person to whom the personal data relates, their representative, or the person holding legal guardianship over them.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Public Entity Data   Data, before or after processing, that public entities receive, produce, or handle, whatever its source, form, or nature.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Master Data   A set of key data that serves as basic sources (data on individuals, legal entities, real estate, and the like) in its raw or unorganized form, such as numbers, letters, images, video, audio recordings, or symbols.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Personal Data   Any data, whatever its source or form, that would lead to identifying an individual specifically, or that makes the individual identifiable directly or indirectly when combined with other data; this includes, but is not limited to, the name, personal identification numbers, addresses, contact numbers, bank account and credit card numbers, images of the individual, and other data of a personal nature.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
Public Entity   Any government entity or independent public legal person in the Kingdom, or any of its affiliates. Any company that manages, operates, or maintains public utilities or national infrastructure, or that provides a public service relating to the management of those utilities or infrastructure, is treated as a public entity.   National Data Management and Governance and Personal Data Protection Controls and Specifications   Data Management
المعلومات العامةالبيانات بعد المعالجة وتصنيفها "عامة" التي تتلقاها أو تنتجها أو تتعامل معها الجهات العامة مهما كان مصدرها، أو شكلها أو طبيعتها     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
البيانات المرجعيةضوابط متفق عليها لتمثيل عناصر البيانات الأكثر شيوعًا على سبيل المثال لا الحصر، الرموز البريدية، العملات النقدية وأنظمة قياس درجة الحرارة (درجة مئوية أو فهرنهايت)     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
المصدر الموثوقمصدر مرجعي للبيانات تم إثبات موثوقيته من خلال التحقق المسبق من صحته     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
بيانات غير معالجةالبيانات التي لم تخضع للمعالجة أو للتبادل بصورة أولية بأي صيغة كانت     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
مجلس الإدارةإرتباط مكتب إدارة البيانات الوطنية برئيس مجلس إدارة الهيئة السعودية للبيانات والذكاء الاصطناعي     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
المكتبمكتب إدارة البيانات الوطنية     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
لجنة حوكمة البياناتهي لجنة داخلية تشكل بالجهة وهدفها مشاركة اصحاب القرار بأهمية إدارة البيانات وحماية البيانات الشخصية ونشر التوعية بالجهة     ضوابط ومواصفات إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية إدارة البيانات
Application | A software program hosted by an information system. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Asset | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Attacker | Refer to "Threat actor". | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Capability | Resources and skills of a threat actor. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Cyber risk | The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Cybersecurity | Cybersecurity is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the Member Organization's information assets against internal and external threats. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Cyber threat intelligence (CTI) | Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Cybersecurity) Incident | An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Indicator of Compromise (IoC) | Indicators of compromise serve as forensic evidence of potential intrusions on a host system or network. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Intent | The desire of a threat actor to target a particular entity. Threat actors are usually rational actors operating with a clear purpose (e.g. espionage, data theft/exfiltration, extortion, destruction, disruption, supply chain compromise). | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Kill Chain | Adopted from the military, the kill chain was developed by Lockheed Martin to identify and taxonomize the various phases of a cyber-attack (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives). | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Malware | Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
MITRE ATT&CK | An open-source framework developed by MITRE that taxonomizes the tactics, techniques, and procedures used by threat actors when conducting cyber-attacks. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Member Organization | Any regulated entity supervised and regulated by SAMA. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Modus Operandi | A method of procedure, especially referring to a distinct pattern or method of operation that indicates or suggests the work of a single criminal in more than one crime. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Motivation | The type of benefit or harm a threat actor ultimately wants to achieve with its actions. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Network | Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Open Source Intelligence (OSINT) | Relevant information derived from the systematic collection, processing, and analysis of publicly available information in response to known or anticipated intelligence requirements. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Organization | Company, entity, or group of people that works together for a particular purpose. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Origin | Country from which the threat actor launches its attacks. The origin of a threat actor cannot always be determined with sufficient precision because they tend to cover their tracks. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Procedure | Procedures are the specific implementation the threat actor uses for techniques. Source: MITRE ATT&CK | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Process | A set of interrelated or interacting activities which transforms inputs into outputs. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Ransomware | A form of malware designed to deny access to a computer system or data until a ransom is paid. A user of a system infected with ransomware is usually confronted with an extortion message (in many cases a Windows popup) asking the victim to pay a ransom fee to the threat actor (usually in cryptocurrency) in order to regain access to their system and data. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Red team (exercise) | An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization. Source: NIST SP 1800-21B Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Resources | Resources measure the scope, intensity, sustainability, and diversity of the total set of actions that a threat actor can take. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Sector | One of the areas into which the economic activity of a country is divided. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Service | A capability or function provided by an entity. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Skill | The extent to which a threat actor is able to leverage technical means (e.g. create custom malware) and operates with awareness, intelligence, learning potential, problem-solving, decision-making coherence, and operational experience. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Stakeholder | One who is involved in or affected by a course of action. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Strategic threat intelligence | The level of threat intelligence focused on the objectives, motivations, and intents of cyber threat actors. It aims at examining attributions to cyber threat actors, investigating real motivations and links between cyber events, and understanding complex system dynamics and trends. Geopolitical, sectorial and context analysis is a fundamental tool. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Tactic | The threat actor's tactical goal: the reason for performing an action. Source: MITRE ATT&CK | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Target | The choices that actors make in terms of the target(s) of their attacks. A threat actor selects a target based on location, sector, the types of information processed, and the attack surface available. The geopolitical landscape plays a key role in the targeting pattern of nation-state actors. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Taxonomy | A classification of interrelated elements. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Technique | Techniques represent "how" a threat actor achieves a tactical goal by performing an action. Source: MITRE ATT&CK | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Cyber security) Threat | Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Source: NISTIR 7298r3 Glossary of Key Information Security Terms | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Threat actor | "Individuals, groups, organizations, or states that seek to exploit the organization's dependence on cyber resources (i.e., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies)" (NIST 2012) or, more generally, "An individual or a group posing a threat" (NIST 2016). | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Threat landscape | A collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends. Source: ENISA | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Threat intelligence requirement | Threat intelligence requirements guide the intelligence production effort efficiently and establish what intelligence should be produced to meet the security objectives of an Organization. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Threat actor) Type | Grouping of threat actors who share similar characteristics, such as similar intents and motivations, and operate in similar ways. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Unified Kill Chain | An evolution of the kill chain framework detailing the phases of an attack. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
(Attack) Vector | General approach for achieving an impact, taking advantage of the exposure of a type of, or a region in, an attack surface. | Financial Sector Cyber Threat Intelligence Principles | Cyber Security
Access Control | Means to ensure that access to assets is authorized and restricted based on business and security requirements. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Application Architects | Application Architects identify needed changes to the portfolio of applications across the ecosystem. They develop and administer application-specific standards such as user interface design, globalization, Web services, portal application programming interfaces, XML, and content. They provide design recommendations based on the long-term development organization strategy and develop enterprise-level application and custom integration solutions, including major enhancements and interfaces, functions and features. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Asset Management | The systematic process of deploying, operating, maintaining, upgrading, and disposing of assets in a safe, secure and cost-effective manner. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Asset Owner | The term Asset Owner identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, and use of the information assets. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Authorization Matrix | A matrix that defines the rights and permissions a specific role needs for information. The matrix lists each user, the business process tasks he or she performs, and the affected systems. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Audit | Independent review and examination of records and activities to assess the effectiveness of IT governance controls and to ensure compliance with established policies, operational procedures and relevant standard, legal and regulatory requirements. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Authentication | Verifying the identity of a user, process, or device, often as a prerequisite in order to allow access to resources in a system. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Backup | Files, devices, data and procedures available for use in case of a failure or loss, or in case of deletion or suspension of their original copies. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Business Application | Any software or set of computer programs that are used by business users to perform various business functions. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Batch Processing | Batch processing is the processing of transactions in a group or batch with no or minimal human interaction. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Configuration Item (CI) | A component of an infrastructure, or an item associated with an infrastructure (such as a request for change), which is (or is to be) under the control of configuration management. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Change Management | The controlled identification and implementation of required changes within a business or information systems. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Chief Information Officer (CIO) | A senior-level executive referred to as Chief Information Officer (CIO), Chief Technology Officer (CTO) / Head of IT, or relevant stakeholder, who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Classification | Setting the sensitivity level of data and information that results in security controls for each level of classification. Data and information sensitivity levels are set according to predefined categories where data and information is created, modified, improved, stored or transmitted. The classification level is an indication of the value or importance of the data and information to the organization. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Chief Operating Officer (COO) | A senior-level executive responsible for the daily operation of the organization. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Critical IT infrastructures | These are the information assets (i.e., facilities, systems, networks, processes, and the key operators who operate and process them) whose loss or vulnerability to security breaches may result in a significant negative impact on the availability, integration or delivery of basic services, including services whose loss could result in serious loss of property, as well as significant economic and/or social impacts. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Compensating Control | A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in place of a recommended control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Containerization | Unit of software that packages up code and all its dependencies. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Data Masking | A computerized technique of blocking out the display of sensitive information or PII. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Database Administrator | Database administrator, frequently known just by the acronym DBA, is a role usually within the Information Technology department, charged with the creation, maintenance, backups, querying, tuning, user rights assignment and security of an organization's database. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Disaster Recovery | Programs, activities and plans designed to restore the organization's critical business functions and services to an acceptable situation, following exposure to cyber and IT incidents or disruption of such services. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Enterprise Architect | Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the enterprise's objectives. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Feasibility study | A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Formally documented | Documentation that is written, approved by the senior leadership and disseminated to relevant parties. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Freezing period | E.g. salary deposit days, public or national holidays. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Hypervisor | A hypervisor allows one host computer to support multiple guest Virtual Machines (VMs) by virtually sharing its resources, like memory and processing. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Incident | An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Incident Management | The monitoring and detection of events on an information system and the execution of proper responses to those events. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Information Asset | A piece of information, stored in any manner, which is recognized as 'valuable' to the organization. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Interdependencies | The set of interactions in which information assets depend on one another in order to deliver a set of works or tasks. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
IT Change and Release Management | A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
IT facilities | The physical environment where the IT infrastructure is located. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
IT risk | The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
IT Steering committee | An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Key Performance Indicator (KPI) | A KPI is a type of performance measurement that evaluates the success of an organization or of a particular activity in which it engages to achieve particular objectives and goals. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Key Risk Indicator (KRI) | A KRI is a measure used to indicate the probability that an activity or organization will exceed its defined risk appetite. KRIs are used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Likelihood | A weighted factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Member Organization | Organizations affiliated with SAMA. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Need-to-know | The restriction of data that is considered sensitive to those who have a specific need to know it for official business duties. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Off-the-shelf system | Software that already exists and is available from commercial sources. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Outsourcing | Obtaining goods or services by contracting with a supplier or service provider. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Patch | An update to an operating system, application, or other software issued specifically to correct particular problems with the software. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Patch management | The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Recovery | A procedure or process to restore or control something that is suspended, damaged, stolen or lost. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Recovery Point Objective (RPO) | The point in time to which data must be recovered after an outage. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Recovery Time Objective (RTO) | The amount of time allowed for the recovery of a business function or resource after a disaster occurs. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Regression Testing | Testing of a previously tested program following modification to ensure that defects have not been introduced or uncovered in unchanged areas of the software as a result of the changes made. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Residual risks | The remaining risk after management has implemented a risk response. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Retention | The length of time that information, data, event logs or backups must be retained, regardless of the form (i.e., paper and electronic). | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Risk | A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Risk register | A risk register is a table used as a repository for all risks identified and includes additional information about each risk, e.g. risk category, risk owner, and mitigation actions taken. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Risk Tolerance | The acceptable variation in performance relative to the achievement of objectives. Also refer to 'Risk appetite'. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Risk Treatment | A process to modify risk that can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by informed decision. Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction". Risk treatments can create new risks or modify existing risks. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Root-cause analysis | A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
RACI Chart | Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Security Testing | A process intended to ensure that modified or new systems and applications include appropriate security controls and protection, do not introduce any security holes or vulnerabilities that might compromise other systems or applications or allow misuse of the system, application or its information, and maintain functionality as intended. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Security-by-Design | A methodology for systems and software development and network design that seeks to make systems, software and networks free from cybersecurity vulnerabilities/weaknesses and impervious to cyber-attack as much as possible through measures such as | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Segregation of Duties | Key principle that aims at minimizing errors and fraud when processing specific tasks. It is accomplished by requiring several people with different privileges to complete a task. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Service level agreement (SLA) | Defines the specific responsibilities of the service provider and sets the customer's expectations. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Stress Testing | A type of performance testing conducted to evaluate a system or component at or beyond the limits of its anticipated or specified workloads, or with reduced availability of resources such as access to memory or servers. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
System Acquisition | Procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
System Configuration Management | The control of changes to a set of configuration items over a system life cycle. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Third-Party | Any organization acting as a party in a contractual relationship to provide goods or services (this includes suppliers and service providers). | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Threat | Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Unit Testing | A testing technique that is used to test program logic within a particular program or module. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
User Acceptance Testing (UAT) | Taking use cases or procedures for how the system was designed to perform and ensuring that someone who follows the procedure gets the intended result. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
Owner | Individual or group that holds or possesses the rights of, and the responsibilities for, an enterprise, entity or asset. | Information Technology Governance Framework, November 2021, Version 1.0 | Data Governance
agency | Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
assessment | See security control assessment. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
assessor | See security control assessor. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
audit log | A chronological record of system activities, including records of system accesses and operations performed in a given period. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
audit record | An individual entry in an audit log related to an audited event. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
availability | Ensuring timely and reliable access to and use of information. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
advanced persistent threat | An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders' efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
baseline configuration | A documented set of specifications for a system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
bidirectional authentication | Two parties authenticating each other at the same time. Also known as mutual authentication or two-way authentication. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
blacklisting | A process used to identify software programs that are not authorized to execute on a system or prohibited Universal Resource Locators (URL)/websites. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
confidentiality [44 USC 3552] | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
configuration management | A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
configuration settings | The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
controlled area | Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information or system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
controlled unclassified information [EO 13556] | Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
CUI categories [32 CFR 2002] | Those types of information for which laws, regulations, or governmentwide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent has approved and listed in the CUI Registry. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
CUI Executive Agent [32 CFR 2002] | The National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
CUI program [32 CFR 2002] | The executive branch-wide program to standardize CUI handling by all federal agencies. The program includes the rules, organization, and procedures for CUI, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
CUI registry | The online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
cyber-physical systems | Interacting digital, analog, physical, and human components engineered for function through integrated physics and logic. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
dual authorization [CNSSI 4009, Adapted] | The system of storage and handling designed to prohibit individual access to certain resources by requiring the presence and actions of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
executive agency [OMB A-130] | An executive department specified in 5 U.S.C. Sec. 101; a military department specified in 5 U.S.C. Sec. 102; an independent establishment as defined in 5 U.S.C. Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
external system (or component) | A system or component of a system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
external system service | A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
external system service provider | A provider of external system services to an organization through a variety of consumer-producer relationships including, but not limited to, joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
external network | A network not controlled by the organization. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
federal agency | See executive agency. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
federal information system [40 USC 11331] | An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
FIPS-validated cryptography | A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
firmware [CNSSI 4009] | Computer programs and data stored in hardware (typically in read-only memory (ROM) or programmable read-only memory (PROM)) such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
hardware [CNSSI 4009] | The material physical components of a system. See software and firmware. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
identifier | Unique data used to represent a person's identity and associated attributes. A name or a card number are examples of identifiers. A unique label used by a system to indicate a specific entity, object, or group. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
impact | With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
impact value [FIPS 199] | The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information, expressed as a value of low, moderate or high. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
incident [44 USC 3552] | An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information [OMB A-130] | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information flow control | Procedure to ensure that information transfers within a system are not made in violation of the security policy. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information resources [44 USC 3502] | Information and related resources, such as personnel, equipment, funds, and information technology. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information technology [OMB A-130] | Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information security [44 USC 3552] | The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
information system [44 USC 3502] | A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
insider threat | The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
integrity | Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
internal network | A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
network | A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
nonfederal system | A system that does not meet the criteria for a federal system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
least privilege | The principle that a security architecture is designed so that each entity is granted the minimum system authorizations and resources that the entity needs to perform its function. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
local access | Access to an organizational system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
malicious code | Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
media [FIPS 200] | Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
mobile code | Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
mobile device | A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
multifactor authentication | Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). See authenticator. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
mutual authentication [CNSSI 4009] | The process of both entities involved in a transaction verifying each other. See bidirectional authentication. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
nonfederal organization | An entity that owns, operates, or maintains a nonfederal system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
network access | Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
nonlocal maintenance | Maintenance activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
on behalf of (an agency) [32 CFR 2002] | A situation that occurs when | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
organization [FIPS 200, Adapted] | An entity of any size, complexity, or positioning within an organizational structure. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
personnel security [SP 800-53] | The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities requiring trustworthiness. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
portable storage device | A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
potential impact [FIPS 199] | The loss of confidentiality, integrity, or availability could be expected to have | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
privileged account | A system account with authorizations of a privileged user. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
privileged user | A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
records | The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
remote access | Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
remote maintenance | Maintenance activities conducted by individuals communicating through an external network (e.g., the Internet). | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
replay resistance | Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
risk [OMB A-130] | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
risk assessment [SP 800-30] | The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
sanitization | Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security [CNSSI 4009] | A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization's risk management approach. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security assessment | See security control assessment. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security control [OMB A-130] | The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security control assessment [OMB A-130] | The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security domain [CNSSI 4009, Adapted] | A domain that implements a security policy and is administered by a single authority. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
security functions | The hardware, software, or firmware of the system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
split tunneling | The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
system | See information system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
system component [SP 800-128] | A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
system security plan | A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
system service | A capability provided by a system that facilitates information processing, storage, or transmission. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
threat [SP 800-30] | Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
system user | Individual, or (system) process acting on behalf of an individual, authorized to access a system. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
whitelisting | A process used to identify software programs that are authorized to execute on a system or authorized Universal Resource Locators (URL)/websites. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
wireless technology | Technology that permits the transfer of information between separated points without physical connection. Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Cyber Security
  Buyer  The people or organizations that consume a given product or service.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Category  The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include "Asset Management," "Identity Management and Access Control," and "Detection Processes."  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Critical Infrastructure  Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Cybersecurity  The process of protecting information by preventing, detecting, and responding to attacks.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Cybersecurity Event  A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Cybersecurity Incident  A cybersecurity event that has been determined to have an impact on the organization, prompting the need for response and recovery.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Detect (function)  Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Framework  A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the "Cybersecurity Framework."  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Framework Core  A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Framework Implementation Tier  A lens through which to view the characteristics of an organization's approach to risk: how an organization views cybersecurity risk and the processes in place to manage that risk.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Framework Profile  A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Function  One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five Functions are Identify, Protect, Detect, Respond, and Recover.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Identify (function)  Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Informative Reference  A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the "Data-in-transit is protected" Subcategory of the "Data Security" Category in the "Protect" Function.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Mobile Code  A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Protect (function)  Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Privileged User  A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Recover (function)  Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Respond (function)  Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Risk  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Risk Management  The process of identifying, assessing, and responding to risk.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Subcategory  The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated."  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Supplier  Product and service providers used for an organization's internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization's Buyers.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Taxonomy  A scheme of classification.  Framework for Improving Critical Infrastructure Cybersecurity  Cyber Security
  Access Control  Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to cybersecurity policy and is permitted only to authorized entities (users, programs, processes, or other systems) according to that policy.  Operational Technology Cybersecurity Controls  Cyber Security
  Activity Group  A collection of similar intrusions and malicious activity, behaviors or processes, capabilities, and infrastructure.  Operational Technology Cybersecurity Controls  Cyber Security
  Application Whitelisting  The security practice of specifying an index of approved software applications that are permitted to be present and active on the organization's end-user machines and servers. The goal of whitelisting is to protect the organization's end-user machines and servers from potentially harmful applications.  Operational Technology Cybersecurity Controls  Cyber Security
  Availability  Ensuring timely access to and use of information, data, systems, and applications.  Operational Technology Cybersecurity Controls  Cyber Security
  Alternative Controls  The management, operational, and technical controls (e.g., safeguards or countermeasures) employed by an organization in lieu of the recommended controls, which provide equivalent or comparable protection for OT/ICS assets.  Operational Technology Cybersecurity Controls  Cyber Security
  Choke Point  A single point through which all incoming and outgoing network traffic is funneled.  Operational Technology Cybersecurity Controls  Cyber Security
  Communication Plan  A section of an incident response plan that includes communication procedures for both internal and external stakeholders in the event of an incident.  Operational Technology Cybersecurity Controls  Cyber Security
  Confidentiality  Maintaining authorized restrictions on access to and disclosure of information, including means of protecting information.  Operational Technology Cybersecurity Controls  Cyber Security
  Consequence  The result of an incident, usually described in terms of health and safety effects, environmental impacts, loss of property, loss of information (for example, intellectual property), and/or business interruption costs that arise from a particular incident.  Operational Technology Cybersecurity Controls  Cyber Security
  Countermeasure  An action, device, or procedure that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.  Operational Technology Cybersecurity Controls  Cyber Security
  Criticality  A measure of the degree to which an organization depends on the OT/ICS for the success of a mission or of a business function.  Operational Technology Cybersecurity Controls  Cyber Security
  Critical Systems  Any system or network whose failure, unauthorized change to its operation, or unauthorized access to it or to the data it stores or processes may result in a negative impact on the availability of the organization's business and services, or cause negative economic, financial, security, or social impacts at the national level.  Operational Technology Cybersecurity Controls  Cyber Security
  Defense in Depth  Provision of multiple cybersecurity protections, especially in layers, with the intent to delay, if not prevent, an attack.  Operational Technology Cybersecurity Controls  Cyber Security
  Demilitarized Zone  A perimeter network segment that is logically between internal and external networks and isolated from both by firewalls.  Operational Technology Cybersecurity Controls  Cyber Security
  Factory Acceptance Test  A test of the OT/ICS equipment, conducted at the vendor facility where the equipment was constructed, after completion of assembly and configuration, performed to validate compliance with the functional specifications and proper operation of the equipment in a location where problems can be more easily identified and remediated.  Operational Technology Cybersecurity Controls  Cyber Security
  Impact  A measure of the ultimate loss or harm associated with a consequence.  Operational Technology Cybersecurity Controls  Cyber Security
  Industrial Control System  A collective term used to describe different types of control systems and associated instrumentation, which includes the devices, systems, networks, and controls used to operate and/or automate industrial processes.  Operational Technology Cybersecurity Controls  Cyber Security
  Industrial Internet of Things  The extension and use of the Internet of Things (IoT) in industrial sectors and applications.  Operational Technology Cybersecurity Controls  Cyber Security
  Information Technology  The technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data; generally considered the business and administrative systems within an organization.  Operational Technology Cybersecurity Controls  Cyber Security
  Integrity  Protection against unauthorized modification or destruction of information, including ensuring non-repudiation and authenticity; the quality of a system reflecting the logical correctness and reliability of the operating system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data.  Operational Technology Cybersecurity Controls  Cyber Security
  Jump Host  A single remote access point through which all ingress network traffic must pass between a higher-level zone and a lower-level zone.  Operational Technology Cybersecurity Controls  Cyber Security
  Network Segmentation  The act or practice of splitting a computer network into subnetworks, each being a network segment.  Operational Technology Cybersecurity Controls  Cyber Security
  Network Segregation  The process of developing and enforcing a ruleset for controlling the communications between specific hosts and services.  Operational Technology Cybersecurity Controls  Cyber Security
  Operational Technology  The system of components, including network devices, computers, servers, cybersecurity devices, infrastructure equipment, and applications, that support operations, maintenance, monitoring, and cybersecurity of the OT/ICS environment.  Operational Technology Cybersecurity Controls  Cyber Security
  Process Hazard Analysis  A set of organized and systematic assessments of the potential hazards associated with an industrial process, addressing known hazards of the process, previous incidents, engineering and administrative controls in place, consequences of the failure of those engineering and administrative controls, facility siting, human factors, and a qualitative evaluation of health, safety, and environmental (HSE) effects.  Operational Technology Cybersecurity Controls  Cyber Security
  RACI Matrix  Responsible, Accountable, Consulted, Informed matrix: a matrix that maps each player in a process, capability, or function to the degree of involvement and responsibility undertaken in the process.  Operational Technology Cybersecurity Controls  Cyber Security
  Role-Based Access Control  A method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to them.  Operational Technology Cybersecurity Controls  Cyber Security
  Secure by Design  A methodology for system and software development and network design that seeks to make systems, software, and networks free from cybersecurity vulnerabilities/weaknesses and impervious to cyber-attack as much as possible, through measures such as continuous testing, authentication safeguards, and adherence to best programming and design practices.  Operational Technology Cybersecurity Controls  Cyber Security
  Site Acceptance Test  A test of the OT/ICS equipment conducted on-site at the organization's facility after completion of the installation and configuration of the equipment, performed to validate compliance with the functional specifications and proper operation of the equipment in conjunction with other components that could not be tested in the factory acceptance test (FAT), such as instrumentation and associated process equipment furnished and installed by others.  Operational Technology Cybersecurity Controls  Cyber Security
  Source Code Review  A process, conducted manually or automatically, to identify security-related weaknesses (flaws) in a set of commands and instructions written in a programming language.  Operational Technology Cybersecurity Controls  Cyber Security
  Tabletop Exercise  A simulated exercise designed to test the detection and response capabilities of an organization's operational environment. The organization's response teams work through a realistic OT/ICS cybersecurity event scenario in a discussion-based format. The goal of the exercise is to improve the organization's incident response plan (IRP), business continuity plan (BCP), and disaster recovery plan (DRP), as well as to provide facilitated training to its response teams.  Operational Technology Cybersecurity Controls  Cyber Security
  Tactics, Techniques, and Procedures  The behavior of a cyber-adversary. A tactic is the highest-level description of the behavior and represents the "why" of a technique (e.g., achieve credential access). Techniques represent "how" an adversary achieves a tactical goal by performing an action (e.g., dump credentials to achieve credential access). Procedures are the specific implementations the adversary uses for techniques (e.g., using PowerShell to inject into lsass.exe to dump credentials).  Operational Technology Cybersecurity Controls  Cyber Security
  User Behavior Analytics  Tracking, collecting, and analyzing user data, and identifying patterns of user activity, in order to detect harmful or unusual behaviors.  Operational Technology Cybersecurity Controls  Cyber Security
  Zone  A grouping of logical or physical assets that share common cybersecurity requirements.  Operational Technology Cybersecurity Controls  Cyber Security
خوارزمية غير متماثلةخوارزمية تشفير تستخدم مفتاح تشفير واحدًا للتشفير ومفتاحًا آخر لفك التشفير. يُطلق على المفتاحين اسم المفاتيح الخاصة والعامة.  Asymmetric Algorithm  A cryptographic algorithm that uses one cryptographic key for encryption, and another key for decryption. The two keys are called private and public keys.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
المصادقةالتحقق من هوية المستخدم أو العملية أو الجهاز، غالبًا ما يكون ذلك شرطًا أساسيًا للسماح بالوصول إلى الموارد في النظام.  Authentication  Verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in a system.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
أصالةخاصية الأصالة والقدرة على التحقق منها والوثوق بها.  Authenticity  The property of being genuine and being able to be verified and trusted.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
خوارزمية التشفير الكتليطريقة تشفير رئيسية متماثلة تقوم بتقسيم البيانات إلى مجموعات أو كتل، ثم تقوم بتشفير كل منها على حدة.  Block Cipher Algorithm  A symmetric key cipher method that segments data into groups or blocks, then encrypts each one separately.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
شهادةمجموعة من البيانات التي تحدد بشكل فريد المفتاح العام للكيان والمعلومات الأخرى الموقعة رقميًا من قبل هيئة التصديق (أي طرف موثوق به)، وبالتالي ربط المفتاح العام بالمالك.  Certificate  A set of data that uniquely identifies an entity's public key and other information that is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
قائمة الشهادات الباطلة (CRL)قائمة الشهادات الملغاة الصادرة عن جهة التصديق.  Certificate Revocation List (CRL)  A list Of revoked certificates issued by a Certification Authority.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
المرجع المصدق (CA)جهة موثوقة مسؤولة عن إصدار وإلغاء شهادات المفتاح العام.  Certification Authority (CA)  A trusted entity that is responsible for issuing and revoking public key certificates.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
الاصطدامينتج عن اثنين أو أكثر من المدخلات المميزة نفس المخرجات.  Collision  Two or more distinct inputs produce the same output.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
سريةخاصية منع إتاحة المعلومات أو الكشف عنها لأفراد أو كيانات أو عمليات غير مصرح لها.  Confidentiality  A property of preventing information from being available or disclosed to unauthorized individuals, entities or processes.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
التشفير البدائيخوارزمية تشفير منخفضة المستوى تستخدم ككتلة بناء أساسية لخوارزميات التشفير ذات المستوى الأعلى.  Cryptographic Primitive  A low-level cryptographic algorithm used as a basic building block for higher-level cryptographic algorithms.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
التشفيرمبادئ ووسائل وأساليب تطبيق خوارزميات تحويل البيانات للأغراض الأمنية بما في ذلك النزاهة والسرية والمصادقة والأصالة وعدم الإنكار.  Cryptography  Principles, means and methods ofapplying data transformation algorithms for security purposes including integrity, confidentiality, authentication, authenticity and non-repudiation.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
الأمن الإلكترونيالأمن السيبراني هو حماية الشبكات وأنظمة تكنولوجيا المعلومات وأنظمة التقنيات التشغيلية ومكوناتها من أجهزة وبرمجيات وخدماتها والبيانات التي تحتويها، من أي اختراق أو تعطيل أو تعديل أو وصول أو استخدام أو استغلال غير مصرح به. يشمل مفهوم الأمن السيبراني أيضًا أمن المعلومات والأمن الرقمي وما إلى ذلك  Cybersecurity  Cybersecurity is the protection of networks, IT systems, operational technologies systems and their components of hardware and software, their services and the data they contain, from any penetration, disruption, unauthorized modification, access, use or exploitation. The concept of cybersecurity also includes information security and digital security, etcNational Cryptographic Standards (NCS – 1 : 2020)Cyber Security
تشفير المنحنى الإهليلجي (ECC)طرق تشفير المفتاح العام التي تستخدم العمليات في مجموعة منحنى إهليلجي  Elliptic Curve Cryptography (ECC)  Public-key cryptographic methods that use operations in an elliptic curve groupNational Cryptographic Standards (NCS – 1 : 2020)Cyber Security
توزيع المفاتيح انظر النقل الرئيسي.  Key Distribution   See Key Transport. National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
تبادل المفاتيح عملية تبادل المفاتيح العامة لإنشاء اتصالات آمنة.  Key Exchange   The process of exchanging public keys to establish secure communications.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
تدمير المفتاحإزالة جميع آثار مواد المفاتيح بحيث لا يمكن استعادتها بالوسائل المادية أو الإلكترونية.  Key Destruction  Removing all traces of keying material so that it cannot be recovered by either physical or electronic means.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
التشفيرعملية تحويل النص العادي إلى نص مشفر باستخدام التشفير  Encryption  The process of transforming plaintext into ciphertext using a cryptographicNational Cryptographic Standards (NCS – 1 : 2020)Cyber Security
دالة تجزئةدالة تقوم بتعيين سلسلة بتات إدخال ذات طول عشوائي إلى سلسلة بتات إخراج ذات طول ثابت. غالبًا ما يكون هذا الإخراج لا رجعة فيه ويعمل بمثابة تمثيل مكثف للمدخلات.  Hash Function  A function that maps an input bit string of arbitrary length to a fixedlength output bit string. This output is often irreversible and serves as a condensed representation of the input.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
MAC القائم على التجزئة (HMAC)رمز مصادقة الرسالة الذي يستخدم وظيفة تجزئة المفاتيح المعتمدة.  Hash-based MAC (HMAC)  A message authentication code that uses an approved keyed-hash function.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
التشفير الهجينأحد تطبيقات التشفير الذي يجمع بين اثنين أو أكثر من خوارزميات التشفير، وخاصة مزيج من التشفير المتماثل وغير المتماثل.  Hybrid encryption  An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
ناقل التهيئةناقل عام معروف يستخدم كمدخل لتهيئة خوارزمية تشفير لزيادة الأمان ودعم المزامنة.  Initialization Vector  A known public vector used as an input to initialize an encryption algorithm to increase security and support synchronization.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
نزاهةخاصية لا يتم بموجبها تغيير البيانات بطريقة غير مصرح بها منذ إنشائها ونقلها  Integrity  A property whereby data has not been altered in an unauthorized manner since it was created, transmittedNational Cryptographic Standards (NCS – 1 : 2020)Cyber Security
قيمة التحقق من النزاهةالمجموع الاختباري قادر على اكتشاف تعديل نظام المعلومات.  Integrity Check Value  Checksum capable of detecting modification of an information system.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
بروتوكولات كيربيروسنظام مصادقة تم تطويره لتمكين طرفين من تبادل المعلومات الخاصة عبر شبكة عامة.  Kerberos Protocols  An authentication system developed to enable two parties to exchange private information across a public network.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
الاتفاقية الرئيسيةإجراء إنشاء المفتاح حيث تكون مادة المفتاح الناتجة عبارة عن وظيفة من المعلومات التي يساهم بها اثنان أو أكثر من المشاركين، بحيث لا يستطيع أي طرف أن يحدد مسبقًا قيمة مادة المفتاح بشكل مستقل عن مساهمة أي طرف آخر.  Key Agreement  A key-establishment procedure where resultant keying material is a function of information contributed by two or more participants, so that no party can predetermine the value ofthe keying material independently of any other party's contribution.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
أرشيف المفاتيحوظيفة في دورة حياة مادة القفل؛ مستودع للتخزين طويل المدى لمواد القفل.  Key Archive  A function in the lifecycle of keying material; a repository for the longterm storage of keying material.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
جيل المفتاح عملية توليد المفاتيح للتشفير.  Key Generation   The process of generating keys for cryptography.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
إدارة دورة الحياة الرئيسية (KLM)الأنشطة التي تنطوي على التعامل مع مفاتيح التشفير وغيرها من معلمات الأمان ذات الصلة (على سبيل المثال، متجهات التهيئة) خلال دورة حياة المفاتيح بأكملها، بما في ذلك توليدها وتخزينها وإنشاءها وإدخالها وإخراجها واستخدامها وتدميرها.  Key Lifecycle Management (KLM)  The activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
الإدارة (كلم)معلمات الأمان ذات الصلة (مثل "متجهات التهيئة") خلال دورة حياة المفاتيح بأكملها، بما في ذلك توليدها وتخزينها وإنشاءها وإدخالها وإخراجها واستخدامها وتدميرها.  Management (KLM)  related security parameters (e.g„ initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.National Cryptographic Standards (NCS – 1 : 2020)Cyber Security
Key Registration / Certification  A function in the lifecycle of keying material; the process of officially recording the keying material by a registration authority.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Key Revocation  A function in the lifecycle of keying material; a process whereby a notice is made available to the affected entities that the keying material should be removed from operational use before the end of the established cryptoperiod of that keying material.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Key Transport  A key-establishment procedure whereby one entity generates the key and distributes it to another entity; unlike key agreement, the sending entity alone determines the key's value.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Key Wrap  A method of encrypting keys (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Lightweight Crypto  A sub-category of cryptography that aims to provide security solutions for resource-constrained devices.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Message Authentication Code (MAC)  A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection; because the verifier holds the same key as the sender, a MAC by itself does not provide non-repudiation.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
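To make the MAC entry concrete, here is an added example (written for this glossary, not from the NCS standard) using HMAC-SHA256 from the Python standard library. It tags a constructed payment record, verifies the tag in constant time, shows that a one-field change or a different key is rejected, and shows why the next entry, Nonrepudiation, needs a digital signature instead: the receiver, holding the same key, can mint a valid tag for a record the sender never produced. The key and record values are constructed sample data.

```python
"""HMAC-SHA256 message authentication: tagging, constant-time verification,
tamper detection, and the non-repudiation caveat.

Added example for the MAC glossary entry; not part of the NCS standard.
The key and the payment records are constructed sample data.
"""
import hashlib
import hmac

# Constructed 256-bit shared key (sample data). Real keys come from
# secrets.token_bytes(32) and are distributed by key transport/agreement.
SAMPLE_KEY = bytes.fromhex(
    "1f2e3d4c5b6a79880011223344556677"
    "8899aabbccddeeff0f1e2d3c4b5a6978")


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Tag = HMAC-SHA256(key, message)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; never compare tags with ==."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def mac_over_fields(key: bytes, fields) -> bytes:
    """Authenticate a structured record unambiguously: every field is
    length-prefixed before tagging, so [b"ab", b"c"] and [b"a", b"bc"]
    produce different tags (plain concatenation would not)."""
    encoded = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return compute_mac(key, encoded)


def verify_fields(key: bytes, fields, tag: bytes) -> bool:
    return hmac.compare_digest(mac_over_fields(key, fields), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (simulated tampering)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def demo() -> dict:
    """Run the checks on the constructed record; every value should be True."""
    record = [b"from=ACC-1001", b"to=ACC-2002", b"amount=100.00"]
    tag = mac_over_fields(SAMPLE_KEY, record)
    tampered = [b"from=ACC-1001", b"to=ACC-2002", b"amount=900.00"]
    wrong_key = flip_bit(SAMPLE_KEY, 0)
    # The receiver has the key too, so it can tag a record the sender never
    # sent: a MAC proves "someone holding the key", not "the sender".
    forged = [b"from=ACC-1001", b"to=ACC-9999", b"amount=5000.00"]
    return {
        "genuine_accepted": verify_fields(SAMPLE_KEY, record, tag),
        "tampered_rejected": not verify_fields(SAMPLE_KEY, tampered, tag),
        "wrong_key_rejected": not verify_fields(wrong_key, record, tag),
        "receiver_can_forge": verify_fields(
            SAMPLE_KEY, forged, mac_over_fields(SAMPLE_KEY, forged)),
        "concatenation_ambiguity_avoided":
            mac_over_fields(SAMPLE_KEY, [b"ab", b"c"])
            != mac_over_fields(SAMPLE_KEY, [b"a", b"bc"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The length-prefix encoding in `mac_over_fields` is the detail worth copying: tagging `b"".join(fields)` directly lets an attacker move bytes between fields without changing the tag.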
Nonrepudiation  A service, based on a digital signature, that supports a determination of whether a message was actually signed by a given entity.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Private Key  In an asymmetric algorithm, the private key is used for digital signing and for decrypting data, and it must remain secret.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Public Key  In an asymmetric algorithm, the public key is used for verifying digital signatures and for encrypting data, and it may be publicly known.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Public Key Infrastructure (PKI)  A framework established to issue, maintain and revoke public key certificates.  National Cryptographic Standards (NCS – 1 : 2020)  Cyber Security
Advanced Persistent Threat (APT) Protection  Protection against advanced threats that use stealthy techniques to gain unauthorized access to systems and networks and to remain there as long as possible by circumventing detection and protection tools. Zero-day malware and other malicious code are typically used in such campaigns.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Asset  Anything tangible or intangible that has value to the organization. There are many types of assets, some of them obvious, such as persons, machinery, utilities, patents, software and services. The term can also include less obvious things, such as information and characteristics (e.g., the organization's reputation and public image, as well as skills and knowledge).  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Attack  Any kind of malicious activity that attempts to achieve unauthorized access to, collection of, disabling, prevention, destruction or sabotage of information system resources or of the information itself.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Audit  Independent review and examination of records and activities to assess the effectiveness of cybersecurity controls and to ensure compliance with established policies, operational procedures and relevant standards, and with legal and regulatory requirements.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Authentication  Verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in a system.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Authorization  The function of defining and verifying access rights and privileges to the organization's information and technical assets; it relates to security in general and to access control in particular.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Availability  Ensuring timely and reliable access to, and use of, information, data, systems and applications.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Backup  Files, devices, data and procedures kept available for use in case of failure or loss, or in case the original copies are deleted or suspended.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Bring Your Own Device (BYOD)  The organization's policy that allows employees to bring their personal devices (laptops, tablets and smartphones) onto the organization's premises and to use those devices to access the organization's access-restricted networks, information, applications and systems.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Change Management  A service management discipline that ensures a systematic and proactive approach to changes (e.g., changes to infrastructure and networks), using effective standard methods and procedures. Change management helps all stakeholders, individuals and teams alike, move from their current state to the next desired state, and also helps reduce the impact of change-related incidents on the service.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Critical National Infrastructure (CNI)  The assets (i.e., facilities, systems, networks, processes, and the key operators who run and process them) whose loss or exposure to security breaches may result in: (a) a significant negative impact on the availability, integrity or delivery of essential services, including services whose disruption could cause serious loss of property and/or lives and/or injuries, taking into account significant economic and/or social impacts; or (b) a significant impact on national security and/or national defense and/or the state's economy or national capabilities.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Closed-Circuit Television (CCTV)  Closed-circuit television, also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, onto a limited set of monitors. The term is usually applied to cameras used for surveillance in areas that need monitoring because physical security is required.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cloud Computing  A model for enabling on-demand network access to a shared pool of configurable IT capabilities and resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal operational management effort or service provider interaction. It allows users to access technology-based services from the cloud without knowledge of, expertise in, or control over the technology infrastructure that supports them. The cloud computing model has five essential characteristics: on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity and measured service. There are three service delivery models: Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS). Based on how the enterprise accesses the cloud, there are four deployment models: private cloud, community cloud, public cloud and hybrid cloud.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Compromise  Disclosure of information to, or acquisition of information by, unauthorized persons who are not permitted to receive or obtain it, or a violation of the organization's cybersecurity policy through the disclosure, alteration, sabotage or loss of anything, whether intentional or unintentional. The term "compromise" means the unauthorized disclosure, acquisition, leakage, alteration or use of sensitive data (including cryptographic keys and other critical security parameters).  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Confidential Data/Information  Organizational information (or data) that is considered highly critical and sensitive under the organization's data classification, and that the organization has prepared for use by itself or by other specific organizations. One way to determine the classification of such information is to assess the impact of unauthorized disclosure, access, loss or damage. Impacts can be financial or reputational for the organization or its customers, can affect the lives of the people the disclosed information relates to, or can harm national security, the economy or national capabilities. Confidential data/information includes all information whose unauthorized disclosure, loss or damage would have legal consequences.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Confidentiality  Maintaining authorized restrictions on access to and disclosure of information, including means of protecting privacy and personal information.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cryptography  The principles, methods and means of storing and transmitting data or information in a particular form in order to conceal its semantic content, prevent unauthorized use, or prevent undetected modification, so that only the intended persons can read and process it.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cyber Attack  The intentional exploitation of computer systems, networks, and organizations whose work depends on digital ICT, in order to cause damage.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cyber Risks  The risks to organizational operations (including vision, mission, functions, image or reputation), organizational assets, individuals, other organizations, or the nation due to the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cybersecurity  According to Royal Decree number 6801, dated 11/2/1439H, cybersecurity is the protection of networks, IT systems, operational technology systems and their hardware and software components, their services and the data they contain, from any penetration, disruption, modification, access, use or unauthorized exploitation. The concept of cybersecurity also includes information security and digital security.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cybersecurity Resilience  The overall ability of an organization to withstand cyber events and, where harm is caused, to recover from them.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Cyberspace  The interconnected network of IT infrastructure, including the Internet, communications networks, computer systems and Internet-connected devices, together with the associated hardware and control devices. The term can also refer to a virtual world or domain as an abstract concept.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Data and Information Classification  Setting the sensitivity level of data and information, which results in security controls for each classification level. Sensitivity levels are assigned according to predefined categories wherever data and information are created, modified, enhanced, stored or transmitted. The classification level indicates the value or importance of the organization's data and information.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Data Archiving  The process of moving data that is no longer actively used to a separate storage device for long-term retention. Archived data consists of older data that is still important to the organization and may be needed for future reference, as well as data that must be retained for legal and regulatory compliance.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Disaster Recovery  Programs, activities and plans designed to restore the organization's critical business functions and services to an acceptable state following a cyber attack or other disruption of those services.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Domain Name System (DNS)  A technical system that uses a database distributed over the network and/or the Internet to translate domain names into IP addresses, and vice versa, in order to locate service addresses such as web and email servers.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Effectiveness  The degree to which a planned impact is achieved. Planned activities are considered effective if they have actually been implemented, and planned results are considered effective if they have actually been achieved. KPIs can be used to measure and evaluate the level of effectiveness.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Efficiency  The relationship between the results achieved (outputs) and the resources used (inputs). The efficiency of a process or system can be improved by achieving more results with the same resources (inputs) or with fewer.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Event  Something that happens in a specific place (such as a network system or an application) at a specific time.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Hypertext Transfer Protocol Secure (HTTPS)  A protocol that uses encryption to secure web pages and data while they are transmitted over the network. It is the secure version of the Hypertext Transfer Protocol (HTTP).  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Identification  The means of establishing the identity of a user, process or device, typically as a prerequisite for granting access to resources in a system. Strictly, identification is the claim of an identity; authentication is the verification of that claim.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Incident  A compromise resulting from a violation of cybersecurity policies, acceptable use policies, practices, or cybersecurity controls or requirements.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Integrity  Protection against unauthorized modification or destruction of information, including ensuring the non-repudiation and authenticity of information.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
(Inter)National Requirements  National requirements are those developed by a regulatory organization or body in Saudi Arabia for regulatory use (e.g., the NCA's Essential Cybersecurity Controls, ECC-1:2018). International requirements are those developed by a global organization for worldwide regulatory or best-practice use (e.g., the SWIFT Customer Security Controls Framework, PCI DSS).  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Intrusion Prevention System (IPS)  A system with intrusion detection capabilities and, in addition, the ability to prevent and stop suspicious or potential incidents.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Key Performance Indicator (KPI)  A type of performance measurement that evaluates the success of an organization, or of a particular activity it engages in, in achieving particular objectives and goals.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Labeling  The display of information (using specific, standardized naming and coding) placed on the organization's assets (such as devices, applications and documents) to indicate their classification, ownership, type and other asset management information.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Least Privilege  A basic principle of cybersecurity: users are granted only the access privileges they need to carry out their official responsibilities, and no more.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Malware  A program that infects systems, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or of otherwise annoying or disrupting the victim.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Multi-factor Authentication (MFA)  A security mechanism that verifies a user's identity by requiring several separate and independent elements of identity verification, typically drawn from different categories: something the user knows (e.g., a password), something the user has (e.g., a hardware token or registered device) and something the user is (e.g., a biometric).  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
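The "something you have" factor in the MFA entry is most often a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example for this glossary, not code from the ECC document, implemented with the Python standard library. It generates codes, accepts a small clock-drift window, and refuses a code whose time step has already been consumed, which is the check that stops a captured code from being replayed within its 30-second validity. The secret is the published RFC 4226/6238 test secret so the results can be compared against the RFC vectors; the drift window size and the replay bookkeeping are design choices of this example.

```python
"""HOTP/TOTP one-time codes (RFC 4226 / RFC 6238) as a possession factor,
with a clock-drift window and replay protection.

Added example for the MFA glossary entry; not from the ECC document.
RFC_TEST_SECRET is the RFC 4226/6238 test vector secret, used so the
outputs can be checked against the published values.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps share secrets as unpadded base32; restore padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None
                ) -> Tuple[bool, Optional[int]]:
    """Accept codes within +/- window steps to tolerate clock drift.
    Any counter at or below last_used_counter is refused, so a code that was
    already accepted (or intercepted) cannot be replayed inside the window.
    Returns (accepted, counter_to_persist_as_last_used)."""
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        c = base + delta
        if last_used_counter is not None and c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode()):
            return True, c
    return False, None


if __name__ == "__main__":
    import time
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
```

Persist the returned counter per user after every successful login; without that state the drift window silently becomes a replay window.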
Multi-tier Architecture  An architecture or structure that applies a client-server approach, in which the functional process logic, data access, data storage and user interface are developed and maintained as separate units on separate platforms.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Need-to-know and Need-to-use  The restriction of data that is considered sensitive to persons who have a specific need to know or use it for their official business duties.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Offline/Offsite Backup  A backup of databases, settings, systems, applications and devices that is kept offline and cannot be reached or modified over the network, which also keeps it beyond the reach of ransomware. Typically, backup tapes are used for offsite backup.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Online Backup  A method of storage in which the backup is taken regularly onto a remote server over a network, either within the organization's network or hosted by a service provider.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Organization Staff  Individuals who work for the organization, including employees, temporary employees and contractors.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Outsourcing  Obtaining goods or services by contracting with a supplier or service provider.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Patch  A supporting data package used to upgrade, fix or improve computer operating systems, software or applications. This includes fixing security vulnerabilities and other bugs (such patches are usually called fixes or bug fixes) and improving system usability or performance.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Penetration Testing  The practice of testing a computer system, network, web application or mobile application to find vulnerabilities that an attacker could exploit.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Phishing Emails  Attempts to obtain sensitive information such as usernames, passwords or credit card details, often for malicious purposes, by impersonating a trustworthy organization in email messages.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Physical Security  Security measures designed to prevent unauthorized access to the organization's facilities, equipment and resources, and to protect individuals and property from damage or harm (such as espionage, theft or terrorist attacks). Physical security involves multiple layers of interconnected systems, including CCTV, security guards, security perimeters, locks, access control systems and many other technologies.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Policy  A document whose statements define a general commitment, direction or intention of an organization, as formally expressed by its authorizing official. A cybersecurity policy is a document whose statements express management's formal commitment to implementing and improving the organization's cybersecurity program; it includes the organization's cybersecurity objectives, controls and requirements, and the mechanisms for improving and developing them.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Privacy  Freedom from unauthorized interference with, or disclosure of, personal information about an individual.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Privileged Access Management  The process of managing high-risk privileges on systems that require special handling to minimize the risk arising from misuse of those rights.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Procedure  A document with a detailed description of the steps necessary to perform specific operations or activities in compliance with the relevant standards and policies. Procedures can be a subset of processes.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
Process  A set of interrelated or interacting activities that transform inputs into outputs. Such activities are governed by the policies of the organization.  Essential Cybersecurity Controls (ECC – 1 : 2018)  Cyber Security
استعادة إجراء أو عملية لاستعادة أو التحكم في شيء تم تعليقه أو تلفه أو سرقته أو فقده.  Recovery   A procedure or process to restore or control something that is suspended, damaged, stolen or lost.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
حفظطول الوقت تلك المعلومات. يجب الاحتفاظ بالبيانات أو سجلات الأحداث أو النسخ الاحتياطية، بغض النظر عن النموذج (أي الورقي والإلكتروني).  Retention  The length oftime that information. data, event logs or backups must be retained, regardless Of the form (i.e., paper and electronic).Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
معايير الترميز الآمنممارسة لتطوير برامج وتطبيقات الكمبيوتر بطريقة تحمي من التعرض لثغرات الأمن السيبراني المتعلقة بالبرامج والتطبيقات.  Secure Coding Standards  A practice for the development of computer software and applications in a way that protects against the exposure to cybersecurity vulnerabilities related to software and applications.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
التكوين الآمن والتصلبحماية وتقوية وتكوين إعدادات أجهزة الكمبيوتر والأنظمة والتطبيقات وأجهزة الشبكات وأجهزة الأمان لمقاومة الهجمات الإلكترونية. مثل إيقاف أو تغيير حسابات المصنع والافتراضية، وإيقاف الخدمات غير المستخدمة ومنافذ الشبكة غير المستخدمة.  Secure Configuration and Hardening  Protecting, hardening and configuring the settings Of computers, systems, applications, network devices and security devices for resisting cyber-attacks. such as: stopping or changing factory and default accounts, stopping Of unused services and unused network ports.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
المعلومات الأمنية وإدارة الأحداث (SIEM)نظام يقوم بإدارة وتحليل سجلات الأحداث الأمنية في الوقت الفعلي من أجل توفير مراقبة التهديدات وتحليل نتائج القواعد المترابطة لسجلات الأحداث والتقارير المتعلقة ببيانات السجلات والاستجابة للحوادث.  Security Information and Event Management (SIEM)  A system that manages and analyzes security events logs in real time in order to provide monitoring Of threats, analysis Of the results Of interrelated rules for event logs and reports on logs data, and incident response.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
اختبار الأمانعملية تهدف إلى التأكد من أن الأنظمة والتطبيقات المعدلة أو الجديدة تتضمن ضوابط أمنية وحماية مناسبة ولا تقدم أي ثغرات أمنية أو نقاط ضعف قد تهدد الأنظمة أو التطبيقات الأخرى أو إساءة استخدام النظام أو التطبيق أو معلوماته، وللحفاظ على الوظائف كما هي. منوي.  Security Testing  A process intended to ensure that modified or new systems and applications include appropriate security controls and protection and do not introduce any security holes or vulnerabilities that might compromise other systems or applications or misuses Of the system, application or its information, and to maintain functionality as intended.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
الأمن حسب التصميممنهجية لتطوير الأنظمة والبرمجيات وتصميم الشبكات التي تسعى إلى صنع الأنظمة. برمجيات وشبكات خالية من نقاط الضعف/نقاط الضعف في الأمن السيبراني وغير قابلة للهجوم السيبراني قدر الإمكان من خلال تدابير مثل الاختبار المستمر، وضمانات المصادقة، والالتزام بأفضل ممارسات البرمجة والتصميم.  Security-byDesign  A methodology to systems and software development and networks design that seeks to make systems. software and networks free from cybersecurity vulnerabilities/weaknesses and impervious to cyber-attack as much as possible through measures such as: continuous testing, authentication safeguards and adherence to best programming and design practices.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
إطار سياسة المرسلطريقة للتحقق من أن خادم البريد الإلكتروني المستخدم في عنوان البريد الإلكتروني للمرسل ينتمي بالفعل إلى مجال البريد الإلكتروني لمؤسسة المرسل.  Sender Policy Framework  A method to validate that the email server used in the sender's email address actually belongs to the sender's organization email domain.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
الفصل بين الواجباتمبدأ أساسي في الأمن السيبراني يهدف إلى تقليل الأخطاء والاحتيال عند معالجة مهام محددة. يتم تحقيق ذلك من خلال وجود العديد من الأشخاص ذوي الامتيازات المختلفة المطلوبة لإكمال المهمة.  Segregation Of Duties  Key principle in cybersecurity that aims at minimizing errors and fraud when processing specific tasks. It is accomplished through having several people with different privileges, required to complete a task.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
طرف ثالثأي منظمة تعمل كطرف في علاقة تعاقدية لتوفير السلع أو الخدمات (وهذا يشمل الموردين ومقدمي الخدمات).  Third-party  Any organization acting as a party in a contractual relationship to provide goods or services (this includes suppliers and service providers).Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
تهديدأي ظرف أو حدث من المحتمل أن يؤثر سلبًا على العمليات التنظيمية (بما في ذلك المهمة أو الوظائف أو الصورة أو السمعة) أو الأصول التنظيمية أو الأفراد من خلال نظام معلومات عبر الوصول غير المصرح به أو التدمير أو الكشف أو تعديل المعلومات و/أو رفض المعلومات خدمة. بالإضافة إلى احتمال قيام مصدر تهديد باستغلال ثغرة أمنية معينة في نظام معلومات بنجاح.  Threat  Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
استخبارات التهديدفهو يوفر معلومات وتحليلات منظمة للهجمات الأخيرة والحالية والمحتملة التي يمكن أن تشكل تهديدًا إلكترونيًا للمنظمة.  Threat Intelligence  It provides organized information and analysis Of recent, current and potential attacks that could pose a cyber threat to the organization.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
وهنأي نوع من الضعف في نظام الكمبيوتر. برمجة. طلب. مجموعة من الإجراءات. أو في أي شيء يترك الأمن السيبراني عرضة للتهديد.  Vulnerability  Any type of weakness in a computer system. software. application. set Of procedures. Or in anything that leaves cybersecurity exposed to a threat.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
جدار حماية تطبيقات الويبإنه يحلل. المرشحات والشاشات. ويمنع حركة المرور على الإنترنت من وإلى تطبيق ويب، كما أنه قادر على تصفية محتوى تطبيقات ويب محددة.  Web Application Firewall  It analyzes. filters, monitors. and blocks Internet traffic to and from a web application, It is also able to filter the content Of specific web applications.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
البرمجيات الخبيثة يوم الصفرالبرمجيات الخبيثة التي لم تكن معروفة من قبل. تم إنتاجها/نشرها مؤخرًا، وعادةً ما يصعب اكتشافها بواسطة تطبيقات الحماية من البرامج الضارة القائمة على التوقيع.  Zero-Day Malware  Malware that is unknown before. produced/disseminated recently, and normally hard to detect by signature-based protection anti-malware applications.Essential Cybersecurity Controls (ECC – 1 : 2018)Cyber Security
Data Leakage Prevention Technologies (DLP)  Technologies used to protect sensitive data from unauthorized disclosure and to prevent its circulation outside the organization in any form and at any location, whether stored on storage volumes (at rest), on user devices or servers (in use), or in movement via the network (in transit).  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Mobile Device Management (MDM) System  A technical system used to manage, monitor, and protect employees' mobile devices by applying cybersecurity policies.  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Rights Management Technologies  Technologies used to protect sensitive data from unauthorized disclosure, and to limit its processing to the privileges assigned to authorized users.  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Consulting Services  Services provided by a professional advisory team where consultants review and analyze client business data and documents, which may contain sensitive and confidential data, and offer advice and benchmarks, using their expertise to recommend best practice or help businesses based on their individual requirements. This does not include professional cybersecurity services. Examples: digital transformation consultancy, strategy and regulation analysis and development.  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Professional Cybersecurity Services  Cybersecurity services that are provided by an NCA-certified/licensed provider based on a clear cybersecurity assessment or response scope. Examples: cybersecurity vulnerability assessment, cybersecurity incident response, cybersecurity risk assessment.  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Managed Services  Professional services that are provided on a subscription basis by an NCA-certified/licensed provider to offload some professional IT and cybersecurity operations. This includes products, solutions, software, and hardware. Examples: managed Cybersecurity Operations Center (SOC), managed IT services.  Data Cybersecurity Controls (DCC -1:2022)  Cybersecurity
Asset  Anything tangible or intangible that has value to the CSPs and CSTs. There are many types of assets, some of which include obvious things, such as: persons, machinery, utilities, patents, software and services. The term can also include less obvious things, such as: information and characteristics (for example, the CSP's and CST's reputation and public image, as well as skills and knowledge).  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Attack  Any kind of malicious activity that attempts to achieve unauthorized access to, collection, disabling, prevention, destruction or sabotage of information system resources or the information itself.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Audit  Independent review and examination of records and activities in order to assess the effectiveness of cybersecurity controls and to ensure adherence to policies, operational procedures, standards and relevant legislative and regulatory requirements.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Authentication  Verifying the identity of a user, process or device, which is often a prerequisite for allowing access to resources in the system.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Authorization  Identification and verification of the user's rights/licenses to access, and allowing him/her to view, the information and technical resources of the CSPs and CSTs as defined in the user's rights/licenses.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Availability  Ensuring timely access to information, data, systems and applications.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Backup  Files, devices, data and procedures available for use in case of failure or loss, or in case of deletion or suspension of their original copies.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Closed-circuit television (CCTV)  CCTV, also known as video surveillance, uses video cameras to send a signal to a specific location on a limited set of screens. The term often refers to the surveillance technique used in areas that may need to be monitored and where physical security is an important requirement.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Change Management  A service management system that ensures a systematic and proactive approach using effective standard methods and procedures (for example, for changes in infrastructure, networks, etc.). Change management helps all stakeholders, individuals and teams alike, move from their current state to the next desired state, and also helps reduce the impact of related incidents on the service.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Classification  Categorizing the data prepared, collected, processed, or exchanged by organizations for the provision of services or conduct of business, including data received from or exchanged with persons outside the organizations, and data that is prepared for the interest of organizations or related to sensitive infrastructure. Data related to organizations is classified, using a top-down approach, as level 1, level 2, level 3, or level 4.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Classified Data  Any data classified at any of the following levels: level 1, level 2, level 3, or level 4.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Computing  A model which enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud models are composed of five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. There are three types of cloud computing service delivery models: Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), and Cloud Infrastructure as a Service (IaaS). There are four deployment models: private cloud, community cloud, public cloud, and hybrid cloud.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Computing Compliance Control Catalogue (C5)  C5 was developed by the German Federal Office for Information Security (BSI) to set minimum requirements for securing cloud services in order to establish a framework of trust between cloud providers and their customers.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Computing Services  The delivery of various services via the Internet, accessible through different platforms (desktops, laptops, smartphones, etc.). These services include applications and infrastructure such as servers, databases and networking to support, among other things, communication, data analysis, processing, sharing and storage.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Controls Matrix (CCM)  CCM was developed by the Cloud Security Alliance (CSA) to provide fundamental security principles to help CSTs assess the security risks of cloud services provided by a CSP.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Customer  In this document referred to as "Cloud Service Tenant (CST)", any natural or legal person (such as a company) who subscribes to the cloud computing services provided by the service provider.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Service Provider (CSP)  Any natural or legal person (such as a company) who provides cloud computing services to the public, either directly or indirectly through data centers (both inside and outside KSA), and manages them in whole or in part.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Configuration Management Database (CMDB)  Configuration Management Database, a concept originally defined by the ITIL operations standard, consisting of a database used to store configuration records of systems throughout their lifecycle.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cloud Technology Stack (CTS)  Layered architecture of technologies that are essential to implement cloud computing services (data center infrastructure, LAN, storage/compute/hyper-convergence hardware, hypervisor, cloud management platform, virtual appliances, operating systems, application software, O&M platforms, cloud security technologies, etc.).  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Compromise  Disclosure of, or obtaining of, information by unauthorized persons, where that information is not authorized to be leaked or obtained, or violation of the organization's cybersecurity policy through disclosure, change, sabotage or loss of anything, either intentionally or unintentionally. The expression "security violation" means disclosure of, obtaining, leaking, altering or use of sensitive data without authorization (including cryptographic keys and other critical cybersecurity standards).  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Confidentiality  Maintaining authorized restrictions on access to and disclosure of information, including means of protecting privacy/personal information.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Confidential Data/Information  Information (or data) that is highly sensitive and important according to the classification of the CSPs and CSTs, and intended for use by them. One method that can be used to classify this type of information is to measure the extent of the damage if it is disclosed, accessed in an unauthorized manner, damaged or sabotaged, as this may result in material or moral damage to the CSPs and CSTs or their clients, affecting the lives of persons related to that information, or affecting and damaging the security of the state, its national economy or its national capabilities. Sensitive information includes all information whose unauthorized disclosure, loss or sabotage results in accountability or statutory penalties.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Critical National Infrastructure (CNI)  The assets (i.e. facilities, systems, networks, processes, and the key operators who operate and process them) whose loss or vulnerability to security breaches may result in: • Significant negative impact on the availability, integration or delivery of basic services, including services whose disruption could result in serious loss of property and/or lives and/or injuries, alongside significant economic and/or social impacts. • Significant impact on national security and/or national defense and/or the state economy or national capacities.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cryptography  The rules comprising the principles, methods and means of storing and transmitting data or information in a particular form in order to conceal its semantic content, prevent unauthorized use or prevent undetected modification, so that only the persons concerned can read and process it.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cyber-Attack  Intentional exploitation of computer systems and networks, and of those CSPs and CSTs whose work depends on digital ICT, in order to cause damage.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cyber Risks  Risks that harm the CSPs' and CSTs' processes (including their vision, mission, management, image or reputation), assets, individuals, other organizations or the State due to unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cybersecurity Resilience  Overall ability of the CSPs and CSTs to withstand cyber incidents and the causes of damage, and to recover from them.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cybersecurity  Pursuant to the provisions of NCA's Regulation issued by virtue of Royal Decree No. (6801) of (11/02/1439), cybersecurity is the protection of networks, IT systems, operational technology systems and their hardware and software components, their services and the data they contain, from any penetration, disruption, modification, access, use or unauthorized exploitation. The concept of cybersecurity also includes information security, digital security, etc.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Cyberspace  The interconnected network of IT infrastructure, including the Internet, communications networks, computer systems and Internet-connected devices, as well as the associated hardware and control devices. The term can also refer to a virtual world or domain as a simple concept.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Data  Any information, records, statistics or documents that are photocopied, recorded and stored electronically.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Data and Information Classification  Setting the sensitivity level of data and information, which results in security controls for each level of classification. Data and information sensitivity levels are set according to predefined categories when data and information is created, modified, improved, stored or transmitted. The classification level is an indication of the value or importance of the organization's data and information.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Defense-in-Depth  A concept of information assurance where multiple levels of security controls are used (as a defense) within the IT/OT system.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Disaster Recovery  Programs and plans designed to restore the organization's critical business functions and services to an acceptable state following exposure to cyber-attacks or disruption of such services.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
Effectiveness  Effectiveness refers to the degree to which a planned impact is achieved. Planned activities are considered effective if they are actually implemented, and planned results are considered effective if the results are actually achieved. KPIs can be used to measure and evaluate the level of effectiveness.  Cloud Cybersecurity Controls (CCC – 1: 2020)  Cybersecurity
حدثشيء يحدث في مكان محدد (مثل الشبكة والأنظمة والتطبيقات وما إلى ذلك) في وقت محدد.  Event  Something that happens in a specific place (such as network, systems, applications, etc.) at a specific time.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
فيدرامبعملية التقييم والترخيص التي تقدمها حكومة الولايات المتحدة للوكالات الفيدرالية الأمريكية مصممة لضمان وجود الأمن عند الوصول إلى منتجات وخدمات الحوسبة السحابية. يعتمد FedRAMP لمقدمي الخدمات السحابية للتعامل مع البيانات في أحد مستويات التأثير الثلاثة: FedRAMP منخفض - قد يؤدي فقدان السرية والنزاهة والتوافر إلى تأثيرات سلبية محدودة على عمليات الوكالة أو أصولها أو أفرادها. FedRAMP متوسط - قد يؤدي فقدان السرية والنزاهة والتوافر إلى آثار سلبية خطيرة على عمليات الوكالة أو أصولها أو أفرادها. FedRAMP - أنظمة إنفاذ القانون وخدمات الطوارئ العالية، والأنظمة المالية، والأنظمة الصحية، وأي نظام آخر حيث من المتوقع أن يكون لفقدان السرية أو النزاهة أو التوفر تأثير سلبي شديد أو كارثي على العمليات التنظيمية أو الأصول التنظيمية أو الأفراد.  FedRAMP  US Government assessment and authorization process for U.S. federal agencies designed to ensure security is in place when accessing cloud computing products and services. FedRAMP certifies cloud service providers to handle data in one of three impact levels: FedRAMP Low - loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency's operations, assets, or individuals. FedRAMP Moderate - loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency's operations, assets, or individuals. FedRAMP High - Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
تعريف وسيلة للتعرف على هوية المستخدم أو العملية أو الجهاز، والتي عادة ما تكون شرطا أساسيا لمنح الوصول إلى الموارد في النظام.  Identification   A means for identification of the identity of the user, process or device, which is usually a prerequisite for granting access to resources in the system.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
حادثةخرق أمني من خلال انتهاك سياسات الأمن السيبراني أو سياسات الاستخدام المقبول أو الممارسات أو ضوابط أو متطلبات الأمن السيبراني.  Incident  A security breach through violation of cybersecurity policies, acceptable use policies, practices or cybersecurity controls or requirements.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
نزاهةالحماية ضد التعديل أو التدمير غير المصرح به للمعلومات، بما في ذلك ضمان عدم إنكار المعلومات وموثوقيتها.  Integrity  Protection against unauthorized modification or destruction of information, including ensuring information non-repudiation and reliability.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
(الانتر) المتطلبات الوطنيةالمتطلبات الدولية هي متطلبات تم تطويرها من قبل منظمة أو منظمة دولية، والتي يتم استخدامها بشكل كبير بطريقة قانونية في جميع أنحاء العالم (مثل: PCI، SWIFT، وما إلى ذلك). المتطلبات الوطنية هي متطلبات تم تطويرها من قبل هيئة تنظيمية داخل المملكة العربية السعودية للاستخدام القانوني (مثل: «ECC - 1: 2018»).  (Inter)National Requirements  The international requirements are requirements developed by an international organization or organization, which are highly-used in a statutory manner all over the world (such as: PCI, SWIFT, etc.). he national requirements are requirements developed by a regulatory organization within the KSA for statutory use (such as: the «ECC - 1: 2018»).Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
آيزو/آي إي سي 27000تم تطوير هذه السلسلة من قبل المنظمة الدولية للمعايير (ISO) واللجنة الكهروتقنية الدولية (IEC) لتقديم توصيات حول أفضل الممارسات لإنشاء نظام إدارة أمن المعلومات (ISMS) وتنفيذه وصيانته وتحسينه باستمرار.  ISO/IEC 27000  This series developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide best practice recommendations to establish, implement, maintain and continually improve information security management system (ISMS).Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
مؤشر الأداء الرئيسي (KPI)نوع من أدوات قياس الأداء التي تقيم نجاح نشاط أو منظمة نحو تحقيق أهداف محددة.  Key Performance Indicator (KPI)  A type of performance measurement tool that assesses the success of an activity or organization towards achievement of specific objectives.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
وضع العلاماتعرض المعلومات (من خلال تسمية وترميز محدد ومعياري) التي يتم وضعها على أصول مقدمي خدمات الاتصالات وCST (مثل الأجهزة والتطبيقات والمستندات وما إلى ذلك) لاستخدامها للإشارة إلى بعض المعلومات المتعلقة بالتصنيف والملكية والنوع معلومات أخرى لإدارة الأصول.  Labeling  Display of information (by specific and standard naming and coding) that is placed on the CSP's and CST's assets (such as devices, applications, documents, etc.) to be used to refer to some information related to the classification, ownership, type and other asset management information.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
المستوى 1ينطبق مستوى التصنيف على البيانات المصنفة على أنها (سرية للغاية) بناءً على ما تصدره المنظمة المختصة.  Level 1  A classification level applies to data classified as a (top secret) based on what is issued by the competent organization.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
المستوي 2ينطبق مستوى التصنيف على البيانات المصنفة على أنها (سرية) بناء على ما تصدره الجهة المختصة.  Level 2  A classification level applies to data classified as a (secret) based on what is issued by the competent organization.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
مستوى 3ينطبق مستوى التصنيف على البيانات المصنفة على أنها (عامة) بناء على ما تصدره الجهة المختصة.  Level 3  A classification level applies to data classified as a (public) based on what is issued by the competent organization.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
مستوى 4ينطبق مستوى التصنيف على البيانات المصنفة على أنها (سرية) بناء على ما تصدره الجهة المختصة.  Level 4  A classification level applies to data classified as a (confidential) based on what is issued by the competent organization.Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
المصادقة متعددة العوامل (MFA)نظام أمني يتحقق من الهوية، ويتطلب استخدام عدة عناصر منفصلة لآليات التحقق من الهوية. تتضمن آليات التحقق عدة عناصر: المعرفة: (شيء يعرفه فقط المستخدم •مثل كلمة المرور»)؛الحيازة: (شيء يستخدمه المستخدم فقط « مثل برنامج أو جهاز يقوم بإنشاء أرقام عشوائية أو رسائل نصية قصيرة لتسجيلات الدخول، والتي تسمى: كلمة المرور لمرة واحدة)؛ والخصائص المتأصلة: (صفة تخص المستخدم فقط، مثل بصمة الإصبع).  Multi-Factor Authentication (MFA)  A security system that verifies identity, which requires the use of several separate elements of identity verification mechanisms.Verification mechanisms include several elements:Knowledge: (something ONLY the user knows •like password»);Possession: (something ONLY used by the user «such as a program or device generating random numbers or SMSs for login records, which are called: One-Time-Password); andInherent Characteristics: (a characteristic of the user ONLY, such as fingerprint).Cloud Cybersecurity Controls (CCC – 1: 2020) Cybersecurity
Multi-Tier Cloud Security Standard for Singapore (MTCS SS) | This standard aims to encourage the adoption of sound risk management and security practices for cloud computing. MTCS SS has three levels of security, Level 1 being the baseline and Level 3 the most stringent: Level 1 is designed for non-business-critical data and systems, with baseline security controls to address security risks and threats in potentially low-impact information systems using cloud services; Level 2 is designed to meet the needs of most organizations running critical data and systems, through a set of more stringent security controls that address security risks and threats in potentially moderate-impact information systems using cloud services; Level 3 is designed for regulated organizations with specific requirements, and supplements or addresses security risks and threats in high-impact information systems using cloud services. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Staff | Persons working for CSPs or CSTs (including permanent and temporary staff and contractors). | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Outsourcing | Obtaining goods or services by contracting with a supplier or service provider. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Penetration Testing | Testing a computer system, network, web application or smartphone application to find vulnerabilities that an attacker could exploit. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Physical Security | Security measures designed to prevent unauthorized access to the organization's facilities, equipment and resources, and to protect individuals and property from damage or harm (such as espionage, theft or terrorist attacks). Physical security involves multiple tiers of interconnected systems, including CCTV, security guards, security perimeters, locks, access control systems and many other technologies. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Policy | A document whose clauses specify a general obligation, direction or intent as formally expressed by the organization's Authorizing Official. A cybersecurity policy is a document whose clauses reflect the formal commitment of senior management to implement and improve the organization's cybersecurity program, including the CSP's and CST's objectives for the cybersecurity program, its controls and requirements, and the mechanism for improving and developing it. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Privileged Access Management | The process of managing high-risk privileges on the organization's systems, which often require special treatment to minimize the risks that may arise from their misuse. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Procedure | A document with a detailed description of the steps necessary to perform specific operations or activities in compliance with the relevant standards and policies. Procedures are defined as part of processes. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Process | A set of interrelated or interacting activities that transform inputs into outputs. Such activities are governed by the policies of the CSPs and CSTs. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
RACI Matrix | Responsible, Accountable, Consulted, Informed matrix: a matrix that maps each participant in a process, capability or function to the degree of involvement and responsibility they undertake in that process. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Recovery | A procedure or process to restore, or regain control of, something that has been suspended, damaged, stolen or lost. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Security Information and Event Management (SIEM) | A system that manages and analyses security event logs in real time in order to provide threat monitoring, evaluation of correlation rules across event logs, reporting on log data, and support for incident response. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
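The SIEM entry mentions "interrelated rules" evaluated over event logs; the smallest useful instance is a correlation rule that joins several events from one source into a single alert. The following is an added example, not code from the CCC document or any SIEM product: it parses constructed, syslog-style sshd lines (documentation IP ranges, invented usernames) and raises an alert when at least three failed logins from one source address within a 60-second window are followed by a successful login from that same address.

```python
"""Added example: a SIEM-style correlation rule run over constructed auth log
lines. Illustrative only; not from the CCC document or any product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events. Addresses are RFC 5737 documentation ranges and the
# user names are invented. One line deliberately does not match the rule's pattern.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for alice from 203.0.113.7 port 5011
2024-05-01T10:00:05Z sshd[101]: Failed password for alice from 203.0.113.7 port 5012
2024-05-01T10:00:09Z sshd[101]: Failed password for root from 203.0.113.7 port 5013
2024-05-01T10:00:12Z sshd[101]: Received disconnect from 203.0.113.7 port 5013
2024-05-01T10:00:20Z sshd[101]: Accepted password for alice from 203.0.113.7 port 5014
2024-05-01T10:01:00Z sshd[101]: Failed password for bob from 198.51.100.9 port 6001
2024-05-01T10:05:00Z sshd[101]: Accepted password for bob from 198.51.100.9 port 6002
2024-05-01T10:06:00Z sshd[101]: Failed password for carol from 192.0.2.5 port 7001
2024-05-01T10:06:10Z sshd[101]: Failed password for carol from 192.0.2.5 port 7002
2024-05-01T10:08:00Z sshd[101]: Accepted password for carol from 192.0.2.5 port 7003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_event(line: str):
    """Normalize one raw line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold: int = 3, window_seconds: int = 60):
    """Rule: >= `threshold` failed logins from one source within `window_seconds`,
    followed by an accepted login from the same source, raises one alert.

    State is a per-source queue of recent failure timestamps; old entries are
    expired as each new event arrives, so memory stays bounded by the window."""
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not an auth event; a real pipeline would count unparsed lines
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "source": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "first_failure": recent[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only 203.0.113.7 trips the rule with the defaults: bob has a single failure, and carol's two failures are outside the window by the time her login succeeds. Widening the window or lowering the threshold changes the outcome, which is the tuning trade-off every correlation rule carries.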
System Development Security | Any application, platform, middleware, operating system, hypervisor, network stack or other software that forms part of the cloud technology stack. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Third-Party | Any organization acting as a party to a contractual relationship to provide goods or services (this includes suppliers and service providers). | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Threat | Any circumstance or event with the potential to adversely affect the business of the CSPs and CSTs (including their mission, functions, credibility or reputation), their assets or their employees by exploiting an information system through unauthorized access, destruction, disclosure, alteration or denial of service; together with the ability of the threat source to successfully exploit a vulnerability of a particular information system. This includes cyber threats. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Vulnerability | Any kind of weakness in a computer system, its programs or applications, or in a set of procedures, or anything else that exposes cybersecurity to risk. | Cloud Cybersecurity Controls (CCC – 1: 2020) | Cybersecurity
Application Program Interface (API) | A set of commands, functions, objects and protocols developed for use by programmers in developing software or interacting with other systems and/or software. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Critical Vulnerabilities | Vulnerabilities that, if exploited, could lead to unauthorized access to data, information, devices or systems. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Data-at-Rest | Inactive data stored on permanent storage media, such as databases, archives, tapes, off-site backups, laptops and disks. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Data-in-Transit | Data transmitted from one location to another over any type of network, such as the Internet, a private network, etc. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Data Leakage Prevention | Methods of keeping important data away from unauthorized individuals and preventing its circulation outside the organization's boundaries regardless of its form or location, whether at rest, in use on user PCs or central servers, or in transit across a network. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Data Masking | A technique that hides part of the data to protect it by replacing some characters or values with specific symbols. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Data Scrambling | A method that rearranges or replaces data within a data set so that the data values remain but no longer correspond to the original records and cannot be restored. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Distributed Denial of Service Attack (DDoS) | An attempt to disable a system and make its services unavailable by sending many requests from more than one source at the same time. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
End-point Protection | The procedures and technology used to protect end-points, such as domains, computers and laptops, against attacks (for example anti-virus software, anti-spyware programs, personal firewalls and intrusion detection systems). | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Hashing Functions | The process of applying a one-way algorithm to data to obtain a numerical value (digest) representing that data, such that it is difficult (or practically impossible) to recover the original data from that value. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
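The Data Masking, Data Scrambling and Hashing Functions entries above describe three different ways of protecting a value, and they are easy to confuse: masking hides part of a value and is reversible only for the part that is kept; scrambling keeps every value but breaks its link to the record; hashing replaces the value with a one-way digest. The following is an added example, not code from the CSCC document, that applies all three to constructed records (invented names, test card numbers, made-up salaries). The salt constant and the `protect_records` helper are assumptions introduced for the illustration.

```python
"""Added example: data masking, data scrambling and hashing applied side by side
to constructed records. Not part of the CSCC document."""
import copy
import hashlib
import random

# Constructed sample records: invented names, well-known test card numbers that
# belong to no real account, and made-up salaries.
SAMPLE_RECORDS = [
    {"name": "Aisha", "card": "4111111111111111", "salary": 9000},
    {"name": "Badr", "card": "5500000000000004", "salary": 12000},
    {"name": "Dana", "card": "340000000000009", "salary": 7500},
    {"name": "Faisal", "card": "6011000000000004", "salary": 15000},
]

# Assumed secret for keyed pseudonyms; in practice this lives in a secrets store.
PSEUDONYM_SALT = b"example-secret-salt"


def mask_value(value: str, keep_last: int = 4, symbol: str = "*") -> str:
    """Data masking: replace all but the trailing `keep_last` characters with
    `symbol`. Values no longer than `keep_last` are masked entirely, so a short
    value is never echoed back in full."""
    if len(value) <= keep_last:
        return symbol * len(value)
    hidden = len(value) - keep_last
    return symbol * hidden + value[hidden:]


def hash_value(value: str, salt: bytes = b"") -> str:
    """Hashing: one-way SHA-256 digest of the value. With a secret salt the digest
    becomes a keyed pseudonym that cannot be matched by a precomputed dictionary
    of likely inputs; without one, short or guessable inputs are trivially
    recovered by hashing candidates."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def scramble_column(records, field: str, attempts: int = 100):
    """Data scrambling: shuffle one column across the records so the set of values
    (totals, distribution) survives but no row keeps its original value. No mapping
    is stored, so the original assignment cannot be reconstructed. The input is
    not modified."""
    out = copy.deepcopy(records)
    original = [r[field] for r in out]
    values = list(original)
    rng = random.SystemRandom()  # OS entropy, not a seedable generator
    for _ in range(attempts):
        rng.shuffle(values)
        if all(v != o for v, o in zip(values, original)):
            break  # every row changed; stop retrying
    for r, v in zip(out, values):
        r[field] = v
    return out


def protect_records(records):
    """Combine the three techniques: pseudonymize the name, mask the card number,
    scramble the salary column."""
    out = scramble_column(records, "salary")
    for r in out:
        r["name"] = hash_value(r["name"], salt=PSEUDONYM_SALT)
        r["card"] = mask_value(r["card"])
    return out


if __name__ == "__main__":
    for row in protect_records(SAMPLE_RECORDS):
        print(row)
```

The salaries still sum to the same total after scrambling, which is the point of the technique for test or analytics copies, while the masked card numbers keep only the last four digits and the hashed names can be joined across datasets without revealing who they are.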
Middleware | Software that helps programs and databases (which may be on different hosts) work together. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Remote Access | Users gaining access from outside the internal network or internal information system. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Screening or Vetting | The process of verifying the identity of persons prior to employment, because of their expected involvement in tasks related to sensitive systems. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Secret | A classification level that applies to data whose unauthorized disclosure would result in severe damage to national security, the national economy, the KSA's international relations or the investigation of major crimes. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Service Accounts | An account used to run services or software, with access to data and resources. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Source Code | A set of commands and instructions written in a programming language. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Stress Testing | A form of deliberately intense or thorough testing used to determine the stability of a given system or entity. It involves overwhelming its resources and testing beyond normal operational capacity, often to the breaking point, in order to observe the results. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Top Secret | A classification level that applies to data whose unauthorized disclosure would result in severe damage to national security, the national economy or the KSA's international relations, and from which it is hardly possible to recover. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
User Behavior Analytics (UBA) | Tracking, collecting and analyzing user data and identifying patterns of user activity in order to detect harmful or unusual behavior. | Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) | Cybersecurity
Authority | Digital Government Authority | Guideline Enterprise Architecture Establishment for Government Entities | Government
Government entity | Ministries, government entities, departments, public bodies and institutions with independent public legal personality | Guideline Enterprise Architecture Establishment for Government Entities | Government
EA Framework | An EA framework defines how to create and use an Enterprise Architecture, typically by providing blueprints, structures, a common language, methods, tools and templates, with the intent of achieving business objectives in alignment with an organization's overall strategy | Guideline Enterprise Architecture Establishment for Government Entities | Government
EA metamodel | A model that describes how the various objects (i.e., concepts) of an enterprise and their relationships are conceived and arranged in order to describe its architecture | Guideline Enterprise Architecture Establishment for Government Entities | Government
BA (Business Architecture) | Business Architecture includes, for example: the strategy, initiatives, list of services and business procedures of the government entity | Guideline Enterprise Architecture Establishment for Government Entities | Government
DA (Data Architecture) | Data Architecture includes, for example: data classification, data exchange, a list of the data used in the entity, and the definition of its sources and associated databases | Guideline Enterprise Architecture Establishment for Government Entities | Government
AA (Application Architecture) | Application Architecture includes, for example: a list of applications and digital products, their characteristics, and integration information | Guideline Enterprise Architecture Establishment for Government Entities | Government
TA (Technology Architecture) | Technology Architecture includes, for example: software and hardware licenses, technical infrastructure, networks, communications and data centers | Guideline Enterprise Architecture Establishment for Government Entities | Government
Authority | The Digital Government Authority. | Basic Standards for Digital Transformation | Digital Transformation
Digital Government | Supporting administrative, regulatory and operational processes within and among government sectors in order to achieve digital transformation and to develop, improve and enable easy and effective access to government information and services. | Basic Standards for Digital Transformation | Digital Transformation
Digital Transformation | Strategically transforming and developing business models into digital models based on data, technologies and communication networks. | Basic Standards for Digital Transformation | Digital Transformation
Digital Transformation Measurement | An assessment process, based on a defined methodology and aimed at government entities, that diagnoses their current state and tracks the progress of their digital transformation journey against best practices and standards, in support of the Saudi Vision 2030 targets. | Basic Standards for Digital Transformation | Digital Transformation
Government Entities | Ministries, authorities, public institutions, councils, national centers and the like. | Basic Standards for Digital Transformation | Digital Transformation
Policies | Policies set the context or way of working that guides and defines current and future steps, and state what is required of government entities through the principles they contain. Most policies have associated standards that provide further information to government entities. | Basic Standards for Digital Transformation | Digital Transformation
Standards | A set of measures, rules and controls, adopted by the Authority, that govern the processes and tasks related to digital government. | Basic Standards for Digital Transformation | Digital Transformation
Controls | The requirements that government entities must comply with, and what they must do, to achieve the targets and general provisions set out in the associated policy. | Basic Standards for Digital Transformation | Digital Transformation
Guidelines | Provide examples that show government entities how to apply the policies and standards. | Basic Standards for Digital Transformation | Digital Transformation
Enterprise Architecture | Practices and controls for studying the current state of the government entity and building a roadmap for the transition to the target state, in order to align the business (services and procedures), information technology (data, applications and infrastructure) and the strategic objectives of the government entity. | Basic Standards for Digital Transformation | Digital Transformation
Business Continuity | The entity's ability to continue delivering its prioritized activities at predefined levels following a disruption. | Basic Standards for Digital Transformation | Digital Transformation
Business Continuity Plan | Documented information that guides the entity in responding to a disruption and in recovering and resuming the delivery of products and services in line with its business continuity objectives. | Basic Standards for Digital Transformation | Digital Transformation
  Accountability  The property of being able to trace activities on a system to individuals who may then be held responsible for their actions. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Advanced Persistent Threat (APT)   An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Audit  Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Authentication   Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Authorization   Access privileges granted to a user, program, or process or the act of granting those privileges Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Availability   Ensuring timely and reliable access to and use of information. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Baseline   A set of minimum requirements that must be met and that form the basis for measurement. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  BYOD   Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Criticality   A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Cryptography   The discipline embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Cyber Resiliency   The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Cyber Risk   Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Cyber Threat   Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Cybersecurity   Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Data Confidentiality   The property that data or information is not made available or disclosed to unauthorized persons or processes. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Data Integrity   The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Data Privacy  The governance for the proper handling of sensitive data during its collection, use, sharing, and storage, in a way that grants a party the right to maintain control over, and the confidentiality of, information about itself. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Data Security   A set of security objectives to protect data from unauthorized access, use, disclosure, disruption, modification, or destruction in order to maintain confidentiality, integrity, and availability Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Digital Boarding   The practice of signing up for a bank account or other banking service entirely online or via mobile with no physical presence Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Disaster   An incident, either man-made or natural, sudden or progressive, the impact of which is such that the affected organization must respond through exceptional measuresCybersecurity Framework for Jordan Financial SectorCybersecurity
  Event   Any observable occurrence in a network or information technology, service, or system Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Financial Transaction   A communication carried out between at least two parties to exchange the value of an asset, resulting in changes in the financial status of the parties. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Governance   A set of processes that ensures that assets are formally managed throughout the enterprise Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Guideline   A set of recommendations or goals that can be used when there are no specific standards/procedures in place, or they do not apply. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Incident   An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Information Asset   Any resource that the entity possesses or employs to support information-related activities Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Information Protection   A set of security policies, processes, and procedures to manage the protection of information systems and assets. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Online Banking   Mobile-based or web-based banking in which customers reach traditional banking services over the Internet (from desktops, tablets, mobiles, …). Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Policy   Statements, rules, or assertions that specify the correct or expected behavior of an entity. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Portable Devices   Computing devices, including laptops, mobiles, and tablets, that are owned by the entity, are easily carried and moved, and are allowed to connect to the entity’s network. Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Procedure   Set of activities or steps done to achieve business process goals or apply policy Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Relevant Stakeholders   Internal employees who are empowered by the board of directors or senior management to independently make decisions Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Removable Media   Portable storage devices that are connected to information systems to provide data storage Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Security Standard   A set of published specifications that are designed to enhance the organizational, sectoral, national, and international security posture Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Senior Manager   A role at the highest level of management who manages, directs, and controls the organization Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Sensitivity   A measure of the degree to which an IT system or application requires protection (to ensure confidentiality, integrity, and availability) which is determined by an evaluation of the nature and criticality of the data processed, the relation of the system to the organization missions and the economic value of the system components. (NISTIR 7298r3 Glossary of Key Information Security Terms) Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Strategy   A high-level and long-term plan of action designed to achieve the desired objectives Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Vulnerability   Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (NISTIR 7298r3 Glossary of Key Information Security Terms)Cybersecurity Framework for Jordan Financial SectorCybersecurity
  Assets   Anything that has value to the Affiliate: created (intellectual and personal data) or procured data, proposed or executed contracts, agreements, devices, systems, hardware, software, research information, training manuals, operational or support procedures, continuity plans, and any facilities that enable the organization to achieve its business purposes.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Audit log   A chronological record of system activities. Includes records of system accesses and operations performed in a given period. Examples of auditable events are included in Appendix C. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Business Continuity   A set of instructions and procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cloud Computing   Model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned. This includes any Cloud Computing service model; such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cloud Service Provider   A third party providing a Cloud Computing service. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Compliance Assessment   The practice and activities conducted to evaluate and verify adherence to the cybersecurity controls enforced in the Standard and the Contract. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Confidential Information   Affiliate information intended for disclosure/release to limited Affiliate and third-party employees that will be used in Company-related business functions on a need-to-know basis. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Content-filtering   The use of a program to screen and exclude users from accessing web pages and services based on company restrictions.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cybersecurity   The ability to protect or defend the use of cyberspace from cyberattacks.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cybersecurity Assessment   Cybersecurity Assessments include Risk Assessment, Compliance Assessment, Vulnerability Assessment, Penetration Testing, and forensic analysis. Cybersecurity Assessment is conducted by Saudi Aramco using Saudi Aramco resources to ensure that the Affiliate is in compliance with cybersecurity controls in the Standard. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cybersecurity Incident   Event or occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of Assets or an event that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. This includes physical incidents such as but not limited toSACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Cybersecurity Policy   The set of laws, rules, directives, and practices that govern how an organization protects information systems and information.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  DMZ   A demilitarized zone, or perimeter network, is an additional layer of security that separates an organization’s Local Area Network (LAN) from untrusted networks such as the Internet, and has additional cybersecurity controls to restrict access to other layers in the network.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Exception   An exemption to any written information security policy, standard, procedure, or process that has been approved by the appropriate governing body and published for use. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Incident Response   A process detailing the steps required to minimize or eradicate a Cybersecurity Incident that threatens the confidentiality, integrity, or availability of the organization’s Assets. A critical component of this process is setting out the guidelines and procedures for defining the criticality of Cybersecurity Incidents, the reporting and escalation process, and the recovery procedures. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Industrial Control Systems (ICS)   Integrated system which is used to automate, monitor, and/or control an operating facility (e.g., plant process units). The ICS consists of operating area automation systems and their related auxiliary systems which are connected together at the PCN and PAN level to form a single integrated system. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Patch   A piece of software designed to fix operating system or software programming errors and vulnerabilities. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Penetration Testing   A live test of the effectiveness of security defenses that mimics the actions of real-life attackers to uncover vulnerabilities. This includes testing a computer system, network, or web application. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Remote Access   Act of utilizing a remote access service, hardware, or process to remotely connect to the organization's network or systems. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Risk   The measurement and articulation of the potential adverse impact on the operation of information systems, which is affected by threat occurrences on organizational operations, assets, and people. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Risk Assessment   The process by which risks are identified and the impact of those risks is determined. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Risk Management   The process of recognizing Risk; assessing the impact and likelihood of that Risk; and developing strategies to manage it, such as avoiding the Risk, reducing the negative effect of the Risk, and/or transferring the Risk. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  SACS   Stands for Saudi Aramco Cybersecurity Standard. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Sanitization   The process of permanently removing all data and/or licensed software, through overwriting or degaussing methods, from an Asset before that Asset is disposed of, loaned, destroyed, donated, or transferred. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  SAO   Stands for Saudi Aramco Organization. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Sender Policy Framework (SPF)   Email-validation mechanism that allows domain owners to publish a list of authorized IP addresses or subnets that are allowed to send emails on behalf of their domain to detect and block email spoofing, and reduce the amount of spam, fraud, and phishing. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Standard   A document that provides the minimum required information security controls. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Subsidiary / Controlled Affiliate   Legal entities, separate and distinct from Saudi Aramco, in which Saudi Aramco has greater than 50 percent direct or indirect ownership or otherwise controls.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Suspicious Activities   Any observed user, system, or network traffic behavior that could indicate or lead to a cyberattack. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Systems   A collection of communication and computing hardware, software, firmware, and applications organized to accomplish a specific function or set of functions. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Third-Party   Any external party (individual, business, or organization) that generates, acquires, compiles, transmits, or stores data on behalf of the company. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Threat   An activity, event, or circumstance with the potential to cause harm to information system resources. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Vulnerability   Any known or unknown flaw in an information system, application, or network that is subject to exploitation or misuse by threat agents. SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Vulnerability Assessment   A process that defines, identifies, and classifies the security weaknesses/exposures (Vulnerabilities) in a computer, network, or communications infrastructure.SACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Waiver   An exception or exemption to any written information security policy, standard, procedure, or practice that has been approved by the appropriate governing body and published for useSACS-021 Affiliates Cybersecurity Standard (ACS)Cybersecurity
  Access management   The process of granting authorized users the right to use the service and denying it to unauthorized users. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Advanced Persistent Threats (APT)   Protection from advanced threats that use hidden methods aimed at illegal access to technical systems and networks, and that try to remain in them as long as possible by evading detection and protection systems. These methods usually rely on zero-day malware (viruses and malware not previously known) to achieve their goal.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
   Application Whitelisting   A list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline. Application whitelisting technologies are intended to stop the execution of malware and other unauthorized software. Unlike security technologies such as antivirus software, which use blacklists to prevent known bad activity and permit all others, application whitelisting technologies are designed to permit known good activity and block all others. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Asset   Anything tangible or intangible that has value to an organization. There are various types of assets; and some of them include tangible items such as persons, machinery, utilities, patents, software, and services. The term asset may include intangible items such as information and properties (mental image, reputation, or skills and knowledge). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Assurance   Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Attack   Any kind of malicious activity that attempts to illegally collect, disrupt, deny, degrade, or destroy information system resources or the information itself. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Audit   Independent review and examination of records and activities to assess the adequacy of cybersecurity controls, to ensure compliance with established policies and operational procedures as well as relevant legislative and regulatory requirements. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Availability   Ensuring timely and reliable access to and use of information, data, systems, and applications.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
   BOD   Board of Directors. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Bring Your Own Device (BYOD)   BYOD refers to personally owned computing devices, such as laptops, tablets, or smartphones that employees and operators are permitted to use at their place of work. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Business applications   Any application used by employees to perform various business functions in the entity. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Business Continuity   The organization's ability to continue the provision of IT and business services at determined and pre-accepted levels after the occurrence of a disruption event. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Business impact analysis (BIA)   Determining the important activities and priorities of the institution, in addition to determining the extent of reliance between various activities, the minimum resources needed for recovery, and the extent of the impact that a business interruption can cause. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Capital Market Institutions   Financial institutions licensed by, and falling under the supervision and control of, the CMA. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Change Advisory Board   The board provides support to the change management team by introducing required changes and helping in change evaluation and prioritization.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Change management   Identifying and introducing required changes with regard to control of business systems/information. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Chief Executive Officer   The executive official who has the authority to make key decisions within the organization. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Closed Circuit Television (CCTV)   The use of video cameras to transmit signals to a specific place, to a limited set of monitors. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cloud computing   A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of IT resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing allows users to access IT-based services through a cloud computing network without the need to have knowledge or control of IT-supporting infrastructure.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
   Confidentiality   Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity Committee   A committee established by the CMA that aims to help capital market institutions adopt good cybersecurity practices. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity Controls   Administrative, operational, and technical controls (measures or counter-measures) stipulated in the information system to protect the confidentiality, integrity, and availability of the system and its information. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity Governance   A set of responsibilities and practices performed by BOD and Executive Management, with a view to providing strategic guidance of cybersecurity to ensure the achievement of its goals, and ensure cybersecurity risks are appropriately managed and enterprise's resources are properly utilized. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity Outreach Program   A program that explains a code of conduct suitable for the safe use of IT systems. The program contains cybersecurity policies and procedures to be followed.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
   Cybersecurity policy   A set of established standards to provide security services. These standards determine activities of data processing utilities to be conducted to preserve the security status of systems and data. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity Resilience   The enterprise's overall ability to withstand and recover from cybersecurity events and adverse conditions. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity risks   The risks that prejudice the organization's business (including the organization's mission, mental image, or reputation) or the organization's assets, individuals, other organizations, or the state, due to the possibility of unauthorized access and/or use or disclosure, or disruption, modification or destruction of information and/or information systems. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Cybersecurity   A set of security tools, policies, concepts, guarantees, guidelines, risk management approaches, procedures, training courses, best practices, guarantees, and technologies that can be used to protect information assets of capital market institutions against internal and external threats. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Data classification   Determining the sensitivity level of data during its creation, modification, enhancement, storage, or transfer. Data classification then identifies the need for controlling or securing the data and indicates its value as a commercial asset. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Effectiveness of Cybersecurity Controls   Measuring authenticity of execution (how far control is exercised in alignment with the security plan) and how far the security plan meets organizational needs according to existing risk tolerance.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Encryption   The rules, including principles, methods, and tools, for storing and transferring data or information in a specific manner in order to hide its meaningful content and prevent unauthorized access or undetected modification, so that no unauthorized person can read or process it. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Enterprise risk management   The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Forensic evidence  The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Identity Management   The process of controlling information about users on computers, including information that authenticates the identity of a user and systems and/or actions authorized. It also includes information about the user and how and by whom that information can be accessed and modified. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Incident   A security breach of violating cybersecurity policies, acceptable use policies, cybersecurity practices, controls, or requirements.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
   Incident management plan   The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber-attack against an organization’s information systems(s). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Integrity   Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Intrusion detection system (IDS)   Hardware or software that collects information from different areas within a computer or network to identify and analyze potential security breaches, including both intrusion attempts (attacks from outside the organization) and misuse (attacks from within the organization). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Intrusion Prevention System (IPS)   A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Jailbreaking   A privilege escalation on a device for the purpose of removing software restrictions imposed by the software manufacturer; it often leads to unlimited privileges on the device. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Key Performance Indicators (KPI)   A type of performance level measurement tool that evaluates the success of an activity or organization towards the achievement of specific goals. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Likelihood   A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Malware   A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Mobile Device Management (MDM)   is an industry term for the management of mobile devices. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Multi-Factor Authentication (MFA)   Authentication that uses two or more factors. Factors include (i) something you know (e.g., password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  NIST   National Institute of Standards and Technology www.nist.gov. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Official documentation   Written documentation approved by the senior management and communicated to relevant stakeholders. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Patch   An update to operating systems, applications, or any other programs that is specially developed to correct specific problems in the program, including vulnerabilities. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Penetration Test   A test of a computer system, network, website application, or smartphone application to find vulnerabilities that an attacker could exploit. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Personal devices   Devices that are not owned or issued by the institution, such as smartphones. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Personal identification number (PIN)   A password consisting only of decimal digits. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Physical security   Physical protection for facilities hosting information assets from intended and unintended security events. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Portable storage device   Portable devices/flash drives (such as floppy disks, CDs, USB flash drives, external hard disks, and other flash memory cards/drives that contain nonvolatile memory), as well as computing and portable communication devices with the capacity to store information (for example laptops, PDAs, cell phones, digital cameras, and voice recorders). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Authorities matrix   A matrix that defines the rights and permissions a particular job requires in order to access information. The matrix identifies each user’s roles and tasks, and the affected systems. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Privileged Accounts   An information system account with approved authorizations of a privileged user to perform security-related functions that ordinary users are not permitted to perform. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Risk register   A sheet used as a reference for all identified risks. It includes additional information about each risk separately, for example, risk category, risk owner, and mitigation measures. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Sandboxing   A restricted, controlled execution environment that prevents potentially malicious software from accessing any system resources except those for which the software is authorized. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Secure Coding Standards   The practice of developing computer software and applications in a way that guards against the accidental introduction of security vulnerabilities related to software and applications.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Security information and event management (SIEM)   A system that manages and analyzes security event log data in real time, to provide control of threats, analyze the results of correlated event log rules, and prepare reports about log data and incident response. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Security Operations Center (SOC)   A dedicated site (and team) where security-related data of enterprise information systems (websites, applications, databases, data centers and servers, networks, desktops, and other endpoints) are monitored, assessed, and defended. In most cases, the SOC is allocated for inspection, investigation, and potential response to security breach indicators. The SOC works closely with security-related classified information and disseminates it to other areas of the organization (such as cybersecurity functions, incident management teams, and IT service providers). Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Sensitive Information   Information where the loss, misuse, or unauthorized access or modification could adversely affect the organizational matters or the privacy of individuals. In addition, sensitive information is also information that is sensitive in accordance with the regulatory data classification policy. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Service Level Agreement   An agreement between two parties, where one party is the customer and the other is the service provider, that clarifies the services that must be rendered by the service provider and the criteria that must be met to render the service. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Software Development Life Cycle (SDLC)   SDLC describes the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Threat   Any circumstance or event related to an information system, with the potential to adversely affect a capital market institution's business (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat source to successfully exploit a particular information system vulnerability. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Threat Intelligence   Organized information about recent, current, and potential attacks that may pose a cybersecurity threat to an organization. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Vulnerabilities Management   Periodic practice of identifying, evaluating, and treating security vulnerabilities. Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  Vulnerability   A weakness found in computer systems, programs, applications, or a set of procedures, or anything else that could be exploited or triggered by a threat.Cybersecurity Guidelines for Capital Market InstitutionsCybersecurity
  asset  For the purposes of the model, assets are IT and OT hardware and software assets, as well as information essential to operating the function. The definition also includes interconnected or interdependent business and technology systems and the environment in which they operate.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Asset, Change, and Configuration Management (ASSET)  The C2M2 domain with the purpose of managing the organization's IT and OT assets, including both hardware and software and information assets commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  asset owner  A person or organizational unit, internal or external to the organization, that has primary responsibility for the viability, productivity, and resilience of an organizational asset.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  assets that are important to the delivery of the function  The subset of assets that are required for a normal state of operation of the function and output of the function's products or services. Loss of an asset that is considered "important to the delivery of the function" may not directly result in an inability to deliver the function but could result in operations being degraded. Identification of an important asset should focus on the loss of the service or role performed by that asset and should not include consideration of asset redundancy or other protections applied to assets.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  assets within the function that may be leveraged to achieve a threat objective  Assets that may be used in the pursuit of the tactics or goals of a threat actor that are of concern to the organization. Identifying assets within the function that may be leveraged to achieve a threat objective enables the organization to view assets from the perspective of a threat actor. A threat actor may leverage multiple tactics, like those defined in the MITRE ATT&CK frameworks (for Enterprise or Industrial Control Systems), to achieve their ultimate threat objectives (for example, extortion, data manipulation, IP theft, customer data theft, sabotage). These are some examples of assets within the function that may be leveraged to accomplish a threat objective: public-facing assets that may serve as an initial access point; individual assets that, if compromised, may allow lateral movement within an organization's network; assets with administrative rights that would enable privilege escalation; and information assets such as personally identifiable information that may cause harm to the organization or its stakeholders if lost, stolen, or disclosed. See also threat objective.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  authentication  Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to IT, OT, or information assets.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  availability  Ensuring timely and reliable access to and use of information. For an asset, the quality of being accessible to authorized users (people, processes, or devices) whenever it is needed.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  capacity management  Planning adequate budget, equipment, and tools to meet current and future operational needs of the organization.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  change management  A continuous process of controlling changes to information or technology assets, related infrastructure, or any aspect of services, enabling approved changes with minimum disruption.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  confidentiality  The preservation of authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. For an information asset, confidentiality is the quality of being accessible only to authorized people, processes, and devices.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  configuration baseline  A documented set of specifications for an IT or OT system or asset, or a configuration item within a system, that has been formally reviewed and agreed upon at a given point in time, and which should be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and changes.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  configuration management  A collection of activities focused on establishing and maintaining the integrity of assets, through control of the processes for initializing, changing, and monitoring the configurations of those assets throughout their lifecycle.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  controls  The management, operational, and technical methods, policies, and procedures—manual or automated—(that is, safeguards or countermeasures) prescribed for IT and OT assets to protect the confidentiality, integrity, and availability of those assets and their associated information assets.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  critical infrastructure  Assets that provide the essential services that underpin society. Nations possess key resources whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction through terrorist attack could have a debilitating effect on security and economic well-being.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  current  Updated at an organization-defined frequency, such as in "the asset inventory is kept current," that is selected such that the risks to critical infrastructure and organization objectives associated with being out-of-date by the maximum interval between updates are acceptable to the organization and its stakeholders.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity controls  The administrative, operational, and technical measures (i.e., processes, policies, devices, practices, or other actions) prescribed for IT, OT, and information assets to manage their associated risk.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity event  See event.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity incident  See incident.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity incident lifecycle  See incident lifecycle.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity program  A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Cybersecurity Program Management (PROGRAM)  The C2M2 domain with the purpose of establishing and maintaining an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity program strategy  A plan of action designed to achieve the performance targets that the organization sets to accomplish its mission, vision, values, and purpose for the cybersecurity program.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity requirements  Requirements levied on IT and OT systems that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, and procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity responsibilities  Obligations for ensuring the organization's cybersecurity requirements are met.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cyber risk  The possibility of harm or loss due to unauthorized access, use, disclosure, disruption, modification, or destruction of IT, OT, or information assets. Cyber risk is a function of impact, likelihood, and susceptibility.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  data  A collection of bits that may be processed, stored, or transmitted by an IT or OT system.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  data at rest  Data that is in some kind of storage, such as a hard drive or a server.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  data in transit  Data that is being transmitted via some kind of network, such as a private network or the internet.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cyber attack  An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure, or for destroying the integrity of the data or stealing controlled information.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  cybersecurity  Prevention and limitation of unauthorized access, use, disclosure, disruption, modification, or destruction of IT, OT, and information assets to ensure their confidentiality, integrity, and availability.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  dependency risk  Dependency risk is measured by the likelihood and severity of damage if an IT or OT system is compromised due to a supplier or other third party on which delivery of the function depends. Evaluating dependency risk includes an assessment of the importance of the potentially compromised system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. See also supply chain risk.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  de-provisioning  To revoke or remove an identity's access to organizational assets. See also provision.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  domain  In the context of the model, a logical grouping of cybersecurity practices.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  domain objectives  The practices within each domain are organized into objectives. The objectives represent achievements that support the domain (such as "Manage Asset Configuration" for the ASSET domain and "Increase Cybersecurity Awareness" for the WORKFORCE domain). Each of the objectives in a domain comprises a set of practices, which are ordered by maturity indicator level.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  enterprise  The highest-level organizational unit that encompasses the function to which the C2M2 is being applied. Some enterprises may consist of multiple organizations (e.g., a holding company with one or more operating companies). Other enterprises may have a more homogenous structure that does not necessitate any differentiation between the terms enterprise and organization. For those organizations, enterprise and organization may be used interchangeably. See also organization and function.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  enterprise architecture  The design and description of an enterprise's entire set of IT and OT assets: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture. See also cybersecurity architecture.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  entity  In the context of identity and access management, someone or something having separate or distinct existence (such as a person, object, system, or process) that requires access to an asset.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  establish and maintain  The development, implementation, and ongoing support of the object of the practice (such as a program). Development and implementation would typically result in documentation that captures important information about the activity. Ongoing support would typically result in periodic reviews and updates when events occur that may impact operations (such as major changes to IT and OT assets or changes to the threat environment). For example, “Establish and maintain identities” means that not only must identities be provisioned, but they also must be documented, have assigned ownership, and be kept up to date, including review, corrective actions, addressing changes in requirements, and improvements.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  event  Any anomalous occurrence in a system or network that is related to a cybersecurity requirement. Depending on their potential impact, some events need to be declared as incidents. See also cybersecurity requirements.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Event and Incident Response, Continuity of Operations (RESPONSE)  The C2M2 domain with the purpose of establishing and maintaining plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  function  In C2M2, function refers to the part of the organization that is being evaluated based on the model. A function may or may not align with organizational boundaries. For example, the function might be a line of business, a network security zone, or a single facility.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  governance  An organizational process of providing strategic direction for the organization while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses financial and human resources. Governance also typically includes the concepts of sponsorship (setting the managerial tone), compliance (ensuring that the organization is meeting its compliance obligations), and alignment (ensuring that processes such as those for cybersecurity program management align with strategic objectives).Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  guidelines  A set of recommended practices produced by a recognized authoritative source representing subject matter experts and community consensus or produced internally by an organization. See also standard.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  identity  The set of attribute values (that is, characteristics) by which a person or entity is recognizable and that, within the scope of an identity manager's responsibility, is sufficient to distinguish that person or entity from any other.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Identity and Access Management (ACCESS)  The C2M2 domain with the purpose of creating and managing identities for entities that may be granted logical or physical access to the organization's assets, and of controlling access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  impact  Negative consequences of an event or action. The impact is a key component in understanding the severity of a particular risk. The impact of cybersecurity incidents might include, for example, response costs, regulatory fines, and lost income from reputation damage.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  incident  An event (or series of events) that significantly affects (or has the potential to significantly affect) critical infrastructure or organizational assets and services and requires the organization (and possibly other stakeholders) to respond in some way to prevent or limit impact. Criteria for the declaration of an incident are determined by the organization. See also event.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  incident lifecycle  The stages of an incident, from detection to closure. Collectively, the incident lifecycle includes the processes of detecting, reporting, logging, triaging, declaring, tracking, documenting, handling, coordinating, escalating, notifying, gathering and preserving evidence, and closing incidents. Events also follow the incident lifecycle.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  information  Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  information assets  Information of value to the organization, such as business data, intellectual property, customer information, contracts, security logs, metadata, set points, and operational data. Information Assets may be in digital or non-digital form.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Information Sharing and Analysis Center (ISAC)  An Information Sharing and Analysis Center (ISAC) shares critical information with industry participants on infrastructure protection. Each critical infrastructure industry has established an ISAC to communicate with its members, its government partners, and other ISACs about threat indications, vulnerabilities, and protective strategies. ISACs work together to better understand cross-industry dependencies and to account for them in emergency response planning.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  information technology (IT)  A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes interconnected or interdependent business and technology systems and the environment in which they operate.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  institutionalization  The extent to which a practice or activity is ingrained into the way an organization operates and is followed routinely as part of corporate culture. The more an activity becomes part of how an organization operates, the more likely it is that the activity will continue to be performed over time, with a consistently high level of quality. See also maturity indicator level.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  least privilege  A security control that addresses the potential for abuse of authorized privileges. The organization employs the concept of least privilege by allowing only authorized access for users (and processes acting on behalf of users) who require it to accomplish assigned tasks in accordance with organizational missions and business functions. Organizations employ the concept of least privilege for specific duties and systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve the least privilege. Organizations also apply the least privilege concepts to the design, development, implementation, and operations of IT and OT systems.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  logging  Logging typically refers to automated recordkeeping (by elements of an IT or OT system) of system, network, or user activity. Regular review and audit of logs (manually or by automated tools) is a critical monitoring activity that is essential for situational awareness, such as through the detection of cybersecurity events or weaknesses.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  logical control  A software, firmware, or hardware feature (that is, computational logic, not a physical obstacle) within an IT or OT system that restricts access to and modification of assets only to authorized entities. For contrast, see physical control.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  maturity  The extent to which an organization has implemented and institutionalized the cybersecurity practices of the model.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  maturity indicator level (MIL)  A measure of the cybersecurity maturity of an organization in a given domain of the model. The model currently defines four maturity indicator levels (MILs). Each of the four defined levels is designated by a number (0 through 3) and a name, for example, "MIL3 managed." A MIL is a measure of the progression within a domain from individual and team initiative, as a basis for carrying out cybersecurity practices, to organizational policies and procedures that institutionalize those practices, making them repeatable with a consistently high level of quality. As an organization progresses from one MIL to the next, the organization will have more complete or more advanced implementations of the activities in the domain.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  monitoring  Collecting, recording, and distributing information about the behavior and activities of systems and persons to support the continuous process of identifying and analyzing risks to organizational assets and critical infrastructure that could adversely affect the operation and delivery of services.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  monitoring requirements  The requirements are established to determine the information gathering and distribution needs of stakeholders.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  multifactor authentication  Use of two or more factors to achieve verification of an identity. Factors include (1) something you know, such as a password or PIN, (2) something you have, such as a cryptographic identification device or token, (3) something you are, such as a biometric marker, and (4) something that indicates that you are where you say you are, such as a GPS token. See also authentication.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  objectives  See domain objectives and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  operational resilience  The organization's ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management, supported and enabled by activities such as security and business continuity. A subset of enterprise resilience, operational resilience focuses on the organization's ability to manage operational risk, whereas enterprise resilience encompasses additional areas of risk such as business risk and credit risk. See the related term operational risk.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  operational risk  The potential impact on assets and their related services that could result from inadequate or failed internal processes, failures of systems or technology, the deliberate or inadvertent actions of people, or external events. In the context of the model, the focus is on operational risk from cybersecurity threats.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  operations technology (OT)  In the context of the model, OT assets refer to assets that are on the OT segment of the organization's network and are necessary for service delivery or production activities. Examples include industrial control systems, building management systems, fire control systems, process control systems, safety instrumented systems, Internet of Things (IoT) devices, and physical access control mechanisms. Most modern control systems include assets traditionally referred to as IT, such as workstations that use standard operating systems, database servers, or domain controllers.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  organization  In the context of the model, the organization is the part of the enterprise that encompasses the function selected for C2M2 evaluation or improvement. In smaller enterprises, the terms enterprise and organization are often interchangeable. See also function and enterprise.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  organizational objectives  Performance targets set by an organization. See also strategic objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  periodically and according to defined triggers  A review or activity that occurs at defined, regular time intervals and at the occurrence of defined events. The organization-defined frequency and threshold values are commensurate with risks to organizational objectives and critical infrastructure.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  physical control  Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  plan  A type of control that prevents physical access to and modification of information assets or physical access to technology and facilities. Physical controls often include such artifacts as card readers and physical barrier methods.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  policy  A detailed formulation of a program of action.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  position description  A documented description of roles, responsibilities, and expected or required actions related to a particular area of organizational activity, such as asset management.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  practice  A set of responsibilities that describe a role or roles filled by an employee. Also known as a job description.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  predefined states of operation  An activity described in the model that can be performed by an organization to support a domain objective. The purpose of these activities is to achieve and sustain an appropriate level of cybersecurity for the function, commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  privacy  Distinct operating modes (which typically include specific IT and OT configurations as well as alternate or modified procedures) that have been designed for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resiliency, reliability, or cybersecurity. For example, a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cybersecurity incident of sufficient severity. The high-security operating state may trade off efficiency and ease of use in favor of increased security by blocking remote access and requiring a higher level of authentication and authorization for certain commands until a return to the normal state of operation is deemed safe.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  procedure  The assurance that information about an individual is collected, used, and disclosed only as authorized by that individual or as permitted under privacy laws and regulations.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  process  In the model, the procedure is synonymous with the process.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  provision  A series of discrete activities or tasks that contribute to the fulfillment of a task or mission.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  recovery point objectives (RPO)  To assign or activate an identity profile and its associated roles and access privileges. See also deprovisioning.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  recovery time objectives (RTO)  The point in time to which data is restored after an incident. The point to Which information used by the function must be restored to enable the activity to operate on resumption.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk  The period of time within which systems, applications, or functions must be recovered after an incident. RTO includes the time required for assessment, execution, and verification. The period of time following an incident within which a product service function or activity must be resumed, or resources must be recovered.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk analysis  A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence. See also cyber risk.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk assessment  A risk management activity focused on understanding the likelihood and potential impact of risks, prioritizing risks, and determining a path for addressing risks. Analysis determines the importance of each identified risk and is used to facilitate the organization's response to the risk.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk criteria  The process of identifying risks to organizational operations (including mission, functions, image, and reputation), resources, other organizations, and the Nation, resulting from the operation of IT and OT systems.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk management program  Objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks based on impact, tolerance for risk, and risk response approaches.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Risk Management (RISK)  The program and supporting processes to manage cyber risk to organizational operations (including mission, functions, image, reputation), resources, other organizations, and the Nation. It includes (1) establishing the context for risk-related activities, (2) assessing risk, (3) responding to risk once determined, and (4) monitoring risk over time.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk management strategy  The C2M2 domain with the purpose of establishing, operating, and maintaining an enterprise cyber risk management program to identify, analyze, and respond to cyber risk the organization is subject to, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk mitigation  Strategic-level decisions on how senior executives manage risk to an organization's operations, resources, and other organizations.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk register  Prioritizing, evaluating, and implementing appropriate risk-reducing controls.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  risk response  A structured repository where identified risks are recorded to support risk management.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  secure software development  Accepting, avoiding, mitigating, or transferring risk to organizational operations, resources, and other organizations.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  security zone  Developing software using recognized processes, secure coding standards, best practices, and tools that have been demonstrated to minimize security vulnerabilities in software systems throughout the software development lifecycle. An essential aspect is to engage programmers and software architects who have been trained in secure software development.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  separation of duties  A grouping of systems and components with similar cybersecurity requirements. Zone access is restricted by network and security devices.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  situational awareness  A security control that] "addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example, (i) dividing mission functions and information system support functions among different individuals or roles; (ii) conducting information system support functions with different individuals, such as system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Organizations with significant personnel limitations may compensate for the separation of duty security control by strengthening the audit, accountability, and personnel security controls.”Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Situational Awareness (SITUATION)  A sufficiently accurate and up-to-date understanding of the past, current, and projected future state of a system (including its cybersecurity safeguards), in the context of the threat environment and risks to the system's mission, to support effective decision-making with respect to activities that depend on or affect how well a system functions. It involves the collection of data, such as via sensor networks, data fusion, and data analysis (which may include modeling and simulation) to support automated or human decision-making (for example, concerning OT system functions). Situational awareness also involves the appropriate use of alarms and the presentation of the results of the data analysis in some form, such as using data visualization techniques that aid human comprehension and allow operators or other personnel to quickly grasp the key elements needed for good decision-making.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  sponsorship  The C2M2 domain with the purpose of establishing and maintaining activities and technologies to collect, analyze, alarm, present, and use cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  stakeholder  Enterprisæwide support of cybersecurity objectives by senior management as demonstrated by formal policy or by declarations of management's commitment to the cybersecurity program along with the provision of resources. Senior management monitors the performance and execution of the cybersecurity program and is actively involved in the ongoing improvement of all aspects of the cybersecurity program.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  standard  An external organization or an internal or external person or group that has a vested interest in the organization's cybersecurity practices, such as government, vendors, sector organizations, regulators, and internal business lines. Stakeholders may be involved in performing a given practice or may oversee, benefit from, or be dependent upon the quality with which the practice is performed.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  states of operation  A standard is a document, established by consensus, which provides rules, guidelines, or characteristics for activities or their results. See also guidelines.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  strategic objectives  See predefined states of operation.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  strategic planning  The performance targets that the organization sets to accomplish its mission, vision, values, and purpose.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  supply chain risk  The process of developing strategic objectives and plans for meeting these objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  susceptibility  Supply chain risk is measured by the likelihood and severity of damage if an IT or OT system is compromised by a supply chain attack and takes into account the importance of the system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point during the lifecycle. Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system or infrastructure, or disabling of mission-critical operations. See also risk and supply chain.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Third-Party Risk Management (THIRD-PARTIES)  The probability that an event, once initiated or attempted, will succeed and lead to the realization of a risk. Susceptibility is a component of the overall probability of a risk and is the component of probability that the organization has the most control over.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  threat  The C2M2 domain with the purpose of establishing and maintaining controls to manage the cyber risks arising from suppliers and other third parties, commensurate with the risk to critical infrastructure and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Threat and Vulnerability Management (THREAT)  Any actor with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), resources, and other organizations through IT, OT, or communications infrastructure via unauthorized access, destruction, disclosure, modification of information, or denial of service. This includes actors without the intention to cause adverse impacts (e.g., insider mistakes).Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  threat objective  The C2M2 domain with the purpose of establishing and maintaining plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure, such as critical, IT, operational, and organizational objectives.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  threat profile  Threat objectives are the potential outcomes of threat actor activities that are of concern because they would have negative impacts on the organization. For example, an organization that does not process confidential data may not be concerned about data theft but may be very concerned about an incident that causes an operational outage. Threat actors may leverage multiple tactics or techniques, like those defined in the MITRE ATT&CK frameworks (for Enterprise or Industrial Control Systems) to achieve their goals. Threat objective examples include data manipulation, intellectual property theft, damage to property, denial of control, loss of safety, and operational outages.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  triggers  A characterization of the likely intent, capability, and targets for threats to the function. It is the result of one or more threat assessments across the range of feasible threats to the IT, OT, and information assets of an organization and to the organization itself, identifying feasible threats, describing the nature of the threats, and evaluating their severity.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  vulnerability  Events (such as a change to IT infrastructure) and time intervals (such as monthly or yearly) that are used to indicate when an activity should occur, such as a review and possible update of the risk management strategy.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  vulnerability assessment  A cybersecurity vulnerability is a weakness or flaw in IT, OT, or communications systems or devices, system procedures, internal controls, or implementation that could be exploited by a threat.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
  Workforce Management (WORKFORCE)  Systematic examination of IT or OT assets or systems to determine the adequacy of cybersecurity measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed cybersecurity measures, and confirm the adequacy of such measures after implementation. This may include several types of assessments, such as a paper-based assessment, tool-based vulnerability scanning, and penetration tests.Cybersecurity Capability Maturity Model (C2M2) Version 2.1 June 2022Cybersecurity
Child  Every person who has not exceeded eighteen years of age.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Legal capacity  A person's fitness to perform legal acts in a manner recognized under Sharia and the law.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Lacking legal capacity  Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Diminished legal capacity  A person whose capacity is incomplete, such as a discerning minor (one who has completed seven years of age but not yet eighteen), the heedless, the prodigal, a person with a mental impairment, and the like.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Those in their position  A person who lacks legal capacity or whose legal capacity is diminished.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Guardian  One of the parents, or whoever holds guardianship over the child's affairs under the provisions of Sharia or the relevant laws.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Guardianship  An authority established by Sharia for the guardian that empowers them to act on the child's behalf and manage the child's affairs relating to their body, person, and property in a manner that serves the child's interests, including making decisions about the processing of the child's personal data.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Personal data  Any data, whatever its source or form, that would lead to the specific identification of a child or a person in their position, or that makes identifying them possible, directly or indirectly, when combined with other data. This includes, by way of example and not limitation, names, personal identification numbers, addresses, contact numbers, bank account and credit card numbers, still or moving images of the user, and other data of a personal nature.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Sensitive personal data  Any personal data that indicates the ethnic or tribal origin of a child or a person in their position, or their religious, intellectual, or political belief, or that indicates their membership in associations or civil institutions; as well as criminal and security data, biometric data that identifies an individual, genetic data, credit data, health data, location data, and data indicating that the individual's parents, or one of them, are unknown.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Data processing  Any operation performed on personal data by any means, whether manual or automated. These operations include, by way of example and not limitation, collecting, transferring, retaining, storing, sharing, destroying, and analyzing data, extracting patterns from it, drawing inferences from it, and linking it with other data.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Controller  Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that determines the purpose of processing personal data and the manner of doing so, whether the data is processed by that entity itself or through a processor.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Processor  Any government entity or independent public legal entity in the Kingdom, and any natural person or private legal person, that processes personal data for the benefit of and on behalf of the controller.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Privacy notice  An external statement addressed to individuals that explains what personal data is collected, the means of collecting it, the purpose of processing it, how it is used, the parties with which it will be shared, the retention period, and the mechanism for disposing of it.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Privacy policy  An internal document addressed to the entity's employees that sets out the rights of data subjects and the obligations that must be complied with to preserve the privacy of data subjects and protect their rights.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Data disclosure  Enabling any person, other than the controller, to obtain, use, or view personal data by any means and for any purpose.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Data leakage  Disclosing personal data, obtaining it, or enabling access to it without authorization or legal basis, whether intentionally or unintentionally.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Personal data transfer  Sending personal data to a party outside the geographical borders of the Kingdom, by any means, for the purpose of processing it, whether directly or indirectly, in accordance with specific purposes based on legal grounds, including transfer for security purposes, for the protection of public health or safety, or in implementation of an agreement to which the Kingdom is a party.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Explicit consent  Written or electronic consent that is explicit and specific and is given by the free and absolute will of the data subject, indicating their acceptance of the processing of their personal data.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Implied consent  Consent that is not granted explicitly by the data subject or the person authorized to give it, but is granted implicitly through the person's actions and the facts and circumstances of the situation.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Direct marketing  Any communication, by any means, through which marketing or advertising material is directed at a specific person.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Regulatory authority  Any government entity or independent public legal entity that undertakes regulatory or supervisory tasks and responsibilities for a specific sector in the Kingdom of Saudi Arabia on the basis of a statutory instrument.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
Entity's office  The data office at the entity.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
The Office  The National Data Management Office.Policy for the Protection of the Personal Data of Children and Those in Their PositionCybersecurity
5-WhysA technique used to determine an issue's root causes. It involves asking the question "Why?" repeatedly until the root causes are identified.
A/B testingA statistical way of comparing two (or more) techniques, typically an incumbent against a new rival. A/B testing aims to determine not only which technique performs better but also whether the difference is statistically significant. A/B testing usually considers only two techniques using one measurement but can be applied to any finite number of techniques and measures.
AbendAn abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing
Acceptable interruption window (AIW)The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives
Acceptable use policy (AUP)A policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet
Acceptance criteriaCriteria that a solution must satisfy to be accepted by customers
Acceptance testingTesting performed to determine whether a customer, acquirer, user, or their designee should accept a solution
Access controlThe processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises
Access control list (ACL)An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
Scope Notes: Also referred to as access control table
Access control tableAn internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
Access methodThe technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.
Access pathThe logical route that an end user takes to access computerized information
Scope Notes: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access pointA point that accesses the network
Access rightsThe permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
Access riskThe risk that information may be divulged or made available to recipients without authorized access from the information owner, reflecting a loss of confidentiality
Access serverThe centralized access control system for managing remote access dial-up services
AccountabilityThe ability to map a given activity or event back to the responsible party
Accountability of governanceThe ability of governance to ensure that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Accountable partyThe individual, group or entity that is ultimately responsible for a subject matter, process or scope
Scope Notes: Within the IT Assurance Framework (ITAF), the term "management" is equivalent to "accountable party."
AccuracyThe fraction of predictions that a classification model predicted correctly. In multiclass classification, accuracy is defined as correct predictions divided by total number of examples. In binary classification, accuracy is defined as true positives plus true negatives divided by total number of examples.
Acknowledgment (ACK)A flag set in a packet to indicate to the sender that the previously sent packet was accepted correctly by the receiver without error or that the receiver is now ready to accept a transmission
AcquirerThe stakeholder who obtains a solution from a supplier
See Affected stakeholder.
AcquisitionThe process of obtaining solutions by establishing and executing supplier agreements
See Supplier agreement.
ActionThe mechanism by which the agent transitions between states of the environment in reinforcement learning. The agent chooses the action by using a policy.
Action plan reappraisal (APR)A bounded set of appraisal activities performed to address nonsystemic weaknesses that lead to a limited set of unsatisfied practice groups in an appraisal. The APR includes:
• Conducting an eligibility analysis
• Gaining authorization from ISACA
• Reviewing and obtaining approval to proceed from the Appraisal Sponsor
• Modifying the existing appraisal plan
• Conducting a reappraisal of unsatisfied practice groups
• Reporting the results to ISACA
Active recovery site (Mirrored)A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster
Scope Notes: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.
Active responseA response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack
Scope Notes: Takes one of three forms: amending the environment, collecting more information or striking back against the user
ActivityThe main actions taken to operate the COBIT process
ActuatorA device component responsible for enacting physical changes within an environment, e.g., relays, solenoids, switches
AdaGradA sophisticated gradient descent algorithm that rescales the gradients of each parameter, effectively giving each parameter an independent learning rate
Address1. A number, character or group of characters that identifies a given device or a storage location, which may contain data or a program step
2. A device or storage location referred to by an identifying number, character or group of characters
Address spaceThe number of distinct locations that may be referred to with the machine address
Scope Notes: For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.
AddressingThe method used to identify the location of a participant in a network
Scope Notes: Ideally, specifies where the participant is located rather than who they are (name) or how to get there (routing)
Addressing exceptionAn exception that occurs when a program calculates an address that is outside the bounds of the storage that is available to the program
See Unhandled exception.
Adjusting periodA calendar containing "real" and adjusting accounting periods without overlap or gaps between the "real" periods. Adjusting accounting periods can overlap with other accounting periods.
Scope Notes: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.
Administrative accessElevated or increased privileges granted to an account for that account to manage systems, networks and/or applications. Administrative access can be assigned to an individual’s account or a built-in system account.
Administrative controlThe rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies
Administrative distanceA metric used by routers to select the best network traffic path when multiple routes exist
Advanced Encryption Standard (AES)A public algorithm that supports keys from 128 bits to 256 bits in size
Advanced Message Queueing Protocol (AMQP)A messaging protocol on the application layer usually used with middleware
Advanced persistent threat (APT)An adversary that possesses sophisticated levels of expertise and significant resources, which allow them to create opportunities to achieve their objectives by using multiple attack vectors, e.g., cyber, physical and deception. These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. An advanced persistent threat (APT):
• Pursues its objectives repeatedly over an extended period of time
• Adapts to defenders' efforts to resist it
• Is determined to maintain the level of interaction needed to execute its objectives
Source: CMMC-NIST SP800-39
AdversaryA threat agent
AdwareA software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used
Scope Notes: In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.
Affected stakeholdersPeople impacted by a process, activity, work product, or decision
AffirmationA written or oral statement confirming implementation, or lack of implementation, of processes that meet the intent and value of one or more model practices. Affirmations must be provided:
• By people who have a process role that involves implementing, following, or supporting processes
• In an interactive forum where the appraisal team has control over the interaction Examples of affirmations:
• Oral affirmations include: interview responses, presentations, and demonstrations, and can include responses to questions on white boards, Skype/Instant Message chat boards, etc.
• Written affirmations include: emails, instant messages, and data contained in systems, documents
See Process role and Appraisal participant
Agile: 1. A methodology of adopting flexible, adaptable and iterative processes (ISACA)
2. An approach to project management or delivery methodology in which the customer is intimately involved in the project, tasks are divided into short phases of work, and there is frequent reassessment and adaptation of plans (CMMI)
Agile with Scrum: This CMMI context-specific tag is reserved for identifying unique information for agile projects using Scrum. Scrum is a framework for managing work with an emphasis on software development. It is designed for small teams of developers who break their work into actions that can be completed within time-boxed iterations called sprints (e.g., two weeks) and track progress and replan in 15-minute stand-up meetings called daily scrums.
See Agile
Alert situation: The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.
Alerting system: Provides real-time information about security issues, including vulnerabilities and exploits that are currently happening
Algorithm: A finite set of well-defined, unambiguous rules for the solution of a problem in a finite number of steps. It is a sequence of operational actions that lead to a desired goal and is the basic building block of a program.
Algorithm analysis: A software verification and validation (V&V) task to ensure that the algorithms selected are correct, appropriate and stable, and meet all accuracy, timing and sizing requirements
Alignment: A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise
Scope Notes: COBIT 5 perspective
Alignment goals: Goals that emphasize the alignment of all IT efforts with business objectives
Allocated requirement: A requirement that results from levying all or part of a higher-level requirement on a solution's lower-level design component. Requirements can be assigned to logical or physical components, including people, consumables, delivery increments and architecture.
Allocation entry: A recurring journal entry used to allocate revenues or costs
Scope Notes: For example, an allocation entry could be defined to allocate costs to each department based on head count.
Alpha: The use of alphabetic characters or an alphabetic character string
Altcoin: Has no formal definition but is widely considered to be an alternative digital currency; can also refer to all cryptocurrencies other than bitcoin
Alternate facilities: Locations and infrastructures from which emergency or backup processes are executed when the main premises are unavailable or destroyed
Scope Notes: Includes other buildings, offices or data processing centers
Alternate process: An automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal
Alternative routing: A service that allows the option of having an alternate route to complete a call when the marked destination is not available
Scope Notes: In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.
American National Standards Institute (ANSI): The organization that coordinates the development of US voluntary national standards for nearly all industries. It is the US member body to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Information technology industry standards pertain to programming languages, electronic data interchange, telecommunications and physical properties of diskettes, cartridges and magnetic tapes.
American Standard Code for Information Interchange (ASCII): See ASCII
Amortization: The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited. This is calculated in the same way as depreciation.
Amplitude: The strength of a radio signal
Analog: A transmission signal that varies continuously in amplitude and time and is generated in wave formation
Scope Notes: Analog signals are used in telecommunications.
Analysis: 1. To separate into elemental parts or basic principles to determine the nature of the whole
2. A course of reasoning showing that a certain result is a consequence of assumed premises
3. The methodical investigation of a problem and the separation of that problem into smaller related units for further detailed study (Source: ANSI)
Analytical technique: The examination of ratios, trends and changes in balances and other values between periods to obtain a broad understanding of the enterprise's financial or operational position and to identify areas that may require further or closer investigation
Scope Notes: Often used when planning the assurance assignment
AngularJS: An open-source JavaScript library maintained by Google and the AngularJS community that lets developers create what are known as Single [web] Page Applications. AngularJS is popular with data scientists as a way to show the results of their analysis.
Anomaly: Unusual or statistically rare
Anomaly detection: Detection on the basis of whether the system activity matches that defined as abnormal
Anonymity: The quality or state of not being named or identified
Anonymization: Irreversible severance of a data set from the identity of the data contributor to prevent any future reidentification, even by the organization collecting the data, under any condition
Antimalware: A widely used technology to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware
Antiphishing: Software that identifies phishing content and attempts to block the content or warn the user about the suspicious nature of the content
Antivirus software: Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and to repair or quarantine files that have already been infected.
Appearance: The act of giving the idea or impression of being or doing something
Appearance of independence: The behavior that is appropriate of an IS auditor to meet the situations occurring during audit work (interviews, meetings, reporting, etc.)
Scope Notes: An IS auditor should be aware that appearance of independence depends on the perceptions of others and can be influenced by improper actions or associations.
Applet: A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic
Scope Notes: An applet is usually embedded in a HyperText Markup Language (HTML) page downloaded from web servers. Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers.
However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.
Application: A computer program or set of programs that performs the processing of records for a specific function
Scope Notes: Applications contrast with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.
Application acquisition review: An evaluation of an application system being acquired or evaluated that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions and in compliance with the established system acquisition process.
Application architecture: A description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise’s objectives
Scope Notes: COBIT 5 and COBIT 2019 perspective
Application benchmarking: The process of establishing the design and operation of automated controls within an application
Application containerization: A mechanism that is used to isolate applications from each other within the context of a running operating system instance. In much the same way that a logical partition (LPAR) provides segmentation of system resources in mainframes, a computing environment employing containers segments and isolates the underlying system services so that they are logically sequestered from each other.
Application controls: The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved
Application development review: An evaluation of an application system under development that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions and in compliance with the established system development life cycle process.
Application development sandbox: A standalone computer, virtual machine or virtual environment used to conduct software development removed from production infrastructure
Application implementation review: An evaluation of any part of an implementation project
Scope Notes: Examples include project management, test plans and user acceptance testing (UAT) procedures
Application layer: The layer of the Open Systems Interconnection (OSI) communications model that provides services for an application program to ensure that effective communication with another application program in a network is possible
Application maintenance review: An evaluation of any part of a project to perform maintenance on an application system
Scope Notes: Examples include project management, test plans and user acceptance testing (UAT) procedures
Application or managed service provider (ASP/MSP): A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network
Application program: A program that processes business data through activities such as data entry, update or query
Scope Notes: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort
Application programming: The act or function of developing and maintaining application programs in production
Application programming interface: A set of routines, protocols and tools referred to as building blocks used in business application software development
Application proxy: A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service
Application security: The security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications
Application service provider (ASP): A managed service provider (MSP) that deploys, hosts and manages access to a packaged application for multiple parties from a centrally managed facility
Scope Notes: The applications are delivered over networks on a subscription basis.
Application software: Software designed to fill the specific needs of a user; for example, software for navigation, payroll or process control. Contrasts with support software and system software.
Application software tracing and mapping: A specialized tool that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences
Scope Notes: Both the command language or job control statements and the programming language can be analyzed. This technique includes program/system mapping, tracing, snapshots, parallel simulations and code comparisons.
Application system: An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities
Scope Notes: Examples include general ledger, manufacturing resource planning and human resource (HR) management.
Application-specific integrated circuit (ASIC): A solid-state device designed to perform a single function or a small group of functions
Applistructure: An amalgamation of applications and technical infrastructure
Appraisal: An examination of one or more processes by a trained team using an appraisal reference model as the basis for determining, at a minimum, strengths and weaknesses
See Action plan reappraisal, Benchmark appraisal, Evaluation appraisal and Sustainment appraisal
Appraisal Disclosure Statement (ADS): A summary statement describing the ratings generated as outputs of the appraisal, and the conditions and constraints under which the appraisal was performed. The ADS may be used for public disclosure of maturity level or capability level profile ratings so they can be reported accurately and consistently.
Appraisal final findings: The results of an appraisal that identify, at a minimum, any strengths and weaknesses within the appraisal scope. Appraisal findings are inferences drawn from corroborated objective evidence.
See Objective evidence
Appraisal method: A group of appraisal activities that satisfy a defined subset of requirements, as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document
Appraisal objectives: The outcomes desired from an appraisal
Appraisal output: The results of an appraisal
See Appraisal results package
Appraisal participant: The members of the organizational unit who must perform a process role and are identified in the appraisal plan as someone who will provide information used by an appraisal team
See Process role.
Appraisal rating: A value an appraisal team assigns to a CMMI practice group, practice area or the maturity level or capability level target profile of an organizational unit during a benchmark appraisal, sustainment appraisal or action plan reappraisal. Ratings are determined by following the requirements in the appraisal method.
Appraisal results package: A package consisting of all the items required to be updated within the CMMI Appraisal System or retained by the Appraisal Sponsor during the entire appraisal validity period. For a detailed list, refer to Activity 2.3.4 Record Appraisal Results.
Appraisal scope: The definition of the boundaries of the appraisal that encompass and describe the organizational unit transparently and in detail. The appraisal scope includes the organizational unit and model scope.
See Model scope and Organizational unit
Appraisal sponsor: An individual, internal or external to the organization being appraised, who requires the appraisal to be performed, and who provides funding, the contract or other resources to conduct the appraisal. The appraisal sponsor also typically can commit the organization, e.g., approvals for purchases.
Appraisal tailoring: The selection of appraisal method options for use in a specific appraisal. Tailoring helps an organization adapt the appraisal method to meet its business needs and objectives.
Appraisal team member (ATM): The role of the person(s) responsible for performing the activities as assigned and identified in the appraisal plan. ATMs must meet the minimum requirements for experience and training/certification as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document.
Appraisal team leader (ATL): The role of the individual who leads the activities of an appraisal and has satisfied the qualification criteria for experience, knowledge and skills as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document. The appraisal team leader should also be an active Certified CMMI Lead Appraiser and listed on the CMMI website as sponsored by a CMMI Partner.
Appropriate evidence: The measure of the quality of the evidence
Architectural design: 1. The process of defining a collection of hardware and software components and their interfaces to establish the framework for the development of a computer system
See Functional design.
2. The result of the process outlined in definition 1
See Software engineering.
Architecture: 1. Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them and the manner in which they support enterprise objectives (ISACA)
2. The set of structures that need to be considered to establish a solution. These structures are comprised of smaller components or elements, relationships among those structures and elements, and the properties of both (CMMI).
See Functional architecture.
Architecture board: A group of stakeholders and experts who provide guidance on enterprise-architecture-related matters and decisions and who set architectural policies and standards
Scope Notes: COBIT 5 and COBIT 2019 perspective
Archive: A lasting collection of computer system data or other records that are in long-term storage
Arithmetic logic unit (ALU): The area of the central processing unit that performs mathematical and analytical operations
Array: An n-dimensional ordered set of data items identified by a single name and one or more indices so that each element of the set is individually addressable (e.g., a matrix, table or vector)
Artifact: A form of objective evidence that is an output of the work being performed and the process being followed. It must demonstrate the extent of implementing, performing or supporting the organizational or project processes that can be mapped to one or more model practices. Artifacts must be provided by people with a process role to implement, perform, follow or support processes.
See Document, Process role and Appraisal participant
Artificial intelligence (AI): An advanced computer system that can simulate human capabilities, such as analysis, based on a predetermined set of rules
ASCII: The American Standard Code for Information Interchange. It uses 7 or 8 bits to represent an alphanumeric symbol or special character.
Assembler: A computer program that translates programs (source-code files) that are written in assembly language into their machine language equivalents (object-code files). This is in contrast to other programs, including compilers and interpreters.
See Cross-assembler, Cross-compiler
Assembly language: A low-level programming language that corresponds closely to the instruction set of a computer, allows symbolic naming of operations and addresses, and usually results in a one-to-one translation of program instructions (mnemonics) into machine instructions
Assertion: Any formal declaration, or set of declarations, about a subject matter made by management
Scope Notes: Assertions should usually be made in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.
Assessment: A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative
Scope Notes: May include opportunities for reducing the costs of poor quality, employee perceptions of quality aspects, proposals to senior management on policy, goals, etc.
Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation
Asset inventory: A register used to record all relevant assets
Asset value (AV): The value of an asset to both the business and to competitors
Assignable cause of process variation: An extraordinary event outside the bounds of the usual steps following the process
Assurance: An IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort regarding the subject matter.
Scope Notes: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.
Assurance engagement: An objective examination of evidence for the purpose of providing an assessment of risk management, control or governance processes for the enterprise
Scope Notes: Examples may include financial, performance, compliance and system security engagements.
Assurance initiative: An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise
Scope Notes: Examples may include financial, performance, compliance and system security engagements
Asymmetric cipher: A type of cipher that combines a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by its mathematically related counterpart.
Asymmetric key (public key): A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Scope Notes: See public key encryption.
Asynchronous Transfer Mode (ATM): A high-bandwidth, low-delay switching and multiplexing technology that allows integration of real-time voice, video and data. It is a data-link layer protocol.
Scope Notes: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates of up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.
Asynchronous transmission: A transmission method where characters are sent one at a time
Atomic: A condition of smart contracts where one or more conditions defined by the smart contract must be met for the transaction to execute in its entirety
Atomic swaps: A peer-to-peer exchange of assets across separate blockchains triggered by predetermined rules, without the use of a third-party service and through the use of self-enforced smart contracts. It requires an exchange of assets on both sides or the transaction will not occur.
Attack: An actual occurrence of an adverse event
Attack mechanism: A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.
Attack vector: A path or route used by the adversary to gain access to the target (asset)
Scope Notes: There are two types of attack vectors: ingress and egress (also known as data exfiltration).
Attenuation: A reduction of signal strength during transmission
Attest reporting engagement: An engagement in which an IS auditor is engaged to either examine management’s assertion regarding a particular subject matter or examine the subject matter directly
Scope Notes: The audit report should express an opinion about whether, in all material respects, the design and/or operation of control procedures in relation to an area of activity were effective. The report should also include a description of the scope (identification or description of the audit subject or activity, the period under review and the period when the audit was performed, the nature and extent of the work performed, and any qualifications or limitations in scope).
Attestation: An engagement in which an IT auditor is engaged to either examine management’s assertion regarding a particular subject matter or examine the subject matter directly
Attitude: A way of thinking, behaving, feeling, etc.
Attribute sampling: A method to select a portion of a population based on the presence or absence of a certain characteristic
Audit: A formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met
Scope Notes: May be carried out by internal or external groups
Audit accountability: A performance measurement of service delivery including cost, timeliness and quality against agreed service levels
Audit authority: A statement of an employee's position within the enterprise, including lines of reporting and the rights of access
Audit charter: A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity
Scope Notes: The charter should:
- Establish the internal audit function’s position within the enterprise
- Authorize access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
- Define the scope of the audit function’s activities
Audit engagement: A specific audit assignment, task or review activity, such as an audit, control self-assessment review, fraud examination or consultancy. An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Audit evidence: The information used to support the audit opinion
Audit expert systems: The expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field
Scope Notes: This technique includes automated risk analysis, systems software and control objectives software packages
Audit log: See Audit trail
Audit objectiveThe specific goal(s) of an audit
Scope Notes: These often center on substantiating the existence of internal controls to minimize business risk
Audit plan1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion
Scope Notes: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work. It also includes topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.
2. A high-level description of the audit work to be performed in a certain period of time
Audit programA step-by-step set of audit procedures and instructions that should be performed to complete an audit
Audit responsibilityThe roles, scope and objectives documented in the service level agreement (SLA) between management and audit
Audit riskThe risk of reaching an incorrect conclusion based upon audit findings
Scope Notes: The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk
Audit samplingThe application of audit procedures to less than 100 percent of the items within a population to obtain evidence about a particular characteristic of the population.
Audit subject matter riskThe risk relevant to the area under review:
- Business risk (customer capability to pay, credit worthiness, market factors, etc.)
- Contract risk (liability, price, type, penalties, etc.)
- Country risk (political, environment, security, etc.)
- Project risk (resources, skill set, methodology, product stability, etc.)
- Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.).
Scope Notes: See inherent risk
Audit trailA logical path linking a sequence of events, in the form of data, used to trace the transactions that have affected the contents of a record
Source : ISO
Audit universeAn inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process
Scope Notes: Traditionally, the list includes all financial and key operational systems and other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.
AuditabilityThe level to which transactions can be traced and audited through a system
Auditable unitThe subjects, units or systems that are capable of being defined and evaluated
Scope Notes: Auditable units may include:
• Policies, procedures and practices
• Cost centers, profit centers and investment centers
• General ledger account balances
• Information systems (manual and computerized)
• Major contracts and programs
• Organizational units, such as product or service lines
• Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)
• Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets
• Financial statements
• Laws and regulations
Auditor: An individual assigned by ISACA to evaluate, audit or review an appraisal team leader or an appraisal
Auditor’s opinion: A formal statement expressed by the IS audit or assurance professional that describes the scope of the audit, the procedures used to produce the report and whether or not the findings support that the audit criteria have been met
Scope Notes: The types of opinions are:
- Unqualified opinion— Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency
- Qualified opinion— Notes exceptions aggregated to a significant deficiency (but not a material weakness)
- Adverse opinion— Notes one or more significant deficiencies aggregating to a material weakness
Augmented reality: A computer-generated simulation that adds enhancements to existing reality enabling a user to interact with reality in a more meaningful way. It is often accessed through mobile applications that blend digital enhancements with the real world while ensuring that the user can easily distinguish between the two.
Authentication: 1. The act of verifying identity, i.e., user, system
Scope Notes: Can also refer to the verification of the correctness of a piece of data.
2. The act of verifying the identity of a user or the user’s eligibility to access computerized information
Scope Notes: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Authentication Header (AH): The protocol used to provide connectionless integrity and data-origin authentication for Internet Protocol (IP) datagrams and to provide protection against replays (RFC 4302)
Scope Notes: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data-origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.
Authenticity: The concept of undisputed authorship
Authorization: The process of determining if the end user is permitted to have access to an information asset or the information system containing the asset
Automated application controls: The controls that have been programmed and embedded within an application
Auxiliary storage: A storage device other than main memory (RAM), e.g., disks and tapes
Availability: The ability to ensure timely and reliable access to, and use of, information
Availability risk: The risk that service may be lost or data are not accessible when needed
Average precision: A metric for summarizing the performance of a ranked sequence of results. Average precision is calculated by taking the average of the precision values for each relevant result in a ranked list (each result in the ranked list where the recall increases relative to the previous result).
Awareness: The idea of being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly
Backbone: The main communication channel of a digital network. It is the part of a network that handles major traffic.
Scope Notes: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end-user or customer are called "access networks." A backbone can span a geographic area of any size, from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.
Backdoor: A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions
Backpropagation: An algorithm for iteratively adjusting the weights used in a neural network system. Backpropagation is often used to implement gradient descent.
Backup: The files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service
Backup center: An alternate facility used to continue IT/IS operations when the primary data processing (DP) center is unavailable
Bad actor: A term for a cybercriminal or hacker
Bad actor: An individual, group, country or entity who intentionally causes harm
Badge: A card or other device that is presented or displayed to obtain access to an otherwise restricted facility as a symbol of authority (e.g., the police) or a simple means of identification
Scope Notes: Also used in advertising and publicity
Balanced scorecard (BSC): A coherent set of performance measures organized into four categories that include traditional financial measures and customer, internal business process and learning and growth perspectives. Developed by Robert S. Kaplan and David P. Norton.
Bandwidth: The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Bar code: A printed machine-readable code that consists of parallel bars of varied width and spacing
Base case: A standardized body of data created for testing purposes
Scope Notes: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
Base measure: A measure that is functionally independent of other measures and cannot be expressed in other terms. A base measure is defined in terms of an attribute and the method for quantifying it.
See Derived measure
Base58 Encoding: A binary-to-text encoding process that converts long bit sequences into alphanumeric text, which is easier for users
Base64 Encoding: A binary-to-text encoding process that converts long bit sequences into alphanumeric text
Baseband: A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilizes a transceiver
Scope Notes: The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.
Baseline: 1. A specification or product that has been formally reviewed and agreed on, serves as the basis for further development and can only be changed through formal change control procedures (ISACA)
2. A set of specifications or work products that:
• Has been formally reviewed and agreed on,
• Serves as the basis for further work or change, and
• Can be changed only through change control procedures (CMMI)
See Configuration baseline and Product baseline
Baseline architecture: The existing description of the underlying design of the components of a business system before entering a cycle of architecture review and redesign
Scope Notes: COBIT 5 and COBIT 2019 perspective
BASIC: Beginners All-purpose Symbolic Instruction Code (BASIC) is a high-level programming language intended to facilitate learning to program in an interactive environment
Bastion: A system heavily fortified against attacks
Batch control: The correctness checks built into data processing systems for batches of input data, particularly in the data preparation stage
Scope Notes: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions.
Batch processing: The processing of a group of transactions at the same time
Scope Notes: Transactions are collected and processed against the master files at a specified time.
Baud rate: The rate of transmission for telecommunications data, expressed in bits per second (bps)
Bayes' Theorem: An equation for calculating the probability that something is true if something potentially related to it is true. If P(A) means “the probability that A is true” and P(A|B) means “the probability that A is true if B is true,” then Bayes' Theorem tells us that P(A|B) = (P(B|A)P(A)) / P(B).
Bayesian analysis: A mathematical model that uses probability to aid in answering theoretical questions about unidentified parameters
Bayesian network: Graphs that compactly represent the relationship between random variables for a given problem. These graphs aid in reasoning or decision-making in the face of uncertainty. These networks are usually represented as graphs in which the link between any two nodes is assigned a value representing the probabilistic relationship between those nodes.
Benchmark: A standard against which measurements or comparisons can be made
Benchmark appraisal: A consistent and reliable assessment method that results in a rating. This includes clear and repeatable process steps, which are capable of achieving high accuracy and reliable appraisal results through the collection of objective evidence from multiple sources. A maturity level profile or capability level profile must be produced as part of this appraisal process and allows Appraisal Sponsors to compare an organization’s or project’s process implementation with others. Like other appraisal methods, benchmark appraisals identify opportunities for improving both process implementation and business performance.
Benchmark model view: A logical grouping of predefined CMMI model components used to define the appraisal model view scope. Benchmark model views are defined in the CMMI V2.0 Model, Appendix B.
• For maturity levels, the benchmark model view is a set of practice areas and their levels that are predefined for the purpose of conducting benchmark appraisals or sustainment appraisals.
• For capability levels, the benchmark model view may either be a predefined view or a selection of practice or capability areas and their levels that meet the organization’s business needs and performance objectives.
Benchmarking: A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
Scope Notes: Examples include benchmarking of quality, logistic efficiency and various other metrics.
Benefit: An outcome whose nature and value (expressed in various ways) are considered advantageous by an enterprise
Benefits realization: An objective of governance. It involves bringing new benefits to the enterprise, maintaining and extending existing forms of benefits, and eliminating initiatives and assets that are not creating sufficient value.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Best practice: A proven activity or process that has been successfully used by multiple enterprises
Bias: In machine learning, a learner’s tendency to make the same mistake repeatedly
Scope Notes: Variance is the tendency to learn random things irrespective of the real signal. For example, it is easy to avoid overfitting (variance) by falling into the opposite error of underfitting (bias).
Bidirectional traceability: An association that enables the ability to trace in either direction between logical entities, e.g., from requirements to design to code to test to the end solution, or from customer requirements to product component requirements
See Requirements traceability and Traceability
Big data: The ability to work with collections of data that had been impractical before because of their volume, velocity and variety (“the three Vs”). A key driver of this new ability has been easier distribution of storage and processing across networks of inexpensive commodity hardware using technology such as Hadoop instead of requiring larger, more powerful individual computers.
Big game hunter (BGH): A type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities
Binary: The base 2 number system (2^n). Permissible digits are 0 and 1.
Binary code: A code whose representation is limited to 0 and 1
Binding corporate rules (BCRs): A set of rules that allow multinational organizations to transfer personal data from the EU to their affiliates outside of the EU
Binomial distribution: A distribution that represents the outcomes of a fixed number of independent events, each with two mutually exclusive possible outcomes, a fixed number of trials and a constant probability of success. This is a discrete probability distribution, as opposed to continuous.
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
Biometric locks: Door and entry locks that are activated by biometric features, such as voice, retina, fingerprint or signature
Biometrics: A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint
BIOS: A basic input/output system
Bit: A contraction of the term binary digit, and the most basic and smallest unit of computing information. A bit may be in one of two states, logic 1 or logic 0. It can be thought of as a switch that is either on or off. Bits are usually combined into computer words of various sizes, called "bytes."
Bit-stream image: Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media
Scope Notes: Such backups exactly replicate all sectors on a given storage device, including all files and ambient data storage areas.
Black box testing: A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals
Block cipher: A public algorithm that operates on plaintext in blocks (strings or groups) of bits
Block height: The number of blocks preceding a specific block in a blockchain ledger. It is typically used to identify a specific block (e.g., block ID).
Block producers: An entity used for proof-of-stake on a blockchain network
Blockchain: A distributed, protected journaling and ledger system. Use of blockchain technologies can enable anything from digital currency (e.g., Bitcoin) to any other value-bearing transaction.
Blockchain explorers: Front-end applications or user interfaces that allow a user to view individual records on a blockchain
Blue team: A team of cybersecurity staff (including incident response consultants) charged with defending the enterprise during scheduled assessments called "red team" exercises
Blueprint: An exact or detailed plan or outline
Bluetooth: A wireless communications standard used for communication over short distances
Bomb: A Trojan horse that attacks a computer system when a specific logical event occurs (logic bomb) or when a specific time-related logical event occurs (time bomb). It can also be hidden in electronic mail or data and triggers a computer system attack when read in a certain way (letter bomb).
Similar to: Trojan horse, virus and worm
Boolean: A set of principles of mathematical logic developed by George Boole, a nineteenth century mathematician. Boolean algebra is the study of operations carried out on variables that can have only one of two possible values, i.e., 1 (true) and 0 (false). "Add," "subtract," "multiply" and "divide" are the primary operations of arithmetic, while "and," "or" and "not" are the primary operations of Boolean Logic. In Pascal programming language, a Boolean variable is a type of variable that can have one of two possible values: true or false.
Boosting: A machine learning technique that iteratively combines a set of simple and not very accurate classifiers (referred to as "weak" classifiers) into a classifier with high accuracy (a "strong" classifier) by upweighting the examples the model is currently misclassifying
Boot: 1. To initialize a computer system by clearing memory and reloading the operating system
2. To cause a computer system to reach a known beginning state. A boot program, in firmware, typically performs the boot function, which includes loading basic instructions that tell the computer how to load programs into memory and how to begin executing those programs. A distinction can be made between a warm boot and a cold boot. A cold boot starts the system from a powered-down state. A warm boot restarts the computer while it is powered up. Important differences between the two procedures are:
• A power-up self-test, in which various portions of the hardware, e.g., memory, are tested for proper operation, is performed during a cold boot, while a warm boot does not normally perform such self-tests
• A warm boot does not clear all memory
Bootstrap: A short computer program that is permanently resident or easily loaded into a computer, and whose execution brings a larger program, such as an operating system or its loader, into memory
Botnet: A term derived from a robot network; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks, such as a denial-of-service attack, on targeted victims
Boundary: Logical and physical controls used to define a perimeter between the organization and the outside world
Boundary value: 1. A data value that corresponds to a minimum or maximum input, internal or output value specified for a system or component
2. A value that lies just inside or just outside of a specified range of valid input and output values
Boundary value analysis: A selection technique in which test data are chosen to lie along boundaries of the input domain or output range classes, data structures, procedure parameters, etc. Choices often include maximum, minimum and trivial values or parameters. This technique is often called stress testing.
See Testing, boundary value. Source: NBS
Branch: An instruction that causes program execution to jump to a new point in the program sequence, rather than execute the next instruction. Contrasts with condition coverage, multiple condition coverage, path coverage and statement coverage.
See Decision coverage
Branch analysis: A test case identification technique that produces enough test cases so that each decision has a true and a false outcome at least once
Branch coverage: A test coverage criterion that requires that for each decision point, each possible branch is executed at least once. Branch coverage is synonymous with decision coverage and contrasts with condition coverage, multiple condition coverage, path coverage and statement coverage.
Bridge: A data link layer device developed in the early 1980s to connect local area networks (LANs) or create two separate LAN or wide area network (WAN) segments from a single segment to reduce collision domains
Scope Notes: A bridge acts as a store-and-forward device by moving frames toward their destination. This is achieved by analyzing a data packet's MAC header, which represents the hardware address of an NIC.
Bring your own device (BYOD): An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes
Broadband: Multiple channels that are formed by dividing the transmission medium into discrete frequency segments
Scope Notes: Broadband generally requires the use of a modem.
Broadcast: A method to distribute information to multiple recipients simultaneously
Brouter: A device that performs the functions of both a bridge and a router
Scope Notes: A brouter operates at both the data link and network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, it processes and forwards messages to a different data link type network based on the network protocol address whenever required. When connecting same data link type networks, it is as fast as a bridge.
Browser: A computer program that enables users to retrieve information that has been made publicly available on the Internet and permits multimedia (graphics) applications on the World Wide Web
Browser protection: Software that evaluates the safety of websites
Brute force: A class of algorithms that methodically try all possible combinations until a solution is found
Brute-force attack: An attack that involves methodically trying all possible combinations of passwords or encryption keys until the correct one is found
Budget: Estimated cost and revenue amounts for a given range of periods and set of books
Scope Notes: There can be multiple budget versions for the same set of books.
Budget formula: A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics
Scope Notes: With budget formulas, budgets using complex equations, calculations and allocations can be automatically created.
Budget hierarchy: A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget
Budget organization: An entity (department, cost center, division or other group) responsible for entering and maintaining budget data
Buffer: A device or storage area (memory) used to store data temporarily to compensate for differences in rates of data flow, time of occurrence of events or amounts of data that can be handled by the devices or processes involved in the transfer or use of the data
Buffer overflow: An anomaly that occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold
Scope Notes: Because buffers contain a finite amount of data, excess data can overflow into adjacent buffers, corrupting or overwriting their valid data. Although it may occur accidentally through programming error, buffer overflow is also an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, which in effect, send new instructions to the attacked computer that can damage user files, change data or disclose confidential information.
Bug: A fault in a program that causes it to perform in an unintended or unanticipated manner
See Anomaly, Defect, Error, Exception and Fault
Bulk data transfer: A data recovery strategy that includes recovery from complete backups that are physically shipped offsite once a week
Scope Notes: Specifically, logs are batched electronically several times daily and then loaded into a tape library located at the same facility as the planned recovery.
Bus: A common path or channel between hardware devices
Scope Notes: Can be located between internal computer components or between external computers in a communication network
Bus configuration: A configuration in which all devices (nodes) are linked along one communication line where transmissions are received by all attached nodes
Scope Notes: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable to allow more computers to join the network. A repeater can also be used to extend a bus configuration.
Bus topology: A network topology in which nodes are connected to a single cable
Business balanced scorecard: A tool for managing organizational strategy that uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements and learning and growth (lead) indicators that are combined to rate the enterprise
Business case: Documentation of the rationale for making a business investment that is used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business continuity: A term for preventing, mitigating and recovering from disruption
Scope Notes: The terms 'business resumption planning,' 'disaster recovery planning' and 'contingency planning' may also be used in this context as they focus on recovery aspects of continuity. For that reason, the 'resilience' aspect should also be taken into account.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Business continuity plan (BCP): A plan used by an enterprise to respond to the disruption of critical business processes (depends on the contingency plan for the restoration of critical systems)
Business control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected
Business dependency assessment (BDA): A process of identifying resources critical to the operation of a business process
Business function: An activity that an enterprise does, or needs to do, to achieve its objectives
Business goal: The translation of the enterprise's mission from a statement of intention into performance targets and results
Business impact: The net effect, positive or negative, on the achievement of business objectives
Business impact analysis (BIA): The process of evaluating the criticality and sensitivity of information assets by determining the impact of losing the support of any resource to an enterprise. This establishes the escalation of a loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.
Scope Notes: This process captures income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes and loss of public reputation or public confidence.
Business impact analysis/assessment (BIA): The process of evaluating the criticality and sensitivity of information assets. This exercise determines the impact to an enterprise of losing the support of any resource, establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.
Scope Notes: This process also addresses:
• Income loss
• Unexpected expense
• Legal issues (regulatory compliance or contractual)
• Interdependent processes
• Loss of public reputation or public confidence
Business interruption: Any event, whether anticipated (e.g., public service strike) or unanticipated (e.g., blackout), that disrupts the normal course of business operations at an enterprise
Business Model for Information Security: A holistic and business-oriented model that supports enterprise governance and management of information security and provides a common language for information security professionals and business management
Business objective: A further development of business goals into tactical targets and desired results and outcomes
Business performance: The accomplishment of a given capability or task measured against known preset objectives (including, but not limited to, quality, cost, speed, accuracy and completeness) for delivery of a solution to a customer. In the CMMI, the term "business performance" refers to performance at the business or organizational level; it can be either organization-specific or aggregated from the project level. For example, it may involve collecting measurement and performance data at the project level and aggregating data to enable organizational performance analysis at the business level.
See Process performance
Business process: An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer
Business process control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives
Scope Notes: COBIT 5 and COBIT 2019 perspective
Business process integrity: Controls over business processes that are supported by the enterprise resource planning (ERP) system
Business process owner: The individual responsible for identifying process requirements, approving process design and managing process performance
Scope Notes: Must be at an appropriately high level in the enterprise and have the authority to commit resources to process-specific risk management activities
Business process reengineering (BPR): The thorough analysis and significant redesign of business processes and management systems to establish a better-performing structure that is more responsive to the customer base and market conditions while yielding material cost savings
Business risk: The probability that a situation with uncertain frequency and magnitude of loss (or gain) could prevent the enterprise from meeting its business objectives
Business service provider (BSP): An application service provider (ASP) that also outsources business processes, such as payment processing, sales order processing and application development
Business sponsor: The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise
Business-to-business (B-to-B): Transactions in which the acquirer is an enterprise or individual operating in the scope of their professional activity. In this case, laws and regulations related to consumer protection are not applicable.
Scope Notes: A contract’s general terms should be communicated to the other party and approved. Some companies require the other party to fill out a check-box with a description such as, "I specifically approve the clauses." This is not convincing; the best solution is adopting a digital signature scheme, which allows the approval of clauses and terms with a nonrepudiation condition.
Business-to-consumer (B-to-C): Selling processes in which the involved parties are an enterprise, which offers goods or services, and a consumer. In this case, there is comprehensive legislation that protects the consumer.
Scope Notes: Comprehensive legislation can include:
• Contracts established outside the merchant’s property (such as the right to end a contract for a full refund or a return policy for goods)
• Distance contracts (such as rules that establish how a contract should be written, specific clauses or how a contract should be transmitted to the consumer and approved)
• An electronic form of contract (such as an Internet contract or the option for the consumer to exit a procedure without having their data recorded)
Business-to-consumer ecommerce (B2C): The processes by which enterprises conduct business electronically with their customers and/or the public at large using the Internet as the enabling technology
Bypass label processing (BLP): A technique that involves reading a computer file while bypassing the internal file/data set label. This process can result in the bypassing of the security access control system.
Byte: A sequence of adjacent bits, often an octet, operated on as a unit
Byzantine fault tolerance (BFT): The property of a system that allows it to withstand failures and continue to function even if some of the nodes fail or act maliciously
C: A general-purpose, high-level programming language created for developing computer operating system software. It strives to combine the power of assembly language with the ease of a high-level language.
C++: An object-oriented, high-level programming language
Cadbury: A name associated with the Committee on the Financial Aspects of Corporate Governance (created in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession), which was chaired by Sir Adrian Cadbury. The committee produced a report on the subject commonly known in the UK as the Cadbury Report.
Calibration layer: A post-prediction adjustment typically used to account for prediction bias. The adjusted predictions and probabilities should match the distribution of an observed set of labels.
Candidate generation: The initial set of recommendations chosen by a recommendation system
Capability: 1. An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value (ISACA)
2. Organizational-level skills, abilities and knowledge embedded in people, processes, infrastructure and technology. An organization needs capabilities to implement its business model or fulfill its mission and achieve measurable business results. (CMMI)
Capability area (CA): A group of related practice areas that can improve the performance of the skills and activities of an organization or project. Capability areas are a type of view.
Capability level: A list of practice areas (PAs) and their corresponding capability levels. A capability-level profile represents an organization's progress toward achieving its targeted practice group level for each in-scope PA.
Capability level profile: A list of practice areas (PAs) and their corresponding capability levels. A capability level profile represents an organization’s progress toward achieving its targeted practice group level for each in-scope PA.
Capability Maturity Model (CMM): 1. A model that contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
2. A model, from the Software Engineering Institute (SEI), used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes.
Scope Notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes, and the standards for level five describe the most mature or quality processes. This maturity model indicates the degree of reliability or dependency a business can place on a process to achieve its desired goals or objectives. It is also a collection of instructions that an enterprise can follow to gain better control over its software development process.
Capability Maturity Model Integration (CMMI): An integrated model of best practices that enables businesses to improve performance by improving their processes. Product teams developed the model with global members from across the industry. The CMMI provides a best-practice framework for building, improving and sustaining process capability.
See CMMI product suite
Capable process: A stable process that is able to meet the quality and process performance objectives set for it. The process variation is within set specification limits.
See Stable process
Capacity stress testing: A test that exercises an application with large quantities of data to evaluate its performance during peak periods. This is also called volume testing.
Capital expenditure/expense (CAPEX): An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.
Card swipe: A physical control technique that uses a secured card or ID to gain access to a highly sensitive location
Scope Notes: If built correctly, card swipes act as a preventive control over physical access to sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. In this way, the card swipe device prevents unauthorized access and logs all attempts to enter the secured location.
Cartel attack  An attack that involves a group of stakers with a large amount of staked tokens in a blockchain manipulating the blockchain in their favor. Alternatively, it is a type of 51% attack on a PoS blockchain.
Category  Logical groups or types of views of related capability areas that address common problems encountered by businesses when producing or delivering solutions
Cathode ray tube (CRT)  A vacuum tube that displays data by means of an electron beam striking the screen. It is coated with suitable phosphor material or a device similar to a television screen where data can be displayed.
Causal analysis  A method of searching for the origin of certain effects
See Root cause
Central bank digital currency (CBDC)  A digital form of fiat money
Central processing unit (CPU)  Computer hardware that houses the electronic circuits that control/direct all operations of a computer system
Centralized data processing  A distributed processing configuration formed by one central processor and database
Centroid  The center of a cluster as determined by a k-means or k-median algorithm. For instance, if k is 3, then the k-means or k-median algorithm finds 3 centroids.
Certificate (Certification) authority (CA)  A trusted third party that serves authentication infrastructures or enterprises, registers entities and issues certificates to entities
Certificate revocation list (CRL)  An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility
Scope Notes: The CRL details digital certificates that are no longer valid. The time gap between two updates is critical and poses a risk in digital certificate verification.
Certification practice statement (CPS)  A detailed set of rules governing the certificate authority's (CA) operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA.
Scope Notes: In terms of the controls an enterprise observes, this is the method used to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used.
Certified CMMI High Maturity Lead Appraiser (CHMLA)  The ISACA designation for a person who leads high-maturity appraisal activities and has satisfied the qualification criteria for experience, knowledge and skills defined by the Appraisal Method Definition Document. This person also has an active certification for conducting high-maturity appraisals
See Appraisal team leader
Chain of custody  The process of evidence handling (from collection to presentation) that is necessary to maintain the validity and integrity of evidence
Scope Notes: Includes documentation of who had access to the evidence and when, and the ability to identify that the evidence is the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on verifying that evidence could not have been tampered with. This is accomplished by sealing off the evidence so it cannot be changed and providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering.
Challenge/response token  A method of user authentication carried out through use of the Challenge Handshake Authentication Protocol (CHAP)
Scope Notes: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session, protecting it from password-sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.
Change  1. A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human, or "soft" elements of change (ISACA)
Scope Notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.
2. A methodical approach for controlling and implementing changes in a planned and structured manner (CMMI)
Change enablement  A holistic and systemic process of ensuring that relevant stakeholders are prepared and committed to the changes involved in moving from a current state to a desired future state
Change management  1. A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human, or "soft," elements of change (ISACA)
Scope Notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.
2. A methodical approach for controlling and implementing changes in a planned and structured manner (CMMI)
Change risk  A change in technology, regulation, business process, functionality, architecture, users or other variables that affects the enterprise business and technical environments and the level of risk associated with systems in operation
Change control  The processes, authorities and procedures used for all changes made to a computerized system and/or the system data. Change control is a vital subset of the quality assurance program in an enterprise and should be clearly described in the enterprise standard operating procedures.
See Configuration control
Channels  Private channels, also called ledger conduits, in a permissioned blockchain network where two or more nodes perform private transactions
Chargeback  The redistribution of expenditures to the units within a company that produced them
Scope Notes: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service because certain key expenditures will be ignored or calculated according to an arbitrary formula.
Check digit  A numeric value, calculated mathematically, added to data to ensure that original data have not been altered or that an incorrect but valid match has not occurred
Scope Notes: Check digit control is effective in detecting transposition and transcription errors.
Check digit verification (self-checking digit)  A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit
Checklist  A list of items used to verify the completeness of a task or goal
Scope Notes: Used in quality assurance (and, in general, in information systems audits) to check process compliance, code standardization, error prevention and other items for which consistency processes or standards have been defined
Checkpoint restart procedures  A point in a routine where sufficient information can be stored to allow the restart of computation from that point
Checkpointing  The process of storing a block in the history of a blockchain at intervals and refusing to accept a divergent blockchain without these blocks
Checksum  A value generated by an algorithm and associated with an input value and/or whole input file. The checksum value can be used to assess its corresponding input data or file later and verify that the input has not been maliciously altered. If a subsequent checksum value no longer matches the initial value, the input may have been altered or corrupted.
Chi-square test  An analysis technique used to estimate whether two variables in a cross-tabulation are correlated. A chi-square distribution varies from normal distribution based on the “degrees of freedom” used to calculate it.
Chief executive officer (CEO)  The highest-ranking individual in an enterprise
Chief financial officer (CFO)  The individual primarily responsible for managing the financial risk of an enterprise
Chief information officer (CIO)  The most senior enterprise official who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources
Scope Notes: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO). The CKO deals in knowledge, not just information. Also see chief technology officer (CTO).
Chief information security officer (CISO)  The individual in charge of information security in an enterprise
Chief risk officer (CRO)  An executive tasked with assessing and responding to risk to an enterprise’s assets
Chief security officer (CSO)  The individual typically responsible for all physical and digital security matters in an enterprise
Chief technology officer (CTO)  The individual who focuses on technical issues in an enterprise
Scope Notes: Often viewed as synonymous with chief information officer (CIO)
Chipset  An integrated circuit (IC) or group of ICs that provides input and output for computer processing (e.g., RAM, graphics chips or WiFi chips)
Cipher  An algorithm that performs encryption
Ciphertext  Information generated by an encryption algorithm to protect the plaintext; it is unintelligible to the unauthorized reader
Circuit-switched network  A data transmission service that requires establishing a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE
Scope Notes: A circuit-switched data transmission service uses a connection network.
Circular routing  In open systems architecture, the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model
Classification  The identification of which of two or more categories an item belongs to; a classic machine learning task
Cleartext  Data that is not encrypted. This is also known as plaintext.
Client-server  A term used to broadly describe the relationship between the receiver and provider of a service. Generally, the client-server describes a networked system where front-end applications, like the client, make service requests to another networked system. Client-server relationships are defined primarily by software. In a local area network (LAN), the workstation is the client, and the file server is the server. However, client-server systems are inherently more complex than file-server systems. Two disparate programs must work in tandem, and there are many more decisions to make about separating data and processing between the client workstations and the database server. The database server encapsulates database files and indexes, restricts access, enforces security and provides applications with a consistent interface to data via a data dictionary.
Clipping  A technique for handling outliers. Specifically, clipping includes reducing feature values that are greater than a set maximum value down to that maximum value. It also involves increasing feature values that are less than a specific minimum value up to that minimum value.
Cloud access security brokers (CASBs)  Software or appliances that are positioned between an enterprise technology infrastructure and a cloud service provider (CSP)
Cloud computing  Convenient, scalable on-demand network access to a shared pool of resources that can be provisioned rapidly and released with minimal management effort or service provider interaction
Cluster controller  A communication terminal control hardware unit that controls a number of computer terminals
Scope Notes: All messages are buffered by the controller and then transmitted to the receiver.
Clustering  An algorithm for dividing data instances into groups—not a predetermined set of groups, but groups identified by the execution of the algorithm because of similarities found among the instances. The center of each cluster is known as the "centroid."
CMMI product suite  The integrated set of components that comprise CMMI. The product suite components include the model, appraisal method, training and certification, adoption guidance and systems and tools.
Co-adaptation  A process by which neurons predict patterns in training data by relying almost exclusively on outputs of other specific neurons instead of the network's behavior as a whole
Coaxial cable  A cable composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath and the outer insulation that wraps the second wire
Scope Notes: Has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance
COBIT  1. COBIT 2019: The current iteration of COBIT, which builds on and integrates more than 25 years of developments in the field of enterprise governance of information and technology (I&T). It not only incorporates new insights from science but also operationalizes these insights as practices. COBIT is a broad and comprehensive I&T governance and management framework that continues to establish itself as a generally accepted framework for I&T governance.
Scope Notes: Earlier versions of COBIT focused on information and technology (IT), whereas COBIT 2019 focuses on information and technology aimed at the whole enterprise, recognizing that I&T has become crucial in the support, sustainability and growth of enterprises. (See www.isaca.org/cobit for more information.)
2. COBIT 5: A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business and related IT goals. Formerly known as Control Objectives for Information and related Technology (COBIT), with this iteration used only as the acronym. COBIT describes five principles and seven enablers that support enterprises in the development, implementation and continuous improvement and monitoring of good IT-related governance and management practices.
Scope Notes: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products.
3. COBIT 4.1 and earlier: A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business and related IT goals by providing a comprehensive IT governance, management, control and assurance model. Formally known as Control Objectives for Information and related Technology (COBIT). COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.
Scope Notes: Adoption and use of the COBIT framework are supported by guidance for executives and management (Board Briefing on IT Governance, 2nd Edition), IT governance implementers (COBIT Quickstart, 2nd Edition; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; and COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance) and IT assurance and audit professionals (IT Assurance Guide Using COBIT). Guidance also exists to support its applicability for certain legislative and regulatory requirements (e.g., IT Control Objectives for Sarbanes-Oxley, IT Control Objectives for Basel II) and its relevance to information security (COBIT Security Baseline). COBIT is mapped to other frameworks and standards to illustrate complete coverage of the IT management life cycle and support its use in enterprises using multiple IT-related frameworks and standards.
COBOL  A high-level programming language used for solving problems in business data processing (stands for Common Business Oriented Language).
CoCo  A framework published by the Canadian Institute of Chartered Accountants in 1995 (stands for Criteria of Control)
Code audit  An independent review of source code by a person, team or tool to verify compliance with software design documentation and programming standards. Correctness and efficiency may also be evaluated. This contrasts with code inspections, code reviews and code walkthroughs.
Code of ethics  A document designed to influence employees' individual and organizational behavior by defining organizational values and the rules to be applied in certain situations
Scope Notes: A code of ethics is adopted to assist those in the enterprise called upon to make decisions in understanding the difference between 'right' and 'wrong' and to apply this understanding to their decisions.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Coding  1. In software engineering, the process of expressing a computer program in a programming language
2. The transforming of logic and data from design specifications (design descriptions) into a programming language
Coding standards  Written procedures describing coding (programming) style conventions that specify rules governing the use of individual constructs provided by the programming language, as well as naming, formatting and documentation requirements; these prevent programming errors, control complexity and promote the understandability of the source code. They are synonymous with development and programming standards.
Coefficient  A number or algebraic symbol prefixed as a multiplier to a variable or unknown quantity (e.g., x in x(y + z), 6 in 6ab)
Coevolving  Originally a biological term, the way two or more ecologically interdependent species become intertwined over time
Scope Notes: As species adapt to their environment, they also adapt to one another. Today’s multibusiness companies need to take their cue from biology to survive. They should assume that links among businesses are temporary and that the number of connections (not just content) matters. Rather than plan a collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.
Coherence  A term that refers to establishing a potent binding force and sense of direction and purpose for an enterprise; relating different parts of an enterprise to each other and the whole to act as a seemingly unique entity
Cohesion  The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function
Scope Notes: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.
Cold site  An IS backup facility that has the necessary electrical and physical components of a computer facility but does not have the computer equipment in place
Scope Notes: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from the main computing location to the alternative computer facility.
Collaborative filtering  A technique for making predictions about the interests of one user based on the interests of many other users. Collaborative filtering is often used in recommendation systems.
Collision  The situation that occurs when two or more demands are made simultaneously on equipment that can handle only one at a given time (Federal Standard 1037C)
Combined Code on Corporate Governance  The consolidation of the Cadbury, Greenbury and Hampel Reports in 1998
Scope Notes: Named after the committee chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers. The Combined Code was made to address the financial aspects of corporate governance, directors' remuneration and implementation of the Cadbury and Greenbury recommendations.
Comment  1. In programming languages, a language construct that allows explanatory text to be inserted into a program and that does not have any effect on the execution of the program
2. Information embedded within a computer program, job control statements or a set of data that provides clarification to human readers but does not affect machine interpretation (Source: IEEE)
Commercial off-the-shelf (COTS)  Items that can be purchased from a commercial supplier and used without tailoring
Common Attack Pattern Enumeration and Classification (CAPEC)  A catalog of attack patterns that is “an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed” (published by the MITRE Corporation)
Common cause of variation  The variation of a process that exists because of normal and expected interactions among components of a process. This is also referred to as inherent cause of variation.
See Special cause of variation
Communication processor  A computer embedded in a communications system that generally performs the basic tasks of classifying network traffic and enforcing network policy functions
Scope Notes: An example is the message data processor of a defense digital network (DDN) switching center. More advanced communication processors may perform additional functions.
Communications controller  Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function
Community cloud  A cloud computing environment in which resources are shared among entities that have common interests or are in shared industries, e.g., healthcare or financial services
Community strings  A string of characters that authenticates access to management information base (MIB) objects and functions as an embedded password
Scope Notes: Examples are:
• Read-only (RO): Gives read access to all objects in the MIB (except the community strings) but does not allow write access
• Read-write (RW): Gives read and write access to all objects in the MIB but does not allow access to the community strings
• Read-write-all: Gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)
Simple Network Management Protocol (SNMP) community strings are sent across the network in cleartext. The best way to protect an operating system software-based device from unauthorized SNMP management is to build a standard IP access list that includes the source address of the management station(s). Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, log messages are generated every time the device is accessed from the management station. The log message records the source IP address of the packet.
Compact disc–read-only memory (CD-ROM)  A compact disk used for the permanent storage of text, graphic or sound information. Digital data is represented compactly by tiny holes that can be read by lasers attached to high-resolution sensors. It is capable of storing up to 680 MB of data, equivalent to 250,000 pages of text or 20,000 medium-resolution images. This storage medium is often used for archival purposes and is synonymous with optical disks and write-once read-many times disks.
Comparison program  A program for the examination of data that uses logical or conditional tests to identify similarities or differences
Compartmentalization  A process for protecting very high-value assets or environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.
Compensating control  An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
Competence  The ability to perform a specific task, action or function successfully
Scope Notes: COBIT 5 and COBIT 2019 perspective
Competencies  The strengths of an enterprise or what it does well
Scope Notes: Can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work
Compilation  The process of translating a program expressed in a problem-oriented or procedure-oriented language into object code. Compilation contrasts with assembling and interpreting.
Compiler  1. A computer program that translates programs expressed in a high-level language into their machine-language equivalents
2. A computer program that takes the finished source-code listing as input and outputs the machine-code instructions that the computer must have to execute the program
See Assembler and Interpreter
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)  A type of challenge-response test used in computing to ensure that a response was not generated by a computer. An example is the site request given to website users to recognize and type a phrase posted using various challenging-to-read fonts.
Completely connected (mesh) configuration  A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)
Completeness check  A procedure designed to ensure that no fields are missing from a record
Compliance  A term that refers to the adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies
Compliance documents  Policies, standards and procedures that document actions that are required or prohibited. Violations may be subject to disciplinary actions.
Compliance risk  The probability and consequences of an enterprise failing to comply with laws, regulations or the ethical standards and codes of conduct applicable to the enterprise's industry
Compliance testing  Control tests designed to obtain evidence on both the effectiveness of the controls and their operation during the audit period
Component  A general term used to mean one part of something more complex
Scope Notes: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.
Comprehensive audit  An audit designed to determine the accuracy of financial records and evaluate the internal controls of a function or department
Computational linguistics  A branch of computer science for parsing the text of spoken languages (e.g., English or Mandarin) to convert it to structured data that can be used to drive program logic
Computationally greedy  A term that means requiring a great deal of computing power; processor intensive
Computer  1. A functional unit that can perform substantial computations, including numerous arithmetic operations (or logic operations), without human intervention during a run
2. A functional programmable unit that consists of one or more associated processing units and peripheral equipment, is controlled by internally stored programs and can perform substantial computations, including numerous arithmetic operations, or logic operations, without human intervention
Computer emergency response team (CERT)  A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group acts as an efficient corrective control and should also be the single point of contact for all incidents and issues related to information systems.
Computer forensics  The application of the scientific method to digital media to establish factual information for judicial review
Scope Notes: This process often involves investigating computer systems to determine whether they have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that makes it admissible as evidence in a court of law.
Computer instruction set  A complete set of the operators of a computer's instructions together with a description of the different meanings that can be attributed to their operands. This is synonymous with machine instruction set.
Computer language  A language designed to enable humans to communicate with computers
See Programming language
Computer science  The branch of science and technology concerned with methods and techniques relating to data processing performed by automatic means
Computer security incident response team (CSIRT)  The technical team responsible for addressing security incidents
Computer sequence checking  A process that verifies that control numbers follow sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research
Computer server  1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems.
2. A computer that provides services to another computer (the client)
Computer systemA functional unit consisting of one or more computers and associated peripheral input and output devices and software that uses common storage for all or part of a program and all or part of
the data necessary for the execution of the program. A computer system executes user-written or user-designated programs; performs user-designated data manipulation, including arithmetic
and logic operations; and can execute programs that modify themselves during their execution. A computer system may be a stand-alone unit or may consist of several interconnected units.
See Computer
Computer-aided software engineering (CASE)The use of software packages that aid in the development of all phases of an information system
Scope Notes: System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit technique (CAAT)Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities
Concurrency controlA class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This class of controls implies that only serial and recoverable schedules are permitted and that committed transactions are not discarded when undoing aborted transactions.
Concurrent access  A failover process, in which all nodes run the same resource group and access the external storage concurrently. There can be no Internet Protocol (IP) or mandatory access control (MAC) address in a concurrent resource group.
Concurrent appraisals  Two or more appraisals that have the same appraisal team leader (ATL) performing their conduct appraisal phases at the same time. Concurrent appraisals, also called simultaneous appraisals, are not allowed under any circumstances. Concurrent appraisals typically include:
• Appraising one or more organizational units (OUs) with different scopes, or
• Using two or more appraisal teams,
with the same time frame for their conduct appraisal phase.
Confidence interval  A range specified for an estimate to indicate margin of error, combined with a probability that a value will fall in that range
Confidentiality  Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
Configurable control  Typically, an automated control that is based on, and therefore dependent on, the configuration of parameters within the application system
Configuration identification  A configuration management activity that involves selecting configuration items for a hardware/software product, assigning them unique identifiers, and recording their functional and physical characteristics in technical documentation
See Configuration item and Configuration management
Configuration item (CI)  1. Component of an infrastructure—or an item, such as a request for change, associated with an infrastructure—that is (or is to be) under the control of configuration management (ISACA)
Scope Notes: May vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component
2. Work products designated for configuration management and treated as a single entity in the configuration management process (CMMI)
See Configuration management
Configuration management  1. The control of changes to a set of configuration items over a system life cycle (ISACA)
2. The process of managing the integrity of work products using configuration identification, version control, change control and audits (CMMI)
See Configuration identification, Configuration item, Configuration audit and Version control
Confirmation  The number of blocks added to the blockchain after the network accepts that a particular transaction has been executed
Consensus  A decision-making method that allows team members to develop a common basis of understanding and develop general agreement concerning a decision that all team members are willing to support
Consensus mechanism  A fault-tolerant mechanism used in blockchain/distributed ledger systems to achieve the necessary agreement on data values or the state of the network among distributed processes or multiagent systems
Consent  Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Consequence  The result of a realized risk. A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives. Consequences can be expressed qualitatively or quantitatively.
Consistency  The degree of uniformity, standardization and freedom from contradiction among the documents or parts of a system or component
See Traceability
Consistency checker  A software tool used to test requirements in design specifications for consistency and completeness
Console log  An automated detail report of computer system activity
Consolidation  The practice of collecting and summarizing the information provided into a manageable set to:
• Determine the extent to which the objective evidence is corroborated and covers the areas being investigated
• Determine the objective evidence sufficiency for making judgments
• Revise the objective evidence-gathering plan as necessary to achieve this sufficiency
See Objective evidence
Consortium blockchain  A subset of private blockchains that provides a unique blend of public and private blockchain
Constant  A value that does not change during processing; contrasts with variable
Constrained Application Protocol (CoAP)  A messaging protocol usually implemented with low-powered devices
Consulted  In a RACI (responsible, accountable, consulted, informed) chart, refers to those people whose opinions are sought on an activity (two-way communication)
Consumer  One who utilizes goods
Consumerization  A model in which emerging technologies are first embraced by the consumer market and later spread to the business
Containers  A packaged environment that includes all necessary dependencies, executables and code for particular applications to run separately from the host computing device
Containment  Actions taken to limit exposure after an incident has been identified and confirmed
Content filtering  Controlling access to a network by analyzing the contents of the incoming and outgoing packets, and either letting them pass or denying them, based on a list of rules
Scope Notes: Differs from packet filtering in that content filtering analyzes the data in the packet and packet filtering analyzes the attributes of the packet itself, e.g., source/target IP address and transmission control protocol (TCP) flags
Context  The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts
Scope Notes: Context includes:
• Technology context (technological factors that affect the ability of an enterprise to extract value from data)
• Data context (data accuracy, availability, currency and quality)
• Skills and knowledge (general experience and analytical, technical, and business skills)
• Organizational and cultural context (political factors and whether the enterprise prefers data over intuition)
• Strategic context (strategic objectives of the enterprise)
COBIT 5 and COBIT 2019 perspective
Contingency plan  Plan used by an enterprise or business unit to respond to a specific systems failure or disruption
Contingency planning  Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that might occur by chance or unforeseen circumstances
Continuity  Preventing, mitigating and recovering from disruption
Scope Notes: The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity.
Continuous auditing approach  Allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer
Continuous availability  Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed
Continuous feature  A floating-point feature with an infinite range of possible values; contrasts with discrete feature
Continuous improvement  The goals of continuous improvement (Kaizen) include elimination of waste (activities that add cost, but do not add value); just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment.
Scope Notes: A closer definition of the Japanese usage of Kaizen is to take it apart and put it back together in a better way. What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Continuous risk and control monitoring  A process that includes:
• Developing a strategy to regularly evaluate selected information and technology (I&T)-related controls/metrics
• Recording and evaluating I&T-related events and the effectiveness of the enterprise in dealing with those events
• Recording changes to I&T-related controls or changes that affect I&T-related risk
• Communicating the current risk and control status to enable information-sharing decisions involving the enterprise
Continuous variable  A variable whose value can be any of an infinite number of values, typically within a particular range
Contract account  The account (or address) created when a smart contract is deployed by the smart contract owner. The contract account contains the runtime virtual machine bytecode for a contract.
Contractual requirements  Result of analysis and refinement of customer requirements into a set of requirements suitable for inclusion in solicitation packages or supplier agreements. Contractual requirements include technical and nontechnical requirements necessary to acquire a solution.
See Acquirer and Customer requirement
Control  The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature
Scope Notes: Also used as a synonym for safeguard or countermeasure
See Internal control
Control center  Hosts the recovery meetings that manage disaster recovery operations
Control flow diagram  A diagram that depicts the set of all possible sequences in which operations may be performed during the execution of a system or program. Types include box diagram, flowchart, input-process-output chart and state diagram. Contrasts with data flow diagram.
Control framework  A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise
Control group  Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups
Control objective  A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
Control Objectives for Enterprise Governance  A discussion document that presents an enterprise governance model focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999
Control owner  A person to whom the enterprise has assigned the authority and accountability for making control-related decisions and who is responsible for ensuring that the control is implemented and is operating effectively and efficiently
Control perimeter  The boundary defining the scope of control authority for an entity
Scope Notes: For example, if a system is within the control perimeter, the right and ability exist to control it in response to an attack.
Control practice  Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business
Control risk  Risk that assets are lost/compromised or that financial statements are materially misstated, due to lack of, or ineffective, design and/or implementation of internal controls
Control risk self-assessment  A method/process by which management and staff at all levels collectively identify and evaluate risk and controls within their business areas. This assessment may be under the guidance of a facilitator, such as an auditor or risk manager.
Control section  The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer
Control weakness  A deficiency in the design or operation of a control procedure. Control weaknesses can result in risk not being reduced to an acceptable level in the relevant activity area (relevant risk threatens achievement of the objectives that are relevant to the activity area being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements, caused by illegal acts or irregularities, may occur and not be detected by the related control procedures.
Controller  The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Convenience sampling  The use of a dataset that is not gathered scientifically in order to run quick experiments. Later on, it is essential to switch to a scientifically gathered dataset.
Convergence  A state reached during training in which training loss and validation loss change very little or not at all with each iteration after a certain number of iterations
Cookie  A web browser message used for the purpose of identifying users and possibly preparing customized web pages for them
Scope Notes: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).
Copyright  The protection of writings, recordings or other ways of expressing an idea. The idea itself may be common, but the way it was expressed is unique, such as a song or book.
Core assets  The assets essential to a solution, which may include:
• Components
• Domain models
• Requirements
• Performance models
• Estimates and plans
• Test plans and test descriptions
• Process descriptions
Corporate exchange rate  An exchange rate that can be used to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the enterprise.
Corporate governance  The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. Corporate governance consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.
Corporate security officer (CSO)  The person responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program
Corrective control  A control designed to correct errors, omissions, unauthorized uses and intrusions, once they are detected
Correlation  The degree of relative correspondence between two sets of data. The correlation coefficient is a measure of how closely the two data sets correlate.
Corroboration  The practice of considering multiple pieces of objective evidence in support of a judgment regarding an individual CMMI model practice
See Objective evidence
COSO  The Committee of Sponsoring Organizations of the Treadway Commission
Scope Notes: COSO's "Internal Control--Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.
Cost-benefit analysis  A net result analysis that relies on the addition of positive factors and the subtraction of negative factors to build a business case supporting a risk response
COTS  Configurable, off-the-shelf software
Countermeasure  The reduction of threats or vulnerabilities through any direct process
Coupling  A measure of interconnectivity among the structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface.
Scope Notes: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain, and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Covariant  A measure of the relationship between two variables whose values are observed at the same time. Whereas variance measures how a single variable deviates from its mean, covariance measures how two variables vary in tandem from their means.
Coverage  The proportion of known attacks detected by an intrusion detection system (IDS)
Coverage analysis  The determination and assessment of measures associated with the invocation of program structural elements to determine the adequacy of a test run. Coverage analysis is useful when attempting to execute each statement, branch, path or iterative structure in a program. Tools that capture this data and provide reports summarizing relevant information have this feature.
See Testing, branch, Testing, path and Testing, statement.
CPU  See Central processing unit
Crack  To "break into" or "get around" the security of a software program
Scope Notes: For example, certain newsgroups post serial numbers for pirated versions of software. A cracker may download this information in an attempt to crack the program so he/she can use it. Crack is commonly used in the case of cracking (unencrypting) a password or other sensitive data.
Crash  The sudden and complete failure of a computer system or component
Crash blossom  A sentence or phrase with an ambiguous meaning
Credentialed analysis  In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required
Scope Notes: Usually involves accessing a system data object
Credit risk  The potential that a borrower or creditor will fail to meet financial obligations in accordance with agreed terms
Criteria  Standards and benchmarks to measure and present the subject matter and against which an IS auditor evaluates the subject matter
Scope Notes: Criteria should be:
- Objective—free from bias
- Measurable—provide for consistent measurement
- Complete—include all relevant factors to reach a conclusion
- Relevant—relate to the subject matter
In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.
Critical control point  (QA) A function or an area in a manufacturing process or procedure, the failure of which, or loss of control over, may have an adverse effect on the quality of the finished product and may result in an unacceptable health risk
Critical design review  A review to verify that the detailed design of one or more configuration items satisfies specified requirements; to establish the compatibility among the configuration items and other items of equipment, facilities, software and personnel; to assess risk areas for each configuration item; and, as applicable, to assess the results of producibility analyses, review preliminary hardware product specifications, evaluate preliminary test planning and evaluate the adequacy of preliminary operation and support documents
See System design review.
Critical functions  Business activities or information that cannot be interrupted or unavailable for several business days without significantly jeopardizing operation of the enterprise
Critical infrastructure  Systems whose incapacity or destruction will have a debilitating effect on the economic security of an enterprise, community or nation
Critical success factor (CSF)  The most important issue or action for management to achieve control over and within its IT processes
Criticality  The importance of a particular asset or function to the enterprise, and the impact if that asset or function is not available
Criticality analysis  Evaluation of resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available.
Cross chain  Interoperability between two independent blockchains that allows them to speak to each other, mainly during an asset swap or asset transfer
Cross-border data transfers  The transfer of personal data to recipients outside of the territory in which the data originate
Cross-border processing  Processing of personal data in the context of the activities of establishments in more than one country of a controller or processor, where the controller or processor is established in more than one country; or processing of personal data in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one country
Cross-certification  A certificate issued by one certificate authority (CA) to a second CA that allows users of the first certification authority to obtain the public key of the second CA and verify the certificates that the second CA created
Scope Notes: Often refers to certificates issued to each other by two CAs at the same level in a hierarchy
Cross-site request forgery (CSRF)  A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts (also known as a one-click attack or session riding). CSRF is pronounced sea-surf.
Cross-site scripting (XSS)  Injection of malicious scripts into otherwise benign and trusted websites
Scope Notes: Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user within the output that it generates without validating or encoding it.
Source: OWASP
Cross-validation  A mechanism for estimating how well a model will generalize to new data by testing the model against one or more nonoverlapping data subsets that are withheld from the training set
Cryptoassets  Decentralized virtual currencies (and their underlying blockchain technology layers) that are meant to achieve something other than the exchange of value
Cryptocurrency  A digital asset designed and created to function as a unit of account and payment method within its particular ecosystem. Cryptocurrency transactions usually take place within a peer-to-peer network and use cryptography to secure transaction records.
Cryptography  The study of mathematical techniques related to aspects of information security, such as confidentiality, data integrity, entity authentication and data origin authentication
Cryptosystem  Set of cryptographic primitives that are used to provide information security services. Most often, the term is used in conjunction with primitives providing confidentiality, i.e., encryption.
Cryptotoken  Unit that is used for any function not related to payments within a blockchain; for example, as a function of a decentralized application or a smart contract. Security tokens or utility tokens are examples of cryptotokens. A cryptotoken can also be considered a cryptoasset.
Culture  A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things
Scope Notes: COBIT 5 and COBIT 2019 perspective
Current risk  The risk state that exists in the moment, taking into account those actions that have already been taken but not actions that are anticipated or have been proposed
Customer  The party responsible for buying or accepting a solution or for authorizing payment for a solution. Customers may also be end users.
Customer relationship management (CRM)  Practices and strategies to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.
Customer requirement  The result of eliciting and consolidating needs, and resolving conflicts among those needs, expectations, constraints, and interfaces that clarifies and defines the solutions with affected stakeholders in a way that is acceptable to them
See Customer.
Cyber and information security risk  The danger, harm or loss related to the use of, or dependence on, information and communications technology, electronic data, and digital or electronic communications
Cybercop  An investigator of activities related to computer crime
Cybercrime  Category of crime involving technology that may or may not involve the Internet
Cybercriminal  An individual or entity that uses technology with malicious intent
Cyberespionage  Activities conducted for security, business, political or technological reasons to find information that ought to remain secret. It is not inherently military.
Cybersecurity  1. The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems (ISACA)
2. Protection and restoration of products, services, solutions and supply chain, including technology, computers, telecommunications systems and services, and information, to ensure their availability, integrity, authentication, transport, confidentiality and resilience. Cybersecurity is a part of information security. (CMMI)
Cybersecurity architecture  Description of the structure, components and topology (connections and layout) of security controls within the IT infrastructure of an enterprise
Scope Notes: The security architecture shows how defense-in-depth is implemented and how layers of control are linked, and is essential to designing and implementing security controls in any complex environment.
Cyberthreat actor  See Bad actor
Cyberthreat actor (CTA)  See Bad actor
Cyberwarfare  Activities supported by military organizations with the purpose of threatening the survival and well-being of society/foreign entity
D3 (Data-driven documents)  A JavaScript library that eases the creation of interactive visualizations embedded in web pages. D3 is popular with data scientists as a way to present the results of their analysis.
Damage evaluation  The determination of the extent of damage to provide an estimate of the recovery time frame and the potential loss to the enterprise
DAP tools  Tools used to help control the data that end users can transmit
DASH7 Alliance Protocol (D7A)  A protocol used to enable wireless communications between actuators and sensors
Dashboard  A tool that is used for setting enterprise expectations at each level of responsibility and for continuous monitoring of the performance against set targets
Data  1. Representations of facts, concepts or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means. In the simplest terms, data are pieces of information. (ISACA)
2. Qualitative or quantitative-based information that can be recorded, communicated and analyzed (CMMI)
Data accuracy  A component of data quality that indicates whether the data values stored for an object are the correct values and are represented in a consistent and unambiguous form
Data analysis  Obtaining an understanding of data by considering samples, measurement and visualization. Data analysis can be particularly useful when a data set is first received, before the first model is built, and is crucial for understanding experiments and debugging problems with the system.
Data anonymization  Protection of private or sensitive information by encrypting or removing personally identifiable information from data sets to keep the people whom the data represent anonymous
Data augmentation  Artificially boosting the range and number of training examples by transforming existing examples to create additional examples
Data breach  See Personal data breach.
Data classification  The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. Classification level is an indication of the value or importance of the data to the enterprise.
Data classification scheme  An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership
Data communications  The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links
Data concerning health  Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, that reveal information about his or her health status
Data controller  See Controller.
Data custodian  Individual(s) and department(s) responsible for the storage and safeguarding of computerized data
Data destruction  Elimination, erasure or clearing of data
Data dictionary  Repository that stores all the details that correspond to the data flow diagram (DFD) stores, processes and flows. It may be called a database that contains the name, type, range of values, source and authorization for access for each data element in a system. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated.
Data diddling  Changing data with malicious intent before or during input into the system
Data Encryption Standard (DES)  A legacy algorithm for encoding binary data that was deprecated in 2006. DES and its variants were replaced by the Advanced Encryption Standard (AES).
Data exception  An exception that occurs when a program attempts to use or access data incorrectly
Data exfiltration  Unauthorized acquisition of data from any network or endpoint
Data flow  The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to the output (in Internet banking, ordinarily data in a bank’s central database). Data flow includes travel through communication lines, routers, switches and firewalls, and processing through various applications on servers that process the data.
Data flow analysis  A software verification and validation (V&V) task to ensure that the input and output data and their formats are properly defined, and that the data flows are correct
Data flow diagram (DFD)  A diagram that depicts data sources, data sinks, data storage, processes performed on data (represented as nodes) and logical flow of data (represented as links between the nodes)
Data frame  A popular data type for representing data sets in pandas. A data frame is analogous to a table. Each column of the data frame has a name (a header), and each row is identified by a number.
Data governance  Setting direction on data use through prioritization and decision making, and ensuring alignment with agreed-on direction and objectives
Data integrity  The degree to which a collection of data is complete, consistent and accurate
Data leakage  Unauthorized transmission of data from an organization, either electronically or physically
Data life cycle  The sequence of steps that data go through, beginning with its collection/generation and ending with archiving or deleting data at the end of its useful life
Data loss prevention (DLP)  Detecting and addressing data breaches, exfiltration or unwanted destruction of data
Data minimization  Principle that requires data to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Data mining  The use of computers to analyze large data sets to look for patterns that assist people in making business decisions
Data normalization  A structured process for organizing data into tables in such a way that it preserves the relationships among the data
Data owner  Individual(s) who have responsibility for the integrity, accurate reporting and use of computerized data
Data portability  The ability to transmit a data subject’s data from one controller to another
Data processing  Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Data processorA natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller
Data protection authorityIndependent authority that monitors and supervises the application of a data protection law
Data protection officer (DPO)Enterprise officer who is responsible for informing and advising the enterprise about its data protection obligations and monitoring its compliance with them. The General Data Protection Regulation (GDPR) requires some enterprises to appoint a data protection officer.
Data recipientAny person, public authority, agency or another body to which the personal data are disclosed, including third parties
Data retentionThe policies that govern data and records management for meeting internal, legal and regulatory data archival requirements
Data scienceA new branch of science used to extract knowledge and insights from large and complex data sets. Data science work often requires knowledge of both statistics and software engineering.
Data securityThe controls that seek to maintain confidentiality, integrity and availability of information
Data setA collection of related records
Data structureA particular arrangement of data units, such as an array or a tree
Data subjectA natural person whose personal data are collected, held or processed
Data validation: 1. A process used to determine whether data are inaccurate, incomplete or unreasonable. The process may include format checks, completeness checks, check key tests, reasonableness checks and limit checks.
2. The checking of data for correctness or compliance with applicable standards, rules and conventions
Data warehouse (DW): A generic term for a system that stores, retrieves and manages large volumes of data
Scope Notes: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches and advanced filtering
Data wrangling: The conversion of data, often through the use of scripting languages, to make data easier to manage
Data-oriented systems development: The focus on providing ad hoc reporting for users by developing a suitable accessible database of information and usable data rather than a function
Database: A collection of data, often with controlled redundancy, organized according to a schema to serve one or more applications. The data are stored so that they can be used by different programs without considering the data structure or organization. A common approach is used to add new data and modify and retrieve existing data.
See Archival database.
Database administrator (DBA): An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
Database analysis: A software verification and validation (V&V) task to ensure that the database structure and access methods are compatible with the logical design
Database management system (DBMS): A software system that controls the organization, storage and retrieval of data in a database
Database replication: The process of creating and managing duplicate versions of a database
Scope Notes: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all others. The beauty of replication is that it enables many users to work with their own local copy of a database while the database updates as if they were working on a single centralized database. For database applications in which users are distributed widely geographically, replication is often the most efficient method of database access.
Database security: The degree to which a database is protected from exposure to accidental or malicious alteration or destruction
Database specifications: The requirements for establishing a database application that include field definitions, field requirements and reporting requirements for the individual information in the database
Datagram: A packet (encapsulated with a frame containing information) transmitted in a packet-switching network from source to destination
Debugging: Determining the exact nature and location of a program error and fixing the error
Decentralization: The process of distributing computer processing to different locations within an enterprise
Decentralized autonomous organization (DAO): A computer program on a blockchain that uses smart contracts to set organizational rules via decentralized means
Decision boundary: The separator between classes learned by a model in binary or multiclass classification problems
Decision coverage: A test coverage criterion requiring enough test cases so that each decision has a true and false result at least once, and each statement is executed at least once. Synonymous with branch coverage. Contrasts with condition coverage, multiple condition coverage, path coverage and statement coverage.
Decision support systems (DSS): An interactive system that provides the user with easy access to decision models and data to support semistructured decision-making tasks
Decision trees: A tree structure to represent a number of possible decision paths and an outcome for each path
Decryption: A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. Decryption is the reverse of the encryption process.
Decryption key: A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption
Deep learning: A multilevel algorithm that gradually identifies things at higher levels of abstraction, e.g., image classification
Deep model: A type of neural network containing multiple hidden layers
Deep packet inspection: A type of network packet filtering that evaluates the data and header of a packet transmitted through an inspection point
Default: A computer software setting or preference that states what will automatically happen in the event that the user has not stated another preference. For example, a computer may have a default setting to launch or start Netscape whenever a GIF file is opened; however, if using Photoshop is the preference for viewing a GIF file, the default setting can be changed to Photoshop. Default accounts are provided by the operating system vendor (e.g., root in UNIX).
Default deny policy: A policy whereby access is denied unless it is specifically allowed; the inverse of default
Default password: The password used to gain access when a system is first installed on a computer or network device
Scope Notes: Large lists of default passwords are published on the Internet and maintained at several locations. Failure to change these after installation leaves the system vulnerable.
Default value: A standard setting or state taken by the program if no alternate setting or state is initiated by the system or the user, or a value assigned automatically if one is not given by the user
Defect: Refer to Bug, Error, Exception and Fault.
Defect density: Number of defects per unit of solution size (e.g., the number of bugs per thousand lines of code)
Defense in depth: The practice of layering defenses to provide added protection. Defense in depth improves security by increasing the effort needed in an attack, placing multiple barriers between an attacker and enterprise computing and information resources.
Defense-in-depth approach: A systematic means of layering defenses to provide resiliency against exploited security vulnerabilities that can include aspects of physical, personnel, process, mission and cybersecurity needs
Defined process: The essential subset of organizational process assets for any tailored and managed process. A fully defined process has enough detail that it can be consistently performed by trained and skilled people and is both persistent and habitual. A defined process is necessary at practice group level 3 in the CMMI Practice Areas.
See Managed process.
Degauss: The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media
Scope Notes: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a minimal residue of magnetic induction on the media. Degauss generally means to erase.
Deidentification: Information that cannot reasonably identify, relate to, describe, be associated with or be linked, directly or indirectly, to a particular consumer
Deliverable: An item provided to an acquirer or other designated recipient as specified in an agreement, including a document, hardware item, software item, service or any type of work product
See Acquirer.
Demilitarized zone (DMZ): A small, isolated network that serves as a buffer zone between trusted and untrusted networks
Scope Notes: A demilitarized zone is typically used to house systems, such as web servers, that must be accessible from both internal networks and the Internet.
Demodulation: The process of converting an analog telecommunications signal into a digital computer signal
Demographic: A fact determined by measuring and analyzing data about a population, relying heavily on survey research and census data
Denial-of-service attack (DoS): An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and either stops completely or operates at a significantly reduced rate
Dependent variable: A variable whose value depends on the value of the independent variable
Depreciation: The process of cost allocation that assigns the original cost of equipment to the periods benefited
Scope Notes: The most common method of calculating depreciation is the straight-line method, which assumes that assets should be written off in equal amounts over their lives.
Derived measure: Measure defined as a function of two or more base measures, often expressed as ratios, composite indices or other aggregate summary measures
See Base measure.
Derived requirements: Requirements not explicitly stated in customer requirements but inferred and developed from:
• Contextual requirements, e.g., applicable standards, laws, policies, common practices, management decisions
• Requirements needed to specify a solution component
Derived requirements can also emerge during the analysis and design of solution components. See Product component requirements.
Design: The process of defining the architecture, components, interfaces and other characteristics of a system or component
See Architectural design, Preliminary design and Detailed design.
Design effectiveness: Occurring when the enterprise's controls are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the enterprise’s control objectives and effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements
Design factors: Factors that can influence the design of an enterprise's governance system and position it for success in the use of information and technology (I&T). In COBIT® 2019, design factors include: enterprise strategy, enterprise goals, risk profile, I&T-related issues, threat landscape, compliance requirements, role of IT, sourcing model for IT, IT implementation methods, technology adoption strategy and enterprise size.
Design phase: The period of time in the software life cycle during which the designs for architecture, software components, interfaces and data are created, documented and verified to satisfy requirements
Design review: A formal, recorded, comprehensive and systematic examination of a solution or component design to determine whether the design meets applicable requirements, identify problems and propose solutions
Designee: A delegated appraisal role responsible for performing some tasks, as specified in a defined Appraisal Method Definition Document, in place of the appraisal sponsor or appraisal team leader. The tasks performed by a designee must be clearly identified in the appraisal plan. Only those tasks not specifically reserved (i.e., via a “must” or “shall” statement) for the appraisal team leader or appraisal sponsor may be delegated.
Detailed IS controls: Controls over the acquisition, implementation, delivery and support of IS systems and services, comprising application controls and those general controls not included in pervasive controls
Detection risk: Risk that assets are lost or compromised, or financial statements are materially misstated, due to failure of an enterprise’s internal controls to detect errors or fraud in a timely manner
Detective application controls: Controls designed to detect errors that may have occurred based on predefined logic or business rules; usually executed after an action has taken place and often covering a group of transactions
Detective control: Controls designed to detect and report when errors, omissions and unauthorized uses or entries occur
Develop, use and keep updated: A fundamental principle in CMMI denoting that work products resulting from projects and organizational processes must be used and useful to the work and enable performance. The work products should be kept current to reflect how work is performed or improved.
Developer: A person or group that designs and/or builds, and/or documents and/or configures the hardware and/or software of computerized systems
Development (Dev): Creating a solution by deliberate effort. In some contexts, development can include maintenance of the developed product or service system. In the CMMI product suite, when this term is used with the phrase “development context specific,” it is referring to this definition.
Development methodology: A systematic approach to software creation that defines development phases and specifies the activities, products, verification procedures and completion criteria for each phase
See Incremental development, Rapid prototyping, Spiral model and Waterfall model.
Device: A generic term for a computer subsystem, such as a printer, serial port or disk drive, that frequently requires its own controlling software, termed a device driver
Device identity: Uniquely identifies a specific device
Device management provision tools: Tools that help in device provisioning (the process of attaching a certificate to the device identity)
DevOps: A combination of the terms “development” and “operations.” An enterprise software development phrase used to denote a type of agile relationship between development and Information Technology (IT) operations. The goal of DevOps is to change and improve the relationship between development and operations by advocating better communication and collaboration between these two business units.
Diagnostic: Pertaining to the detection and isolation of faults or failures (e.g., a diagnostic message and a diagnostic manual)
Dial-back: Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the call is coming from a valid phone number or telecommunications channel.
Dial-in access control: Prevents unauthorized access from remote users who attempt to access a secured environment. Ranges from dial-back control to remote user authentication.
Differential privacy: Achieved by adding randomly generated noise to obfuscate personal identifiability. Computations performed on altered data are only statistically/directionally correct (i.e., not exact).
DigiCash: An electronic money corporation and the private, secure digital money it delivers
Digital asset: Any token, whether created in a peer-to-peer and/or cryptographic environment, that exists in a digital format, with the token holder having the ability and right to use or transfer the digital asset. All cryptocurrencies and cryptotokens are subsets of digital assets.
Digital certificate: An electronic credential that permits an entity to exchange information securely via the Internet using the public key infrastructure (PKI)
Digital certification: A process to authenticate (or certify) a party’s digital signature; carried out by trusted third parties
Digital code signing: The process of digitally signing computer code to ensure its integrity
Digital forensics: The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings
Digital signal processor (DSP): Special processing unit specific to audio and telecommunication needs
Digital signature: An electronic identification of a person or entity using a public key algorithm that serves as a way for the recipient to verify the identity of the sender, the integrity of the data and proof of transaction
Digital signature processor: Special processing unit specific to audio and telecommunication needs
Dimension reduction: A technique to extract one or more dimensions that capture as much of the variation in the data as possible
Dimensionality: In statistics, refers to how many attributes a dataset has
Direct reporting engagement: An engagement in which management does not make a written assertion about the effectiveness of their control procedures and an IS auditor provides an opinion about the subject matter directly, such as the effectiveness of the control procedures
Disaster: An emergency event of such great magnitude that it overwhelms the capacity to respond and takes considerable time from which to recover
Disaster declaration: The communication to appropriate internal and external parties that the disaster recovery plan (DRP) is being put into operation
Disaster notification fee: The fee that the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required
Scope Notes: The fee is implemented to discourage false disaster notifications.
Disaster recovery (DR): Activities and programs designed to return the enterprise to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan (DRP) to restore an enterprise's critical business functions.
Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Disaster recovery plan (DRP) desk checking: Typically a read-through of a disaster recovery plan (DRP) without any real actions taking place
Scope Notes: Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified
Disaster recovery plan (DRP) walk-through: Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps that they would need to take to recover. As many aspects of the plan as possible should be tested.
Disaster tolerance: The time gap during which the business can accept the non-availability of IT facilities
Disclosure controls and procedures: The processes in place designed to help ensure that all material information is disclosed by an enterprise in the reports that it files or submits to the U.S. Securities and Exchange Commission (SEC)
Scope Notes: Disclosure controls and procedures also require that disclosures be authorized, complete and accurate, and recorded, processed, summarized and reported within the time periods specified in the SEC rules and forms. Deficiencies in controls, and any significant changes to controls, must be communicated to the enterprise’s audit committee and auditors in a timely manner. An enterprise’s principal executive officer and financial officer must certify the existence of these controls on a quarterly basis.
Discount rate: An interest rate used to calculate a present value, which might or might not include the time value of money, tax effects, risk or other factors
Discovery sampling: A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
Discovery-based appraisal: An appraisal in which limited objective evidence (OE) is provided by the appraised organization prior to the appraisal, and the appraisal team probes and uncovers a majority of the OE during the onsite period necessary to obtain sufficient coverage of model components
See Verification-based appraisal for contrast.
Discrete variable: A variable whose potential values must be one of a specific number of values. Also known as discrete feature.
Discretionary access control (DAC): Logical access control filters that may be configured or modified by the users or data owners
Discriminative model: A model that predicts labels from a set of one or more features. A discriminative model defines the conditional probability of an output based on the features and weights.
Discriminator: A system that determines whether examples are real or fake
Disk: A circular rotating magnetic storage hardware component. Disks can be hard (fixed) or flexible (removable) and can come in different sizes.
Disk mirroring: The practice of duplicating data in separate volumes on two hard disks to make storage more fault-tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.
Diskless workstation: A workstation or PC on a network that does not have its own disk but instead stores files on a network file server
Distributed data processing network: A system of computers connected by a communication network
Scope Notes: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.
Distributed denial-of-service attack (DDoS): A denial-of-service (DoS) assault from multiple sources
Diverse routing: A method of routing traffic through split cable facilities or duplicate cable facilities
Scope Notes: This can be accomplished with different or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing, including dual entrance facilities, from the local carrier. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media, which are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share space with mechanical and electrical systems that can pose great risk due to potential human error and disasters.
DMZSee demilitarized zone.
DocumentA collection of information and data, regardless of the medium, that generally has permanence and can be read by humans or machines. Documents can be work products reflecting the implementation of processes that meet the intent and value of one or more model practices.
Documents may be embedded within an automated, robotic or online system. Documents can be physical hard copies or soft copies that are accessible via hyperlinks in a web-based environment or application. Documents are used and kept updated.
See Artifact and Record
DocumentationAids for understanding the structure and intended uses of an information system or its components, such as flowcharts, textual material and user manuals
Documentation, softwareHuman-readable technical data or information, including computer listings and printouts, that describe or specify design features or other details, explain capabilities, or provide operating instructions to help users obtain desired results from a software system
See Specification; Specification, requirements; Specification, design; Software design description; Test plan, Test report and User's guide.
DomainIn COBIT, the grouping of control objectives into four logical stages in the life cycle of investments involving IT (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate).
Domain name system (DNS)A hierarchical database distributed across the Internet, which allows names to be resolved into IP addresses (and vice versa) to locate services, such as web and email servers
Domain name system (DNS) exfiltrationA technique of tunneling over DNS to gain network access; a lower-level attack vector for simple to complex data transmission, slow but difficult to detect
Domain name system (DNS) poisoningCorrupts the table of an Internet server's DNS, replacing an Internet address with the address of a vagrant or scoundrel address
Scope Notes: If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid email accounts and floods the in-boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning.
Double spendingA potential blockchain flaw in which the native digital token or currency can be spent more than once
Double-loop stepIntegrates the management of tactics (financial budgets and monthly reviews) and the management of strategy
Scope Notes: A reporting system, based on the balanced scorecard (BSC), that allows process to be monitored against strategy and permits corrective actions to be taken as required
DownfadeWi-Fi signal condition that occurs when signals combine and produce lower signal strength—the inverse of upfade
DownloadingThe act of transferring computerized information from one computer to another computer
DownsamplingReducing the amount of information in a feature to train a model more efficiently
Downtime reportA report of the time that elapses when a computer is not operating correctly because of machine failure
DriverA program that links a peripheral device or internal function to the operating system and provides for activation of all device functions; contrasts with test driver
Driver (value and risk)An event or other activity that results in the identification of an assurance/audit need
Dry-pipe fire extinguisher systemA sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times
Scope Notes: The dry-pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.
Dual controlA procedure in which two or more entities (usually persons) operate in concert to protect a system resource so that no single entity acting alone can access that resource
Due careThe level of care expected from a reasonable person of similar competency under similar conditions
Due diligenceThe performance of actions generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review or analysis
Due professional careThe diligence that a person with a special skill would exercise under a given set of circumstances
Dumb terminalA display terminal without processing capability
Scope Notes: A dumb terminal is dependent on the main computer for processing. All entered data are accepted without further editing or validation.
Duplex routing: A method or communication mode of routing data over a communication network
Dynamic analysis: Analysis that is performed in a real-time or continuous form
Dynamic Host Configuration Protocol (DHCP): A protocol used by networked computers (clients) to obtain IP addresses from DHCP servers, and parameters such as default gateways, subnet masks and domain name system (DNS) server IP addresses
Scope Notes: The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client's assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator.
Dynamic model: A model that is trained online in a continuously updating fashion, that is, data are continuously entering the model
Dynamic partitioning: The variable allocation of central processing unit (CPU) processing and memory to multiple applications and data on a server
Dynamic ports: Dynamic, or private, ports in the range 49152 through 65535; not listed by IANA because of their dynamic nature
E-commerce: The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology
Scope Notes: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models but does not include existing non-Internet e-commerce methods based on private networks such as electronic data interchange (EDI) and the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
Early stopping: A method for regularization whereby model training ends before training loss finishes decreasing
Eavesdropping: Listening to a private communication without permission
Echo checks: The detection of line errors by retransmitting data to the sending device for comparison with the original transmission
Econometrics: The use of mathematical and statistical methods in the field of economics to verify and develop economic theories
Economic value added (EVA): A technique developed by G. Bennett Stewart III and registered by the consulting firm of Stern, Stewart in which the performance of the corporate capital base (including depreciated investments such as training, research and development) and more traditional capital investments such as physical property and equipment are measured against what shareholders could earn elsewhere
Edit control: The manual or automated detection of errors in the input portion of information sent to the computer for processing, allowing the user to edit data errors before processing
Editing: The process of ensuring that data conform to predetermined criteria and enable early identification of potential errors
Egress: The exiting of network communications
Electronic data interchange (EDI): The electronic transmission of transactions (information) between two enterprises, promoting a more efficient paperless environment and often replacing the use of standard documents, including invoices or purchase orders
Electronic document: An administrative document (a document with legal validity, such as a contract) in any graphical, photographic, electromagnetic (tape) or other electronic representation of the content
Scope Notes: Almost all countries have developed legislation concerning the definition, use and legal validity of an electronic document. An electronic document, in whatever medium contains the data or information used as evidence of a contract or transaction between parties, is considered together with the software program capable of reading it. The definition of a legally valid document as any representation of legally relevant data, not only those printed on paper, was introduced into the legislation related to computer crime. In addition, many countries, in defining and disciplining the use of such instruments, have issued regulations defining specifics, such as the electronic signature and data interchange formats.
Electronic funds transfer (EFT): The exchange of money via telecommunications, referring to any financial transaction that originates at a terminal and transfers a sum of money from one account to another
Electronic signature: Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data (e.g., digital signatures)
Electronic vaulting: A data recovery strategy that allows enterprises to recover data within hours after a disaster
Scope Notes: Electronic vaulting is typically used for batch/journal updates to critical files to supplement full backups taken periodically, including recovery of data from offsite storage media that mirror data via a communication link.
Eligibility analysis: The description of the required criteria and analysis for determining and recording when an Action Plan Reappraisal can be conducted following a benchmark appraisal or sustainment appraisal
See Action Plan Reappraisal.
Elliptical curve cryptography (ECC): An algorithm that combines plane geometry with algebra to achieve stronger authentication with smaller keys compared to traditional methods, such as RSA, which primarily use algebraic factoring
Scope Notes: Smaller keys are more suitable for mobile devices.
Embedded audit module (EAM): An integral part of an application system designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or use store-and-forward methods. It is also known as an integrated test facility or a continuous auditing module.
Embedded software: Software that is part of a larger system and performs some of the requirements of that system, e.g., software used in an aircraft or rapid transit system. Such software does not provide an interface with the user.
See Firmware.
Empowerment: Authority given to a person or group to perform a specific task
Encapsulating Security Payload (ESP): A protocol designed to provide a mix of security services in IPv4 and IPv6. ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity) and (limited) traffic flow confidentiality. (RFC 4303)
Scope Notes: The ESP header is inserted after the IP header and before the next-layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).
Encapsulation: The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer. In software development, it is a technique that isolates a system function or a set of data and the operations on those data within a module and provides precise specifications for the module.
See Abstraction, Information hiding and Software engineering.
Encapsulation (objects): The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer
Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
Encryption algorithm: A mathematically based function or calculation that encrypts/decrypts data, including block or stream ciphers
Encryption key: A piece of information in a digitized form used by an encryption algorithm to convert the plaintext to the ciphertext
Encryption tools: Tools used to encrypt data
End point: A device that can communicate with a connected network
End user: 1. A person, device, program or computer system that uses an information system for the purpose of data processing in information exchange
2. A person whose occupation requires the use of an information system but does not require any knowledge of computers or computer programming
See User.
End-user computing: The ability of end users to design and implement their own information system using computer software products
Endpoint detection and response systems: Systems focused on detecting and investigating suspicious activities on end points
Engagement letter: A formal document that defines an IS auditor's responsibility, authority and accountability for a specific assignment
Enterprise: A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust
Enterprise architecture (EA): A description of the fundamental underlying design of the business system components or one element of the business system (e.g., technology), the relationships among them and the manner in which they support the enterprise's objectives
Enterprise architecture (EA) for IT: A description of the fundamental underlying design of the IT components of the business, the relationships among them and the manner in which they support the enterprise's objectives
Enterprise goal: Scope Notes: See Business goal.
Enterprise governance: A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly
Enterprise governance of information and technology (EGIT): A concern for the value delivery from digital transformation and the mitigation of business risk that results from digital transformation. Three main outcomes can be expected after successful adoption of EGIT: benefits realization, risk optimization and resource optimization.
Enterprise risk management (ERM): The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders
Entity relationship diagram (ERD): A diagram that depicts a set of real-world entities and the logical relationships among them
Entry criteria: Conditions that must be met before an effort can begin successfully
See Exit criteria.
Environment: 1. Everything that supports a system or the performance of a function
2. The conditions that affect the performance of a system or function
Environmental risk: Threats to natural resources, human health and wildlife
Episode: In reinforcement learning, each of the repeated attempts by the agent to learn an environment
Epoch: A full training pass over the entire dataset such that each example has been seen once. Thus, an epoch represents N/batch_size training iterations, where N is the total number of examples.
Epsilon greedy policy: In reinforcement learning, a policy that follows a random policy with probability epsilon and a greedy policy otherwise
Eradication: The process of identifying and removing the root cause of an incident from the network once containment measures have been deployed after the incident occurs
Erasure: The data subject's ability to obtain the erasure of personal data from the controller; also known as the right to be forgotten
ERP (enterprise resource planning) system: A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise and produce and access information in a real-time environment
Scope Notes: Examples of ERP include SAP®, Oracle Financials® and J.D. Edwards®.
Error: A deviation between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition
See Anomaly, Bug, Defect, Exception and Fault.
Error detection: Techniques used to identify errors in data transfers
Escrow agent: A person, agency or enterprise authorized to act on behalf of another to create a legal relationship with a third party regarding an escrow agreement; also known as the custodian of an asset according to an escrow agreement
Scope Notes: As it relates to a cryptographic key, an escrow agent is the agency or enterprise charged with the responsibility for safeguarding the key components of the unique key.
Escrow agreement: A legal arrangement whereby an asset (often money but sometimes other property such as art, a deed of title, a website, software source code or a cryptographic key) is delivered to a third party (named an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition(s) in a contract
Scope Notes: When the condition set out in the escrow agreement is met, escrow agents will deliver the asset to the proper recipient; otherwise, the escrow agents are bound by their fiduciary duty to maintain the escrow account. Source code escrow signifies a deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer) to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
Ethereum: An open source blockchain system enabling smart contracts and producing Ether as its native cryptocurrency
Ethereum request for comments (ERC): Ethereum blockchain standards designed to enable Layer 2 tokens
Ethernet: A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices attempt to access the network simultaneously
Evaluation: An examination of products, processes, services or environments to identify strengths and weaknesses
Evaluation appraisal: A consistent and reliable assessment method typically used to identify improvement opportunities or business performance without a rating. This includes clear and repeatable process steps used to conduct an initial gap analysis, performance improvement progress monitoring or readiness for benchmark appraisals or sustainment appraisals
Event: Something that happens at a specific place and/or time
Event table: A table that lists events and the corresponding specified effect(s) of or reaction(s) to each event
Event type: One of three possible types of events for the purpose of IT risk management: threat event, loss event and vulnerability event
Scope Notes: The ability to consistently and effectively discern the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.
Evidence: 1. Information that proves or disproves a stated issue
2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Scope Notes: Audit perspective
Example activities: Possible actions that may be taken when implementing processes that meet the intent of a practice. The intent of "Example Activities" is to serve as guidance and suggestions, not as required activities; it is not intended to be a comprehensive list.
Example work products: Possible outputs of implementing processes that meet the intent of a practice. The intent of "Example Work Products" is to serve as guidance and suggestions, not as required work products; it is not intended to be a comprehensive list.
Exception: An event that causes suspension of normal program execution. Types include addressing exception, data exception, operation exception, overflow exception, protection exception and underflow exception.
Exception reports: Reports generated by a program that identify transactions or data that appear to be incorrect
Scope Notes: Exception reports contain items that may be outside a predetermined range or may not conform to specified criteria.
Exclusive-OR (XOR): An operator that returns a value of TRUE only if exactly one of its operands is TRUE
Scope Notes: The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0, or 1 and 1) and produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive-OR operator returns a value of TRUE if either or both of its operands are TRUE.
Executable code: The machine language code generally referred to as the object or load module
Exit criteria: Conditions that must be met before successful completion of an effort
Expert system: The most prevalent type of computer system that arises from the research of artificial intelligence
Scope Notes: An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.
Exploding gradient problem: The tendency for gradients in deep neural networks (especially recurrent neural networks) to become surprisingly steep (high)
Exploit: A method used to take advantage of a vulnerability
Exposure: The potential loss to an area due to the occurrence of an adverse event
Extended Binary Coded Decimal Interchange Code (EBCDIC): An 8-bit code representing 256 characters; used in most large computer systems
Extended enterprise: An enterprise that extends outside its traditional boundaries. Such enterprises concentrate on the processes they do best and rely on someone outside the entity to perform the remaining processes.
eXtensible Access Control Markup Language (XACML): A declarative access control policy language for users of online software applications, implemented in eXtensible Markup Language (XML)
eXtensible Markup Language (XML): A web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and enterprises; promulgated through the World Wide Web Consortium
External router: A router at the extreme edge of the network under control, usually connected to an Internet service provider (ISP) or other service provider; also known as a border router
External storage: The location that contains backup copies to be used in case recovery or restoration is required in the event of a disaster
Externally owned account (EOA): An address generated from a user's public key. An EOA is typically owned by an individual.
Extranet: A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions
Scope Notes: Different from an intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.
Fail-over: The transfer of service from an incapacitated primary component to its backup component
Fail-safe: A system or component that automatically places itself in a safe operational mode in the event of a failure
Source: IEEE
Failure: The inability of a system or component to perform its functions within specified performance requirements
Source: IEEE
See Bug, Crash, Exception and Fault.
Failure analysis: Determining the exact nature and location of a program error in order to fix the error, to identify and fix other similar errors and to initiate corrective action to prevent future occurrences of this type of error. Contrasts with debugging.
Fall-through logic: Optimized code, based on branch prediction, that predicts which way a program will branch when an application is presented
Fallback procedures: A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended
Scope Notes: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.
False authorization: Also called false acceptance; occurs when the biometric system identifies an unauthorized person as an authorized person
False negative (FN): An example in which the model mistakenly predicted the negative class
False positive (FP): An example in which the model mistakenly predicted the positive class
Fault tolerance: A system's level of resilience to seamlessly react to hardware and/or software failure
Feasibility study: Analysis of the known or anticipated need for a product, system or component to assess the degree to which the requirements, designs or plans can be implemented
Feature: The machine-learning expression for a piece of measurable information about something. For example, if researchers store the age, annual income and weight of a set of people, they are storing three features about them.
Feature cross: A synthetic feature formed by crossing (i.e., taking a Cartesian product of) individual binary features obtained from categorical data or from continuous features via bucketing. Feature crosses help represent nonlinear relationships.
Federated learning: A distributed machine-learning approach that trains machine-learning models using decentralized examples residing on devices such as smartphones
Feedforward neural network (FFN): A neural network without cyclic or recursive connections. For example, traditional deep neural networks are feedforward neural networks.
Few-shot learning: A machine-learning approach, often used for object classification, designed to learn effective classifiers from only a small number of training examples
Fiber-optic cable: A cable made of glass fibers that transmits binary signals over a telecommunications network.
Scope Notes: Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps.
Field: 1. On a data medium or in storage, a specified area used for a particular class of data, e.g., a group of character positions used to enter or display wage rates on a screen
2. Defined logical data that is part of a record
3. The elementary unit of a record that may contain a data item, a data aggregate, a pointer or a link
4. A discrete location in a database that contains a unique piece of information. A field is a component of a record. A record is a component of a database.
File: 1. A set of related records treated as a unit, e.g., in stock control, a file can consist of a set of invoices
2. The largest unit of storage structure that consists of a named collection of all occurrences in a database of records of a particular record type
File allocation table (FAT): A table used by the operating system to keep track of where every file is located on the disk.
Scope Notes: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.
File layout: Specifies the length of the file record and the sequence and size of its fields.
Scope Notes: Also specifies the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary.
File server: A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to those data.
Scope Notes: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available.
File Transfer Protocol (FTP): A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)
File-integrity monitoring: Detecting changes to files and configurations to determine any changes to a baseline
Filing system: A structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Filtering router: A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules.
FIN (Final): A flag set in a packet to indicate that this packet is the final data packet of the transmission.
Financial audit: An audit designed to determine the accuracy of financial records and information.
Finger: A protocol and program that allows the remote identification of users logged into a system.
Fire protection system: Systems that help to mitigate the unwanted effects of a fire
Firewall: A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet
Firmware: The combination of a hardware device, e.g., an IC, and computer instructions and data that reside as read-only software on that device. Such software cannot be modified by the computer during processing.
See Embedded software.
First responder interfaces: Systems used to document and communicate information about a breach or other security incident by those first responding to the breach or incident
Fiscal year: Any yearly accounting period without regard to its relationship to a calendar year.
Flat file: A data file that does not physically interconnect with or point to other files. Any relationship between two flat files is logical, e.g., matching account numbers.
Flowchart or flow diagram: 1. Graphical representation in which symbols are used to represent such things as operations, data, flow direction and equipment, for the definition, analysis or solution of a problem
2. A control flow diagram in which suitably annotated geometrical figures are used to represent operations, data or equipment, and arrows are used to indicate the sequential flow from one to another. Synonymous with flow diagram.
See Block diagram, Box diagram, Bubble chart, Graph, Input-process-output chart and Structure chart.
Focus area: An area that describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
Fog computing: A computing architecture that conducts a large portion of data computations on edge devices
Follow-up activity: Activity that determines whether management has taken appropriate corrective actions to resolve deficiencies.
Foreign key: A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value.
Scope Notes: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint.
The relation (table) that contains the foreign key is referred to as the referencing relation, and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In relational theory it would be a candidate key, but in real database management system (DBMS) implementations it is always the primary key.)
Forensic examination: The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise.
Format checking: The application of an edit, using a predefined field definition, to a submitted information stream; a test to ensure that data conform to a predefined format.
FORTRAN: An acronym for FORmula TRANslator, the first widely used high-level programming language. Intended primarily for use in solving technical problems in mathematics, engineering and science
Forward error correction (FEC): An error-controlling mechanism for channels with a large amount of interference
Fourth-generation language (4GL): A high-level, user-friendly, nonprocedural computer language used to program and/or read and process computer files.
Frame relay: A packet-switched wide-area-network (WAN) technology that provides faster performance than older packet-switched WAN technologies.
Scope Notes: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).
Framework: A basic conceptual structure used to solve or address complex issues. An enabler of governance. A set of concepts, assumptions and practices that define how something can be approached or understood, the relationships among the entities involved, the roles of those involved and the boundaries (what is and is not included in the governance system).
See Control framework and IT governance framework.
Fraud: Any act involving the use of deception to obtain illegal advantage
Freeware: A type of software available free of charge
Frequency: A measure of the rate by which events occur over a certain period of time
Frequency analysis: An analysis that determines how often a particular risk scenario might be expected to occur during a specified period of time
Full economic life cycle: The period of time during which material business benefits are expected to arise, and/or during which material expenditures (including investments, running and retirement costs) are expected to be incurred by an investment program
Scope Notes: COBIT 5 perspective
Full node: A critical network device that supports and provides security for the blockchain and is capable of validating and relaying new blocks into the chain
Function1. A mathematical entity whose value (the value of the dependent variable) depends on the values of one or more independent variables, with not more than one value of the dependent variable corresponding to each permissible combination of values from the respective ranges of the independent variables
2. A specific purpose of an entity, or its characteristic action
3. In data communication, a machine action, such as carriage return or line feed
Function point analysis (FPA)A technique used to determine the size of a development task, based on the number of function points
Scope Notes: Function points are factors such as inputs, outputs, inquiries and logical internal sites.
Functional analysis1. A type of analysis that verifies whether or not each safety-critical software requirement is covered and that an appropriate criticality level is assigned to each software element (ISACA)
2. An examination of solution components to broaden and deepen understanding (CMMI)
Functional architectureThe conceptual structure and logical arrangement of functions. This may include internal and external interface functions.
See Architecture and Functional Analysis
Functional design1. The process of defining the working relationships among the components of a system. See Architectural Design
2. The result of the process in definition 1
Functional requirementA requirement that specifies the function(s) that a system or system component must be able to perform
Functional safetyThe detection of a potentially dangerous condition resulting in the activation of a protective or corrective solution to prevent hazardous events from arising, or the act of providing mitigation to reduce the consequence of the hazardous event.
The aspect of the overall safety of a solution, solution component or piece of equipment that depends on the automatic protection mechanisms operating correctly in response to its inputs or failure in a predictable manner (fail-safe). An automatic protection system may be designed to properly handle likely human errors, hardware, solution or solution component failures and operational/environmental stress.
Garbage in, garbage out (GIGO)The concept of data that is nonsensical, or flawed, especially as it relates to the computational sciences
GasA unit/fee that measures the amount of computational effort required to execute certain operations related to a function or smart contract on a blockchain. Best known in relation to the Ethereum blockchain/network.
Gas feeThe cost required to process a transaction on the network (specific to the Ethereum blockchain). Miners can set the price of gas and decline to process a transaction if it does not meet the price threshold that they determine.
GatewayA physical or logical device on a network that serves as an entrance to another network (e.g., router, firewall or software)
GBGigabyte
Gemba walkThe term used to describe personal observation of work; where the work is happening. The original Japanese term comes from gembutsu, which means “real thing." It also known as “genba walk.”
General Architecture for Text Engineering (GATE)An open-source, Java-based framework for natural language processing tasks. The framework lets developers pipeline other tools designed to be plugged into it. The project is based at the UK University of Sheffield.
General computer controlA control, other than an application control, that relates to the environment in which computer- based application systems are developed, maintained and operated and is therefore applicable to all applications. The objectives of general controls are to ensure the proper development
and implementation of applications and the integrity of program and data files and computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and security policy, the organization of IS staff to separate conflicting duties and the development of a disaster prevention and recovery plan.
GeneralizationThe ability of a model to make correct predictions on new, previously unseen data, as opposed to the data used to train the model
Generalized audit software (GAS)Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting
Generic process controlA control that applies to all processes of the enterprise
Generic routing encapsulation (GRE)An IP encapsulation protocol for transmitting network traffic between network nodes
Genetic dataPersonal data that relates to the inherited or acquired genetic characteristics of a natural person and gives unique information about the physiology or health of that natural person. Genetic data results, in particular, from an analysis of a biological sample from the natural person in question.
Geographic disk mirroringA data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high-performance communication lines. Any write to a disk on one side will result in a write on the other side. The local write will not return until the acknowledgment of the remote write is successful.
Geographical information system (GIS)A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the Earth
Scope Notes: GIS data exist as maps, tri-dimensional virtual models, lists and tables.
Gigabyte (GB)A unit of data storage that equals approximately one billion bytes (or precisely 2^30, i.e., 1,073,741,824 bytes)
Good practiceA proven activity or process that has been successfully used by multiple enterprises and shown to produce reliable results
GovernanceThe method by which an enterprise evaluates stakeholder needs, conditions and options to determine balanced, agreed-upon enterprise objectives to be achieved. It involves setting direction through prioritization, decision making and monitoring performance and compliance against the agreed-upon direction and objectives.
Governance componentFactors that, individually and collectively, contribute to the successful operation of the enterprise's governance system over information and technology (I&T). Components interact with each other resulting in a holistic governance system for I&T. Components include processes; organizational structures; principles, policies and procedures; information; culture, ethics and behavior; people, skills and competencies; and services, infrastructure and applications.
Governance enablerSomething (tangible or intangible) that assists in the realization of effective governance
Scope Notes: COBIT 5 perspective (this term was updated to "governance component" in COBIT 2019)
Governance frameworkA basic conceptual structure used to solve or address complex issues. In the governance context, a framework is used to build a governance system for the enterprise. In COBIT 2019, a governance framework should:
1. be based on a conceptual model, identifying the key components and relationships among components to maximize consistency and allow automation.
2. be open and flexible, allowing for the addition of new content and the ability to address new issues in the most flexible way while maintaining integrity and consistency.
3. align to relevant major standards, frameworks and regulations.
Governance of enterprise ITA governance view that ensures that information and related technology support and enable the enterprise strategy and achievement of enterprise objectives. This also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.
Scope Notes: COBIT 5 perspective
Governance systemThe core requirements that underlie the governance over enterprise information and technology. In COBIT 2019, the six principles for a governance system are:
1. Providing stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system
Governance, risk management and compliance (GRC)A business term used to group the three closely related disciplines responsible for operations and the protection of assets
Governance/management objectiveThe outcomes (objectives) for achieving enterprise goals for information and technology. In COBIT 2019, a governance or management objective always relates to one process, a governance objective relates to a governance process and a management objective relates to a management process. Boards and executive management are typically accountable for governance processes, while management processes are the domain of senior and middle management.
Governance/management practiceFor each COBIT 5 process, practices that provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management.
Scope Notes: COBIT 5 perspective
Gradient boostingA machine-learning technique for regression and classification problems that produces a prediction model in the form of an ensemble of weak prediction models, typically decision trees. It builds the model in a stage-wise fashion, like other boosting methods, and generalizes them by allowing the optimization of an arbitrary differentiable loss function.
Gradient descentAn optimization algorithm for finding the input to a function that produces the largest (or smallest) possible value
GraphA diagram or other representation consisting of a finite set of nodes and internode connections called edges or arcs. Contrasts with blueprint.
See Block diagram, Box diagram, Bubble chart, Call graph, Cause-effect graph, Control flow diagram, Data flow diagram, Directed graph, Flowchart, Input-process-output chart, Structure chart and Transaction flowgraph.
Graphic software specificationsThe documents, such as charts, diagrams and graphs, that depict program structure, states of data, control, transaction flow, HIPO and cause-effect relationships. Tables, including truth, decision, event, state-transition, module interface, and exception conditions/responses, are necessary to establish design integrity.
Graphics processing unitA special processing unit made to render high-quality images and video files
Greedy policyA policy in reinforcement learning that always chooses the action with the highest expected return
Ground truthThe correct answer; reality. Since reality is often subjective, expert raters typically are the proxy for ground truth.
GuidelineA description of a particular way of accomplishing something that is less prescriptive than a procedure
Habit and persistenceThe routine way of doing business and following and improving processes that an enterprise demonstrates as part of its culture
HackerAn individual who attempts to gain unauthorized access to a computer system
Handprint scannerA biometric device used to authenticate a user through palm scans
Haptic technologyA technology feature that renders an event of physical contact to a user through the application of vibrations
Hard disk driveHardware used to read from or write to a hard disk
See Disk and Disk drive
Hard forkA change to blockchain software that makes it so that any nodes validating according to the old software will see all blocks produced after the new software as invalid. For blockchain nodes to work in alignment with the new software, each will be required to upgrade. If a group of nodes does not upgrade and perpetuates the use of the old version of the software, a permanent split in the blockchain can occur.
HardenThe process of configuring a computer or other network device to resist attacks
HardwarePhysical equipment, as opposed to programs, procedures, rules and associated documentation; contrasts with software
Hardware engineeringThe application of a systematic, disciplined and measurable approach to transforming a set of requirements using documented techniques and technology to design, implement and maintain a tangible solution. In CMMI, hardware engineering represents all technical fields, e.g., electrical and mechanical, that transform requirements and ideas into tangible solutions.
See Software engineering and Systems engineering
HashA cryptographic function that takes an input of an arbitrary length and produces an output (also known as a message digest) that is a standard-sized binary string. The output is unique to the input in such a way that even a minor change to the input results in a completely different output. Modern cryptographic hash functions are also resistant to collisions (situations in which different inputs produce identical output); a collision, while possible, is statistically improbable. Cryptographic hash functions are developed so that input cannot be determined readily from the output.
Hash function1. An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input
2. Fixed values derived mathematically from a text message
Hash powerThe individual unit of power contributed by a single miner or worker to the proof-of-work (PoW) hash rate
Hash rateA measure of computational power. The proof-of-work (PoW) blockchain network measures the security profile using the total hash rate provided by all full nodes in supporting the consensus algorithm. Generally, the higher the total hash rate, the more secure the PoW blockchain network.
Hash totalThe total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate the accuracy of processing.
Hashed timelocksA technical approach that involves a type of smart contract utilized in cryptoasset transactions and designed to remove counterparty risk, which is the risk that the other party to a transaction cannot participate in the trade
Hashing1. A technique involving using a hash function (algorithm) to create hash values or checksums that validate message integrity
2. In data processing and machine learning, a mechanism for bucketing categorical data, particularly when the number of categories is large, but the number of categories actually appearing in the dataset is comparatively small
HazardA condition or event that poses a risk to safety. Hazards can be internal or external.
Help deskA service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks
Scope Notes: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.
HeuristicA quick solution to a problem, which may or may not be the best solution
Heuristic filterA method often employed by antispam software to filter spam using criteria established in a centralized rule database
Scope Notes: Every e-mail message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
HexadecimalThe base-16 number system. Digits are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. This is a convenient form in which to examine binary data because it collects four binary digits per hexadecimal digit, e.g., decimal 15 is 1111 in binary and F in hexadecimal.
Hidden layerA synthetic layer in a neural network between the input layer (the features) and the output layer (the prediction). Hidden layers typically contain an activation function (e.g., ReLU) for training. A deep neural network contains more than one hidden layer.
Hierarchical databaseA database structured in a tree/root or parent/child relationship.
Scope Notes: Each parent can have many children, but each child may have only one parent.
High maturityA classification based on the Capability Maturity Model Integration (CMMI) model for processes. CMMI model practice group levels (and their associated practices) of 4 or 5 are considered high maturity. High maturity organizations and projects use quantitative and statistical analysis to determine, identify and manage central tendency and dispersion and to understand and address process stability and capability and how these impact the achievement of quality and process performance objectives.
High-level languageA programming language that requires little knowledge of the target computer; can be translated into several different machine languages; allows symbolic naming of operations and addresses; provides features designed to facilitate the expression of data structures and program logic; and usually results in several machine instructions for each program statement. Examples are PL/1, COBOL, BASIC, FORTRAN, Ada, Pascal and C. This term contrasts with assembly language.
HijackingAn exploitation of a valid network session for unauthorized purposes
HistogramA graphical representation of the distribution of a set of numeric data, usually a vertical bar graph
Homomorphic encryptionA type of encryption that supports two primitive operations in the ciphertext/encrypted space, multiplication and addition of two homomorphically encrypted values, wherein the decrypted product or sum provides a meaningful value (i.e., when decrypted, the result is the same as if the operation had been performed on the unencrypted values). It is the only category of encryption wherein operations on encrypted values yield meaningful results.
HoneypotA specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner so that their actions do not affect production systems
Horizontal defense in depthThe controls that are in place to access an asset (this is functionally equivalent to the concentric ring model)
Hot siteA fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster
HubA common connection point for devices in a network; hubs are used to connect segments of a local area network (LAN)
Scope Notes: A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.
Human firewallA person prepared to act as a network layer of defense through education and awareness
Hurdle rateA required rate of return, above which an investment makes sense and below which it does not
Scope Notes: Often based on the cost of capital, plus or minus a risk premium, and often varied based on prevailing economic conditions
Hybrid application controlsA combination of manual and automated activities, all of which must operate for the control to be effective.
Scope Notes: Sometimes referred to as computer-dependent application controls
Hybrid blockchainA blockchain that attempts to use optimal parts of private and public blockchain solutions; hybrid blockchains are not open to all parties, but still maintain the immutability, transparency and integrity features of public chains
Hybrid cloudA cloud computing environment that combines services and resources from both private and public clouds
HypercallA stopgap between a hypervisor and the host to filter and control privileged operations
HyperledgerAn umbrella project started by the Linux Foundation, with participation by IBM, Intel and SAP, to build open source blockchains and related tools
HyperlinkAn electronic pathway that may be displayed in the form of highlighted text, graphics or a button that connects one web page with another web page address
HyperparameterThe knobs that are tweaked during successive runs of training a model
HypertextA language that enables electronic documents that present information to be connected by links instead of being presented sequentially, as is the case with normal text
Hypertext Markup Language (HTML)A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser. It is used to structure information (denoting certain text such as headings, paragraphs and lists) and can be used to describe, to some degree, the appearance and semantics of a document.
Hypertext Transfer Protocol (HTTP)A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to client browsers.
Hypertext Transfer Protocol Secure (HTTPS)A protocol for accessing a secure web server, whereby all data transferred are encrypted. A standard port number is 443.
HyperthreadingThe Intel proprietary implementation of simultaneous multithreading
HypervisorsA type of software that allows multiple virtual machines to be run on a host machine or group of host machines
I/OThe acronym for input/output
IdentifiabilityA condition that results in a personally identifiable information (PII) principal being identified, directly or indirectly, on the basis of a given set of PII
Identifiable natural personSomeone who can be identified, directly or indirectly, from an identifier, such as a name, identification number, location data, online identifier or from one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
IdentifierA set of attribute values that unambiguously distinguishes one entity from another. The total list of an entity's attribute values allows it to be unambiguously distinguished from all other entities within a given context and also recognized as a single identity in that context.
Identity and access management (IAM)A framework that encapsulates people, processes and products to identify and manage the data used in an information system, authenticate users and grant or deny access rights to data and system resources. The goal of IAM is to provide appropriate access to enterprise resources.
Idle standbyA fail-over process in which the primary node owns the resource group and the backup node runs idle, only supervising the primary node
Scope Notes: In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means that the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption.
IEEE (Institute of Electrical and Electronics Engineers)An organization composed of engineers, scientists and students. IEEE is pronounced "I-triple-E."
Scope Notes: Best known for developing standards for the computer and electronics industry
IEEE 802.11A family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.
Image processingThe process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry
Image recognitionA process that classifies objects, patterns or concepts in an image. Image recognition is also known as image classification.
ImagingA process that allows one to obtain a bit-for-bit copy of data to avoid damaging the original data or information when multiple analyses are performed
Scope Notes: The imaging process helps in obtaining residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.
ImmutableA term that describes something that is unable to be modified after creation
ImpactA magnitude of loss resulting from a threat exploiting a vulnerability
Impact analysisA study to prioritize the criticality of information resources for the enterprise based on the costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses are determined for different time periods. This assessment is used to justify the safeguards required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
Impact assessmentA review of the possible consequences of a risk
See Impact analysis
ImpairmentA condition that causes a weakness or diminished ability to execute audit objectives
Scope Notes: Impairment to organizational independence and individual objectivity may include a personal conflict of interest; scope limitations; restrictions on access to records, personnel, equipment or facilities; and resource limitations (such as funding or staffing).
ImpersonationAn entity that mimics a system, process or person in an attempt to manipulate the user into an action that can cause an unexpected or unwanted event to a system
ImplementIn business, the full economic life cycle of an investment program through retirement (i.e., when the full expected value of the investment is realized, as much value as is deemed possible has been realized or it is determined that the expected value cannot be realized and the program is terminated)
ImplementationThe process of translating a design into hardware components, software components or both
See Coding
Implementation life cycle reviewThe controls that support the process of transforming an enterprise’s legacy information systems into the enterprise resource planning (ERP) applications
Scope Notes: Largely covers all aspects of systems implementation and configuration, such as change management
Implementation phaseThe period of time in the software life cycle during which a software product is created from design documentation and debugged
Improvement in progressA type of preliminary or final finding statement that reflects the current state of a practice area or practice newly implemented for a project(s) or organizational unit and shows promise of helping to achieve further improvement. Due to the recent nature of process implementation, artifacts may be limited.
Improvement opportunityA type of preliminary or final finding about a particular practice area or practice which typically meets the intent and value of a model practice but represents an opportunity for the process to be improved
IncidentA violation or imminent threat of violation of computer security policies, acceptable use policies, guidelines or standard security practices
Incident responseThe response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people or its ability to function productively. Incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing a damage assessment or any other measures necessary to bring an enterprise to a more stable status.
Incident response plan (IRP)The operational component of incident management (also called IRP)
Scope Notes: The plan includes documented procedures and guidelines for defining the criticality of incidents, reporting and escalation processes and recovery procedures.
Incident response toolsTools used to identify and address cyberattacks or other digital security threats
Inconsequential deficiencyA deficiency wherein a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiency, either individually or when aggregated with others, would be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.
Incremental developmentA software development technique in which requirements definition, design, implementation and testing occur in an overlapping, iterative (rather than sequential) manner, resulting in incremental completion of the overall software product. Contrasts with rapid prototyping, the spiral model and the waterfall model.
Incremental integrationA structured reformation of the program, module by module or function by function, with an integration test being performed following each addition. Methods include top-down, breadth- first, depth-first and bottom-up.
Incremental testingThe deliberate testing of only the value-added functionality of a software component
IndependenceA type of self-governance that includes freedom from conflict of interest and undue influence. An IT auditor should be free to make his/her own decisions and not be influenced by the organization being audited and its people (managers and employees).
Independent attitudeAn attitude with an impartial point of view. This attitude allows an IS auditor to act objectively and with fairness.
Independently and identically distributedData from a distribution that does not change, and where each value drawn does not depend on values that have been drawn previously. An i.i.d. is the ideal gas of machine learning—a useful mathematical construct but almost never exactly found in the real world.
Indexed Sequential Access Method (ISAM)A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability
Indexed sequential fileA file format in which records are organized and can be accessed, according to a pre-established key that is part of the record
Individual data sovereigntyThe capability of data subjects (owners of personal data) to manage and/or delimit the use of their personal data, according to applicable laws and regulations
Industry standardThe procedures and criteria recognized as acceptable practices by peer professionals, credentialing or accrediting organizations
InferenceThe process of making predictions by applying the trained model to unlabeled examples in machine learning
InformationAn asset that, like other important business assets, is essential to an enterprise’s business. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Information and technology (I&T) operations and service delivery risk (I&T)Risk related to the performance of IT systems and services. A poorly performing IT operation can bring destruction or reduction of value to the enterprise.
Information and technology (I&T)-related riskA part of overall business risk associated with the use, ownership, operation, involvement, influence and adoption of information and technology (I&T) within an enterprise
Information architectureOne component of IT architecture (together with applications and technology)
Information criteriaInformation attributes that must be satisfied to meet business requirements
Information engineeringDevelopment techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems
Information hidingThe practice of hiding the details of a function or structure, making them inaccessible to other parts of the program
See Abstraction, Encapsulation and Software engineering.
Information processing facility (IPF)The computer room and support areas
Information securityThe assurance that information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and nonaccess when required (availability). Information security deals with all formats of information—paper documents, digital assets, intellectual property in people’s minds and verbal and visual communications.
Information security governanceThe set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s information security resources are used responsibly.
Information security governanceThe set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly
Information security programThe combination of technical, operational and procedural measures and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis
Information security testing toolsTools used to test the accuracy and completeness of an enterprise’s cybersecurity practices and controls
Information systems (IS)The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies
Scope Notes: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.
Information technology (IT)The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form
Informative materialA type of material that includes everything other than the required information. Explanatory information in practice are part of the informative material. Informative material also includes the overview and appendices, e.g., glossary and index. Informative material must not be ignored, as it is needed to correctly understand and adopt the model.
External links can be added to the informative material. These are links to external assets such as:
• Additional informative material
• Adoption examples
• Transition and adoption guidance from one model or standard to others
• Templates
• Training materials
Inherent security riskThe risk level or exposure without taking into account the actions that management has taken or might take
InformedRefers to those people who are kept up to date on the progress of an activity (one-way communication) in a RACI (Responsible, Accountable, Consulted, Informed) chart.
Infrastructure as a Service (IaaS)A form of cloud computing that offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, including operating systems and applications
Infrastructure riskThe risk that information and technology (I&T) infrastructure and systems may be unable to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion
IngestionA process to convert extracted information to a format that can be understood by investigators
See Normalization
IngressTraffic that comes into a network
Inherent riskThe level of risk or exposure that does not account for the actions management has taken or might take (e.g., implementing controls)
Inherent security riskThe level of risk or exposure that does not account for the actions management has taken or might take
Inheritance (objects)Database structures that have a strict hierarchy (no multiple inheritance). Inheritance can initiate other objects irrespective of the class hierarchy; thus, there is no strict hierarchy of objects.
Initial program load (IPL)The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction
Initialization vector (IV) collisionsA type of attack involving initialization vectors (IVs). Wired equivalent privacy (WEP) can allocate the RC4 IVs used to create the keys that can drive a pseudo-random number generator, which is eventually used for encryption of the wireless data traffic. The IV in WEP is a 24-bit field: a small space that practically guarantees key reuse. The WEP standard also fails to specify how these IVs are assigned. Many wireless network cards reset the IVs to zero and then increment them by one for every use. If an attacker can capture two packets using the same IV (the same key, if the key has not been changed), mechanisms can be used to determine portions of the original packets. This and other weaknesses that result in key reuse can create a susceptibility to attacks. These attacks require a large number of packets (5-6 million) to fully derive the WEP key; on a large, busy network, this can occur in a short time, sometimes as quickly as 10 minutes (however, some of the largest corporate networks will likely require much more time to gather enough packets). In WEP-protected wireless networks, often multiple, or all, stations use the same shared key. This greatly increases the chances of IV collisions. The result is that the network becomes insecure if the WEP keys are not frequently changed, which furthers the need for a WEP key management protocol.
InjectionA general term for attack types that inject code that is then interpreted/executed by the application
Source Notes: OWASP
Input controlTechniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer
Input-processing-outputA structured software design technique. Identification of the steps involved in each process is performed, including the inputs and outputs in each step. A refinement called hierarchical input-process-output identifies the steps, inputs and outputs for both general and detailed levels.
Input/output (I/O)A way for microprocessors and computers to communicate with the outside world to get the data needed for programs and communicate the results of their data manipulations. This is accomplished through I/O ports and devices.
Insider threat softwareSoftware designed to detect and mitigate actions by insiders who may pose a threat to an enterprise
Insider threatsThreats to an enterprise that come from individuals within the enterprise, such as employees or contractors
InstallationThe phase in the system life cycle that includes assembly and testing of the hardware and software of a computerized system. Installation includes installing a new computer system, software or hardware or otherwise modifying the current system.
Installation and checkout phaseThe period of time in the software life cycle during which a software product is integrated into its operational environment and tested to ensure that it performs as required
Instant messaging (IM)An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data
Scope Notes: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) and connected over a network, such as the Internet.
Institute of Electrical and Electronic Engineers (IEEE)An organization involved in the generation and promulgation of standards. IEEE standards represent the formalization of current norms of professional practice through the process of obtaining the consensus of concerned practicing professionals in a given field.
Instruction1. A program statement that causes a computer to perform a particular operation or set of operations
2. In a programming language, a meaningful expression that specifies one operation and identifies its operands, if any
Instruction set1. The complete set of instructions recognized by a given computer or provided by a given programming language
2. The set of the instructions of a computer, a programming language or the programming languages in a programming system
See Computer instruction set
Intangible assetAn asset that is not physical in nature
Scope Notes: Examples include intellectual property (patents, trademarks, copyrights and processes), goodwill and brand recognition.
Integrated circuit (IC)An electronic circuit comprised of capacitors, transistors and resistors that is the building block of most electronic devices and equipment. It is also referred to as a chip or microchip.
Integrated services digital network (ISDN)A public end-to-end digital telecommunications network with signaling, switching and transport capabilities that support a wide range of services accessed by standardized interfaces with integrated customer control
Scope Notes: The standard allows transmission of digital voice, video and data over 64-kbps lines.
Integrated test facilities (ITF)A testing methodology in which test data are processed in production systems
Scope Notes: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.
Integration environmentThe configuration of processes, systems, tools, people and associated infrastructure used when combining components to develop a solution
IntegrityThe guarding against improper information modification or destruction. This includes ensuring information nonrepudiation and authenticity.
Integrity riskThe risk that data may be unavailable due to incompleteness or inaccuracy
Intellectual propertyIntangible assets that belong to an enterprise for its exclusive use. Examples include patents, copyrights, trademarks, ideas and trade secrets.
Intent and valueA statement for the purposes of characterization and rating. When the phrases “intent and value” or “meet the intent and value” are used in the Medical Definition Document (MDD), it means the appraisal team must review and analyze Objective Evidence (OE) for the practice area intent, practice statement intent and their corresponding value statements. They must also present any additional required Practice information in order to characterize and rate accurately.
Intent-based networking (IBN)A form of network administration that incorporates artificial intelligence (AI), network orchestration and machine learning (ML) to automate administrative tasks across a network
InteractiveA system or mode of operation in which each user entry causes a response from or action by the system. This is in contrast to batch processing.
See Conversational, Online and Real time.
Interface1. A shared boundary between two functional units, defined by functional characteristics, common physical interconnection characteristics, signal characteristics and other characteristics, as appropriate. The concept involves the specification of the connection of two devices having different functions.
2. A point of communication between two or more processes, persons or other physical entities.
3. A peripheral device that permits two or more devices to communicate.
Interface dataInformation describing interfaces or connections
Interface or connectionA shared boundary across components, humans, services, hardware or software that needs or exchanges information or data. Either the term “interface” or “connection” may be used to describe this boundary.
Interface or connection descriptionA description of the functional and physical characteristics of a component and its boundaries, e.g., user, system, that describes its interaction with another component
Interface testingA testing technique used to evaluate output from one application while the information is sent as input to another application
Internal control environmentThe relevant environment on which the controls have an effect
Internal control over financial reportingA process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Includes those policies and procedures that:
• Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the registrant
• Provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with generally accepted accounting principles and that receipts and expenditures of the registrant are made only in accordance with authorizations of management and directors of the registrant
• Provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements
Internal control structureThe dynamic, integrated processes, effected by the governing body, management and all other staff, that are designed to provide reasonable assurance regarding the achievement of the following general objectives:
• Effectiveness, efficiency and economy of operations
• Reliability of management
• Compliance with applicable laws, regulations and internal policies
Management’s strategies for achieving these general objectives are affected by the design and operation of the following components:
• Control environment
• Information system
• Control procedures
Internal controlsThe policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Internal penetratorsAn authorized user of a computer system who oversteps his/her legitimate access rights
Scope Notes: This category is divided into masqueraders and clandestine users.
Internal rate of return (IRR)The discount rate that equates an investment cost with its projected earnings
Scope Notes: When discounted at the IRR, the present value of the cash outflow will equal the present value of the cash inflow. The IRR and net present value (NPV) are measures of the expected profitability of an investment project.
Internal storageThe main memory of the computer’s central processing unit (CPU)
International Organization for Standardization (ISO)An organization that sets international standards. It deals with all fields except electrical and electronics, which are governed by the International Electrotechnical Commission (IEC). Synonymous with the International Standards Organization.
International Standards Organization (ISO)The world’s largest developer of voluntary International Standards
Internet1. Two or more networks connected by a router
2. The world’s largest network using Transmission Control Protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions
Internet Assigned Numbers Authority (IANA)Responsible for the global coordination of the DNS root, IP addressing and other Internet protocol resources
Internet bankingUse of the Internet as a remote delivery channel for banking services
Scope Notes: Services include traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank’s web site).
Internet Control Message Protocol (ICMP)A set of protocols that allow systems to communicate information about the state of services on other systems
Scope Notes: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links and whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.
Internet Engineering Task Force (IETF)An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.
Internet Inter-ORB Protocol (IIOP)A protocol developed by the object management group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web
Scope Notes: CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays and more complex program subelements, are referred to as objects. The use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This differs significantly from HyperText Transfer Protocol (HTTP), which only supports the transmission of text.
Internet of Things (IoT)A collection of sensors, actuators and computing capabilities that work together to solve a problem or provide a service over the Internet
Internet Protocol (IP)Specifies the format of packets and the addressing scheme
Internet Protocol (IP) packet spoofingAn attack using packets with spoofed source Internet Protocol (IP) addresses
Scope Notes: This technique exploits applications that use authentication based on IP addresses. This technique may enable an unauthorized user to gain root access to the target system.
Internet proxy systemA server that acts as a gateway between an individual and the internet
Internet service provider (ISP)A third party that provides individuals and enterprises access to the Internet and a variety of other Internet-related services
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)IPX is the layer 3 (network) protocol of the open systems interconnect (OSI) model; SPX is the layer 4 transport protocol. The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.
InteroperabilityThe ability to exchange, access and make use of information across different systems and/or networks without the need for intermediaries and the capacity to transfer an asset between two or more networks or systems without changing the state of the asset
InterpretTo translate and execute each statement or construct of a computer program before translating and executing the next. Contrasts with assemble and compile.
InterpreterA computer program that translates and executes each statement or construct of a computer program before translating and executing the next. The interpreter must be resident in the computer each time a program [source code file] written in an interpreted language is executed. Contrasts with assembler and compiler.
InterrogationUsed to obtain prior indicators or relationships from extracted data, including telephone numbers, IP addresses and names of individuals
InterruptA hardware or software signal stemming from an event that requires immediate attention
Interruption windowThe time that the company can wait from the point of failure to the restoration of the minimum critical services or applications. After this time, the progressive losses caused by the interruption are excessive for the enterprise.
InterviewA meeting (virtual or face-to-face) that includes an interactive discussion between appraisal team members and those who have a process role, e.g., implementing, using, or following the processes, within the organizational unit or project
IntranetA private network that uses the infrastructure and standards of the Internet and World Wide Web but is isolated from the public Internet by firewall barriers
IntruderAn individual or group that gains access to the network and its resources without permission
IntrusionAny event during which unauthorized access occurs
Intrusion detectionThe process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack
Intrusion detection system (IDS)A system that inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack
Intrusion preventionA preemptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruption
Intrusion prevention system (IPS)A system designed to not only detect attacks but also prevent the intended victim hosts from being affected by the attacks
Intrusive monitoringIn vulnerability analysis, the process of gaining information by performing checks that affect the normal operation of a system or by crashing the system
Invalid inputs1. Test data that lie outside the domain of the function the program represents
2. Not only inputs outside the valid range for data to be input, i.e., when the specified input range is 50 to 100, but also unexpected inputs, especially when these unexpected inputs may easily occur, e.g., the entry of alpha characters or special keyboard characters when only numeric data is valid or the input of abnormal command sequences to a program
InvestigationThe collection and analysis of evidence with the goal to identify the perpetrator of an attack or unauthorized use or access
Investment (or expense) riskThe risk that I&T investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall I&T investment portfolio
Investment portfolioThe collection of investments being considered and/or made
Scope Notes: COBIT 5 perspective
IP addressA unique binary number used to identify devices on a TCP/IP network. May be IP version 4 or 6.
IP Authentication Header (AH)Protocol used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays (RFC 4302)
Scope Notes: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data origin authentication, AH includes a secret shared key in the algorithm it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.
IP Security (IPSec)A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets
IrregularityViolation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omissions of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.
ISOInternational Organization for Standardization
ISO 9001:2000The code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any enterprise that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets.
ISO/IEC 17799This standard defines information confidentiality, integrity and availability controls in a comprehensive information security management system
Scope Notes: Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The latest version is ISO/IEC 17799:2005.
ISO/IEC 27001A standard for Information Security Management: Specification with Guidance for Use; the replacement for BS7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management standards, such as ISO/IEC 9001 and 14001.
IT applicationElectronic functionality that constitutes parts of business processes undertaken by, or with the assistance of, IT
Scope Notes: COBIT 5 perspective
IT architectureA description of the fundamental underlying design of the IT components of the business, the relationships among them and the manner in which they support the enterprise’s objectives
IT goalA statement describing a desired outcome of enterprise IT in support of enterprise goals. An outcome can be an artifact, a significant change of a state or a significant capability improvement. Note: This was renamed "alignment goal" in COBIT 2019.
Scope Notes: COBIT 5 perspective
IT governanceThe responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise's strategies and objectives
IT governance frameworkA model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance.
See also "governance framework."
Scope Notes: Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategy and objectives.
IT Governance Institute® (ITGI)Founded in 1998 by the Information Systems Audit and Control Association (now known as ISACA). ITGI strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and to increase stakeholder value by expanding awareness.
IT incidentAny event not part of the ordinary operation of a service that causes, or may cause, an interruption to or a reduction in the quality of that service
IT infrastructureThe set of hardware, software and facilities that integrate an enterprise's IT assets
Scope Notes: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise’s users
IT investment dashboardA tool for setting expectations for an enterprise at each level and continuously monitoring performance against set targets for expenditures on, and returns from, IT-enabled investment projects in terms of business values
IT riskThe business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
IT risk issue1. An instance of IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk
IT risk profileA description of the overall (identified) IT risk to which the enterprise is exposed
IT risk registerA repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition.
IT risk scenarioThe description of an IT-related event that can lead to a business impact
IT serviceThe day-to-day provision to customers of information and technology infrastructure and applications and support for their use—e.g., service desk, equipment supply and moves, and security authorizations
Scope Notes: COBIT 2019 perspective
IT steering committeeAn executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects
IT strategic planA long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals)
IT strategy committeeA committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions
Scope Notes: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.
IT tactical planA medium-term plan (i.e., six- to 18-month horizon) that translates the IT strategic plan into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed
IT userA person who uses IT to support or achieve a business objective
IT-related incidentAn IT-related event that causes an operational, developmental and/or strategic business impact
ITIL (IT Infrastructure Library)The UK Office of Government Commerce (OGC) IT Infrastructure Library, which is a set of guides on the management and provision of operational IT services
JavaScriptA scripting language originally designed in the mid-1990s for embedding logic in web pages, but which later evolved into a more general-purpose development language. JavaScript continues to be very popular for embedding logic in web pages.
JobA user-defined unit of work to be accomplished by a computer. For example: the compilation, loading and execution of a computer program
See Job control language.
Job control language (JCL)Used to control run routines in connection with performing tasks on a computer
Joint PII controllerA PII controller that determines the purposes and means of the processing of PII with one or more other PII controllers
Journal entryA debit or credit to a general ledger account
See Manual journal entry.
Judgment samplingAny sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically
K-means clusteringA data-mining algorithm to cluster, classify or group N objects based on their attributes or features into K number of groups (so-called clusters)
K-nearest neighborsA machine-learning algorithm that classifies things based on their similarity to nearby neighbors. The algorithm execution is refined by picking how many neighbors to examine (k) and some notion of distance to indicate how near the neighbors are.
KBKilobyte
KerasA popular Python machine-learning API
KernelPrimary (of three) component of an operating system
Kernel modeUsed for execution of privileged instructions for the internal operation of the operating system. In kernel mode, there are no protections from errors or malicious activity, and all parts of the system and memory are accessible.
Key control indicator (KCI)A measure of the effectiveness of controls to indicate a failure or weakness which may result in the increased likelihood or impact of risk events
Key goal indicator (KGI)A measure that tells management after the fact whether an IT process has achieved its business requirements; usually expressed in terms of information criteria
Key lengthThe size of an encryption key measured in bits
Key managementThe generation, exchange, storage, use, destruction and replacement of keys in a cryptosystem
Key management practiceA management practice that is required to successfully execute business processes
Key performance indicator (KPI)A type of performance measurement
Key risk indicator (KRI)A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk
Scope Notes: See also Risk indicator.
KeyloggerSoftware used to record all keystrokes on a computer
KeypointsThe coordinates of particular features in an image
Kilobyte (KB)Approximately one thousand bytes. This term is used to describe the size of computer memory or disk storage space. Because computers use a binary number system, a kilobyte is precisely 2^10, or 1,024, bytes.
Knowledge portalA repository of core information and knowledge for an extended enterprise
Scope Notes: Generally a web-based implementation containing a core repository of information provided for the extended enterprise to resolve any issues
LabelIn supervised learning, the answer or result portion of an example
Lag indicatorA metric for the achievement of a goal; an indicator relating to the outcome or result of an enabler
Scope Notes: This indicator is available only after the fact or event.
Lag risk indicatorA backward-looking metric that indicates risk has been realized after an event has occurred
LatencyThe time it takes a system or network to respond
Scope Notes: More specifically, system latency is the time a system takes to retrieve data. Network latency is the time it takes for a packet to travel from source to destination.
Latent variableA variable that is not directly observed, but rather inferred (through a mathematical model) from other variables that are observed (directly measured)
Layer 2 switchesData link layer devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks
Layer 2 tokensA secondary coding on top of the original blockchain coding structure that allows for the evolution of a decentralized blockchain to address limitations, i.e., scaling and smart contracts
Layer 3 and 4 switchesSwitches with operating capabilities at layer 3 and layer 4 of the open systems interconnect (OSI) model. These switches examine the incoming packet’s networking protocol, e.g., IP, and then compare the destination IP address to the list of addresses in their tables to actively calculate the best way to send a packet to its destination.
Layer 4-7 switchesUsed for load balancing among groups of servers
Scope Notes: Also known as content switches, content services switches, web switches or application switches
Lead indicatorA metric for the application of good practices; an indicator relating to the functioning of an enabler
Scope Notes: This indicator will provide an indication of the possible outcome of the enabler.
Lead risk indicatorA forward-looking metric that provides an early warning that risk may soon be realized before an event has occurred
LeadershipThe ability and process to translate organizational vision into desired behaviors that are followed at all levels of the extended enterprise
LeanA business methodology for optimizing efficiency in a process and minimizing economic waste
Leased lineA communication line permanently assigned to connect two points, as opposed to a dial-up line that is available and open only when a connection is made by dialing the target machine or network. Also known as a dedicated line.
Legacy systemAn outdated computer system
Legitimate interestThe basis for lawful processing of data
Level of assuranceThe degree to which the subject matter has been examined or reviewed
LibrarianThe individual responsible for the safeguarding and maintenance of all program and data files
Licensing agreementA contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user
Life cycleA series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program)
Life cycle methodologyThe use of any one of several structured methods to plan, design, implement, test and operate a system from its conception to the termination of its use
See Waterfall model.
Life cycle model: A representation or description of the steps and activities for the development and updating of a solution, communicated to stakeholders and followed by a project or organization. This description may include:
• Phases
• Sequences
• Interrelationships
• Inputs
• Outputs
• Decision points
• Roles and responsibilities
Lift: Compares the frequency of an observed pattern with how often one expects to see that pattern just by chance
Likelihood: The probability of something happening
Limit check: A test that measures specified amount fields against stipulated high or low limits of acceptability
Scope Notes: When both high and low values are used, the test may be called a range check.
Linear algebra: A branch of mathematics dealing with vector spaces and operations on them, such as addition and multiplication. It is designed to represent systems of linear equations.
Linear regression: A mathematical technique to look for a linear relationship when starting with a set of data points that do not necessarily line up nicely. A linear relationship is one in which the relationship between two varying amounts, such as price and sales, can be expressed with an equation that can be represented as a straight line on a graph.
Link editor (linkage editor): A utility program that combines several separately compiled modules into one, resolving internal references between them
Linux: A Unix-like, open-source and community-developed operating system (OS) for computers, servers, mainframes, mobile devices and embedded devices.
Source: https://www.techtarget.com/searchdatacenter/definition/Linux-operating-system
Listening nodes: A publicly visible blockchain network device whose main function is to communicate and share data or information with any other node that connects with it
Litecoin: A peer-to-peer cryptocurrency and open-source software project
Literals: Any notation for representing a value within programming language source code, e.g., a string literal; a chunk of input data that is represented "as is" in compressed data
Local area network (LAN): A communication network that serves several users within a specified limited geographic area
Lock: A mechanism for keeping something secure or restricting access to functionality or data
Log: 1. To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred
2. An electronic record of activity (e.g., authentication, authorization and accounting)
Log analyzer: A tool used to track and analyze logs
Logical access: The ability to interact with computer resources granted using identification, authentication and authorization
Logical access controls: The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files
Logistic regression: A model similar to linear regression but where the potential results are a specific set of categories, instead of being continuous
Logoff: The act of disconnecting from a network or system
Logon: The act of connecting to a network or system, which typically requires entry of a user ID and password
Logs/log file: Files created specifically to record various actions occurring on a system being monitored, such as failed login attempts, full disk drives and email delivery failures
LoRa/LoRaWAN: A proprietary member of the family of low-power wide area network (LPWAN) protocols designed for low-bandwidth, battery-powered devices requiring extended range
Loss event: Any event during which a threat event results in loss
Scope Notes: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008
Low-level language: See Assembly language. A programming language, such as assembly language or machine code, that provides little or no abstraction from a computer's instruction set architecture, i.e., in which commands or functions are structurally similar to the processor's instructions
LTE for Machine-Type Communications (LTE-M): A low-power wide area network (LPWAN) standard from the 3GPP, based on typical Long Term Evolution (LTE)
MAC header: The hardware address of a network interface controller (NIC) inside a data packet
Machine code: Computer instructions and definitions expressed in a form (binary code) that can be recognized by the CPU of a computer. All source code, regardless of programming language, is eventually converted to machine code.
Machine language: The logical language a computer understands
Machine learning (ML): Processes of self-correction by computers during execution of successive or iterative tasks, wherein output of prior tasks (failures, false positives, false negatives, etc.) is received as input to later tasks, resulting in process correction without human intervention (e.g., software modifications)
Machine learning model: The model artifact created by the machine learning training process. The process of training a machine learning model involves providing a machine learning model algorithm (that is, the learning algorithm) with training data.
Machine learning overfitting (ML overfitting): A complex machine learning model that tends to “memorize” noise in a large data set while failing to capture the overall trend
Machine learning underfitting (ML underfitting): A machine learning model that is too simple to model complex data
Magnetic card reader: A hardware device used to read cards with a magnetic surface on which data can be stored and retrieved
Magnetic ink character recognition (MICR): A technology used to electronically input, read and interpret information directly from a source document
Scope Notes: MICR requires the source document to have specially coded magnetic ink.
Magnitude: A measure of the potential severity of loss or the potential gain from realized events/scenarios
Mail relay server: An electronic mail (email) server that relays messages so that neither the sender nor the recipient is a local user
Main establishment: The place of central administration for a controller with establishments in more than one country
Main memory: A nonmoving storage device that uses one of a number of types of electronic circuitry to store information
Main program: A software component that is called by the operating system of a computer and that usually calls other software components
See Routine and Subprogram.
Mainframe: A large high-speed computer, especially one supporting numerous workstations or peripherals
Maintainability: The ease with which a software system or component can be modified to correct faults, improve performance or other attributes, or adapt to a changed environment; synonymous with modifiability
Maintenance: Quality assurance (QA) activities, such as adjusting, cleaning, modifying and overhauling equipment to assure performance in accordance with requirements. Maintenance of a software system includes correcting software errors, adapting software to a new environment and making enhancements to software.
See Adaptive maintenance, Corrective maintenance and Perfective maintenance.
Malicious software: See Malware.
Malignant threat: A threat that is unintentional; there is no motive, good or bad, behind the losses associated with malignant threats
Malware: Malicious software designed to infiltrate or damage a computer system or obtain information from it without the owner’s consent. Examples of malware include computer viruses, worms, Trojan horses, spyware and adware.
Malware analysis tools: Tools used to analyze malware
Man-in-the-middle attack (MitM): A strategy in which the attacker intercepts the communication stream between two components of the target system and then replaces the traffic with the intruder’s own, eventually assuming control of the communication
Managed discovery: A phased objective evidence collection approach beginning with an initial call by the appraisal team for a predetermined set of artifacts, followed by a set of iterative calls based on the appraisal team’s evaluation of those artifacts and remaining evidence gaps
See Discovery-based appraisal and Verification-based appraisal.
Managed process: A performed process that is recorded, followed, updated and made persistent and habitual for consistency. A managed process is necessary at practice group level 2 in the CMMI Practice Areas.
See Performed process.
Management: The planning, building, running and monitoring of activities in alignment with the direction set by the governance body to achieve the enterprise objectives
Management information system (MIS): An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making
Mandatory access control (MAC): Logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners
Mapping: Diagramming data that are to be exchanged electronically, including specifications on how they are to be used and what business management systems need them
See Application tracing and Mapping.
Scope Notes: Mapping is a preliminary step for developing an applications link.
Market risk: Pressures on an asset class
Markov Chain: An algorithm for working with a series of events (for example, a system being in particular states) to predict the possibility of a certain event based on which other events have occurred and to identify probabilistic relationships between the different events
Markov decision process (MDP): A graph representing the decision-making model in which decisions (or actions) are taken to navigate a sequence of states, under the assumption that the Markov property holds. In reinforcement learning, these transitions between states return a numerical reward.
Masking: A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report
Masqueraders: Attackers that penetrate systems by using the identities and logon credentials of legitimate users
Master file: A file of semi-permanent information that is used frequently for processing data or for more than one purpose
Masternode: A blockchain network device that can process all the functions of a full node or miner and is also able to facilitate other processes
Material misstatement: An untrue statement, whether accidental or intentional, that affects the results of an audit to a measurable extent
Material weakness: A deficiency or a combination of deficiencies in internal control resulting in a reasonable possibility that a material misstatement will not be prevented or detected in a timely way. Weakness in control is considered "material" if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
• Controls are not in place, are not in use or are inadequate
• Escalation is warranted
• There is an inverse relationship between materiality and the level of audit risk acceptable to the information security (IS) audit or assurance professional—that is, the higher the materiality level, the lower the acceptability of the audit risk and vice versa
Materiality: An auditing concept that considers the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. Materiality is also an expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole.
MATLAB: A commercial computer language and environment popular for visualization and algorithm development
Matrix: A set of numbers or terms arranged in rows and columns between parentheses or double lines. For purposes of manipulating a matrix with software, think of it as a two-dimensional array. As with its one-dimensional equivalent, a vector, this mathematical representation of the two-dimensional array makes it easier to take advantage of software libraries that apply advanced mathematical operations to the data—including libraries that can distribute the processing across multiple processors for scalability.
Maturity: The degree of reliability or dependency a business can place on a process to achieve desired goals or objectives
Maturity level: A rating that describes the degree to which organizational unit processes meet the intentions and values articulated in a predefined set of practice areas. The rating is based on the achievement of a specified set of practice group levels within the predefined set of practice areas.
Maturity model
Scope Notes: See Capability Maturity Model (CMM).
Maximum tolerable outage (MTO): Maximum time an enterprise can support processing in alternate mode
MB: Megabyte
Mean: The average value, also known as the arithmetic mean
Mean absolute error: The average error of all predicted values when compared with observed values
Mean squared error: The average of the squares of all the errors found when comparing predicted values with observed values
Measure: A standard used to evaluate and communicate performance against expected results
Scope Notes: Measures are normally quantitative in nature, capturing numbers, dollars, percentages, etc., but they can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an enterprise gauge progress toward effective implementation of strategy.
Measure (IEEE): A quantitative assessment of the degree to which a software product or process possesses a given attribute
Measurement and performance objectives: Statements that describe quantitative or qualitative objectives without requiring the additional rigor of statistical or quantitative analysis
Measurement-based: A type of numerical data obtained by performing measurements but not based on statistical and quantitative management
Media access control (MAC): Lower sublayer of the OSI Model Data Link layer
Media access control (MAC) address: A 48-bit unique identifier assigned to network interfaces for communications on the physical network segment
Media oxidation: The deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture
Scope Notes: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.
Median: The value in the middle of a sorted list of values or, if the number of values is even, the average of the two in the middle
Meet the intent and value: See Intent and value
Megabit: Approximately 1 million bits. Precisely 1024 K bits, 2^20 bits or 1,048,576 bits.
Megabyte: Approximately 1 million bytes. Precisely 1024 K bytes, 2^20 bytes or 1,048,576 bytes
See Kilobyte.
Memorandum of agreement: A record of expectations and arrangements between two or more parties; also known as a “memorandum of understanding”
See Statement of Work.
Memory: Any device or recording medium that can hold and store binary data, and from which the entire original data set can be retrieved. Two types of memory are main, e.g., ROM and RAM, and auxiliary, e.g., tape and disk.
See Storage device.
Memory dump: Raw data copied from one place to another with little or no formatting for readability
Scope Notes: Usually, dump refers to data copied from the main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, it is possible to study a dump and analyze the contents of memory at the time of the failure. A memory dump will not help unless the person reading it knows what to look for, because dumps are usually output in a difficult-to-read form (binary, octal or hexadecimal).
Memory inspection tools: Tools used to detect memory leaks, memory accesses and a variety of memory misuses
Merkle tree: A data structure within which all nodes other than "leaf nodes" (nodes to which no subnodes are attached) include the hash values of all subnodes. Use of a cryptographically strong hashing function (i.e., a message digest) can allow rapid (logarithmic) verification of the integrity of all nodes on the tree.
Mesh topology: A fault-tolerant topology in which network nodes and endpoints are mostly, if not fully, interconnected
Message authentication code (MAC): An American National Standards Institute (ANSI) standard checksum that is computed using Data Encryption Standard (DES).
Message digest: The result of a cryptographic hash function taking an input of an arbitrary length and producing an output that is a standard-sized binary string. The output is unique to the input, and even a minor change to the input results in a completely different output. Modern cryptographic hash functions are also resistant to collisions (situations in which different inputs produce identical outputs). A collision, while possible, is statistically improbable. Cryptographic hash functions are developed so that the input cannot be determined readily from the output.
See Hash.
Message digest algorithm: A one-way function that serves as a way for a recipient to verify data integrity and sender identity. Common message digest algorithms are MD5, SHA256 and SHA512.
Message Queue Telemetry Transport (MQTT): An ultra-lightweight communication protocol widely used in the Internet of Things
Message switching: A telecommunications methodology that controls traffic by sending a complete message to a concentration point where it is stored until the communications path is established
Metering: The monitoring and tracking of resource usage within a cloud environment, e.g., data, memory and storage
Metric: A quantifiable entity that allows the measurement of the achievement of a process goal
Scope Notes: Metrics should be SMART—specific, measurable, actionable, relevant and timely. Complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate), the procedure to carry out the measurement and the procedure to interpret the assessment.
Metric, software quality: A quantitative measure of the degree to which software possesses a given attribute that affects its quality
Metropolitan area network (MAN): A data network intended to serve an area the size of a large city
Microcontroller: Special processing unit useful in embedded systems, such as fleet vehicles and process control applications
Microwave transmission: A high-capacity line-of-sight transmission of data signals through the atmosphere, which often requires relay stations
Middleware: Another term for an application programming interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Milestone: A terminal element that marks the completion of a work package or phase
Scope Notes: A milestone is typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously defined deliverable, or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with a decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.
Mini-team: A subset of the appraisal team members with primary responsibility for collecting sufficient appraisal data and objective evidence to ensure coverage of assigned model practice areas or sampled projects and organizational support functions; may also perform other tasks, e.g., project-level characterizations
Miniature fragment attack: An attack method that involves fragmenting the IP packet into smaller ones before pushing it through the firewall, in the hope that only the first in the sequence of fragmented packets will be examined and the others will pass without review
Mirrored site: An alternate site that contains the same information as the original
Scope Notes: Mirrored sites are set up for backup and disaster recovery and to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.
Mission-critical application: An application that is vital to the operation of the enterprise. The term is very popular for describing the applications required to run day-to-day business operations.
Misuse detection: Detection based on whether a system activity matches an activity defined as "bad"
Mnemonic: A symbol chosen to assist human memory and understanding, e.g., an abbreviation such as "MPY" for multiply
Mobile computing: A technology that extends wireless computing to small devices that run specifically designed applications and that can expand an enterprise network to reach remote places under circumstances that would not permit connectivity by other means
Scope Notes: Mobile computing comprises smartphones, tablets and wearable devices
Mobile device: Portable electronic equipment that can connect to the Internet
Mobile site: A mobile/temporary facility that serves as a business resumption location. The facility is typically delivered to an alternative site and can house information technology and staff.
Mode: The value that occurs most often in a sample of data. Like the median, the mode cannot be directly calculated.
Model: A way to describe a given set of components and their relationships to illustrate the main workings of an object, system or concept
Model component: Any of the five main architectural elements or parts that compose the CMMI model. These include the view, practice area, practice group, practice and informative material.
See Informative material, Practice, Practice area, Practice group and View.
Model scope: The practice areas or model components to be appraised, defined in benchmark model views predefined by ISACA or customized for the organization’s needs.
See Appraisal scope and Organizational unit.
Modeling: Constructing programs that model the effects of a postulated environment to investigate the dimensions of a problem and observe the effects of algorithmic processes on responsive targets
MODEM (modulator/demodulator): A device that connects a terminal or computer to a communications network via a telephone line. A modem turns digital pulses from a computer into frequencies within the audio range of a telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies.
Modular software: Software composed of discrete parts
Modularity: The degree to which a system or computer program is composed of discrete components so that a change to one component has minimal impact on other components
Modulation: The process of converting a digital computer signal into an analog telecommunications signal
Module: 1. In programming languages, a self-contained subdivision of a program that may be separately compiled
2. A discrete set of instructions, usually processed as a unit by an assembler, a compiler, a linkage editor, or a similar routine or subroutine
3. A packaged functional hardware unit suitable for use with other components
See Unit.
Monetary unit sampling: A sampling technique that estimates the amount of overstatement in an account balance
Monitoring policy: A set of rules outlining or delineating the way information about the use of computers, networks, applications and information is captured and interpreted
Monte Carlo method: The use of randomly generated numbers as part of an algorithm
Moving average: The mean (or average) of time series data (observations equally spaced in time, such as per hour or per day) from several consecutive periods
Multifactor authentication (MFA): A combination of more than one authentication method, such as token and password (or personal identification number [PIN]) or token and biometric device
Multiplexor: A device used for combining several lower-speed channels into a higher-speed channel
Multiprocessing: A mode of operation in which two or more processes (programs) are executed concurrently (simultaneously) by separate CPUs that have access to a common main memory. Contrasts with multiprogramming.
See Multitasking and Time sharing.
Must: A word used in a statement of a method requirement to indicate that it is not tailorable. “Must” may be used interchangeably with “shall.”
See Shall.
Mutex: A lock set by smart contract code before access is permitted to a shared resource or function, and released after its use, to prevent multiple threads from simultaneously gaining access to the locked region of the code
Mutual authentication: A form of authentication in which a device sends a certificate to a server and, in return, is sent authentication of the server
Mutual takeover: A failover process that is basically a two-way idle standby. Two servers are configured so that each can take over the other's node resource group. Both must have enough central processing unit (CPU) power to run both servers' applications with sufficient speed, or expected performance losses must be taken into account until the failed node reintegrates.
N-gram: The analysis of sequences of "n" items (typically, words in natural language) to look for patterns. The value of "n" can be anything. An n-gram is used to construct statistical models of documents (e.g., when automatically classifying them) and to find positive or negative terms associated with a product name.
Naive Bayes classifier: A collection of classification algorithms based on Bayes' Theorem. It is a family of algorithms that share a common principle: every feature being classified is independent of the value of any other feature.
NaN trap: The result of one number in a model becoming a NaN during training, causing many or all other numbers in the model to eventually become a NaN. "NaN" is an abbreviation for "Not a Number."
Narrowband IoT (NB-IoT): A low-power wide area network (LPWAN) standard developed by the 3rd Generation Partnership Project (3GPP) for indoor devices requiring low cost, low battery usage and high density
Source: 3rd Generation Partnership
National Institute of Standards and Technology (NIST): A US government agency that develops tests, test methods, reference data, proof-of-concept implementations and technical analyses to advance the development and productive use of information technology
Scope Notes: NIST creates mandatory standards that are followed by federal agencies and those doing business with them.
Native tokens: 1. Created at the genesis block and usually used to reward the successful processing of a transaction or the creation of a blockchain
2. Unit of account for a blockchain
Natural bounds: The inherent range of variation in a process, as determined by process performance measures. Natural bounds are sometimes referred to as “control limits” or the “voice of the process.”
Need-to-know: A principled approach to controlling what individuals can see; employees can access only the data, systems and spaces necessary to do their job.
Net present value (NPV): Calculation based on the after-tax discount rate of an investment and a series of expected incremental cash outflows (initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment
Scope Notes: To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment also should be taken into account.
Net return: The revenue that a project or business makes after tax and other deductions; often classified as net profit
Net-centric technologies: Information and objects (software and data) managed or stored on a network, whose contents and security are of prime importance compared to the contents and security of software and data in traditional computer processing, which emphasizes hardware location
Scope Notes: An example of net-centric technologies is the Internet, where the network is its primary concern.
NetBIOS: A program that allows applications on different computers to communicate within a local area network (LAN)
Netcat: A simple UNIX utility that reads and writes data across network connections using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Netcat is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. It is also a feature-rich network debugging and exploration tool, because it can create almost any kind of connection needed. Netcat is part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
Network: A system of interconnected computers and the communication equipment used to connect them
Network access control systems: Systems that assist in controlling devices and user access to networks
Network address: An identifier for a node or host on a telecommunications network
Network address translation (NAT): A methodology for modifying network address information in IP datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another
Network administrator: An individual who is responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks
Scope Notes: For smaller enterprises, the network administrator may also maintain a local area network (LAN) and assist end users.
Network analyzer: A tool that creates a signal and characterizes the devices that receive it to help diagnose problems with Internet connectivity, WiFi network setups and issues on remote servers
Network basic input/output system: See NetBIOS.
Network hop: A strategy in which an attacker whose identity is obscured successively hacks into a series of connected systems
Network interface card (NIC): A card designed for insertion into a computer to enable it to communicate with other computers on a network
Scope Notes: Most NICs are designed for a particular type of network or protocol.
Network interoperability: The ability of networks composed of different topologies, configurations and functionalities to transmit data to and from one another
Network News Transfer Protocol (NNTP): A protocol that uses a reliable stream-based mechanism for the distribution, inquiry, retrieval and posting of netnews articles. For news-reading clients, NNTP enables retrieval of news articles stored in a central database, enabling subscribers to select only the articles they wish to read. (RFC 3977)
Network segmentation: A common network security implementation technique that segments an enterprise network into zones that can be separately controlled, monitored and protected
Network topology: The basic configuration and architecture of a set of interconnected nodes
Network traffic analysis: A means of identifying patterns in network communications
Scope Notes: Traffic analysis does not need to have the actual content of the communication but analyzes where traffic occurs, when and for how long communications take place, and the quantity of information transferred.
Network-attached storage (NAS): An architecture that uses dedicated storage devices to centralize data storage
Scope Notes: NAS devices generally do not provide traditional file/print or application services.
Neural networkA robust function that fits an arbitrary set of inputs into an arbitrary set of binary outputs. Neural networks are used in deep learning research to match images to features and for many other applications.
NeuronA neural network node that typically takes in multiple input values and generates one output value
NibbleAn equivalent of four binary digits or half a byte. Nibble can be represented by one hexadecimal digit.
NodePoint at which terminals are given access to a network
Node (neural network)A neuron in a hidden layer
NoiseData transmission or data set disturbances, such as static, that cause messages to be misinterpreted by the receiver
Non-model findingsFindings that are not directly traceable to model practices but that may be useful to an organization’s business, performance or improvement goals. Non-model findings cannot be used to determine ratings, but they may identify other areas that the team must consider in order to characterize practices.
Nonce: A limited or single-use value, typically small, used for initialization, seed generation or some other special purpose
Nondisclosure agreement (NDA): A legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement
Scope Notes: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement, an NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases must be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information that the seller identifies as confidential, and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another’s businesses solely for the purpose of evaluating the potential business relationship. NDAs can be "mutual," meaning that both parties are restricted in their use of the materials provided, or they can restrict only a single party. It is also possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring; in fact, some employment agreements will include a clause restricting "confidential information" in general.
Nonintrusive monitoring: The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities
Nonrepudiable transaction: A transaction that cannot be denied after the fact
Nonrepudiation: The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data, verifiable by a third party
Scope Notes: A digital signature can provide nonrepudiation.
Nonstatistical sampling: Method of selecting a portion of a population, based on professional judgment and experience, for the purpose of quickly confirming a proposition. This method does not allow drawing mathematical conclusions regarding the entire population.
Normal distribution: A probability distribution that, when graphed, is a symmetrical bell curve with the mean value at the center. The standard deviation value affects the height and width of the graph. Also known as "Gaussian distribution."
Normalization: 1. The elimination of redundant data
2. The process of converting an actual range of values into a standard range of values, typically -1 to +1 or 0 to 1
NoSQL: A database management system that uses any of several alternatives to the relational, table-oriented model used by SQL databases
Null: A value whose definition is to be supplied within the context of a specific operating system. This value is a representation of the set of no numbers or no value for the operating system in use.
Null data: Data for which space is allocated but for which no value currently exists
Null hypothesis: If the proposed model for a data set indicates that the value of "x" affects the value of "y," then the null hypothesis—i.e., the model compared against the proposed model to check whether "x" really is affecting "y"—will find that the observations are all based on chance and that there is no effect. The smaller the P-value computed from the sample data, the stronger the evidence is against the null hypothesis.
Null string: A string containing no entries. Note that a null string has a length of zero.
Numeric check: An edit check designed to ensure that the data element in a particular field is numeric
Obfuscation: The deliberate act of creating source or machine code that is difficult for humans to understand
Object code: Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code
Object management group (OMG): A consortium with more than 700 affiliates from the software industry whose purpose is to provide a common framework for developing applications using object-oriented programming techniques
Scope Notes: OMG is known principally for promulgating the Common Object Request Broker Architecture (CORBA) specification.
Object orientation: An approach to system development in which the basic unit of attention is an object, which represents an encapsulation of both data (an object’s attributes) and functionality (an object’s methods)
Scope Notes: Objects are usually created using a general template called a "class." A class is the basis for most design work in objects. A class and its objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance.
Object oriented design: A software development technique in which a system or component is expressed in terms of objects and connections between those objects
Object oriented language: A programming language that allows the user to express a program in terms of objects and messages between those objects. Examples include C++, Smalltalk and LOGO.
Object oriented programming: A technology for writing programs that are made up of self-sufficient modules containing all the information needed to manipulate a given data structure. The modules are created in class hierarchies so that the code or methods of a class can be passed to other modules. New object modules can be easily created by inheriting the characteristics of existing classes.
See Object and Object-oriented design
Object oriented system development: A system development methodology that is organized around "objects" rather than "actions" and "data" rather than "logic"
Scope Notes: Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is a software design centered around designing the objects that will make up a program. Any object-oriented program is composed of objects or software parts.
Objective: A statement of a desired outcome
Objective evidence (OE): Artifacts or affirmations used as indicators of the implementation or habit and persistence of processes to meet the intent and value of one or more model practices
See Artifact and Affirmation
Objective function: A function that combines decision variables, constraints and the goal value to solve an optimization problem. The objective is the goal to maximize or minimize; the objective function is used to find the optimum result.
Objective in appearance: The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm, audit function or member of the audit team’s integrity, objectivity or professional skepticism has been compromised
Objective of mind: The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism
Objectively evaluate: To review activities and work products against criteria that minimize subjectivity and bias by the reviewer
Objectivity: The ability to exercise judgment, express opinions and present recommendations with impartiality
Observation: The receipt of messages through electronic, sensory or vibrational signals and the human senses
Observer: An individual assigned by ISACA to evaluate, audit or review an appraisal team leader candidate
See Auditor
Octal: The base-8 number system. Digits are 0, 1, 2, 3, 4, 5, 6 and 7.
Offchain: Any blockchain actions that require data outside of the blockchain network
Offline files: Computer file storage media that are not physically connected to a computer. Typical examples include tapes or tape cartridges used for backup purposes.
Offline inference: The process of generating a group of predictions, storing those predictions and then retrieving those predictions on demand
Offsite storage: A facility located away from the building that houses the primary information processing facility (IPF) used for storage of computer media, such as offline backup data and storage files
On-demand self-service: The ability for a customer to self-assign and allocate cloud resources instantaneously without vendor interaction
Onchain: Cryptoasset or token transactions which occur on and within the data records of a blockchain and are perpetually dependent on the state of that blockchain for their validity
One-shot learning: A machine-learning approach often used for object classification that is designed to learn effective classifiers from a single training example
Online Certificate Status Protocol (OCSP): A protocol used for receiving the status of an X.509 certificate
Online data processing: A type of data processing that involves entering information into a computer via a video display terminal
Scope Notes: With online data processing, the computer immediately accepts or rejects the information as it is entered.
OOP: The acronym for object-oriented programming
Open Source Security Testing Methodology: An open and freely available methodology and manual for security testing
Open system: System for which detailed specifications of the composition of its components are published in a nonproprietary environment, thereby enabling competing enterprises to use these standard components to build competitive systems
Scope Notes: The advantages of using open systems include portability, interoperability and integration.
Open Systems Interconnect (OSI) model: A seven-layer conceptual model that describes functions of computer network or telecommunication systems
Open Web Application Security Project (OWASP): An open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted
Operating system (OS): A master control program that runs the computer and acts as a scheduler and traffic controller
Scope Notes: The operating system is the first program copied into the computer memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem and printer) and the application software (word processor, spreadsheet, email). It also controls access to the devices, is partially responsible for security components and sets the standards for the application programs that run in it.
Operating system audit trail: Record of system events generated by a specialized operating system mechanism
Operation and maintenance phase: The period of time in the software life cycle during which a software product is employed in its operational environment, monitored for satisfactory performance, and modified as necessary to correct problems or to respond to changing requirements
Operational audit: An audit designed to evaluate the various internal controls, economy and efficiency of a function or department
Operational concept: A general description of the way in which a component or solution is used or operates. An operational concept may also be referred to as a “concept of operations.”
Operational control: Deals with the everyday operation of a company or enterprise to ensure that all objectives are achieved
Operational level agreement (OLA): An internal agreement covering the delivery of services that supports the IT organization in its delivery of services
Operational risk: The potential for losses caused by inadequate systems or controls, human error or mismanagement, and natural disasters
Operational scenario: A description of a potential sequence of events that includes the interaction of a component or solution with its environment and users, and with other solution components. Operational scenarios are used to evaluate the requirements and design of the system and to verify and validate the system.
Operator console: A special terminal used by computer operations personnel to control computer and systems operations functions.
Scope Notes: Operator console terminals typically provide a high level of computer access and should be properly secured.
Opportunity: An uncertain event that may positively impact meeting objectives
Opt-in: A declaration or an active motion in which a data subject agrees to particular data processing. Also, a process or type of policy whereby the personally identifiable information (PII) principal is required to take an action to express explicit, prior consent for their PII to be processed for a particular purpose.
Opt-out: A choice that is made on behalf of a data subject, indicating the subject’s desire to no longer receive unsolicited information
Optical character recognition (OCR): Used to electronically scan and input written information from a source document
Optical scanner: An input device that reads characters and images that are printed or painted on a paper form into the computer
Optimizing process: A quantitatively managed process that is continually improved to increase its capability. These continuous improvements can be made through both incremental and innovative improvements. An optimizing process is necessary at practice group level 5 in the CMMI Practice Areas.
See Quantitatively managed process and Defined process.
Or: In the CMMI model, means either “and” or “or”
Oracle: A relational-database programming system that incorporates the SQL programming language. It is a registered trademark of the Oracle Corp.
Oracle problem: A paradoxical situation where the oracle can become the central point of failure for the smart contract due to decreased security and centralization
Organisation for Economic Co-operation and Development (OECD): An international organization helping governments tackle the economic, social and governance challenges of the global economy
Scope Notes: The OECD groups 30 member countries in a unique forum to discuss, develop and refine economic and social policies.
Organization: The manner in which an enterprise is structured. It can also mean the entity.
Organizational directives: Expectations established by senior management that are adopted by an organization to influence and determine decisions. This may also be referred to as “organizational policies.”
Organizational structure: A component of a governance system. This includes the enterprise and its structures, hierarchies and dependencies.
Scope Notes: An example is a "steering committee." See COBIT 5 perspective
Organizational support function: A team or entity that provides products and/or services for a bounded set of activities needed by other portions of the organization. Examples of organizational support functions include quality assurance, configuration management, training and other process groups. Organizational support functions should be treated as projects in that there should be processes and process roles with plans, infrastructure and organizational boundaries that describe what they do and how they provide support to other projects within the organization.
Organizational unit (OU): The part of an organization that is the subject of an appraisal and to which the appraisal results are generalized. An organizational unit deploys one or more processes that have a coherent process context and defined set of process roles and operate within a coherent set of business objectives.
See Process role
Organizational unit coordinator (OUC): An appraisal role, designated by the appraisal sponsor and appraisal team leader, that handles logistics and provides technical, administrative and logistical support, such as coordinating schedules, notifying participants, arranging facilities and resources, obtaining requested documentation and arranging catering
Organization’s business objectives: A set of objectives developed by senior management to improve performance, build and improve capability and enhance profitability, market share and other factors that influence the organization’s success
Organization’s measurement repository: A specific location or locations where measurement-based information is stored. The purpose is to collect and make measurement results available throughout the organization. This repository contains or references actual measurement results and related information needed to understand and analyze measurement results that are typically described as part of the organizational process assets.
See Organization’s process assets and Organization’s set of standard processes
Organization’s process asset library: A specific location or locations where information is stored to make process assets available that are useful to those who are defining, implementing, managing and following processes in the organization
See Organization’s process assets
Organization’s process assets: Process-related documentation, records and information, such as an organization's policies, standard processes, tailoring guidelines, checklists, lessons learned, templates, standards, procedures, plans, training materials, etc.
See Process description and Organization’s process asset library
Organization’s set of standard processes: A collection of process descriptions that guide consistent process implementation across an organization. These process descriptions cover the fundamental process elements and their relationships to each other, such as ordering and interfaces, that should be incorporated into the defined processes implemented in work groups across the organization. A standard process is essential for long-term stability and improvement.
See Process description and Process element
Organogram: A hierarchy diagram of an organizational structure
Orthogonal Frequency Division Multiple Access (OFDMA): The OFDM multi-user variant that achieves multiple access by assigning subsets of subcarriers to different users, allowing simultaneous data transmission from several users
Other expert: An individual internal or external to an enterprise that could be an IT auditor from an external firm, a management consultant or an expert in the area of the engagement who has been appointed by top management or the team
Outcome: A result
Outcome measure: A measure that represents the consequences of actions previously taken; often referred to as a lag indicator
Scope Notes: Outcome measures frequently focus on results at the end of a time period and characterize historic performance. An outcome measure is also referred to as a key goal indicator (KGI) and is used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called "lag indicators."
Outlier: Extreme values that might be errors in measurement and recording or accurate reports of rare events
Output analyzer: A tool that checks the accuracy of the results produced by a test run
Scope Notes: There are three types of checks that an output analyzer can perform. First, if a standard set of test data and test results exist for a program, the output of a test run after program maintenance can be compared with the set of results that should be produced. Second, as programmers prepare test data and calculate the expected results, these results can be stored in a file, and the output analyzer compares the actual results of a test run with the expected results. Third, the output analyzer can act as a query language; it accepts queries about whether certain relationships exist in the file of output results and reports compliance or noncompliance.
Outsourcing: A formal agreement with a third party to perform IS or other business functions for an enterprise
Over the air (OTA) updates: An update to a device’s firmware or software that is delivered via wireless communication
Overfitting: A model of training data that, by taking too many of the data quirks and outliers into account, is overly complicated and will not be as useful as it could be to find patterns in test data
Overflow: In a calculator, the state in which the calculator is unable to accept or process the number of digits in the entry or result
Source: ISO
See Arithmetic overflow
Overflow exception: An exception that occurs when the result of an arithmetic operation exceeds the size of the storage location that is designated to receive it
Source: IEEE
Owner: An individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset
Scope Notes: Examples include process owners and system owners. See COBIT 5 perspective
P value: The probability, under the assumption of no effect or no difference (the null hypothesis), of obtaining a result equal to or more extreme than what was actually observed
Packet: Protocol data unit that is routed from source to destination in a packet-switched network
Scope Notes: A packet contains both routing information and data.
Packet analyzers: A tool that captures packets as they travel a network to monitor, intercept and decode data
Packet filtering: Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass or denying them, based on a list of rules
Packet internet groper (PING): An Internet program (Internet Control Message Protocol [ICMP]) used to determine whether a specific IP address is accessible or online. It is a network application that uses User Datagram Protocol (UDP) to verify reachability of another host on the connected network.
Scope Notes: It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections. In addition, PING reports the number of hops required to connect two Internet hosts. There are both freeware and shareware PING utilities available for personal computers (PCs).
Packet switching: The process of transmitting messages in convenient pieces that can be reassembled at the destination
PageRank: An algorithm that determines the importance of something, typically to rank it in a list of search results. PageRank works by counting the number and quality of links to a page to determine a rough estimate of the importance of the website. The underlying assumption is that more important websites are likely to receive more links from other websites.
PAN: Acronym for primary account number (also referred to as account number). A unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account
Pandas: A Python library for data manipulation that is popular with data scientists
Paper test: A walk-through of the steps of a regular test, but without actually performing the steps
Scope Notes: Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities
Parallel simulation: Involves an IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data.
Scope Notes: The results produced by parallel simulation are compared with the results generated by the application system, and any discrepancies are identified.
Parallel testing: The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application
Parameter: A constant, variable or expression that is used to pass values between software modules. Synonymous with argument.
Parity check: A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another
Scope Notes: A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item’s bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
Partitioned file: A file format in which the file is divided into multiple subfiles and a directory is established to locate each subfile
Pascal: A high-level programming language designed to encourage structured programming practices
Passive assault: Intruders' attempt to learn some characteristic of the data being transmitted
Scope Notes: With a passive assault, intruders may be able to read the contents of the data, so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.
Passive response: A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action.
Password: A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system
Password cracker: A tool that tests the strength of user passwords by searching for passwords that are easy to guess. It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.
Patch: Fixes to software programming errors and vulnerabilities
Patch management: 1. An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system to maintain up-to-date software and often to address security risk
Scope Notes: Patch management tasks include maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on noncritical systems prior to installation. Patch management can be viewed as part of change management.
2. The process to identify, acquire, install, and verify a set of changes to a computer program or its supporting data for solutions and systems. A patch is typically an isolated change of a specified scope and is sometimes referred to as a bug fix. (CMMI)
Patent: Protection of research and ideas that led to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item
Path: A sequence of instructions that may be performed in the execution of a computer program
Path analysis: Analysis of a computer program (i.e., source code) to identify all possible paths through the program, to detect incomplete paths or discover portions of the program that are not on any path
Payback period: The length of time needed to recoup the cost of capital investment
Scope Notes: Financial amounts in the payback formula are not discounted. Note that the payback period does not take into account cash flows after the payback period and therefore is not a measure of the profitability of an investment project. The scope of the internal rate of return (IRR), net present value (NPV) and payback period is the useful economic life of the project up to a maximum of five years.
Payload: A piece of malicious software that lets an attacker control a compromised computer system. The payload is typically attached to and delivered by an exploit.
Payment system: A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions
Payroll system: An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources [HR] system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces. In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.
Peer reviews: The examination of work products performed by similarly skilled personnel during the development of work products to identify defects for removal. Peer reviews are sometimes called work product inspections.
See Work product
Penetration testing: A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Perceptron: Neural network that approximates a single neuron with n binary inputs. It computes a weighted sum of its inputs and fires if that weighted sum is zero or greater.
Performance: In IT, the actual implementation or achievement of a process
Performance driver: A measure that is considered the "driver" of a lag indicator. It can be measured before the outcome is clear and, therefore, is called a "lead indicator."
Scope Notes: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.
Performance indicators: A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis
Scope Notes: Performance indicators can include service level agreements (SLAs), critical success factors (CSFs), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards.
Performance management: In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements. The term connotes closed-loop control and regular monitoring of the measurement.
Performance parameters: Measurable criteria used to monitor progress toward quantitative objectives. Collectively, performance parameters provide a metric for determining the success of the business or project.
Performance testing: A test for comparing the system’s performance to other equivalent systems using well-defined benchmarks
Performance work statement (PWS): A statement of work (SOW) for performance-based acquisitions that clearly describes the performance objectives and standards expected of the contractor. When a contract is awarded, the PWS is a legally binding document for the contractor.
See SOW
Performed process: A simple approach or set of steps that produces solutions or work products. A performed process is characteristic of Practice Group Level 1 in the CMMI Practice Areas.
Peripheral device: Equipment that is directly connected to a computer. A peripheral device can be used to input data (e.g., a keypad, bar code reader, transducer or laboratory test equipment) or to output data (e.g., a printer, disk drive, video system, tape drive, valve controller or motor controller). It is synonymous with "peripheral equipment."
Peripherals: Auxiliary computer hardware equipment used for input, output and data storage
Scope Notes: Examples of peripherals include disk drives and printers.
Perplexity: One measure of how well a model is accomplishing its task
Persistent and habitual: The routine way of doing business and following and improving a process that an organization follows as part of its culture
Personal computer (PC): Synonymous with microcomputer, a computer that is functionally similar to large computers but serves only one user
Personal data: Information relating to an identified or identifiable natural person
Personal data breach: Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of a subject’s data
Personal digital assistant (PDA): Also called a "palmtop" or "pocket computer," a handheld device that has computing, Internet, networking and telephone characteristics
Personal identification number (PIN): A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual
Scope Notes: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.
Personal information: A synonym for "personal data"
Personally identifiable information (PII): Any information that can be used to establish a link between the information and the natural person to whom such information relates or that is or might be directly or indirectly linked to a natural person
Pervasive IS control: A general control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities
Phase of BCP: A step-by-step approach consisting of various phases
Scope Notes: Phase of BCP usually comprises the following phases: pre-implementation phase, implementation phase, testing phase and post-implementation phase.
PhishingA type of electronic mail (email) attack that attempts to convince a user that the originator is genuine with the intention of obtaining information for use in social engineering
Scope Notes: For example, phishing attacks may take the form of an attacker masquerading as a lottery organization advising the recipient or the user's bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which can be used in another form of active attack.
PhreakersThose who crack security, most frequently telephone and other communication networks
Piggybacking1. The act of following an authorized person into a restricted access area
2. The act of electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions
PII controllerA privacy stakeholder (or privacy stakeholders) who determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes
PII principalThe natural person to whom personally identifiable information (PII) relates
PII processorThe privacy stakeholder who processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller
PINSee Personal identification number (PIN)
PipelineA set of structured practices, tools and flows that DevOps practitioners adopt throughout the development and operational life cycle
Pivot tableA tool that quickly summarizes long lists of data without requiring a single formula or copying a single cell. However, the most notable feature of pivot tables is that they can be arranged dynamically.
Plain old telephone service (POTS)A wired telecommunications system
PlaintextDigital information, such as cleartext, that is intelligible to the reader
PlatformThe hardware and software that must be present and functioning for an application program to run (perform) as intended. A platform includes, but is not limited to, the operating system or executive software, communication software, microprocessor, network, input/output hardware, any generic software libraries, database management, user interface software, and the like.
Platform as a Service (PaaS)Offers the capability to deploy onto the cloud infrastructure customer-created or acquired applications that are created using programming languages and tools supported by the provider
PMBOK (Project Management Body of Knowledge)A project management standard developed by the Project Management Institute (PMI)
Point-of-presence (POP)A telephone number that represents the area in which the communication provider or Internet service provider (ISP) provides service
Point-of-sale (POS) systemsEnables the capture of data at the time and place of transaction
Scope Notes: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.
Point-to-Point Protocol (PPP)A protocol used for transmitting data between two ends of a connection
Point-to-Point Tunneling Protocol (PPTP)A protocol used to transmit data securely between two end points to create a virtual private network (VPN)
Poisson distributionA distribution of independent events, usually over a period of time or space, used to help predict the probability of an event. Like the binomial distribution, this is a discrete distribution.
PolicyA document that communicates required and prohibited activities and behaviors
Polymorphism (Objects)Polymorphism refers to database structures that send the same command to different child objects that can produce different results depending on their family hierarchical tree structure.
PolynomialMathematical expression of more than two algebraic terms, especially the sum of several terms that contain different powers of the same variable(s)
PopulationThe entire set of data from which a sample is selected and about which an IT auditor wishes to draw conclusions
PortA process or application-specific software element serving as a communication endpoint for the transport layer IP protocols (UDP and TCP)
Port (Port number)A process or application-specific software element serving as a communication endpoint for the Transport Layer IP protocols (UDP and TCP)
Port scanningThe act of probing a system to identify open ports
PortfolioA grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
PostingThe process of actually entering transactions into computerized or manual files
Scope Notes: Posting transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time and then applied to master file updating.
Practical Byzantine fault tolerance (pBFT)Consensus mechanism in which all nodes are ordered in sequence, with one node being the primary node or leader and all others referred to as backup nodes. All nodes in pBFT systems communicate with one another with the goal that all honest nodes will come to an agreement on the state of the system using a majority rule. Nodes communicate for two reasons: to prove that messages came from a specific peer node and to confirm that messages were not modified during transmission. pBFT can be used for private and public blockchains and allows for instant transaction finality. However, such a methodology requires a great number of messages between nodes, making a large blockchain network challenging.
PracticeA practice consists of two parts:
• Required practice information: Information required to understand the full intent and value of the practice, which includes the practice statement (intent), the value statement, and the additional required information
• Explanatory practice information: Remaining parts of the practice, including additional explanatory PA/practice information, example activities and work products, which are important and useful to better understand the practice statement (intent), value statement, and additional required information
Practice area (PA)A collection of similar practices that together achieve the defined intent, value, and required information described in that practice area
Practice area (PA) required informationThe intent, value, and any additional required information for a practice area
Practice groupThe organizing structure for practices within a practice area to aid understanding and adoption and provide a path for performance improvement
Predictive analyticsThe analysis of data to predict future events, typically to aid in business planning. Predictive analytics incorporates predictive modeling and other techniques. Machine learning may be considered a set of algorithms to help implement predictive analytics.
Predictive modelingThe development of statistical models to predict future events
Preliminary design1. The process of analyzing design alternatives and defining the architecture, components, interfaces and timing and sizing estimates for a system or component
See Detailed design.
2. The result of the process in definition 1
Preliminary findingsDraft strength and weakness statements developed by the appraisal team after evaluating objective evidence. Preliminary findings are validated with appraisal participants prior to the rating and final finding activities.
See Appraisal final findings
PreprocessingProcessing data before it is used to train a model
Preventive application controlApplication control that is intended to prevent an error from occurring. Preventive application controls are typically executed at the transaction level, before an action is performed.
Preventive controlAn internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product
Prime numberA natural number greater than 1 that can only be divided by 1 and itself
PrimitiveA primitive is a fundamental interface, block of code or basic functionality that can be deployed and reused within broader systems or interfaces. Primitives can be combined in various ways to accomplish particular tasks. In cryptosystems, primitives form the building blocks of cryptographic algorithms.
PRINCE2 (Projects in a Controlled Environment)Developed by the Office of Government Commerce (OGC), PRINCE2 is a project management method that covers the management, control and organization of a project
Principal component analysisAn algorithm that looks at the direction with the most variance and then determines that as the first principal component. This is very similar to how regression works in that it determines the best direction to map data.
PrincipleA component of a governance system. Principles translate desired behavior into practical guidance for day-to-day management.
Principle of least privilege (PoLP)A principled approach of controlling what someone can do. This is an extension of need-to-know, whereby individuals are only granted the least amount of system access necessary to perform their jobs.
Principle of least privilege/accessControls used to allow the least privilege access needed to complete a task
Printed circuit board (PCB)The foundation of most electronic devices onto which the electrical components, including semiconductors, connectors, resistors, capacitors, memory chips and processors, are mounted and linked via conductive copper circuits
Prior distributionIn Bayesian inference, a distribution that models the many plausible values of the unknown quantity to be estimated. Bayesian inference then uses data (which is considered unchanging) to build a tighter posterior distribution for the unknown quantity.
PrivacyThe right of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context and according to the purposes for which it was collected or derived
Privacy breachA situation where personally identifiable information (PII) is processed in violation of one or more relevant privacy safeguarding requirements
Privacy by designThe integration of privacy into the entire engineering process
Privacy controlsMeasures that treat privacy risk by reducing its likelihood or consequences. Privacy controls include organizational, physical and technical measures, e.g., policies, procedures, guidelines, legal contracts, management practices or organizational structures. Control is also used as a synonym for "safeguard" or "countermeasure."
Privacy engineeringWithin systems engineering, a discipline focused on maximizing the freedom of data subjects from adverse consequence associated with illicit or illegal disclosures or abuse during (or as a result of) processing
Privacy impactAnything that has an effect on the privacy of personally identifiable information (PII) owned by a data subject and/or group of data subjects
Privacy impact assessmentThe overall process of identifying, analyzing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information (PII) within the broader risk management framework of an enterprise
Privacy incident managementThe process by which an enterprise addresses a privacy breach
Privacy information management system (PIMS)An information security management system that addresses the protection of privacy potentially affected by the processing of personally identifiable information (PII)
Privacy noticeA notification that provides individuals with information on how their personal data will be processed
Privacy policyThe intention, direction, rules and commitment, as formally expressed by the personally identifiable information (PII) controller, related to the processing of PII in a particular setting. It is a set of shared values governing the privacy protection of PII when processed in information and communication technology systems.
Privacy preferencesSpecific choices made by an individual about how their personally identifiable information (PII) should be processed for a particular purpose
Privacy principlesA set of shared values governing the privacy protection of personally identifiable information (PII) when processed in information and communication technology systems
Privacy riskAny risk of informational harm to data subjects and/or organization(s), including deception, financial injury, health and safety injuries, unwanted intrusion and reputational injuries, where the harm or damage goes beyond economic and tangible losses
Privacy risk assessmentA process used to identify and evaluate privacy-related risk and its potential effects
Private blockchainA blockchain system in which all physical and digital assets are owned by one entity, group or permissioned participant
Private branch exchange (PBX)A telephone exchange owned by a private business as opposed to a common carrier or telephone company
Private cloudAn on- or off-premises cloud environment in which a specific enterprise controls all infrastructure resources
Private keyA mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, decrypt messages or files encrypted for confidentiality with the corresponding public key
Private key cryptosystemsA cryptosystem that involves secret, private keys. The keys are also known as "symmetric ciphers" because the same key both encrypts message plaintext from the sender and decrypts resulting ciphertext for a recipient.
See Symmetric cipher
PrivilegeThe level of trust with which a system object is imbued
Privileged access management (PAM)An access control mechanism that uses a combination of people, processes and technology to safeguard identities with special access or capabilities beyond regular users
Privileged access management systemsSolutions that help control, secure, manage and monitor privileged access to critical assets
Privileged userAny user account with greater than basic access privileges. Typically, these accounts have elevated or increased privileges with more rights than a standard user account.
ProbabilityA mathematically driven measure of the possibility of a specific outcome as a ratio of all possible outcomes
Probability distributionFor a discrete random variable, a listing of all possible distinct outcomes and their probabilities of occurring. Because all possible outcomes are listed, the sum of the probabilities must add up to 1.0.
ProbeThe act of inspecting a network or system to find weak spots
ProblemIn IT, the unknown underlying cause of one or more incidents
Problem escalation procedureThe process of escalating a problem from junior to senior support staff and ultimately to higher levels of management
Scope Notes: Problem escalation procedure is often used in help desk management when an unresolved problem is escalated up the chain of command until it is solved.
ProcedureA document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as parts of processes.
Process1. Generally, a collection of activities influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (ISACA)
Scope Notes: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process and the means to measure performance.
2. A set of interrelated activities that transform inputs into outputs to achieve a given purpose (CMMI)
See Process element
Process action teamA team with responsibility for developing and implementing process-improvement activities for an organization
See Process group
Process architectureThe ordering, interfaces, interdependencies and other relationships among the process elements in a standard process or standard processes
Process capabilityA recorded range of expected results that can be achieved by following a process
Process descriptionA record for a specific process. Process descriptions may be documents, embedded or automated steps or instructions in a robot, component, system, tool, or graphical representations, etc.
Process elementThe fundamental unit of a process that cannot be further broken down
Process goalsA statement describing the desired outcome of a process
Scope Notes: An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes. (COBIT 5 perspective)
Process groupThe people or team who hold a process role and are responsible for developing, deploying and updating the organization's process assets
See Process role
Process improvementTasks and activities planned, performed and used to improve an organization's process capability and performance to achieve business objectives more effectively
See Organization’s business objectives
Process improvement objectivesA set of measurement objectives established to focus process improvement in a specific, measurable way that improves performance to achieve an organization’s business objectives and build or improve capability
See Measurement and performance objective, Organization’s business objectives and Quantitative objective
Process improvement planA process improvement plan records the objectives, activities, resources, oversight, schedules, and associated risks to improve processes
Process maturity assessment (PAM)A subjective assessment technique derived from the Software Engineering Institute (SEI) Capability Maturity Model Integration (CMMI) concepts and developed as a COBIT management tool. It provides management with a profile of how well-developed the IT management processes are.
Scope Notes: It enables management to easily place itself on a scale and appreciate what is required if improved performance is needed. It is used to set targets, raise awareness, capture broad consensus, identify improvements and positively motivate change.
Process maturity attributeThe different aspects of a process covered in an assurance initiative
Process measurementActivities performed to collect information and assign numeric values related to the activities, steps and outputs of following a process. This information is analyzed to determine the effectiveness and efficiency of a process.
See Measurement and Process performance
Process monitoringThis context focuses on evaluating process adherence and performance improvement. This can be done within a single organization or included in the teaming relationship between an acquiring organization and a supplier organization. An acquiring organization typically conducts appraisals to monitor supplier process implementation, and results can serve as input toward:
• Tailoring contract monitoring or process monitoring activities
• Deciding incentive/award fees
• Developing and keeping updated risk and opportunity management plans
Process ownerThe person or team responsible for developing, updating or following a process. An organization or project can have multiple owners at different levels of responsibility for:
• An organization’s set of standard processes
• Project-specific and project-defined processes
Process performanceA measure of results achieved by following a process. Process performance may be characterized by both process measures (e.g., effort, cycle time and defect removal efficiency) and solution measures (e.g., reliability, defect density and response time).
See Business performance
Process performance baselineA record and description of historical process performance resulting from following a defined process, which can include central tendency (e.g., mean, median, mode) and variation, and reflects how the process is being performed. Process performance baselines can be used as benchmarks for comparing actual process performance to expected process performance and can be used in process performance models to predict future process performance.
See Process performance and Process performance model
Process performance modelA predictive analytical tool that identifies the controllable factors and describes the relationships between measurable attributes of one or more processes, subprocesses, process elements, or work products
See Process performance baseline and Quality and process performance objectives
Process roleA description of the roles of people who develop, use, or follow a process in an organization. This role is typically recorded in a process description or related artifact, e.g., a roles and responsibility table or matrix. People in these roles provide objective evidence (OE) showing and explaining their roles and responsibilities and how they participate in the processes.
ProcessingAny operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making available), aligning or combining, restricting, erasing or destroying
Scope Notes: In the context of privacy (e.g., GDPR)
Processing PIIOperation or set of operations performed on personally identifiable information (PII). Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.
Processor (Data)A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller
Processor (IT)See Central processing unit (CPU).
Product componentA work product that is a building block of the product or solution. Product components can be integrated to produce the final product or solution. There can be multiple levels of components.
Product life cycleA representation of the set of steps or activities, consisting of phases, that begins at conception of a product or service and ends when the product or service is no longer available for use. For example, a product life cycle could consist of the following phases:
• Concept and vision
• Feasibility
• Design/development
• Production
• Delivery
• Phaseout, retirement or sunset.
Organizations can produce multiple products or services for multiple customers, and so may define multiple product life cycles. These life cycles may be adapted from published literature for use in an organization.
Product lineA group of products:
• Sharing a common, managed set of features
• Satisfying specific needs of a selected market or mission
• Developed from a common set of core assets in a prescribed way
Production programProgram used to process live or actual data that were received as input into the production environment
Production softwareSoftware being used and executed to support normal and authorized organizational operations
Scope Notes: Production software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management.
Professional competenceProven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their standards and codes of practice.
Professional judgementThe application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement
Professional skepticismAn attitude that includes a questioning mind and a critical assessment of audit evidence
Scope Notes: Source: American Institute of Certified Public Accountants (AICPA) AU 230.07
Professional standardsRefers to standards issued by ISACA. The term may extend to related guidelines and techniques that assist the professional in implementing and complying with authoritative pronouncements of ISACA. In certain instances, standards of other professional organizations may be considered, depending on the circumstances and their relevance and appropriateness.
ProfilingThe automated processing of personal data to evaluate or make a decision about an individual. Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements
Program (IT)1. A sequence of instructions suitable for processing. Processing may include the use of an assembler, compiler, interpreter or another translator to prepare the program for execution. The instructions may include statements and necessary declarations.
2. (ISO) To design, write, and test programs
3. (ANSI) In programming languages, a set of one or more interrelated modules capable of being executed
4. Loosely, a routine
5. Loosely, to write a routine
Program (Project Management)A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects could include, but are not limited to, changes in the nature of the business, business processes and the work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure.
Program and project management office (PMO)The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects
Program Evaluation and Review Technique (PERT)A project management technique used in the planning and control of system projects
Program flowchartShows the sequence of instructions in a single program or subroutine
Scope Notes: The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.
Program narrativeProvides a detailed explanation of program flowcharts, including control points and any external input
Programmable read-only memory (PROM)A chip that can be programmed using a PROM programming device. It can be programmed only once. It cannot be erased and reprogrammed. Each of its bit locations is a fusible link. An unprogrammed PROM has all links closed, establishing a known state of each bit. Programming the chip consists of sending an electrical current of a specified size through each link that is to be changed to the alternate state. This causes the fuse to blow, opening that link.
Programming languageA language used to express computer programs. Source: IEEE
See Computer language, High-level language and Low-level language.
Project1. A structured set of activities concerned with delivering a defined capability (one that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-upon schedule and budget (ISACA)
2. A managed set of interrelated activities and resources, including people, that delivers one or more solutions to a customer or end user. A project typically has an intended beginning (project startup) and end and may be continuous. Projects typically operate according to a plan and set of requirements. The term “project” includes where and how the work gets done, whether developing a product, providing a service, performing an organizational function, acquiring and managing suppliers, etc. Work in support of a project is sometimes performed by workgroups. The operational parameters of workgroups can vary based on objectives and should therefore be clearly defined. Workgroups can operate as a project, if designated accordingly. (CMMI)
See Process role and Organizational and in-scope projects.
Project management officer (PMO)The individual responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management
Project ownership riskThe risk that information and technology (I&T) projects fail to meet objectives through lack of accountability and commitment
Project planA management document describing the project approach. The plan typically describes work to be done, resources required, methods to be used, configuration management and quality assurance procedures to be followed, schedules to be met, project organization, etc. Project in this context is a generic term. Some projects may also need integration plans, security plans, test plans, quality assurance plans, etc. (ISACA)
Source: NIST
See Documentation plan, Software development plan, Test plan and Software engineering.
1. A plan that provides the basis for performing and controlling project activities and addresses commitments to the customer. A project plan is based on estimating the attributes of work products and tasks, determining the resources needed, negotiating commitments, producing a schedule and identifying and analyzing risks. Iterating through these activities can be necessary to establish the project plan. (CMMI)
Project portfolioThe set of projects owned by a company
Scope Notes: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project.
Project riskA failed IT project that poses a significant risk to an enterprise, manifesting as lost market share, failure to seize new opportunities or other adverse impacts on customers, shareholders and staff
Project startupInitial time period when a project begins
See Project
Project teamGroup of people responsible for a project whose terms of reference may include the development, acquisition, implementation or maintenance of an application system
Scope Notes: The project team members may include line management, operational line staff, external contractors and IS auditors.
Promiscuous modeAllows the network interface to capture all network traffic irrespective of the hardware device to which the packet is addressed
Proof of elapsed time (PoET)A consensus mechanism algorithm often used on permissioned blockchain networks to randomly decide the next block publisher
Proof of importance (PoI)A variation of proof of stake that takes into consideration the role of validators and shareholders in the blockchain operation
Proof of stake (PoS)Proof of stake is a type of consensus algorithm by which a cryptocurrency blockchain network aims to achieve distributed consensus. In PoS consensus, the creator of the next block of data is chosen via several combinations of random selection and wealth or age (i.e., the stake) within the blockchain. With PoS, miners can mine or validate block transactions based on the amount of cryptocurrency a miner holds. PoS was created as an alternative to PoW, which requires large amounts of energy. PoS gives mining power based on the percentage of cryptocurrency held by a miner. It is seen as less risky in terms of network attacks and security and is used only for public blockchains.
Proof of work (PoW)PoW is conducted through miners (participants who keep the blockchain running by providing computing resources) who are competing to solve a cryptographic problem (i.e., hash puzzle). The PoW algorithm is used to confirm transactions and produce new blocks which are added to the chain. With PoW, miners compete against each other to complete transactions on the network and get rewarded. The computational work required to accomplish this is fairly (and usually increasingly) difficult for miners to perform, but easy for the network to verify. As difficulty increases over time, the amount of computational power, and hence, energy consumption, grows. Bitcoin is the first widespread application use of PoW. PoW is applicable to public blockchains.
Protection domainThe area of the system that the intrusion detection system (IDS) is meant to monitor and protect
Protective measureA measure intended to achieve adequate risk reduction
ProtocolThe rules by which a network operates and controls the flow and priority of transmissions
Protocol codeCryptographically secure code prescribing strict adherence to the design and functioning of blockchains/distributed networks. This code can only be expanded or modified with approval from the network consensus mechanism.
Protocol converterHardware devices that convert between two different types of transmission, such as between asynchronous and synchronous transmissions
Protocol stackA set of utilities that implements a particular network protocol
Scope Notes: For instance, in Windows machines a Transmission Control Protocol/Internet Protocol (TCP/IP) stack consists of TCP/IP software, sockets software and hardware driver software.
PrototypingThe process of quickly putting together a working model (a prototype) to test various aspects of a design, illustrate ideas or features and gather early user feedback. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.
ProvisioningAllocating resources for cloud computing infrastructure or instance
Proxy (sensitive attributes)An attribute used as a stand-in for a sensitive attribute
Proxy serverA server that acts on behalf of a user
Scope Notes: Typical proxies accept a connection from a user, make a decision as to whether the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user.
PseudocodeA combination of programming language and natural language used to express a software design. If used, it is usually the last document produced prior to writing the source code.
PseudonymizationThe processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Public blockchainA blockchain system in which physical and digital assets are decentralized, zero-trust based and hosted/maintained on ephemeral networks and nodes
Public cloudA cloud environment in which resources are shared between enterprises and individuals
Public keyIn an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme
Public key cryptosystemA cryptosystem that combines a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by the mathematically related counterpart private key. Conversely, only the public key can decrypt data that was encrypted by its corresponding private key.
See Asymmetric cipher
Public key encryptionA cryptographic system that uses two keys: a public key, which is known to everyone, and a private or secret key, which is only known to the recipient of the message
See also Asymmetric key
Public key infrastructure (PKI)A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued
Public switched telephone network (PSTN)A communications system that sets up a dedicated channel (or circuit) between two points for the duration of the transmission
Purple teamA cooperative engagement where the red team simulates attacks and exploits while the blue team actively defends against them, allowing for real-time feedback, analysis and evaluation of defensive measures, detection capabilities, incident response processes and overall security controls. The purpose of a purple team is to improve the enterprise’s security posture by enhancing communication and collaboration between the red and blue teams.
Purpose limitationA process where data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
PythonA scripting programming language created in 1994 that is popular for data science
QAThe acronym for quality assurance
QCThe acronym for quality control
Qualitative risk analysisAn approach based on expert opinion, judgment, intuition and experience
QualityA term that means being fit for purpose (and achieving intended value)
Scope Notes: COBIT 5 perspective
Quality and process performance objectivesQuantitative objectives and performance requirements for solution quality and process performance. These objectives include the use of statistical and quantitative analysis on the related data.
See Measurement and performance objectives
Quality assurance (QA)A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements (ISO/IEC 24765)
Quality assurance, software1. A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements
2. A set of activities designed to evaluate the process by which products are developed or manufactured
Quality attributeA property of a solution by which affected stakeholders will judge its quality. Quality attributes are nonfunctional, significantly influence architecture and are characterized by one or more measures.
Scope Notes: Examples include availability, maintainability, modifiability, reliability, responsiveness, scalability, security, timeliness, throughput and usability.
Quality controlThe operational techniques and procedures used to achieve quality requirements
Quality management system (QMS)A system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved enterprise performance
Quantile, quartileWhen a set of sorted values is divided into groups that each have the same number of values (for example, if the values are divided into two groups at the median), each group is known as a quantile. If values are divided into four groups, they are called quartiles, which is a common way to divide values for discussion and analysis purposes. If there are five groups, they are called quintiles, and so forth.
Quantitative managementA type of project management that uses quantitative techniques to understand actual or predicted process performance relative to quality and process performance objectives, variation and corrective action needed to meet the objectives
Quantitative objectiveA desired target value expressed using measures
See Measure, Process improvement objectives and Quality and process performance objectives
Quantitative risk analysisAn approach that is based on a calculation of a risk’s likelihood and impact using numerical and statistical techniques
Quantitatively managed processA defined process evaluated and controlled using statistical and other quantitative techniques. A quantitatively managed process is necessary at the Practice Group Level 4 in the CMMI Practice Areas.
QueueA group of items that is waiting to be serviced or processed
Quick shipA recovery solution provided by recovery and/or hardware vendors that includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs
Scope Notes: The quick ship solution usually provides enterprises with the ability to recover within 72 hours.
RAn open-source programming language and environment for statistical computing and graph generation available for Linux, Windows and Mac
RACI chartA matrix that illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework
RACI modelA method to define and depict roles and responsibilities
Radio-wave interferenceThe superposition of two or more radio waves resulting in a different radio-wave pattern that is more difficult to intercept and decode properly
RAMRandom-access memory
Random forestAn ensemble approach to finding the decision tree that best fits the training data by creating many decision trees and then determining the average one. The random part of the term refers to building each of the decision trees from a random selection of features; the forest refers to the set of decision trees.
Random-access memory (RAM)A type of primary computer memory. RAM is volatile, and data is lost with power loss.
RandomnessAn important concept, also called entropy, in many cryptographic implementations. It is used to create keys, generate initialization vectors (i.e., random values that seed or initialize an algorithm), generate nonces (i.e., single-use, disposable values) and supply padding (i.e., additional data completing a block of fixed length).
Range checkA measurement that ensures that data fall within a predetermined range
Rank (ordinality)The ordinal position of a class in a machine-learning problem that categorizes classes from highest to lowest
RansomwareMalware that restricts access to the compromised system until a ransom demand is satisfied
Ransomware detectorsTools used to detect ransomware
Rapid application development (RAD)A well-defined methodology that enables enterprises to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques
Rapid elasticityThe ability to quickly increase or reduce the amount of resources utilized by a cloud computing instance or infrastructure
Rapid prototypingA structured software requirements discovery technique that emphasizes generating prototypes early in the development process to permit early feedback and analysis in support of that process. Contrasts with incremental development, spiral model and waterfall model.
See Prototyping.
RaterA human who provides labels in examples. Sometimes called an annotator.
Read-only memory (ROM)A type of primary computer memory. ROM is nonvolatile, and data stored there survives power loss.
Real-time analysisAnalysis that is performed on a continuous basis, with results gained in time to alter the run-time system
Real-time database activity monitoring solutionsSolutions that capture database query activity in the present time
Real-time processingA fast-response (immediate response) online system that obtains data from an activity or a physical process, performs computations and returns a response rapidly enough to affect (i.e., control) the outcome of the activity or process, for example in a process control application. Contrasts with batch processing.
Reasonable assuranceA level of comfort short of a guarantee, but considered adequate given the costs of the control and the likely benefits achieved
Reasonableness checkA measurement that compares data to predefined reasonability limits or occurrence rates established for that data
RecallA metric for classification models that answers the following question: Out of all the possible positive labels, how many did the model correctly identify?
RecipientA natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with state law are not regarded as recipients; the processing of those data by those public authorities should be in compliance with the applicable data protection rules, according to the purposes of the processing.
Reciprocal agreementAn emergency processing agreement between two or more enterprises with similar equipment or applications
Scope Notes: Typically, participants in a reciprocal agreement promise to provide processing time to each other when an emergency arises.
RecordA collection of related information that is treated as a unit. Separate fields within the record are used for processing of the information.
Record, screen and report layoutsLayouts that provide information regarding the type of record, its size and the type of data contained in the record (record layouts), or that describe what information is provided and necessary for input (screen and report layouts)
RecoveryThe phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)
Recovery actionA response or task executed to recover from a disruption in operations according to a written procedure
Recovery point objective (RPO)The earliest point in time that is acceptable to recover data, determined based on the acceptable data loss in case of a disruption in operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery strategyAn approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage
Scope Notes: Plans and methodologies are determined by the enterprise's strategy. There may be more than one methodology or solution for an enterprise's strategy. Examples of methodologies and solutions include: contracting for a hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.
Recovery testingA test to check the system’s ability to recover after a software or hardware failure
Recovery time objective (RTO)The amount of time allowed for the recovery of a business function or resource after a disaster occurs
RectificationA data subject’s ability to have any incorrect personal data be corrected
Recurrent neural networkA neural network that is intentionally run multiple times, where parts of each run feed into the next run
Red teamA group of skilled professionals who simulate real-world cyberattacks, security breaches and physical security compromises to evaluate the effectiveness of an enterprise’s defenses. The red team identifies vulnerabilities, weaknesses and potential exploits in the enterprise’s systems, networks, applications and physical security controls. They often use the same tactics, techniques and procedures as real-world adversaries to provide a realistic testing environment.
Redo logsFiles maintained by a system, primarily a database management system (DBMS), for the purpose of reapplying changes following an error or outage recovery
Redundancy checkA test that detects transmission errors by appending calculated bits onto the end of each segment of data
Redundant array of inexpensive disks (RAID)A storage configuration that uses hardware or software to write information to multiple disks to improve performance and fault-tolerant capabilities and/or save large files simultaneously
Redundant siteA recovery strategy involving the duplication of key IT components, including data or key business processes, whereby fast recovery can take place
ReengineeringA process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems
Scope Notes: Existing software systems can be modernized to prolong their functionality. An example is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. Computer-aided software engineering (CASE) includes a source-code reengineering feature.
Reference modelA defined model describing practices and activities that is used for improving performance or as a benchmark for measuring capability or maturity
RefractionA form of signal degradation due to an RF signal being bent, typically when the signal passes through a medium of different density. This can decrease data rates and cause retransmissions.
Registered interpreterA role that works across the spoken languages of all appraisal stakeholders to simultaneously, clearly and accurately interpret and communicate appraisal information. Interpreters must be registered with ISACA. The interpreter’s job is to translate the content of original source information into the spoken language of the Appraisal Team Leader and the appraisal team. Certified CMMI Lead Appraisers may fulfill the role of Registered Interpreter and ATM if approved by ISACA, and consistent with the MDD requirements.
Registered portsPorts 1024 through 49151, which are listed by the IANA and can be used on most systems by ordinary user processes or programs executed by ordinary users
Registration authority (RA)An authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it
Regression analysis and testingA software verification and validation (V&V) task to determine the extent of V&V analysis and testing that must be repeated when changes are made to any previously examined software products
Source: IEEE
See Testing, regression.
Regression analysis toolsTools that provide the information to allow for examination of the relationship between two or more variables
Regression modelA type of model that outputs continuous (typically floating-point) values
Regression testingA testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase
RegulationRules or laws defined and enforced by an authority to regulate conduct
Regulatory requirementsRules or laws that regulate conduct and that the enterprise must obey to be compliant
ReidentificationThe process of discovering the individual to whom deidentified data belong by matching anonymous data with publicly available information or auxiliary data
Reinforcement learningA class of machine-learning algorithms in which the process is not given specific goals to meet but, as it makes decisions, is instead given indications of whether it is doing well or not
RekeyingThe process of changing cryptographic keys. Periodic rekeying limits the amount of data encrypted by a single key.
Relational databaseA database organization method that links files together as required. Relationships between files are created by comparing data, such as account numbers and names. A relational system can take any two or more files and generate a new file from the records that meet the matching criteria.
Routine queries often involve more than one data file, e.g., a customer file and an order file can be linked to answer a question that relates to information in both files, such as the names of the customers that purchased a particular product. Contrasts with network database and flat file.
Relational database management system (RDBMS)A relational database management system (RDBMS) is a collection of programs and capabilities that enable IT teams and others to create, update, administer and interact with a relational database
Scope Notes: Database management systems have evolved from hierarchical to network to relational models. Today, the most widely accepted database model is the relational model. The relational model has three major aspects or conditions of the population. An Oracle database is a collection of data that is treated as a unit.
ReleaseThe formal notification and distribution of an approved version
See Version.
Release candidate (RC)A software version that can possibly be released to end users
Release-candidate push solutionsSolutions that push release-candidate software
Relevance riskThe risk that the correct information may not get to the correct recipients at the correct time to allow the correct action to be taken or the correct decisions to be made
Relevant audit evidenceAudit evidence that pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Relevant informationRelating to controls, information that tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. Information that relates indirectly to the operation of controls can also be relevant, but is less relevant than direct information.
Scope Notes: Refer to COBIT 5 information quality goals.
Relevant sampling factorA sampling factor that describes aspects or conditions that affect the way work is performed in the organizational unit. This effect results in work being performed differently, by either a project team or an organizational function.
See Sampling factors.
Reliable audit evidenceAudit evidence that, in the IS auditor's opinion, is valid, factual, objective and supportable
Reliable informationInformation that is accurate, verifiable and from an objective source
Scope Notes: Refer to COBIT 5 information quality goals.
RemediationActions taken to mitigate or eliminate a vulnerability after it has been identified and assessed
Remote accessAn authorized user’s ability to access a computer or network from anywhere through a network connection
Remote access controllersHardware and software solutions for remote systems management
Remote access service (RAS)Any combination of hardware and software that enables remote access to tools or information that typically reside on a network of IT devices
Scope Notes: Originally coined by Microsoft when referring to its built-in NT remote access tools, RAS was a service provided by Windows NT that allowed most of the assets that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided hardware and software solutions to create remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.
Remote Authentication Dial-in User Service (RADIUS)A type of service providing an authentication and accounting system often used for dial-up and remote access security
Remote job entry (RJE)The transmission of job control language (JCL) and batches of transactions from a remote terminal location
Remote procedure call (RPC)The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., a server)
Scope Notes: The primary benefit derived from using a remote procedure call is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed.
Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.
Removable mediaAny type of storage device that can be removed from the system while it is running
RepeatersA physical layer device that regenerates and propagates electrical signals between two network segments
Scope Notes: Repeaters receive analog or digital signals from a network segment and amplify (regenerate) them to compensate for distortion from transmission loss caused by reduction of signal strength during transmission (i.e., attenuation).
ReplayThe ability to copy a message or stream of messages between two parties and replay (retransmit) them to one or more of the parties
ReplicationIn a broad computing sense, the use of redundant software or hardware elements to provide greater availability and fault-tolerant capabilities. In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance while maintaining consistency across all systems.
RepositoryAn enterprise database that stores and organizes data
RepresentationA signed or oral statement issued by management to professionals, in which management declares that a current or future fact (e.g., a process, system, procedure or policy) is or will be in a certain state, to the best of management’s knowledge
RepudiationA denial by one of the parties to a transaction of participation in all or part of that transaction, or of the content of a communication related to that transaction
Reputation riskThe current and prospective effect on earnings and capital arising from negative public opinion
Scope Notes: Reputation risk affects a bank’s ability to establish new relationships or services, or to continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank’s reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank, because it is easier for its customers to leave for a different bank and since it cannot discuss any problems in person with the customer.
Request for comments (RFC)A document approved by the Internet Engineering Task Force (IETF) and assigned a unique number once published
Scope Notes: If the RFC gains enough interest, it may evolve into an Internet standard.
Request for proposal (RFP)A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product
Requirement1. A condition or capability needed by a user to solve a problem or achieve an objective
2. A condition or capability that must be met or possessed by a system or system component to satisfy a contract, standard, specification or other formally imposed document
3. A documented representation of a condition or capability as in definition 1 or 2
See Design requirement, Functional requirement, Implementation requirement, Interface requirement, Performance requirement and Physical requirement. (ISACA)
4. A recorded description of an aspect, performance or capability required by a user or customer (CMMI)
Requirements analysis1. The process of studying user needs to arrive at a definition of a system, hardware or software requirements
2. The process of studying and refining system, hardware or software requirements (ISACA)
Source: IEEE
See Prototyping and Software engineering.
3. Tasks that determine the needs or conditions to meet a new or altered solution, accounting for multiple perspectives, e.g., balancing stakeholder needs and constraints, the allocation of requirements to components, or breaking down complex requirements to lower-level requirements (CMMI)
Requirements definitionA technique in which affected user groups explain what is needed from a system
Scope Notes: Some of these are business-, regulatory- or security-related requirements as well as development-related requirements.
Requirements elicitationA technique for gathering knowledge or information to proactively identify and record customer and end-user needs
Requirements managementThe process of documenting, analyzing, tracing, prioritizing and agreeing on requirements and then controlling change and communicating to relevant stakeholders. It is a continuous process throughout a project.
Requirements phaseThe period in the software life cycle during which requirements, such as functional and performance capabilities for a software product, are defined and documented
Source: IEEE
Requirements reviewA process or meeting during which the requirements for a system, hardware item or software item are presented to project personnel, managers, users, customers or other interested parties for comment or approval. Types include system requirements review and software requirements review. Contrasts with code review, design review, formal qualification review and test readiness review.
Source: IEEE
Requirements traceabilityA record of the relationships between requirements and related requirements, implementations and verifications
See Bidirectional traceability.
Residual riskThe remaining risk after management has implemented a risk response
Residual security riskThe remaining probability of an event occurring and its consequence that still exists after a risk response has been implemented
ResilienceThe ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect
ResourceAny enterprise asset that can help the organization achieve its objectives
Scope Notes: COBIT 5 and COBIT 2019 perspective
Resource management1. The coordinated activities taken by an enterprise to plan, schedule, and allocate resources to meet its business objectives
Scope Notes: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.
Scope Notes: COBIT 5 perspective
Resource optimizationOne of the governance objectives. Involves effective, efficient and responsible use of all resources—human, financial, equipment, facilities etc.
Scope Notes: COBIT 5 and COBIT 2019 perspective
Resource poolingIn cloud computing, the ability to combine computing resources and services to serve multiple customers at once
Responsible (RACI)In a Responsible, Accountable, Consulted, Informed (RACI) chart, refers to the person who must ensure that activities are completed successfully
Restricted access window (RAW)A set access window in which a device can receive communications from other devices
Restriction of processingThe marking of stored personal data with the aim of limiting their processing in the future
Return on investment (ROI)1. A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered (ISACA)
2. The ratio of benefit of a process or solution improvement to implementation costs to determine the value (CMMI)
Return-oriented programming attacksAn exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions immediately prior to the return instruction in subroutines within the existing program code
Reverse engineeringA software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology
ReviewA process or meeting during which a work product or set of work products is presented to project personnel, managers, users, customers or other interested parties for comment or approval. Types include code review, design review, formal qualification review, requirements review and test readiness review. Contrasts with audit and inspection.
Source: IEEE
See Static analysis.
Ring configurationA type of network architecture in which all stations (nodes) are connected to a multi-station access unit (MSAU) that physically resembles a star-type topology. This configuration is used in either token ring or fiber distributed data interface (FDDI) networks.
Scope Notes: A ring configuration is created when MSAUs are linked together in forming a network. Messages in the network are sent in a deterministic fashion from sender to receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with each receiving node reading those messages addressed to it.
Ring topologyA type of local area network (LAN) architecture in which the cable forms a loop, with stations attached at intervals around the loop
Scope Notes: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. After receiving a message, each station also acts as a repeater, retransmitting the message at its original signal strength.
Risk1. The combination of the likelihood of an event and its impact (ISACA)
2. A potential uncertain event that may be harmful or may negatively impact objective achievement (CMMI)
Risk acceptanceA decision to accept a risk, made according to the risk appetite and risk tolerance set by senior management, where the enterprise can assume the risk and absorb any losses
Risk aggregationThe process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise
Risk analysis1. A process by which the frequency and magnitude of IT risk scenarios are estimated
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Scope Notes: Risk analysis often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.
Risk appetiteThe amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk assessmentA process used to identify and evaluate risk and its potential effects
Scope Notes: Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage project delivery risk and project benefit risk.
Risk avoidanceThe process for systematically avoiding risk, constituting one approach to managing risk
Risk awareness programA program that creates an understanding of risk, risk factors and the various types of risk that an enterprise faces
Risk capacityThe objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence
Risk cultureAn organization's shared values and beliefs that govern attitudes toward risk-taking, care and integrity, and determine how openly risk and losses are reported and discussed
Risk evaluationThe process of comparing estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2002)
Risk factorA condition that can influence the frequency, the magnitude and ultimately the business impact of IT-related risk scenarios
Risk gapA gap that exists when the acceptable level of risk and the current state of risk are different
Risk identificationThe process for determining and documenting the risk an enterprise faces
Risk indicatorA metric capable of showing that the enterprise may realize a risk.
Risk management1. The coordinated activities to direct and control an enterprise with regard to risk
Scope Notes: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite
Scope Notes: COBIT 5 perspective
Risk mapA (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude
Risk mitigation1. The management of risk through the use of countermeasures and controls (ISACA)
2. A set of planned activities that, if performed, may minimize the probability or impact of the risk (CMMI)
Risk ownerThe person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario
Scope Notes: The risk owner may not be responsible for the implementation of risk treatment.
Risk portfolio view1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types or scenarios, or risk concentration or correlation across silos) and the potential effect of risk response across multiple types of risk
Risk reductionThe implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization’s risk tolerance
Risk registerA list of risk scenarios that have been identified, analyzed and prioritized
Risk responseAny combination of risk avoidance, risk acceptance, risk sharing or transfer, or risk mitigation that leads to a situation in which as much future residual risk (i.e., current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits
Risk scenarioA tangible and assessable representation of risk
Scope Notes: One of the key information items needed to identify, analyze and respond to risk (COBIT 2019 objective APO12)
Risk scopeThe selection of items included in the risk activities, based on understanding the full risk universe and then down-selecting to the specific part of the enterprise to which the risk activities will be applied
Risk sharingSee Risk transfer.
Risk sourceAn element that, alone or in combination, has the potential to give rise to risk
Risk statementA description of the current conditions that may lead to a loss, along with a description of the potential loss
Source: Software Engineering Institute (SEI)
Scope Notes: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.
Risk taxonomyA scheme for classifying sources and categories of risk that provides a common language for discussing and communicating risk to stakeholders
Risk toleranceThe acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Risk transferThe process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
Scope Notes: Also known as risk sharing
Risk treatmentThe process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)
Risk universeAn enterprise's overall conception of risk, which encompasses the overall risk environment, defines the areas that risk management activities will address and provides a structure for information and technology (I&T)-related risk management
RobustnessThe degree to which a software system or component can function correctly in the presence of invalid inputs or stressful environmental conditions
See Software reliability.
ROISee Return on Investment.
ROMSee Read-only memory.
Root causeThe underlying source of a defect or problem
Root cause analysisA process of diagnosis to establish the origins of events that can be used for learning from consequences, typically from errors and problems
Root Mean Squared ErrorThe root mean squared error (RMSE) measures the average difference between a statistical model's predicted values and the actual values, computed as the square root of the mean of the squared prediction errors. Because the errors are squared before averaging, large errors weigh more heavily than in the mean absolute error. RMSE is one of the most common performance indicators for regression models.
RootkitA software suite designed to conceal an intruder's presence on a computer system and to preserve unauthorized privileged (administrative) access, typically by subverting the operating system, its drivers or the tools an administrator would use to detect the intrusion
Rotating standbyA failover process in which there are two nodes (as in idle standby but without priority)
Scope Notes: The node that enters the cluster first owns the resource group, and the second will join as a standby node.
Rounding downA method of fraud involving a computer code that instructs the computer to remove small amounts of money from authorized transactions by rounding down to the nearest whole-value denomination and rerouting the rounded-off amount to the perpetrator’s account
RouterA networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model
Scope Notes: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters such as source addresses, destination addresses, protocols and network applications (ports).
RoutineA subprogram that is called by other programs and subprograms
Scope Notes: This term is defined differently in various programming languages. Source: IEEE
See Module.
RS-232 interfaceAn interface between data terminal equipment and data communications equipment employing serial binary data interchange
RSAA public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman, used for both encryption and digital signatures
Scope Notes: An RSA key pair consists of a public key, used to encrypt or to verify signatures, and a private key, used to decrypt or to sign. The security of RSA depends on the difficulty of factoring the modulus into its two prime factors. 512-bit moduli were publicly factored in 1999 and 768-bit moduli in 2009, so the historical guidance of "more than 512 bits" is obsolete; current guidance (for example, NIST SP 800-57) calls for a modulus of at least 2048 bits, and 3072 bits or more for protection beyond 2030. RSA must also be used with a padding scheme such as OAEP (encryption) or PSS (signatures); unpadded "textbook" RSA is malleable and insecure.
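An added example, not part of the glossary: textbook RSA on deliberately tiny primes, showing key generation, encryption and decryption, signing and verification, and the reason modulus size matters: a small modulus is factored by trial division in well under a second, which hands the attacker the private key. The primes are chosen for the example only; no padding is used, so this is not a secure implementation.

```python
# Added example, not from the glossary: textbook RSA on deliberately tiny primes.
# It shows key generation, encryption/decryption, signing/verification, and why
# modulus size matters: a small modulus is factored by trial division in well
# under a second, which hands the attacker the private key. Textbook RSA has no
# padding, so this is not a secure implementation; real systems use OAEP/PSS from
# a vetted library with a modulus of at least 2048 bits. The primes below are
# chosen for the example only.
from math import gcd, isqrt
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive (n, e) and (n, d) from two primes; d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def sign(priv: PrivateKey, digest: int) -> int:
    """Signing is exponentiation of the message digest with the private exponent."""
    n, d = priv
    return pow(digest, d, n)


def verify(pub: PublicKey, digest: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Find p, q with p*q == n. Only feasible because n is tiny; that is the point."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("n is prime or 1")


def recover_private_key(pub: PublicKey) -> PrivateKey:
    """What an attacker does once the modulus is factored: recompute d from phi(n)."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(1000003, 1000033)      # ~40-bit modulus, example only
    c = encrypt(pub, 123456789)
    print(decrypt(priv, c))                   # 123456789
    print(recover_private_key(pub) == priv)   # True: a 40-bit modulus offers no security
```

The same trial division would not finish for a 2048-bit modulus in the lifetime of the universe; the best known factoring algorithms scale sub-exponentially, which is what the key-size guidance in the scope note tracks.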
RubyA scripting language that first appeared in 1996. Ruby is popular in the data science community, but not as popular as Python, which has more specialized libraries available for data science tasks.
RulebaseThe list of rules and/or guidance used to analyze event data
Run instructionsComputer operating instructions that detail the step-by-step processes that are to occur so an application system can be properly executed. These instructions also identify how to address problems that occur during processing.
Run-to-run totalsAggregate numbers that provide evidence that a program processed all input data and that it processed the data correctly
S curveA type of curve that shows the growth of a variable in terms of another variable, often expressed as units of time. The S curve is often mentioned when someone predicts that a rising value will eventually level off.
SafeguardA practice, procedure or mechanism that reduces risk
SafetyA condition of protection from harm. The two key domains of safety are workplace environment and functional safety.
Salami techniqueA method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from authorized transactions and reroute these amounts to the perpetrator’s account
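An added example, not part of the glossary, serving both the "Rounding down" and "Salami technique" entries above and the "Run-to-run totals" entry: a truncating skim beside an honest rounding routine, and the controls that do and do not catch it. The batch of sub-cent interest postings, the account names and the control logic are all constructed for this example. The point a run-to-run total alone does not teach is that a skim which moves the shaved fractions to another account still balances, so the control total passes; account-level reconciliation and the sign of the rounding residual are what expose it.

```python
# Added example, not from the glossary: a rounding-down ("salami") skim beside an
# honest rounding routine, and the controls that do and do not catch it. The batch
# of sub-cent interest postings, the account names and the control logic are all
# constructed for this example.
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")

# Constructed batch: interest computed to four decimal places, to be posted in cents.
BATCH: List[Tuple[str, Decimal]] = [
    ("ACC-1", Decimal("10.4567")),
    ("ACC-2", Decimal("3.2149")),
    ("ACC-3", Decimal("7.7771")),
    ("ACC-4", Decimal("0.9950")),
    ("ACC-5", Decimal("12.3412")),
]
SUSPENSE = "ROUNDING-SUSPENSE"   # where honest rounding differences belong
PERP = "ACC-PERP"                # the perpetrator's account in the fraudulent run


def post_batch(batch, rounding: str, residual_account: str):
    """Post each amount in whole cents and send the sub-cent difference to residual_account.

    Returns (ledger, residuals). ROUND_HALF_UP yields residuals of either sign;
    ROUND_DOWN (truncation, the salami variant) always leaves a non-negative residual.
    """
    ledger: Dict[str, Decimal] = defaultdict(Decimal)
    residuals: List[Decimal] = []
    for acct, amount in batch:
        cents = amount.quantize(CENT, rounding=rounding)
        ledger[acct] += cents
        residual = amount - cents
        ledger[residual_account] += residual
        residuals.append(residual)
    return dict(ledger), residuals


def run_to_run_total_ok(batch, ledger) -> bool:
    """Control total: value in must equal value posted, to the last fraction."""
    return sum(a for _, a in batch) == sum(ledger.values())


def detect_skim(batch, ledger, residuals, expected_accounts) -> List[str]:
    """Layered checks. The control total passes for a balanced skim; the other two catch it."""
    findings = []
    if not run_to_run_total_ok(batch, ledger):
        findings.append("run-to-run control total mismatch")
    for acct in ledger:
        if acct not in expected_accounts:
            findings.append(f"posting to unexpected account {acct}")
    if residuals and all(r > 0 for r in residuals):
        findings.append("rounding residual is one-sided: amounts are being truncated, not rounded")
    return findings


def honest_run() -> List[str]:
    ledger, residuals = post_batch(BATCH, ROUND_HALF_UP, SUSPENSE)
    expected = {a for a, _ in BATCH} | {SUSPENSE}
    return detect_skim(BATCH, ledger, residuals, expected)


def salami_run() -> List[str]:
    ledger, residuals = post_batch(BATCH, ROUND_DOWN, PERP)
    expected = {a for a, _ in BATCH} | {SUSPENSE}
    return detect_skim(BATCH, ledger, residuals, expected)


if __name__ == "__main__":
    print("honest:", honest_run())    # []
    print("salami:", salami_run())    # two findings, but no control-total mismatch
```

Decimal arithmetic is used deliberately: binary floating point would introduce its own sub-cent noise and make the residual check meaningless.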
Sample eligible (SE)A project or organizational support function in an OU that is suitable to be considered for the randomly generated sample (RGS) because the project is performing process activities that are believed to align to model practices
Sampling factorsContext that reflects potential differences in processes and the way work is performed
See Relevant sampling factor.
Sampling riskThe probability that an IT auditor has reached an incorrect conclusion because an audit sample, rather than the entire population, was tested
Scope Notes: While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated.
Sampling stratificationThe process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum
SandboxingRunning code in an isolated environment, for testing or to confine untrusted programs, so that the code's effects (file, network and process access) are restricted to the sandbox and cannot reach the host system
SASA commercial statistical software suite that includes a programming language also known as SAS
ScalarA quantity that has magnitude but no direction in space, such as volume or temperature
ScalingA commonly used practice in feature engineering to tame the range of values of a feature to match the scale of other features in the data set
ScatteringSignal degradation that occurs when a radio frequency (RF) signal strikes rough surfaces or objects smaller than its wavelength and is dispersed in many directions, reducing the energy that reaches the receiver
Schedule riskThe risk that information and technology (I&T) projects will take longer than expected
SchedulingA method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing
Scope creepUncontrolled changes in a project’s scope. Also called requirement creep.
Scope Notes: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of the tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of which products and features are required to bring about the achievement of project objectives or a weak project manager or executive sponsor.
Scoping processA process for identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies
ScoringThe part of a recommendation system that provides a value or ranking for each item produced by the candidate generation phase
Screening routerA router configured to permit or deny traffic based on a set of permission rules installed by the administrator
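An added example, not part of the glossary: a first-match packet filter of the kind a screening router applies, together with a check for rules that can never fire because an earlier rule fully covers them, a common misconfiguration in hand-maintained rule sets. The rules, addresses and packets are constructed for this example; the implicit default when no rule matches is deny.

```python
# Added example, not from the glossary: a first-match packet filter of the kind a
# screening router applies, plus a check for rules that can never fire because an
# earlier rule fully covers them. Rules, addresses and packets are constructed for
# this example; the default when no rule matches is deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR; "0.0.0.0/0" for any
    dst: str
    dport: Optional[int]   # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


# Constructed rule set. Rule 3 is shadowed by rule 0 and will never be evaluated.
RULES: List[Rule] = [
    Rule("permit", "tcp", "0.0.0.0/0",       "10.0.0.0/24",  443),
    Rule("deny",   "tcp", "192.168.1.0/24",  "0.0.0.0/0",    23),
    Rule("permit", "udp", "0.0.0.0/0",       "10.0.0.53/32", 53),
    Rule("permit", "tcp", "192.168.1.10/32", "10.0.0.0/24",  443),
]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule decides; (action, rule index) or ("deny", None) for the implicit default."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, idx
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that some earlier rule fully covers, regardless of action."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.7", "10.0.0.8", 443))    # ('permit', 0)
    print(evaluate(RULES, "tcp", "192.168.1.5", "10.0.0.8", 23))     # ('deny', 1)
    print(evaluate(RULES, "tcp", "192.168.1.5", "10.0.0.8", 22))     # ('deny', None)
    print(shadowed_rules(RULES))                                      # [3]
```

A shadowed rule is harmless when its action matches the rule that covers it, but it becomes a silent hole when an administrator later adds a deny below a broad permit and assumes it takes effect; checking coverage on every change is cheaper than finding out in an incident.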
ScriptingGenerally, the use of an interpreted language (such as Python, Perl or a shell language) to write a program or script that an interpreter runs directly, with no separate compilation step to binary code of the kind required by compiled languages such as C and Java
Secure development life cycleThe inclusion of security in the software development life cycle
Secure Electronic Transaction (SET)A standard, developed by Visa and MasterCard in the late 1990s and now obsolete, that was intended to ensure that credit card and associated payment order information traveled safely and securely between the parties involved in an Internet transaction
Secure multiparty computation (SMPC or MPC)A cryptographic technique in which multiple parties jointly compute a function over their combined inputs while each party's input remains private from the others; only the agreed output is revealed
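An added example, not part of the glossary: secure multiparty computation by additive secret sharing, the simplest honest-but-curious MPC protocol. Three parties learn the sum of their private inputs without any party, or any coalition smaller than all of them, learning another party's input. The inputs, party count and field prime are constructed for this example; a production protocol additionally needs authenticated private channels and, against malicious parties, message authentication codes or verifiable sharing.

```python
# Added example, not from the glossary: secure multiparty computation by additive
# secret sharing, the simplest honest-but-curious MPC. Inputs, party count and the
# field prime are constructed for this example; a production protocol also needs
# authenticated channels and, for malicious parties, MACs or verifiable sharing.
import secrets
from typing import List

P = 2**61 - 1   # prime field; all arithmetic is modulo P


def share(secret: int, n: int) -> List[int]:
    """Split secret into n additive shares: n-1 uniform random values plus a balancing share."""
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


def reconstruct(shares: List[int]) -> int:
    """All n shares are needed; any n-1 of them are uniformly random and reveal nothing."""
    return sum(shares) % P


def private_sum(inputs: List[int]) -> int:
    """Protocol: each party shares its input, parties add received shares, partial sums are combined."""
    n = len(inputs)
    # Round 1: party i splits x_i and sends share j to party j (over a private channel).
    dealt = [share(x, n) for x in inputs]
    # Round 2: party j adds the n shares it holds. Its view is dealt[i][j] for all i,
    # each of which is uniform in the field and independent of x_i.
    partials = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    # Round 3: partial sums are published; their reconstruction is the total.
    return reconstruct(partials)


def party_view(dealt: List[List[int]], j: int) -> List[int]:
    """What party j sees: one share from every party, none of which determines any input."""
    return [dealt[i][j] for i in range(len(dealt))]


if __name__ == "__main__":
    salaries = [52000, 61000, 47500]        # constructed private inputs
    print(private_sum(salaries))            # 160500, without any salary being disclosed
```

Addition is the easy case because shares add locally; multiplication requires an extra interactive round (for example, Beaver triples), which is where most of the cost of practical MPC lies.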
Secure Multipurpose Internet Mail Extensions (S/MIME)Cryptographic security services for electronic messaging applications: authentication, message integrity and nonrepudiation of origin (using digital signatures); and privacy and data security (using encryption) to provide a consistent way to send and receive MIME data (RFC 2311)
Secure Shell (SSH)Network protocol that uses cryptography to secure communication, remote command line login and remote command execution between two networked computers
Secure Sockets Layer (SSL)A protocol used to protect data transmitted across the Internet, now deprecated in favor of its successor, Transport Layer Security (TLS)
Scope Notes: During the SSL handshake the server's public key, certified by a digital certificate, is used to authenticate the server and to agree on a session key; the data transferred over the connection is then encrypted with that symmetric session key, not with the server's private key. All SSL versions (2.0 and 3.0) have known weaknesses and should be disabled in favor of TLS 1.2 or later.
Security administratorThe person responsible for implementing, monitoring and enforcing security rules established and authorized by management
Security as a Service (SecaaS)The next generation of managed security services dedicated to the delivery over the Internet of specialized information-security services
Security awarenessThe extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
• Security and the levels of security appropriate to the enterprise
• The importance of security and consequences of a lack of security
• Their individual responsibilities regarding security (and act accordingly)
Scope Notes: This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), United Kingdom, 1993.
Security awareness campaignA predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem. Each security awareness program consists of several security awareness campaigns.
Security awareness coordinatorThe individuals responsible for creating and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program. They are also responsible for ensuring that all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.
Security awareness programA clearly and formally defined plan, structured approach and set of related activities and procedures with the objective of realizing and maintaining a security-aware culture
Scope Notes: This definition clearly states that the goal is to realize and maintain a security- aware culture, i.e., attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one-time effort but a continuous process.
Security forumResponsible for information security governance within the enterprise
Scope Notes: A security forum can be part of an existing management body. Because information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the enterprise. Typically, a security forum has the following tasks and responsibilities:
• Defining a security strategy in line with the business strategy
• Identifying security requirements
• Establishing a security policy
• Creating an overall security program or plan
• Approving major initiatives to enhance information security
• Reviewing and monitoring information security incidents
• Monitoring significant changes in the exposure of information assets to major threats
Security incidentA series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. A security incident typically includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified.
Security incident response team (SIRT)Cross-functional team responsible for addressing security incidents
Security managementThe process of establishing and maintaining security for a computer or network system
Scope Notes: The stages of the process of security management include prevention of security problems, detection of intrusions and investigation of intrusions and resolution. In network management, the stages comprise controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.
Security metricsA standard of measurement used in management of security-related activities
Security modelAn engineering model informed by policies that specify how a system will enforce security
Security perimeterThe boundary that defines the area of security concern and security policy coverage
Security policyA high-level document representing an enterprise’s information security philosophy and commitment
Security proceduresThe formal documentation of operational steps and processes that specify how security goals and objectives established in the security policy and standards are to be achieved
Security resilienceThe ability to prepare for and adapt to changing conditions and withstand and recover rapidly from security disruptions, including cybersecurity. Resilience includes the capability to withstand and recover from deliberate attack, accidents or naturally occurring threats, vulnerabilities or other security events
Security reviews and evaluationsThe coverage or inclusion of security needs, constraints, efforts and activities in a continuous manner over time throughout the life cycle of a solution or when triggered by a security event. These reviews and evaluations focus on identifying and addressing, and when possible, preventing the most critical and urgent security issues first. Security events, trends, potential threats and disruptions can also trigger reviews or evaluations.
Security softwareSoftware used to administer security, which usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions
Security standardsPractices, directives, guidelines, principles or baselines that state the required work and focus areas of current relevance and concern and are a translation of issues already mentioned in the security policy
Security steps or actionsThe terms used interchangeably to indicate the same intent or meaning as “security measures” in the CMMI Product Suite®. Most security standards and frameworks refer to “security measures,” where measures are not measurements (a noun) but rather steps or actions (a verb).
Security testingAssurance that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or misuses of the system or its information
Security threatsAny circumstance or event with the potential to adversely impact organizational operations, including mission, functions, assets, personnel, processes, systems or brand reputation, through unauthorized access, destruction, disclosure or modification of information, or denial of service. Source: CMMC (adapted)
Security tokenIn the context of digital assets, a token created to represent a quantity of a specified investment, including rights to ownership, payment of a specific sum under a contract, entitlement to future profits, etc. Not to be confused with an authentication token, a hardware or software device that generates or stores a credential used to prove a user's identity.
Security vulnerabilitiesWeakness in a solution, information system, system security procedure, internal control or implementation that could be exploited by a threat source
Source: CMMC/NIST SP 800-30 Rev 1
Security/transaction riskThe current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position and manage information
Scope Notes: Security risk is evident in each product and service offered, and it encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.
SegmentationSee Network segmentation
Segregation of duty (SoD)See Segregation/separation of duties (SoD).
Segregation/ separation of duties (SoD)A basic internal control that prevents or detects errors and irregularities by assigning the responsibility for initiating and recording transactions and the custody of assets to separate individuals
Scope Notes: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.
SemiconductorA material, most often silicon, whose electrical conductivity lies between that of a conductor and an insulator and which serves as the substrate on which integrated circuits are built
Senior managementThe person or persons who provide the policy and overall guidance for the process but do not typically provide the direct day-to-day monitoring and controlling of the process. A senior manager has authority to direct the allocation or reallocation of resources in support of organizational process improvement effectiveness. A senior manager can be any manager who satisfies this description, including the CEO of the organization.
Sensitive attributeA human attribute that may be given special consideration for legal, ethical, social or personal reasons
Sensitive PIICategory of personally identifiable information (PII), either whose nature is sensitive, such as those that relate to the PII principal’s most intimate sphere, or that might have a significant impact on the PII principal. It can consist of PII that reveals the racial origin; political opinions or religious or other beliefs; personal data on health, sex life or criminal convictions; and other PII that may be defined as sensitive.
SensitivityA measure of the impact that improper disclosure of information may have on an enterprise
SensorA device or component that gathers information critical to an IoT application and converts it to data
Separation of duty (SoD)See Segregation/separation of duties (SoD).
Sequence checkVerification that the control number follows sequentially and any control numbers out of sequence are rejected or noted in an exception report for further research
Scope Notes: Can be alpha or numeric and usually utilizes a key field
Sequential fileA computer file storage format in which one record follows another
Scope Notes: Records can be accessed sequentially only.
Serial correlationThe relationship between a variable and a lagged version of itself over various time intervals. Repeating patterns often show serial correlation when the level of a variable affects its future level.
ServerA computer or program in a network that provides programs, data or other services to the multiple users or client systems that request them
ServiceAn activity that provides a promised exchange of value between a service provider and customer, product or work product. Services do not always produce tangible or storable products; in such instances, the service itself is the deliverable.
See Solution.
Service bureauA computer facility that provides data processing services to clients on a continual basis
Service catalogueStructured information on all IT services available to customers
Scope Notes: COBIT® 5 perspective
Service delivery objective (SDO)The level of services directly related to the business needs that must be reached during the alternate process mode until the normal situation is restored
Service deskThe point of contact within the IT organization for users of IT services
Service level agreement (SLA)1. An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured (ISACA)
2. A contract between a service provider, either internal or external, and the customer or end user that defines the level of service expected from the service provider. SLAs are output-based in that their purpose is specifically to define what the customer will receive. SLAs do not define how the service itself is provided or delivered. (CMMI®)
Service providerAn organization supplying services to one or more (internal or external) customers.
Service set identifier (SSID)A name of up to 32 characters, carried in the header of packets sent over a wireless local area network (WLAN), that identifies the network a device is trying to join
Scope Notes: The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. Because the SSID is transmitted in plaintext and can be sniffed from any packet, it is a network name, not a secret, and supplies no security to the network; hiding the SSID is not a substitute for WPA2/WPA3 authentication and encryption.
Service systemAn integrated and interdependent combination of components that satisfy stakeholder requirements
Service system componentA process, work product, person, consumable, customer or other resource required for a service system to deliver value that can include components owned by the customer or a third party
Service system consumableAn item used by the service system that ceases to be available or becomes permanently changed by its use during the delivery of a service
Service userThe organization using the outsourced service
Service-oriented architecture (SOA)An architectural style in which application functionality is packaged as loosely coupled, reusable services with well-defined interfaces that can be discovered and combined over a network to build larger applications
ServletA Java class that runs inside a web server (servlet container) and handles client requests, typically over HTTP
Scope Notes: A Java servlet is similar to a common gateway interface (CGI) program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.
Session border controller (SBC)Security features for Voice-over IP (VoIP) traffic similar to that provided by firewalls
Scope Notes: SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DoS) attacks and provide network address and protocol translation features.
Shadow ITThe use of systems, services, hardware or software on an enterprise network or within an enterprise’s infrastructure without proper vetting and approval from the IT or cybersecurity department
ShallAn indication of a method requirement and hence not a tailoring option when used in any statement in the Appraisal Method Definition Document (MDD). In the MDD, “shall” may be used interchangeably with the word “must.”
See Must
Shared responsibility modelA cloud security framework that dictates the security obligations of a cloud service provider and its users to ensure accountability
Shared visionA common understanding of guiding principles, including mission, objectives, expected behavior, values and final outcomes developed and used by a project or work group
ShellThe command line interpreter of an operating system (for example, bash, zsh or PowerShell) and, by extension, the scripting environment it provides. Shell tools popular for data wrangling on Linux (and either included with or easily available for Mac and Windows machines) include grep, diff, split, comm, head and tail; scripting languages such as Perl and Python are often used alongside them.
Shell programmingA script written for the shell or command line interpreter of an operating system and often considered a simple domain-specific programming language
Scope Notes: Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a UNIX shell, while command.com (DOS) and cmd.exe (Windows) command line scripts are usually called batch files. Many shell script interpreters also act as a command line interface such as the various UNIX shells, Windows PowerShell or the MS-DOS command.com. Others, such as AppleScript, add scripting capability to computing environments lacking a command line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL).
SidechainA separate blockchain that links data entries or transactions to a primary blockchain, allowing operations both from and to the sidechain
Sign-on procedureThe procedure performed by a user to gain access to an application or operating system
Scope Notes: If the users are properly identified and authenticated by the system’s security, they will be able to access the software.
Signal-to-noise ratio (SNR)The ratio of the power of a desired signal to the power of the background noise, usually expressed in decibels (dB). A positive SNR means the signal is stronger than the noise by that margin; 0 dB means the two are equal; a negative SNR means noise dominates and the signal is generally unusable without special coding.
Signature verification solutionsSecure solutions used to validate the identity of an individual
Significant deficiencyA deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight
Scope Notes: A material weakness is a significant deficiency or a combination of significant deficiencies that result in more than a remote likelihood of an undesirable event(s) not being prevented or detected.
Simple fail-overA fail-over process in which the primary node owns the resource group
Scope Notes: The backup node runs a noncritical application (e.g., a development or test environment) and takes over the critical resource group but not vice versa.
Simple Mail Transfer Protocol (SMTP)The standard electronic mail (email) protocol on the Internet for transmitting messages between mail servers
Simple Object Access Protocol (SOAP)A platform-independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet
Scope Notes: Use of SOAP may provide a significant security risk to web application operations because use of SOAP piggybacks onto a web-based document object model and is transmitted via HyperText Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.
Simple Text-Oriented Message Protocol (STOMP): A plaintext protocol with semantics similar to HTTP designed for messaging applications
Single factor authentication (SFA): Authentication process that requires only the user ID and password to grant access
Single point of failure: A resource whose loss will result in the loss of service or production
Single sign-on (SSO): A single point authentication system used by multiple systems and applications
Size: Number of items or volume of work effort or work products being produced, such as activities, pages, requirements, number of components, solutions. Use size as a basis for scoping when producing estimates and plans.
Skill: The learned capacity to achieve predetermined results
Scope Notes: COBIT® 5 and COBIT® 2019 perspective
Slack time (float): Time in the project schedule, the use of which does not affect the project’s critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships
Scope Notes: Slack time is commonly referred to as "float" and generally is not "owned" by either party of the transaction.
Small form factor: An engineering design that allows device components to use as little physical space as possible while still remaining functional
SMART (SMART): Specific, measurable, attainable, realistic and timely, generally used to describe appropriately set goals
Smart card: A small electronic device that contains electronic memory and possibly an embedded integrated circuit
Scope Notes: Smart cards can be used for a number of purposes including the storage of digital certificates or digital cash, or they can be used as a token to authenticate users.
Smart contract: Software (computer code) that automatically executes transactions and/or enforces agreements based on the fulfillment of the terms of the agreement by leveraging decentralized ledger technology that uses public validation to ensure correct and reliable performance according to agreed rules
Sniff: The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software
Sniffers: Programs or hardware that monitor Internet traffic in real time
Sniffing: The process by which data traversing a network are captured or monitored
Social engineering: An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information
Social IoT (SIoT): A network of IoT-enabled devices that work together to provide a service or feature
Soft fork: A software upgrade that is backward compatible with previous versions of the blockchain software. Thus, a soft fork does not require all blockchain nodes to upgrade to maintain functionality.
Software: Programs, procedures, rules and any associated documentation pertaining to the operation of a system. It contrasts with hardware.
See Application software, Operating system, System software and Utility software.
Software as a Service (SaaS): Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface, such as a web browser (e.g., web-based email).
Software as a service, platform as a service and infrastructure as a service (SPI): The acronym used to refer to the three cloud delivery models
Software development kit (SDK): A group of utilities and libraries provided by a manufacturer or open source community to develop software for a particular framework or device
Software development plan: The project plan for the development of a software product. It contrasts with software development process and software life cycle.
Software development process: The process by which user needs are translated into a software product. The process involves translating user needs into software requirements, transforming the software requirements into design, implementing the design in code, testing the code and sometimes installing and reviewing the software for operational activities. Note that these activities may overlap or be performed iteratively.
See Incremental development, Rapid prototyping, Spiral model and Waterfall model.
Software distribution solutions: Applications that build software installation packages and distribute them to end users
Software documentation: Technical data or information, including computer listings and printouts in human-readable form, that describe or specify the design or details, explain the capabilities or provide operating instructions for using the software to obtain desired results from a software system. Types of software documentation include:
• Project planning documents, i.e., software development plans and software verification and validation (V&V) plans
• Software requirements and design specifications
• Test documentation
• Customer-deliverable documentation
• Program source code
• Representation of software solutions implemented in firmware
• Reports, e.g., review, audit and project status
• Data, i.e., defect detection and test
It contrasts with software item.
See: Specification; Specification, requirements; Specification, design; Software design description; Test plan, Test report, User's guide.
Software element analysis: See Software review.
Software engineering: The application of a systematic, disciplined, quantifiable approach to the development, operation and maintenance of software, i.e., the application of engineering to software
See Project plan, Requirements analysis, Architectural design, Structured design, System safety, Testing and Configuration management.
Software engineering environment: The hardware, software and firmware used to perform a software engineering effort. Typical elements include computer equipment, compilers, assemblers, operating systems, debuggers, simulators, emulators, test tools, documentation tools and database management systems.
Software life cycle: Period of time, beginning when a software product is conceived and ending when the product is no longer available for use. The software life cycle is typically broken into phases, denoting activities, such as requirements, design, programming, testing, installation, operation and maintenance. It contrasts with software development process.
See Waterfall model.
Software reliability: 1. The probability that software will not cause the failure of a system for a specified time under specified conditions. The probability is a function of the inputs to and use of the system in the software. The inputs to the system determine whether existing faults, if any, are encountered.
2. The ability of a program to perform its required functions accurately and reproducibly under stated conditions for a specified period of time
Software review: An evaluation of software elements to ascertain discrepancies from planned results and to recommend improvement. This evaluation follows a formal process. It is synonymous with software audit.
See Code audit, Code inspection, Code review, Code walk-through, Design review, Specification analysis and Static analysis.
Software-defined access (SD-Access): An intent-based networking technology that enables reduction of manual work, faster resolution of performance issues and better security. It is an evolution of SDN.
Software-defined networking (SDN): Microsegmentation network infrastructure technology that separates the management and data planes. Typically used on core distribution networks, SDN aids performance management, policy administration and bandwidth on demand.
Software-defined wide area network (SD-WAN): An extension of SDN across a WAN. It focuses on routing and traffic prioritization.
Solution: A product, product component, service, service system, service system component or delivered or acquired product or service including relevant safety or security components
Solution component: A work product that is a building block of the solution. Solution components are integrated to produce the solution. There can be multiple levels of solution components.
See Product component
Solution stack: A collection of hardware, software and services that work simultaneously to provide an enterprise or user with a final product
SOPs: Standard operating procedures
Source code: Computer instructions and data definitions documented in a form suitable for input to an assembler, compiler or other translator
Source code compare program: Assurance that the software being audited is the correct version of the software by providing a meaningful listing of any discrepancies between the two versions of the program
Source document: The form used to record data that have been captured
Scope Notes: A source document may be a piece of paper, a turnaround document or an image displayed for online data input.
Source lines of code (SLOC): Often a deriver of single-point software-size estimations
Source program: A computer program that must be compiled, assembled or otherwise translated to be executed by a computer. It contrasts with object program.
See Source code.
Source routing specification: A transmission technique where the sender of a packet can specify the route that packet should follow through the network
Spaghetti code: Program source code written without a coherent structure. It implies the excessive use of GOTO instructions and contrasts with structured programming.
Spam: Computer-generated messages sent as unsolicited advertising
Spanning port: A port configured on a network switch to receive copies of traffic from one or more other ports on the switch
Spatiotemporal data: Time series data that also include geographic identifiers, such as latitude-longitude pairs
Spear phishing: An attack designed to entice specific individuals or groups to reveal important information. Social engineering techniques are used to masquerade as a trusted party to obtain important information, such as passwords from the victim.
Special cause of variation: A cause of process variation that is a result of a known factor that results in a nonrandom distribution of output. It is also referred to as “exceptional” or “assignable” cause variation and is temporary in nature and not an inherent part of the process.
See Common cause of variation
Specification tree: A diagram that depicts all the specifications for a given system and shows their relationship to one another
Source: IEEE
Specification, requirements: A specification that documents the requirements of a system or system component. It typically includes functional requirements, performance requirements, interface requirements, design requirements (attributes and constraints), development (coding) standards, etc. This contrasts with "requirement."
Source: NIST
Spiral model: A model of the software development process in which the constituent activities (typically requirements analysis, preliminary and detailed design, coding, integration and testing) are performed iteratively until the software is complete. It is synonymous with "evolutionary model." Spiral model contrasts with "incremental development," "rapid prototyping" and "waterfall model."
Split data systems: A condition in which each of an enterprise’s regional locations maintains its own financial and operational data while sharing processing with an enterprise-wide, centralized database
Scope Notes: Split data systems permit easy sharing of data while maintaining a certain level of autonomy.
Split domain name system (DNS): An implementation of DNS that is intended to secure responses provided by the server such that different responses are given to internal vs. external users
Split knowledge/split key: A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items. This is a condition under which two or more entities separately have key components that individually convey no knowledge of the plaintext key that will be produced when the key components are combined in the cryptographic module.
Spoofing: The act of faking the sending address of a transmission in order to gain illegal entry into a secure system
SPOOL (simultaneous peripheral operations online) (SPOOL): An automated function that can be based on an operating system or application in which electronic data transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information
Scope Notes: Spool allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue with other operations instead of waiting on the slower speed receiving device, such as a printer.
SPSS: A commercial statistical software package used for predictive analysis
Spyware: Software whose purpose is to monitor a computer user’s actions (e.g., websites visited) and report these actions to a third party without the informed consent of that machine’s owner or legitimate user
SQL (SQL): The ISO standard query language used by application programmers and end users to access relational databases. Variations of this popular language are often available for data storage systems that are not strictly relational.
SQL injection: An attack that results from the failure of an application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design.
Source: MITRE
Stable process: The state in which special causes of process variation have been removed from the process and prevented from recurring. In a stable process, only common cause variation of the process remains.
See Capable process, Common cause of variation and Special cause of variation
Stablecoins: A type of cryptocurrency that is tied to an outside currency, such as the US dollar, to stabilize its value
Stage-gate: A point in time when a program is reviewed and a decision is made to commit expenditures to the next set of activities on a program or project, to stop the work altogether or to put a hold on execution of further work
Stakeholder: Anyone who has a responsibility for, an expectation of or some other interest in an enterprise
Scope Notes: Examples include shareholders, users, government, suppliers, customers and the public.
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO)
Standard deviation: The square root of a variance and a common way to indicate how different a particular measurement is from the mean
Standard normal distribution: A normal distribution with a mean of 0 and a standard deviation of 1. When graphed, it is a bell-shaped curve centered around the y axis, where x=0.
Standard operating procedures (SOP): Written procedures that prescribe and describe the steps to be taken in normal and defined conditions and that are necessary to ensure control of production and processes
Standardized score: A score that transforms a raw score into units of standard deviation above or below the mean. This translates the scores so they can be evaluated in reference to the standard normal distribution.
Standing data: Permanent reference data used in transaction processing
Scope Notes: These data are changed infrequently, e.g., a product price file or a name and address file.
Star topology: A type of local area network (LAN) architecture that utilizes a central controller to which all nodes are directly connected
Scope Notes: With star topology, all transmissions from one station to another pass through the central controller, which is responsible for managing and controlling all communication. The central controller often acts as a switching device.
Stata: A commercial statistical software package; not to be confused with "strata"
State: A condition or mode of existence in which a system, component or simulation may be, e.g., the preflight state of an aircraft navigation program or input state of a given channel
State diagram: A diagram that depicts the states that a system or component can assume and shows the events or circumstances that cause or result from a change from one state to another. It is synonymous with "state graph."
See State-transition table
Stateful inspection: A firewall architecture that tracks each connection traversing all interfaces of the firewall and makes sure they are valid
Statement of objectives (SOO): The recorded top-level objectives of an acquisition or procurement used to guide discussions and negotiations between the acquirer and supplier
Statement of work (SOW): A description of work to be performed and their respective groupings of tasks or activities
See Memorandum of agreement
Static analysis: An analysis of information that occurs on a noncontinuous basis; also known as interval-based analysis
Statistical and other quantitative techniques: A term used to acknowledge that while statistical techniques are required, other quantitative techniques can also be used effectively. Analytic techniques allow parameters describing a task or work product to be quantified.
Use statistical and other quantitative techniques to:
• Analyze variation in process performance
• Monitor the selected processes that help achieve quality and process performance objectives
This term is used at levels 4 and 5, where practices describe how statistical and other quantitative techniques are used to improve understanding of work groups and organizational processes and performance.
See Statistical techniques and Quantitative management
Statistical process control: Statistical analysis that identifies common and special causes of process variation and seeks to maintain process performance within limits
See Common cause of variation, Special cause of variation and Statistical techniques
Statistical sampling: A method of selecting a portion of a population by means of mathematical calculations and probabilities for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population
Statistical stratification: A method of selecting a portion of a population by means of mathematical calculations and probabilities for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population
Statistical techniques: Mathematical techniques used with the collection, analysis, interpretation and presentation of masses of numerical data to understand process variation and predict process performance.
Examples include sampling techniques, analysis of variance, chi-squared tests, regression analysis and process control charts.
Statutory requirements: Laws created by government institutions
Storage area networks (SANs): A variation of a local area network (LAN) that is dedicated for the express purpose of connecting storage devices to servers and other computing devices
Scope Notes: SANs centralize the process for the storage and administration of data.
Storage device: A unit into which data or programs can be placed, retained and retrieved
See Memory.
Storage limitation: The principle that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Strata, stratified sampling: Sampling technique used to divide the units into homogeneous groups (strata) and draw a simple random sample from each group
Strategic planning: The process of deciding on the enterprise’s objectives, changes in these objectives, and the policies to govern their acquisition and use
Strategic risk: The risk associated with the future business plans and strategies of an enterprise
Strength: A type of preliminary or final finding that is an exemplary or noteworthy implementation of a process that meets the intent and value of a CMMI model practice
Strengths, weaknesses, opportunities and threats (SWOT): A combination of an organizational audit listing the enterprise’s strengths and weaknesses and an environmental scan or analysis of external opportunities and threats
String: 1. A sequence of characters
2. A linear sequence of entities, such as characters or physical elements
Structured design: Any disciplined approach to software design that adheres to specified rules based on principles such as modularity, top-down design and stepwise refinement of data; system structure and processing steps
See Data structure centered design, Input-processing-output, Modular decomposition, Object-oriented design, Rapid prototyping, Stepwise refinement, Structured programming, Transaction analysis, Transform analysis, Graphical software specification/design documents, Modular software and Software engineering.
Structured programming: Any software development technique that includes structured design and results in the development of structured programs
See Structured design.
Structured Query Language (SQL): A language used to interrogate and process data in a relational database. Originally developed for IBM mainframes, many implementations have been created for mini- and microcomputer database applications. SQL commands can be used to interactively work with a database or embedded with a programming language to interface with a database.
Subject access: This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data
Subject access request: Request by data subject to receive a copy of personal data that an enterprise processes, to understand the purpose of said processing, or to understand and/or delimit how the data may be shared by the enterprise
Subject matter: The specific information subject to an IS auditor’s report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity)
Subprocess: A process that is part of a larger process. Subprocesses can be further decomposed into subprocesses and/or process elements.
See Process, Process description and Process element
Subprogram: A separately compilable, executable component of a computer program. Note that this term is defined differently in various programming languages.
See Coroutine, Main program, Routine and Subroutine.
Subroutine: A routine that returns control to the program or subprogram that called it. Note that this term is defined differently in various programming languages.
See Module.
Subroutine trace: A record of all or selected subroutines or function calls performed during the execution of a computer program and, optionally, the values of parameters passed to and returned by each subroutine or function
Substantive testing: Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period
Sufficient audit evidence: Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions
Sufficient evidence: The measure of the quantity of audit evidence; sufficient evidence supports all material questions to the audit objective and scope
Scope Notes: See evidence
Sufficient information: Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.
Scope Notes: Refer to COBIT 5 information quality goals
Suitable information: Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information
Scope Notes: Refer to COBIT 5 information quality goals
Supervised learning: A type of machine learning algorithm in which a system is taught to classify input into specific, known classes
Supervisory authority: An independent public authority
Supervisory control and data acquisition (SCADA): Systems used to control and monitor industrial and manufacturing processes and utility facilities
Supplier: An entity having an agreement with an acquirer to design, develop, manufacture, maintain, modify, deliver or supply solutions under terms of an agreement. Examples include individuals, partnerships, companies, corporations, and associations.
See Acquirer
Supplier deliverable: An item to be provided to an acquirer or other recipient as specified in an agreement. The item can be a document, hardware or software item, service, solution, or any type of work product.
Supply chain management (SBx): A concept that allows an enterprise to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and service its customers
Support software: Software that aids in the development and maintenance of other software, e.g., compilers, loaders and other utilities
Surge suppressor: Filters out electrical surges and spikes
Suspense file: A computer file used to maintain information (transactions, payments or other events) until the proper disposition of that information can be determined
Scope Notes: Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.
Sustainment appraisal: A consistent and reliable assessment method that is a type of benchmark appraisal with reduced sampling. A sustainment appraisal can only be performed if eligibility requirements are met.
This includes clear and repeatable process steps that when followed are capable of achieving high accuracy and reliable appraisal results through the collection of objective evidence (OE) from multiple sources. A maturity level (ML) profile or capability level (CL) profile must be produced as part of this appraisal process and allows Appraisal Sponsors to compare an organization’s or project’s process implementation with others. Like other appraisal methods, sustainment appraisals identify opportunities for improving both process implementation and business performance.
Switches: A data link layer device that enables local area network (LAN) segments to be created and interconnected, giving the added benefit of reducing collision domains in Ethernet-based networks
Symmetric cipher: An algorithm that encrypts data using a single key. In symmetric cryptographic algorithms, a single key is used for encipherment (encrypting) and decipherment (decrypting).
Symmetric key encryption: A system in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. The same key is used for encryption and decryption.
See Private key cryptosystem
Synchronize (SYN): A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission
Synchronous: A term that means occurring at regular, timed intervals, i.e., timing dependent
Synchronous transmission: Block-at-a-time data transmission
Syntax: The structural or grammatical rules that define how symbols in a language are to be combined to form words, phrases, expressions and other allowable constructs
System1. People, machines and methods organized to accomplish a set of specific functions
2. A composite, at any level of complexity, of personnel, procedures, materials, tools, equipment, facilities and software. The elements of this composite entity are used together in the intended operational or support environment to perform a given task or achieve a specific purpose, support or mission requirement. (DOD)
System analysisA systematic investigation of a real or planned system to determine its functions and how they relate to each other and any other system
See Requirements phase
System designA process of defining the hardware and software architecture, components, modules, interfaces and data for a system to satisfy specified requirements
See Design phase, Architectural design and Functional design
System design reviewA review conducted to evaluate the manner in which the requirements for a system have been allocated to configuration items, the system engineering process that produced the allocation, the engineering planning for the next phase of the effort, manufacturing considerations and the planning for production engineering
Source: IEEE
See Design review
System development life cycle (SDLC)The phases deployed in the development or acquisition of a software system
Scope Notes: SDLC is an approach used to plan, design, develop, test and implement an application system or major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and postimplementation review but not the service delivery or benefits realization activities.
System documentationThe collection of documents that describe the requirements, capabilities, limitations, design, operation and maintenance of an information processing system
Source: ISO
See Specification, Test documentation and User's guide
System exitSpecial system software features and utilities that allow the user to perform complex system maintenance
Scope Notes: The use of system exits often permits the user to operate outside of the security access control system.
System flowchartGraphic representations of the sequence of operations in an information system or program
Scope Notes: Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary.
System hardeningA process to eliminate as much security risk as possible by removing all nonessential software programs, protocols, services and utilities from the system
System integrationThe progressive linking and testing of system components into a complete system Source: ISO
See Incremental integration
System life cycleThe course of developmental changes through which a system passes from its conception to the termination of its use, e.g., the phases and activities associated with the analysis, acquisition, design, development, test, integration, operation, maintenance and modification of a system
See Software life cycle
System narrativeAn overview explanation of system flowcharts, including key control points and system interfaces
System of internal controlThe policies, standards, plans and procedures and organizational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented or detected and corrected
Scope Notes: COBIT 5 perspective
System software1. Application-independent software that supports the running of application software
2. Software designed to facilitate the operation and maintenance of a computer system and its associated programs, e.g., operating systems, assemblers and utilities. This contrasts with application software.
See Support software
System testingTesting conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements
Scope Notes: System test procedures are typically performed by the system maintenance staff in their development library.
Systems acquisition processProcedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers
Systems analysisThe systems development phase in which systems specifications and conceptual designs are developed based on end-user needs and requirements
Systems engineeringAn interdisciplinary approach governing the technical and managerial effort required to transform a set of customer needs, expectations and constraints into solutions and to support solutions throughout their life cycle
Systems thinkingA means of helping people to see overall structures, patterns and cycles in systems rather than seeing only specific events or elements. It allows the identification of solutions that simultaneously address different problem areas and leverage improvement throughout the wider system.
T-distributionA variation on normal distribution that accounts for the fact that only a sampling of all the possible values is being used instead of all of them
Table look-upUsed to ensure that input data agree with predetermined criteria stored in a table
TableauA commercial data visualization package often used in data science projects
TailoringDeveloping or adapting a process description or work product according to organizational defined standard guidelines to achieve a result. For example, a project develops its tailored process from the organization’s set of standard processes to meet objectives and constraints within the project environment.
See Organization’s set of standard processes and Process description
Tailoring guidelinesOrganizational guidelines that enable individuals, projects, and organizational functions to appropriately adapt standard processes for their use. Tailoring guidelines may allow additional flexibility when dealing with less critical processes or those that only indirectly affect business objectives.
See Organization’s set of standard processes and Tailoring
Tangible assetAny asset that has physical form
Tape management system (TMS)A system software tool that logs, monitors and directs computer tape usage
TapsWiring devices that may be inserted into communication links for use with analysis probes, local area network (LAN) analyzers and intrusion detection security systems
TargetPerson or asset selected as the aim of an attack
Target wake time (TWT)A set time interval in which a device can receive communications from other devices
TBTerabyte
TcpdumpA network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display
Technical data packageA set of work products and information used to implement the design, e.g., coding standards, version control information, and engineering drawings
Technical infrastructure securityRefers to the security of the infrastructure that supports the enterprise resource planning (ERP) networking and telecommunications, operating systems, and databases
Technical performanceCharacteristic of a process or solution generally defined by a functional or technical requirement that is often recorded in a contract or statement of work
Technology infrastructureTechnology, human resources (HR) and facilities that enable the processing and use of applications
Technology infrastructure planA plan for the technology, human resources and facilities that enable the current and future processing and use of applications
Technology stackThe underlying elements used to build and run an application
TelecommunicationsElectronic communication by special devices over distances or around devices that preclude direct interpersonal exchange
TeleprocessingUsing telecommunications facilities for the handling and processing of computerized information
TelnetNetwork protocol used to enable remote access to a server computer
Scope Notes: Commands typed are run on the remote server. Telnet sends the whole session, including the login credentials, in cleartext, so it is unsuitable for use over untrusted networks; Secure Shell (SSH) is its encrypted replacement.
TensorFlowA large-scale, distributed, machine-learning platform
TerabyteApproximately one trillion bytes; precisely 2^40 or 1,099,511,627,776 bytes
See Kilobyte, Megabyte and Gigabyte.
TerminalA device, usually equipped with a CRT display and keyboard, used to send and receive information to and from a computer via a communication channel
Terminal Access Controller Access Control System Plus (TACACS+)An authentication, authorization and accounting (AAA) protocol, developed by Cisco, often used by remote-access servers and network devices to centralize control of administrative logins. It runs over TCP (port 49) and encrypts the entire packet body, whereas RADIUS encrypts only the password field.
Terms of referenceA document that confirms a client's and an IS auditor's acceptance of a review assignment
TestAn activity in which a system or component is executed under specified conditions, the results are observed or recorded and an evaluation is made of some aspect of the system or component
Test caseDocumentation specifying inputs, predicted results and a set of execution conditions for a test item
Test case generatorA software tool that accepts as input source code, test criteria and specifications or data structure definitions, then uses these inputs to generate test input data and, sometimes determines expected results
Synonymous with test data generator and test generator
Test dataSimulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications. Individual programs or an entire system can be tested.
Scope Notes: This technique includes Integrated Test Facilities (ITFs) and Base Case System Evaluations (BCSEs).
Test designDocumentation specifying the details of the test approach for a software feature or combination of software features and identifying the associated tests
See Testing functional; Cause effect graphing; Boundary value analysis; Equivalence class partitioning; Error guessing; Testing, structural; Branch analysis; Path analysis; Statement coverage; Condition coverage; Decision coverage and Multiple-condition coverage.
Test documentationDocumentation describing plans for, or results of, the testing of a system or component. Types include test case specification, test incident report, test log, test plan, test procedure and test report.
Test driverA software module used to invoke a module under test and, often, provide test inputs, control and monitor execution, and report test results
Synonymous with test harness
Test generatorsSoftware used to create data for use in the testing of computer programs
Test itemA software item that is the object of testing
Test logA chronological record of all relevant details about the execution of a test
Test phaseThe period of time in the software life cycle in which the components of a software product are evaluated and integrated, and the software product is evaluated to determine whether or not requirements have been satisfied
Test planDocumentation specifying the scope, approach, resources and schedule of intended testing activities. It identifies test items, the features to be tested, the testing tasks, responsibilities, required resources and any risk requiring contingency planning.
See Test design and Validation protocol.
Test procedureA formal document developed from a test plan that presents detailed instructions for the setup, operation and evaluation of the results for each defined test
See Test case.
Test programsPrograms that are tested and evaluated before approval into the production environment
Scope Notes: Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs.
Test readiness review1. A review conducted to evaluate preliminary test results for one or more configuration items; to verify that the test procedures for each configuration item are complete, comply with test plans and descriptions, and satisfy test requirements; and to verify that a project is prepared to proceed to formal testing of the configuration items
2. A review, as in definition 1, for any hardware or software component
Contrasts with code review, design review, formal qualification review and requirements review
Test reportA document describing the conduct and results of the testing carried out for a system or system component
Test scriptsA set of instructions to be performed on a system or program to test functionality and anticipated output
Test setThe subset of the data set used to test a model after the model has gone through initial vetting by the validation set
Test typesTest types include:
• Checklist test—Copies of the business continuity plan (BCP) are distributed to appropriate personnel for review
• Structured walk-through—Identified key personnel walk through the plan to ensure that the plan accurately reflects the enterprise's ability to recover successfully
• Simulation test—All operational and support personnel are expected to perform a simulated emergency as a practice session
• Parallel test—Critical systems are run at alternate site (hot, cold, warm or reciprocal)
• Complete interruption test—Disaster is replicated, normal production is shut down with real-time recovery process
Testability1. The degree to which a system or component facilitates the establishment of test criteria and the performance of tests to determine whether those criteria have been met
2. The degree to which a requirement is stated in terms that permit establishment of test criteria and performance of tests to determine whether those criteria have been met
See Measurable.
TestingThe examination of a sample from a population to estimate characteristics of the population
Testing, acceptanceTesting conducted to determine whether a system satisfies its acceptance criteria and to enable the customer to determine whether to accept the system. Contrasts with testing, development and testing, operational.
Testing, alphaAcceptance testing performed by the customer in a controlled environment at the developer's site. The software is used by the customer in a setting approximating the target environment, with the developer observing and recording errors and usage problems. Source: Pressman.
Testing, beta1. Acceptance testing performed by the customer in a live application of the software, at one or more end-user sites, in an environment not controlled by the developer. Source: Pressman
2. For medical device software, such use may require an Investigational device exemption [IDE] or Institutional Review Board [IRB] approval.
Testing, boundary valueA testing technique using input values just below and just above the defined limits of an input domain, and with input values causing outputs to be just below and just above the defined limits of an output domain
See Boundary value analysis and Testing, stress.
Testing, branchTesting technique to satisfy coverage criteria that require each possible branch (outcome) to be executed at least once for each decision point. Contrasts with testing, path and testing, statement.
See Branch coverage.
Testing, compatibilityThe process of determining the ability of two or more systems to exchange information. In a situation where the developed software replaces an already working program, an investigation should be conducted to assess possible compatibility problems between the new software and other programs or systems.
See Different software system analysis, testing, integration and testing, interface.
Testing, design based functionalThe application of test data derived through functional analysis that is extended to include design functions and requirement functions
Source: NBS
See Testing, functional.
Testing, developmentTesting conducted during the development of a system or component, usually in the development environment, by the developer. Contrasts with testing, acceptance and testing, operational.
Testing, functional1. Testing that ignores the internal mechanism or structure of a system or component and focuses on the outputs generated in response to selected inputs and execution conditions
2. Testing conducted to evaluate the compliance of a system or component with specified functional requirements and corresponding predicted results
Synonymous with black-box testing and input/output driven testing. Contrasts with testing, structural.
Testing, integrationAn orderly progression of testing in which software elements, hardware elements or both are combined and tested to evaluate their interactions, until the entire system has been integrated
Testing, interfaceTesting to evaluate whether systems or components pass data and control correctly to one another. Contrasts with testing, unit and testing, system.
See Testing, integration.
Testing, invalid caseA testing technique using erroneous (invalid, abnormal or unexpected) input values or conditions
See Equivalence class partitioning.
Testing, operationalTesting to evaluate a system or component in its operational environment. Contrasts with testing, development and testing, acceptance.
See Testing, system.
Testing, parallelTesting a new or an altered data processing system with the same source data used in another system. The other system is considered as the standard of comparison. Synonymous with parallel run
Testing, pathTesting to satisfy coverage criterion that each logical path through the program be tested. Often, paths through the program are grouped into a finite set of classes. One path from each class is then tested. Synonymous with path coverage. Contrasts with testing, branch; testing, statement; branch coverage; condition coverage; decision coverage; multiple condition coverage and statement coverage.
Testing, performanceFunctional testing to evaluate the compliance of a system or component with specified performance requirements
Testing, regressionRerunning test cases that a program has previously executed correctly to detect errors spawned by changes or corrections made during software development and maintenance
Testing, special caseA testing technique using input values that seem likely to cause program errors, e.g., 0, 1, NULL and empty string
See Error guessing.
Testing, statementTesting to satisfy the criterion that each statement in a program be executed at least once during program testing. Synonymous with statement coverage. Contrasts with testing, branch; testing, path; branch coverage; condition coverage; decision coverage; multiple condition coverage and path coverage.
Testing, storageA determination of whether certain processing conditions use more storage (i.e., memory) than estimated
Testing, stressTesting to evaluate a system or component at or beyond the limits of its specified requirements. Synonymous with testing, boundary value.
Testing, systemThe process of testing an integrated hardware and software system to verify that the system meets its specified requirements. Such testing may be conducted in the development environment and the target environment.
Testing, unit1. Testing of a module for typographic, syntactic and logical errors; for correct implementation of its design; and for satisfaction of its requirements
2. Testing to verify the implementation of the design for one software element, e.g., a unit or module, or a collection of software elements
Source: IEEE
Synonymous with component testing.
Testing, usabilityTests designed to evaluate the machine/user interface. Determines if the communication devices are designed in a manner so that the information displayed is understandable, enabling the operator to correctly interact with the system
Testing, valid caseA testing technique using valid (normal or expected) input values or conditions
See Equivalence class partitioning.
Testing, volumeTesting designed to challenge the ability of a system to manage the maximum amount of data over a period of time. This type of testing also evaluates the ability of a system to handle overload situations in an orderly fashion.
Testing, worst caseTesting that encompasses upper and lower limits and circumstances that pose the greatest chance of finding errors. Synonymous with most appropriate challenge conditions.
See Testing, boundary value; Testing, invalid case; Testing, special case; Testing, stress and Testing, volume.
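The test techniques defined above (valid case, boundary value, invalid case, special case) applied to one input validator, as an added example that is not part of the glossary. It parses a TCP port number from untrusted text; the hardened parser and the deliberately weak one beside it are illustrative, not code from any product. The special cases show why the weak version is a security problem in Python: int() silently accepts surrounding whitespace, digit-group underscores and non-ASCII digits such as Arabic-Indic or fullwidth forms.

```python
# Added example (not from the glossary): the test techniques defined above applied to one
# hardened input validator, a TCP port-number parser. Names and cases are constructed.
import re

# ASCII digits only. \d would also match Unicode digits, which int() accepts as well.
ASCII_DIGITS = re.compile(r"[0-9]{1,5}")


def parse_port(value):
    """Hardened: return an int in 1..65535 or raise ValueError for anything else."""
    if not isinstance(value, str):
        raise ValueError("port must be a string")
    if not ASCII_DIGITS.fullmatch(value):
        raise ValueError("port must be 1 to 5 ASCII digits")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def naive_parse_port(value):
    """Deliberately weak: relies on int() alone, which is more permissive than it looks."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


# Test design grouped by technique. Expected is the parsed int, or None for "must be rejected".
CASES = {
    "valid case": [("80", 80), ("443", 443)],
    "boundary value": [("0", None), ("1", 1), ("65535", 65535), ("65536", None)],
    "invalid case": [("abc", None), ("-1", None), ("1.5", None), ("", None)],
    "special case": [
        (None, None),                     # wrong type, not a string at all
        (" 80", None),                    # leading whitespace, int() strips it
        ("0x50", None),                   # hex prefix
        ("8_0", None),                    # int() accepts digit-group underscores
        ("\uff11\uff12", None),           # fullwidth digits, int() reads them as 12
        ("\u0661\u0662", None),           # Arabic-Indic digits, int() reads them as 12
    ],
}


def run_cases(parser, cases):
    """Run every case through parser; return a list of (technique, input, expected, got) mismatches.
    Any ValueError or TypeError counts as a rejection (got = None)."""
    mismatches = []
    for technique, pairs in cases.items():
        for value, expected in pairs:
            try:
                got = parser(value)
            except (ValueError, TypeError):
                got = None
            if got != expected:
                mismatches.append((technique, value, expected, got))
    return mismatches


if __name__ == "__main__":
    print("hardened mismatches:", run_cases(parse_port, CASES))
    print("naive mismatches:   ", run_cases(naive_parse_port, CASES))
```

The hardened parser passes every case; the naive one fails only in the special-case group, which is exactly the group boundary and equivalence-class analysis would not have produced on its own.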
Third partyA natural or legal person, public authority, agency or body, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
Third-party reviewAn independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurance to the users of the service organization that the internal control structure is adequate, effective and sound
Thread protocolAn IEEE 802.15.4-based protocol for IPv6 over low-power wireless personal area networks (6LoWPAN)
ThreatAnything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Scope Notes: A potential cause of an unwanted incident (ISO/IEC 13335)
Threat agentMethods and things used to exploit a vulnerability
Scope Notes: Examples include determination, capability, motive and resources.
Threat analysisAn evaluation of the type, scope and nature of events or actions that can result in adverse consequences, identification of the threats that exist against enterprise assets
Scope Notes: The threat analysis usually defines the level of threat and the likelihood of it materializing.
Threat eventAny event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Threat intelligenceThreat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have targeted, are currently targeting or will target it. This information is used to prepare for, identify and prevent security and cybersecurity threats that seek to take advantage of valuable resources.
Threat intelligence analysisThe application of individual and collective methods to analyze data and test hypotheses within various organizational or solution contexts. Threat intelligence data is extracted from multiple data sources, some of which will be deliberately deceptive. The threat intelligence analyst must analyze, isolate, separate, and sort the data to determine truth from deception. Although this discipline is found in its purest form inside national intelligence agencies, its methods are also applied and used for business or competitive intelligence.
Source: CMMC/NIST 800 171B and CSF
Threat intelligence systemsSystems that perform threat intelligence
Threat vectorThe path or route used by the adversary to gain access to the target
ThroughputThe quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate.
Thundering herdLoss of service resulting from a lapse in connectivity that causes devices to simultaneously attempt reconnection
Time series dataTime series data have measurements of observations accompanied by datetime stamps
TimelinesChronological graphs where events related to an incident can be mapped to look for relationships in complex cases
Scope Notes: Timelines can provide simplified visualization for presentation to management and other nontechnical audiences.
Timely informationInformation produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an enterprise
Scope Notes: Refer to COBIT 5 information quality goals
TokenIn security systems, a physical device that is used to authenticate a user, typically in addition to a username and password; in programming languages, a single element of the language
Token ring topologyA type of local area network (LAN) ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring
Scope Notes: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.
Tolerable errorThe maximum error in the population that professionals are willing to accept and still conclude that the test objective has been achieved. For substantive tests, tolerable error is related to professionals’ judgment about materiality. In compliance tests, it is the maximum rate of deviation from a prescribed control procedure that the professionals are willing to accept.
Tolerable riskRisk that is within a tolerable or acceptable range, based on management's appetite
ToolchainThe portfolio of tools and technologies used by DevOps practitioners to automate and enable the DevOps practices.
Top-level managementThe highest level of management in the enterprise, responsible for direction and control of the enterprise as a whole (such as director, general manager, partner, chief officer and executive manager)
TopologyThe physical layout of how computers are linked together
Scope Notes: Examples of topology include ring, star and bus.
Total cost of ownership (TCO)Includes the original cost of the computer plus the cost of software, hardware and software upgrades, maintenance, technical support, training and certain activities performed by users
Touch screenA touch-sensitive display screen that uses a clear panel over or on the screen surface. The panel is an input device, a matrix of cells that transmits pressure information to the software.
Traceability1. The degree to which a relationship can be established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another, e.g., the degree to which the requirements and design of a given software component match
See Consistency.
2. The degree to which each element in a software development product establishes its reason for existing, e.g., the degree to which each element in a bubble chart references the requirement that it satisfies
See Traceability analysis and Traceability matrix.
Traceability analysisThe tracing of:
1. Software requirements specifications to system requirements in concept documentation
2. Software design descriptions to software requirements specifications and software requirements specifications to software design descriptions
3. Source code to corresponding design specifications and design specifications to source code
Analyze identified relationships for correctness, consistency, completeness and accuracy
See: Traceability and Traceability matrix.
Traceability matrixA matrix that records the relationship between two or more products, e.g., a matrix that records the relationship between the requirements and the design of a given software component
See Traceability and Traceability analysis.
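A traceability matrix built from requirement, design and test records, together with the completeness checks that traceability analysis calls for, as an added example that is not part of the glossary. The identifiers, the link fields (implements, verifies) and the records themselves are constructed for illustration; real projects would load them from the requirements and test-management tools.

```python
# Added example (not from the glossary): a requirements-to-design-to-test traceability
# matrix with the completeness checks that traceability analysis calls for.
# The identifiers, link fields and records below are constructed for illustration.
from collections import defaultdict

# Constructed work products. Each design element and test names the requirements it traces to.
REQUIREMENTS = {
    "REQ-1": "Passwords are stored only as salted, iterated hashes",
    "REQ-2": "Sessions expire after 15 minutes of inactivity",
    "REQ-3": "Failed logins are written to the audit log",
}
DESIGN = {
    "DES-A": {"title": "Credential store", "implements": ["REQ-1"]},
    "DES-B": {"title": "Session manager", "implements": ["REQ-2"]},
    "DES-C": {"title": "Report exporter", "implements": []},            # traces to nothing
}
TESTS = {
    "TST-1": {"title": "Hash format check", "verifies": ["REQ-1"]},
    "TST-2": {"title": "Idle timeout", "verifies": ["REQ-2", "REQ-9"]},  # REQ-9 does not exist
}


def build_matrix(requirements, design, tests):
    """Requirement -> {design elements, tests} that reference it.
    References to requirements that do not exist are returned separately as dangling."""
    matrix = {r: {"design": set(), "tests": set()} for r in requirements}
    dangling = defaultdict(set)
    for d, rec in design.items():
        for r in rec["implements"]:
            if r in matrix:
                matrix[r]["design"].add(d)
            else:
                dangling[d].add(r)
    for t, rec in tests.items():
        for r in rec["verifies"]:
            if r in matrix:
                matrix[r]["tests"].add(t)
            else:
                dangling[t].add(r)
    return matrix, dict(dangling)


def traceability_findings(requirements, design, tests):
    """Gaps in both directions: requirements nothing implements or verifies, work products
    that trace to no requirement, and links that point at requirements that do not exist."""
    matrix, dangling = build_matrix(requirements, design, tests)
    return {
        "requirements_without_design": sorted(r for r, m in matrix.items() if not m["design"]),
        "requirements_without_tests": sorted(r for r, m in matrix.items() if not m["tests"]),
        "orphan_design": sorted(d for d, rec in design.items() if not rec["implements"]),
        "orphan_tests": sorted(t for t, rec in tests.items() if not rec["verifies"]),
        "dangling_references": {k: sorted(v) for k, v in sorted(dangling.items())},
    }


def render_matrix(requirements, design, tests):
    """Plain-text matrix: one row per requirement, X where a design element or test traces to it."""
    matrix, _ = build_matrix(requirements, design, tests)
    cols = list(design) + list(tests)
    lines = ["REQ    " + " ".join(f"{c:>6}" for c in cols)]
    for r, m in matrix.items():
        marks = ["X" if c in m["design"] | m["tests"] else "." for c in cols]
        lines.append(f"{r:<6} " + " ".join(f"{mk:>6}" for mk in marks))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(REQUIREMENTS, DESIGN, TESTS))
    for finding, items in traceability_findings(REQUIREMENTS, DESIGN, TESTS).items():
        print(f"{finding}: {items}")
```

On the constructed records the report flags REQ-3 as having neither a design element nor a test, DES-C as an orphan, and TST-2 as referencing a requirement that does not exist; an audit of the audit-logging control (REQ-3) would therefore find no evidence that it was ever implemented or verified.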
Trade studyAn evaluation of alternatives based on criteria and systematic analysis, to select the best alternative for attaining determined objectives
TrademarkA sound, color, logo, saying or other distinctive symbol closely associated with a certain product or company
TrainingThe process of determining the ideal parameters comprising a model
TransactionBusiness events or information grouped together because they have a single or similar purpose
Scope Notes: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.
Transaction (IT)1. A command, message or input record that explicitly or implicitly calls for a processing action, such as updating a file
2. An exchange between an end user and an interactive system
3. In a database management system, a unit of processing activity that accomplishes a specific purpose, such as a retrieval, an update, a modification or a deletion of one or more data elements of a storage structure
Transaction analysisA structured software design technique, deriving the structure of a system from analyzing the transactions that the system is required to process
Transaction logA manual or automated log of all updates to data files and databases
Transaction protectionAlso known as "automated remote journaling of redo logs," a data recovery strategy similar to electronic vaulting except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created
TranslationConverting from one language form to another
Source: NIST
See Assembling, Compilation and Interpret.
Transmission Control Protocol (TCP)A connection-oriented Internet protocol that supports reliable, ordered data transfer over an established connection
Scope Notes: Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.
Transmission Control Protocol/Internet Protocol (TCP/IP)Provides the basis for the Internet, a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (email), terminal emulation, remote file access and network management
TransparencyRefers to an enterprise’s openness about its activities and is based on the following concepts:
• How the mechanism functions is clear to those who are affected by or want to challenge governance decisions
• A common vocabulary has been established
• Relevant information is readily available
Scope Notes: Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance.
Transport Layer Security (TLS)A cryptographic protocol, the successor to SSL, that provides confidentiality and integrity for data in transit and authentication of the server (and optionally the client) by means of X.509 certificates. TLS 1.3 (RFC 8446) is the current version; TLS 1.0 and 1.1 are deprecated.
Trap doorA hidden, undocumented entry point into an authorized computer program that bypasses its normal access controls, typically inserted for debugging or maintenance and usable by anyone who discovers it to run unauthorized or malicious instructions. Also known as a backdoor.
Triple DES (3DES)A block cipher created from the Data Encryption Standard (DES) cipher by applying it three times. Its 64-bit block size leaves it exposed to birthday-bound attacks once roughly 2^32 blocks (about 32 GiB) have been encrypted under one key, as the Sweet32 attack demonstrated in practice in 2016; NIST has deprecated 3DES and disallows its use for encryption after 2023.
Trojan horsePurposefully hidden malicious or damaging code within an authorized computer program
Trusted processA process certified as supporting a security goal
Trusted systemA system that employs sufficient hardware and software assurance measures to allow its use for processing a range of sensitive or classified information
TunnelThe paths that the encapsulated packets follow in an Internet virtual private network (VPN)
Tunnel modeAn IPsec mode used to protect traffic between different networks when it must travel through intermediate or untrusted networks, for example between two security gateways. Tunnel mode encapsulates the entire original IP packet, header included, behind an AH or ESP header and a new outer IP header. Contrasts with transport mode, which protects only the payload of the original packet.
TunnelingA method by which one network protocol encapsulates another protocol within itself, commonly used to bridge between incompatible hosts or routers or to carry traffic over an encrypted channel
Scope Notes: When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are prepended to the original protocol B packet, so that protocol A effectively acts as the link layer carrying protocol B. Examples of tunneling protocols include IPsec, Point-to-Point Protocol over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP).
TupleA row or record consisting of a set of attribute value pairs (column or field) in a relational data structure
Turing-completeA computational term meant to describe a system that can successfully be used as a Turing Machine, i.e., a system whose programming language can simulate what another programming language can accomplish
Twisted pairA low-capacity transmission medium, a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable
Two-factor authenticationThe use of two independent mechanisms for authentication (e.g., requiring both a smart card and a password), drawn from two different factor categories: something you know, something you have or something you are. Two mechanisms from the same category (e.g., a password and a security question) do not constitute two-factor authentication.
UIMAA framework used to analyze unstructured information, especially natural language. OASIS Unstructured Information Management Architecture (UIMA) is a specification that standardizes this framework, and Apache UIMA is an open-source implementation of it.
Unambiguous1. A term that means not having two or more possible meanings
2. A term that means not susceptible to different interpretations
3. A term that means not obscure or vague
4. A term that means clear, definite and certain
UncertaintyThe difficulty of predicting an outcome due to limited knowledge of all components
UnicodeA standard for representing characters as integers (code points)
Scope Notes: Unicode code points range from 0 to 0x10FFFF, a space of 1,114,112 values, which is needed for scripts such as Chinese and Japanese. The common encodings differ in how they serialize a code point: UTF-8 uses one to four bytes, UTF-16 uses one 16-bit unit for code points below 0x10000 and a pair of surrogate units above it, and UTF-32 uses a fixed four bytes. A program that assumes one character is one 16-bit unit (or one byte) will miscount lengths and mis-validate input.
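UTF-16 surrogate-pair encoding and decoding written out by hand, as an added example that is not part of the glossary, to show why a 16-bit view of Unicode is insufficient and why a decoder must reject lone surrogates instead of passing them through. The function names are illustrative; the sample string is constructed.

```python
# Added example (not from the glossary): hand-written UTF-16 surrogate handling and a
# three-way length report. Function names are illustrative.

MAX_CODE_POINT = 0x10FFFF


def to_utf16_units(cp: int) -> list:
    """Encode one Unicode scalar value as 16-bit code units:
    one unit below U+10000, a high/low surrogate pair above it."""
    if not 0 <= cp <= MAX_CODE_POINT or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"not a Unicode scalar value: {cp:#x}")
    if cp < 0x10000:
        return [cp]
    v = cp - 0x10000                               # 20 bits, split 10/10
    return [0xD800 | (v >> 10), 0xDC00 | (v & 0x3FF)]


def from_utf16_units(units) -> list:
    """Decode 16-bit units back to code points. A lone or mis-ordered surrogate is an
    error; silently mapping it to U+FFFD would hide malformed input from later checks."""
    out, i = [], 0
    while i < len(units):
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:                  # high surrogate needs a following low one
            if i + 1 >= len(units) or not 0xDC00 <= units[i + 1] <= 0xDFFF:
                raise ValueError(f"lone high surrogate at index {i}")
            out.append(0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00))
            i += 2
        elif 0xDC00 <= u <= 0xDFFF:
            raise ValueError(f"lone low surrogate at index {i}")
        else:
            out.append(u)
            i += 1
    return out


def is_well_formed_utf16(units) -> bool:
    try:
        from_utf16_units(units)
        return True
    except ValueError:
        return False


def length_report(s: str) -> dict:
    """The same string measured three ways; a length limit must say which one it means."""
    units = [u for ch in s for u in to_utf16_units(ord(ch))]
    return {"code_points": len(s), "utf16_units": len(units), "utf8_bytes": len(s.encode("utf-8"))}


if __name__ == "__main__":
    sample = "A\u00e9\u20ac\U0001F600"             # constructed: Latin, accented, symbol, emoji
    print(length_report(sample))
    print([f"{u:04X}" for u in to_utf16_units(0x1F600)])
```

The four-character sample occupies four code points, five UTF-16 units and ten UTF-8 bytes; a field limit enforced in one unit and stored in another is a classic source of truncation and of injection through the truncated remainder.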
Uniform resource locator (URL)The string of characters that form a web address
Uninterruptible power supply (UPS)A type of power supply that provides short-term backup power from batteries to a computer system when the electrical power fails or drops to an unacceptable voltage level
Unit1. A separately testable element specified in the design of a computer software element
2. A logically separable part of a computer program. It is synonymous with "component" and "module."
Synonymous with component and module
Unit testing1. A testing technique used to test program logic within a particular program or module (ISACA)
Scope Notes: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.
2. Testing of individual hardware or software units
Universal description, discovery and integration (UDDI)A web-based version of the traditional telephone book's yellow and white pages that enables businesses to be publicly listed and promotes greater e-commerce activities
Universal Serial Bus (USB)An external bus standard for connecting peripherals; the original full-speed rate was 12 Mbps, and later revisions raised it to 480 Mbps (USB 2.0) and 5 Gbps or more (USB 3.x)
Scope Notes: A single USB host controller can address up to 127 peripheral devices.
UNIXA multitasking, multiple-user (time-sharing) operating system developed at Bell Labs to create a favorable environment for programming research and development
UnlinkabilityA condition of privacy-relevant data that cannot be linked (i.e., related) across domains
Unsupervised learningA class of machine-learning algorithms designed to identify groupings of data without knowing what the groups will be in advance
Untrustworthy hostA host that cannot be protected by the firewall. As a result, hosts on trusted networks can place only limited trust in it.
Scope Notes: To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host.
UpfadeA byproduct of multipath whereby the RF signal takes multiple paths and results in stronger signal strength
UploadingThe process of electronically sending computerized information from one computer to another computer
Scope Notes: When uploading, most often the transfer is from a smaller computer to a larger one.
UsabilityThe ease with which a user can learn to operate, prepare inputs for and interpret outputs of a system or component
UserAny person, organization or functional unit that uses the services of an information processing system
See End user
User acceptance testing (UAT)A type of functional testing that validates the results of the development phase where software is tested by the intended audience or business representative (from Stanford University)
User awarenessA training process in security-specific issues to reduce security problems. Users are often the weakest link in the security chain.
User Datagram Protocol (UDP)A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability
User entity and behavioral analytics (UEBA)The process of monitoring an account for abnormal activity and atypical usage to identify patterns (heuristics) that highlight user activity trends. UEBA can act as a proactive access control mechanism by identifying threat indicators, alerting on malicious behavior earlier and improving threat intelligence.
User interface impersonationA pop-up ad that impersonates a system dialog, an ad that impersonates a system warning or an ad that impersonates an application user interface in a mobile device
User modeA mode used for the execution of normal system activities
User provisioningA process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applications
User's guideDocumentation that describes how to use a functional unit and may include a description of the rights and responsibilities of the user, the owner and the supplier of the unit. It is synonymous with "user manual" and "operator manual."
Utility programA computer program that generally supports the processes of a computer, e.g., a diagnostic program, a trace program and a sort program
Utility scriptA sequence of commands input into a single file to automate a repetitive and specific task
Scope Notes: The utility script is executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.
Utility softwareComputer programs or routines designed to perform some general support function required by other application software, the operating system or the system users. They perform general functions, such as formatting electronic media, making copies of files or deleting files.
Utility tokenDigital assets or tokens created and utilized to finance the creation of a network by providing its buyers with the ability to use some of the network ecosystem or products. They do not give any legal or economic right of ownership over the developer or any part of the ecosystem.
V&VThe acronym for verification and validation
VaccineA program designed to detect computer viruses
Val ITThe standard framework for enterprises to select and manage IT-related business investments and IT assets by means of investment programs such that they deliver optimal value to the enterprise. It is based on COBIT.
Valid inputTest data that lies within the domain of the function that the program represents
ValidateA term that means to prove to be valid
Validation: The process of establishing documented evidence that provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes
Validation, process: The process of establishing documented evidence that provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality characteristics
Source: FDA
Validation, software: The process of determining the correctness of the final program or software produced from a development project with respect to the user's needs and requirements. Validation is usually accomplished by verifying each stage of the software development life cycle.
See Verification, software
Validation, verification and testing: Techniques used as an entity to define a procedure of review, analysis and testing throughout the software life cycle to discover errors, determine functionality and ensure the production of quality software
Source: NIST
Validity check: Programmed checking of data validity in accordance with predetermined criteria
Value: The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money
Value creation: The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are all balanced
Scope Notes: COBIT 5 and COBIT 2019 perspective
Value-added network (VAN): A data communication network that adds processing services, such as error correction, data translation and/or storage, to the basic function of transporting data
Variable: A name, label, quantity or data item whose value may be changed many times during processing. This contrasts with constant.
Variable sampling: A sampling technique used to estimate the average or total value of a population based on a sample. It is a statistical model used to project a quantitative characteristic, such as a monetary amount.
Variable trace: A record of the name and values of variables accessed or changed during the execution of a computer program. It is synonymous with data-flow trace, data trace and value trace.
Source: IEEE
See Execution trace, Retrospective trace, Subroutine trace and Symbolic trace
Variance: How much a list of numbers varies from the mean (average) value. It is frequently used in statistics to measure how large the differences are in a set of numbers. It is calculated by averaging the squared difference of every number from the mean.
Vaults: A secure environment to store critical data that is isolated from production and backup storage environments to limit exposure to cyberthreats
Vector: An ordered set of real numbers, each denoting a distance on a coordinate axis. These numbers may represent a series of details about a single person, movie, product or the entity being modeled.
Vector space: A collection of vectors, e.g., a matrix
Vendor: A person or an organization that provides software, hardware, firmware and/or documentation to the user for a fee or in exchange for services, e.g., a medical device manufacturer
Verifiable: A term that means can be proved or confirmed by examination or investigation
See Measurable
Verification: Checks that data is entered correctly
Verification, software: In general, the demonstration of consistency, completeness and correctness of the software at each stage and between each stage of the development life cycle
Source: NBS
See Validation, software
Verification-based appraisal: An appraisal in which the appraisal team focuses on verifying the set of objective evidence provided by the appraised organization in advance in order to reduce the amount of discovery during the appraisal onsite period
See Discovery-based appraisal
Verify: 1. A term that means to determine whether a transcription of data or other operation has been accomplished accurately
Source: ANSI
2. A term that means to check the results of data entry, e.g., keypunching
3. A term that means to prove to be true by demonstration
Version: An initial release or a complete rerelease of a software item or software element
See Release
Version control: A practice that identifies the correct versions of work products and ensures they are available for use or for restoring to a previous version. It also includes the establishment and maintenance of baselines and the identification of changes to baselines to obtain previous baselines.
Version number: A unique identifier used to identify software items and related software documentation that are subject to configuration control
Vertical defense in depth: A strategy where controls are placed at different system layers, including hardware, operating system, application, database or user levels
View: A selection of model components relevant to the organization or user. Two primary types of views currently exist:
• Predefined view: A logical grouping of predefined CMMI model components used to define the appraisal model view scope. Examples include CMMI-DEV Maturity Level 2 and CMMI-SVC Maturity Level 5.
• Customized view: Any combination of capability areas, practice areas, practice groups or practices that are defined by the end user. Customized views are defined to be relevant to business objectives.
See Benchmark model view
Virtual appraisal: Any appraisal (benchmark, evaluation, sustainment or APR) where any appraisal activity is performed virtually or remotely by the Appraisal Team Leader or appraisal team
Virtual currency: Digital representations of value, not created or issued by a central bank or sovereign state, which can be used as a method of exchange
Virtual face-to-face (F2F): A meeting over a remote or virtual platform such as Teams, Zoom, FaceTime, etc., where the participants can actively, clearly and continually see and hear each other on camera with audio
Virtual local area network (VLAN): Logical segmentation of a LAN into different broadcast domains
Scope Notes: A VLAN is set up by configuring ports on a switch so devices attached to these ports may communicate as if they were attached to the same physical network segment even though the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.
Virtual machine (VM): An emulation of a computing environment or operating system separate from the host computing system
Virtual machine (VM) jumping: Exploitation of a hypervisor that allows an attacker to gain access to one virtual machine from another
Virtual organizations: An organization that has no official physical site presence and is made up of diverse, geographically dispersed or remote employees
Virtual private network (VPN): A secure private network that uses the public telecommunications infrastructure to transmit data
Scope Notes: In contrast to a much more expensive system of owned or leased lines that can only be used by one enterprise, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that passes between two Internet points, maintaining privacy and security.
Virtual private network (VPN) concentrator: A system used to establish VPN tunnels and handle large numbers of simultaneous connections. This system provides authentication, authorization and accounting services.
Virtual reality: Computer-generated simulations that present the user with an altered reality. VR users typically wear a headset and hold a hand controller while experiencing an immersive recreation of a real or imaginary environment that masks their actual environment.
Virtual solution delivery: A solution that includes the use of virtual, remote or hybrid methods to deliver a given service, process, activity, task or solution to customers and affected stakeholders. For context, the terms virtual delivery and remote delivery are used interchangeably.
Virtualization: The process of adding a guest application and data onto a virtual server, recognizing that the guest application will ultimately be removed from the physical server
Virus: A piece of code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage.
See Bomb, Trojan horse and Worm
Virus signature: The file of virus patterns that are compared to existing files to determine whether they are infected with a virus or worm
Virus signature file: The file of virus patterns that are compared to existing files to determine whether they are infected with a virus or worm
VMS: The acronym for virtual memory system
Voice mail: A system of storing messages in a private recording medium to allow the called party to retrieve the messages later
Voice-over Internet Protocol (VoIP): Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines
Volatile data: Data that changes frequently and can be lost when the system power is shut down
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerability analysis: A process of identifying and classifying vulnerabilities
Vulnerability event: Any event during which a material increase in vulnerability occurs. Note that this increase in vulnerability can result from changes in control conditions or threat capability/force.
Scope Notes: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008
Vulnerability scanning: An automated process to proactively identify security weaknesses in a network or individual system
Walk-through: A thorough demonstration or explanation that details each step of a process
Wallet: An application or other service that gives holders of cryptocurrency the ability to store and retrieve their digital assets. Such wallets come in many forms, including hot wallets (any wallet application or service connected to the Internet) and cold wallets (or cold storage, often hardware devices that can be disconnected from the Internet or other electronic services).
War dialer: Software packages that sequentially dial telephone numbers, recording any numbers that answer
Warm site: A site that is similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery
Waterfall development: Also known as traditional development, a procedure-focused development cycle with formal sign-off at the completion of each level
Waterfall model: A model of the software development process in which the constituent activities, typically a concept phase, requirements phase, design phase, implementation phase, test phase, installation and checkout phase, and operation and maintenance, are performed in that order, possibly with overlap but with little or no iteration. It contrasts with incremental development, rapid prototyping and spiral model.
Weakness: A type of preliminary or final finding, which involves an ineffective, or nonexistent, implementation of one or more processes that meet the intent and value of a practice based on verified objective evidence. It is applicable across the project(s) and organizational support functions or organizational unit as a whole. This is realized if a) the process itself does not address a CMMI practice requirement or b) the project(s) or organizational support functions are not following their process that is compliant with the intent and value of the applicable CMMI practice.
Web application firewalls: A buffer used between a web application and the Internet to mitigate cyberattacks
Web hosting: The business of providing the equipment and services required to host and maintain files for one or more web sites and providing fast Internet connections to those sites
Scope Notes: Most hosting is "shared," which means that web sites for multiple companies are on the same server to share/reduce costs.
Web page: A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page
Scope Notes: An enterprise's web page may display the enterprise's logo, provide information about the enterprise's products and services or allow a customer to interact with the enterprise or third parties contracted with the enterprise.
Web server: End-point hardware or software that serves web pages to users
Web Services Description Language (WSDL): A language formatted with extensible markup language (XML). It is used to describe the capabilities of a web service as collections of communication endpoints capable of exchanging messages. WSDL is the language used by Universal Description, Discovery and Integration (UDDI).
See also Universal Description, Discovery and Integration (UDDI)
Web site: One or more web pages that may originate at one or more web server computers
Scope Notes: A person can view the pages of a web site in any order, as he/she would read a magazine.
Webapp security tools: Open-source tools used to identify threats to applications and data
Weight: A coefficient for a feature in a linear model or an edge in a deep network
Weka: An open-source set of command line and graphical user interface data analysis tools developed at the University of Waikato in New Zealand
Well-known ports: Ports controlled and assigned by the Internet Assigned Numbers Authority (IANA). On most systems, they can be used only by system (or root) processes or programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to 0-1023.
White box testing: A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected behavior
Wi-Fi HaLow: An IEEE 802.11 modification that uses license-exempt 900 MHz bands to extend the WiFi connectivity range up to 1 kilometer
Wi-Fi Protected Access (WPA): A class of security protocols used to secure wireless (Wi-Fi) computer networks
Wi-Fi Protected Access II (WPA2): A wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses the Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.
Wide area network (WAN): A computer network connecting multiple offices or buildings over a larger area
Wide area network (WAN) switch: A data link layer device used for implementing various WAN technologies, such as asynchronous transfer mode, point-to-point frame relay solutions and integrated services digital network (ISDN)
Scope Notes: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to enterprises via T-1 or T-3 connections.
Width: The number of neurons in a particular layer of a neural network
Windows NT: A version of the Windows operating system that supports preemptive multitasking
Wired Equivalent Privacy (WEP): A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks)
Scope Notes: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect network users from each other), hence the name. Cryptanalysts identified several serious weaknesses, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003 and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.
Wireless computing: The ability of computing devices to communicate in a form to establish a local area network (LAN) without cabling infrastructure (wireless). This involves those technologies converging around IEEE 802.11 and 802.11b and radio band services used by mobile devices.
Wireless local area network (WLAN): A wireless communication network that serves several users within a specified limited geographic area
Wiretapping: The practice of eavesdropping on information being transmitted over telecommunications links
Work Breakdown Structure (WBS): A list of tasks and activities, related work elements and their relationship to each other and the end product or service
Work product: An output from a process, activity or task that may be stand-alone or part of a solution
Work product and task attributes: Characteristics of solutions and tasks used to estimate work. These characteristics often include size, complexity, weight, form, fit and function. Characteristics are typically used as one input to deriving other resource estimates, e.g., effort, cost, schedule.
See Work product
Workaround: A sequence of actions the user should take to avoid a problem or system limitation until the computer program is changed. They may include manual procedures used in conjunction with the computer system.
Workgroup: A collection of people who work together closely on highly interdependent tasks to achieve shared objectives. A workgroup typically reports to a responsible individual who may be involved in managing its daily activities. The operational parameters of workgroups can vary based on objectives and should, therefore, be clearly defined. Workgroups can operate as a project if designated accordingly.
World Wide Web (WWW): A sub network of the Internet through which information is exchanged by text, graphics, audio and video
World Wide Web Consortium (W3C): Founded in 1994, an international consortium of affiliates from public and private organizations involved with the Internet and web
Scope Notes: The W3C's primary mission is to promulgate open standards to further enhance the economic growth of Internet web services globally.
Worm: A programmed network attack in which a self-replicating program does not attach itself to programs but rather spreads independently of users' action
WPA2: A wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses the Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.
WPA3: A wireless security protocol released in mid-2018 that improves on WPA2 by eliminating the preshared key (PSK), which is susceptible to dictionary attacks
Write blocker: A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive
Write protect: The use of hardware or software to prevent data from being overwritten or deleted
X.25: A protocol for packet-switching networks
X.25 Interface: An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in packet mode on some public data networks
X.500: A standard that defines how global directories should be structured
Scope Notes: X.500 directories are hierarchical with different levels for each category of information, such as country, state and city.
Z-Wave: A protocol that operates in the Part 15 unlicensed industrial, scientific and medical (ISM) band (approximately 900 MHz, depending on the location), giving it excellent barrier penetration and low power utilization. Z-Wave is similar to LoRa. It was originally developed by Zensys in 1999 for system on a chip (SoC) applications.
Zero trust: A security model anchored in the assumption of breach, which means that anything outside or inside the network cannot be trusted and anyone who tries to access the network needs to be verified in advance
Zero-day exploit: A vulnerability that is exploited before the software creator/vendor is aware of its existence. It may also refer to known flaws that do not have an available patch.
Zero-knowledge proof: A critical aspect of cryptography, a method by which one party (Party A) is able to prove to another party (Party B) that Party A is aware of the value of a specific variable without conveying any additional information about that variable other than that they know its value
Zero-trust architecture (ZTA): A security model based on microsegmentation and the continuous validation of digital interactions to address the threat of lateral movement within a network.
See also Zero trust.
Zigbee: An IEEE 802.15.4 personal area network (PAN) protocol developed in 1998 that aims to provide moderate throughput and reliable connectivity via a mesh topology (similar to Z-Wave)
Controls: Controls for National Data Management, Governance, and Personal Data Protection
Data Management: The process of developing, implementing and overseeing plans, policies, programs and practices to enable entities to govern data and enhance its value as one of their valuable and precious assets.
Automated Data Catalog Tool: A tool for managing and governing metadata by automating it and placing it in a comprehensive national data catalog and index, enabling the discovery, description and organization of datasets and the identification of data-producing entities (the correct source of the information) in order to extract the targeted added value.
Business Partners: Entities involved in the production, management or oversight of government data.
Fee Calculation Model: A mechanism that assists in generating revenue from data, describing the method by which fees are calculated according to the nature and quality of the data, the data product, its expected uses, the volume of demand, etc.
Data: A collection of facts in their raw or unorganized form, such as numbers, letters, still images, video recordings, audio recordings or emojis.
Data Classification Levels: The classification levels approved by the Board of Directors, namely "Highly Confidential," "Confidential," "Restricted" and "Public."
Control Authority: Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that determines the purpose of processing personal data and how it is done, whether the data is processed by it or through a processing authority.
Processing Authority: Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that processes personal data for the benefit of or on behalf of the control authority.
Data Products (Processed Data): The outputs resulting from the transformation of data to create added value by collecting more data or enriching, preparing, analyzing, representing or correcting it, etc.
Applicant: Any entity from the public or private sector, or any individual, that submits a request for data sharing.
Data Sharing Agreement: A formal agreement signed between two parties (a government entity and any other party) to approve data sharing in accordance with specific terms and conditions that comply with the principles of the Data Sharing Policy.
Data Subject: The natural person to whom the personal data relates, or their representative, or whoever holds legal guardianship over them.
Public Entity Data: Data, whether before or after processing, that public entities receive, produce or handle, regardless of its source, form or nature.
Master Data: A set of master data serving as primary sources (data on individuals, legal entities, real estate, etc.) in its raw or unorganized form, such as numbers, letters, images, video, audio recordings or emojis.
Personal Data: Any data, regardless of its source or form, that would lead to the specific identification of an individual, or that makes the individual identifiable directly or indirectly when combined with other data. This includes, but is not limited to, names, personal identification numbers, addresses, contact numbers, bank account and credit card numbers, images of the individual and other data of a personal nature.
Public Entity: Any government entity or independent public legal entity in the Kingdom, or any of its affiliated entities. Any company that manages, operates or maintains public facilities or national infrastructure, or that provides a public service relating to the management of such facilities or infrastructure, is also treated as a public entity.
General Information: Data that, after processing, is classified as "Public" and that public entities receive, produce or handle, regardless of its source, form or nature.
Reference Data: Agreed-upon standards for representing the most common data elements, including but not limited to postal codes, currencies and temperature measurement systems (Celsius or Fahrenheit).
Trusted Source: A reference source of data whose reliability has been established through prior verification of its accuracy.
Unprocessed Data: Data that has not undergone processing or been exchanged in any initial form whatsoever.
Board of Directors: The affiliation of the National Data Management Office with the Chairman of the Board of Directors of the Saudi Data and Artificial Intelligence Authority.
Office: National Data Management Office
Data Governance Committee: An internal committee formed within the entity with the aim of engaging decision-makers on the importance of data management and personal data protection and of raising awareness within the entity.
Data Governance: A set of practices and procedures that help ensure the management of data assets within entities, from developing the data plan and establishing controls and policies through to implementation and compliance. This is achieved through a governance framework that clarifies roles and responsibilities among stakeholders.
Metadata and Data Catalog: Any detailed information that describes data and its usage characteristics, consisting of three types: 1. business metadata, 2. technical metadata and 3. operational metadata. The data catalog is one of the outputs associated with metadata; it is a reference framework that describes data, its components and their interrelationships so that they can be managed and referred to as a detailed data map. It also identifies the source of truth for data within the public entity.
Data Quality: A set of periodic processes for processing data and ensuring its validity, accuracy and maturity to meet business requirements.
Data Storage: The mechanism for keeping data on devices and media that are subject to the measures necessary to make the data readily available.
إدارة المحتوى والوثائقتعني إدارة المحتوى والوثائق بالحفاظ على البيانات والمعلومات وتنميتها من خلال رقمنتها وإدارة تبادلها والوصول إليها وحفظها سواء منظمة أو غير منظمة.Content and Document ManagementContent and document management refers to the preservation and enhancement of data and information through digitization, managing their exchange, accessibility, and storage, whether organized or unorganized.
النمذجة وهيكلة البياناتنمذجة البيانات هي إنشاء تمثيل للبيانات في مجال اختصاص جهة معينة، والغرض من نماذج البيانات هو تبسيطها من خلال وصف هذه البيانات وتحديد مكوناتها، وكذلك تحديد العلاقة بين تلك المكونات.Data Modeling and StructuringData modeling involves creating a representation of data within a specific domain of an entity, and the purpose of data models is to simplify this data by describing it and identifying its components, as well as defining the relationships between those components.
هيكلة البياناتهي الإجراءات والأنظمة والهياكل التنظيمية المطلوبة باستخدام نماذج المقاييس العالمية كمرجع يشار إليه في الإجراءات من حفظ البيانات والوصول إليها ونقلها وتنظيمها ... وغيره، وعادة ما يتم تحديد هيكلة البيانات على مستويات مختلفة وتهدف إلى تقديم تمثيل لكيفية تنقل البيانات داخل الجهة.Data StructuringIt refers to the procedures, systems, and organizational structures required using global standard models as a reference for data preservation, accessibility, transfer, organization, and more. Data structuring is typically defined at different levels and aims to provide a representation of how data flows within the entity.
إدارة البيانات المرجعية والرئيسيةهي مجموعة من الضوابط لضمان تحديد مصادر البيانات ومنشأها الرئيسي الصحيح والمشترك للجميع في المملكة لتوفير بيانات دقيقة وغنية وصحيحة ومتسقة، تمكن من تقديم معلومات صحيحة ودقيقة لمتخذي القرار باستخدام مجموعة من التقنيات.Management of Reference and Master DataIt is a set of controls to ensure the accurate identification of data sources and their primary origin, which is common for all in the Kingdom, to provide accurate, rich, correct, and consistent data that enables delivering accurate and precise information to decision-makers using a variety of technologies.
ذكاء الأعمال والتحليلاتيشير ذكاء الأعمال والتحليلات إلى جمع وتحليل البيانات الداخلية والخارجية لاستخلاص المعرفة والقيمة للجهات. كما يتيح للجهات تحويل البيانات إلى نتائج وقياسات معلوماتية قيمة ومفيدة.Business Intelligence and AnalyticsBusiness intelligence and analytics refer to the collection and analysis of internal and external data to extract knowledge and value for entities. It enables entities to transform data into valuable and useful informational insights and metrics.
تكامل البيانات ومشاركتهاتشير الى كيفية تنقل البيانات من خلال النظم الموزعة في الجهات المختلفة بغرض تكامل البيانات.. وتحديد آلية مشاركة البيانات بين الجهات وطريقة نقلها وتسليمها .. Data Integration and SharingIt refers to how data flows through distributed systems across different entities for the purpose of data integration, specifying the mechanism for data sharing between entities and the method of transferring and delivering it.
تحقيق القيمة من البياناتتمكن الجهات الحكومية الاستفادة من البيانات لكسب فوائد مالية واقتصادية واجتماعية وقيادية قابلة للقياس، وذلك من خلال إنشاء منتجات أو خدمات بيانات حكومية ذات مردود يساند في عملية اتخاذ القرار وتحقيق الطموحات، ومردود اقتصادي من خلال تحسين العمليات أو خفض التكاليف أو تنويع مصادر الدخل مما يسهم في النهضة التنموية.Deriving Value from DataIt enables government entities to leverage data to gain measurable financial, economic, social, and leadership benefits by creating government data products or services that support decision-making and achieve aspirations, as well as providing economic returns through process improvement, cost reduction, or diversifying income sources, contributing to developmental progress.
البيانات المفتوحةمجموعة محددة من المعلومات العامة - مقروءة آليا - تكون متاحة للعموم مجاناً ودون قيود من خلال منصة وطنية للبيانات المفتوحة، ويمكن لأي فرد أو جهة عامة أو خاصة استخدامها أو مشاركتها.Open DataA specific set of public information that is machine-readable, available to the public for free and without restrictions through a national open data platform, which can be used or shared by any individual or public or private entity.
حرية المعلوماتمجموعة من الأحكام والإجراءات التي تنظم ممارسة حق الاطلاع على المعلومات العامة المتعلقة بأعمال الجهات أو الحصول عليها، وتعزيز مبدأ الشفافية وحرية تداول هذه المعلومات.Freedom of InformationA set of provisions and procedures that regulate the exercise of the right to access public information related to the activities of entities or to obtain it, promoting the principle of transparency and the free circulation of this information.
تصنيف البياناتإطار موحد يهدف إلى تقسيم البيانات إلى مستويات محددة - تحدد آلية التعامل معها - بناء على قياس شدة الأثر المترتب على الإفصاح غير المصرح به نظاماً عن البيانات أو عن محتواهاClassificationA unified framework aimed at categorizing data into specific levels, which defines the handling mechanism based on assessing the severity of impact resulting from unauthorized disclosure of the data or its content.
حماية البيانات الشخصيةمجموعة من الأحكام والإجراءات التي تنظم معالجة البيانات الشخصية بما يكفل المحافظة على خصوصية أصحاب هذه البيانات وحماية حقوقهم.Personal Data Protection A set of provisions and procedures that regulate the processing of personal data to ensure the preservation of the privacy of data subjects and the protection of their rights.
أمن البيانات وحمايتهامجموعة الأنظمة والإجراءات والتقنيات والحلول التقنية اللازمة لحماية البيانات من الوصول أو التعديل أو الحذف غير المصرح به ويتم التعاون في هذا المجال مع جهة الاختصاص وهي الهيئة الوطنية للأمن السيبرانيData Security and ProtectionA set of systems, procedures, technologies, and technical solutions necessary to protect data from unauthorized access, modification, or deletion, with collaboration in this area with the relevant authority, which is the National Cybersecurity Authority.
داما (DAMA)هي منظمة عالمية غير ربحية متخصصة بتقديم مفاهيم وممارسات إدارة البيانات. تأسست في عام ١٩٨٠، وتضم حاليا ۷۰ منظمة محلية في ٣٣ دولة حول العالم. كل منها يهدف إلى تعزيز فهم وممارسة إدارة البيانات كأحد الأصول الرئيسية الداعمة للجهات العامة والخاصة. وقد أعدت DAMA الدليل الدولي المعياري والقياسي والاسترشادي لإدارة البيانات وحوكمتها DAMA DMBOK)، بالإضافة إلى تقديمها لعدد من الشهادات الاحترافية والمؤتمرات والدورات التدريبية. وقد قام المكتب باختيار ضوابط ومقاييس DAMA كمصدر رئيسي عند أعداد ضوابط إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية في المملكة.DAMA (Data Management Association)It is a global nonprofit organization specializing in providing data management concepts and practices. Founded in 1980, it currently includes 70 local organizations in 33 countries worldwide, each aiming to enhance the understanding and practice of data management as a key asset supporting public and private entities. DAMA has developed the international standard and guideline document for data management and governance (DAMA DMBOK), in addition to offering various professional certifications, conferences, and training courses. The office has chosen DAMA's controls and standards as a primary source when developing the national data management, governance, and personal data protection controls in the Kingdom.
مراقبة الامتثالقياس مدى التزام الجهات الحكومية بتطبيق ضوابط إدارة البيانات وحوكمتها وذلك بناء على منهج وآلية محددة لقياس الامتثالCompliance MonitoringMeasuring the extent to which government entities comply with data management and governance controls based on a defined methodology and mechanism for assessing compliance.
البيانات كأصول وطنيةتعزيز وتنمية هذا الأصل الوطني الهام من خلال إدارته وتمكينه ورفع القيمة المضافة منه وتنمية القدرات الداعمة لذلكData as National AssetsEnhancing and developing this important national asset through its management, empowerment, increasing its added value, and developing the supporting capabilities for that.
الخصوصية في التصميمالأخذ بعين الاعتبار متطلبات حماية البيانات الشخصية في مراحل بناء وتطوير الأنظمة أو الإجراءات أو التطبيقات...... (التقنية او غير تقنية)Privacy by DesignConsidering the requirements for personal data protection during the stages of building and developing systems, procedures, or applications (technical or non-technical).
الأصل في البيانات الإتاحةاتاحة ومشاركة البيانات الوطنية مع المستفيدين من جهات . وأفراد قدر الامكانData Availability PrincipleMaking national data available and sharing it with beneficiaries from entities and individuals as much as possible.
الاستخدام الأخلاقي للبياناتبناء ممارسات وقواعد أخلاقية مبنية على قيم ومبادئ . لاستخدام البيانات متوافقة مع الأخلاق العامة ومرتكزات الثقافة السعوديةEthical Use of DataEstablishing ethical practices and rules based on values and principles for data use that align with general ethics and the foundations of Saudi culture.
الاستخدام الأمثلاستخدام البيانات بالشكل الأمثل والابتعاد عن الازدواجية . وتمكين الاستجابة الفعالة من خلال تكامل البيانات وترابط . مدلولاتها ومشاركتها والاستفادة منها لتلبية احتياجات . وتطلعات التنمية الوطنيةOptimal Use Utilizing data optimally and avoiding redundancy, while enabling effective responses through data integration, its interconnected meanings, sharing, and leveraging to meet the needs and aspirations of national development.
القرارات المبنية على البياناتتوفير البيانات وتحليلها لدعم متخذي القرار لاتخاذ قرارات فعالة على المستويات الاستراتيجية والتشغيلية وكافة الأصعدةData-Driven DecisionsProviding and analyzing data to support decision-makers in making effective decisions at strategic, operational, and all other levels.
ثقافة البياناترفع ثقافة ووعي المجتمع حول إدارة البيانات وحماية البيانات الشخصية. وتعزيز القدرات الوطنية في الجهاتData CultureRaising community awareness and culture regarding data management and personal data protection, and enhancing national capabilities within entities.
موثوقية البياناتتحقيق ثقة المستفيدين في البيانات بين مختلف الأطراف المتشاركة من خلال رفع جودتها وصحتهاData ReliabilityBuilding trust among beneficiaries in data between various participating parties by improving its quality and accuracy.
Domain Name: For example, Data Governance.
Domain Identifier Number: A unique identifier code for the domain, such as DG for the Data Governance domain.
Specification Name: The name of the specification, such as policy and guidelines.
Control Identifier Number: A unique identifier code for each control, in the format (Domain Identifier Code.Value), where the value is the control's order within the domain. For example, DG.2 denotes the second control in the Data Governance domain.
Control Description: A general description of the control, including the specifications it contains.
Specification Number: A unique identifier code for each specification, in the format (Control Identifier Code.Value), where the value is the specification's order within the control. For example, DG.2.2 denotes the second specification of the second control in the Data Governance domain.
Specification: The activities or tasks required to achieve compliance.
Priority: Determines the priority of implementing the specification.
Date of Issue: The date of issue allows changes to be tracked across the different versions after the document is published.
Relation / Link: The related specifications linked to this specification, with which the entity must comply to ensure effective and integrated implementation of the specification.
The System: The Personal Data Protection System.
Regulations: The Executive Regulations of the System.
Competent Authority: The entity designated by a decision of the Council of Ministers.
Personal Data: Any information, regardless of its source or form, that would lead to the identification of an individual specifically, or that makes it possible to identify them directly or indirectly, including: name, personal identification number, addresses, contact numbers, license, registration, and personal property numbers, bank account and credit card numbers, still or moving images of the individual, and other data of a personal nature.
Processing: Any operation performed on personal data by any means, whether manual or automated, including collection, recording, retention, indexing, organization, coordination, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publication, sharing, interlinking, blocking, erasure, and destruction.
Collection: The controlling entity's acquisition of personal data in accordance with the provisions of the System, whether directly from the data subject, from their representative, from the person holding legal guardianship over them, or from another party.
Destruction: Any action taken on personal data that makes it impossible to access or recover the data again, or to identify its subject specifically.
Disclosure: Enabling any person other than the controlling entity or the processing entity, as applicable, to obtain, use, or view personal data by any means and for any purpose.
Transfer: Moving personal data from one place to another for processing.
Publication: Disseminating any personal data through a readable, audible, or visual medium, or making it available.
Sensitive Data: Any personal data relating to an individual's racial or ethnic origin, or religious, intellectual, or political beliefs, as well as security and criminal data, biometric data that identifies an individual, genetic data, health data, and data indicating that one or both of an individual's parents are unknown.
Genetic Data: Any personal data relating to the inherited or acquired characteristics of a natural person that uniquely identifies the physiological or health traits of that person, derived from the analysis of a biological sample of the person, such as DNA analysis or the analysis of any other sample that yields genetic data.
Health Data: Any personal data relating to an individual's health condition, whether physical, mental, or psychological, or relating to their health services.
Health Services: Services relating to an individual's health, including preventive, therapeutic, rehabilitative, inpatient, and medication provision services.
Credit Data: Any personal data relating to an individual's application for, or receipt of, financing, whether for personal or family purposes, from an entity engaged in financing, including any information regarding their ability to obtain credit, their capacity to repay it, or their credit history.
Data Subject: The individual to whom the personal data relates.
Public Entity: Any ministry, agency, public institution, or public authority, or any independent public entity in the Kingdom, or any of its affiliated entities.
Controlling Entity: Any public entity, and any natural or legal person of a private character, that determines the purpose of processing personal data and how it is to be done, whether the processing is carried out by the entity itself or through a processing entity.
Processing Entity: Any public entity, and any natural or legal person of a private character, that processes personal data for the benefit of and on behalf of the controlling entity.
Regulation: The Executive Regulation of the System.
Direct Marketing: Communicating directly with the data subject by any physical or electronic means for the purpose of delivering marketing material, including, but not limited to, advertisements or promotional offers.
Personal Data Breach: Any incident that leads to the disclosure of, damage to, or unlawful access to personal data, whether intentional or unintentional, and by any means, whether automated or manual.
Vital Interest: Any of the interests necessary to preserve the life of the data subject.
Legitimate Interest: Any necessary need of the controlling entity whose fulfillment requires the processing of personal data for a specific purpose, provided that it does not affect the rights and interests of the data subject.
Pseudonymization: Converting the key identifiers that indicate the data subject's identity into codes that make it impossible to identify the data subject directly without using additional data or information, with that additional data or information kept separately and the necessary technical and administrative controls put in place to ensure that it cannot be linked to a specific data subject.
Anonymization: Permanently removing the direct and indirect identifiers that indicate the data subject's identity, such that the data subject can no longer be identified.
Explicit Consent: Consent granted directly and explicitly by the data subject in any form, indicating their acceptance of the processing of their personal data in a way that cannot be interpreted otherwise, and that is capable of being proven.
Right to Know: Individuals have the right to be informed of the legal basis for collecting their personal data and the purpose of the collection.
Right to Access Personal Data: Individuals have the right to access their personal data held by the controlling entity.
Right to Request Personal Data: Individuals have the right to request a copy of their personal data in a readable and clear format.
Right to Request Correction of Personal Data: Individuals have the right to request that their personal data be corrected if it is inaccurate, completed if it is incomplete, or updated if it is out of date.
Right to Request Deletion of Personal Data: Individuals have the right to request the destruction of their personal data in accordance with the requirements of the System and its Executive Regulations.
Right to Withdraw Consent: Individuals have the right, at any time, to withdraw the consent they previously gave to the processing of their personal data.
Regulation: The Regulation on the Transfer of Personal Data Outside the Kingdom.
Appropriate Safeguards: Requirements imposed by the competent authority on controlling entities, including an obligation to comply with the provisions of the System and the Regulations, when transferring or disclosing personal data to entities outside the Kingdom in any of the cases of exemption from the conditions of an adequate level of personal data protection or of the minimum amount of personal data, as applicable, with the aim of ensuring a level of personal data protection outside the Kingdom that is no lower than the level of protection established in the System and the Regulations.
Operational Processes: A set of procedures relating to the operational processes necessary for the controlling entity's activities, such as human resources operations, invoicing, accounting, and other workflow-related procedures.
Standard Contractual Clauses: Mandatory clauses, used when transferring personal data outside the Kingdom, that guarantee a level of personal data protection during the transfer no lower than the level established in the System and the Regulations, in accordance with a standard model issued by the competent authority.
Binding Common Rules: Rules prepared by the controlling entity and applied to every controlling and processing entity that is party to a group of multinational entities, guaranteeing a level of personal data protection, when the data is transferred outside the Kingdom, no lower than the level established in the System and the Regulations.
Competent Authority: The Saudi Data and Artificial Intelligence Authority (SDAIA).
Data Protection Officer (DPO): One or more natural persons appointed or designated by the controlling entity to follow up on the controlling entity's implementation of the provisions of the System and its Executive Regulations, to monitor and supervise the procedures in force within the controlling entity, and to receive requests relating to personal data in accordance with the provisions of the System and its Executive Regulations.
Core Activities: The activities carried out by the controlling entity to achieve its main objectives.
Promoting a Culture of Sharing: All government entities must share the primary data they produce, in order to achieve integration among these entities and to adopt the "one-time principle" of obtaining data from its correct sources, thereby reducing duplication, conflict, and multiplicity of sources. If data is requested from other than its primary source, the entity asked to share it must obtain the approval of the primary entity (the data source) before sharing it with the requesting entity.
Legitimacy of Purpose: Data must be shared for legitimate purposes based on a regulatory basis or a justified practical need aimed at achieving a public interest, without causing any harm to national interests, the activities of entities, the privacy of individuals, or the safety of the environment. Data and entities exempted by royal orders are excluded from this.
Authorized Access
Shared Responsibility: All parties involved in data sharing bear joint responsibility for decisions on sharing and processing the data in accordance with the specified purposes, and for ensuring that the security controls set out in the data sharing agreement and in the relevant laws, regulations, and policies are applied.
Data Security: All parties involved in data sharing must apply the appropriate security controls to protect the data and share it in a safe and trusted environment, in accordance with the relevant laws and regulations and with what is issued by the National Cybersecurity Authority.
Ethical Use: All parties involved in data sharing must apply ethical practices during the data sharing process to ensure that the data is used within a framework of fairness, integrity, honesty, and respect, rather than merely complying with information security policies or with the relevant regulatory and legislative requirements.
Transparency  Individuals have the right to know information about the activities of public entities, reinforcing the system of integrity, transparency and accountability.
Necessity and Proportionality  Any restriction on a request to view or obtain protected information that public entities receive, produce or handle must be clearly and explicitly justified.
Disclosure Is the Default for Public Information  Every individual has the right to access public (non-protected) information. The requester need not have a particular status or a particular interest in the information in order to obtain it, and exercising this right exposes them to no legal liability.
Availability Is the Default for Data  Public entities' data is made available to everyone by disclosing it or by enabling access to it or its use, unless its nature requires that it not be disclosed or that its privacy or confidentiality be protected.
Open Format and Machine Readability  Data is made available in a machine-readable format that allows automated processing, stored in commonly used file formats such as CSV, XLS, JSON or XML.
Data Freshness  The latest version of each open data set is published regularly and made available to everyone as soon as it exists. Data collected by public entities is published as soon as possible after collection, wherever feasible, with priority given to data whose usefulness declines over time.
Comprehensiveness  Open data sets are comprehensive and include as much detail as possible, reflecting the data as recorded, in a manner that does not conflict with the personal data protection policy. Metadata that describes and explains the primary data is included, together with the explanations or formulas that show how the data was derived or calculated.
Non-Discrimination  Data sets are made available to everyone without discrimination and without registration: anyone can access published open data at any time without verifying their identity or justifying the access.
Free of Charge  Open data is made available to everyone free of charge.
Open Data Licensing in the Kingdom  Open data is subject to a licence that defines the legal basis for its use and the conditions, obligations and restrictions imposed on the user. Using the open data constitutes acceptance of the licence terms.
Developing the Governance Model and Engaging Everyone  Open data enables everyone to view and share data, strengthens the transparency and accountability of public entities, and supports decision-making and service delivery.
Comprehensive Development and Innovation  Entities are expected to play an active role in promoting the reuse of open data and in providing the resources and expertise needed to support it. They should work in an integrated manner with the stakeholders concerned to empower the next generation of open data innovators and to engage individuals, institutions and the public at large in unlocking the potential of open data.
Rules  The rules governing the National Register of Controllers within the Kingdom.
Competent Authority  The Saudi Data and Artificial Intelligence Authority (SDAIA).
Platform  The National Data Governance Platform.
National Register  A register of the public and private controllers, and the individuals, within the Kingdom that process personal data. Its purpose is to monitor and follow up on controllers, help them raise their level of compliance with the provisions of the Law and the Regulations, and provide services related to personal data protection.
Representative  Any natural person appointed by a public or private controller to complete the registration procedures on the Platform.
Individuals  Any natural person who processes personal data for purposes that go beyond personal or family use.
Data Breach Notification Service  A service through which controllers notify the Competent Authority of a personal data breach within no more than 72 hours of becoming aware of it, where the incident could harm the personal data or the data subject, or conflicts with the data subject's rights or interests, in accordance with Article 24 of the Implementing Regulation of the Personal Data Protection Law.
Privacy Impact Assessment Service  A tool for analysing the impact of the processing of personal data in the products and services an entity provides. It defines the scope and objectives of the processing, identifies the legal basis, and surfaces the risks that may arise from processing the personal data.
Legal Support Service  Support and guidance to help public entities understand the Personal Data Protection Law and its regulations, interpret the provisions and requirements they set out, and find all the relevant guides and regulations, contributing to effective implementation and to achieving the intended objectives.
Compliance Assessment Service  Periodic assessment of controllers' compliance against defined criteria and requirements, to track their level of compliance, confirm that the measures they have taken to implement the laws, regulations and policies are effective, and detect incorrect practices so that they can be remedied and business practices and procedures improved.
Actual Need  Each element of personal data is assessed to determine whether it is directly necessary to achieve the purpose for which it is collected and processed.
Purpose  The purpose must be directly related to the personal data collected and directly connected to the controller's objectives; it must not conflict with the provisions of other laws in force in the Kingdom; and the controller must exercise due care in achieving the purpose of the processing without collecting unnecessary personal data.
Methods of Collection  The methods and means of collecting personal data are appropriate to the data subject's circumstances, direct, clear and secure, free of anything that could lead to deception, misrepresentation or extortion, and neither in breach of nor in conflict with the laws in force in the Kingdom.
Content  The content is appropriate and limited to the minimum needed to achieve the purpose of collecting the personal data, whether it is collected directly from the data subject or from another source. Once the purpose of collection has been achieved, the controller avoids retaining content that would allow the data subject to be specifically identified.
Destruction  Personal data that is no longer necessary to achieve the purpose for which it was collected is destroyed, following secure procedures that ensure the data is permanently removed.
Minimum Amount of Personal Data  Only the data necessary to achieve the specific, declared purpose of collection is collected. The data must be relevant, limited in scope and directly related to the controller's purpose, avoiding any unnecessary or excessive data that could reveal the data subject's identity beyond what is required, and ensuring that no additional data is collected that does not directly serve the specified purpose.
Retention  The minimum personal data necessary to achieve the purpose of the processing is retained, and logical and physical access rights to personal data are restricted according to the principle of least privilege and actual need.
The Kingdom  The Kingdom of Saudi Arabia.
The Law  The Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH ("the Law") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
The Regulations  The implementing regulations of the Law, comprising the Implementing Regulation and the Regulation on Personal Data Transfer Outside the Kingdom.
Competent Authority  The Saudi Data and Artificial Intelligence Authority (SDAIA).
Appropriate Safeguards  Requirements imposed by the Competent Authority on controllers, including the obligation to comply with the provisions of the Law and the Regulations when transferring personal data to, or disclosing it to, entities outside the Kingdom under any of the exemptions from the condition of an adequate level of personal data protection or from the minimum personal data requirement, as applicable. Their aim is to ensure a level of personal data protection outside the Kingdom no lower than that prescribed by the Law and the Regulations.
Binding Common Rules  Rules prepared by a controller and applied to every controller and processor that is a member of a multinational group of entities, ensuring a level of personal data protection when data is transferred outside the Kingdom no lower than that prescribed by the Law and the Regulations.
International Organizations  A legal entity with members from at least three states, operating in multiple sovereign states and established by a formal legal instrument such as a treaty or agreement grounded in international law. That instrument sets out the organization's aims and objectives, its structures, its decision-making bodies and its jurisdiction (examples: the United Nations, the World Bank, the Arab League and the Arab Monetary Fund). Such organizations engage in international activities and must comply with differing personal data protection laws across jurisdictions.
Transfer of Personal Data  Transferring personal data, disclosing it or granting access to it from the Kingdom of Saudi Arabia to controllers, processors or other recipients in countries, international organizations or jurisdictions other than the Kingdom of Saudi Arabia, where the data exporter or the data importer is not located.
Third-Party Data Transfers / Onward Transfers  Transferring personal data from a foreign country or international organization to controllers or processors in the same host country or in another host country.
Group of Entities  A group of entities that carry on joint economic activities, such as franchises, joint ventures or professional partnerships, and operate under common control, for example through ownership, shared economic interests, financial participation or governance rules.
Standard Contractual Clauses  Mandatory clauses used when transferring personal data outside the Kingdom, ensuring a level of protection for the transferred personal data no lower than that prescribed by the Law and the Regulations, in the standard template issued by the Competent Authority.
Generalization  Replacing specific attribute values with more general ones, for example grouping ages into bands such as 20-30 and 30-40 instead of recording exact ages.
Data Aggregation  Collapsing individual data into a range, group or category, for example recording the year of birth instead of the full date of birth, while verifying that the aggregated data cannot be used to infer information about specific individuals.
Encryption  Encrypting personal data with strong encryption algorithms, with the encryption keys stored securely and separately from the encrypted data.
Data Masking  Applying masking techniques to conceal or obscure specific data elements.
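Applying the techniques above one field at a time is easy; the part that is usually skipped is the check in the Data Aggregation row, that the released data can no longer single out an individual. The Python below is an added example written for this page, not code from SDAIA or from any document the glossary references. It generalizes, aggregates and masks a constructed set of fictional records and then measures k-anonymity over the remaining quasi-identifiers, suppressing any group too small to hide in. The record set, the field names, the ten-year age band and the three-digit postcode prefix are all assumptions; encryption is not shown because it needs a library outside the standard library.

```python
from collections import Counter

# Constructed sample records (fictional people), as a controller might hold them.
RECORDS = [
    {"name": "Alice",  "dob": "1991-05-03", "nid": "1012345678", "zip": "12345", "diagnosis": "flu"},
    {"name": "Basim",  "dob": "1994-11-21", "nid": "1023456789", "zip": "12349", "diagnosis": "asthma"},
    {"name": "Celine", "dob": "1987-02-14", "nid": "1034567890", "zip": "12311", "diagnosis": "flu"},
    {"name": "Dana",   "dob": "1988-08-30", "nid": "1045678901", "zip": "12377", "diagnosis": "flu"},
    {"name": "Emad",   "dob": "1958-01-09", "nid": "1056789012", "zip": "54321", "diagnosis": "asthma"},
]

# Assumed choice of quasi-identifiers: attributes that are not identifiers on their
# own but can be joined with public data (voter rolls, social media) to re-identify.
QUASI_IDENTIFIERS = ("age_band", "zip")


def aggregate_birth_year(dob):
    """Data aggregation: keep the year of birth instead of the full date (ISO string)."""
    return int(dob[:4])


def generalize_age(birth_year, current_year, width=10):
    """Generalization: replace the approximate age with a band such as '30-40'."""
    low = ((current_year - birth_year) // width) * width
    return f"{low}-{low + width}"


def generalize_zip(zipcode, keep=3):
    """Generalization of a location attribute: keep only the leading digits."""
    return zipcode[:keep] + "*" * (len(zipcode) - keep)


def mask_national_id(nid, visible=2):
    """Data masking for display (support screens, logs): hide all but the last digits.
    A masked ID is NOT anonymous and must not be included in a released data set."""
    return "*" * (len(nid) - visible) + nid[-visible:]


def anonymize(records, current_year):
    """Drop the direct identifiers (name, national ID) and transform the rest."""
    rows = []
    for r in records:
        rows.append({
            "age_band": generalize_age(aggregate_birth_year(r["dob"]), current_year),
            "zip": generalize_zip(r["zip"]),
            "diagnosis": r["diagnosis"],   # the sensitive attribute being released
        })
    return rows


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier values.
    k == 1 means at least one row is unique on those attributes and can be singled out."""
    if not rows:
        return 0
    counts = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(counts.values())


def suppress_small_classes(rows, quasi_identifiers, k):
    """Drop rows whose quasi-identifier combination appears fewer than k times,
    so that every remaining row hides among at least k-1 others."""
    counts = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return [row for row in rows
            if counts[tuple(row[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    released = anonymize(RECORDS, current_year=2025)
    print("k before suppression:", k_anonymity(released, QUASI_IDENTIFIERS))
    safe = suppress_small_classes(released, QUASI_IDENTIFIERS, k=2)
    print("k after suppression:", k_anonymity(safe, QUASI_IDENTIFIERS), "rows kept:", len(safe))
```

With the constructed data the first run reports k = 1: the only person in the 60-70 band living in postcode 543** is unique even after generalization, so a neighbour who knows one asthmatic pensioner in that area learns the diagnosis. Suppression to k = 2 removes that row and leaves four rows that share one equivalence class. Note that all four survivors would still share a diagnosis distribution that an attacker can read (three of four have flu); k-anonymity guards against singling out, not against attribute disclosure, so the check is a floor rather than a proof of anonymity.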
Data Overwriting and Secure Erase (SE)  Overwriting replaces the original data with random, meaningless data so that the original data cannot be recovered. Secure erase is a more advanced technique: a command is sent to the drive's built-in firmware to erase all data, including areas that are not normally accessible to the operating system.
Data Removal (Without Destroying the Hardware)  Using a degausser to disrupt the magnetic field that stores the data, rendering it effectively unreadable. The process is efficient and fast, which makes it the preferred choice for bulk erasure, and it leaves the device physically intact. Degaussing works only on magnetic media; it is unsuitable for solid-state drives (SSDs) or flash-based storage. In practice, degaussing a modern hard disk also wipes its factory-written servo tracks, so the drive is rarely reusable afterwards even though it is undamaged; tape media can be reused.
Shredding and Deformation  Cutting assets into small pieces and physically deforming them, rendering them effectively unreadable.
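Overwriting is the one technique in the rows above that can be exercised in software without special hardware, and it is the one most often done wrong. The Python below is an added example for this page, not code from SDAIA or any referenced document. It overwrites a file in place with random bytes, forces the writes to the device before unlinking, and verifies on a constructed sample that the identifiers are no longer readable; the sample content, chunk size and pass count are assumptions.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024   # assumed chunk size: overwrite in 1 MiB pieces so large files never sit in RAM

# Constructed sample content standing in for a personal-data export (fictional values).
SAMPLE = b"name=Alice;nid=1012345678;diagnosis=flu\n" * 1000


def overwrite_file(path, passes=1):
    """Data overwriting: replace every byte of the file in place with random data.
    Each pass is flushed and fsync'd so the writes reach the device instead of
    sitting in the page cache. Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:          # r+b keeps the same inode; "wb" would truncate first
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def shred(path, passes=1):
    """Overwrite, then unlink: the directory entry goes only after the content is gone.
    Deleting first (os.remove alone) leaves the data blocks intact until reused."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo():
    """Write the sample to a temp file, overwrite it once, then report
    (bytes written, whether the national ID is still readable, whether the file still exists)."""
    fd, path = tempfile.mkstemp(prefix="pd-export-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    written = overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        leftover = f.read()
    still_readable = b"1012345678" in leftover
    os.remove(path)
    return written, still_readable, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # e.g. (40000, False, False)
```

The check in `demo` only proves that the logical file no longer holds the data. On an SSD the controller's wear levelling maps the new writes to fresh flash blocks and leaves the old ones in place; on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, the original blocks likewise survive. That is why the Secure Erase row exists: the ATA SECURITY ERASE UNIT and NVMe Sanitize/Format commands (exposed by `hdparm --security-erase` and the `nvme` CLI) or cryptographic erase of a self-encrypting drive act below the filesystem, and degaussing does not apply to flash at all. Use file-level overwriting for in-place magnetic storage you control, and treat it as a last resort elsewhere.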
Retention Periods for Categories of Personal Data  The expected period for which personal data will be retained, and the retention period for each category of personal data, where possible.
Organizational, Administrative and Technical Measures  A description of the organizational, administrative and technical procedures and means that ensure personal data is preserved, for example encryption, access controls, training and awareness.
Linking of Files Collected from Different Sources  Linking or combining two or more sets of personal data that were obtained from different controllers, or that were collected or processed from the outset for different purposes, or both.
Automated Processing of Personal Data  A description of any form of automated processing of personal data on which decision-making is based.
Large-Scale Processing of Personal Data  A description of personal data processing that involves a large number of data subjects and a large volume and range of types of personal data, together with the geographical scope of the processing and the different categories of data subjects concerned.
Impact Assessment  The process of analysing and estimating the potential risks that may arise from processing personal data, especially those that may affect individuals' rights and freedoms. It covers assessing the effect of the processing on privacy, confirming that appropriate measures are in place to protect the personal data, and ensuring compliance with the Personal Data Protection Law and its relevant implementing regulations.
Legal Basis  The legal basis for collecting and processing personal data.
Persons Lacking Legal Capacity  Individuals who do not have the legal capacity to take decisions about the processing of their personal data, such as minors or persons a court has declared legally incompetent. Such individuals are considered unable to give explicit consent or to take legal decisions about their personal data.
المسؤولية | أن يتم تحديد وتوثيق سياسات وإجراءات الخصوصية الخاصة بجهة التحكم واعتمادها من قبل المسؤول الأول بالجهة أو من يفوضه، ونشرها إلى جميع الأطراف المعنية بتطبيقها. | Principle of Accountability | The control authority's privacy policies and procedures should be defined and documented, approved by the entity's most senior official or their delegate, and disseminated to all parties involved in applying them.
الشفافية | أن يتم إعداد إشعار عن سياسات وإجراءات الخصوصية الخاصة بجهة التحكم يحدد فيه الأغراض التي من أجلها تمت معالجة البيانات الشخصية وذلك بصورة محددة وواضحة وصريحة. | Principle of Transparency | A notice on the control authority's privacy policies and procedures should be prepared, specifying the purposes for which personal data is processed in a specific, clear, and explicit manner.
الاختيار والموافقة | أن يتم تحديد جميع الخيارات الممكنة لصاحب البيانات الشخصية والحصول على موافقته (الضمنية أو الصريحة) فيما يتعلق بجمع بياناته واستخدامها أو الإفصاح عنها. | Choice and Consent | All options available to the data subject should be identified, and their consent (implicit or explicit) obtained regarding the collection, use, or disclosure of their data.
الحد من جمع البيانات | أن يقتصر جمع البيانات الشخصية على الحد الأدنى من البيانات الذي يمكن من تحقيق الأغراض المحددة في إشعار الخصوصية. | Data Collection Limitation | The collection of personal data should be limited to the minimum needed to achieve the purposes specified in the privacy notice.
الحد من استخدام البيانات والاحتفاظ بها والتخلص منها | أن يتم تقييد معالجة البيانات الشخصية بالأغراض المحددة في إشعار الخصوصية والتي من أجلها قدم صاحب البيانات موافقته الضمنية أو الصريحة، والاحتفاظ بها طالما كان ذلك ضرورياً لتحقيق الأغراض المحددة أو لما تقتضيه الأنظمة واللوائح والسياسات المعمول بها في المملكة وإتلافها بطريقة آمنة تمنع التسرب، أو الفقدان، أو الاختلاس، أو إساءة الاستخدام، أو الوصول غير المصرح به نظاماً. | Limitation of Data Use, Retention, and Disposal | The processing of personal data should be restricted to the purposes specified in the privacy notice for which the data subject gave implicit or explicit consent. Data should be retained only as long as necessary to achieve those purposes or as required by the laws, regulations, and policies in force in the Kingdom, and then disposed of securely in a way that prevents leakage, loss, theft, misuse, or unauthorized access.
الوصول إلى البيانات | أن يتم تحديد وتوفير الوسائل التي عن طريقها يمكن لصاحب البيانات الوصول إلى بياناته الشخصية لمراجعتها، وتحديثها، وتصحيحها. | Data Access | Means should be identified and provided through which the data subject can access their personal data to review, update, and correct it.
الحد من الإفصاح عن البيانات | أن يتم تقييد الإفصاح عن البيانات الشخصية للأطراف الخارجية بالأغراض المحددة في إشعار الخصوصية والتي من أجلها قدم صاحب البيانات موافقته الضمنية أو الصريحة. | Data Disclosure Limitation | Disclosure of personal data to external parties should be restricted to the purposes specified in the privacy notice for which the data subject gave implicit or explicit consent.
أمن البيانات | أن تتم حماية البيانات الشخصية من التسرب، أو التلف، أو الفقدان، أو الاختلاس، أو إساءة الاستخدام، أو التعديل أو الوصول غير المصرح به، وفقاً لما يصدر من الهيئة الوطنية للأمن السيبراني والجهات ذات الاختصاص. | Data Security | Personal data must be protected from leakage, damage, loss, theft, misuse, modification, or unauthorized access, in accordance with what is issued by the National Cybersecurity Authority and the relevant competent authorities.
المراقبة والامتثال | أن تتم مراقبة الامتثال لسياسات وإجراءات الخصوصية الخاصة بجهة التحكم، ومعالجة الاستفسارات والشكاوى والنزاعات المتعلقة بالخصوصية. | Monitoring and Compliance | Compliance with the control authority's privacy policies and procedures should be monitored, and privacy-related inquiries, complaints, and disputes handled.
ضوابط | ضوابط إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية | Controls | National Data Management, Data Governance, and Personal Data Protection Controls
إدارة البيانات | عملية تطوير وتنفيذ الخطط والسياسات والبرامج والممارسات والإشراف عليها لتمكين الجهات من حوكمة البيانات وتعزيز قيمتها باعتبارها أحد الأصول القيمة والثمينة. | Data Management | The process of developing, implementing, and overseeing plans, policies, programs, and practices that enable entities to govern data and enhance its value as a valuable and precious asset.
أداة دليل البيانات المؤتمتة | أداة لإدارة البيانات الوصفية (Meta Data) وحوكمتها لأتمتتها ووضعها في دليل وفهرس وطني شامل للبيانات لتمكين اكتشاف مجموعات البيانات ووصفها وتنظيمها وتحديد الجهات المنشئة للبيانات (مصدر المعلومة الصحيح) وذلك من أجل استخراج القيمة المضافة المستهدفة | Automated Data Catalog Tool | A tool for managing and governing metadata that automates it and places it in a comprehensive national data catalog and index, so that datasets can be discovered, described, and organized and the entities that originate the data (the correct source of the information) identified, in order to extract the targeted added value.
شركاء الأعمال | الجهات التي تم إشراكها في إنتاج أو إدارة أو الإشراف على بيانات حكومية | Business Partners | Entities involved in the production, management, or oversight of government data.
نموذج احتساب الرسوم | آلية تساعد على تحصيل الإيرادات من البيانات، وتصف الطريقة التي سيتم بها احتساب الرسوم حسب طبيعة البيانات ونوعيتها ومنتج البيانات والاستخدامات المتوقعة لها، وكذلك حجم الطلب... الخ | Fee Calculation Model | A mechanism that supports collecting revenue from data, describing how fees will be calculated according to the nature and quality of the data, the data product, its expected uses, the size of the request, etc.
البيانات | مجموعة من الحقائق في صورتها الأولية أو في صورة غير منظمة مثل الأرقام أو الحروف أو الصور الثابتة أو التسجيلات المرئية أو التسجيلات الصوتية أو الرموز التعبيرية | Data | A collection of facts in raw or unorganized form, such as numbers, letters, still images, video recordings, audio recordings, or emojis.
مستويات تصنيف البيانات | مستويات التصنيف المعتمدة من مجلس الإدارة وهي: "سري للغاية"، "سري"، "مقيد"، "عام" | Data Classification Levels | The classification levels approved by the Board of Directors, namely: "Highly Confidential," "Confidential," "Restricted," and "Public."
جهة التحكم | أي جهة حكومية أو جهة اعتبارية عامة مستقلة في المملكة، وأي شخصية ذات صفة طبيعية أو اعتبارية خاصة تحدد الغرض من معالجة البيانات الشخصية وكيفية ذلك، سواء تمت معالجة البيانات بواسطتها أو من خلال جهة المعالجة | Control Authority | Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that determines the purpose and means of processing personal data, whether the data is processed by it or through a processing authority.
جهة المعالجة | أي جهة حكومية أو جهة اعتبارية عامة مستقلة في المملكة، وأي شخصية ذات صفة طبيعية أو اعتبارية خاصة تعالج البيانات الشخصية لمصلحة جهة التحكم أو نيابة عنها. | Processing Authority | Any government entity or independent public legal entity in the Kingdom, and any natural or private legal person, that processes personal data for the benefit of or on behalf of the control authority.
منتجات البيانات (البيانات المعالجة) | يقصد بمنتجات البيانات المخرجات الناتجة عن تحويل البيانات بهدف خلق قيمة مضافة من خلال جمع المزيد من البيانات أو إثرائها أو إعدادها أو تحليلها أو تمثيلها أو تصحيحها... الخ | Data Products (Processed Data) | Data products are the outputs resulting from transforming data to create added value, by collecting more data or enriching, preparing, analyzing, representing, or correcting it, etc.
مقدم الطلب | أي جهة من القطاعين العام أو الخاص، أو فرد يتقدم بطلب لمشاركة البيانات | Applicant | Any public- or private-sector entity, or an individual, that submits a request for data sharing.
اتفاقية مشاركة البيانات | اتفاقية رسمية موقعة بين طرفين (جهة حكومية مع أي طرف آخر) للموافقة على مشاركة البيانات وفقاً لشروط وأحكام محددة ومتوافقة مع مبادئ سياسة مشاركة البيانات | Data Sharing Agreement | A formal agreement signed between two parties (a government entity and any other party) approving data sharing under specific terms and conditions that comply with the principles of the Data Sharing Policy.
صاحب البيانات الشخصية | الشخص الطبيعي الذي تتعلق به البيانات الشخصية أو من يمثله أو من له الولاية الشرعية عليه | Data Subject | The natural person to whom the personal data pertains, their representative, or the person holding legal guardianship over them.
بيانات الجهة العامة | البيانات قبل أو بعد المعالجة التي تتلقاها أو تنتجها أو تتعامل معها الجهات العامة مهما كان مصدرها أو شكلها أو طبيعتها | Public Entity Data | Data, before or after processing, that public entities receive, produce, or handle, regardless of its source, form, or nature.
البيانات الرئيسية | مجموعة بيانات رئيسية كمصادر أساسية (بيانات الأفراد، الجهات الاعتبارية، العقار... وغيره) في صورتها الأولية أو في صورة غير منظمة مثل الأرقام أو الحروف أو الصور أو الفيديو أو التسجيلات الصوتية أو الرموز التعبيرية | Master Data | A set of master data serving as primary sources (data on individuals, legal entities, real estate, etc.) in raw or unorganized form, such as numbers, letters, images, video, audio recordings, or emojis.
البيانات الشخصية | كل بيان، مهما كان مصدره أو شكله، من شأنه أن يؤدي إلى معرفة الفرد على وجه التحديد، أو يجعله قابلاً للتعرف عليه بصفة مباشرة أو غير مباشرة عند دمجه مع بيانات أخرى، ويشمل ذلك على سبيل المثال لا الحصر الاسم، وأرقام الهوية الشخصية، والعناوين وأرقام التواصل وأرقام الحسابات البنكية والبطاقات الائتمانية، وصور الفرد، وغير ذلك من البيانات ذات الطابع الشخصي. | Personal Data | Any data, regardless of its source or form, that can lead to the identification of an individual, or makes them identifiable directly or indirectly when combined with other data. This includes, but is not limited to, names, identification numbers, addresses, contact numbers, bank account and credit card numbers, images of the individual, and other data of a personal nature.
الجهة العامة | أي جهة حكومية أو شخصية ذات صفة اعتبارية عامة مستقلة في المملكة، أو أي من الجهات التابعة لها، وتعد في حكم الجهة العامة أي شركة تقوم بإدارة المرافق العامة أو البنى التحتية الوطنية أو تشغيلها أو صيانتها، أو تقوم بمباشرة خدمة عامة فيما يخص إدارة تلك المرافق أو البنى التحتية. | Public Entity | Any government entity or independent public legal entity in the Kingdom, or any of its affiliated entities. Any company that manages, operates, or maintains public facilities or national infrastructure, or provides a public service related to managing such facilities or infrastructure, is also treated as a public entity.
المعلومات العامة | البيانات بعد المعالجة وتصنيفها "عامة" التي تتلقاها أو تنتجها أو تتعامل معها الجهات العامة مهما كان مصدرها، أو شكلها أو طبيعتها. | Public Information | Data that, after processing, is classified "Public" and that public entities receive, produce, or handle, regardless of its source, form, or nature.
البيانات المرجعية | ضوابط متفق عليها لتمثيل عناصر البيانات الأكثر شيوعاً، على سبيل المثال لا الحصر، الرموز البريدية، العملات النقدية، وأنظمة قياس درجة الحرارة (درجة مئوية أو فهرنهايت) | Reference Data | Agreed-upon standards for representing the most common data elements, including but not limited to postal codes, currencies, and temperature scales (Celsius or Fahrenheit).
المصدر الموثوق | مصدر مرجعي للبيانات تم إثبات موثوقيته من خلال التحقق المسبق من صحته. | Trusted Source | A reference source of data whose reliability has been established through prior verification of its accuracy.
بيانات غير معالجة | البيانات التي لم تخضع للمعالجة أو للتبادل بصورة أولية بأي صيغة كانت | Unprocessed Data | Data that has not undergone processing or initial exchange in any form.
مجلس الإدارة | ارتباط مكتب إدارة البيانات الوطنية برئيس مجلس إدارة الهيئة السعودية للبيانات والذكاء الاصطناعي | Board of Directors | The affiliation of the National Data Management Office with the Chairman of the Board of Directors of the Saudi Data and Artificial Intelligence Authority.
المكتب | مكتب إدارة البيانات الوطنية | Office | The National Data Management Office
لجنة حوكمة البيانات | أي لجنة داخلية تشكل بالجهة وهدفها مشاركة أصحاب القرار بأهمية إدارة البيانات وحماية البيانات الشخصية ونشر التوعية بالجهة | Data Governance Committee | Any internal committee formed within the entity whose aim is to engage decision-makers on the importance of data management and personal data protection and to raise awareness within the entity.
حوكمة البيانات | هي مجموعة من الممارسات والإجراءات التي تساعد على ضمان إدارة أصول البيانات في الجهات، بدءاً من وضع الخطة المعنية بالبيانات وتطوير الضوابط والسياسات وحتى التنفيذ والامتثال. يتم تحقيق ذلك من خلال إطار حوكمي يوضح الأدوار والمسؤوليات بين ذوي العلاقة. | Data Governance | A set of practices and procedures that help ensure the management of data assets within entities, from developing the data plan and establishing controls and policies through to implementation and compliance. This is achieved through a governance framework that clarifies roles and responsibilities among stakeholders.
البيانات الوصفية ودليل البيانات | البيانات الوصفية: أي معلومات تفصيلية تصف البيانات وخصائص استخدامها والتي تتكون من ثلاثة أنواع: ١ - البيانات الوصفية للأعمال، ٢ - البيانات الوصفية الفنية، ٣ - البيانات الوصفية التشغيلية. يعتبر دليل البيانات أحد المخرجات المرتبطة بالبيانات الوصفية (Metadata)، فهو إطار مرجعي يصف البيانات ومكوناتها وترابطها لإدارتها والرجوع لها كخارطة بيانات تفصيلية. كما أنه يحدد مصدر الحقيقة للبيانات في الجهة العامة. | Metadata and Data Catalog | Metadata is any detailed information that describes data and the characteristics of its use; it comes in three types: 1 - business metadata, 2 - technical metadata, and 3 - operational metadata. The data catalog is one of the outputs associated with metadata: a reference framework that describes data, its components, and their interconnections so that it can be managed and consulted as a detailed data map. It also identifies the source of truth for data within the public entity.
جودة البيانات | تمثل جودة البيانات مجموعة من العمليات الدورية لمعالجة البيانات وضمان صحتها ودقتها ونضجها لتلبية متطلبات العمل... | Data Quality | Data quality is a set of periodic processes for processing data and ensuring its correctness, accuracy, and maturity to meet business requirements.
تخزين البيانات | آلية حفظ البيانات على أجهزة ووسائل تخضع للتدابير اللازمة لتوفير البيانات بسهولة | Data Storage | The mechanism for keeping data on devices and media that are subject to the measures needed to make the data readily available.
إدارة المحتوى والوثائق | تعني إدارة المحتوى والوثائق بالحفاظ على البيانات والمعلومات وتنميتها من خلال رقمنتها وإدارة تبادلها والوصول إليها وحفظها سواء منظمة أو غير منظمة. | Content and Document Management | Content and document management is concerned with preserving and developing data and information, whether structured or unstructured, through digitization and managing their exchange, access, and retention.
النمذجة وهيكلة البيانات | نمذجة البيانات هي إنشاء تمثيل للبيانات في مجال اختصاص جهة معينة، والغرض من نماذج البيانات هو تبسيطها من خلال وصف هذه البيانات وتحديد مكوناتها، وكذلك تحديد العلاقة بين تلك المكونات. | Data Modeling and Structuring | Data modeling is the creation of a representation of the data within an entity's domain; the purpose of data models is to simplify that data by describing it, identifying its components, and defining the relationships between those components.
هيكلة البيانات | هي الإجراءات والأنظمة والهياكل التنظيمية المطلوبة باستخدام نماذج المقاييس العالمية كمرجع يشار إليه في الإجراءات من حفظ البيانات والوصول إليها ونقلها وتنظيمها... وغيره، وعادة ما يتم تحديد هيكلة البيانات على مستويات مختلفة وتهدف إلى تقديم تمثيل لكيفية تنقل البيانات داخل الجهة. | Data Structuring | The procedures, systems, and organizational structures required, using global standard models as the reference for procedures such as data retention, access, transfer, and organization. Data structuring is usually defined at several levels and aims to represent how data moves within the entity.
إدارة البيانات المرجعية والرئيسية | هي مجموعة من الضوابط لضمان تحديد مصادر البيانات ومنشأها الرئيسي الصحيح والمشترك للجميع في المملكة لتوفير بيانات دقيقة وغنية وصحيحة ومتسقة، تمكن من تقديم معلومات صحيحة ودقيقة لمتخذي القرار باستخدام مجموعة من التقنيات. | Reference and Master Data Management | A set of controls that ensure data sources and their correct primary origin, shared by all in the Kingdom, are identified, so as to provide accurate, rich, correct, and consistent data that enables correct and precise information to be delivered to decision-makers using a range of technologies.
ذكاء الأعمال والتحليلات | يشير ذكاء الأعمال والتحليلات إلى جمع وتحليل البيانات الداخلية والخارجية لاستخلاص المعرفة والقيمة للجهات. كما يتيح للجهات تحويل البيانات إلى نتائج وقياسات معلوماتية قيمة ومفيدة. | Business Intelligence and Analytics | Business intelligence and analytics refer to collecting and analyzing internal and external data to extract knowledge and value for entities, enabling them to turn data into valuable and useful informational results and metrics.
تكامل البيانات ومشاركتها | تشير إلى كيفية تنقل البيانات من خلال النظم الموزعة في الجهات المختلفة بغرض تكامل البيانات، وتحديد آلية مشاركة البيانات بين الجهات وطريقة نقلها وتسليمها. | Data Integration and Sharing | Refers to how data moves through the distributed systems of different entities for the purpose of data integration, and to defining the mechanism for sharing data between entities and how it is transferred and delivered.
تحقيق القيمة من البيانات | تمكين الجهات الحكومية من الاستفادة من البيانات لكسب فوائد مالية واقتصادية واجتماعية وقيادية قابلة للقياس، وذلك من خلال إنشاء منتجات أو خدمات بيانات حكومية ذات مردود يساند في عملية اتخاذ القرار وتحقيق الطموحات، ومردود اقتصادي من خلال تحسين العمليات أو خفض التكاليف أو تنويع مصادر الدخل مما يسهم في النهضة التنموية. | Deriving Value from Data | Enabling government entities to benefit from data by gaining measurable financial, economic, social, and leadership value, through creating government data products or services whose returns support decision-making and the achievement of ambitions, as well as economic returns from improving processes, reducing costs, or diversifying sources of income, contributing to development.
البيانات المفتوحة | مجموعة محددة من المعلومات العامة، مقروءة آلياً، تكون متاحة للعموم مجاناً ودون قيود من خلال منصة وطنية للبيانات المفتوحة، ويمكن لأي فرد أو جهة عامة أو خاصة استخدامها أو مشاركتها. | Open Data | A defined set of public information, in machine-readable form, made available to the public free of charge and without restriction through a national open data platform, which any individual or public or private entity may use or share.
حرية المعلومات | مجموعة من الأحكام والإجراءات التي تنظم ممارسة حق الاطلاع على المعلومات العامة المتعلقة بأعمال الجهات أو الحصول عليها، وتعزيز مبدأ الشفافية وحرية تداول هذه المعلومات. | Freedom of Information | A set of provisions and procedures that regulate the exercise of the right to view or obtain public information relating to the activities of entities, and that promote transparency and the free circulation of that information.
تصنيف البيانات | إطار موحد يهدف إلى تقسيم البيانات إلى مستويات محددة، تحدد آلية التعامل معها، بناءً على قياس شدة الأثر المترتب على الإفصاح غير المصرح به نظاماً عن البيانات أو عن محتواها | Data Classification | A unified framework that divides data into defined levels, each of which determines how the data is handled, based on the severity of the impact of unauthorized disclosure of the data or its content.
حماية البيانات الشخصية | مجموعة من الأحكام والإجراءات التي تنظم معالجة البيانات الشخصية بما يكفل المحافظة على خصوصية أصحاب هذه البيانات وحماية حقوقهم. | Personal Data Protection | A set of provisions and procedures that regulate the processing of personal data so as to preserve the privacy of data subjects and protect their rights.
أمن البيانات وحمايتها | مجموعة الأنظمة والإجراءات والتقنيات والحلول التقنية اللازمة لحماية البيانات من الوصول أو التعديل أو الحذف غير المصرح به ويتم التعاون في هذا المجال مع جهة الاختصاص وهي الهيئة الوطنية للأمن السيبراني | Data Security and Protection | The set of systems, procedures, technologies, and technical solutions needed to protect data from unauthorized access, modification, or deletion; work in this area is carried out in cooperation with the competent authority, the National Cybersecurity Authority.
داما (DAMA) | هي منظمة عالمية غير ربحية متخصصة بتقديم مفاهيم وممارسات إدارة البيانات. تأسست في عام ١٩٨٠، وتضم حالياً ٧٠ منظمة محلية في ٣٣ دولة حول العالم، كل منها يهدف إلى تعزيز فهم وممارسة إدارة البيانات كأحد الأصول الرئيسية الداعمة للجهات العامة والخاصة. وقد أعدت DAMA الدليل الدولي المعياري والقياسي والاسترشادي لإدارة البيانات وحوكمتها (DAMA DMBOK)، بالإضافة إلى تقديمها لعدد من الشهادات الاحترافية والمؤتمرات والدورات التدريبية. وقد قام المكتب باختيار ضوابط ومقاييس DAMA كمصدر رئيسي عند إعداد ضوابط إدارة البيانات الوطنية وحوكمتها وحماية البيانات الشخصية في المملكة. | DAMA (Data Management Association) | A global nonprofit organization specializing in data management concepts and practices. Founded in 1980, it currently comprises 70 local chapters in 33 countries, each aiming to advance the understanding and practice of data management as a key asset supporting public and private entities. DAMA produced the international standard and guidance body of knowledge for data management and governance (DAMA DMBOK) and also offers a number of professional certifications, conferences, and training courses. The Office chose DAMA's controls and standards as a primary source when developing the Kingdom's national data management, governance, and personal data protection controls.
مراقبة الامتثال | قياس مدى التزام الجهات الحكومية بتطبيق ضوابط إدارة البيانات وحوكمتها وذلك بناءً على منهج وآلية محددة لقياس الامتثال | Compliance Monitoring | Measuring the extent to which government entities apply the data management and governance controls, based on a defined methodology and mechanism for measuring compliance.
البيانات كأصول وطنية | تعزيز وتنمية هذا الأصل الوطني الهام من خلال إدارته وتمكينه ورفع القيمة المضافة منه وتنمية القدرات الداعمة لذلك | Data as National Assets | Strengthening and developing this important national asset by managing it, enabling it, raising the added value derived from it, and building the capabilities that support this.
الخصوصية في التصميم | الأخذ بعين الاعتبار متطلبات حماية البيانات الشخصية في مراحل بناء وتطوير الأنظمة أو الإجراءات أو التطبيقات (التقنية أو غير التقنية) | Privacy by Design | Taking personal data protection requirements into account during the stages of building and developing systems, procedures, or applications (technical or non-technical).
الأصل في البيانات الإتاحة | إتاحة ومشاركة البيانات الوطنية مع المستفيدين من جهات وأفراد قدر الإمكان | Data Availability Principle | Making national data available to, and sharing it with, beneficiary entities and individuals as far as possible.
الاستخدام الأخلاقي للبيانات | بناء ممارسات وقواعد أخلاقية مبنية على قيم ومبادئ لاستخدام البيانات متوافقة مع الأخلاق العامة ومرتكزات الثقافة السعودية | Ethical Use of Data | Establishing ethical practices and rules for data use, grounded in values and principles, that are consistent with public morals and the foundations of Saudi culture.
الاستخدام الأمثل | استخدام البيانات بالشكل الأمثل والابتعاد عن الازدواجية وتمكين الاستجابة الفعالة من خلال تكامل البيانات وترابط مدلولاتها ومشاركتها والاستفادة منها لتلبية احتياجات وتطلعات التنمية الوطنية | Optimal Use | Using data optimally and avoiding duplication, while enabling effective response through data integration, the interlinking of its meanings, its sharing, and its use to meet the needs and aspirations of national development.
القرارات المبنية على البيانات | توفير البيانات وتحليلها لدعم متخذي القرار لاتخاذ قرارات فعالة على المستويات الاستراتيجية والتشغيلية وكافة الأصعدة | Data-Driven Decisions | Providing and analyzing data to support decision-makers in making effective decisions at the strategic and operational levels and at all other levels.
ثقافة البيانات | رفع ثقافة ووعي المجتمع حول إدارة البيانات وحماية البيانات الشخصية، وتعزيز القدرات الوطنية في الجهات | Data Culture | Raising the community's culture and awareness of data management and personal data protection, and strengthening national capabilities within entities.
موثوقية البيانات | تحقيق ثقة المستفيدين في البيانات بين مختلف الأطراف المتشاركة من خلال رفع جودتها وصحتها | Data Reliability | Achieving beneficiaries' trust in data among the various participating parties by raising its quality and accuracy.
اسم المجال | على سبيل المثال حوكمة البيانات | Domain Name | For example, Data Governance.
رقم تعريف المجال | رمز تعريف فريد للمجال، مثل DG لمجال حوكمة البيانات | Domain Identifier Number | A unique identifier code for the domain, such as DG for the Data Governance domain.
اسم المواصفة | اسم المواصفة، مثل السياسة والقواعد الاسترشادية | Specification Name | The name of the specification, such as Policy and Guidelines.
رقم تعريف الضابط | رمز تعريف فريد لكل ضابط باستخدام الصيغة التالية (رمز تعريف المجال.قيمة) حيث تمثل القيمة ترتيب الضابط في المجال، مثال: DG.2 يمثل الضابط الثاني في مجال حوكمة البيانات. | Control Identifier Number | A unique identifier code for each control in the format (Domain Identifier Code.Value), where the value is the control's position within the domain. For example, DG.2 is the second control in the Data Governance domain.
وصف الضابط | وصف عام للضابط ويشمل المواصفات الواردة به | Control Description | A general description of the control, including the specifications it contains.
رقم المواصفة | رمز تعريف فريد لكل مواصفة باستخدام الصيغة التالية (رمز تعريف الضابط.قيمة) حيث تمثل القيمة ترتيب المواصفة في الضابط، مثال: الرمز DG.2.2 يمثل المواصفة الثانية في الضابط الثاني في مجال حوكمة البيانات | Specification Number | A unique identifier code for each specification in the format (Control Identifier.Value), where the value is the specification's position within the control. For example, the code DG.2.2 is the second specification of the second control in the Data Governance domain.
المواصفة | الأنشطة أو المهام اللازمة لتحقيق الامتثال | Specification | The activities or tasks required to achieve compliance.
الأولوية | تحدد أولوية تطبيق المواصفة | Priority | Determines the priority of implementing the specification.
تاريخ الإصدار | يسمح تاريخ الإصدار بتعقب التغييرات عبر الإصدارات المختلفة بعد نشر المستند | Date of Issue | The date of issue allows changes to be tracked across versions after the document is published.
الارتباط | المواصفات ذات العلاقة والمرتبطة بهذه المواصفة، التي يجب على الجهة أن تمتثل لها من أجل ضمان تنفيذ فعال للمواصفة بشكل متكامل. | Relation / Link | Related specifications linked to this specification, which the entity must comply with to ensure effective and integrated implementation of the specification.
النظام | نظام حماية البيانات الشخصية. | The Law | The Personal Data Protection Law.
اللوائح | اللوائح التنفيذية للنظام. | Regulations | The Executive Regulations of the Law.
الجهة المختصة | الجهة التي يصدر بتحديدها قرار من مجلس الوزراء. | Competent Authority | The entity designated by a decision of the Council of Ministers.
البيانات الشخصية | كل بيان، مهما كان مصدره أو شكله، من شأنه أن يؤدي إلى معرفة الفرد على وجه التحديد، أو يجعل التعرف عليه ممكناً بصفة مباشرة أو غير مباشرة، ومن ذلك: الاسم، ورقم الهوية الشخصية، والعناوين، وأرقام التواصل، وأرقام الرخص والسجلات والممتلكات الشخصية، وأرقام الحسابات البنكية والبطاقات الائتمانية، وصور الفرد الثابتة أو المتحركة، وغير ذلك من البيانات ذات الطابع الشخصي. | Personal Data | Any data, regardless of its source or form, that can lead to the identification of an individual specifically or make it possible to identify them directly or indirectly, including: name, personal identification number, addresses, contact numbers, license, registration, and personal property numbers, bank account and credit card numbers, still or moving images of the individual, and other data of a personal nature.
المعالجة | أي عملية تُجرى على البيانات الشخصية بأي وسيلة كانت يدوية أو آلية، ومن ذلك عمليات الجمع، والتسجيل، والحفظ والفهرسة، والترتيب والتنسيق والتخزين والتعديل، والتحديث، والدمج، والاسترجاع والاستعمال، والإفصاح والنقل والنشر والمشاركة في البيانات أو الربط البيني، والحجب، والمسح والإتلاف. | Processing | Any operation performed on personal data by any means, whether manual or automated, including collection, recording, retention and indexing, organization and structuring, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publication, sharing of data or interlinking, restriction, erasure, and destruction.
الجمع | حصول جهة التحكم على البيانات الشخصية وفقاً لأحكام النظام، سواء من صاحبها مباشرة أو ممن يمثله أو ممن له الولاية الشرعية عليه أو من طرف آخر. | Collection | The controlling entity's acquisition of personal data in accordance with the provisions of the Law, whether directly from the data subject, from their representative, from their legal guardian, or from another party.
الإتلاف | أي إجراء يتم على البيانات الشخصية ويجعل من المتعذر الاطلاع عليها أو استعادتها مرة أخرى أو معرفة صاحبها على وجه التحديد. | Destruction | Any action taken on personal data that makes it impossible to access it, recover it, or specifically identify the data subject.
الإفصاح | تمكين أي شخص عدا جهة التحكم أو جهة المعالجة بحسب الأحوال من الحصول على البيانات الشخصية أو استعمالها أو الاطلاع عليها بأي وسيلة ولأي غرض. | Disclosure | Enabling any person other than the controlling entity or the processing entity, as applicable, to obtain, use, or view personal data by any means and for any purpose.
النقل | نقل البيانات الشخصية من مكان إلى آخر لمعالجتها. | Transfer | Moving personal data from one location to another for processing.
النشر | بث أي من البيانات الشخصية عبر وسيلة نشر مقروءة أو مسموعة أو مرئية، أو إتاحتها. | Publication | Disseminating any personal data through a readable, audible, or visual medium, or making it available.
البيانات الحساسة | كل بيان شخصي يتعلق بأصل الفرد العرقي أو أصله الإثني، أو معتقده الديني أو الفكري أو السياسي، وكذلك البيانات الأمنية والجنائية، أو بيانات السمات الحيوية التي تحدد الهوية، أو البيانات الوراثية، أو البيانات الصحية، والبيانات التي تدل على أن الفرد مجهول الأبوين أو أحدهما. | Sensitive Data | Any personal data relating to an individual's racial or ethnic origin, or religious, intellectual, or political beliefs, as well as security and criminal data, biometric data that identifies the individual, genetic data, health data, and data indicating that one or both of the individual's parents are unknown.
البيانات الوراثية | كل بيان شخصي يتعلق بالخصائص الوراثية أو المكتسبة لشخص طبيعي، يحدد بشكل فريد السمات الفيسيولوجية أو الصحية لذلك الشخص، ويستخلص من تحليل عينة بيولوجية للشخص كتحليل الأحماض النووية أو تحليل أي عينة أخرى تؤدي إلى استخلاص بيانات وراثية. | Genetic Data | Any personal data relating to the inherited or acquired characteristics of a natural person that uniquely identifies that person's physiological or health traits, derived from the analysis of a biological sample, such as DNA analysis or the analysis of any other sample that yields genetic data.
البيانات الصحية | كل بيان شخصي يتعلق بحالة الفرد الصحية، سواء الجسدية أو العقلية أو النفسية أو المتعلقة بالخدمات الصحية الخاصة به. | Health Data | Any personal data relating to an individual's health status, whether physical, mental, or psychological, or relating to their healthcare services.
الخدمات الصحية | الخدمات المتعلقة بصحة الفرد، ومن ذلك الخدمات الوقائية والعلاجية والتأهيلية والتنويم وتوفير الدواء. | Health Services | Services relating to an individual's health, including preventive, therapeutic, rehabilitative, and inpatient services and the provision of medication.
البيانات الائتمانية | كل بيان شخصي يتعلق بطلب الفرد الحصول على تمويل، أو حصوله عليه، سواء لغرض شخصي أو عائلي، من جهة تمارس التمويل، بما في ذلك أي بيان يتعلق بقدرته على الحصول على ائتمان أو بقدرته على الوفاء به أو بتاريخه الائتماني. | Credit Data | Any personal data relating to an individual's application for, or receipt of, financing, whether for personal or family purposes, from an entity engaged in financing, including any data on their ability to obtain credit, their ability to repay it, or their credit history.
صاحب البيانات الشخصية | الفرد الذي تتعلق به البيانات الشخصية. | Data Subject | The individual to whom the personal data pertains.
الجهة العامة | أي وزارة أو مصلحة أو مؤسسة عامة أو هيئة عامة، أو أي جهة عامة مستقلة في المملكة، أو أي من الجهات التابعة لها. | Public Entity | Any ministry, department, public institution, or public authority, any independent public entity in the Kingdom, or any of their affiliated entities.
جهة التحكم | أي جهة عامة، وأي شخصية ذات صفة طبيعية أو اعتبارية خاصة؛ تحدد الغرض من معالجة البيانات الشخصية وكيفية ذلك سواء أباشرت معالجة البيانات بوساطتها أم بوساطة جهة المعالجة. | Controlling Entity | Any public entity, and any natural or private legal person, that determines the purpose and means of processing personal data, whether it carries out the processing itself or through a processing entity.
جهة المعالجة | أي جهة عامة، وأي شخصية ذات صفة طبيعية أو اعتبارية خاصة تعالج البيانات الشخصية لمصلحة جهة التحكم ونيابة عنها. | Processing Entity | Any public entity, and any natural or private legal person, that processes personal data for the benefit of and on behalf of the controlling entity.
اللائحة | اللائحة التنفيذية للنظام | Regulation | The Executive Regulation of the Law.
التسويق المباشر | التواصل مع صاحب البيانات الشخصية بأي وسيلة مادية أو إلكترونية مباشرة بهدف توجيه مادة تسويقية، ويشمل ذلك على سبيل المثال لا الحصر الإعلانات أو العروض الترويجية. | Direct Marketing | Communicating directly with the data subject by any physical or electronic means in order to deliver marketing material, including but not limited to advertisements or promotional offers.
تسرب البيانات الشخصية | أي حادثة تؤدي إلى الإفصاح عن البيانات الشخصية أو تلفها أو الوصول غير المشروع إليها، سواء كان ذلك بقصد أو بغير قصد، وبأي وسيلة كانت سواء آلية أو يدوية. | Personal Data Breach | Any incident that results in the disclosure or destruction of, or unlawful access to, personal data, whether intentional or unintentional and by any means, automated or manual.
المصلحة الحيوية | أي من المصالح الضرورية للحفاظ على حياة صاحب البيانات الشخصية. | Vital Interest | Any interest necessary to preserve the life of the data subject.
المصلحة المشروعة | أي حاجة ضرورية لدى جهة التحكم يتطلب تحقيقها معالجة بيانات شخصية لغرض محدد، على ألا تؤثر على حقوق ومصالح صاحب البيانات الشخصية. | Legitimate Interest | Any necessary need of the controlling entity whose fulfilment requires processing personal data for a specific purpose, provided it does not affect the rights and interests of the data subject.
الترميز | تحويل المعرفات الرئيسية التي تدل على هوية صاحب البيانات الشخصية إلى رموز تجعل من المتعذر تحديد هوية صاحب البيانات الشخصية بشكل مباشر دون استخدام بيانات أو معلومات إضافية، وأن يتم الاحتفاظ بتلك البيانات أو المعلومات الإضافية بشكل منفصل ووضع الضوابط الفنية والإدارية اللازمة لضمان عدم ربطها بصاحب البيانات الشخصية بشكل محدد. | Pseudonymization | Converting the key identifiers that reveal the data subject's identity into codes that make it impossible to identify the data subject directly without additional data or information, with that additional data or information kept separately and the necessary technical and administrative controls put in place to ensure it cannot be linked to a specific data subject.
إخفاء الهوية | إزالة المعرفات المباشرة وغير المباشرة التي تدل على هوية صاحب البيانات الشخصية بشكل نهائي يتعذر معه تحديد هوية صاحب البيانات الشخصية. | Anonymization | Permanently removing the direct and indirect identifiers that reveal the data subject's identity, such that the data subject can no longer be identified.
الموافقة الصريحة | موافقة تمنح بشكل مباشر وصريح من صاحب البيانات الشخصية بأي شكل من الأشكال وتدل على قبوله بمعالجة بياناته الشخصية بحيث لا يمكن تفسيرها بخلاف ذلك، وتكون قابلة للإثبات. | Explicit Consent | Consent given directly and explicitly by the data subject in any form, indicating their acceptance of the processing of their personal data in a way that cannot be interpreted otherwise, and that can be proven.
الحق في العلم | يحق للأفراد إحاطتهم علماً بالمسوغ النظامي لجمع بياناتهم الشخصية والغرض من ذلك. | Right to Know | Individuals have the right to be informed of the legal basis for collecting their personal data and the purpose of that collection.
الحق في الوصول إلى البيانات الشخصية | يحق للأفراد الوصول إلى بياناتهم الشخصية المتوفرة لدى جهة التحكم. | Right to Access Personal Data | Individuals have the right to access their personal data held by the controlling entity.
الحق في طلب الحصول على البيانات الشخصية | يحق للأفراد طلب تقديم نسخة من بياناتهم الشخصية بصيغة مقروءة وواضحة. | Right to Request Personal Data | Individuals have the right to request a copy of their personal data in a readable and clear format.
الحق في طلب تصحيح البيانات الشخصية | يحق للأفراد طلب تصحيح بياناتهم الشخصية إذا كانت غير صحيحة، أو إتمامها إذا كانت ناقصة، أو تحديثها إذا كانت غير محدثة. | Right to Request Correction of Personal Data | Individuals have the right to request that their personal data be corrected if inaccurate, completed if incomplete, or updated if out of date.
الحق في طلب إتلاف البيانات الشخصية | يحق للأفراد طلب إتلاف بياناتهم الشخصية وفقاً لمتطلبات النظام واللوائح التنفيذية للنظام. | Right to Request Destruction of Personal Data | Individuals have the right to request the destruction of their personal data in accordance with the requirements of the Law and its Executive Regulations.
الحق في الرجوع عن الموافقةيحق للأفراد في أي وقت الرجوع عن موافقتهم التي قدموها من قبل عن معالجة بياناتهم الشخصية.Right to Withdraw ConsentIndividuals have the right to withdraw their previously given consent for the processing of their personal data at any time.
Regulation (اللائحة): The Regulation on the Transfer of Personal Data Outside the Kingdom.
Appropriate Safeguards (الضمانات المناسبة): Requirements imposed by the competent authority on controlling entities, including the obligation to comply with the provisions of the System and Regulations when transferring or disclosing personal data to entities outside the Kingdom, in any of the cases exempt from the conditions requiring an adequate level of protection for personal data or the minimum amount of personal data, as applicable; their aim is to ensure a level of protection for personal data outside the Kingdom that is no lower than the level stipulated in the System and Regulations.
Operational Processes (العمليات التشغيلية): A set of procedures relating to the operational processes necessary for the controlling entity's activities, such as human resources, billing, accounting and other workflow-related procedures.
Standard Contractual Clauses (البنود التعاقدية القياسية): Mandatory clauses used when transferring personal data outside the Kingdom that ensure a level of protection for the transferred personal data no lower than the level stipulated in the System and Regulations, in accordance with a standard template issued by the competent authority.
Binding Common Rules (القواعد المشتركة الملزمة): Rules prepared by the controlling entity and applied to every controlling and processing entity that is part of a group of multinational entities, ensuring a level of protection for personal data transferred outside the Kingdom no lower than the level stipulated in the System and Regulations.
Competent Authority (الجهة المختصة): The Saudi Data and Artificial Intelligence Authority (SDAIA).
Data Protection Officer (DPO) (مسؤول حماية البيانات الشخصية): One or more natural persons appointed or designated by the controlling entity to follow up the entity's implementation of the provisions of the System and its executive regulations, to monitor and supervise the procedures in place within the controlling entity, and to receive requests relating to personal data in accordance with the provisions of the System and its executive regulations.
Core Activities (الأنشطة الأساسية): The activities carried out by the controlling entity to achieve its primary objectives.
Promoting a Culture of Sharing (تعزيز ثقافة المشاركة): All government entities must share the primary data they produce, in order to achieve integration among these entities and to adopt the "once-only principle" of obtaining data from its correct sources, thereby reducing duplication, conflicts and multiplicity of sources. If data is requested from a source other than its primary one, the entity asked to share that data must obtain the approval of the primary entity (the data source) before sharing it with the requesting entity.
Legitimacy of Purpose (مشروعية الغرض): Data is shared for legitimate purposes based on a regulatory basis or a justified practical need aimed at achieving the public interest, without harming national interests, the activities of entities, the privacy of individuals, or the safety of the environment; data and entities exempted by royal orders are excluded from this.
Third Principle: Authorized Access (الوصول المصرح به)
Shared Responsibility (المسؤولية المشتركة): All parties involved in data sharing are jointly responsible for decisions on sharing and processing the data in accordance with the specified purposes, and for ensuring that the security controls set out in the data sharing agreement and in the relevant laws, regulations and policies are applied.
Data Security (أمن البيانات): All parties involved in data sharing apply appropriate security controls to protect the data and share it in a secure and trusted environment, in accordance with the relevant laws and regulations and with the directives issued by the National Cybersecurity Authority.
Ethical Use (الاستخدام الأخلاقي): All parties involved in data sharing apply ethical practices throughout the sharing process, to ensure the data is used within a framework of fairness, integrity, honesty and respect, rather than merely complying with information security policies or the relevant regulatory and legislative requirements.
Transparency (الشفافية): Individuals have the right to know information about the activities of public entities, reinforcing the system of integrity, transparency and accountability.
Necessity and Proportionality (الضرورة والتناسب): Any restriction on a request to view or obtain protected information that public entities receive, produce or handle must be justified clearly and explicitly.
The Principle of Disclosure in Public Information (الأصل في المعلومات العامة الإفصاح): Every individual has the right to view public (unprotected) information; the requester need not have a particular status or interest in that information to obtain it, and is not subject to any legal accountability in connection with this right.
The Principle of Data Availability (الأصل في البيانات الإتاحة): This principle ensures that the data of public entities is available to everyone, through disclosure or by enabling access to it or use of it, unless its nature requires non-disclosure or the protection of its privacy or confidentiality.
Open Format and Machine Readability (الصيغة المفتوحة وإمكانية القراءة آلياً): Data is made available in a machine-readable format that allows automated processing, stored in commonly used file formats such as CSV, XLS, JSON or XML.
Data Freshness (حداثة البيانات): The latest version of open data sets is published regularly and made available to everyone as soon as it is available. Data collected by public entities is also published as soon as possible after collection, whenever feasible, with priority given to data whose usefulness declines over time.
Comprehensiveness (الشمولية): Open data sets should be comprehensive and include as much detail as possible, reflecting the recorded data in a manner that does not conflict with the personal data protection policy. Metadata that clarifies and explains the primary data should also be included, along with the explanations or formulas that show how the data was derived or calculated.
Non-Discrimination (عدم التمييز): Data sets must be made available to everyone without discrimination and without any need for registration: anyone should be able to access published open data at any time without having to verify their identity or justify the access.
Free of Charge (دون مقابل مالي): Open data must be made available to everyone free of charge.
Open Data Licensing in the Kingdom (ترخيص البيانات المفتوحة في المملكة): Open data is subject to a license that defines the legal basis for using it, together with the conditions, obligations and restrictions imposed on the user. Using open data constitutes acceptance of the license terms.
Developing the Governance Model and Engaging Everyone (تطوير نموذج الحوكمة وإشراك الجميع): Open data enables everyone to view and share it, enhances the transparency and accountability of public entities, and supports decision-making and service delivery.
Comprehensive Development and Innovation (التنمية الشاملة والابتكار): Entities are expected to play an active role in promoting the reuse of open data and in providing the resources and expertise needed to support it. They should work in concert with stakeholders to empower the next generation of open data innovators and to engage individuals, institutions and the public at large in unlocking the potential of open data.
Rules (القواعد): The rules governing the National Register of Controlling Entities within the Kingdom.
Platform (المنصة): The National Data Governance Platform.
National Register (السجل الوطني): A register of the public and private controlling entities, and the individuals, within the Kingdom that process personal data. Its purpose is to monitor and follow up controlling entities, to help them raise their level of compliance with the provisions of the System and Regulations, and to provide services related to personal data protection.
Representative (الممثل): Any natural person appointed by a public or private controlling entity to complete the registration procedures on the Platform.
Individuals (الأفراد): Any natural person who processes personal data for purposes beyond personal or family use.
Data Breach Notification Service (خدمة إشعار عن حادثة تسرب البيانات): A service that allows controlling entities to notify the competent authority of a personal data breach within no more than 72 hours of becoming aware of the incident, where the incident could harm the personal data or the data subject, or conflict with the data subject's rights or interests, in accordance with Article 24 of the Executive Regulation of the Personal Data Protection System.
Privacy Impact Assessment Service (خدمة تقييم الأثر على الخصوصية): A tool for analysing the impact of processing personal data in the products and services an entity provides. It defines the scope and objectives of the processing, identifies the legal bases, and assesses the risks that may arise from processing the personal data.
Legal Support Service (خدمة الدعم القانوني): Support and guidance to help public entities understand the Personal Data Protection System and its regulations, interpret the stipulated provisions and requirements, and find all relevant guidelines and regulations, contributing to effective implementation and the achievement of the intended goals.
Compliance Assessment Service (خدمة تقييم الالتزام): Periodic assessment of compliance against specific criteria and requirements, to follow up the assessed entities' level of compliance, verify the effectiveness of the measures they have taken to apply the provisions of the laws, regulations and policies, and detect incorrect practices so that they can be remedied and business practices and procedures improved.
Actual Need (الاحتياج الفعلي): Assessing each element of personal data to determine whether it is directly necessary to achieve the purpose for which it is collected and processed.
Purpose (الغرض): The purpose must be directly related to the personal data collected and directly connected to the objectives of the controlling entity; it must not conflict with the provisions of other regulations in force in the Kingdom; and the controlling entity must exercise due diligence in achieving the purpose of the processing without collecting unnecessary personal data.
Methods of Collection (طرق الجمع): The methods and means of collecting personal data must be appropriate to the circumstances of the data subject; direct, clear and secure; and free of any means that could lead to deception, misrepresentation or extortion. They must also not violate or conflict with the provisions of the regulations in force in the Kingdom.
Content (المحتوى): The content must be appropriate and limited to the minimum necessary to achieve the purpose of collecting the personal data, whether collected directly from the data subject or from another source. Once the purpose of collection has been fulfilled, the controlling entity must avoid content that could lead to the specific identification of the data subject.
Destruction (الإتلاف): Destroying personal data that is no longer necessary to achieve the purpose for which it was collected, following secure procedures that ensure the data is permanently removed.
Minimum Amount of Personal Data (الحد الأدنى من البيانات الشخصية): Collecting only the data strictly necessary to achieve the specific, stated purpose of the collection. The data must be relevant, limited in scope and directly related to the controller's purpose, avoiding any unnecessary or excessive data that could reveal the identity of the data subject beyond what is required; no additional data that does not directly serve the specified purpose is collected.
Retention (الاحتفاظ): Retaining only the minimum personal data necessary to achieve the purpose of the processing, and restricting logical and physical access rights to personal data according to the principle of least privilege and actual need.
The Kingdom (المملكة): The Kingdom of Saudi Arabia.
The System (النظام): The Personal Data Protection System issued by Royal Decree No. (M/19) dated 9/2/1443 AH ("the System") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
Regulations (اللوائح): The executive regulations of the System, comprising both the Executive Regulation and the Regulation on the Transfer of Personal Data Outside the Kingdom.
Competent Authority (الجهة المختصة): The Saudi Data and Artificial Intelligence Authority (SDAIA).
Appropriate Safeguards (الضمانات المناسبة): Requirements imposed by the competent authority on controlling entities, including the obligation to comply with the provisions of the System and Regulations when transferring or disclosing personal data to entities outside the Kingdom, in any of the cases exempt from the conditions requiring an adequate level of protection for personal data or the minimum amount of personal data, as applicable; their aim is to ensure a level of protection for personal data outside the Kingdom that is no lower than the level stipulated in the System and Regulations.
Binding Common Rules (القواعد المشتركة الملزمة): Rules prepared by the controlling entity and applied to every controlling and processing entity that is part of a group of multinational entities, ensuring a level of protection for personal data transferred outside the Kingdom no lower than the level stipulated in the System and Regulations.
International Organizations (المنظمات الدولية): A legal entity with members from at least three countries, operating in multiple sovereign states and established through an official legal instrument, such as a treaty or agreement, based on international law. That instrument sets out the organization's aims and objectives, its structures, its decision-making bodies and its jurisdiction (for example, the United Nations, the World Bank, the Arab League and the Arab Monetary Fund). These organizations engage in international activities and must comply with the differing personal data protection regimes across jurisdictions.
Transfer of Personal Data (نقل البيانات الشخصية): The transfer or disclosure of personal data, or the granting of access to it, from the Kingdom of Saudi Arabia to controlling entities, processing entities or other recipients in countries, international organizations or jurisdictions other than the Kingdom of Saudi Arabia, where neither the data exporter nor the data importer is located.
Third-Party Data Transfers / Subsequent Transfers (عمليات نقل بيانات الطرف الثالث / عمليات النقل اللاحقة): The transfer of personal data from a foreign country or international organization to controlling or processing entities in the same host country or in another host country.
Group of Entities (مجموعة الجهات): A group of entities engaged in joint economic activities, such as franchises, joint ventures or professional partnerships, operating under common control, for example through ownership, shared economic interests, financial participation or governance rules.
The System (النظام): The Personal Data Protection System issued by Royal Decree No. (M/19) dated 9/2/1443 AH ("the System") and amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
Regulations (اللوائح): The executive regulations of the System, comprising both the Executive Regulation and the Regulation on the Transfer of Personal Data Outside the Kingdom.
Relevant Authority (الجهة المختصة): The Saudi Data and Artificial Intelligence Authority (SDAIA).
Appropriate Safeguards (الضمانات المناسبة): Requirements imposed by the relevant authority on controllers, including the obligation to comply with the provisions of the laws and regulations when transferring or disclosing personal data to entities outside the Kingdom, in any of the cases exempt from the requirements for an adequate level of protection for personal data or the minimum amount of personal data, as applicable; their aim is to ensure a level of protection for personal data outside the Kingdom at least equivalent to the level established in the laws and regulations.
Standard Contractual Clauses (البنود التعاقدية القياسية): Mandatory clauses used when transferring personal data outside the Kingdom that ensure a level of protection for the transferred personal data at least equivalent to the level established in the laws and regulations, according to a standard template issued by the relevant authority.
International Organizations (المنظمات الدولية): A legal entity with members from at least three countries, operating in multiple sovereign states and established through an official legal instrument, such as a treaty or agreement based on international law. That instrument sets out the organization's goals and objectives, its structures, its decision-making bodies and its jurisdiction (for example, the United Nations, the World Bank, the Arab League and the Arab Monetary Fund). These organizations engage in international activities and must comply with the differing personal data protection regimes across jurisdictions.
Transfer of Personal Data (نقل البيانات الشخصية): The transfer or disclosure of personal data, or the granting of access to it, from the Kingdom of Saudi Arabia to controllers, processors or other recipients in countries, international organizations or jurisdictions other than the Kingdom, where neither the exporting entity nor the importing entity is located in Saudi Arabia.
Third-Party Data Transfers / Subsequent Transfers (عمليات نقل بيانات الطرف الثالث / عمليات النقل اللاحقة): The transfer of personal data from a foreign country or international organization to controllers or processors in the same host country or in another host country.
التعميم (Generalization)استبدال سمات محددة بقيم أكثر عمومية. على سبيل المثال: تجميع الأعمار إلى فئات عمرية (۲۰-۳۰)، (٣٠-٤٠) بدلا من استخدام الأعمار المحددة.GeneralizationReplacing specific attributes with more generalized values. For example, grouping ages into age ranges (20-30), (30-40) instead of using specific ages.
تجميع البيانات (Data Aggregation)جمع البيانات الفردية في نطاق أو مجموعة أو فئة، على سبيل المثال: تحديد سنة الميلاد بدلاً من تاريخ الميلاد الكامل، ويتم التأكد من عدم إمكانية استخدام البيانات المجمعة لاستنتاج معلومات حول أفراد معينين.Data AggregationAggregating individual data into a range, group, or category, such as specifying the year of birth instead of the full birth date, ensuring that the aggregated data cannot be used to infer information about specific individuals.
التشفيرتشفير البيانات الشخصية باستخدام خوارزميات تشفير قوية، ويتم التأكد من تخزين مفاتيح التشفير بشكل آمن ومنفصل عن البيانات المشفرة.EncryptionEncrypting personal data using strong encryption algorithms, ensuring that encryption keys are stored securely and separately from the encrypted data.
الإخفاءتطبيق تقنيات إخفاء البيانات لإخفاء أو حجب عناصر بيانات معينةData MaskingApplying data masking techniques to conceal or obscure specific data elements.
الكتابة على البيانات والمحو الآمن (SE)الكتابة على البيانات وتتمثل في استبدال البيانات الأصلية ببيانات عشوائية لا معنى لها؛ مما يجعل البيانات الأصلية غير قابلة للاسترداد. يعد المحو الآمن تقنية أكثر تقدماً من الكتابة على البيانات، فهو يتضمن إرسال أمر إلى البرنامج المثبت بالجهاز لمحو جميع البيانات بما في ذلك المناطق التي لا يمكن الوصول إليها في العادة.Data Overwriting and Secure Erasure (SE)Data overwriting replaces the original data with random, meaningless data, rendering the original data unrecoverable. Secure erasure is a more advanced technique than data overwriting: it sends a command to the software installed on the device to erase all data, including areas that are normally inaccessible.
إزالة البيانات (بدون إتلاف الأجهزة)وتمثل هذه الطريقة استخدام مزيل التمغنط أو ما يسمى بـ (ديجاوس) لتعطيل المجال المغناطيسي الذي يخزن البيانات؛ مما يجعل البيانات غير قابلة للقراءة بشكل فعال. وتتميز هذه العملية بالكفاءة والسرعة؛ مما يجعلها الخيار المفضل لمحو البيانات المجمعة، كما أنها تبقي الجهاز سليماً لإعادة استخدامه. تعمل تقنية الإزالة (ديجاوس) على الوسائط المغناطيسية فقط، وهي غير مناسبة لمحركات الأقراص ذات الحالة الصلبة (SSD) أو وحدات التخزين القائمة على استخدام الفلاش.Data Removal (Without Destroying the Hardware)This method uses a degausser to disrupt the magnetic field that stores the data, rendering the data effectively unreadable. The process is efficient and fast, which makes it the preferred choice for erasing data in bulk, and it leaves the device intact for reuse. Degaussing works only on magnetic media and is unsuitable for solid-state drives (SSDs) or flash-based storage.
الطحن والتشويهتقطيع الأصول إلى أجزاء صغيرة وتشويهها مادياً؛ مما يجعل الأصول غير قابلة للقراءة بشكل فعال.Shredding and DeformationCutting assets into small pieces and physically deforming them, rendering the assets effectively unreadable.
مدد الاحتفاظ بفئات البيانات الشخصيةالمدة الزمنية المتوقعة للاحتفاظ بالبيانات الشخصية، ومدد الاحتفاظ الخاصة بكل من فئات البيانات الشخصية، ما أمكن ذلك.Retention Periods for Categories of Personal DataThe expected duration for retaining personal data, along with the retention periods specific to each category of personal data, where applicable.
التدابير التنظيمية والإدارية والتقنيةوصف الإجراءات والوسائل التنظيمية والإدارية والتقنية التي تضمن المحافظة على البيانات الشخصية، على سبيل المثال: التشفير وضوابط الوصول والتدريب والتوعية.Organizational, Administrative, and Technical MeasuresA description of the organizational, administrative, and technical measures that ensure the protection of personal data, such as encryption, access controls, training, and awareness programs.
رابط الملفات المجمعة من مصادر مختلفةربط أو جمع مجموعتين أو أكثر من البيانات الشخصية التي تم الحصول عليها من جهات تحكم مختلفة أو المجمعة أو الخاضعة للمعالجة منذ البداية لأغراض مختلفة أو جميع ما سبق.Link to Aggregated Files from Various SourcesLinking or aggregating two or more sets of personal data obtained from different controllers, whether aggregated or processed from the outset for different purposes, or all of the above.

معالجة البيانات الشخصية بشكل آلي
وصف لأي شكل من أشكال المعالجة الآلية للبيانات الشخصية التي تبنى عليها عمليات اتخاذ القرارات.Automated Processing of Personal DataA description of any form of automated processing of personal data that underpins decision-making processes.

معالجة البيانات الشخصية على نطاق واسع
وصف لمعالجة البيانات الشخصية التي تتضمن عدداً كبيراً من أصحاب البيانات الشخصية، وحجم ونوع البيانات الشخصية، بالإضافة إلى النطاق الجغرافي للمعالجة والمجموعات المختلفة من فئات أصحاب البيانات الشخصية.Large-Scale Processing of Personal DataA description of the processing of personal data that involves a large number of data subjects, the volume and type of personal data, the geographical scope of the processing, and the various groups of categories of data subjects.
تقييم الأثر عملية تحليل وتقدير المخاطر المحتملة التي قد تنجم عن معالجة البيانات الشخصية، وخصوصًا تلك التي قد تؤثر على حقوق الأفراد وحريتهم. يشمل ذلك تقييم مدى تأثير المعالجة على الخصوصية، والتأكد من أن هناك تدابير مناسبة لحماية البيانات الشخصية، وضمان الامتثال لأحكام نظام حماية البيانات الشخصية واللوائح التنفيذية ذات الصلة.
Impact AssessmentAn impact assessment is the process of analyzing and evaluating the potential risks that may arise from the processing of personal data, particularly those that may affect the rights and freedoms of individuals. This includes assessing the impact of processing on privacy, ensuring that appropriate measures are in place to protect personal data, and ensuring compliance with the provisions of the Personal Data Protection Law and its relevant executive regulations.
المسوغ النظاميالمسوغ النظامي لجمع ومعالجة البيانات الشخصيةLegal JustificationThe legal basis for collecting and processing personal data.
عديمي الأهليةعديمو الأهلية هم الأفراد الذين لا تتوافر لديهم القدرة القانونية على اتخاذ القرارات المتعلقة بمعالجة بياناتهم الشخصية، مثل القصر أو الأشخاص الذين تم الحكم عليهم بصفة قضائية بعدم الأهلية. يُعتبر هؤلاء الأفراد غير قادرين على إعطاء موافقة صريحة أو اتخاذ قرارات قانونية بشأن بياناتهم الشخصية.
Incompetent PersonsEligibility assessment is the process of determining whether individuals have the legal capacity to make decisions regarding the processing of their personal data. This includes examining whether individuals are legally qualified to give consent for the processing of their data, based on their age or legal status, such as minors or individuals who have been judicially declared incompetent.
المسؤوليةأن يتم تحديد وتوثيق سياسات وإجراءات الخصوصية الخاصة بجهة التحكم واعتمادها من قبل المسؤول الأول بالجهة أو من يفوضه، ونشرها إلى جميع الأطراف المعنية بتطبيقها.Principle of AccountabilityThe privacy policies and procedures of the data controller should be defined and documented, approved by the head of the entity or their delegate, and disseminated to all parties involved in their implementation.
الشفافيةأن يتم إعداد إشعار عن سياسات وإجراءات الخصوصية الخاصة بجهة التحكم يحدد فيه الأغراض التي من أجلها تمت معالجة البيانات الشخصية وذلك بصورة محددة وواضحة وصريحة.Principle of TransparencyA notice regarding the privacy policies and procedures of the data controller should be prepared, specifying the purposes for which personal data is processed in a specific, clear, and explicit manner.
الاختيار والموافقةأن يتم تحديد جميع الخيارات الممكنة لصاحب البيانات الشخصية والحصول على موافقته (الضمنية أو الصريحة) فيما يتعلق بجمع بياناته واستخدامها أو الإفصاح عنها.Choice and ConsentAll possible options for the data subject should be identified, and their consent (implicit or explicit) should be obtained regarding the collection, use, or disclosure of their data.
الحد من جمع البياناتأن يقتصر جمع البيانات الشخصية على الحد الأدنى من البيانات الذي يمكّن من تحقيق الأغراض المحددة في إشعار الخصوصية.Data Collection LimitationThe collection of personal data should be limited to the minimum data necessary to achieve the purposes specified in the privacy notice.
الحد من استخدام البيانات والاحتفاظ بها والتخلص منهاأن يتم تقييد معالجة البيانات الشخصية بالأغراض المحددة في إشعار الخصوصية والتي من أجلها قدم صاحب البيانات موافقته الضمنية أو الصريحة، والاحتفاظ بها طالما كان ذلك ضرورياً لتحقيق الأغراض المحددة أو لما تقتضيه الأنظمة واللوائح والسياسات المعمول بها في المملكة وإتلافها بطريقة آمنة تمنع التسرب، أو الفقدان، أو الاختلاس، أو إساءة الاستخدام، أو الوصول غير المصرح به نظاماً.Limitation of Data Use, Retention, and DisposalThe processing of personal data should be restricted to the purposes specified in the privacy notice for which the data subject has provided implicit or explicit consent. Data should be retained as long as necessary to achieve the specified purposes or as required by applicable laws, regulations, and policies in the Kingdom, and disposed of securely to prevent leakage, loss, theft, misuse, or unauthorized access.
الوصول إلى البيانات أن يتم تحديد وتوفير الوسائل التي عن طريقها يمكن لصاحب البيانات الوصول إلى بياناته الشخصية لمراجعتها، وتحديثها، وتصحيحها.Data AccessMeans should be identified and provided through which the data subject can access their personal data in order to review, update, and correct it.
الحد من الإفصاح عن البياناتأن يتم تقييد الإفصاح عن البيانات الشخصية للأطراف الخارجية بالأغراض المحددة في إشعار الخصوصية والتي من أجلها قدم صاحب البيانات موافقته الضمنية أو الصريحة.Data Disclosure LimitationDisclosure of personal data to external parties should be restricted to the purposes specified in the privacy notice for which the data subject has provided implicit or explicit consent.
أمن البياناتأن تتم حماية البيانات الشخصية من التسرب، أو التلف، أو الفقدان، أو الاختلاس، أو إساءة الاستخدام، أو التعديل، أو الوصول غير المصرح به - وفقاً لما يصدر من الهيئة الوطنية للأمن السيبراني والجهات ذات الاختصاص.Data SecurityPersonal data must be protected from leakage, damage, loss, theft, misuse, modification, or unauthorized access, in accordance with what is issued by the National Cybersecurity Authority and the relevant competent authorities.
المراقبة والامتثالأن تتم مراقبة الامتثال لسياسات وإجراءات الخصوصية الخاصة بجهة التحكم، ومعالجة الاستفسارات والشكاوى والنزاعات المتعلقة بالخصوصية.Monitoring and ComplianceCompliance with the privacy policies and procedures of the data controller should be monitored, and inquiries, complaints, and disputes related to privacy should be handled.
البيانات الشخصيةكل بيان - مهما كان مصدره أو شكله - من شأنه أن يؤدي إلى معرفة الفرد على وجه التحديد، أو يجعله قابلاً للتعرف عليه بصفة مباشرة أو غير مباشرة عند دمجه مع بيانات أخرى، ويشمل ذلك - على سبيل المثال لا الحصر - الاسم، وأرقام الهويات الشخصية، والعناوين وأرقام التواصل، وأرقام الحسابات البنكية والبطاقات الائتمانية، وصور المستخدم الثابتة أو المتحركة، وغير ذلك من البيانات ذات الطابع الشخصي.Personal dataAny data - whatever its source or form - that would lead to the specific identification of an individual, or make the individual directly or indirectly identifiable when combined with other data, including but not limited to: name, personal identification numbers, addresses and contact numbers, bank account and credit card numbers, still or moving images of the individual, and other data of a personal nature.
التحققالتأكد من هوية أي مستخدم أو عملية أو جهاز بصفته متطلباً أساسياً للسماح بالوصول إلى الموارد التقنية.VerificationEnsuring the identity of any user, process, or device as a fundamental requirement for granting access to technical resources.
التصريحتعريف حقوق وصلاحيات الوصول إلى البيانات والموارد التقنية لأي مستخدم أو برنامج أو عملية، والتحكم بمستويات الوصول إليها.AuthorizationDefining the rights and permissions for accessing data and technical resources for any user, program, or process, and controlling the levels of access to them.
توافر البياناتضمان إمكانية الوصول المناسب والموثوق إلى البيانات واستخدامها عند الحاجة.Data AvailabilityEnsuring appropriate and reliable access to and use of data when needed.
البياناتمجموعة من الحقائق في صورتها الأولية أو في صورة غير منظمة مثل الأرقام أو الحروف أو الصور الثابتة أو الفيديو أو التسجيلات الصوتية أو الرموز التعبيرية.DataA collection of facts in their raw form or unstructured form, such as numbers, letters, still images, video, audio recordings, or emojis.
سرية البياناتالحفاظ على القيود المصرح بها للوصول إلى البيانات أو الإفصاح عنها.Data ConfidentialityMaintaining authorized restrictions on access to or disclosure of data.
الوصول إلى البياناتالقدرة على الوصول المنطقي والمادي إلى البيانات والموارد التقنية للجهة لغرض استخدامها.Data AccessThe ability to have logical and physical access to the data and technical resources of the entity for the purpose of utilization.
سلامة البياناتحماية البيانات من أي تعديل أو إتلاف غير مصرح به نظاميا Data IntegrityProtecting data from any unauthorized modification or corruption.
مستوى الوصول إلى البياناتمستوى يعتمد على الأذونات والصلاحيات التي تقيد الوصول إلى البيانات والموارد التقنية على الأشخاص المصرح لهم وفقاً لما هو مطلوب لإنجاز المهام والمسؤوليات المناطة بهم.Data Access LevelA level based on permissions and authorities that restrict access to data and technical resources to authorized persons according to what is required to perform their assigned tasks and responsibilities.
البيانات المحميةالبيانات المصنفة على أنها (سري للغاية، سري، مقيد).Protected DataData classified as (Highly Confidential, Confidential, Restricted).
المعلومات العامةالبيانات بعد المعالجة - غير المحمية - التي تتلقاها أو تنتجها أو تتعامل معها الجهات العامة مهما كان مصدرها، أو شكلها أو طبيعتها.Public InformationData after processing - unprotected - received, produced, or handled by public entities regardless of its source, form, or nature.
البيانات المفتوحةمجموعة محددة من المعلومات العامة - مقروءة آلياً - تكون متاحة للعموم مجاناً ودون قيود ويمكن لأي فرد أو جهة عامة أو خاصة استخدامها أو مشاركتها.Open DataA specific set of public information - machine-readable - that is available to the public for free and without restrictions, which any individual or public or private entity can use or share.
البيانات الحساسةالبيانات التي يؤدي فقدانها أو إساءة استخدامها أو الوصول غير المصرح به إليها أو تعديلها إلى ضرر جسيم أو تأثير سلبي على المصالح الوطنية أو أنشطة الجهات الحكومية أو خصوصية الأفراد وحماية حقوقهم Sensitive DataData whose loss, misuse, unauthorized access, or modification could cause significant harm or negative impact on national interests, governmental activities, or the privacy and protection of individuals' rights.
مستويات تصنيف البياناتمستويات التصنيف التالية: (سري للغاية) ،(سري)، (مقيّد)، (عام).Data Classification LevelsThe following classification levels: (Highly Confidential), (Confidential), (Restricted), (Public).
الفردالشخص المتقدم بطلب الاطلاع أو الحصول على المعلومات العامةIndividualThe person requesting access to or obtaining public information.
الحصول على المعلومات العامةجميع العمليات التي تجرى على البيانات الشخصية بأي وسيلة كانت يدوية أو آلية. وتشمل هذه العمليات على سبيل المثال لا الحصر - جمع البيانات ونقلها وحفظها وتخزينها ومشاركتها وإتلافها وتحليلها واستخراج أنماطها والاستنتاج منها وربطها مع بيانات أخرى.Accessing Public InformationAll processes carried out on personal data by any means, whether manual or automated. These processes include, but are not limited to, data collection, transfer, preservation, storage, sharing, destruction, analysis, pattern extraction, inference, and linking with other data.
الإفصاح عن البيانات الشخصيةتمكين أي شخص - عدا جهة التحكم - من الحصول على البيانات الشخصية أو استعمالها أو الاطلاع عليها بأي وسيلة ولأي غرض.Disclosure of Personal DataEnabling any person - other than the data controller - to obtain, use, or view personal data by any means and for any purpose.
تسريب البيانات الشخصيةالإفصاح عن البيانات الشخصية، أو الحصول عليها، أو تمكين الوصول إليها دون تصريح أو سند نظامي، سواء بقصد أو بغير قصد.Leakage of Personal DataThe disclosure of personal data, or obtaining it, or enabling access to it without authorization or legal basis, whether intentionally or unintentionally.
الموافقة الضمنيةهي موافقة لا يتم منحها صراحة من قبل صاحب البيانات، ولكنها تمنح ضمنياً عن طريق أفعال الشخص ووقائع وظروف الموقف، كتوقيع العقود أو الموافقة على الشروط والأحكام.Implied ConsentConsent that is not explicitly granted by the data subject but is implied through the person's actions and the facts and circumstances of the situation, such as signing contracts or agreeing to terms and conditions.
الأطراف الخارجيةأي جهة حكومية أو جهة اعتبارية عامة مستقلة في المملكة، وأي شخصية ذات صفة طبيعية أو اعتبارية خاصة بخلاف صاحب البيانات أو جهة التحكم أو جهة المعالجة والأشخاص المصرح لهم، تعنى بمعالجة البيانات الشخصية.Third PartiesAny government entity or independent public legal entity in the Kingdom, and any natural or legal person other than the data subject, data controller, or data processor, and authorized persons involved in processing personal data.
ممثل بيانات أعمالهو الشخص المسؤول عن البيانات التي يتم جمعها والاحتفاظ بها من قبل الجهة العامة التي يعمل بها، وغالباً ما يكون في مستوى إداري عالي، ويمكن أن يوجد في الجهة العامة أكثر من ممثل بيانات أعمال.Business Data RepresentativeThe person responsible for the data collected and retained by the public entity they work for, often at a high managerial level, and there may be more than one business data representative in the public entity.
مستخدم البياناتأي شخص يمنح صلاحية الوصول إلى البيانات بغرض الاطلاع عليها أو استخدامها أو تحديثها وفقاً للمهام المصرح بها من قبل ممثل بيانات الأعمال.Data UserAny person granted access to data for the purpose of viewing, using, or updating it according to the tasks authorized by the business data representative.
البيانات الوصفيةهي المعلومات التي تصف البيانات وخصائصها، ومن بينها بيانات الأعمال والبيانات التقنية والتشغيلية.MetadataInformation that describes data and its characteristics, including business data, technical data, and operational data.
البيانات المقروءة آلياًيقصد بها البيانات المهيكلة بصيغة معينة يمكن قراءتها ومعالجتها آلياً باستخدام أجهزة الحاسب الآلي أو الأجهزة اللوحية وغيرها من الأجهزة.Machine-readable dataData structured in a specific format that can be read and processed automatically by computers, tablets, and other devices.
المنصة الوطنية للبيانات المفتوحةهي منصة وطنية موحدة على مستوى المملكة تعنى بإدارة وحفظ ونشر مجموعات البيانات المفتوحة.National Open Data PlatformIt is a unified national platform at the level of the Kingdom concerned with managing, preserving and publishing open data sets.
ترخيص البيانات المفتوحةرخصة تنظم استخدام البيانات المفتوحة.Open Data LicensingA license that regulates the use of open data.
الصيغة المفتوحةأي صيغة مقبولة على نطاق واسع وغير مسجلة الملكية وغير خاصة بمنصة معينة ويمكن قراءتها آلياً وتمكّن المعالجة الآلية لتلك البيانات، كما تيسّر قدرات التحليل والبحث.Open FormatAny widely accepted, non-proprietary, platform-independent, machine-readable format that enables automated processing of the data and facilitates analysis and research.
ISO 8000معيار دولي يركز على جودة البيانات، ويحدد متطلبات التوثيق وإدارة البيانات الدقيقة، ويشمل تحسين صحتها، وموثوقيتها، واكتمالها، وملاءمتها للاستخدام. (ISO 8000)International standard focusing on data quality, defining requirements for documentation and accurate data management, including improving its accuracy, reliability, completeness, and usability.
سياسة جودة البيانات
وثيقة تحدد المبادئ والإجراءات لضمان جودة البيانات المنتجة والمستخدمة في المنظمة.Data Quality PolicyA document that outlines principles and procedures to ensure the quality of data produced and used in the organization.
خطة إدارة البيانات
وثيقة تحدد بيئة مرنة وآمنة لإدارة البيانات وضمان سهولة الوصول إليها ودقتها عبر جميع الأنظمة.Data Management PlanA document that defines a flexible and secure environment for data management, ensuring easy access and accuracy across all systems.
خطة تحسين الجودة
وثيقة تحدد طرق التحسين المستمر لجودة البيانات وضمان دقتها وموثوقيتها.Quality Improvement PlanA document that specifies continuous improvement methods for data quality, ensuring its accuracy and reliability.
دليل مراقبة جودة البيانات
وثيقة تضع آليات مراقبة جودة البيانات للتأكد من دقتها واكتمالها واتساقها بمرور الوقت.Data Quality Monitoring GuideA document that establishes mechanisms for monitoring data quality to ensure its accuracy, completeness, and consistency over time.
تقرير تحليل الوضع الراهن للبيانات
تقرير لتحليل جودة البيانات الحالية وتحديد الفجوات والمشكلات بناء على معيار ISO 8000.Current Data Quality Analysis ReportA report analyzing the current data quality and identifying gaps and issues based on the ISO 8000 standard.
وثيقة توحيد البيانات
وثيقة توضح معايير تنسيق وتوحيد البيانات لضمان الاتساق وتقليل الأخطاء.Data Standardization DocumentA document that outlines standards for formatting and unifying data to ensure consistency and reduce errors.
تقرير مراجعة جودة البيانات
تقرير يقيّم مدى التزام البيانات بمعايير الجودة، ويقترح التوصيات لسد الفجوات.Data Quality Review ReportA report that assesses the compliance of data with quality standards and suggests recommendations to close gaps.
تقرير الأداء
وثيقة تقيس الأداء في معالجة البيانات وتخزينها، باستخدام مؤشرات مثل الدقة، الوقت، التحديث، الأخطاء.Performance ReportA document that measures performance in data processing and storage, using metrics such as accuracy, timing, updates, and errors.
دقة البياناتالتأكد من أن البيانات صحيحة وتعكس الواقع الفعلي.Data AccuracyEnsuring that the data is correct and reflects the actual reality.
اكتمال البياناتالتأكد من أن جميع الحقول الضرورية في البيانات موجودة ومملوءة.Data CompletenessEnsuring that all necessary fields in the data are present and filled.
التوقيت المناسبالتأكد من توفر البيانات عند الحاجة لها وفي الوقت المناسب.TimelinessEnsuring data is available when needed and at the right time.
اتساق البياناتالتأكد من أن البيانات متطابقة ومتناسقة في كل الأنظمة المختلفة. Data ConsistencyEnsuring that the data is consistent and congruent across different systems.
موثوقية البياناتالتأكد من أن البيانات يمكن الاعتماد عليها لاتخاذ قرارات دقيقة.Data ReliabilityEnsuring that the data can be relied upon for making accurate decisions.
ملاءمة البياناتالتأكد من أن البيانات مفيدة للغرض الذي جُمعت من أجله.Data RelevanceEnsuring that the data is useful for the purpose for which it was collected.
التحقق من البياناتمقارنة البيانات بمعايير أو مصادر موثوقة للتحقق من صحتها.Data ValidationComparing data against standards or reliable sources to verify its accuracy.
التحكم في الوصولالتقييد الانتقائي للوصول إلى مكان أو مورد آخر. فعل تحديد الوصول إلى موارد المعلومات فقط للمستخدمين، البرامج، العمليات، أو الأنظمة المخولة.Access controlThe selective restriction of access to a place or other resource. The act of limiting access to information resources only to authorized users, programs, processes, or other systems.
الدقةالدرجة التي تصف بها البيانات بشكل صحيح الكائن أو الحدث في العالم الحقيقي.AccuracyThe degree to which data correctly describes the real-world object or event being described.
ACIDاختصار لـ Atomicity، Consistency، Isolation، و Durability. مجموعة من الخصائص التي تضمن معالجة معاملات قواعد البيانات بشكل موثوق.ACIDAn acronym for Atomicity, Consistency, Isolation, and Durability. A set of properties that guarantee database transactions are processed reliably.
بيانات العنوانبيانات تصف موقع شخص أو منظمة أو مكان.Address dataData describing the location of a person, organization, or place.
البيانات المجمعةبيانات يتم جمعها والتعبير عنها في شكل ملخص، لأغراض التحليل الإحصائي.Aggregate dataData that is collected and expressed in summary form, for statistical analysis purposes.
الشذوذانحراف أو خروج عن النظام أو الشكل أو القاعدة العادية أو الشائعة.AnomalyA deviation or departure from the normal or common order, form, or rule.
واجهة برمجة التطبيقات (API)مجموعة من الوظائف والإجراءات التي تسمح بإنشاء التطبيقات التي تصل إلى ميزات أو بيانات نظام تشغيل أو تطبيق أو خدمة أخرى.API (Application Programming Interface)A set of functions and procedures that allow the creation of applications that access the features or data of an operating system, application, or other service.
الأرشفةعملية نقل البيانات التي لم تعد مستخدمة بنشاط إلى جهاز تخزين منفصل للاحتفاظ بها على المدى الطويل.ArchivingThe process of moving data that is no longer actively used to a separate storage device for long-term retention.
الأصولأي شيء له قيمة للمنظمة. في سياق البيانات، الأصول المعلوماتية هي البيانات والأنظمة والعمليات التجارية التي تستخدمها.AssetAnything that has value to the organization. In the context of data, information assets are data and the systems and business processes that use them.
سجل التدقيقسجل يظهر من قام بالوصول إلى نظام كمبيوتر وما العمليات التي قام بها المستخدم خلال فترة زمنية معينة.Audit trailA record showing who has accessed a computer system and what operations the user has performed during a given period of time.
المصادقةعملية التحقق من هوية المستخدم أو العملية أو الجهاز، غالبًا كشرط مسبق للسماح بالوصول إلى الموارد في نظام المعلومات.AuthenticationThe process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
التفويضعملية منح مستخدم أو برنامج أو عملية الوصول إلى كائن أو مجموعة من الكائنات.AuthorizationThe process of granting a user, program, or process access to an object or a set of objects.
التوفرضمان الوصول إلى المعلومات واستخدامها بشكل موثوق وفي الوقت المناسب.AvailabilityEnsuring timely and reliable access to and use of information.
النسخ الاحتياطينسخة من البيانات يتم إنشاؤها في حالة فقد البيانات الأصلية أو تلفها.BackupA copy of data that is made in case the original data is lost or damaged.
البيانات الضخمةمجموعات بيانات كبيرة جدًا يمكن تحليلها حسابيًا لكشف الأنماط والاتجاهات والارتباطات، خاصة فيما يتعلق بالسلوك والتفاعلات البشرية.Big DataExtremely large datasets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.
سلسلة الكتلدفتر أستاذ رقمي يتم فيه تسجيل المعاملات التي تتم باستخدام البيتكوين أو أي عملة مشفرة أخرى بشكل زمني وعلني.BlockchainA digital ledger in which transactions made in Bitcoin or another cryptocurrency are recorded chronologically and publicly.
القاموس التجاريمجموعة من المصطلحات التجارية وتعريفاتها، تُستخدم لضمان فهم مشترك عبر المنظمة.Business glossaryA collection of business terms and their definitions, used to ensure a common understanding across the organization.
ذكاء الأعمال (BI)التطبيقات والبنية التحتية والأدوات وأفضل الممارسات التي تمكّن من الوصول إلى المعلومات وتحليلها لتحسين الأداء واتخاذ القرارات.Business Intelligence (BI)Applications, infrastructure, tools, and best practices that enable access to and analysis of information in order to improve decisions and performance.
بيانات التعريف التجاريةبيانات التعريف التي توفر سياقًا حول البيانات لمستخدمي الأعمال، مثل تعريفات البيانات والقواعد والعلاقات.Business MetadataMetadata that provides context about data for business users, such as data definitions, rules, and relationships.
الكارديناليةمقياس "عدد" العلاقات. في نمذجة البيانات، تحدد عدد الوقائع في كيان واحد المرتبطة بعدد الوقائع في كيان آخر.CardinalityA measure of the "number of" relationships. In data modeling, it specifies the number of occurrences in one entity that are associated with the number of occurrences in another.
الحوسبة السحابيةنموذج يتيح الوصول الشبكي المريح والعالمي إلى مجموعة مشتركة من موارد الحوسبة القابلة للتكوين عند الطلب.Cloud computingA model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
CRUDاختصار يشير إلى العمليات الأساسية الأربعة للتخزين المستدام: إنشاء، قراءة، تحديث، وحذف.CRUDAn acronym that refers to the four basic operations of persistent storage: Create, Read, Update, and Delete.
البياناتالحقائق الممثلة كنصوص، أرقام، رسومات، صور، صوت، أو فيديو. يمكن أن تكون البيانات منظمة أو غير منظمة.DataFacts represented as text, numbers, graphics, images, sound, or video. Data can be structured or unstructured.
مسؤول البياناتشخص مسؤول عن إدارة استخدام البيانات عبر المنظمة، بما في ذلك وضع السياسات وتطبيق المعايير.Data administratorA person responsible for managing the use of data across an organization, including policy setting and enforcing standards.
هندسة البياناتهيكل أصول البيانات المنطقية والمادية للمؤسسة وموارد إدارة البيانات.Data architectureThe structure of an organization's logical and physical data assets and data management resources.
تنظيف البياناتعملية الكشف عن وتصحيح (أو إزالة) السجلات الفاسدة أو غير الدقيقة من مجموعة بيانات.Data cleansingThe process of detecting and correcting (or removing) corrupt or inaccurate records from a dataset.
مستهلك البياناتشخص أو نظام يصل إلى البيانات ويستخدمها.Data consumerA person or system that accesses and uses data.
وصي البياناتدور مسؤول عن الحفظ الآمن والنقل والتخزين للبيانات وتنفيذ القواعد التجارية.Data custodianA role responsible for the safe custody, transport, storage of the data, and implementation of business rules.
حوكمة البياناتممارسة السلطة والسيطرة (التخطيط، المراقبة، والتنفيذ) على إدارة أصول البيانات.Data governanceThe exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets.
تكامل البياناتمجموعة من العمليات الفنية والتجارية المستخدمة لدمج البيانات من مصادر مختلفة.Data integrationThe combination of technical and business processes used to combine data from
إدارة جودة البياناتعملية ضمان أن البيانات تلبي المعايير والمتطلبات الخاصة بالدقة، الاكتمال، الاتساق، والسرعة.Data Quality ManagementThe process of ensuring that data meets the standards and requirements for accuracy, completeness, consistency, and timeliness.
Data lakeA storage repository that holds a vast amount of raw data in its native format until it is needed.
مصدر البياناتنقطة منشأ البيانات، والتي يمكن أن تكون نظامًا أو شخصًا أو عملية تقوم بإنشاء البيانات.Data SourceThe point of origin of data, which may be a system, a person, or a process that creates the data.
Data lineageThe data’s origin, what happens to it, and where it moves over time.
معيار البياناتاتفاق موثق حول كيفية تمثيل البيانات، وتنسيقها، واستخدامها عبر الأنظمة والعمليات.Data StandardA documented agreement on how data is represented, formatted, and used across systems and processes.
Data ManagementThe development, execution, and supervision of plans, policies, programs, and practices that control, protect, deliver, and enhance the value of data and information assets.
برنامج وصاية البياناتمبادرة منظمة لضمان تنفيذ ممارسات الحوكمة والجودة والسلامة للبيانات في جميع أنحاء المنظمة.Data Stewardship ProgramAn organized initiative to ensure that data governance, quality, and integrity practices are implemented throughout the organization.
Data Management Body of Knowledge (DMBOK)The guidebook produced by DAMA International that describes the disciplines, principles, and practices of data management.
هندسة مستودع البياناتتصميم وهيكل مستودع البيانات، بما في ذلك العمليات الخاصة باستخراج البيانات وتحويلها وتحميلها واستعلامها.Data Warehouse ArchitectureThe design and structure of a data warehouse, including the processes for extracting, transforming, loading, and querying data.
Data martA subject-oriented database that is often a subset of a data warehouse.
نظام دعم القرار (DSS)نظام تستخدمه الإدارة لتحليل البيانات التجارية ودعم اتخاذ القرارات.Decision Support System (DSS)A system used by management to analyze business data and support decision-making.
Data miningThe process of discovering patterns and knowledge from large amounts of data.
البعدهيكل يحدد فئات الحقائق والقياسات لتمكين المستخدمين من الإجابة على الأسئلة التجارية.DimensionA structure that categorizes facts and measures so that users can answer business questions.
Data modelA description of the organization of data in a manner that reflects the information needs of an enterprise.
النموذج البعدينوع من نماذج البيانات مُحسن للاستعلام والتقارير، يستخدم عادة في مستودعات البيانات.Dimensional ModelA type of data model optimized for querying and reporting, commonly used in data warehouses.
Data modelingThe act of exploring data-oriented structures.
التحول الرقميتكامل التكنولوجيا الرقمية في جميع مجالات الأعمال لتغيير كيفية عملها وتقديم القيمة.Digital TransformationThe integration of digital technology into all areas of a business, changing how it operates and delivers value.
Data ownerThe person accountable for data’s accuracy, integrity, and timeliness.
قاعدة البيانات الموزعةقاعدة بيانات مخزنة عبر مواقع متعددة، إما على خوادم مختلفة أو في مناطق جغرافية مختلفة.Distributed DatabaseA database stored across multiple locations, either on different servers or in different geographic regions.
Data privacyThe protection of personal data from unauthorized access.
إطار الحوكمةهيكل يحدد القواعد والسياسات والإجراءات التي توجه إدارة البيانات.Governance FrameworkA structure that defines the rules, policies, and procedures that guide data management.
Data profilingThe process of examining the data available in an existing data source and collecting statistics and information about that data.
النموذج الهيكلينموذج بيانات يتم فيه تنظيم البيانات في هيكل شجري حيث يكون لكل سجل والد واحد وعديد من الأبناء.Hierarchical ModelA data model in which data is organized in a tree structure, where each record has one parent and many children.
Data qualityThe degree to which data is accurate, complete, timely, and consistent with all requirements and business rules.
التسلسل الهرميتمثيل لمجموعة من العلاقات حيث يتم تقسيم البيانات على مستويات أعلى إلى مستويات فرعية.HierarchyA representation of a set of relationships in which data at higher levels is divided into sub-levels.
Data repositoryA collection of databases or a place where databases are stored.
نموذج بيانات الصناعةنموذج بيانات موحد خاص بصناعة معينة يحدد الهياكل والعلاقات الأساسية للبيانات.Industry Data ModelA standardized data model specific to a particular industry that defines the core data structures and relationships.
Data stewardA person responsible for ensuring the quality and fitness of the organization's data assets.
حوكمة المعلوماتإدارة المعلومات بطريقة تضمن دقتها وأمانها وسهولة الوصول إليها واستخدامها بشكل مناسب.Information GovernanceManaging information in a way that ensures its accuracy, security, accessibility, and appropriate use.
Data warehouseA subject-oriented, integrated, time-variant, non-volatile collection of data that supports decision-making processes.
إدارة المعلوماتعملية إدارة المعلومات لضمان جودتها وسهولة الوصول إليها وقابليتها للاستخدام عبر المنظمة.Information ManagementThe process of managing information to ensure its quality, accessibility, and usability across the organization.
DeduplicationThe process of identifying and eliminating redundant data.
مستودع بيانات التعريفنظام تخزين مركزي يحتوي على بيانات التعريف، والتي تُستخدم لوصف هيكل وأصل واستخدام البيانات.Metadata RepositoryA central storage system that holds metadata, which is used to describe the structure, origin, and usage of data.
ETL (Extract, Transform, Load)A data integration process that involves extracting data from various sources, transforming it for analysis, and loading it into a data warehouse.
إدارة بيانات التعريفعملية إدارة بيانات التعريف لضمان فهم البيانات وتصنيفها وسهولة الوصول إليها من قبل المستخدمين.Metadata ManagementThe process of managing metadata to ensure that data is understood, classified, and easily accessible to users.
Data Governance CouncilA group of individuals responsible for establishing and overseeing the data governance framework.
معايير بيانات التعريفإرشادات متفق عليها بشأن هيكل وتنسيق واستخدام بيانات التعريف داخل المنظمة.Metadata StandardsAgreed guidelines on the structure, format, and use of metadata within the organization.
Data Governance FrameworkA structure that defines the rules, roles, processes, and standards that ensure the effective management of data.
مستودع البيانات التشغيلية (ODS)قاعدة بيانات تجمع البيانات التشغيلية من مصادر متعددة لأغراض التقارير والتحليل.Operational Data Store (ODS)A database that collects operational data from multiple sources for reporting and analysis purposes.
Data Quality FrameworkA structure that outlines the methodologies and standards for measuring and improving data quality.
الكفاءة التشغيليةقدرة المنظمة على تقديم المنتجات أو الخدمات بأقل تكلفة مع الحفاظ على الجودة.Data SecurityMeasures and controls implemented to protect data from unauthorized access, modification, or destruction.
التحليلات التنبؤيةاستخدام الخوارزميات الإحصائية وتقنيات التعلم الآلي لتحديد احتمالية النتائج المستقبلية بناءً على البيانات التاريخية.Data StewardshipThe role of managing data assets to ensure they are accurate, accessible, and protected.
الخصوصية عند التصميمنهج يدمج حماية الخصوصية في تصميم الأنظمة والعمليات والمنتجات.Data TransformationThe process of converting data from one format or structure into another, often to enable analysis.
الاستعلامطلب بيانات من قاعدة بيانات، غالبًا ما يتم صياغته باستخدام لغة استعلام مثل SQL.DatabaseAn organized collection of structured information or data, typically stored electronically in a computer system.
مراقبة الجودةعملية مراقبة والتحكم في جودة البيانات لضمان تلبيتها للمعايير والمتطلبات المحددة.Data DefinitionThe specification of the meaning, format, and constraints of data elements.
بيانات مرجعيةبيانات تُستخدم لتصنيف بيانات أخرى أو لتوفير سياق، مثل الرموز أو الأوصاف.Data LifecycleThe stages that data goes through from creation to eventual disposal.
النموذج العلاقينموذج بيانات يعتمد على نظرية الجبر العلاقي، حيث يتم تنظيم البيانات في جداول أو علاقات.Data IntegrationThe process of combining data from different sources into a unified view.
التقاريرعملية إنشاء وتقديم البيانات في تنسيق منظم لأغراض التحليل واتخاذ القرار.Data Modeling ToolsSoftware tools used for creating, managing, and maintaining data models.
إدارة المخاطرعملية تحديد وتقييم وتخفيف المخاطر التي قد تؤثر على بيانات المنظمة وعمليات الأعمال.Data OwnershipThe rights, responsibilities, and accountability for managing and protecting data.
التحكم في الوصول القائم على الدور (RBAC)طريقة لتقييد الوصول إلى البيانات بناءً على أدوار المستخدمين الفرديين داخل المنظمة.Data Profiling ToolsTools used to analyze data quality and identify issues such as duplicates or missing values.
البيانات شبه المهيكلةبيانات لا تت conform لنموذج قاعدة بيانات علائقية تقليدية ولكن لا تزال تحتوي على بعض الهيكل التنظيمي، مثل ملفات JSON أو XML.Data Quality ManagementThe process of ensuring that data meets the standards and requirements for accuracy, completeness, consistency, and timeliness.
SQL (لغة الاستعلام الهيكلية)لغة برمجة قياسية تُستخدم لإدارة والتلاعب بقواعد البيانات العلائقية.Data SourceThe origin point of data, which could be a system, person, or process that generates the data.
الوصايةالإدارة المسؤولة والإشراف على البيانات لضمان جودتها ودقتها وتوفرها.Data StandardA documented agreement on how data should be represented, formatted, and used across systems and processes.
البيانات المهيكلةبيانات منظمة بطريقة محددة، غالبًا في صفوف وأعمدة، مما يجعل من السهل تخزينها واستعلامها.Data Stewardship ProgramA structured initiative to ensure that data governance, quality, and integrity practices are implemented throughout the organization.
دورة حياة تطوير النظام (SDLC)عملية تُستخدم لتطوير أنظمة المعلومات بطريقة منظمة، من التخطيط حتى النشر.Data Warehouse ArchitectureThe design and structure of a data warehouse, including the processes for data extraction, transformation, loading, and querying.
التصنيفنظام تصنيف يُستخدم لتصنيف وتنظيم البيانات أو المفاهيم.Decision Support System (DSS)A system used by management to analyze business data and support decision-making.
البيانات غير المهيكلةبيانات لا تحتوي على تنسيق أو هيكل محدد مسبقًا، مثل رسائل البريد الإلكتروني، ملفات النص، والفيديوهات.DimensionA structure that categorizes facts and measures in order to enable users to answer business questions.
اختبار قبول المستخدم (UAT)عملية اختبار نظام أو تطبيق لضمان تلبيته للمتطلبات وجاهزيته للاستخدام.Dimensional ModelA type of data model optimized for querying and reporting, typically used in data warehouses.
سلسلة القيمةسلسلة الأنشطة التي تقوم بها المنظمة لتقديم منتج أو خدمة إلى السوق.Digital TransformationThe integration of digital technology into all areas of a business to fundamentally change how it operates and delivers value.
الافتراضيةإنشاء نسخ افتراضية من الموارد المادية، مثل الخوادم أو أجهزة التخزين، لتحسين استخدام الموارد.Distributed DatabaseA database that is stored across multiple locations, either on different servers or in different geographical areas.
سير العملتسلسل من المهام أو العمليات التي تحدد كيفية معالجة البيانات والتعامل معها داخل نظام.Governance FrameworkA structure that defines the rules, policies, and procedures that guide the management of data.
XML
(
لغة الترميز القابلة للتوسيع)
لغة ترميز مرنة تُستخدم لتخزين ونقل البيانات في تنسيق منظم.Hierarchical ModelA data model in which data is organized into a tree-like structure where each record has a single parent and potentially many children.
إعداد الميزانية من الصفرطريقة إعداد الميزانية حيث يجب تبرير كل نفقة لكل فترة جديدة، بدءًا من الصفر.HierarchyA representation of a set of relationships where higher-level data is divided into sub-levels.
Industry Data ModelA standardized data model specific to a particular industry that defines key data structures and relationships.
Information GovernanceThe management of information in a way that ensures it is accurate, secure, accessible, and used appropriately.
Information ManagementThe process of managing information in order to ensure its quality, accessibility, and usability across the organization.
Metadata RepositoryA centralized storage system that houses metadata, which is used to describe the structure, origin, and usage of data.
Metadata ManagementThe process of managing metadata to ensure that data is well understood, classified, and accessible to users.
Metadata StandardsAgreed-upon guidelines for the structure, format, and use of metadata within an organization.
Operational Data Store (ODS)A database that consolidates operational data from multiple sources for reporting and analysis.
Operational EfficiencyThe ability of an organization to deliver products or services at the lowest cost while maintaining quality.
Predictive AnalyticsThe use of statistical algorithms and machine learning techniques to identify the likelihood of future outcomes based on historical data.
Privacy by DesignAn approach that integrates data privacy protections into the design of systems, processes, and products.
QueryA request for data from a database, often formulated using a query language such as SQL.
Quality ControlThe process of monitoring and controlling data quality to ensure it meets defined standards and requirements.
Reference DataData used to categorize other data or provide context, such as codes or descriptors.
Relational ModelA data model based on the theory of relational algebra, in which data is organized into tables or relations.
ReportingThe process of generating and delivering data in a structured format for analysis and decision-making.
Risk ManagementThe process of identifying, assessing, and mitigating risks that could affect an organization's data and business operations.
Role-based Access Control (RBAC)A method for restricting access to data based on the roles of individual users within an organization.
Semi-structured DataData that does not conform to a traditional relational database but still has some organizational structure, such as JSON or XML files.
SQL (Structured Query Language)A standard programming language used to manage and manipulate relational databases.
StewardshipThe responsible management and oversight of data to ensure its quality, accuracy, and availability.
Structured DataData that is organized in a defined manner, often in rows and columns, making it easy to store and query.
System Development Life Cycle (SDLC)A process used to develop information systems in a structured, systematic way, from planning through deployment.
TaxonomyA classification system used to categorize and organize data or concepts.
Unstructured DataData that does not have a predefined format or structure, such as emails, text files, and videos.
User Acceptance Testing (UAT)The process of testing a system or application to ensure it meets the requirements and is ready for use.
Value ChainThe series of activities that an organization performs to deliver a product or service to the market.
VirtualizationThe creation of virtual versions of physical resources, such as servers or storage devices, to optimize resource usage.
WorkflowA sequence of tasks or processes that define how data is handled and processed within a system.
XML (Extensible Markup Language)A flexible markup language used to store and transport data in a structured format.
Zero-based BudgetingA method of budgeting where every expense must be justified for each new period, starting from zero.
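The Role-based Access Control and Data Security entries describe a mechanism rather than just a concept, so the following added example (not part of the glossary or of any framework it cites) shows the mechanism in working Python: permissions attach to roles, users hold roles, and an access request is denied unless some role of the user carries that exact permission. The roles, user names and asset names are constructed sample data, and `Permission`, `is_permitted`, `assign_role` and `decision_log_line` are illustrative names chosen here.

```python
"""Role-based access control (RBAC) in its simplest form: permissions attach to
roles, users are assigned roles, and every access decision is deny-by-default.
Added illustration; roles, users and asset names below are constructed samples."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """An (action, asset) pair such as ("read", "customer_table")."""
    action: str
    asset: str


# Constructed sample policy. Permissions are granted to roles only; no user is
# ever granted a permission directly, which is what makes this RBAC.
ROLE_PERMISSIONS: dict[str, frozenset[Permission]] = {
    "analyst": frozenset({
        Permission("read", "customer_table"),
        Permission("read", "sales_mart"),
    }),
    "data_steward": frozenset({
        Permission("read", "customer_table"),
        Permission("write", "customer_table"),
    }),
    "dba": frozenset(
        Permission(action, asset)
        for action in ("read", "write", "delete")
        for asset in ("customer_table", "sales_mart")
    ),
}

# Constructed sample role assignments (hypothetical users).
USER_ROLES: dict[str, frozenset[str]] = {
    "alice": frozenset({"analyst"}),
    "bob": frozenset({"analyst", "data_steward"}),
    "carol": frozenset({"dba"}),
    "dave": frozenset(),  # account exists but holds no role
}


def effective_permissions(user: str) -> frozenset[Permission]:
    """Union of the permissions of every role the user holds.

    An unknown user or an unknown role contributes nothing, so the result for
    either is the empty set rather than an exception that a caller might
    mishandle as "allowed"."""
    granted: set[Permission] = set()
    for role in USER_ROLES.get(user, frozenset()):
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def is_permitted(user: str, action: str, asset: str) -> bool:
    """Deny-by-default access decision: True only if some role of the user
    carries exactly this (action, asset) permission."""
    return Permission(action, asset) in effective_permissions(user)


def assign_role(user: str, role: str) -> None:
    """Grant a role to a user. Refuses roles that are not defined in the
    policy, so a typo cannot silently create a privileged role later."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role!r}")
    USER_ROLES[user] = USER_ROLES.get(user, frozenset()) | {role}


def decision_log_line(user: str, action: str, asset: str) -> str:
    """Audit record for one access decision, so denials are visible to
    security operations and not only to the caller."""
    verdict = "ALLOW" if is_permitted(user, action, asset) else "DENY"
    roles = sorted(USER_ROLES.get(user, frozenset()))
    return f"{verdict} user={user} action={action} asset={asset} roles={roles}"


if __name__ == "__main__":
    for request in (("alice", "read", "customer_table"),
                    ("alice", "write", "customer_table"),
                    ("bob", "write", "customer_table"),
                    ("dave", "read", "customer_table"),
                    ("mallory", "read", "sales_mart")):
        print(decision_log_line(*request))
```

Two details carry the security value: the decision is deny-by-default (an unknown user, an unassigned account, or a role name that is not in the policy all yield no permissions), and `assign_role` rejects undefined roles, so the only way a user can gain access is through a role that the policy explicitly defines.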