The pixel

Glossary

Expand your cybersecurity education with an in-depth glossary of data security terminology and concepts.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Access Control

The process of restricting access to resources, such as computers, files, or services, to authorized users only.

Learn More
Active Data Collection

Active data collection refers to data that is collected knowingly and transparently from the user, such as through a web form, check box, or survey.

Learn More
Adequate Level of Protection

Under the GDPR, Adequate Level of Protection refers to the level of data protection that the European Commission requires from a third country or international organization before approving cross-border data transfers to that third country or international organization.In making their judgement, the European Commission considers not only the data protection rules, and security measures of the third country or international org., but also the rule of law, respect for human rights, and the enforcement of compliance and data protection rules.

Learn More
Anomaly

A type of behavior or action that seems abnormal when observed in the context of an organization and a user's historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.

Learn More
Anonymization

Data Anonymization is a process that alters personally identifiable data (PII) in such a manner that it can no longer be used to identify an individual. This can be done by removing certain identifying values from data sets, or by generalizing identifying values.

Learn More
Anonymous Data

Anonymous data is data that is not related to an identifiable individual and cannot be used in combination with other data to identify individuals. Anonymous data is not protected by the GDPR.

Learn More
Appropriate Safeguards

In the context of the GDPR, Appropriate Safeguards refers to the application of the GDPR's data protection principles to data processing. The GDPR's data protection principles include transparency, data minimization, storage limitation, data quality, legal basis for processing, and purpose limitation.

Learn More
Audit Trail

A trail of files, logs, or paperwork used to record an activity for auditing purposes.

Learn More
Auditing

The act of systematically examining, evaluating, and analyzing an organization's assets to ensure compliance and security standards are met.

Learn More
Authentication

The process of verifying a claimed identity and proving that someone is who they claim to be when attempting to access a resource.

Learn More
Automated Processing

Data processing that is performed without human interaction.

Learn More
Brazil General Data Protection Law

Brazil passed a new legal framework in mid-August of 2018 aimed at governing the use and processing of personal data in Brazil: the General Data Protection Law. The law replaces approximately 40 or so laws that currently deal with the protection of privacy and personal data, and is aimed at guaranteeing individual rights, and encouraging economic growth by creating clear and transparent rules for data collection.

Learn More
CASB

An acronym for Cloud Access Security Broker. This is a type of security that monitors and controls the cloud applications that an organization's employees might use. Typically, the control is enforced by routing web traffic through a forward- or reverse-proxy. CASBs are good for managing Shadow IT and limiting employee's use of certain SaaS or the activity within those SaaS but do not monitor third-party activity in the cloud–i.e. shared documents or email.

Learn More
CCPA

An acronym of the California Consumer Privacy Act.

Learn More
CDO

An acronym for Chief Data Officer. This is the executive within an organization who is the head of information security.

Learn More
CISO

An acronym for Chief Information Security Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.

Learn More
CMMC

An acronym of Cybersecurity Maturity Model Certification is a security framework for Defense Industrial Base contractors to follow.

Learn More
CPO

An acronym for Chief Privacy Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.

Learn More
CSP

An acronym for Cloud Service Provider. This is any company that sells a cloud computing service, be it PaaS, IaaS, or SaaS.

Learn More
CUI

An acronym of Controlled Unclassified Information.

Learn More
Certification

A certification is a declaration by a certifying body that an organization or product meets certain security or compliance requirements.

Learn More
Cloud Native Database

A database service which is deployed and delivered through a cloud service provider (CSP) platform.

Learn More
Confidentiality

The guarantee that information is only available to those who are authorized to use it.

Learn More
Consent

In the context of privacy, consent is the ability of a data subject to decline or consent to the collection and processing of their personal data. Consent can be explicit, such as opting-in via a form, or implied, such as agreeing to an End-User License Agreement, or not opting out. Under many data protection laws, consent must always be explicit.

Learn More
Cross-border Data Transfer

The transfer of personal data from one legal jurisdiction, such as the EU, to another, such as the US. Many data protection laws place major restrictions on cross-border data transfers.

Learn More
Cybersecurity

The protection of information and communications against damage, exploitation, or unauthorized use.

Learn More
DDR

ֿAn acronym for Data Detection and Response

Learn More
DLP

An acronym for Data Leak Prevention or Data Loss Prevention. A type of security that prevents sensitive data, usually files, from being shared outside the organization or to unauthorized individuals within the organization. This is done usually through policies that encrypt data or control sharing settings.

Learn More
DPA

An acronym for Data Protection Authority. This is an independent public authority set up to supervise and enforce data protection laws in the EU. Each EU member state has its own DPA.

Learn More
DPO

An acronym for Data Protection Officer. This is an individual within an organization who is tasked with advising the organization on GPDR compliance and communicating with their Data Protection Authority. Organizations that process personal data as part of their business model are required to appoint a DPO.

Learn More
DRM

Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management.

Learn More
Data Breach

A data breach is a security incident during which sensitive, protected, or confidential data has been accessed or exposed to unauthorized entities. These incidents may expose protected or personal health information (PHI), personally identifiable information (PII), intellectual property, classified information, or other confidential data.

Learn More
Data Breach Notification

The act of notifying regulators as well as victims of data breaches that an incident has occurred. Under Article 34 of the GDPR, an organization must notify affected users within 72 hours of the incident.

Learn More
Data Broker

According to the GDPR, a Data Broker is any entity that collects and sells individuals’ personal data.

Learn More
Data Catalog

An organized inventory of data assets in the organization. Data catalogs use metadata to help organizations manage their data. They also help data professionals collect, organize, access, and enrich metadata to support data discovery and governance.

Learn More
Data Categorization

The process of dividing the data into groups of entities whose members are in some way similar to each other. Data privacy and security professionals can then categorize that data as high, medium, and low sensitivity data.

Learn More
Data Class

A definition that allows each type of data in a data store to be programmatically detected, typically using a test or algorithm. Data privacy and security professionals associate data classes with rules that define actions that should be taken when a given data class is detected. For example, sensitive information or PII should be tagged with a business term or classification, and further for some sensitive data classes a specific data quality constraint should be applied.

Learn More
Data Classification

Data classification is the process of organizing data into relevant categories to make it simpler to retrieve, sort, use, store, and protect.

Learn More
Data Controller

According to the GDPR, a Data Controller is an organization, agency, public authority, or individual that determines the how and why of data processing. The data controller may also be a data processor, or they may employ a third-party data processor.

Learn More
Data Flow

In communications, data flow is the path taken by a message from origination to destination that includes all nodes through which the data travels.

Learn More
Data Flow Diagram

An illustration that shows the way information flows through a process or system. Data flow diagrams include data inputs and outputs, data stores, and the various subprocesses the data moves through.

Learn More
Data Inventory

Also known as records of authority, data inventories identify personal data within systems and help in the mapping of how data is stored and shared. Data inventories are defined under privacy regulations including the GDPR, CCPA, and CPRA.

Learn More
Data Localization

The requirement that data is physically stored in the same country or group of countries that it originated from. This is a common requirement in modern privacy and data protection bills, such as the GDPR, China’s CSL, and Brazil’s Security Law. For example, under the GDPR, a company collecting the data of an EU citizen would have to store that data on a server in the EU.

Learn More
Data Loss

The accidental loss of data, whether via accidental deletion, destruction, or theft.

Learn More
Data Minimization

A privacy concept that states data collectors should only collect and retain the bare minimum of personal data that is necessary for the data processor to perform their duties, and should delete that data when it is no longer necessary.

Learn More
Data Processing

Any action that is performed on personal data or sets of personal data, such as collecting, structuring, storing, or disseminating that data.

Learn More
Data Processor

GDPR defines a data processor in GDPR as any organization that collects, processes, stores or transmits personal data of EU citizens.

Learn More
Data Protection

A legal term referring to laws and regulations aimed at protecting the personal data of individuals and determining that data’s fair use.

Learn More
Data Protection Impact Assessment

Data Protection Impact Assessment (DPIA) is a requirement that compels businesses to assess the risk and impact of their processing activities.While the CCPA does not require businesses to conduct a DPIA, the California Consumer Privacy Act (CPRA) under Section 1798.185(a)(15) requires businesses to perform an assessment on processing activities that may expose personal data to significant risks.

Learn More
Data Protection Principle

This is a principle set forth in Article 5 of the GDPR. The principles listed in Article 5 are: Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.

Learn More
Data Residency

A concept that refers to the physical or geographic location of an organization's data. Privacy and security professionals focus on the data laws or regulatory requirements imposed on data based on the data laws that govern a country or region in which it resides. When a businesses uses cloud services (IaaS, PaaS, or SaaS), they may not be aware of their data's physical location. This can create data residency concerns when, for example, data for a citizen of the European Union is stored in a US-based cloud datacenter.

Learn More
Data Security Posture Management (DSPM)

Data security posture management (DSPM) provides the missing piece to complete most security teams' puzzles – a means of identifying, contextualizing, and protecting sensitive data.

Learn More
Data Sprawl

A term that refers to the staggering amount and variety of data produced by businesses every day. This is largely due to the variety of enterprise software, mobile apps, storage systems, and data formats each company relies on.

Learn More
Data Store

A repository for storing, managing and distributing data sets on an enterprise level.

Learn More
Data Subject

The individual that a piece or set of data pertains to.

Learn More
Data Theft

The act of stealing of information.

Learn More
Defense Industrial Base

Defense Industrial Base (DIB) contractors are companies that conduct business with the US military and are part of the military industry complex responsible for research, production, delivery, and service.

Learn More
ELN

Electronic Lab Notebooks (Electronic Laboratory Notebook or ELN) is the digital form of a paper lab notebook.

Learn More
EU-US Privacy Shield

An adequacy agreement created in 2016 to replace the EU-U.S. Safe Harbor Agreement. The EU-U.S. Privacy Shield lets participating organizations under the jurisdiction of the US Federal Trade Commission transfer personal data from the EU to the United States.

Learn More
Encrypted Data

Encryption is the method of converting a plaintext into a cipher text so that only the authorized parties can decrypt the information and no third parties can tamper with the data. Unencrypted usually refers to data or information that is stored unprotected, without any encryption. Encryption is an important way for individuals and companies to protect sensitive information from hacking. For example, websites that transmit credit card and bank account numbers encrypt this information to prevent identity theft and fraud.

Learn More
European Data Protection Board

The primary supervisory authority established by the GDPR. The board consists of the heads of EU member states’ supervisory authorities as well as the European Data Protection Supervisor. The goal of the EDPB is to ensure consistent application of the GDPR by member states.

Learn More
European Data Protection Supervisor

An independent authority that aims to ensure that European organizations and member states comply with the privacy rules of the GDPR.

Learn More
Exact Matching

Where the a result of a query, algorithm or search only registers a match if there is a 100% match.

Learn More
Exfiltration

The unauthorized transfer of data off of a computer or network.

Learn More
False Positive

A false positive is an alert that incorrectly indicates a vulnerability exists or malicious activity is occurring. These false positives add a substantial number of alerts that need to be evaluated, increasing the noise level for security teams.

Learn More
File Clustering

An unsupervised learning method whereby a series of files is divided into multiple groups, so that the grouped files are more similar to the files in their own group and less similar to those in the other groups.

Learn More
Fuzzy Matching

Where scores of a result can fall from 0 - 100, based on the degree to which the search data and file data values match.

Learn More
GDPR

The General Data Protection Regulation (GDPR) is a European Union regulation that requires companies to provide protection, transparency, and accountability for EU citizen’s personal data. The GDPR became effective on May 25, 2018.

Learn More
Ghost Data

Ghost data in cybersecurity refers to data that still exists within a database or storage system but is no longer actively used or known to be accessible.

Learn More
HIPAA

An acronym for the Health Insurance Portability and Accountability Act. This is an American law that sets national standards and regulations for the transfer of electronic healthcare records. Under HIPAA, patients must opt in before their healthcare information can be shared with other organizations.

Learn More
HITECH

An acronym for the Health Information Technology for Economic and Clinical Health Act. This is an American law enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH aims to build on the healthcare security and privacy requirements set forth by HIPAA. HITECH does so by adding tiered monetary penalties for noncompliance, as well as the requirement for breach notifications.

Learn More
Health Breach Notification Rule

A Federal Trade Commission rule requiring vendors of personal health records to notify consumers following a breach involving unsecured information. And if a service provider to such a vendor is breached, they must notify the vendor. The rule also stipulates an exact timeline and method by which these public notifications must be made.

Learn More
IRM

Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties typically using encryption and permission management.

Learn More
ISO 27001

International standard for how to manage information security, first published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. It outlines standards for creating, executing, maintaining and optimizing an information security management system, in order to help organizations make their information assets more security.

Learn More
Information Security Policy

The directives, rules, regulations, and best practices that an organization follows to manage and secure information.

Learn More
Insider Threat

Any individual with insider access to an organization's networks or resources that would allow them to exploit the vulnerabilities of that organization's security or steal data.

Learn More
Integrity

The assurance that information has not been changed and that it is accurate and complete. The GDPR mandates that data controllers and processors implement measures guarantee data integrity.

Learn More
Least Privilege

A security principle which mandates that users should be granted the least amount of permissions necessary to perform their job.

Learn More
Legal Basis for Processing

The GDPR mandates that data controllers must demonstrate a legal basis for data processing. The six legal bases for processing listed in the law are: consent, necessity, contract requirement, legal obligation, protection of data subject, public interest, or legitimate interest of the controller.

Learn More
MFA

An acronym for Multifactor Authentication. This represents an authentication process that requires more than one factor of verification. An example would be a login that requires a username and password combination, as well as an SMS-code verification, or the use of a physical security key.

Learn More
Malconfiguration

A deliberate configuration change within a system by a malicious actor, typically to create back-door access or exfiltrate information. While the original change in configuration might involve a compromised account or other vulnerability, a malconfiguration has the benefit of offering long term access using legitimate tools, without further need of a password or after a vulnerability is closed.

Learn More
Malware

A term that represents a number of different types of malicious software that is intended to infiltrate computers or computer network.

Learn More
Managed Database

A database with storage, data, and compute services that is managed and maintained by a third-party provider instead of by an organization's IT staff.

Learn More
Masked Data

Sensitive information swapped with arbitrary data intended to resemble true production data, rendering it useless to bad actors. It's most frequently used in test or development environments, where realistic data is needed to build and test software, but where there is no need for developers to see the real data.

Learn More
Metadata

Data that describes other data. For databases, metadata describes properties of the data store itself, as well as the definition of the schema.

Learn More
Misconfiguration

A dangerous or unapproved configuration of an account that could potentially lead to a compromise typically done by a well-intentioned user attempting to solve an immediate business problem. While there is no malicious intent, misconfiguration is actually the leading cause of data loss or compromise.

Learn More
Misplaced Data

Misplaced data occurs when any data moves from an approved environment to an unapproved environment.

Learn More
NIST

An acronym for the National Institute of Standards and Technology. NIST is a unit of the US Commerce Department tasked with promoting and maintaining measurement standards. NIST leads the development and issuance of security standards and guidelines for the federal government.

Learn More
NPI

An acronym for nonpublic personal information.

Learn More
NYDFS Cybersecurity Regulation

NYDFS is an acronym for the New York Department of Financial Services.

Learn More
Negligence

In data security or privacy terms, this is the breach of a legal duty to protect personal information.

Learn More
Notice at Collection

Notice at Collection, is a transparency requirement that compels businesses to inform consumers, at or before the point of collection, about the category of personal information (PI) that they collect.

Learn More
Obfuscated Data

Sensitive information swapped with arbitrary data intended to resemble true production data, rendering it useless to bad actors. It's most frequently used in test or development environments, where realistic data is needed to build and test software, but where there is no need for developers to see the real data.

Learn More
Opt In

When an individual makes an active indication of choice, such as checking a box indicating willingness to share information with third parties.

Learn More
Opt Out

Either an explicit request for a user to no longer share information or receive updates from an organization, or a lack of action that implies that the choice has been made, such as when a person does not uncheck a box indicating willingness to share information with third parties.

Learn More
PCI DSS

An acronym for the Payment Card Industry Data Security Standard. This is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

Learn More
PHI

An acronym for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.

Learn More
PII

An acronym of Personally Identifiable Information. This is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Examples include social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, financial account number, or credit card number, personal address information including street address or email address, or personal telephone numbers.

Learn More
Passive Data Collection

Any data collection technique that gathers information automatically, with or without the end user’s knowledge.

Learn More
Purpose limitation

Purpose limitation or data use limitations requires that businesses ensure that they limit the use of personal information (PI) to the purposes for which it was collected.The GDPR provides more leeway when it comes to purpose limitation. <a href=https://gdpr.eu/article-5-how-to-process-personal-data/GDPR Article 5</a> indicates that “further processing” may be permitted when the new purposes are “not… considered… incompatible with the initial purposes.”

Learn More