🔐 Cybersecurity Glossary

A document that outlines the rules and guidelines for using an organization's information technology resources.

A list of permissions attached to a system resource that specifies which users or system processes are granted access.

The process of removing personally identifiable information from data so individuals cannot be identified.

The practice of protecting Application Programming Interfaces from attacks and misuse.

Breach and Attack Simulation — automated tools that continuously test security controls by simulating real-world attacks.

The total sum of all vulnerabilities and entry points that an attacker could potentially exploit.

A chronological record of system activities that provides documentary evidence of the sequence of activities that have affected operations, procedures, or events.

The practice of encrypting backup data to protect it from unauthorized access if backup media is lost or stolen.

Authentication method using unique biological characteristics such as fingerprints, facial recognition, or iris patterns.

A group of security professionals responsible for defending against simulated and real attacks.

The responsibility of the board of directors to oversee the organization's cybersecurity strategy and risk management.

An attack method that uses trial and error to guess passwords, login credentials, or encryption keys.

A program offered by organizations that rewards security researchers for responsibly reporting vulnerabilities.

A sophisticated scam targeting organizations that regularly perform wire transfers, exploiting compromised executive email accounts.

A strategic security approach combining technical controls, user awareness training, and governance policies to prevent sophisticated email fraud attacks targeting organizations. This includes implementing verification procedures for financial transactions, executive impersonation detection, and incident response protocols.

A process that identifies and evaluates the potential effects of disruption to critical business operations.

The documented chronological history of the handling and transfer of digital evidence.

Automated tools that continuously monitor cloud infrastructure for gaps in security policy enforcement.

A security solution focused on protecting workloads across cloud, on-premises, and hybrid environments.

A systematic examination of source code to find and fix mistakes overlooked in initial development.

The Saudi regulatory body overseeing the ICT sector including telecommunications security requirements.

An alternative security measure employed when the primary control cannot be implemented.

A freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data.

The practice of securing containerized applications and their infrastructure from development through production.

The phase of incident response focused on limiting the scope and damage of a security incident.

A Zero Trust security mechanism that continuously validates user identity and device trustworthiness throughout a session, rather than only at initial login. It monitors behavioral patterns, device posture, location, and contextual factors in real-time to detect anomalies and dynamically adjust access privileges or terminate sessions when risk levels change.

An automated approach to maintaining compliance with regulations and standards through continuous monitoring and assessment.

A statement of the desired result or purpose to be achieved by implementing a security control.

An action taken to eliminate the cause of a detected nonconformity to prevent recurrence.

An automated attack that uses stolen username/password pairs from data breaches to attempt logins on other services.

The overall coordination of an organization's response to a crisis that threatens the organization or its stakeholders.

Systems and assets vital to Saudi Arabia's national security, economy, or public health that require enhanced cybersecurity protection.

The transfer of personal data from one country to another, subject to legal restrictions and adequacy requirements.

The regulatory requirements under PDPL for transferring personal data outside Saudi Arabia, requiring data controllers to ensure adequate protection levels in the receiving country, obtain necessary approvals, implement appropriate safeguards such as standard contractual clauses, and maintain accountability for data protection throughout the transfer process.

A web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users.

The unauthorized use of someone else's computing resources to mine cryptocurrency.

The mandatory process of reporting cybersecurity incidents to relevant regulatory authorities, affected parties, and stakeholders within specified timeframes, including details about the nature, scope, and impact of the incident as required by applicable regulations.

The mandatory or voluntary process of notifying relevant authorities, stakeholders, and affected parties about cybersecurity incidents within specified timeframes. In Saudi Arabia, this includes reporting to NCA for critical infrastructure and SAMA for financial institutions.

Insurance products designed to help organizations mitigate financial losses from cybersecurity incidents and data breaches.

An organization's ability to continuously deliver intended outcomes despite adverse cyber events, as required by NCA.

A technology platform that aggregates, correlates, and analyzes threat data from multiple sources to provide actionable intelligence.

An NCA ECC control domain requiring organizations to maintain a comprehensive inventory of all information assets, including hardware, software, data, and network components, with proper classification, ownership assignment, and lifecycle management to ensure adequate protection measures.

The second domain of the NCA ECC framework that encompasses technical and operational controls for protecting information systems, networks, and data, including access control, network security, encryption, vulnerability management, and security monitoring capabilities.

The first domain of the NCA ECC framework that establishes requirements for organizational leadership, cybersecurity strategy, policies, risk management, and compliance programs to ensure effective oversight and accountability for cybersecurity across the organization.

The first domain of SAMA CSF that requires financial institutions to establish comprehensive cybersecurity governance structures, including board-level oversight, cybersecurity strategy, risk management frameworks, policies and procedures, and organizational roles and responsibilities for managing cybersecurity risks.

An NCA ECC control domain requiring organizations to establish formal capabilities for detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents, including mandatory reporting to NCA within specified timeframes for incidents affecting critical systems or sensitive data.

NCA's periodic assessment of government entities' cybersecurity maturity against ECC controls.

A classification system within the NCA ECC framework that categorizes organizations into different maturity levels (Basic, Intermediate, Advanced) based on their criticality and risk profile, determining the depth and rigor of cybersecurity controls they must implement.

The third domain of SAMA CSF requiring financial institutions to develop and maintain capabilities to withstand, respond to, and recover from cybersecurity incidents, including incident response plans, business continuity and disaster recovery programs, backup strategies, and regular testing exercises to ensure operational resilience.

Data that is stored in databases, file systems, or other storage systems and is not actively being transmitted or processed.

The entity that determines the purposes and means of processing personal data.

Data that is actively moving from one location to another, such as across the internet or through a private network.

A policy-based approach to managing the flow of data through its lifecycle from creation and storage to deletion.

The process of hiding specific data within a database to ensure that sensitive data is not exposed to unauthorized personnel.

The right of data subjects to receive their personal data in a structured, commonly used, machine-readable format.

A systematic process to identify and minimize privacy risks associated with processing personal data, particularly when implementing new technologies or systems. This assessment evaluates potential impacts on individuals' privacy rights and determines appropriate safeguards and mitigation measures.

An entity that processes personal data on behalf of the data controller.

A process to identify and minimize the data protection risks of a project or system.

A designated person responsible for overseeing data protection strategy and compliance within an organization.

The concept that data is subject to the laws and governance structures within the nation where it is collected or processed.

Rights granted to individuals under PDPL including the right to access, rectify, erase, restrict processing, data portability, and object to processing of their personal data, which organizations must facilitate and respond to within specified timeframes.

AI-generated synthetic media used to impersonate individuals through manipulated audio, video, or images.

A cybersecurity strategy that uses multiple layers of security controls to protect information assets, so if one layer fails, another is in place.

A perimeter network segment that sits between the internal network and the external network to provide an additional layer of security.

The process of collecting, preserving, and analyzing electronic evidence for investigating cybersecurity incidents.

The systematic collection, preservation, analysis, and documentation of digital evidence from security incidents to determine the root cause, scope of compromise, attack vectors, and support legal proceedings or regulatory reporting.

The combined practice of collecting, preserving, analyzing, and presenting digital evidence from cybersecurity incidents while simultaneously containing and remediating the threat. It ensures evidence integrity for potential legal proceedings while enabling rapid recovery and lessons learned documentation.

A mathematical scheme for verifying the authenticity and integrity of digital messages or documents.

A centralized database that stores and manages user identities, credentials, and access permissions (e.g., Active Directory, LDAP).

A suite of extensions to DNS that adds security by enabling DNS responses to be validated as authentic.

An email authentication protocol that builds on SPF and DKIM to provide domain owners with protection against unauthorized use of their domain in email attacks. DMARC enables senders to specify how receiving mail servers should handle messages that fail authentication checks and provides reporting mechanisms for monitoring.

The practice of performing adequate research and assessment before making decisions about security investments, partnerships, or vendor engagements.

A security testing method that tests an application in its running state to find vulnerabilities from an external perspective.

A mandatory periodic evaluation process conducted by organizations subject to NCA ECC requirements to measure their adherence to the prescribed cybersecurity controls. The assessment involves self-evaluation, documentation review, technical testing, and may include third-party audits. Organizations must submit compliance reports to the NCA demonstrating implementation status, identified gaps, and remediation plans, with assessments typically required annually or following significant system changes.

A classification system within the NCA ECC framework that defines three progressive maturity levels for implementing cybersecurity controls based on organizational risk profile and criticality. Level 1 represents basic cybersecurity practices, Level 2 indicates intermediate security measures, and Level 3 denotes advanced security capabilities. Organizations must achieve the maturity level appropriate to their classification as determined by NCA.

A structured assessment methodology within the NCA ECC framework that measures an organization's cybersecurity maturity across five levels: Level 1 (Initial), Level 2 (Developing), Level 3 (Defined), Level 4 (Managed), and Level 5 (Optimized). Organizations are required to achieve specific maturity levels based on their classification and criticality, with higher-risk entities expected to reach higher maturity levels.

An approach to public-key cryptography based on the algebraic structure of elliptic curves, offering equivalent security with smaller key sizes.

A security strategy and technology that monitors, detects, and blocks sensitive information from being transmitted via email in violation of organizational policies or regulatory requirements. Email DLP helps prevent accidental or intentional data breaches by enforcing content inspection and policy-based controls.

A governance framework that defines requirements and procedures for encrypting email communications to protect sensitive information in transit and at rest. This policy establishes standards for encryption methods, key management, and compliance with data protection regulations such as PDPL.

A security solution that filters and monitors incoming and outgoing email traffic to detect and block malicious content, spam, and phishing attempts. It acts as a protective barrier between an organization's email infrastructure and external threats, enforcing security policies and compliance requirements.

A documented procedure that outlines the steps to be taken when an email security incident occurs, including detection, containment, investigation, remediation, and reporting. This plan is essential for minimizing damage from email-based attacks and ensuring compliance with regulatory notification requirements.

A governance document that defines how long email messages must be retained, archived, and eventually deleted based on regulatory requirements, legal obligations, and business needs. This policy ensures compliance with data protection laws while managing storage resources effectively.

A structured program designed to educate employees about email-based threats such as phishing, malware, and social engineering attacks. This training is a critical component of security governance, helping organizations build a human firewall and reduce the risk of successful email attacks.

The process of converting plaintext data into ciphertext using cryptographic algorithms and keys to protect confidentiality and prevent unauthorized access to sensitive information during storage or transmission.

The administration of cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, backup, and destruction, ensuring secure key handling practices to maintain the effectiveness of encryption systems.

A security method where data is encrypted on the sender's device and only decrypted on the recipient's device, ensuring that no intermediary parties, including service providers, can access the plaintext content during transmission.

A cybersecurity technology that continuously monitors endpoints to detect and respond to cyber threats.

The phase of incident response where the root cause and artifacts of the security incident are removed from the environment.

The systematic gathering of proof that security controls are implemented and effective to satisfy compliance requirements.

The automatic switching to a standby system, server, or network upon the failure or abnormal termination of the primary.

Factor Analysis of Information Risk — a quantitative risk analysis methodology for information security and operational risk.

An open authentication standard that enables passwordless login using public key cryptography and biometrics.

Malicious code that operates entirely in memory without writing files to disk, making it harder to detect by traditional antivirus.

An assessment that compares an organization's current security posture against a desired standard or framework to identify areas needing improvement.

A dedicated hardware device for managing and safeguarding digital keys and performing cryptographic operations.

A mathematical function that converts an input of arbitrary length into a fixed-size output, commonly used for data integrity verification.

A form of encryption that allows computations to be performed on encrypted data without first decrypting it.

A fully equipped duplicate computing facility that can be activated immediately in case of a disaster.

A framework of policies, processes, and technologies that enables organizations to manage digital identities and control user access to critical information and systems. IAM ensures that the right individuals access the right resources at the right times for the right reasons.

A system that creates, maintains, and manages identity information for users while providing authentication services.

The process of limiting the scope and impact of a security incident by isolating affected systems, preventing lateral movement of threats, and stopping the incident from spreading to other parts of the network or organization.

The mandatory process of informing relevant stakeholders, regulatory authorities, and affected parties about security incidents within specified timeframes, including details about the nature, impact, and remediation measures of the incident.

A documented, structured approach with detailed procedures for detecting, responding to, and recovering from cybersecurity incidents. It defines roles, responsibilities, communication protocols, and step-by-step actions to minimize damage and restore normal operations efficiently.

A designated group of trained professionals responsible for managing and coordinating responses to cybersecurity incidents. The team typically includes technical experts, legal advisors, communications specialists, and management representatives who work together to contain, investigate, and remediate security breaches.

Proactive indicators that identify attacker behavior patterns in real-time, before damage occurs.

Forensic artifacts that identify potentially malicious activity on a system or network.

Technology that controls access to documents, emails, and files beyond the boundaries of the organization's network.

Managing and provisioning computing infrastructure through machine-readable configuration files rather than manual processes.

The level of risk existing before any controls are applied. Used in risk assessments to establish baseline risk level before evaluating the effectiveness of existing controls to arrive at residual risk.

A security risk that originates from within the organization, typically from current or former employees or business associates.

An independent assessment conducted within the organization to evaluate and improve the effectiveness of risk management, control, and governance.

A network security tool that monitors traffic for threats and automatically takes action to prevent them.

The administration of cryptographic keys in a cryptosystem, including generation, exchange, storage, use, and replacement of keys.

A metric used to provide an early signal of increasing risk exposures in various areas of the organization.

The principle that users should be given the minimum levels of access needed to perform their job functions.

The process of analyzing logs from multiple sources to identify patterns, anomalies, and potential security incidents.

An attack where the attacker secretly relays and possibly alters communications between two parties who believe they are directly communicating.

An outsourced cybersecurity service that provides threat monitoring, detection, and response capabilities.

A framework for assessing the current state and improvement path of an organization's cybersecurity capabilities across defined levels.

The maximum period of time that a business process can be disrupted without causing unacceptable consequences.

The average time it takes to discover a security incident from its initial occurrence.

A key performance indicator that measures the average time it takes for a SOC team to discover a security incident or breach from the moment it occurs. MTTD is critical for assessing the effectiveness of security monitoring capabilities and detection controls, with lower values indicating more mature security operations.

The average time it takes to contain and remediate a security incident after detection.

A Zero Trust security technique that divides networks into small, isolated segments to contain breaches and limit lateral movement. Each segment has its own access controls and security policies, allowing organizations to define granular security perimeters around critical assets and enforce strict traffic inspection between segments.

A security technique that divides a network into isolated segments down to the individual workload level.

Security strategy and controls for organizations using services from multiple cloud service providers simultaneously.

NCA requirements for cryptographic algorithms and key lengths used by government and critical infrastructure entities.

Specialized NCA framework governing cloud computing security for Saudi government and critical infrastructure entities. Contains 76 controls covering cloud provider selection, data residency (data must remain in KSA), shared responsibility, and cloud incident response.

NCA framework establishing cybersecurity resilience requirements for critical national infrastructure, focusing on continuity of essential services during cyber incidents.

A security approach that attempts to unify endpoint security and network access enforcement.

An authorization framework that enables applications to obtain limited access to user accounts via delegation tokens.

Authentication methods that verify user identity without traditional passwords, using biometrics, tokens, or cryptographic keys.

The process of distributing and applying updates to software to fix vulnerabilities and improve security.

The adherence to Saudi Arabia's Personal Data Protection Law, which establishes requirements for the collection, processing, storage, and transfer of personal data to protect individuals' privacy rights and ensure data controllers and processors implement appropriate technical and organizational measures.

A predefined set of actions and procedures for responding to a specific type of security incident.

Cryptographic algorithms designed to be secure against attacks from both classical and quantum computers.

A systematic process to identify and evaluate potential privacy risks associated with data processing activities, particularly when implementing new technologies, systems, or processes that handle personal data. Under PDPL and SAMA CSF requirements, organizations must conduct PIAs before processing high-risk personal data to ensure compliance and implement appropriate safeguards.

A subset of IAM that focuses on managing and monitoring accounts with elevated privileges, such as system administrators and database administrators. PAM solutions control, monitor, and secure privileged credentials to prevent unauthorized access to critical systems and sensitive data.

Processing personal data so it can no longer be attributed to a specific data subject without the use of additional information.

A framework of encryption and cybersecurity that protects communications between servers and clients using digital certificates.

A collaborative approach combining Red Team and Blue Team exercises to improve security effectiveness.

A responsibility assignment matrix defining who is Responsible, Accountable, Consulted, and Informed for each task.

The maximum acceptable length of time that a business process, application, or system can be down after a disaster or disruption before the organization experiences unacceptable consequences, used to prioritize recovery efforts and allocate resources.

A group of security professionals authorized to simulate real-world attacks to test an organization's defenses.

The process of addressing and resolving identified security findings, vulnerabilities, or compliance gaps.

The risk that remains after security controls have been applied.

The right of individuals to have their personal data erased when it is no longer necessary for the purpose it was collected.

Data subject right under PDPL to request deletion of their personal data held by an organization under specific circumstances, including withdrawal of consent or when data is no longer necessary for the original purpose.

The process of assigning monetary values to potential losses from cybersecurity risks using statistical methods.

A documented repository of identified risks, their analysis, and planned response actions.

The process of selecting and implementing measures to modify risk, including avoidance, mitigation, transfer, or acceptance.

A method of restricting system access to authorized users based on their role within the organization.

An access control method within IAM that assigns system permissions to users based on their organizational roles rather than individual identities. RBAC simplifies access management by grouping permissions into roles, ensuring users only have access necessary to perform their job functions in accordance with the principle of least privilege.

An asymmetric cryptographic algorithm widely used for secure data transmission using a public and private key pair.

A security technology that is built into an application to detect and prevent real-time attacks.

Security Assertion Markup Language — an XML-based standard for exchanging authentication and authorization data between parties.

The digital transformation component of Saudi Vision 2030 that drives cybersecurity requirements across all sectors.

The boundaries of a compliance assessment defining which systems, processes, and locations are included in the evaluation.

A cloud architecture model that combines network security functions with WAN capabilities to support dynamic secure access.

DNS configurations and protocols that protect against DNS hijacking, spoofing, and cache poisoning attacks.

A solution that monitors emails sent and received to prevent unwanted email including spam, phishing, and malware.

A unified security design that addresses the necessities and potential risks involved in a certain scenario and specifies when and where to apply security controls.

A business model in which a service provider integrates security services into a corporate infrastructure on a subscription basis.

An educational program designed to reduce human cybersecurity risks by teaching employees to recognize and respond to threats.

A minimum set of security controls required for a system or organization to operate safely.

The set of responsibilities exercised by the board and executive management to provide strategic direction and oversight of cybersecurity.

A comprehensive structure of policies, procedures, and controls that establishes accountability and oversight for cybersecurity activities across an organization. It defines roles, responsibilities, and decision-making processes to ensure security objectives align with business goals and regulatory requirements.

A comprehensive security solution that provides real-time analysis of security alerts and events generated by network hardware and applications. It collects, aggregates, correlates, and analyzes log data to detect threats, support compliance reporting, and enable rapid incident response.

A comprehensive solution that provides real-time analysis of security alerts generated by applications and network hardware. SIEM systems collect, aggregate, and analyze log data from across an organization's IT infrastructure to identify security threats, ensure compliance, and support incident investigation and forensics.

Quantifiable measurements used to track and evaluate the effectiveness of an organization's security program.

A centralized unit that deals with security issues on an organizational and technical level, responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents using a combination of technology solutions and human expertise.

A stack of compatible tools that allows organizations to collect security data and automate responses to low-level threats.

A formal document that defines the rules, guidelines, and practices for managing and protecting an organization's information assets.

An objective, quantifiable measure of an organization's cybersecurity posture generated by independent security rating platforms.

A cross-functional leadership body responsible for providing strategic direction and oversight of the cybersecurity program.

An email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. SPF helps prevent email spoofing by enabling receiving servers to verify that incoming mail from a domain comes from an authorized IP address.

Security practices and controls specific to serverless computing architectures like AWS Lambda, Azure Functions.

An authentication scheme that allows a user to log in with a single ID to gain access to multiple related but independent systems.

A process of identifying open-source software components and their known vulnerabilities in application codebases.

An approach to networking that uses software-based controllers to direct traffic on the network and communicate with hardware infrastructure.

A targeted phishing attack directed at specific individuals or organizations using personalized information to increase credibility.

A code injection technique used to attack data-driven applications by inserting malicious SQL statements into entry fields.

A digital certificate that authenticates a website identity and enables encrypted connections between a web server and browser.

A document that lists all ISO 27001 Annex A controls and indicates whether each is applicable, implemented, or excluded with justification.

A security testing method that analyzes source code, bytecode, or binary code for vulnerabilities without executing the program.

An attack that targets the less-secure elements in a supply chain to compromise the final target.

A discussion-based exercise where key personnel walk through a simulated scenario to test plans and identify gaps.

The fifth domain of the NCA ECC framework that establishes requirements for managing cybersecurity risks associated with third-party service providers, vendors, and cloud service providers, including due diligence, contractual security requirements, and ongoing monitoring of external parties.

An independent assessment conducted by an external qualified auditor to verify compliance with standards or regulations.

The fourth domain of SAMA CSF that mandates financial institutions to implement comprehensive third-party risk management programs, including vendor due diligence, contractual security requirements, continuous monitoring of third-party security posture, and incident notification obligations for service providers handling sensitive financial data.

An NCA ECC control domain mandating organizations to assess, monitor, and manage cybersecurity risks associated with vendors, suppliers, service providers, and other external parties that have access to organizational systems or data, including contractual security requirements and ongoing compliance verification.

The process of analyzing and controlling risks presented by third parties to an organization's data and operations.

An individual, group, or entity that conducts or has the intent to conduct malicious cyber activities against an organization's information systems or data. Threat actors are categorized by motivation (financial, political, espionage), capability (nation-state, organized crime, hacktivists), and targeting patterns.

The exchange of cyber threat information between organizations, government entities, and security communities using standards like STIX/TAXII.

A structured approach for identifying and prioritizing potential threats to a system and determining countermeasures.

The process of replacing sensitive data with unique identification symbols that retain all essential information without compromising security.

A systematic review of security weaknesses in an information system to identify, quantify, and prioritize vulnerabilities.

A systematic approach to identifying, evaluating, treating, and reporting security vulnerabilities in systems and software, including continuous monitoring and remediation processes to reduce organizational risk exposure.

An attack strategy where the threat actor infects websites frequently visited by the target group to compromise their systems.

A security solution that filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application.

A security framework that eliminates implicit trust and requires continuous verification of every user and device attempting to access network resources, regardless of their location. ZTNA operates on the principle of 'never trust, always verify' and implements least-privilege access controls with micro-segmentation.