🔐 Cybersecurity Glossary

A document that outlines the rules and guidelines for using an organization's information technology resources.

The responsibility of the board of directors to oversee the organization's cybersecurity strategy and risk management.

A strategic security approach combining technical controls, user awareness training, and governance policies to prevent sophisticated email fraud attacks targeting organizations. This includes implementing verification procedures for financial transactions, executive impersonation detection, and incident response protocols.

A systematic process to identify and minimize privacy risks associated with processing personal data, particularly when implementing new technologies or systems. This assessment evaluates potential impacts on individuals' privacy rights and determines appropriate safeguards and mitigation measures.

A cybersecurity strategy that uses multiple layers of security controls to protect information assets, so if one layer fails, another is in place.

An email authentication protocol that builds on SPF and DKIM to provide domain owners with protection against unauthorized use of their domain in email attacks. DMARC enables senders to specify how receiving mail servers should handle messages that fail authentication checks and provides reporting mechanisms for monitoring.

The practice of performing adequate research and assessment before making decisions about security investments, partnerships, or vendor engagements.

A security strategy and technology that monitors, detects, and blocks sensitive information from being transmitted via email in violation of organizational policies or regulatory requirements. Email DLP helps prevent accidental or intentional data breaches by enforcing content inspection and policy-based controls.

A governance framework that defines requirements and procedures for encrypting email communications to protect sensitive information in transit and at rest. This policy establishes standards for encryption methods, key management, and compliance with data protection regulations such as PDPL.

A security solution that filters and monitors incoming and outgoing email traffic to detect and block malicious content, spam, and phishing attempts. It acts as a protective barrier between an organization's email infrastructure and external threats, enforcing security policies and compliance requirements.

A documented procedure that outlines the steps to be taken when an email security incident occurs, including detection, containment, investigation, remediation, and reporting. This plan is essential for minimizing damage from email-based attacks and ensuring compliance with regulatory notification requirements.

A governance document that defines how long email messages must be retained, archived, and eventually deleted based on regulatory requirements, legal obligations, and business needs. This policy ensures compliance with data protection laws while managing storage resources effectively.

A structured program designed to educate employees about email-based threats such as phishing, malware, and social engineering attacks. This training is a critical component of security governance, helping organizations build a human firewall and reduce the risk of successful email attacks.

The level of risk existing before any controls are applied. Used in risk assessments to establish baseline risk level before evaluating the effectiveness of existing controls to arrive at residual risk.

A framework for assessing the current state and improvement path of an organization's cybersecurity capabilities across defined levels.

Specialized NCA framework governing cloud computing security for Saudi government and critical infrastructure entities. Contains 76 controls covering cloud provider selection, data residency (data must remain in KSA), shared responsibility, and cloud incident response.

NCA framework establishing cybersecurity resilience requirements for critical national infrastructure, focusing on continuity of essential services during cyber incidents.

A responsibility assignment matrix defining who is Responsible, Accountable, Consulted, and Informed for each task.

Data subject right under PDPL to request deletion of their personal data held by an organization under specific circumstances, including withdrawal of consent or when data is no longer necessary for the original purpose.

A unified security design that addresses the necessities and potential risks involved in a certain scenario and specifies when and where to apply security controls.

A minimum set of security controls required for a system or organization to operate safely.

The set of responsibilities exercised by the board and executive management to provide strategic direction and oversight of cybersecurity.

A comprehensive structure of policies, procedures, and controls that establishes accountability and oversight for cybersecurity activities across an organization. It defines roles, responsibilities, and decision-making processes to ensure security objectives align with business goals and regulatory requirements.

Quantifiable measurements used to track and evaluate the effectiveness of an organization's security program.

A formal document that defines the rules, guidelines, and practices for managing and protecting an organization's information assets.

A cross-functional leadership body responsible for providing strategic direction and oversight of the cybersecurity program.

An email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. SPF helps prevent email spoofing by enabling receiving servers to verify that incoming mail from a domain comes from an authorized IP address.