🔐 Cybersecurity Glossary

A symmetric encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST) in 2001, widely adopted as the global standard for encrypting sensitive data. AES supports key sizes of 128, 192, and 256 bits and is mandated by SAMA CSF for protecting financial data and by NCA ECC for securing classified government information.

The process of removing personally identifiable information from data so individuals cannot be identified.

Authentication method using unique biological characteristics such as fingerprints, facial recognition, or iris patterns.

A freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data.

The process of obtaining, recording, and managing explicit permission from data subjects before collecting, processing, or sharing their personal information, including mechanisms for withdrawal and audit trails as required by privacy regulations.

A Zero Trust security mechanism that continuously validates user identity and device trustworthiness throughout a session, rather than only at initial login. It monitors behavioral patterns, device posture, location, and contextual factors in real-time to detect anomalies and dynamically adjust access privileges or terminate sessions when risk levels change.

The transfer of personal data from one country to another, subject to legal restrictions and adequacy requirements.

Legal instruments and safeguards required under PDPL Article 36 for transferring personal data outside Saudi Arabia, including adequacy decisions, standard contractual clauses, binding corporate rules, or explicit consent, ensuring that data transferred internationally maintains equivalent protection standards as required within the Kingdom.

The entity that determines the purposes and means of processing personal data.

A policy-based approach to managing the flow of data through its lifecycle from creation and storage to deletion.

A privacy principle requiring organizations to collect and process only the minimum amount of personal data necessary to achieve specific, legitimate purposes, reducing privacy risks and compliance obligations.

The right of data subjects to receive their personal data in a structured, commonly used, machine-readable format.

The right of individuals to control how their personal information is collected, used, stored, and shared by organizations, ensuring that data handling practices comply with legal and regulatory requirements while protecting individual privacy rights.

A systematic process to identify and minimize privacy risks associated with processing personal data, particularly when implementing new technologies or systems. This assessment evaluates potential impacts on individuals' privacy rights and determines appropriate safeguards and mitigation measures.

An entity that processes personal data on behalf of the data controller.

A process to identify and minimize the data protection risks of a project or system.

A designated person responsible for overseeing data protection strategy and compliance within an organization.

The concept that data is subject to the laws and governance structures within the nation where it is collected or processed.

The combined practice of collecting, preserving, analyzing, and presenting digital evidence from cybersecurity incidents while simultaneously containing and remediating the threat. It ensures evidence integrity for potential legal proceedings while enabling rapid recovery and lessons learned documentation.

A secondary physical or cloud-based facility equipped with necessary infrastructure, systems, and data backups that enables an organization to resume critical IT operations and business functions following a major disruption, cyber attack, or disaster at the primary site.

A security strategy and technology that monitors, detects, and blocks sensitive information from being transmitted via email in violation of organizational policies or regulatory requirements. Email DLP helps prevent accidental or intentional data breaches by enforcing content inspection and policy-based controls.

A governance framework that defines requirements and procedures for encrypting email communications to protect sensitive information in transit and at rest. This policy establishes standards for encryption methods, key management, and compliance with data protection regulations such as PDPL.

A governance document that defines how long email messages must be retained, archived, and eventually deleted based on regulatory requirements, legal obligations, and business needs. This policy ensures compliance with data protection laws while managing storage resources effectively.

The process of converting plaintext data into ciphertext using cryptographic algorithms and keys to protect confidentiality and prevent unauthorized access to sensitive information during storage or transmission.

The administration of cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, backup, and destruction, ensuring secure key handling practices to maintain the effectiveness of encryption systems.

A security method where data is encrypted on the sender's device and only decrypted on the recipient's device, ensuring that no intermediary parties, including service providers, can access the plaintext content during transmission.

A communication security method where data is encrypted on the sender's device and only decrypted on the recipient's device, preventing intermediaries including service providers from accessing the plaintext content. This approach aligns with PDPL Article 18 requirements for protecting personal data during transmission and NCA ECC controls for secure communications in critical infrastructure sectors supporting Vision 2030 digital transformation.

Any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction, whether automated or manual.

A systematic process to identify and evaluate potential privacy risks associated with data processing activities, particularly when implementing new technologies, systems, or processes that handle personal data. Under PDPL and SAMA CSF requirements, organizations must conduct PIAs before processing high-risk personal data to ensure compliance and implement appropriate safeguards.

Processing personal data so it can no longer be attributed to a specific data subject without the use of additional information.

The maximum acceptable length of time that a business process, application, or system can be down after a disaster or disruption before the organization experiences unacceptable consequences, used to prioritize recovery efforts and allocate resources.

The right of individuals to have their personal data erased when it is no longer necessary for the purpose it was collected.

Data subject right under PDPL to request deletion of their personal data held by an organization under specific circumstances, including withdrawal of consent or when data is no longer necessary for the original purpose.

An event or series of events that indicates a potential or actual breach of information security policies, unauthorized access to systems or data, disruption of services, or any occurrence that threatens the confidentiality, integrity, or availability of information assets.

A comprehensive security solution that provides real-time analysis of security alerts and events generated by network hardware and applications. It collects, aggregates, correlates, and analyzes log data to detect threats, support compliance reporting, and enable rapid incident response.

A centralized unit that deals with security issues on an organizational and technical level, responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents using a combination of technology solutions and human expertise.

A security framework that eliminates implicit trust and requires continuous verification of every user and device attempting to access network resources, regardless of their location. ZTNA operates on the principle of 'never trust, always verify' and implements least-privilege access controls with micro-segmentation.