Les Schwab
Multifactor Authentication (MFA)
An authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
RACI
A common type of responsibility assignment matrix that uses responsible, accountable, consulted, and informed statuses to define the involvement of stakeholders in project activities.
User provisioning
A process to create, modify, disable, and delete user accounts and their profiles across IT infrastructure and business applications.
Security incident
A security incident is defined as any actual or suspected event that may adversely impact the confidentiality, integrity, or availability of data, or of the systems used by the University to process, store, or transmit that data.
SSO (Single Sign-On)
A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
Incident Response Plan
An incident response plan is a systematic and documented method of approaching and managing situations resulting from IT security incidents or breaches. It is used in enterprise IT environments and facilities to identify, respond to, limit, and counteract security incidents as they occur.
IDS (Intrusion Detection System)
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
AppCheck NG
AppCheck NG is a commercial web application and infrastructure vulnerability scanner.
Business Continuity (BC)
BC deals with the business operations side of BCDR. It involves designing and creating policies and procedures that ensure essential business functions and processes remain available during and after a disaster. BC can include the replacement of staff, service availability issues, business impact analysis, and change management.
Containers
Containers offer a logical packaging mechanism in which applications are abstracted from the environment in which they actually run. This decoupling allows container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or a developer's personal laptop. Containerization provides a clean separation of concerns: developers focus on their application logic and dependencies, while IT operations teams focus on deployment and management without needing to know application details such as specific software versions and app-specific configuration. For those coming from virtualized environments, containers are often compared with virtual machines (VMs): in a VM, a guest operating system such as Linux or Windows runs on top of a host operating system with virtualized access to the underlying hardware. Like virtual machines, containers let you package your application together with libraries and other dependencies, providing isolated environments for running your software services.
Disaster Recovery (DR)
DR is primarily focused on the IT side of BCDR. It defines how an organization's IT department will recover from a natural or man-made disaster. The processes within this phase can include server and network restoration, copying backup data, and provisioning backup systems.
DLP (Data Loss Prevention)
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
BC/DR
Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and the business in the aftermath of a disaster.
ITGC
IT general controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objectives of ITGCs are to ensure the integrity of the data and processes that the systems support.
Identity data management
Identity management (IdM) is the task of controlling information about users on computers. Such information includes data that authenticates the identity of a user, and data that describes the resources and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user, and of how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources, and even applications.
Penetration Testing
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in (either virtually or for real), and reporting back the findings. The main objective of penetration testing is to identify security weaknesses.
PII
Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII.
SAML
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authentication and authorization assertions to service providers (SP). ... SAML enables Single Sign-On (SSO), meaning users can log in once and reuse that authenticated session to log into other service providers.
CCPA
The California Consumer Privacy Act (CCPA) is a law that enhances privacy rights and consumer protection for residents of California, United States. ... The CCPA becomes effective on January 1, 2020.
CAIQ
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards for documenting the security controls in infrastructure-as-a-service, platform-as-a-service, and software-as-a-service offerings. The CAIQ contains a series of yes-or-no control-assertion questions that can be customized to fit an individual cloud customer's needs. The CAIQ is intended to be used in conjunction with the CSA Guidance and the CSA Cloud Controls Matrix (CCM), and is part of the CSA governance, risk management, and compliance stack.
Okta
The Okta Identity Cloud is an independent and neutral platform that securely connects the right people to the right technologies at the right time.
SOC 2 Report
There are five Trust Services Principles, or criteria, that comprise a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Unlike PCI DSS, which has very explicit requirements, SOC 2 requirements allow the data provider more flexibility in deciding how it wants to meet the criteria. Therefore, SOC 2 reports are unique to each company. Essentially, the provider looks at the requirements, decides which ones are relevant to its business practices, and then writes its own controls to fit those requirements. The data provider can write extra controls as needed and, if it so chooses, disregard others that are not relevant to what it is doing. The SOC 2 audit is simply the auditor's opinion on how well that organization's controls fit the requirements. This makes the auditor's reputation very important to SOC 2 reporting, because an auditor with many years of experience in SOC reporting is more likely to have a thorough understanding of SOC controls and the best practices to apply to them. The end result of a clean (passed) opinion is that, according to the auditor, the data provider can be trusted as a secure hosting company.