| Term | Definition | Layer |
|---|---|---|
| Assessment | Atomic process used to determine a resource's compliance with an assessment requirement | Layer 5 |
| Assessment Requirement | Tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator | Layer 2 |
| Audit | A formal, opinionated review of an organization's policies and posture, conducted at a specific point in time to verify that established requirements are met | Layer 7 |
| Behavior Evaluation | An opinionated observation of simulated or real-world activities | Layer 5 |
| Compliance | Adherence to an active policy | |
| Continuous Monitoring | A multi-system process designed to collect evaluation and telemetry data in an ongoing process to better detect malicious action, enable remediation activities, and observe trends over time | Layer 7 |
| Control | Safeguard or countermeasure containing a clear objective and assessment requirements | Layer 2 |
| Control Catalog | A set of related controls and relevant metadata | Layer 2 |
| Enforcement | An action taken in response to noncompliance findings and their causes | Layer 6 |
| Evaluation | The manual or automated process of forming an opinion on the state of compliance, guided by a set of assessment requirements | Layer 5 |
| Finding | The evidence and opinionated result of an assessment; often used as shorthand for noncompliance finding | Layer 5 |
| Governance | Strategic oversight of an organization and its activities | |
| GRC | Governance, risk, and compliance; especially a coordinated program dedicated to these elements within a business unit | |
| Guidance | A concerted documentation effort to help bring about an optimal future without foreknowledge of the implementation details | Layer 1 |
| Guideline | Atomic element of a guidance document; often includes explanatory context and recommendations for designing optimal outcomes | Layer 1 |
| Intent Evaluation | An evaluation ensuring that a resource is set up to succeed, such as through proper training, configuration, or code | Layer 5 |
| Opinion | A firmly held approximation of reality formed within the constraints of an evaluator's philosophy, perspective, and capabilities | Layer 5 |
| Organization | Any logical grouping of human, physical, and information resources such as a company, business unit, or team | |
| Policy | A clearly scoped set of rules based on an organization's risk appetite | Layer 3 |
| Prescriptive Implementation Documentation | Design documentation that includes clear functional requirements for an activity, including security and other specifications that must be met | |
| Preventive Enforcement | Any action that interrupts another process which would otherwise cause noncompliance | Layer 6 |
| Remediative Enforcement | Corrective action in response to noncompliance in a deployed activity | Layer 6 |
| Risk | The potential for loss or damage when a threat is actualized, determined by calculating the impact of an event to an organization and the likelihood of its occurrence | Layer 3 |
| Risk Acceptance | A clearly documented decision to accept an unmitigated risk as necessary or unavoidable | Layer 3 |
| Risk Catalog | A group of related risks relevant to an organization; used to determine when and how rules are created for the organization | Layer 3 |
| Threat | Specifically scoped opportunity for a negative impact to the organization | Layer 2 |
| Vector | (1) An opportunity for an attacker to exploit a vulnerability in the system, or (2) a path by which neglect could result in unintentional negative outcomes | Layer 1 |