| Term | Definition | Layer(s) |
|---|---|---|
| Assessment | (1) the process of determining whether an outcome meets the actor's intent; or (2) an atomic process within an Evaluation used to determine a resource's Compliance with an Assessment Requirement | Layer 5 |
| Assessment Requirement | a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator | Layer 2 |
| Audit | a formal, opinionated review of an organization's Policies and posture, conducted at a specific point in time to verify that established requirements are met | Layer 7 |
| Behavior Evaluation | an opinionated observation of simulated or real-world activities | Layer 5 |
| Capability | a feature or function of a system; the primary component comprising an attack surface | Layer 2 |
| Catalog | a structured set of related prose and relevant metadata | Layers 1, 2, 3 |
| Continuous Monitoring | a multi-system process designed to collect Evaluation and operational data on an ongoing basis to better detect malicious action and non-compliance, enable Remediative Enforcement, and observe trends over time | Layer 7 |
| Control | (1) an organization's ability to fully assert desired state on a system, resource, or state; or (2) a mechanism, such as a safeguard or countermeasure, that asserts desired state; or (3) prose describing the Objective and Assessment Requirements associated with a desired state | Layer 2 |
| Compliance | adherence to a Rule or set of Rules | |
| Evaluation | the manual or automated process of forming an opinion on the state of Compliance, guided by a set of Assessment Requirements | Layer 5 |
| Enforcement | an action taken in response to non-compliance findings and their causes | Layer 6 |
| Evaluation Finding | the evidence and opinionated result of an Assessment | Layer 5 |
| Guidance | prose intended to help bring about a desired outcome for a topic or generalized scenario, based on knowledge of relevant Vectors | Layer 1 |
| Guideline | an atomic element of a Guidance Catalog; often includes explanatory context and recommendations for designing optimal implementations | Layer 1 |
| GRC | (1) the Governance, Risk, and Compliance domain within the cybersecurity field; or (2) a coordinated program dedicated to these elements within a business unit | |
| Governance | strategic oversight of an organization and its activities | |
| Intent Evaluation | an Evaluation ensuring that a resource is prepared in alignment with Policy, such as through proper training, configuration, or code | Layer 5 |
| Organization | any logical grouping of human, physical, virtual, and information resources, such as a company, business unit, or team | Layer 3 |
| Threat | a circumstance or event in which the concepts of a Vector are applied to a Capability in a specific context, resulting in the potential for negative impact | Layer 2 |
| Objective | a unified statement of intent, which may encompass multiple situationally applicable statements or requirements | Layer 2 |
| Opinion | a firmly held approximation of reality formed within the constraints of an evaluator's philosophy, perspective, and capabilities | Layers 5, 6, 7 |
| Policy | a clearly scoped set of Rules based on an organization's Risk Appetite | Layer 3 |
| Preventive Enforcement | any action that interrupts another process which would otherwise cause non-compliance | Layer 6 |
| Remediative Enforcement | corrective action in response to non-compliance in a deployed activity | Layer 6 |
| Residual Risk | the Risk remaining after Risk Mitigation and Enforcement actions have been implemented | Layer 3 |
| Risk | the potential for loss or damage when a Threat is actualized, determined by calculating the impact of an event on an organization and the likelihood of its occurrence | Layer 3 |
| Risk Catalog | a group of related Risks relevant to an organization; used to determine when and how Policies are created for the organization | Layer 3 |
| Risk Appetite | the level of Risk an organization is willing to accept in pursuit of its objectives | Layer 3 |
| Risk Assessment | the process of identifying the potential or actual Risks introduced by a system | Layer 3 |
| Risk Mitigation | the process of developing actions to prevent Threats or reduce their impact on organization objectives | Layer 3 |
| Risk Acceptance | a clearly documented decision to accept an unmitigated Risk as necessary or unavoidable | Layer 3 |
| Rule | an active, enforceable Policy, regulation, or law | Layers 1, 2, 3 |
| Sensitive Activity | a type of action that introduces Risk to an organization | Layer 4 |
| Vector | (1) an opportunity for an attacker to exploit a Vulnerability in the system; or (2) a path by which neglect could result in unintentional negative outcomes | Layer 1 |
| Vulnerability | (1) a weakness in a system, inherent in or associated with a Capability, that can be exploited when the Capability is used in unintended ways; or (2) a lack of Control or gap in defense, introduced intentionally or unintentionally, which can be leveraged to cause harm | Layers 2, 4 |