Term | Category | Description |
--- | --- | --- |
Access Control | Infosec | Configuring systems so that the individuals and other systems accessing them can carry out only the functions they are permitted to, and no more |
Authentication | Infosec | Confirming that a person or system is who or what it claims to be |
Authorisation | Infosec | The process of determining what level of access an authenticated user is granted |
Automated decision making | Data protection | The process of making a decision by automated means without any human involvement. |
Blue Team | Infosec | A security testing team that focuses on analysing systems and designing new or improved security mechanisms to defend the systems from attack. See also Red Team. |
Brute Force Attack | Infosec | A way of recovering the password of a particular login account by trying every possible password, or every entry in a large list of candidate passwords, until one works. It is the simplest form of password cracking |
Business Continuity Plan (BCP) | | A framework and set of procedures built to maximise an organisation's chances of recovering from a business-impacting incident |
BYOD | Infosec | Bring your own device: the practice of staff using personally owned devices, rather than company-issued ones, for work |
CIA | Infosec | Confidentiality (ensuring that no unauthorised access occurs), Integrity (the data is accurate and complete) and Availability (the data is accessible when required) |
Configuration Management | Infosec | A regime of recording, monitoring and regularly checking the configuration of systems and applications so that changes do not have unexpected security consequences |
Conflict of Interest | Infosec | A set of circumstances that create a risk that professional judgement or actions regarding a primary interest will or could be unduly influenced by a secondary interest |
Cookie | Infosec | HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser. |
Credential stuffing | Infosec | The automated submission of stolen username and password pairs (typically obtained from a breach of another service) to many systems in order to gain fraudulent access to accounts whose owners reused the same credentials |
Cyber Essentials | Infosec | A simple but effective UK Government-backed certification scheme that helps organisations protect themselves against common cyber attacks |
Data controller | Data protection | An organisation or body which, alone or jointly with others, determines the purposes and means of the processing of personal data |
Data Loss Prevention (DLP) | Infosec | A general strategy (and the tooling that supports it) for preventing the disclosure of confidential information outside an organisation |
Data processing | Data protection | Any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction |
Data Processor | Data protection | An organisation or body which processes personal data on behalf of the controller |
Data Protection Officer | Data protection | Under the GDPR, some organisations need to appoint a Data Protection Officer (DPO) who is responsible for informing them of and advising them about their data protection obligations and monitoring their compliance with them |
Data Protection Impact Assessments (DPIAs) | Data protection | A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. Previously known as a PIA |
Data subject | Data protection | The identified or identifiable living individual to whom personal data relates |
Digital footprint | Infosec | A digital footprint is the data that’s left behind whenever a person uses a digital service, or someone posts information about that person onto a digital forum, such as a social network |
DPA | Data protection | Data protection assessment |
DPIA | Data protection | Data Protection Impact Assessment |
DSAR / SAR | Data protection | Data subject access request / subject access request |
ICO | Data protection | The UK Information Commissioner's Office (the UK data protection regulator) |
Incident management | Infosec | Detecting, reporting, assessing and responding to information security incidents |
ISO27001 | Infosec | The international standard specifying the requirements for an Information Security Management System (ISMS) |
Mobile Device management (MDM) | Infosec | A software system for the administration of mobile devices, such as smartphones, tablet computers and laptops. |
Multi-Factor Authentication (MFA) | Infosec | An authentication system that requires more than one distinct factor (e.g. something you know, something you have, something you are) for successful authentication |
Password Spraying | Infosec | A technique in which a small list of common passwords is tried against a large number of user accounts, typically one password per account per round so that no single account trips a lockout threshold |
Personal data | Data protection | Any information relating to a 'data subject' who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person |
Personal Data sharing | Data protection | The sharing of personal data between organisations, which may, but need not, involve an international data transfer |
Personal Data transfer | Data protection | Usually refers to the international transfer of personal data between countries and data protection jurisdictions. It covers processing activities in the destination, not mere transit |
Phishing | Infosec | Untargeted, mass emails sent to people in order to defraud them, asking them to disclose sensitive information or encouraging them to visit a fake website. |
Profiling | Data protection | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements |
Ransomware | Infosec | Malicious software that makes data or systems unusable, typically by encrypting data, until the victim makes a payment |
Risk management | Infosec | A set of coordinated activities that direct and control an organisation with regard to risk |
Shadow IT | Infosec | Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. |
Shoulder surfing | Infosec | Obtaining information by watching someone type (e.g. a password or PIN) or reading their screen, typically from over their shoulder |
Spear Phishing | Infosec | A targeted form of phishing, where the email is designed to look like it’s from a person the recipient knows and trusts. |
Special category data / Sensitive personal data | Data protection | Special category data is defined in law as data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation. (Special category data is more "sensitive") |
Tailgating (or piggybacking) | Infosec | Gaining entry to a secured area by following an authorised person through an access-controlled door, whether intentionally or accidentally, without presenting one's own credentials |
Threat | Infosec | The potential cause of an unwanted incident, which may result in harm to a system or organisation |
Virtual private network (VPN) | Infosec | An encrypted communication network service to allow secure connections between users, company networks and internet services |
Zero Trust Security model | Infosec | The main concept behind the zero trust security model is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN |
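Brute force, credential stuffing and password spraying (three of the entries above) differ mainly in how the guesses are spread across accounts, and that difference is what a detection rule keys on: one account with many different guesses, many accounts with the same few guesses, or many accounts with one distinct guess each. The Python below is an example added here, not part of the original glossary or any product's detection logic. It aggregates failed logins per source address over a constructed log and applies illustrative thresholds; it assumes a hypothetical log format in which the authentication service records a short keyed hash of each submitted password (`pw=`) so that distinct guesses can be counted without storing the password.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (an assumption of this example, not a real product's
# format). 'pw' is a short keyed hash of the submitted password, recorded so
# that distinct guesses can be counted without ever storing the password.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) pw=(?P<pw>[0-9a-f]{6})$"
)


@dataclass
class SourceStats:
    """Failed-login activity seen from one source address."""
    attempts: int = 0
    users: set = field(default_factory=set)      # distinct accounts targeted
    guesses: set = field(default_factory=set)    # distinct password hashes tried
    per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse(lines):
    """Yield parsed auth records; lines that are not auth records are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def aggregate(events):
    """Group failed attempts by source address."""
    stats = defaultdict(SourceStats)
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        s.guesses.add(ev["pw"])
        s.per_user[ev["user"]] += 1
    return stats


def classify(s, min_attempts=8, min_users=5, max_spray_guesses=3):
    """Label one source's activity. Thresholds are illustrative assumptions."""
    if s.attempts < min_attempts:
        return "normal"
    if len(s.users) < min_users:
        return "brute_force"            # many guesses, very few accounts
    if len(s.guesses) <= max_spray_guesses:
        return "password_spraying"      # the same few guesses, many accounts
    if len(s.guesses) >= 0.8 * s.attempts and max(s.per_user.values()) <= 2:
        return "credential_stuffing"    # roughly one unique pair per account
    return "suspicious"


def classify_sources(lines, **thresholds):
    """Map each source address in the log to its classification."""
    return {src: classify(st, **thresholds)
            for src, st in aggregate(parse(lines)).items()}


def _rec(i, result, user, src, pw):
    return f"2024-05-01T10:00:{i:02d}Z auth result={result} user={user} src={src} pw={pw}"


# Constructed sample log: four sources exhibiting four behaviours.
SAMPLE_LOG = (
    # brute force: one account, a different guess every attempt
    [_rec(i, "FAIL", "alice", "10.0.0.1", f"{0x100 + i:06x}") for i in range(12)]
    # password spraying: two common passwords, each tried once per account
    + [_rec(i, "FAIL", f"user{i}", "10.0.0.2", "aaa111") for i in range(10)]
    + [_rec(i, "FAIL", f"user{i}", "10.0.0.2", "bbb222") for i in range(10)]
    # credential stuffing: each account tried once with its own leaked password
    + [_rec(i, "FAIL", f"user{i}", "10.0.0.3", f"{0x200 + i:06x}") for i in range(9)]
    + [_rec(9, "OK", "user9", "10.0.0.3", "20aa09")]   # one reused password worked
    # normal: a user mistyping their password twice
    + [_rec(i, "FAIL", "bob", "10.0.0.4", f"{0x300 + i:06x}") for i in range(2)]
    + ["garbage line that is not an auth record"]
)


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:12} {verdict}")
```

Two caveats a practitioner would add. First, real password spraying is usually distributed across many source addresses precisely to defeat per-source counting, so the same guess hash should also be counted across sources (and per ASN or user agent). Second, the successful `OK` login from the stuffing source is the record that matters for response: it identifies the account whose reused password must be reset.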