Security has its own set of acronyms and terms. Here’s an abbreviation list you will find useful for your ISO 27001 and other security work.
Security and IT – Common acronyms:

- Accept (related to risks)
These are risks you have decided, as an organisation, to accept rather than treat. So you may choose to accept that, as a US firm, the government is going to have pretty easy access to your data (ok, this is a little tongue in cheek, but you get the drift). Or you may accept that someone can photograph the screen showing your top secret document. Accepted risks still belong in the risk register, with the risk owner’s sign-off.

- Basic disclosure
These come from Disclosure Scotland, and aren’t limited to Scotland. A basic disclosure lists ‘unspent’ convictions only. Under the Rehabilitation of Offenders Act 1974 as it stood when this list was written, a custodial sentence of more than 2.5 years never became spent and always had to be declared if you were asked about your record; that threshold has since been raised, so check the current rules. Shorter sentences become ‘spent’ after a rehabilitation period, after which they no longer appear on a basic disclosure (they are not wiped from police records).
http://www.civilandcorporate.co.uk/employment-criminal-record.html
http://www.disclosurescotland.co.uk/disclosureinformation/index.htm

- BPSS background checks
The Baseline Personnel Security Standard is the UK government’s pre-employment screening standard for anyone who will have access to government assets. To comply you need:
  - a basic criminal record check (unspent convictions)
  - an identity check (e.g. passport)
  - a right-to-work check (nationality and immigration status)
  - an address check
  - verification of employment history (the standard asks for the past three years) via employer and/or qualification checks

- Controls
The safeguards (technical, physical, procedural or organisational) you put in place to treat a risk. ISO 27001 Annex A provides a catalogue of them, and your SoA records which ones you have chosen.

- DBS
Disclosure and Barring Service (DBS) checks, previously CRB checks.

- CHECK tester
A company approved by NCSC under the CHECK scheme to provide penetration testing services to UK government and the wider public sector – see the NCSC site.

- CLAS consultant
A consultant listed under the CESG Listed Adviser Scheme: an information assurance adviser approved by CESG (now NCSC) to advise public sector bodies. The scheme has since closed and NCSC runs certified consultancy schemes in its place.

- CRB
Criminal Records Bureau – see DBS.

- Gap analysis
An analysis of where you are and where you want to be, measured against the requirements of the standard and the controls in your SoA.

- IL2/3
Impact Levels from the old UK government Business Impact Level scheme (IL0 to IL6). IL2 corresponded to PROTECT, for information whose compromise might cause financial or reputational loss; IL3 corresponded to RESTRICTED, where the consequences got more serious. The scheme was replaced in 2014 by the Government Security Classifications: OFFICIAL (with the OFFICIAL-SENSITIVE handling marking), SECRET and TOP SECRET.

- ISMS
Information Security Management System. The combination of documented policies, processes and systems that describes and runs your approach to information security.

- ISO 27001
The international information security management standard, ISO/IEC 27001. The edition current when this list was written was ISO/IEC 27001:2013; it has since been superseded by ISO/IEC 27001:2022.

- ITHC
IT Health Check – UK government term for third-party technical testing of a system. This typically means a penetration test, sometimes combined with social engineering tests.

- Mitigate (related to risks)
These are risks you have reduced. So you may make your organisation less vulnerable to viruses by enforcing anti-virus scanning. This mitigates (lowers) the risk but rarely removes it; what is left is the residual risk.

- NCSC
National Cyber Security Centre, part of GCHQ and the successor to CESG.

- RMADS
Risk Management and Accreditation Document Set. A lightweight RMADS is required for OFFICIAL systems and a full RMADS for SECRET/TOP SECRET. This is a UK government standardised process which generates a document set including a description of your service, a threat assessment, the RTP and the residual risks.

- Residual Risk Statement
A statement of the risk that remains after your chosen controls have been applied, and whether the risk owner has accepted it.

- Risk Register
A list of the risks you have assessed, typically recording an owner, likelihood, impact and chosen treatment for each.

- RTP
Risk Treatment Plan. A list of your risks and what you’re going to do about each one (e.g. accept or mitigate, see above).

- SoA – Statement of Applicability
A list of the Annex A controls you have chosen to apply, with a justification for each control included and each one excluded. e.g. ‘Physical entry controls: Secure areas shall be protected by appropriate entry controls’. This will be a long list (Annex A of the 2013 edition has 114 controls).

- Security Screening
How you ensure people, and often suppliers, are trustworthy before giving them access. In the UK the baseline for government work is BPSS.

- Social engineering
Manipulating people, rather than systems, into disclosing information or taking actions that help an attacker: phishing emails, pretext phone calls, tailgating into a secure area. A social engineering test can form part of an ITHC.

- Stance
What it says! A common term used in security circles for your overall position relating to security: how much risk you are prepared to carry and how tightly you control things.

- SyOps
Security Operating Procedures: the documented rules that users and administrators of a system must follow to operate it securely.
Got more? Let us know!