Security has its own set of acronyms and terms. Here’s a list you will find useful for your ISO 27001 and other security work.
Security and IT – Common acronyms
- Accept (related to risks)
These are risks you have decided as an organisation to accept. So you may choose to accept that, as a US firm, the government is going to have pretty easy access to your data (ok, this is a little tongue in cheek, but you get the drift). Or you may accept that someone can photograph the screen showing your top secret document.
- Basic disclosure
These come from Disclosure Scotland, and aren’t limited to Scotland! It checks for any ‘unspent convictions’ (if you’ve been sentenced to more than 2.5 years this is an unspent conviction, and must always be declared if you’re asked about your record). If a sentence is for less than 2.5 years, the conviction will eventually be wiped from the public record. http://www.civilandcorporate.co.uk/employment-criminal-record.html http://www.disclosurescotland.co.uk/disclosureinformation/index.htm
- BPSS Background checks
The Baseline Personnel Security Standard is a government-inspired pre-employment screen. To comply you need: a basic criminal record check; an identity check (e.g. passport); a right to work check; an address check; and verification of 5-year history, via employment and/or qualification checks.
- Disclosure and Barring Service (DBS) checks (previously CRB)
- CHECK tester
- CLAS Consultant
- Criminal Records Bureau (CRB) – see DBS
- Gap Analysis
An analysis of where you are and where you want to be according to your SoA.
- IL2 / IL3
Old UK government protective marking scheme. IL2 was for pretty sensitive stuff that might cause financial or reputational loss; IL3 when it got more serious. This is now replaced with Official, Official Sensitive and Secret.
- ISMS
Information Security Management System. This is a combination of documented policies, processes and systems describing your approach to information security.
- ISO 27001
Information security standard, most recent variant ISO 27001:2013.
- ITHC
IT Health Check – UK government term for 3rd party technical tests. These can consist of things like pen tests or social engineering tests.
- Mitigate (related to risks)
These are risks you have reduced. So you may make your organisation less vulnerable to viruses by enforcing virus scanning. This mitigates (lowers) the risk.
- NCSC
National Cyber Security Centre.
- RMADS
Risk Management and Accreditation Document Set. A Lightweight RMADS is required for OFFICIAL; a Full RMADS is required for SECRET/TOP SECRET. This is a UK government standardised process, which generates a document including things like a description of your service, residual risks, the RTP and a threat assessment.
- Residual Risk Statement
Risks you have accepted or rejected.
- Risk Register
A list of risks you have assessed.
- RTP
Risk Treatment Protocol. A list of your risks, and what you’re going to do about them.
- SoA – Statement of Applicability
A list of the controls you have chosen to apply, e.g. ‘Physical entry controls: Secure areas shall be protected by appropriate entry controls’. This will be a long list.
- Security Screening
How you ensure people, and often suppliers, are secure. In the UK there is BPSS.
- Social engineering
What it says! A common term used in security circles to define your position relating to security.
System operator manuals related to security processes and protocols.
An NCSC-approved company that provides penetration testing services – see the NCSC site.
Got more? Let us know!