Term 211
Risk management
Risk management is the process of identifying, assessing, and controlling threats to an organization's capital, earnings, and operations, including IT systems and data.
Acronym study
Terms 211–240 of 295 CISSP acronyms and key terms. Each entry includes a plain-English definition and a link to the full 800-word glossary page with exam context and practice questions.
Term 212
Risk mitigation is the process of reducing the likelihood or impact of a potential security threat to an acceptable level through specific controls and actions.
Term 213
A risk register is a formal document that lists and tracks all identified risks to an IT project, system, or organization, including their assessed impact, probability, and planned responses.
Term 214
A risk score is a numerical value that represents the level of risk associated with a given asset, threat, or vulnerability in a security context.
Term 215
Risk tolerance is the amount of risk an organization or individual is willing to accept in pursuit of its objectives, defining the boundary between acceptable and unacceptable losses.
Term 216
Risk transfer is the practice of shifting the financial burden of a potential loss to another party, typically through insurance or contracts.
Term 217
Risk-based access is a security model that dynamically adjusts access permissions based on the assessed risk of each access request, rather than granting a static level of access to all users.
Term 218
Risk-based vulnerability management is a cybersecurity approach that prioritizes the fixing of security weaknesses based on the level of risk they pose to an organization's specific environment, rather than just addressing all vulnerabilities in the order they are found.
Term 219
Rule-based access control (RuBAC) is a method of managing access to resources by evaluating a set of predefined rules that combine conditions such as time, location, device, and user attributes to allow or deny access.
Term 220
An S3 bucket policy is a JSON-based resource-based access control document that defines who can access an Amazon S3 bucket and its objects, and what actions they can perform.
Term 221
An S3 lifecycle policy is a set of rules that automatically transitions objects between storage classes or deletes them after a specified time to optimize cost and manage data lifecycles.
Term 222
A safeguard is a control, measure, or action designed to protect an organization's assets from threats, vulnerabilities, and risks.
Term 223
Security Assertion Markup Language (SAML) is an open standard that allows one system to securely tell another system that a user is who they say they are, without sharing the user's password.
Term 224
The Software Development Life Cycle (SDLC) is a structured process used by IT teams to plan, create, test, and deploy software in a reliable and organized way.
Term 225
Secure coding is the practice of writing software in a way that protects it from vulnerabilities and attacks by following security best practices throughout the development process.
Term 226
A secure enclave is a dedicated, isolated hardware component within a processor that protects sensitive data and code from unauthorized access, even if the main operating system is compromised.
Term 227
Security in IT is the practice of protecting systems, networks, and data from unauthorized access, damage, or theft.
Term 228
A security assessment is a systematic evaluation of an organization's systems, networks, and applications to identify vulnerabilities, threats, and risks, and to recommend improvements.
Term 229
Security awareness is the ongoing practice of educating people within an organization about cybersecurity risks, safe behaviors, and their individual responsibilities to protect information assets.
Term 230
A security baseline is a documented minimum set of security configurations and settings that must be applied to a system, device, or network to ensure a known secure starting point.
Term 231
Security Command Center is a centralized cloud security management platform that helps organizations detect, investigate, and respond to threats across their cloud infrastructure.
Term 232
A security control is a safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of information systems and data.
Term 233
Security defaults is a set of basic security settings in Microsoft Entra ID that automatically enable common protections, such as multifactor authentication, for all users in a tenant.
Term 234
Security governance is the framework of rules, policies, and processes that an organization uses to align its cybersecurity activities with its business goals and legal obligations.
Term 235
A security group is a virtual firewall that controls inbound and outbound traffic to AWS resources, such as EC2 instances, based on defined rules.
Term 236
Security Hub is a cloud security posture management service that aggregates and prioritizes security alerts and compliance checks from multiple AWS services into a single place.
Term 237
The security kernel is the core, trusted part of an operating system that enforces access control and security policies for all system operations.
Term 238
Security misconfiguration occurs when security settings are defined, implemented, or maintained incorrectly, leaving systems, applications, or networks vulnerable to unauthorized access or data breaches.
Term 239
A security model is a formal framework that defines how subjects (users, processes) can access objects (files, resources) based on rules, ensuring confidentiality, integrity, and availability.
Term 240
A Security Operations Center (SOC) is a centralized team and facility that monitors, detects, analyzes, and responds to cybersecurity incidents across an organization's IT environment 24/7.