Cyber and compliance glossary
Clear, actionable definitions of the key terms in cybersecurity, risk management and compliance, with the FortaRisks resources to go further.
Compliance and regulation
DORA
DORA (Digital Operational Resilience Act) is the European regulation that imposes digital operational resilience on the financial sector. It harmonizes ICT risk management, incident reporting, resilience testing and oversight of critical ICT third-party providers, and has applied since January 2025.
Gap analysis
A gap analysis compares an organization's current state against a target framework or objective to identify the gaps to close. In cybersecurity and compliance, it is the starting point of any program: it turns an abstract standard into a prioritized list of actions.
GDPR
The GDPR (General Data Protection Regulation) is the European regulation that governs the processing of personal data. It imposes strict principles (lawfulness, minimization, transparency), rights for individuals and penalties of up to 20 million euros or 4% of worldwide turnover.
ISO 27001
ISO 27001 is the leading international standard for setting up an information security management system (ISMS). It defines a risk-based approach, governance requirements and a set of security controls, and allows certification by an accredited body.
Law 25 (Quebec)
Law 25 is Quebec's modernized privacy legislation. It imposes strict obligations on any organization that handles the personal information of Quebec residents: consent, transparency, governance, breach notification and penalties of up to 25 million dollars or 4% of worldwide turnover.
NIS2
NIS2 is the European cybersecurity directive that replaces the 2016 NIS directive. It expands the sectors in scope, strengthens risk-management obligations, imposes tight incident-notification deadlines and holds senior management directly accountable.
NIST CSF 2.0
The NIST Cybersecurity Framework (CSF) 2.0 is a voluntary cyber risk-management framework published by the US agency NIST. It organizes cybersecurity into six functions (Govern, Identify, Protect, Detect, Respond, Recover) and serves as a common language to assess and steer maturity across any sector.
SOC 2
SOC 2 is a North American audit framework that attests to how well a service provider controls its customers' data. It rests on five trust criteria (security, availability, processing integrity, confidentiality, privacy) and produces an independent Type I or Type II audit report.
Third-party and supply-chain risk
SBOM (Software Bill of Materials)
An SBOM (Software Bill of Materials) is the complete, structured inventory of the components, libraries and dependencies that make up a piece of software. It works like a list of ingredients: without one, an organization cannot quickly tell whether a vulnerable component is hiding in what it uses.
TPRM (Third-Party Risk Management)
TPRM (Third-Party Risk Management) is the discipline of continuously identifying, assessing and monitoring the cyber, operational, financial and compliance risks that an organization's suppliers, service providers and partners introduce. Third-party exposure is now one of the leading breach vectors.
Threat intelligence
CISA KEV
The CISA KEV (Known Exploited Vulnerabilities) is the public catalog of vulnerabilities with confirmed exploitation in the wild, published by the US cybersecurity agency CISA. Unlike predictive scores, it lists only flaws actually used by attackers, which makes it a first-order prioritization signal.
CTI (Cyber Threat Intelligence)
CTI (Cyber Threat Intelligence) is the discipline of collecting, analyzing and turning threat data into actionable intelligence. It informs decisions at three levels: strategic (leadership), operational (campaigns and actors) and tactical (indicators and techniques), so you can anticipate rather than react.
CVE
A CVE (Common Vulnerabilities and Exposures) is the public, unique identifier assigned to a known security vulnerability. The CVE system, maintained by MITRE and supported by CISA, gives each flaw a common name (for example CVE-2024-3094) so that everyone refers to the same thing.
CVSS
The CVSS (Common Vulnerability Scoring System) is the open standard that assigns a vulnerability a severity score from 0 to 10. It breaks severity into objective criteria (attack vector, complexity, impact) to compare flaws on a common scale, independent of the vendor.
EPSS
EPSS (Exploit Prediction Scoring System) is a model that estimates the probability a vulnerability will be exploited within the next 30 days. Expressed as a percentage from 0 to 100%, it complements CVSS by answering not 'how severe?' but 'how likely is a real attack?'.
IOC (Indicator of Compromise)
An IOC (Indicator of Compromise) is an observable technical artifact that betrays the likely presence of an attack: a malicious file hash, a suspicious IP or domain, a URL, a registry key. IOCs feed detection and incident response, but remain volatile signals that attackers change easily.
MITRE ATT&CK
MITRE ATT&CK is a public knowledge base cataloging the tactics, techniques and procedures (TTPs) attackers actually use. Organized into matrices, it serves as a common language to describe adversary behavior, design detection and assess defensive coverage.
STIX / TAXII
STIX and TAXII are the open standards of threat-intelligence sharing. STIX is a structured language to describe threats (indicators, actors, campaigns and their relationships); TAXII is the protocol that transports that data between systems. Together they enable machine-to-machine exchange of cyber intelligence.
Zero-day
A zero-day vulnerability is a security flaw unknown to the vendor or with no available patch at the time it is exploited. Defenders have zero days to prepare: the attack precedes the fix, which makes it one of the hardest threats to counter.
Governance and risk management
Business continuity plan (BCP)
A business continuity plan (BCP) is the set of procedures that lets an organization maintain or restore its essential activities during and after a major disruption. It documents who does what, in what order and with what resources, to avoid improvising in a crisis.
Cyber insurance
Cyber insurance is a contract that covers all or part of the financial consequences of a cyber incident: response costs, business interruption, extortion, third-party liability. It is a risk-transfer tool, complementary to but never a substitute for security controls.
Cyber risk mapping
Cyber risk mapping is the exercise of identifying, assessing and ranking an organization's digital risks by tying them to its critical assets and processes. It turns a diffuse threat into a prioritized view, the basis of every cybersecurity investment decision.
Cybersecurity operating model
A cybersecurity operating model describes how an organization structures and runs its security day to day: roles, responsibilities, processes, decisions and interactions. It connects the security strategy to its concrete execution, so cybersecurity works as a coherent system rather than a pile of tools.
Operational resilience
Operational resilience is an organization's ability to keep delivering its essential services despite a severe disruption: cyberattack, outage, supplier failure. It goes beyond IT recovery by aiming for the continuity of critical functions from the customer's point of view.
Risk appetite
Risk appetite is the level of risk an organization is willing to take to achieve its objectives. Defined by leadership, it acts as a compass: it indicates which risks to reduce first and which to tolerate, and frames security decisions so that controls are neither over- nor under-invested.
Risk assessment
A risk assessment is the process of identifying the threats to an organization's assets, evaluating their likelihood and impact, and deciding how to treat them. It is the methodological core of risk management and a central requirement of standards such as ISO 27001.
RTO / RPO
The RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are the two key metrics of a recovery plan. The RTO sets the maximum acceptable time to restore a service; the RPO sets the maximum acceptable data loss, expressed as the time elapsed since the last recoverable copy. Together they size the continuity and backup strategy.
Attacks and incidents
Business Email Compromise (BEC)
Business Email Compromise (BEC), also known as CEO fraud, is a scam that impersonates an executive, supplier or partner to obtain a fraudulent transfer or sensitive information. With no malware involved, it relies on manipulation and evades classic technical defenses.
Data exfiltration
Data exfiltration is the unauthorized transfer of information out of an organization's systems by an attacker. It is often the final objective of an intrusion and the core of modern double-extortion attacks, where stolen data becomes blackmail leverage.
EASM (External Attack Surface Management)
EASM (External Attack Surface Management) is the continuous discovery and monitoring of all of an organization's internet-facing assets: domains, servers, services, APIs, forgotten assets. It takes the attacker's point of view to reveal what is truly visible and exploitable from outside.
EDR
EDR (Endpoint Detection and Response) is a security technology that continuously monitors endpoints and servers to detect malicious behavior, alert and enable a response. Unlike signature-based antivirus, it relies on behavioral analysis to spot unknown attacks.
Lateral movement
Lateral movement is the phase where an attacker, after gaining an initial foothold, progresses through the network to reach higher-value systems and data. It is often the step that turns an isolated intrusion into a major compromise.
Living off the land (LOLBins)
Living off the land refers to a technique where the attacker uses the legitimate tools already present on the system (PowerShell, WMI, admin utilities) rather than bringing their own malware. By blending into normal activity, they evade defenses based on detecting malicious files.
Phishing
Phishing is an attack that manipulates a person into revealing sensitive information or performing a dangerous action, by impersonating a trusted party. It is the most widespread intrusion vector, now amplified by artificial intelligence.
Ransomware
Ransomware is malicious software that encrypts a victim's data to demand a ransom in exchange for its return. Modern campaigns often add exfiltration and the threat of disclosure (double extortion), making it one of the most costly threats to organizations.