- term: Assessment definition: (1) the process of determining whether an outcome meets the actor's intent; or (2) an atomic process within an Evaluation used to determine a resource's Compliance with an Assessment Requirement references: ["Layer 5"] - term: Assessment Requirement definition: a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator references: ["Layer 2"] - term: Audit definition: a formal, opinionated review of an organization's Policies and posture, conducted at a specific point in time to verify that established requirements are met references: ["Layer 7"] - term: Behavior Evaluation definition: an opinionated observation of simulated or real-world activities references: ["Layer 5"] - term: Capability definition: a feature or function of a system; the primary component comprising an attack surface references: ["Layer 2"] - term: Catalog definition: a structured set of related prose and relevant metadata references: ["Layer 1", "Layer 2", "Layer 3"] - term: Continuous Monitoring definition: a multi-system process designed to collect Evaluation and operational data on an ongoing basis to better detect malicious action and non-compliance, enable Remediative Enforcement, and observe trends over time references: ["Layer 7"] - term: Control definition: (1) an organization's ability to fully assert desired state on a system, resource, or state; or (2) a mechanism, such as a safeguard or countermeasure, that asserts desired state; or (3) prose describing the Objective and Assessment Requirements associated with a desired state references: ["Layer 2"] - term: Compliance definition: adherence to a Rule or set of Rules references: [] - term: Evaluation definition: the manual or automated process of forming an opinion on the state of Compliance, guided by a set of Assessment Requirements references: ["Layer 5"] - term: Enforcement definition: an action taken in response to non-compliance findings and their causes references: ["Layer 6"] - term: Evaluation Finding definition: the evidence and opinionated result of an Assessment references: ["Layer 5"] - term: Guidance definition: prose intended to help bring about a desired outcome for a topic or generalized scenario, based on knowledge of relevant Vectors references: ["Layer 1"] - term: Guideline definition: atomic element of a Guidance Catalog; often includes explanatory context and recommendations for designing optimal implementations references: ["Layer 1"] - term: GRC definition: (1) the Governance, Risk, and Compliance domain within the cybersecurity field; or (2) a coordinated program dedicated to these elements within a business unit references: [] - term: Governance definition: strategic oversight of an organization and its activities references: [] - term: Intent Evaluation definition: an Evaluation ensuring that a resource is prepared in alignment with Policy, such as through proper training, configuration, or code references: ["Layer 5"] - term: Organization definition: any logical grouping of human, physical, virtual, and information resources such as a company, business unit, or team references: ["Layer 3"] - term: Threat definition: a circumstance or event where the concepts of a vector are applied to a Capability in a specific context, resulting in the potential for negative impact references: ["Layer 2"] - term: Objective definition: a unified statement of intent, which may encompass multiple situationally applicable statements or requirements references: ["Layer 2"] - term: Opinion definition: a firmly held approximation of reality formed within the constraints of an evaluator's philosophy, perspective, and capabilities references: ["Layer 5", "Layer 6", "Layer 7"] - term: Policy definition: a clearly-scoped set of rules based on an organization's Risk Appetite references: ["Layer 3"] - term: Preventive Enforcement definition: any action that interrupts another process which would otherwise cause non-compliance references: ["Layer 6"] - term: Remediative Enforcement definition: corrective action in response to non-compliance in a deployed activity references: ["Layer 6"] - term: Residual Risk definition: the Risk remaining after Risk Mitigation and Enforcement actions have been implemented references: ["Layer 3"] - term: Risk definition: the potential for loss or damage when a Threat is actualized, determined by calculating the impact of an event to an organization and the likelihood of its occurrence references: ["Layer 3"] - term: Risk Catalog definition: a group of related Risks relevant to an organization; used to determine when and how Policies are created for the organization references: ["Layer 3"] - term: Risk Appetite definition: the level of Risk an organization is willing to accept in pursuit of its objectives references: ["Layer 3"] - term: Risk Assessment definition: the process of identifying the potential or actual Risks introduced by a system references: ["Layer 3"] - term: Risk Mitigation definition: the process of developing actions to prevent Threats or reduce their impact on organization objectives references: ["Layer 3"] - term: Risk Acceptance definition: a clearly documented decision to accept an unmitigated Risk as necessary or unavoidable references: ["Layer 3"] - term: Rule definition: an active, enforceable Policy, regulation, or law references: ["Layer 1", "Layer 2", "Layer 3"] - term: Sensitive Activity definition: a type of action that introduces Risk to an organization references: ["Layer 4"] - term: Vector definition: (1) an opportunity for an attacker to exploit a vulnerability in the system; or (2) a path by which neglect could result in unintentional negative outcomes references: ["Layer 1"] - term: Vulnerability definition: (1) a weakness in a system inherent in or associated with a Capability that can be exploited when used in unintended ways; or (2) a lack of Control or gap in defense, introduced intentionally or unintentionally, which can be leveraged to cause harm references: ["Layer 2", "Layer 4"]