title: Gemara Lexicon
metadata:
  id: gemara-lexicon
  type: Lexicon
  gemara-version: "1.0.0"
  description: Controlled vocabulary for the Gemara project
  author:
    id: geamra-maintainers
    name: Gemara Maintainers
    type: Human
terms:
  - id: assessment
    title: Assessment
    definition: >
      (1) the process of determining whether an outcome meets the actor's intent;
      or (2) an atomic process within an Evaluation used to determine a resource's
      Compliance with an Assessment Requirement
    references:
      - citation: Layer 5
  - id: assessment-requirement
    title: Assessment Requirement
    definition: >
      a tightly scoped, verifiable condition that must be satisfied and confirmed
      by an evaluator
    references:
      - citation: Layer 2
  - id: audit
    title: Audit
    definition: >
      a formal, opinionated review of an organization's Policies and posture,
      conducted at a specific point in time to verify that established requirements
      are met
    references:
      - citation: Layer 7
  - id: behavior-evaluation
    title: Behavior Evaluation
    definition: an opinionated observation of simulated or real-world activities
    references:
      - citation: Layer 5
  - id: capability
    title: Capability
    definition: >
      a feature or function of a system; the primary component comprising an
      attack surface
    references:
      - citation: Layer 2
  - id: catalog
    title: Catalog
    definition: a structured set of related prose and relevant metadata
    references:
      - citation: Layer 1
      - citation: Layer 2
      - citation: Layer 3
  - id: continuous-monitoring
    title: Continuous Monitoring
    definition: >
      a multi-system process designed to collect Evaluation and operational data
      on an ongoing basis to better detect malicious action and non-compliance,
      enable Remediative Enforcement, and observe trends over time
    references:
      - citation: Layer 7
  - id: control
    title: Control
    definition: >
      (1) an organization's ability to fully assert desired state on a system,
      resource, or state; or (2) a mechanism, such as a safeguard or
      countermeasure, that asserts desired state; or (3) prose describing the
      Objective and Assessment Requirements associated with a desired state
    references:
      - citation: Layer 2
  - id: compliance
    title: Compliance
    definition: adherence to a Rule or set of Rules
  - id: evaluation
    title: Evaluation
    definition: >
      the manual or automated process of forming an opinion on the state of
      Compliance, guided by a set of Assessment Requirements
    references:
      - citation: Layer 5
  - id: enforcement
    title: Enforcement
    definition: >
      an action taken in response to non-compliance findings and their causes
    references:
      - citation: Layer 6
  - id: evaluation-finding
    title: Evaluation Finding
    definition: the evidence and opinionated result of an Assessment
    references:
      - citation: Layer 5
  - id: guidance
    title: Guidance
    definition: >
      prose intended to help bring about a desired outcome for a topic or
      generalized scenario, based on knowledge of relevant Vectors
    references:
      - citation: Layer 1
  - id: guideline
    title: Guideline
    definition: >
      atomic element of a Guidance Catalog; often includes explanatory context
      and recommendations for designing optimal implementations
    references:
      - citation: Layer 1
  - id: grc
    title: GRC
    definition: >
      (1) the Governance, Risk, and Compliance domain within the cybersecurity
      field; or (2) a coordinated program dedicated to these elements within a
      business unit
  - id: governance
    title: Governance
    definition: strategic oversight of an organization and its activities
  - id: intent-evaluation
    title: Intent Evaluation
    definition: >
      an Evaluation ensuring that a resource is prepared in alignment with Policy,
      such as through proper training, configuration, or code
    references:
      - citation: Layer 5
  - id: organization
    title: Organization
    definition: >
      any logical grouping of human, physical, virtual, and information resources
      such as a company, business unit, or team
    references:
      - citation: Layer 3
  - id: threat
    title: Threat
    definition: >
      a circumstance or event where the concepts of a vector are applied to a
      Capability in a specific context, resulting in the potential for negative
      impact
    references:
      - citation: Layer 2
  - id: objective
    title: Objective
    definition: >
      a unified statement of intent, which may encompass multiple situationally
      applicable statements or requirements
    references:
      - citation: Layer 2
  - id: opinion
    title: Opinion
    definition: >
      a firmly held approximation of reality formed within the constraints of an
      evaluator's philosophy, perspective, and capabilities
    references:
      - citation: Layer 5
      - citation: Layer 6
      - citation: Layer 7
  - id: policy
    title: Policy
    definition: a clearly-scoped set of rules based on an organization's Risk Appetite
    references:
      - citation: Layer 3
  - id: preventive-enforcement
    title: Preventive Enforcement
    definition: >
      any action that interrupts another process which would otherwise cause
      non-compliance
    references:
      - citation: Layer 6
  - id: remediative-enforcement
    title: Remediative Enforcement
    definition: corrective action in response to non-compliance in a deployed activity
    references:
      - citation: Layer 6
  - id: residual-risk
    title: Residual Risk
    definition: >
      the Risk remaining after Risk Mitigation and Enforcement actions have been
      implemented
    references:
      - citation: Layer 3
  - id: risk
    title: Risk
    definition: >
      the potential for loss or damage when a Threat is actualized, determined by
      calculating the impact of an event to an organization and the likelihood of
      its occurrence
    references:
      - citation: Layer 3
  - id: risk-catalog
    title: Risk Catalog
    definition: >
      a group of related Risks relevant to an organization; used to determine
      when and how Policies are created for the organization
    references:
      - citation: Layer 3
  - id: risk-appetite
    title: Risk Appetite
    definition: >
      the level of Risk an organization is willing to accept in pursuit of its
      objectives
    references:
      - citation: Layer 3
  - id: risk-assessment
    title: Risk Assessment
    definition: >
      the process of identifying the potential or actual Risks introduced by a
      system
    references:
      - citation: Layer 3
  - id: risk-mitigation
    title: Risk Mitigation
    definition: >
      the process of developing actions to prevent Threats or reduce their impact
      on organization objectives
    references:
      - citation: Layer 3
  - id: risk-acceptance
    title: Risk Acceptance
    definition: >
      a clearly documented decision to accept an unmitigated Risk as necessary or
      unavoidable
    references:
      - citation: Layer 3
  - id: rule
    title: Rule
    definition: an active, enforceable Policy, regulation, or law
    references:
      - citation: Layer 1
      - citation: Layer 2
      - citation: Layer 3
  - id: sensitive-activity
    title: Sensitive Activity
    definition: a type of action that introduces Risk to an organization
    references:
      - citation: Layer 4
  - id: vector
    title: Vector
    definition: >
      (1) an opportunity for an attacker to exploit a vulnerability in the system;
      or (2) a path by which neglect could result in unintentional negative
      outcomes
    references:
      - citation: Layer 1
  - id: vulnerability
    title: Vulnerability
    definition: >
      (1) a weakness in a system inherent in or associated with a Capability that
      can be exploited when used in unintended ways; or (2) a lack of Control or
      gap in defense, introduced intentionally or unintentionally, which can be
      leveraged to cause harm
    references:
      - citation: Layer 2
      - citation: Layer 4