  1title: Gemara Lexicon
  2metadata:
  3  id: gemara-lexicon
  4  type: Lexicon
  5  gemara-version: "1.0.0"
  6  description: Controlled vocabulary for the Gemara project
  7  author:
  8    id: geamra-maintainers
  9    name: Gemara Maintainers
 10    type: Human
 11terms:
 12  - id: assessment
 13    title: Assessment
 14    definition: >
 15      (1) the process of determining whether an outcome meets the actor's intent;
 16      or (2) an atomic process within an Evaluation used to determine a resource's
 17      Compliance with an Assessment Requirement
 18    references:
 19      - citation: Layer 5
 20  - id: assessment-requirement
 21    title: Assessment Requirement
 22    definition: >
 23      a tightly scoped, verifiable condition that must be satisfied and confirmed
 24      by an evaluator
 25    references:
 26      - citation: Layer 2
 27  - id: audit
 28    title: Audit
 29    definition: >
 30      a formal, opinionated review of an organization's Policies and posture,
 31      conducted at a specific point in time to verify that established requirements
 32      are met
 33    references:
 34      - citation: Layer 7
 35  - id: behavior-evaluation
 36    title: Behavior Evaluation
 37    definition: an opinionated observation of simulated or real-world activities
 38    references:
 39      - citation: Layer 5
 40  - id: capability
 41    title: Capability
 42    definition: >
 43      a feature or function of a system; the primary component comprising an
 44      attack surface
 45    references:
 46      - citation: Layer 2
 47  - id: catalog
 48    title: Catalog
 49    definition: a structured set of related prose and relevant metadata
 50    references:
 51      - citation: Layer 1
 52      - citation: Layer 2
 53      - citation: Layer 3
 54  - id: continuous-monitoring
 55    title: Continuous Monitoring
 56    definition: >
 57      a multi-system process designed to collect Evaluation and operational data
 58      on an ongoing basis to better detect malicious action and non-compliance,
 59      enable Remediative Enforcement, and observe trends over time
 60    references:
 61      - citation: Layer 7
 62  - id: control
 63    title: Control
 64    definition: >
 65      (1) an organization's ability to fully assert desired state on a system,
 66      resource, or state; or (2) a mechanism, such as a safeguard or
 67      countermeasure, that asserts desired state; or (3) prose describing the
 68      Objective and Assessment Requirements associated with a desired state
 69    references:
 70      - citation: Layer 2
 71  - id: compliance
 72    title: Compliance
 73    definition: adherence to a Rule or set of Rules
 74  - id: evaluation
 75    title: Evaluation
 76    definition: >
 77      the manual or automated process of forming an opinion on the state of
 78      Compliance, guided by a set of Assessment Requirements
 79    references:
 80      - citation: Layer 5
 81  - id: enforcement
 82    title: Enforcement
 83    definition: >
 84      an action taken in response to non-compliance findings and their causes
 85    references:
 86      - citation: Layer 6
 87  - id: evaluation-finding
 88    title: Evaluation Finding
 89    definition: the evidence and opinionated result of an Assessment
 90    references:
 91      - citation: Layer 5
 92  - id: guidance
 93    title: Guidance
 94    definition: >
 95      prose intended to help bring about a desired outcome for a topic or
 96      generalized scenario, based on knowledge of relevant Vectors
 97    references:
 98      - citation: Layer 1
 99  - id: guideline
100    title: Guideline
101    definition: >
102      atomic element of a Guidance Catalog; often includes explanatory context
103      and recommendations for designing optimal implementations
104    references:
105      - citation: Layer 1
106  - id: grc
107    title: GRC
108    definition: >
109      (1) the Governance, Risk, and Compliance domain within the cybersecurity
110      field; or (2) a coordinated program dedicated to these elements within a
111      business unit
112  - id: governance
113    title: Governance
114    definition: strategic oversight of an organization and its activities
115  - id: intent-evaluation
116    title: Intent Evaluation
117    definition: >
118      an Evaluation ensuring that a resource is prepared in alignment with Policy,
119      such as through proper training, configuration, or code
120    references:
121      - citation: Layer 5
122  - id: organization
123    title: Organization
124    definition: >
125      any logical grouping of human, physical, virtual, and information resources
126      such as a company, business unit, or team
127    references:
128      - citation: Layer 3
129  - id: threat
130    title: Threat
131    definition: >
132      a circumstance or event where the concepts of a vector are applied to a
133      Capability in a specific context, resulting in the potential for negative
134      impact
135    references:
136      - citation: Layer 2
137  - id: objective
138    title: Objective
139    definition: >
140      a unified statement of intent, which may encompass multiple situationally
141      applicable statements or requirements
142    references:
143      - citation: Layer 2
144  - id: opinion
145    title: Opinion
146    definition: >
147      a firmly held approximation of reality formed within the constraints of an
148      evaluator's philosophy, perspective, and capabilities
149    references:
150      - citation: Layer 5
151      - citation: Layer 6
152      - citation: Layer 7
153  - id: policy
154    title: Policy
155    definition: a clearly-scoped set of rules based on an organization's Risk Appetite
156    references:
157      - citation: Layer 3
158  - id: preventive-enforcement
159    title: Preventive Enforcement
160    definition: >
161      any action that interrupts another process which would otherwise cause
162      non-compliance
163    references:
164      - citation: Layer 6
165  - id: remediative-enforcement
166    title: Remediative Enforcement
167    definition: corrective action in response to non-compliance in a deployed activity
168    references:
169      - citation: Layer 6
170  - id: residual-risk
171    title: Residual Risk
172    definition: >
173      the Risk remaining after Risk Mitigation and Enforcement actions have been
174      implemented
175    references:
176      - citation: Layer 3
177  - id: risk
178    title: Risk
179    definition: >
180      the potential for loss or damage when a Threat is actualized, determined by
181      calculating the impact of an event to an organization and the likelihood of
182      its occurrence
183    references:
184      - citation: Layer 3
185  - id: risk-catalog
186    title: Risk Catalog
187    definition: >
188      a group of related Risks relevant to an organization; used to determine
189      when and how Policies are created for the organization
190    references:
191      - citation: Layer 3
192  - id: risk-appetite
193    title: Risk Appetite
194    definition: >
195      the level of Risk an organization is willing to accept in pursuit of its
196      objectives
197    references:
198      - citation: Layer 3
199  - id: risk-assessment
200    title: Risk Assessment
201    definition: >
202      the process of identifying the potential or actual Risks introduced by a
203      system
204    references:
205      - citation: Layer 3
206  - id: risk-mitigation
207    title: Risk Mitigation
208    definition: >
209      the process of developing actions to prevent Threats or reduce their impact
210      on organization objectives
211    references:
212      - citation: Layer 3
213  - id: risk-acceptance
214    title: Risk Acceptance
215    definition: >
216      a clearly documented decision to accept an unmitigated Risk as necessary or
217      unavoidable
218    references:
219      - citation: Layer 3
220  - id: rule
221    title: Rule
222    definition: an active, enforceable Policy, regulation, or law
223    references:
224      - citation: Layer 1
225      - citation: Layer 2
226      - citation: Layer 3
227  - id: sensitive-activity
228    title: Sensitive Activity
229    definition: a type of action that introduces Risk to an organization
230    references:
231      - citation: Layer 4
232  - id: vector
233    title: Vector
234    definition: >
235      (1) an opportunity for an attacker to exploit a vulnerability in the system;
236      or (2) a path by which neglect could result in unintentional negative
237      outcomes
238    references:
239      - citation: Layer 1
240  - id: vulnerability
241    title: Vulnerability
242    definition: >
243      (1) a weakness in a system inherent in or associated with a Capability that
244      can be exploited when used in unintended ways; or (2) a lack of Control or
245      gap in defense, introduced intentionally or unintentionally, which can be
246      leveraged to cause harm
247    references:
248      - citation: Layer 2
249      - citation: Layer 4