title: Gemara Lexicon
metadata:
  id: gemara-lexicon
  type: Lexicon
  gemara-version: "1.0.0"
  description: Controlled vocabulary for the Gemara project
  author:
    id: geamra-maintainers
    name: Gemara Maintainers
    type: Human
terms:
  - id: assessment
    title: Assessment
    definition: >
      (1) the process of determining whether an outcome meets the actor's intent; or
      (2) an atomic process within an Evaluation used to determine a resource's
      Compliance with an Assessment Requirement
    references:
      - citation: Layer 5
  - id: assessment-requirement
    title: Assessment Requirement
    definition: >
      a tightly scoped, verifiable condition that must be satisfied and confirmed
      by an evaluator
    references:
      - citation: Layer 2
  - id: audit
    title: Audit
    definition: >
      a formal, opinionated review of an organization's Policies and posture,
      conducted at a specific point in time to verify that established
      requirements are met
    references:
      - citation: Layer 7
  - id: behavior-evaluation
    title: Behavior Evaluation
    definition: an opinionated observation of simulated or real-world activities
    references:
      - citation: Layer 5
  - id: capability
    title: Capability
    definition: >
      a feature or function of a system; the primary component comprising an
      attack surface
    references:
      - citation: Layer 2
  - id: catalog
    title: Catalog
    definition: a structured set of related prose and relevant metadata
    references:
      - citation: Layer 1
      - citation: Layer 2
      - citation: Layer 3
  - id: continuous-monitoring
    title: Continuous Monitoring
    definition: >
      a multi-system process designed to collect Evaluation and operational data
      on an ongoing basis to better detect malicious action and non-compliance,
      enable Remediative Enforcement, and observe trends over time
    references:
      - citation: Layer 7
  - id: control
    title: Control
    definition: >
      (1) an organization's ability to fully assert desired state on a system,
      resource, or state; or
      (2) a mechanism, such as a safeguard or countermeasure, that asserts
      desired state; or
      (3) prose describing the Objective and Assessment Requirements associated
      with a desired state
    references:
      - citation: Layer 2
  - id: compliance
    title: Compliance
    definition: adherence to a Rule or set of Rules
  - id: evaluation
    title: Evaluation
    definition: >
      the manual or automated process of forming an opinion on the state of
      Compliance, guided by a set of Assessment Requirements
    references:
      - citation: Layer 5
  - id: enforcement
    title: Enforcement
    definition: >
      an action taken in response to non-compliance findings and their causes
    references:
      - citation: Layer 6
  - id: evaluation-finding
    title: Evaluation Finding
    definition: the evidence and opinionated result of an Assessment
    references:
      - citation: Layer 5
  - id: guidance
    title: Guidance
    definition: >
      prose intended to help bring about a desired outcome for a topic or
      generalized scenario, based on knowledge of relevant Vectors
    references:
      - citation: Layer 1
  - id: guideline
    title: Guideline
    definition: >
      atomic element of a Guidance Catalog; often includes explanatory context
      and recommendations for designing optimal implementations
    references:
      - citation: Layer 1
  - id: grc
    title: GRC
    definition: >
      (1) the Governance, Risk, and Compliance domain within the cybersecurity
      field; or
      (2) a coordinated program dedicated to these elements within a business unit
  - id: governance
    title: Governance
    definition: strategic oversight of an organization and its activities
  - id: intent-evaluation
    title: Intent Evaluation
    definition: >
      an Evaluation ensuring that a resource is prepared in alignment with
      Policy, such as through proper training, configuration, or code
    references:
      - citation: Layer 5
  - id: organization
    title: Organization
    definition: >
      any logical grouping of human, physical, virtual, and information
      resources such as a company, business unit, or team
    references:
      - citation: Layer 3
  - id: threat
    title: Threat
    definition: >
      a circumstance or event where the concepts of a vector are applied to a
      Capability in a specific context, resulting in the potential for negative
      impact
    references:
      - citation: Layer 2
  - id: objective
    title: Objective
    definition: >
      a unified statement of intent, which may encompass multiple situationally
      applicable statements or requirements
    references:
      - citation: Layer 2
  - id: opinion
    title: Opinion
    definition: >
      a firmly held approximation of reality formed within the constraints of an
      evaluator's philosophy, perspective, and capabilities
    references:
      - citation: Layer 5
      - citation: Layer 6
      - citation: Layer 7
  - id: policy
    title: Policy
    definition: a clearly-scoped set of rules based on an organization's Risk Appetite
    references:
      - citation: Layer 3
  - id: preventive-enforcement
    title: Preventive Enforcement
    definition: >
      any action that interrupts another process which would otherwise cause
      non-compliance
    references:
      - citation: Layer 6
  - id: remediative-enforcement
    title: Remediative Enforcement
    definition: corrective action in response to non-compliance in a deployed activity
    references:
      - citation: Layer 6
  - id: residual-risk
    title: Residual Risk
    definition: >
      the Risk remaining after Risk Mitigation and Enforcement actions have been
      implemented
    references:
      - citation: Layer 3
  - id: risk
    title: Risk
    definition: >
      the potential for loss or damage when a Threat is actualized, determined by
      calculating the impact of an event to an organization and the likelihood
      of its occurrence
    references:
      - citation: Layer 3
  - id: risk-catalog
    title: Risk Catalog
    definition: >
      a group of related Risks relevant to an organization; used to determine
      when and how Policies are created for the organization
    references:
      - citation: Layer 3
  - id: risk-appetite
    title: Risk Appetite
    definition: >
      the level of Risk an organization is willing to accept in pursuit of its
      objectives
    references:
      - citation: Layer 3
  - id: risk-assessment
    title: Risk Assessment
    definition: >
      the process of identifying the potential or actual Risks introduced by a
      system
    references:
      - citation: Layer 3
  - id: risk-mitigation
    title: Risk Mitigation
    definition: >
      the process of developing actions to prevent Threats or reduce their impact
      on organization objectives
    references:
      - citation: Layer 3
  - id: risk-acceptance
    title: Risk Acceptance
    definition: >
      a clearly documented decision to accept an unmitigated Risk as necessary or
      unavoidable
    references:
      - citation: Layer 3
  - id: rule
    title: Rule
    definition: an active, enforceable Policy, regulation, or law
    references:
      - citation: Layer 1
      - citation: Layer 2
      - citation: Layer 3
  - id: sensitive-activity
    title: Sensitive Activity
    definition: a type of action that introduces Risk to an organization
    references:
      - citation: Layer 4
  - id: vector
    title: Vector
    definition: >
      (1) an opportunity for an attacker to exploit a vulnerability in the
      system; or
      (2) a path by which neglect could result in unintentional negative outcomes
    references:
      - citation: Layer 1
  - id: vulnerability
    title: Vulnerability
    definition: >
      (1) a weakness in a system inherent in or associated with a Capability that
      can be exploited when used in unintended ways; or
      (2) a lack of Control or gap in defense, introduced intentionally or
      unintentionally, which can be leveraged to cause harm
    references:
      - citation: Layer 2
      - citation: Layer 4