A non-exhaustive list of relevant terminology for the CompTIA Security+ SY0-701 exam, as of August 2025.
Acceptable Use Policy (AUP)
A policy type that defines how an employee or other entity can use a company’s network, system, or device.
Information Security Policy (ISP)
A policy type that provides a broad overview of how organizations secure information and data, which may involve high-level policies about credential policies, facility policies, change management, onboarding and offboarding, and encryption.
Business Continuity (BC) Plan
A plan designed to ensure that the business can continue to function even when a breach or incident occurs, outlining how functionality should be maintained in all capacities (where services should be shifted, if at all; what backups exist in the event of certain servers going down; etc.).
Disaster Recovery (DR) Plan
A plan designed specifically to address an organization’s response in the event of a major disaster, such as a fire, flood, or tornado, in order to restore services and their availability to users as quickly and efficiently as possible.
Incident Response (IR) Plan
A plan that acts as a set of guidelines and steps to be taken in the event of an incident from detection to the lessons learned. This can involve plans for communication, stakeholder management, BC, DR, continuity of operations (COOP), and retention.
Software Development Lifecycle (SDLC) Policy
A policy that defines how software, either organizationally developed or vendor developed, will be secure through the entire life cycle. This can involve software environment, testing, execution, maintenance, and provisioning/deprovisioning.
Change Management Policy
A policy that defines how a change will be submitted, approved, and implemented, designed to take both operational risk and cybersecurity into consideration during the change management process.
Password Standards
Standards that may define length, character use, reuse, and validity length for verification.
Access Control Standards
Standards that may define minimum requirements for account lifecycles, including but not limited to onboarding and offboarding policies, shared usage, and access requirements.
Physical Security Standards
Standards that include the minimum requirements for securing the physical premises and assets of an organization, often involving requirements for access control, security monitoring, and visitor entry.
Encryption Standards
Standards that detail the minimum requirements for data encryption at all organizational stages, including data at rest and in transit.
Change Management/Control Procedures
A specific set of procedures that oversee and evaluate how specific changes will be sourced, analyzed, and managed to provide a roadmap for the most effective implementation of the change.
Onboarding
The process of adding a new employee to a network or company, typically with procedures that standardize this process and outline the specific steps necessary to securely add the new employee.
Offboarding
The process of removing an employee from a network or company post-termination, defining the necessary steps to securely remove said employee including permission revocation, user account deletion, exit interviews, and asset retention.
Playbook
A procedural guide used to perform specific actions during an incident response, breaking down the steps necessary to complete the task.
Regulatory Requirements
Mandatory and legally enforceable security requirements that place standards and guidelines on how an organization protects itself, its data, and its customers from threats.
Legal Requirements
Legally enforced laws or regulations that may apply to an organization.
Industry Requirements
Laws and regulations specific to an industry, such as HIPAA.
Local/Regional Requirements
Laws that may differ from location to location, but must still be complied with by any industry or business that operates within that location. A prime example is the GDPR.
National Requirements
Requirements set into place by a specific country’s government for organizations that operate within their boundaries, such as the Federal Information Security Modernization Act (FISMA).
Global Guidelines
Guidelines that provide internationally accepted best practices, guidelines, and recommendations for the creation of a secure cyber landscape, but are not directly enforced by a single international governing body.
Governance
The method by which an organization monitors and controls its security programs, granting it the ability to protect the interests of the organization through oversight and policy implementation.
Board
A group of high-level individuals that is appointed by shareholders in the organization in order to delegate management duties to appropriate senior employees, and a critical component of a hierarchical structure.
Committee
A group of individuals chosen to specifically oversee and manage a specific component of an organization, typically involving subject matter experts (SMEs) and members of upper management.
Government Entity
A government-sponsored and -supported group that is appointed to oversee the creation of policies and compliance with said policies, such as CISA.
Centralized Governance
A hierarchical, top-to-bottom method of governance where a top entity is responsible for policies, standards, and the manner in which they are followed, which must be complied with at all lower levels.
Decentralized Governance
A model that relies on the lower portions of the organization in order to uphold security policies and standards of the primary organization in the manner in which they see fit.
Data Owner
Someone responsible for data. This individual should be one that best understands the data they are responsible for, not necessarily its point of origin.
Data Controller
The person responsible for deciding what and why the data needs to be collected, as well as how that data is processed.
Data Custodian/Steward
The person responsible for the safekeeping and protection of data, primarily focusing on the technical aspects of data security as opposed to the content or usage of the stored data.
Risk Management
How an organization identifies and responds to potential risks.
Risk Assessment
The process of assigning a risk severity value to an identified risk by assessing how likely the risk is to occur and what potential impact the risk would have on the organization if it occurs. There are many types.
Ad Hoc Risk Assessment
A type of risk assessment that is conducted in response to a particular occurrence or event.
Recurring Risk Assessment
A type of risk assessment that is conducted at preset intervals in order to monitor a risk, its potential impact, and its associated risk response.
One-Time Risk Assessment
A type of risk assessment that is used to provide a generalized overview of an organization’s risk profile at the current point in time.
Continuous Risk Assessment
A type of risk assessment that is used to monitor a risk on an ongoing basis, typically automated and best used for the identification of new or emerging threats.
Risk Analysis
The processes, methods, and technologies used to track, analyze, and evaluate risk.
Risk Severity
A metric used to choose which risk metrics best fit the situation.
Quantitative Risk Assessment
The use of numerical data, mathematical algorithms, statistics, and probability to produce replicable results, typically requiring more time for data collection.
Qualitative Risk Assessment
The use of subjective knowledge and experience in order to assess risk, typically quicker and best used when risk is difficult to numerically define.
Exposure Factor
How much damage an asset will incur when exposed to a particular risk, typically expressed as a percent.
Single Loss Expectancy (SLE)
The monetary amount of damage that would be incurred, based on the cost of the asset, every time a specified risk occurs. Calculated via the formula AV x EF (asset value multiplied by exposure factor).
Annual Rate of Occurrence (ARO)
A numerical calculation of how many times a risk is expected to occur in a year.
Annualized Loss Expectancy (ALE)
How much monetary damage can be expected each year from a specified risk, calculated via the formula SLE x ARO.
Probability
A numerical value used to indicate the chance of a vulnerability being exploited over a specific period of time.
Likelihood
The probability that a risk will occur, commonly expressed as a percentage.
Impact
What effect a risk would have on an organization if it were to occur.
Risk Register
A comprehensive guide to potential risks an organization may encounter, including information on likelihood, impact, description, and any other details that may be valuable to an organization.
Risk Matrix/Heat Map
A digestible visualization of risk, typically shown via a box matrix with the impact on one axis and the likelihood of occurrence on the other.
Key Risk Indicator (KRI)
A metric that can be used to identify increasing risk levels, the effectiveness of current risk controls, and the maintenance of acceptable residual risk.
Risk Owner
The individual or entity who assumes the responsibility of the oversight and management of risk, typically responsible for implementing controls to mitigate the identified risks.
Risk Threshold
The predefined boundary at which a risk becomes too high, typically requiring action and intervention once it is reached.
Risk Appetite
The amount of risk an organization is willing to take, typically used to balance operability with risk protection.
Expansionary Risk Appetite
A form of risk appetite in which one is willing to take higher risks for the chance of higher rewards.
Conservative Risk Appetite
A form of risk appetite in which one actively avoids taking risks, focusing on asset protection and stability.
Neutral Risk Appetite
A form of risk appetite in which one attempts to reach a balance between conservative and expansionary risks, offering moderate growth while granting protection to current assets and stability.
Risk Tolerance
The ability of an organization to withstand a risk and maintain operational functionality, especially as risk surpasses the risk appetite.
Risk Transference
A risk management strategy that shifts risk impact from one organization to another.
Risk Acceptance
A risk management strategy that occurs when an organization weighs the associated risks and decides the cost of addressing the risk is higher than its potential impact.
Exemption
A form of risk acceptance that acknowledges and approves the acceptance of a risk that lies beyond the risk appetite and risk tolerance of the organization; such exemptions are heavily scrutinized, documented, and must be approved by organizational leaders.
Exception
A form of risk acceptance used to allow for non-compliance to standards, policies, or procedures, often built on a case-by-case basis complete with total awareness of the risk.
Risk Avoidance
The decision to completely eliminate the risk by not engaging in the risky behavior, which is often not conducive to productivity and interactions but may be necessary for expediency.
Risk Mitigation
The decision to completely eliminate risks by not engaging in risky behavior, which may not be conducive to productivity and operations.
Risk Reporting
The process of creating, maintaining, and providing documentation of the status of the risk, typically used to inform the decision-making process.
Business Impact Analysis (BIA)
A type of analysis designed to identify the most critical functions an organization requires to operate as well as the systems that support these functions, using multiple metrics to identify and evaluate critical functions. There are four key metrics: recovery time objective, recovery point objective, mean time to repair, and mean time between failures.
Recovery Time Objective (RTO)
The duration of downtime after a system failure, before repair, that the organization can tolerate.
Recovery Point Objective (RPO)
The amount of data loss that an organization can tolerate during a system failure.
Mean Time To Repair (MTTR)
The average amount of time it takes to restore a system to normal functionality after a failure.
Mean Time Between Failures (MTBF)
The average time between failures, offering a metric for system reliability.
Vendor Assessment
A form of risk testing that ensures a particular vendor meets the agreed-upon security requirements, typically involving methods such as penetration testing, client audits, internal audit documentation, independent assessments, and supply chain analysis.
Penetration Testing
A method of vulnerability identification, of which there are multiple types. This often involves a distinct individual or party of individuals tasked with the subversion or bypassing of in-place security systems, followed by a report on the found vulnerabilities and weaknesses.
Right-to-Audit Clause
A provision of a contract between a vendor and client that ensures the client retains the permission to audit the vendor directly or via a third party.
Independent Assessment
A risk assessment that can be conducted by an entity not affiliated with either the client or vendor, providing a completely objective analysis of the vendor’s security posture and risk management strategies.
Supply Chain Analysis
A form of analysis that takes into account how products run through the supply chain as well as which outside vendors the organization makes contact with.
Vendor Selection
The process of choosing an appropriate vendor for the organization’s needs, which involves the thorough examination and assessment of all aspects of a potential vendor.
Due Diligence
The process of examining a vendor to the best of the organization’s ability to ensure the organization’s standards are met. This may involve the evaluation of vendor reputation, financial stability, product and service quality, security protocols, and regulatory compliance.
Conflict of Interest
A conflicting overlap in the vendor’s priorities as a result of meeting the needs of more than one client.
Service-Level Agreement (SLA)
A contract that outlines the minimum level of service a provider is expected to maintain and what the service provider will do if those minimums are not met.
Memorandum of Agreement (MOA)
A legally binding document between two parties that outlines the roles and responsibilities of the parties and their relationship to one another.
Memorandum of Understanding (MOU)
An informal agreement that outlines the relationship between parties, not legally binding.
Master Service Agreement (MSA)
A contract that specifies the baseline of expectations between a vendor and user over a prolonged period of time, acting as the primary contract for outlining baseline security and privacy requirements.
Work Order (WO)/Statement of Work (SOW)
A document created for the purpose of addressing the specific requirements of a project between an organization and a vendor.
Non-Disclosure Agreement (NDA)
A contract that can be used with individuals or third-party providers that specifies how sensitive information is treated during and after employment/use, specifying what information can or cannot be discussed as well as who said information can be shared with. Typical for the protection of sensitive information.
Business Partners Agreement (BPA)
An agreement between two or more coordinating companies that mitigates risk by outlining the expectations and responsibilities of each party. Its extent depends on the partnership and may define profit-sharing specifications, delegation of duties and responsibilities, minimum security requirements, and best practices.
Vendor Monitoring
An ongoing process that analyzes a vendor’s compliance with business agreements and their performance of contractual obligations, which may include clear rules of engagement, performance monitoring, compliance monitoring, and financial monitoring.
Questionnaire
A method that can be applied to both vendor assessments and the vendor monitoring process to garner insight into a vendor, with effective versions tailored to address a specific area or subject.
Rules of Engagement
A set of agreements between a vendor or third party and the primary business that are established prior to any interaction, with rules detailing what systems may be accessed, what actions can be taken, when possible testing can occur, and any other details regarding the acceptable parameters of the testing, monitoring, or analysis.
Compliance Reporting
The process of documenting the methods used to inform interested parties of how an organization meets the applicable standards and regulations.
Internal Compliance Reporting
A type of compliance reporting designed to present compliance data to high-level entities within the organization, involving reports on gaps in compliance, current security posture, and recommendations for improvement, all used in the compliance decision-making process.
External Compliance Reporting
A type of compliance reporting designed to provide proof of compliance with applicable regulations and laws, often made as a requirement by governing agencies or external business partners.
Fine
A monetary penalty applied to an entity or organization in breach of compliance requirements.
Sanction
A formal penalty applied to an entity or organization when non-compliance occurs. This can vary from a warning to a criminal charge, and may also include financial penalties, limitations on business functions, or imprisonment.
Reputational Damage
A result of a data breach or other non-compliance going public that may affect an organization’s business, such as through the loss of sales or the withdrawal of partner support.
Loss of License
A result of non-compliance in which an organization loses the ability to legally perform certain functions for a variable duration, ranging from a short time period (weeks, months, etc.) to permanent revocation.
Contractual Impacts
A result of non-compliance that may affect the stipulations of the contracts between business entities, potentially even leading to termination of the contract.
Due Diligence
A process by which an organization stays abreast of changes in compliance requirements, such as regulation updates or emerging threats to compliance.
Due Care
The process of ensuring that the policies and processes used to achieve compliance are continually monitored and maintained.
Acknowledgement
Occurs when an organization formally states that it and the entities within it are aware of applicable compliance requirements.
Attestation
Occurs when an organization formally states that they not only acknowledge compliance requirements, but also meet them. Typically done via a formal review of an organization.
Internal Compliance Monitoring
A method used to ensure that compliance is met and maintained within an organization, typically involving audits, reviews, and policy checks.