Data Security Terminology

Data security is a minefield of industry-specific terms. Many of these are acronyms which are commonly used as nouns with no further explanation. Here are Kindus’ explanations of some of the more often used terms. Specific company names have been avoided. Integrated software solutions often aim to address more than one of the categories below.

AWS: Amazon Web Services; a package of cloud storage and application services provided by Amazon. The solutions are scalable but costs depend on usage.

BCM/BCP: Business Continuity Management/Business Continuity Plan; the procedure to ensure that a business can continue to operate following a data loss or data breach. The plan sets out what should be done. Management ensures that the plan adapts as the business changes.

Blockchain: Storage of data as a chain of linked records (blocks) replicated across a number of discrete devices (nodes). As data is changed the whole chain updates, and a history of changes is kept within the chain. Data is protected because an unauthorised change on one node will be rejected by the combined knowledge of the entire chain.

BYOD: Bring Your Own Device; allowing personal laptops, tablets and phones to access corporate systems and data. The concept evolved into MDM (Mobile Device Management).

CRM: Customer Relationship Management; tracking customers and the business’s interactions with them. Integrated software may use analysis algorithms to identify trends and make predictions.

CSV: Computer System Validation; the process of ensuring that a computer system meets a set of agreed standards. In industries such as Pharma there are strict standards on what information can be recorded and accessed.

Cyber Essentials: A UK qualification demonstrating that an organisation meets certain security standards. Cyber Essentials is achieved by completing a self-assessment questionnaire which is marked by an external assessor.

Cyber Essentials Plus: A higher level certification than Cyber Essentials. Plus is assessed by an independent auditor. It entails a more rigorous probing of the organisation’s systems and procedures.

DoS/DDoS: Denial of Service/Distributed Denial of Service; an attack designed to bring down a computer system. More requests to access the system are made than it is able to cope with, and the target system subsequently fails. In the distributed form the requests come from numerous infected remote nodes.

DPA: The UK 2018 Data Protection Act; it is the UK variant of the EU GDPR. It protects personal data and ensures that its commercial use is fair and transparent.

DPIA: Data Protection Impact Assessment; an analysis of the impact of a project on the personal data of individuals that it might gather or expose.

ERP: Enterprise Resource Planning; an integration of business processes. This might include, but is not limited to, CRM (Customer Relationship Management), stock control and financial systems.

E-Signature: Electronic Signature; a signed and dated stamp on electronic documents. The e-signature signifies agreement to the linked document in the same way as a signature of a printed document.

Ethical Hacking: Hacking of computer systems, with the system owner’s prior approval, to find security loopholes, and the reporting of such issues to the system owner.

EU ePR: EU ePrivacy Regulation governing public directories of personal data and direct marketing. The regulation has not yet been passed as law.

FDA: USA Food and Drug Administration; enforces USA legislation in the areas of food, drugs and tobacco.

GDPR: General Data Protection Regulation; laws preserving the security of personal data. Since Brexit, EU GDPR applies to data within the EU and UK GDPR applies to data within the UK. The two sets of law are broadly similar. They apply to bodies offering goods and services within the target market, not just to those solely based within those locations.

GMP: Good Manufacturing Practice; GAMP: Good Automated Manufacturing Practice; GXP: Good Practice. Regulations and guidance on maintaining agreed standards. In the Pharma field the current standards are GAMP 5.

HRM: Human Resource Management; the management of employees within an organisation.

Infrastructure Qualification: the process of demonstrating that a software system matches what the user expects it to do. This could be part of CSV (Computer System Validation) or a less rigorous system review.

IoT: Internet of Things; the use of relatively simple connected devices to collect information. The information is collected and processed remotely. Alerts can be set, or further remote systems act on the processed data. A simple example would be a heating system that reacts to temperature changes and can also be remotely adjusted.

ISO27001: International Organization for Standardization standard 27001; policies and procedures that govern how a body should store and process information. ISO27001 is not a legal requirement but a voluntary review of processes. If the approved standards are met, an organisation can publicise that it is ISO27001 certified.

LEM: Log and Event Management; when software is set to log events as it runs, a large volume of data can be created. LEM organises and filters this data to produce meaningful reports and alerts. This enables decisions to be made about the degree of use and the security of systems.

MDM: Mobile Device Management; systems to allow laptops, tablets and phones to be used within a corporate environment. Controls are set on the systems that the devices can access. Device use is monitored, with the ability to lock or wipe individual devices.

MHRA: Medicines and Healthcare Products Regulatory Agency; the UK body responsible for ensuring that medicines and medical devices are safe to use.

NIS: EU Security of Network and Information Systems; an EU directive that since Brexit has also passed into UK law. The legal regulations maintain the security of key systems (such as search engines and cloud services) and services (such as energy and health).

PCI DSS: Payment Card Industry Data Security Standard; a standard affecting how credit card transactions are handled electronically. Although not a law, these standards are enforced by the major credit card providers including American Express, MasterCard and Visa.

Penetration Tests: An authorised probe of a computer system. The security of the system will be assessed and recommendations for improvements made.

Ransomware: Malicious computer code that locks a computer system and threatens to destroy data. There is a promise that if a ransom is paid the system will be unlocked and data access restored.

Risk Assessment: a formal investigation of a computer system that will identify potential security risks. This is a precursor to, or ‘lighter touch’ version of, a full penetration test.

S3: Amazon Simple Storage Service; a cloud storage system available to AWS (Amazon Web Services) users.

SaaS: Software as a Service; the provision of software through a subscription from a centrally hosted hub.

SIEM: Security Information and Event Management; the collection and analysis of security reports from software. SIEM is a sub category of LEM (Log and Event Management).

SLA: Service Level Agreement; a set of agreed standards. For example, the categorisation of issues and agreed response times from a computer support (helpdesk) team.

Social Engineering: A criminal pretends to be someone in authority, someone trusted or someone personally known to the target in an attempt to gain access to confidential information.

SOP: Standard Operating Procedure; in software and security this would govern who is allowed to access a system and what level of security they are granted. It will also govern the implementation of new systems, their maintenance and eventual retirement.

Zero Day: A hack or vulnerability that is present on newly released or updated software. On release, software will undergo deployments and configurations that may not have been covered by pre-release testing, exposing unforeseen vulnerabilities.