Remote Authentication Dial-in User Service - A security service that authenticates and authorizes dial-up users and is a centralized access control mechanism.

remote journaling - A method of transmitting changes to data to an offsite facility. This takes place as parallel processing of transactions, meaning that changes to the data are saved locally and to an off-site facility. These activities take place in real time and provide redundancy and fault tolerance.

repudiation - When the sender of a message denies sending the message. The countermeasure to this is to implement digital signatures.

residual risk - The remaining risk after the security controls have been applied. The conceptual formulas that explain the difference between total and residual risk are threats

resources - Assets of an organization that can be used effectively.

risk - The likelihood of a threat agent taking advantage of a vulnerability and the resulting business impact. A risk is the loss potential, or probability, that a threat will exploit a vulnerability.

risk acceptance - Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

risk analysis - A method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.

risk avoidance - Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

risk management - The process of identifying, assessing, and reducing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

risk mitigation - Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.

risk transference - Paying an external party to accept the financial impact of a given risk.

role-based access control - Type of model that provides access to resources based on the role the user holds within the company or the tasks that the user has been assigned.

RPO - (Recovery Point Objective) - A measure of how much data the organization can lose before the organization is no longer viable.

RPO - (Recovery Point Objective) - The acceptable amount of data loss measured in time.

RTO - (Recovery Time Objective) - The target time set for recovering from any interruption.

RTO - (Recovery Time Objective) - The maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences.

rule-based access control - Type of model that uses specific rules that indicate what can and cannot happen between a subject and an object. This access control model is built on top of traditional RBAC and is thus commonly called RB-RBAC to disambiguate the otherwise overloaded RBAC acronym.

RUM - (Real User Monitoring) - An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

safeguard - A software configuration, hardware, or procedure that eliminates a vulnerability or reduces the risk of a threat agent from being able to exploit a vulnerability. Also called a countermeasure or control.

SAML - (Security Assertion Markup Language) - An XML standard that allows the exchange of authentication and authorization data to be shared between security domains.

sandbox - An isolated test environment that simulates the production environment but will not affect production components/data.

sandboxing - A type of control that isolates processes from the operating system to prevent security violations.

SAST - (Software Source Code Analysis) - Analysis of the application source code for finding vulnerabilities without executing the application.

SCADA - (Supervisory Control And Data Acquisition) - A system for remotely monitoring and controlling physical systems such as power and manufacturing plants.

SD-WAN - (Software Defined Wide Area Network) - An extension of SDN practices that connects entities spread across the Internet to support a WAN architecture, especially in the context of cloud migration.

SDN - (Software-Defined Networking) - An approach to networking that relies on distributed software to provide improved agility and efficiency by centralizing the configuration and control of networking devices.

secure configuration management - Implementing the set of appropriate procedures to control the life cycle of an application, document the necessary change control activities, and ensure that the changes will not violate the security policy.

Security Assertion Markup Language - An XML standard that allows the exchange of authentication and authorization data to be shared between security domains.

security control framework - A notional construct outlining the organization

security evaluation - Assesses the degree of trust and assurance that can be placed in systems for the secure handling of sensitive information.

security governance - The entirety of the policies, roles, and processes an organization uses to make security decisions.

security information and event management - A software platform that aggregates security information and security events and presents them in a single, consistent, and cohesive manner.

security kernel - The hardware, firmware, and software elements of a trusted computing base (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct.

security label - An identifier that represents the security level of an object.

security perimeter - An imaginary boundary between the components within the trusted computing base (TCB) and mechanisms that do not fall within the TCB. It is the distinction between trusted and untrusted processes.

security policy - Documentation that describes senior management's directives toward the role that security plays within the organization. It provides a framework within which an organization establishes needed levels of information security to achieve the desired availability, integrity, and confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment to managing risks.

security testing - Testing all security mechanisms and features within a system to determine the level of protection they provide. Security testing can include penetration testing, formal design and implementation verification, and functional testing.

segment - Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

sensitive information - Information that would cause a negative effect on the company if it were lost or compromised.

sensitivity label - A piece of information that represents the security level of an object. Sensitivity labels are used by the TCB as the basis for mandatory access control (MAC) decisions.

separation of duties - A security principle that splits a critical task among two or more individuals to ensure that one person cannot complete a risky task alone.

session initiation protocol - A signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications.

shoulder surfing - When a person looks over another person's shoulder and watches keystrokes or watches data as it appears on the screen in order to uncover information in an unauthorized manner.

SIEM - (Security Information and Event Management) - A software platform that aggregates security information and security events and presents them in a single, consistent, and cohesive manner.

simple security property - A Bell-LaPadula security model rule that stipulates that a subject cannot read data at a higher security level.

single factor authentication - Uses only one of the three available authentication factors to carry out the requested authentication.

single loss expectancy - A dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place. [asset value

single sign-on - A technology that allows a user to authenticate one time and then access resources in the environment without needing to reauthenticate.

SIP - (Session Initiation Protocol) - A signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications.