Glossary of Terms

The glossary of terms and definitions listed below may be used by stakeholders to communicate their perspectives for common understanding. The terms and definitions are derived from various standards, applicable laws (e.g. The IT Act 2000), regulations and public sources. The source(s) of definitions of the terms are also provided, where available.

Basic Terms

Information Security (NIST CRSC)

• the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security (ISO 27000:2018)

• preservation of confidentiality, integrity and availability of information.

Note: In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Cyber Security (ITAA-2008)

• protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification, or destruction.

Note 1: The terms Information Security (IS) and Cyber Security (CS) are often used interchangeably, since there are only some minor distinctions between the two terms. Notes 2 to 5 below provide guidance for specific situations in which one term is more appropriate than the other.

Note 2: In general, the information security is used in the context of securing information that is held and managed in both digital and non-digital (paper-based) forms. Cybersecurity is used in the context of securing the cyber-ecosystem (IT, OT, and IIoT) from cyber-attacks.

Note 3: Data and information content encompasses i) content created, used and managed using office productivity tools, ii) content stored in databases and other electronic repositories, which may be located on-premises or on cloud, iii) content searched, accessed and shared using web, email and other technologies, iv) machine to machine exchange of content through information exchange standards and protocols (EDI, API, STIX/TAXII), and OT-specific communication protocols (Modbus, DNP3/ IEEE 1815-2012, IEC-60870, IEC 61850, IEC 61131, IEC 62351) and, v) archival content stored in online and offline backups.

Note 4: Data and information related activities encompass i) content creation, updation and deletion (CRUD activities), ii) data processing, iii) view, copy, scan, search and print, iv) content integrity and confidentiality protection using digital signatures and encryption, v) masking or redaction of sensitive content and reclassification of the masked/ redacted content, vi) content exchange and distribution through electronic media and communication channels, vii) short-term and long-term storage of content and, viii) secure disposal of content from all the electronic stores, as per the organisation policies.

Note 5: Most OT systems are process control systems. Typically, the input and output OT data of such systems have a short period of utility. Hence, confidentiality of such data exchanged through OT protocols, as well as intermittent data loss are minor concerns. As regards data integrity, the concern is more about the integrity of the process control systems that generate, consume and process the data using OT protocols. The most important concerns of such systems are the availability of the systems themselves, safety of the physical environment around the systems or influenced by them. In summary, focus of OT security is more about protecting critical processes (Safety, Availability, Integrity) and less about data loss (Confidentiality).

Cyber resiliency (NIST CRSC)

• the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.

Note: Cybersecurity is the practice of protecting the digital infrastructure from unauthorised access, data breaches, and cyber-attacks. Cyber resilience is an organisation’s capability to prepare for, respond to, and recover from cyber threats and disruptions. Both functions require a combination of technologies, practices and processes, policies and controls, peope and governance for delivering the required outcomes.

Governance of Enterprise IT and Information Security

Adopted from ISO/IEC Standards

Accountable (ISO 38500:2015)

• answerable for actions, decisions and performance.

Accountability (ISO 38500:2015)

• state of being accountable. Accountability relates to an allocated responsibility. The responsibility can be based on regulation or agreement or through assignment as part of delegation.

Context of the organisation (ISO 9000:2015)

• Combination of internal and external issues that can have an effect on an organisation’s approach to developing and achieving its objectives.

Direct (ISO 38500:2015)

• communicate desired purposes and outcomes to. In the context of governance of IT, ‘direct’ involves setting objectives, strategies, and policies to be adopted by the members of the organisation to ensure that use of IT meets business objectives. Objectives, strategies, and policies can be set by managers if they have authority delegated by the governing body.

Entity (ISO 27014:2020)

• a corporate or enterprise group of companies or a single company in the public or private sector, a government body or a body owned or controlled by the government. An entity can have multiple Organizations within itself or be identical to the organisation, as in smaller companies. The entity has governance authority over the organisation.

Evaluate (ISO 38500:2015)

• consider and make informed judgements. In the context of governance of IT, evaluate involves judgements about the internal and external, current and future circumstances and opportunities relating to the organisation’s current and future use of IT.

Executive manager (ISO 38500:2015)

• person who has authority delegated from the governing body for implementation of strategies and policies to fulfil the purpose of the organisation. Executive managers can include roles which report to the governing body or the head of the organisation or have overall accountability for major reporting function, for example Chief Executive Officers (CEOs), Heads of Government Organizations, Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIs), and similar roles. In management standards, executive managers can be referred to as top management.

Governance (ISO 38500:2015)

• system of directing and controlling

Governance of IT (ISO 38500:2015)

• system by which the current and future use of IT is directed and controlled. Governance of IT is a component or a subset of organisational governance. The term governance of IT is equivalent to corporate governance of IT, enterprise governance of IT, and organisational governance of IT.

Note: Typically, Enterprise IT Governance deals with resources required to acquire, process, store and disseminate information. Enterprise Information Security Governance deals with assurance of information confidentiality, integrity and availability and effective communication of the same with various external stakeholders.

Governing body (ISO 27014:2020)

• person or group of people who are accountable for the performance and conformance of the entity.

Management (ISO 38500:2015)

• exercise of control and supervision within the authority and accountability established by governance.

Note: The term management describes the coordinated activities to direct and control an organisation (ISO 9000:2015). It can include establishing policies and objectives, and processes to achieve the objectives. It is also used as a collective term for those with responsibility for controlling an organisation or parts of an organisation. The term managers is used to avoid confusion with management systems.

Managers (ISO 38500:2015)

• group of people responsible for control and supervision of an organisation or parts of an organisation. Executive managers are a category of managers.

Monitor (ISO 38500:2015)

• review as a basis for appropriate decisions and adjustments. Monitoring involves routinely obtaining information about progress against plans as well as the periodic examination of overall achievements against agreed strategies and outcomes to provide a basis for decision making and adjustments to plans. Monitoring includes reviewing compliance with relevant legislation, regulations, and organisational policies.

Organisation (ISO 27014:2020)

• The whole entity or part of an entity, which works under the governance authority of the entity.

Note: ISO/IEC 27014:2020 provides the distinction between entity and organisation in the context of ISMS. By definition, the ISMS covers the whole of an organisation, which by itself may cover the whole of the entity or part of the entity. Typically the two terms defined in ISO 27014:2020 are applied to both the governance of IT and Information Security.

Organisational governance (ISO 38500:2015)

• system by which Organisations are directed and controlled.

Responsibility (ISO 38500:2015)

• obligation to act and take decisions to achieve required outcomes

Top management (ISO 27014:2020)

• person or group of people who direct and control the organisation (as defined above) at the highest level. The top management of the organisation is accountable to the governing body of the entity and has the power to delegate authority and provide resources within the organisation. In smaller entities, where the entity and organisation are identical, top management is the same as governing body.

Use of IT (ISO 38500:2015)

• planning, design, development, deployment, operation, management, and application of IT to fulfil business objectives and create value for the organisation. The use of IT includes the demand for, and the supply of, IT, the current and future use of IT.

Customer (ISO 20000-10:2018)

• organisation or part of an organisation that receives a service or services.

EXAMPLE: Consumer, client, beneficiary, sponsor, purchaser.

Note 1: A customer can be internal or external to the organisation delivering the service or services.

Note 2: A customer can also be a user. A customer can also act as a supplier.

External supplier (ISO 20000-10:2018)

• another party that is external to the organisation that enters into a contract to contribute to the planning, design, transition, delivery or improvement of a service, service component or process.

Interested party, Stakeholder (ISO 9000:2015)

• person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity.

Internal Supplier (ISO 20000-10:2018)

• part of a larger organisation that is outside the scope of the SMS, that enters into a documented agreement to contribute to the planning, design, transition, delivery or improvement of a service, service component or process.

EXAMPLE - procurement, infrastructure, finance, human resources, facilities.

Service provider (ISO 20000-10:2018)

• organisation that manages and delivers a service or services to customers.

Service integrator (ISO 20000-10:2018)

• entity that manages the integration of services and service components delivered by multiple suppliers

Note: The role of the service integrator supports the promotion of end-to-end service management, particularly in complex supply chains by ensuring all parties are aware of, enabled to perform, and are held accountable for their role in the supply chain.

User (ISO 20000-10:2018)

• individual or group that interacts with or benefits from a service or services.

Note: Examples of users include a person or community of people. A customer can also be a user.

Effectiveness (ISO 9000:2015, ISO 20000-10:2018)

• extent to which planned activities are realized and planned results are achieved.

Efficiency (ISO 9000:2015)

• relationship between the result achieved and the resources used.

Mission (ISO 9000:2015)

• organisation’s purpose for existing as expressed by top management.

Objective (ISO 9000:2015)

• result to be achieved. An objective can relate to different disciplines, be strategic, tactical, or operational, and can apply at different levels (such as strategic, organisation-wide, project, product and process. An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, or by other words with similar meaning (e.g. aim, goal, or target).

Note: Objectives are usually defined using SMART - Specific, Measurable, Achievable, Relevant and Time bound - statements of purpose.

Policy (ISO 38500:2015)

• intentions and direction of an organisation as formally expressed by its governing body or executive managers acting with appropriate authority.

Process (ISO 9000:2015)

• set of interrelated or interacting activities that use inputs to deliver an intended result.

Procedure (ISO 9000:2015)

• specified way to carry out an activity or a process, which may or may not be documented.

Strategy (ISO 9000:2015)

• plan to achieve a long-term or overall objective.

Vision (ISO 9000:2015)

• aspiration of what an organisation would like to become as expressed by top management.

Adopted from ITAA-2008

Computer Resource (ITAA-2008)

• computer, communication device, computer system, computer network, data, computer database or software.

Note: The term ‘Resource’ is also used, when there is no ambiguity that it refers to computer resource.

Computer (ITAA-2008)

• any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.

Note: The definition is also applied to OT and IIoT devices having programmable or upgradable software or firmware, such as i) PLCs, RTUs etc, and ii) CCTV cameras, smartcard and biometric readers etc.

Communication Device (ITAA-2008)

• Cell Phones, Personal Digital Assistance (Sic), or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.

Computer System (ITAA-2008)

• a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.

Note: The definition is also applied to OT and IIoT systems having programmable or upgradable OT and IIoT devices, such as i) SCADA, DCS etc, and ii) smart grid technologies, such as automatic meter infrastructure etc.

Computer Network (ITAA-2008)

• the interconnection of one or more Computers or Computer systems or Communication device through i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained.

Critical Information Infrastructure (ITAA-2008)

• the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

Critical Sectors (G.S.R. 19(E) dated 16 Jan 2014)

• sectors, which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health, or safety.

Data (ITAA-2008)

• a representation of information, knowledge, facts, concepts, or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network. ,.and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Information (ITAA-2008)

• includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or microfilm or computer-generated micro fiche.

Adopted from General Use and Other Sources

Accountability

• the obligation to exercise authority that is based on established standards and to take ownership of the outcomes or results.

Note: Authority can be delegated, Responsibility can be shared but cannot be delegated, Accountability can neither be shared nor delegated.

Authority

• the right or power assigned to an individual or a government entity in order to achieve defined goals and objectives. An ‘authority’ gives official and legal right to take decisions, command action by others and enforce compliance.

Board of Directors

• usually maps to the governing body. Designations are usually in the form of CMD, MD, Executive and Non-executive Directors. In the Government, the word ‘Authority’ is also used.

Enterprise (TOGAF)

• any collection of Organizations that has a common set of goals.

Example: an enterprise could be a government agency, a whole corporation, a division of a corporation, a single department, or a chain of geographically distant Organizations linked together by common ownership. An extended enterprise nowadays frequently includes partners, suppliers, and customers.

Enterprise or Corporate Governance

• The functions carried out by the governing body of an entity and the top management of the Organisations of an entity.

Executive Management

• usually maps to the top management of the entity and its Organisations. Designations are usually in the form of CXOs.

Levels of management hierarchy.

Entities usually have the following levels of management hierarchy with regard to business/ IT / Information Security goals, plans, activities and functions:

• Strategic Level: long term (multi-year) planning, goal setting, management oversight activities and accountability lies with the governing body and top management. IS/ISO/IEC 9001:2015 defines the term ‘strategic direction’.

• Tactical Level: short term (quarterly/ half-yearly/ yearly) planning, target setting, management oversight activities and responsibility lies with the top management and senior management.

• Operational Level: ultra-short term (daily/ weekly/ fortnightly/ monthly) planning, target setting, management activities and responsibility lies with the senior, middle level and lower-level management.

Note 1: The term Business as Usual (BAU) is also used for operational level functions and activities.

Note 2: Audit and compliance verification/ validation is usually done across the three time-frames – long term, short term and ultra-short term.

Note 3: One mechanism to distinguish the levels of hierarchy within an entity is by the financial powers and decision authority that is delegated to each level. Another mechanism is the type of decision making that is allowed (strategic, tactical or operational) and the chain of command/ reporting.

Lower Management

• usually maps to supervisory or operative management, the first line managers of systems, processes, and teams.

Middle Management

• usually maps to department or branch management, the second line managers of systems, processes, and teams.

Responsibility

• an obligation to perform an assigned task or duty and take ownership of the outcomes or results.

Senior Management

• usually maps to the management that is one rung lower than the top management. In practice, general managers (GM) business unit, line and staff management heads are part of the senior management.

Aim or Goal

• the desired result of an effort. 

Note: In an entity/ organisational context, the term ‘mission’ is also used.

Function, Operation

• what an entity does in order to fulfil its goal, mission and objectives. Typically comprises of activities, processes, practices.

Key Performance Indicators (KPI)

• a mechanism for measurement.

Outcome

• the result or effect of an action. Typically expressed using quantifiable/ measurable/ comparative units.

Note: Objectives are rooted in intention and planning. Outcomes are the results of execution. Achievement of objectives can be measured through the outcomes.