Security & Networking Glossary & Appendix

Companion to the Security & Networking Checklist. Use this to align definitions, evidence examples, and standard mappings.

Govern — Program & Risk Governance [NIST CSF 2.0; CIS v8.1]

Scope, policy, roles, training, vendor/supply-chain risk.

System Boundary [concept]

Definition. The set of people, processes, technology, and data flows included in the security program or assessment.

Why it matters. Determines what assets and obligations are in scope for controls, audits, and incident handling.

Evidence ideas: Network/data-flow diagrams; asset lists; list of in-scope SaaS; out-of-scope statement.

Mappings: CSF Govern; 800-53 PM/PL; CIS 1–2.

Risk Register [process]

Central list of risks with likelihood/impact, owner, status, and due date.

Mappings: CSF Govern; CIS 4; 800-53 RA/PM.

Policy Set (Access, Crypto, Change, Backup, Incident) [governance]

Approved documents that define minimums for how the organization manages access, cryptography, configuration changes, backups, and incident response.

Mappings: 800-53 PM/PL; CSF Govern.

Third-Party / Supply-Chain Risk [vendor]

Risk from external providers (SaaS, MSPs, shipping/payroll, etc.). Often managed with contracts, security questionnaires, and artifacts like SOC 2 or SBOM.

Mappings: 800-53 SR; CIS 15; CSF Govern.

Identify — Asset Management & Baselines [CSF Identify; CIS 1–2]

Know your hardware, software/services, configurations, and data.

Authoritative Inventory (Hardware/Software) [asset mgmt]

A single source of truth listing devices and software/services, reconciled regularly (e.g., EDR, MDM, network discovery, SaaS admin exports).

Mappings: CIS 1–2; 800-53 CM-8.

Baseline Configuration [configuration]

Documented standard settings for systems (OS, firmware, services) used to harden deployments and speed recovery.

Mappings: 800-53 CM; CIS 4.

Data Classification (e.g., PII, CUI) [data]

Labels that dictate handling requirements (storage, encryption, access). Drives where controls must be strongest.

Mappings: CSF Identify; 800-171 3.x.

Protect — Secure Configuration & Access [CIS 4–8; 800-53 AC/IA/SC]

Hardening, MFA, least privilege, segmentation, crypto, endpoints.

MFA (Multi-Factor Authentication) [access]

Authentication using two or more independent factors (something you know/have/are). Prioritize admin, remote, and sensitive apps.

Mappings: CIS 6; 800-53 IA-2; 800-171 3.5.

Least Privilege & Periodic Access Review [authorization]

Grant only the access required; regularly remove unused roles and accounts.

Mappings: 800-53 AC-6; CIS 6.

Segmentation (VLANs / deny-by-default) [network]

Separate networks (e.g., Corp, POS, Guest, Mgmt). Use ACLs/firewalls to restrict east-west movement.

Mappings: 800-53 SC-7; CIS 12.

Cryptographic Hygiene [crypto]

TLS 1.2+ for data in transit, strong ciphers, key rotation, secrets vaulted (not in code or tickets).

Mappings: 800-53 SC-12/SC-13; 800-171 3.13.

EDR (Endpoint Detection & Response) [endpoint]

Agent-based protection with behavioral detection and centralized alerting.

Mappings: CIS 10; CSF Protect/Detect.

Detect — Logging, Monitoring & Vulnerability Mgmt [CSF Detect]

Centralized logs, alerting, scanning, patch metrics, wireless monitoring.

Centralized Logging & Time Sync [observability]

Send device and application logs to a central store (syslog/SIEM). Ensure consistent timestamps (NTP) and retention per policy.

Mappings: 800-53 AU; CIS 8.
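The following is an added example, not part of the original glossary: a small batch check a collector could run over received syslog records to surface the two things this entry asks for, consistent timestamps (per-host clock skew against the collector's receipt time) and coverage (inventory hosts that are not sending logs at all). The header format follows RFC 5424; the sample records, host names and the expected-host list are constructed for the example.

```python
"""Added example: clock-skew and silent-host checks over a batch of syslog
records. The RFC 5424 header layout is real; the sample records, host names
and expected-host inventory are constructed."""
import re
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")


def _parse_ts(text):
    # fromisoformat() accepts "+00:00"/"-04:00" offsets; normalise the "Z" suffix
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_record(line):
    """Return the header fields of one record, or None if it is not RFC 5424."""
    m = HEADER.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "app": m["app"],
        "ts": _parse_ts(m["ts"]),
        "severity": int(m["pri"]) % 8,   # PRI = facility * 8 + severity
    }


def check_batch(batch, expected_hosts, max_skew=timedelta(seconds=5)):
    """batch: (collector receipt time as ISO-8601, raw record) pairs."""
    skewed, seen, unparsed = {}, set(), 0
    for received, raw in batch:
        rec = parse_record(raw)
        if rec is None:
            unparsed += 1
            continue
        seen.add(rec["host"])
        skew = abs(_parse_ts(received) - rec["ts"])
        if skew > max_skew:
            skewed[rec["host"]] = max(skew, skewed.get(rec["host"], timedelta(0)))
    return {
        "skewed": skewed,                                # host -> worst observed skew
        "silent": sorted(set(expected_hosts) - seen),    # inventory hosts with no records
        "unparsed": unparsed,
    }


# Constructed batch: one switch is 12.5 minutes behind (no NTP), one POS terminal
# reports local time with an explicit offset (handled correctly), one line is junk.
SAMPLE_BATCH = [
    ("2025-06-01T12:00:01Z", "<34>1 2025-06-01T12:00:00Z fw-edge-01 filterlog - - - block in on wan proto tcp"),
    ("2025-06-01T12:00:02Z", "<38>1 2025-06-01T11:47:32Z sw-core-01 sshd - - - Accepted publickey for netadmin"),
    ("2025-06-01T12:00:02Z", "<13>1 2025-06-01T08:00:02-04:00 pos-term-07 posapp - - - heartbeat ok"),
    ("2025-06-01T12:00:03Z", "garbage line from a misconfigured sender"),
]
EXPECTED_HOSTS = ["fw-edge-01", "sw-core-01", "pos-term-07", "ap-lobby-02"]

if __name__ == "__main__":
    print(check_batch(SAMPLE_BATCH, EXPECTED_HOSTS))
```

Skew is measured against the collector's own clock, so the collector itself must be NTP-synced for the check to mean anything; a host that drifts makes its events sort out of order in the SIEM and breaks correlation with other sources, which is why the tolerance here is a few seconds rather than minutes.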

SIEM/SOAR (Lite) [monitoring]

Correlation and alerting across log sources; playbooks to standardize response.

Mappings: CSF Detect; 800-53 IR/AU.

Vulnerability Scanning (AuthN) [exposure]

Scheduled internal/external scans, preferably authenticated, with tracking to remediation SLAs.

Mappings: CIS 7; 800-53 RA/SI.

Respond — Incident Response [800-53 IR; 800-171 3.6]

IR plan, escalation, forensics readiness, communication.

Incident Response Plan & Tabletop Exercises [IR]

Documented roles, contact tree, and playbooks (e.g., ransomware, data leak). Test with tabletop drills and capture lessons learned.

Mappings: 800-53 IR-1..IR-8.

Forensics Readiness [evidence]

Time-synced systems, write-blocked imaging options, and a process for chain-of-custody to support investigation and reporting.

Mappings: 800-53 AU/IR.

Communication Templates [stakeholders]

Pre-approved messages for customers, regulators, and media to accelerate clear, lawful notification under pressure.

Recover — Backup & Continuity [800-53 CP]

Backups, restore tests, alternate connectivity.

3-2-1 Backups [resilience]

Keep 3 copies of data on 2 different media with at least 1 offline/immutable. Encrypt at rest and in transit.

Mappings: CIS 11; 800-53 CP-9.

RPO/RTO (Recovery Point/Time Objective) [continuity]

RPO: maximum tolerable data loss. RTO: maximum tolerable downtime. Verify via restore tests and document results.

Mappings: 800-53 CP; CSF Recover.
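An added example serving the two entries above (3-2-1 Backups and RPO/RTO); it is not from the original glossary. It checks a backup inventory against the 3-2-1 rule as the entry states it (three copies, two media, at least one offline or immutable, encrypted) and turns a restore-test record into achieved RPO/RTO figures compared against the objectives, which is the "verify via restore tests and document results" step. The inventory dictionaries and the restore-test timestamps are constructed.

```python
"""Added example: 3-2-1 compliance check for a backup set and achieved
RPO/RTO from a restore test. Inventory format and timestamps are constructed."""
from datetime import datetime, timedelta


def check_321(copies):
    """copies: dicts with name, media, offline_or_immutable, encrypted_at_rest.
    Returns a list of problems; an empty list means the set meets 3-2-1."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media))})")
    if not any(c["offline_or_immutable"] for c in copies):
        problems.append("no offline or immutable copy; anything that reaches the network reaches every copy")
    unencrypted = [c["name"] for c in copies if not c["encrypted_at_rest"]]
    if unencrypted:
        problems.append("not encrypted at rest: " + ", ".join(unencrypted))
    return problems


def evaluate_restore_test(last_good_backup, failure_time, restore_complete, rpo, rto):
    """Achieved RPO = age of the last good backup at failure time (data lost);
    achieved RTO = time from failure until service is back (downtime)."""
    achieved_rpo = failure_time - last_good_backup
    achieved_rto = restore_complete - failure_time
    return {
        "achieved_rpo": achieved_rpo,
        "achieved_rto": achieved_rto,
        "rpo_met": achieved_rpo <= rpo,
        "rto_met": achieved_rto <= rto,
    }


# Constructed inventories for one file server.
GOOD_SET = [
    {"name": "nas-snapshot", "media": "disk", "offline_or_immutable": False, "encrypted_at_rest": True},
    {"name": "cloud-objectlock", "media": "object-storage", "offline_or_immutable": True, "encrypted_at_rest": True},
    {"name": "weekly-tape", "media": "tape", "offline_or_immutable": True, "encrypted_at_rest": True},
]
WEAK_SET = [
    {"name": "nas-snapshot", "media": "disk", "offline_or_immutable": False, "encrypted_at_rest": True},
    {"name": "usb-drive", "media": "disk", "offline_or_immutable": False, "encrypted_at_rest": False},
]

# Constructed restore-test record: nightly backup at 02:00, failure at 09:30,
# service restored at 14:00, measured against a 4 h RPO and an 8 h RTO objective.
RESTORE_TEST = evaluate_restore_test(
    last_good_backup=datetime(2025, 6, 1, 2, 0),
    failure_time=datetime(2025, 6, 1, 9, 30),
    restore_complete=datetime(2025, 6, 1, 14, 0),
    rpo=timedelta(hours=4),
    rto=timedelta(hours=8),
)

if __name__ == "__main__":
    print("good set:", check_321(GOOD_SET) or "meets 3-2-1")
    print("weak set:", check_321(WEAK_SET))
    print("restore test:", RESTORE_TEST)
```

The constructed restore test meets its RTO but misses its RPO by 3.5 hours: a nightly backup cannot satisfy a 4-hour RPO for a failure that lands mid-morning, so either the backup frequency or the stated objective has to change, and that is exactly the kind of result a documented restore test is meant to surface.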

Connectivity Failover [WAN]

Secondary internet path (e.g., LTE/5G) and out-of-band management to reach equipment during outages.

Networking — Perimeter, Routing & Wireless [CIS 9/12/13/15]

Firewalls, VPN, DNS/encrypted DNS (DoT/DoH), WPA3-Enterprise, admin access.

Firewall Rule Hygiene [perimeter]

Least-privilege rules with object naming standards, periodic reviews, and cleanup of stale entries.

Mappings: 800-53 SC-7; CIS 13.
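An added example, not from the original glossary, of the periodic review this entry calls for, run over a rule base exported to a simple record format. It flags the three things a reviewer looks for: names that break the object naming standard, overly broad allow rules, and stale entries, plus rules that are unreachable because an earlier rule already covers all of their traffic. The rule format, the naming standard (ALLOW-/DENY- prefixes) and the sample rules are constructed assumptions; adapt the loader to your firewall's export.

```python
"""Added example: hygiene audit of a firewall rule base. Rule format, naming
standard and sample rules are constructed for the example."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dport: str                # port, "lo-hi" range, or "any"
    action: str               # "allow" or "deny"
    last_hit: Optional[date]  # last match per the firewall's hit counters; None = never


def _net(spec):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def _ports(spec):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer, inner):
    """True when every packet `inner` could match is already matched by `outer`."""
    o_lo, o_hi = _ports(outer.dport)
    i_lo, i_hi = _ports(inner.dport)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and o_lo <= i_lo and o_hi >= i_hi)


def audit_rules(rules, today, stale_after_days=90):
    """Return (rule name, problem) pairs. Rules match top-down, so a rule fully
    covered by an earlier one never fires ("shadowed")."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.name.startswith(("ALLOW-", "DENY-")):   # naming standard (assumed)
            findings.append((rule.name, "name violates object naming standard"))
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == ("any", "any", "any"):
            findings.append((rule.name, "any/any/any allow is not least privilege"))
        if rule.last_hit is None or (today - rule.last_hit).days > stale_after_days:
            findings.append((rule.name, f"stale: no hits in {stale_after_days} days"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings


# Constructed rule base in which a "temporary" vendor rule was never removed.
TODAY = date(2025, 6, 1)
SAMPLE_RULES = [
    Rule("ALLOW-POS-TO-PAYMENT-GW", "10.20.0.0/24", "203.0.113.10/32", "443", "allow", date(2025, 5, 30)),
    Rule("ALLOW-MGMT-SSH", "10.99.0.0/24", "10.0.0.0/8", "22", "allow", date(2025, 5, 31)),
    Rule("temp-vendor-access", "any", "any", "any", "allow", date(2024, 11, 2)),
    Rule("ALLOW-GUEST-WEB", "10.50.0.0/24", "any", "443", "allow", date(2025, 5, 31)),
    Rule("DENY-ALL", "any", "any", "any", "deny", date(2025, 5, 31)),
]

if __name__ == "__main__":
    for name, problem in audit_rules(SAMPLE_RULES, today=TODAY):
        print(f"{name}: {problem}")
```

In the sample the stale vendor rule is also the one that shadows the final deny, so the base behaves as allow-by-default even though a DENY-ALL is present; hit counters alone would not show that, which is why the shadowing check belongs in the review alongside the stale-rule check.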

VPN Posture (MFA, split-tunnel policy) [remote]

Prefer MFA and device posture checks. Limit admin VPN to management segments; decide full vs. split tunnel by risk.

Mappings: 800-171 3.13; CIS 12.

WPA3-Enterprise / Guest Isolation [wireless]

Use 802.1X where possible for corporate SSIDs; isolate guest clients; rotate PSKs if used for IoT/POS.

Mappings: CIS 15; 800-53 SC.

DNS Egress Controls + DoT/DoH policy [egress]

Point clients to approved resolvers, block unauthorized DNS, and document encrypted DNS usage to avoid bypassing controls.

Mappings: CIS 9; 800-53 SC-7.

Management Plane Isolation (VRF/OOB) [admin]

Keep device administration on a dedicated management network/VRF or out-of-band path; never expose management to public networks.

Mappings: 800-53 SC-7.

Application & Web Security [OWASP ASVS; CIS 16]

Security requirements, testing, secrets, dependencies, WAF/CDN.

Security Requirements & Threat Modeling [SDLC]

Define security controls early and analyze abuse/misuse cases (STRIDE/OCTAVE-style) to drive tests and sign-offs.

Mappings: OWASP ASVS 1.x; 800-53 SA.

Secrets Management [credentials]

Keep API keys, tokens, and passwords out of source code and tickets; use vaults and CI/CD-scoped secrets; scan commits for leaks.

Mappings: CIS 16; 800-53 SA-12.
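An added example of the "scan commits for leaks" control, not code from the original glossary or from any particular scanning tool. It walks a unified diff, looks only at added lines (the only lines that can put a new secret into the repository), applies a few pattern rules and uses a Shannon-entropy check to drop placeholder values that match the generic assignment rule. The rules and the sample diff are constructed; the AWS key in the sample is the placeholder that AWS publishes in its own documentation, not a live credential.

```python
"""Added example: leaked-credential scan over a unified diff. Rules and the
sample diff are constructed; tune the rules to your own secret formats."""
import math
import re
from collections import Counter

# Detection rules (constructed). The AWS access key ID format is public; the
# generic rule catches "<name> = <value>" assignments and relies on the entropy
# check below to ignore obvious placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score well above 3.5."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text, entropy_threshold=3.5):
    """Return one finding per matched secret on an added line."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")   # new-file path for the following hunks
            continue
        if not line.startswith("+"):
            continue                               # context or removed line
        content = line[1:]
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(content):
                value = match.group(1) if match.groups() else match.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue   # low-entropy value: a placeholder, not a credential
                findings.append({"path": path, "rule": rule, "value": value})
    return findings


# Constructed diff: one documented-placeholder AWS key, one low-entropy
# placeholder password, one high-entropy token that should be caught.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme_changeme"
+API_TOKEN = "q8Zr2vL9xK4mP1nB7tW3yH6sD0fG5jA2"
 ALLOWED_HOSTS = ["example.com"]
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['path']}: {f['rule']} -> {f['value'][:6]}...")
```

Run as a pre-receive hook or a CI step it gives the "keep secrets out of source code" control a technical check rather than a policy statement alone; a finding should block the push so the value is never committed, because a secret that reaches history has to be rotated whether or not the commit is later rewritten.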

SBOM & Dependency Scanning [supply chain]

Maintain a Software Bill of Materials; monitor third-party libraries for CVEs; pin versions and sign artifacts where possible.

Mappings: CIS 16; OWASP ASVS 14.
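An added example, not from the original glossary, of the "monitor third-party libraries" step: it reads components from a CycloneDX-style SBOM, matches each against an advisory list by ecosystem and package name, and applies the advisory's introduced/fixed version range. The `bomFormat`, `components`, `purl` fields follow CycloneDX, but the package names, versions and advisory identifiers are constructed placeholders, not real packages or CVEs; a production scanner would pull the advisory feed from a vulnerability database rather than an inline list.

```python
"""Added example: SBOM component matching against an advisory list. The SBOM
contents and the ADV-EXAMPLE-* advisories are constructed placeholders."""
import json


def parse_version(text):
    """Dotted numeric versions only ("1.4.0"); extend for pre-release tags."""
    return tuple(int(part) for part in text.split("."))


def ecosystem_from_purl(purl):
    # A package URL looks like pkg:<type>/<name>@<version>; <type> is the ecosystem.
    return purl.split(":", 1)[1].split("/", 1)[0]


def is_affected(version, advisory):
    """Affected when introduced <= version < fixed_in (no fixed_in = still open)."""
    v = parse_version(version)
    introduced = parse_version(advisory.get("introduced", "0"))
    fixed = advisory.get("fixed_in")
    return introduced <= v and (fixed is None or v < parse_version(fixed))


def find_vulnerable(sbom_json, advisories):
    """Return one hit per (component, advisory) pair that applies."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        eco = ecosystem_from_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["name"] == comp["name"]
                    and is_affected(comp["version"], adv)):
                hits.append({"component": comp["purl"], "advisory": adv["id"],
                             "fixed_in": adv.get("fixed_in")})
    return hits


# Constructed SBOM: same package name in two ecosystems to show that matching
# must key on ecosystem as well as name.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.25.1", "purl": "pkg:pypi/acme-http@2.25.1"},
        {"type": "library", "name": "widget-ui", "version": "4.17.21", "purl": "pkg:npm/widget-ui@4.17.21"},
        {"type": "library", "name": "log-helper", "version": "1.4.0", "purl": "pkg:npm/log-helper@1.4.0"},
        {"type": "library", "name": "log-helper", "version": "1.2.0", "purl": "pkg:pypi/log-helper@1.2.0"},
    ],
})

# Constructed advisory feed with placeholder IDs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "name": "acme-http", "fixed_in": "2.31.0"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "name": "widget-ui", "fixed_in": "4.17.21"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "name": "log-helper", "introduced": "1.3.0", "fixed_in": "1.5.0"},
]

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['component']}: {hit['advisory']} (fixed in {hit['fixed_in']})")
```

The check only works if the SBOM records exact pinned versions, which is the reason the entry pairs "pin versions" with scanning: a floating range in the manifest gives the scanner nothing definite to compare against the advisory's fixed-in boundary.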

WAF/CDN Protections [edge]

Use a Web Application Firewall/edge CDN for rate-limiting, IP reputation, TLS termination, and virtual patching; lock origin to CDN.

Mappings: 800-53 SC; ASVS 14.

Physical & Environmental [800-53 PE]

Doors, racks, visitor controls, power, labeling, environmental monitoring.

Controlled Access Areas [facility]

Lock and log access to rooms with network gear and servers; badge or key control with visitor sign-in.

Mappings: 800-53 PE-2..PE-6.

Power Resilience (UPS/Generator) [continuity]

UPS for graceful shutdown and short outages; test runtime and alerting; surge protection and grounding.

Mappings: 800-53 PE/CP.

Cable & Label Hygiene [ops]

Consistent labeling and spares reduce MTTR; store diagrams with drop IDs; track environmental sensors for temperature/humidity.

References (APA)

  1. NIST. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). https://doi.org/10.6028/NIST.CSWP.29
  2. NIST. (2024). NIST Cybersecurity Framework 2.0: Resource & overview guide (NIST SP 1299). https://www.nist.gov/publications/nist-cybersecurity-framework-20-resource-overview-guide
  3. Center for Internet Security. (2025). CIS Critical Security Controls v8.1. https://www.cisecurity.org/controls/v8-1
  4. NIST. (2020). Security and privacy controls for information systems and organizations (NIST SP 800-53 Rev. 5). https://doi.org/10.6028/NIST.SP.800-53r5
  5. NIST. (2024). Protecting controlled unclassified information in nonfederal systems and organizations (NIST SP 800-171 Rev. 3). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.pdf
  6. OWASP. (2025). Application Security Verification Standard (ASVS). https://owasp.org/www-project-application-security-verification-standard/