Cybersecurity Glossary
Plain-language definitions for terms you will actually run into when dealing with SEC Reg S-P, NYDFS 23 NYCRR 500, and NIST CSF 2.0. Each entry notes which frameworks reference it and links to the relevant overview page.
SEC Reg S-P
Nonpublic Personal Information (NPI)
Personally identifiable financial information that a consumer provides to a financial institution, that results from a transaction, or that is otherwise obtained by the institution. NPI includes account numbers, income data, Social Security numbers, and any information on a consumer's application. Reg S-P requires firms to protect NPI through written policies, safeguards, proper disposal, and consumer notice.
Safeguards Rule
The core requirement of SEC Regulation S-P, codified as Rule 30(a). It requires SEC-registered investment advisers, broker-dealers, and transfer agents to adopt written policies and procedures addressing administrative, technical, and physical safeguards for customer records and information. The 2023 amendments added incident response program requirements and broadened the rule's scope.
Privacy Notice
A written disclosure that financial institutions must provide to customers describing the firm's information-sharing practices. Under Reg S-P, the initial privacy notice must be delivered at the time a customer relationship is established, and annual notices are required if the firm shares NPI with nonaffiliated third parties. The notice must clearly describe what information is collected, how it is shared, and how it is protected.
Opt-Out Notice
A notice that financial institutions must provide to consumers before sharing their NPI with nonaffiliated third parties (beyond certain exceptions). The opt-out notice must describe the categories of information that may be shared, the categories of third parties, and provide a reasonable method for the consumer to opt out. Firms must honor opt-out requests promptly.
Incident Response Program (IRP)
A written plan for detecting, responding to, and recovering from unauthorized access to customer information. The 2023 Reg S-P amendments made IRPs mandatory. Firms now need procedures for assessing security incidents, containing the damage, notifying affected individuals, and documenting what happened. Notification to affected individuals must generally happen within 30 days.
Service Provider (under Reg S-P)
Any third party that receives, stores, processes, or otherwise touches customer information as part of providing services to a covered financial institution. Under the amended Reg S-P, firms need written policies for overseeing these providers, including contract language requiring them to protect customer information and report security incidents.
NYDFS 500
Covered Entity (NYDFS)
Any person or organization operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. This includes banks, insurance companies, mortgage brokers, money transmitters, and licensed lenders regulated by the New York Department of Financial Services.
Cybersecurity Event
Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such a system. Under NYDFS 500 Section 500.17, covered entities must notify DFS within 72 hours of determining that a qualifying cybersecurity event has occurred. Ransomware payments trigger separate 72-hour notification and 30-day reporting requirements.
Class A Company
A category introduced by the 2023 NYDFS 500 amendments for covered entities with at least $20 million in gross annual revenue from New York operations AND either 2,000 or more employees (including affiliates) or over $1 billion in gross annual revenue (including affiliates). Class A companies face additional requirements including annual independent cybersecurity audits, endpoint detection and response, and centralized logging.
Nonpublic Information (NPI under NYDFS)
Under NYDFS 500, nonpublic information is broader than the SEC definition. It includes all business-related information whose disclosure would cause a material adverse impact, as well as any personally identifiable information that can be used to identify an individual (combined with elements like SSN, driver's license, or financial account numbers). This broader scope means NYDFS-regulated firms must protect categories of data that Reg S-P may not cover.
Penetration Testing
A controlled simulated attack on an organization's systems to find exploitable vulnerabilities. NYDFS 500 Section 500.5 requires annual pen testing from both inside and outside the system boundaries. The 2023 amendments also added automated vulnerability scanning requirements. Class A companies have additional testing obligations on top of this.
Multi-Factor Authentication (MFA)
An access control method that requires two or more verification factors: something you know (password), something you have (token or phone), or something you are (biometric). NYDFS 500 Section 500.12 requires MFA for remote network access and all privileged accounts. The 2023 amendments got rid of most earlier MFA exceptions.
Chief Information Security Officer (CISO)
The person responsible for running the cybersecurity program, enforcing its policies, and reporting annually to senior leadership. Under NYDFS 500 Section 500.4, every covered entity must designate a CISO. The CISO can be in-house, at an affiliate, or at a third-party service provider, but the covered entity is still on the hook.
Annual Certification (NYDFS 500)
A yearly filing due by April 15 in which a covered entity certifies compliance with NYDFS 500 for the preceding calendar year. The certification must be signed by the highest-ranking executive and the CISO. The 2023 amendments added the option to file an acknowledgment of noncompliance with a remediation plan instead of a full certification. Records must be retained for five years.
NIST CSF 2.0
Core Functions (Govern, Identify, Protect, Detect, Respond, Recover)
The six top-level activities in the NIST Cybersecurity Framework 2.0. Govern sets cybersecurity strategy and oversight. Identify is about understanding your assets, risks, and business environment. Protect puts safeguards in place. Detect finds cybersecurity events. Respond takes action when something is detected. Recover gets you back to normal after an incident. Govern was added in the 2.0 update.
Implementation Tiers
A scale from Tier 1 (Partial) to Tier 4 (Adaptive) that describes how well an organization's cybersecurity risk management practices match what the Framework calls for. Tiers are not maturity levels. They help you figure out the right level of rigor for your cybersecurity program given your mission, risk tolerance, and resources.
Current Profile / Target Profile
A Current Profile describes the cybersecurity outcomes you are actually achieving today. A Target Profile describes where you want to be. Comparing the two shows your gaps and helps you prioritize what to fix first. You build a profile by picking which Framework categories and subcategories apply to your risk environment and business.
Subcategory
The most granular level of the NIST CSF hierarchy. Each subcategory is a specific outcome of a technical or management activity, organized under a category, which sits under one of the six core functions. For example, PR.AC-1 (identities and credentials are issued, managed, verified, revoked, and audited) is a subcategory under Protect. Organizations pick the subcategories relevant to them when building their profiles.
Informative References
Mappings from NIST CSF subcategories to specific sections of other standards and practices (like ISO 27001, COBIT, CIS Controls, and NYDFS 500). They help you connect the Framework to your existing compliance obligations. NIST maintains these mappings in the Cybersecurity and Privacy Reference Tool (CPRT).
Cybersecurity Supply Chain Risk Management (C-SCRM)
A process for managing cybersecurity risks across the supply chain, including vendors and service providers. NIST CSF 2.0 gave C-SCRM its own category within the Govern function. It covers identifying supply chain risks, setting requirements for suppliers, monitoring their compliance, and preparing for supply chain compromises.
General Cybersecurity Compliance
Risk Assessment
A process for finding and evaluating cybersecurity risks to an organization's information systems and data. Risk assessments document threats, vulnerabilities, likelihood, potential impact, and planned mitigations. Both SEC Reg S-P and NYDFS 500 require periodic risk assessments, and NIST CSF's Identify function provides the framework for conducting them.
Business Continuity and Disaster Recovery (BCDR)
Plans and procedures for keeping operations running during a major disruption and getting back to normal afterward, whether the cause is a cyberattack, natural disaster, or system failure. NYDFS 500 Section 500.16 requires covered entities to establish written BCDR plans. NIST CSF addresses this through the Recover function. The plans must be tested periodically and updated based on what breaks.
Encryption at Rest / in Transit
Encryption at rest protects data stored on disks, databases, and backups. Encryption in transit protects data moving across networks (TLS/SSL, VPN). NYDFS 500 Section 500.15 requires encryption of nonpublic information in both states, with compensating controls allowed only with written CISO approval and annual review. Reg S-P's Safeguards Rule implicitly requires encryption as a reasonable safeguard.
Access Controls
Policies and mechanisms that restrict who can get into information systems and what data they can see, based on role and need to know. This includes user provisioning, role-based permissions, least privilege, regular access reviews, and prompt deprovisioning when people change roles or leave. All five frameworks require documented access control policies.
Audit Trail
A chronological record of system activities showing who accessed what, when, and what they did. NYDFS 500 Section 500.6 requires audit trails sufficient to detect and respond to cybersecurity events, with records maintained for at least five years (three years for certain transaction records). You need them for incident investigation, compliance verification, and regulatory exams.
Vendor Due Diligence
Evaluating the security practices of third-party vendors before and during the engagement. This means reviewing their cybersecurity policies, incident response capabilities, insurance coverage, and compliance certifications. Both Reg S-P and NYDFS 500 require written policies for vendor oversight. NIST CSF addresses this through the C-SCRM component of the Govern function.
Data Classification
Sorting data into buckets based on how sensitive it is, what regulations apply, and its business value (for example: public, internal, confidential, restricted). Classification drives decisions about encryption, access controls, retention, and disposal. NYDFS 500 Section 500.13 requires policies for data retention and disposal, and NIST CSF's Identify function includes asset and data classification as a baseline activity.
HIPAA & Healthcare
Protected Health Information (PHI)
Individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. Includes medical records, lab results, billing data, and any information that can identify a patient and relates to their health condition, treatment, or payment. When stored or transmitted electronically, it's called ePHI.
Covered Entity (HIPAA)
Health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically. These organizations must comply with all HIPAA Administrative Simplification rules including the Privacy, Security, and Breach Notification Rules.
Business Associate
A person or entity that performs functions or activities on behalf of a covered entity that involve access to PHI. Examples include cloud hosting providers, billing companies, EHR vendors, and IT consultants. Business associates must sign a Business Associate Agreement (BAA) and comply with HIPAA Security Rule requirements directly.
Business Associate Agreement (BAA)
A written contract between a covered entity and a business associate that establishes what the business associate can do with PHI, requires safeguards, mandates breach reporting, and ensures the associate will return or destroy PHI when the contract ends. HIPAA requires a BAA before any PHI is shared with a business associate.
Breach Notification Rule
HIPAA and HITECH require covered entities to notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500+ individuals must also be reported to HHS and prominent media outlets. The HITECH Act strengthened these requirements and extended them to business associates.
Minimum Necessary Standard
The principle that covered entities should limit PHI use, disclosure, and requests to the minimum amount needed to accomplish the intended purpose. Staff should only have access to the PHI they need for their job function. This applies to internal use, disclosures to business associates, and requests from other covered entities.
Banking & Credit Unions
FFIEC IT Examination
The Federal Financial Institutions Examination Council publishes IT examination handbooks that bank examiners use to assess information security, business continuity, authentication, outsourced technology, and other IT controls. Banks and credit unions are examined against these standards by their primary regulator (OCC, FDIC, Federal Reserve, or NCUA).
GLBA Safeguards Rule
Section 501(b) of the Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of customer information. The FTC's Safeguards Rule (16 CFR 314) implements this for non-bank financial institutions. The 2023 amendments added requirements for a qualified individual, written risk assessments, access controls, encryption, MFA, and incident response.
NCUA Part 748
The National Credit Union Administration's regulation requiring federally insured credit unions to develop and implement a written information security program. Includes Appendix A (safeguards guidelines) and Appendix B (breach notification with a 72-hour reporting window to NCUA for incidents affecting 500+ members).
Qualified Individual
Under the FTC Safeguards Rule (2023 amendments), financial institutions must designate a single qualified individual responsible for overseeing, implementing, and enforcing the information security program. This person does not need to be an employee — the role can be outsourced — but the institution remains responsible for compliance.
Education (FERPA)
Education Records
Records directly related to a student that are maintained by an educational agency or institution, or by a party acting for the agency. Includes grades, transcripts, disciplinary records, financial aid information, and enrollment data. FERPA gives parents (and eligible students over 18) the right to inspect, review, and request amendments to these records.
Directory Information
Student information that an institution has designated as publicly releasable without consent — typically name, address, phone number, email, dates of attendance, degree, and enrollment status. Institutions must notify students of what they designate as directory information and provide an opt-out period before disclosing it.
Eligible Student
A student who has reached 18 years of age or is attending a postsecondary institution. At that point, FERPA rights transfer from the parent to the student. The student then controls access to their education records, consent for disclosures, and amendment requests.
Legitimate Educational Interest
The standard that allows school officials to access education records without student consent. A school official has a legitimate educational interest if they need to review a record to fulfill their professional responsibilities — teaching, advising, administering financial aid, or maintaining safety. Institutions must define this term in their annual FERPA notification.
SOC 2 & Audit
Trust Services Criteria (TSC)
The AICPA's five categories for evaluating controls at a service organization: Security (always required), Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report covers Security plus whichever additional categories are relevant to the service being audited.
SOC 2 Type I vs Type II
Type I evaluates whether controls are suitably designed at a specific point in time. Type II evaluates both design and operating effectiveness over a period (usually 6-12 months). Type II is more rigorous because it requires the auditor to test that controls actually worked throughout the review period, not just that they exist on paper.
Common Criteria (CC)
The 9 control areas within the Security category of SOC 2: Control Environment (CC1), Communication and Information (CC2), Risk Assessment (CC3), Monitoring Activities (CC4), Control Activities (CC5), Logical and Physical Access Controls (CC6), System Operations (CC7), Change Management (CC8), and Risk Mitigation (CC9). Every SOC 2 audit evaluates all 9.
Legal & Accounting
ABA Model Rules (Technology Ethics)
The American Bar Association's Model Rules of Professional Conduct impose duties of competence (Rule 1.1), confidentiality (Rule 1.6), and supervision (Rules 5.1-5.3) that extend to technology use. Comment 8 to Rule 1.1 requires lawyers to understand the risks and benefits of technology relevant to their practice, including cybersecurity for client data.
IRS Written Information Security Plan (WISP)
IRS Publication 4557 requires tax preparers to have a written plan documenting how they protect taxpayer data. The WISP must identify all types of taxpayer PII handled (SSNs, EINs, W-2s, bank accounts), describe safeguards, and be signed by the firm owner. This is a legal requirement under the FTC Safeguards Rule as applied to tax preparers.
Security Scanning & CTEM
CTEM (Continuous Threat Exposure Management)
An ongoing process for discovering, prioritizing, and validating security exposures across your environment. Unlike point-in-time assessments, CTEM continuously identifies what attackers could exploit — exposed services, misconfigurations, vulnerable software, and credential leaks — then tracks remediation through verification. The five CTEM stages are: Scoping, Discovery, Prioritization, Validation, and Mobilization.
MITRE ATT&CK Framework
A knowledge base of adversary tactics and techniques based on real-world observations. Tactics describe the attacker's goal (Reconnaissance, Initial Access, Credential Access, Lateral Movement, etc.) and techniques describe how they achieve it. BlackSheep maps all scan findings to ATT&CK tactics so you can prioritize fixes based on how attackers actually operate, not just abstract severity ratings.
Attack Surface
Every system, service, and entry point that an attacker could target. This includes domains, subdomains, exposed ports, cloud storage, admin panels, API endpoints, and any publicly accessible infrastructure. Attack surface management means continuously discovering and reducing these entry points. BlackSheep discovers your attack surface through CT log enumeration, DNS brute-force, banner grabbing, and OWASP passive checks.
Compensating Control
An alternative security measure that mitigates a risk when the primary control is not feasible or not yet in place. For example, if an open port is flagged as a risk but your endpoint firewall already blocks external access to it, the firewall is a compensating control. BlackSheep automatically detects compensating controls by cross-referencing endpoint, M365, and cloud assessment data against scan findings.
Remediation Workflow
The process of tracking a security finding from discovery through resolution. BlackSheep uses a five-stage pipeline: Open (newly discovered), Acknowledged (team is aware), In Progress (fix is underway), Remediated (fix deployed), and Verified (fix confirmed working). This provides auditors with evidence of continuous security improvement rather than just a list of findings.
OWASP Passive Security Checks
Security tests that analyze publicly accessible information without sending malicious payloads or requiring authentication. BlackSheep performs passive checks including HTTP method enumeration, security.txt validation, open redirect detection, subdomain takeover risk assessment, API endpoint discovery, and HTTPS redirect chain analysis. These overlap with checks from tools like OWASP ZAP and Burp Suite but are safe for automated compliance scanning.
Subdomain Takeover
A vulnerability that occurs when a subdomain points to a cloud service (like GitHub Pages, Heroku, or AWS S3) that has been decommissioned but the DNS record was never removed. An attacker can claim the abandoned service and serve malicious content under your domain name, making phishing attacks highly convincing. BlackSheep scans for dangling CNAME records pointing to unclaimed services.
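The dangling-CNAME check described above, written out as an added example (this is not BlackSheep's code). It assumes DNS is reached through a resolver callback so the constructed sample zone runs offline; the third-party suffix list and all hostnames are constructed for illustration.

```python
"""Dangling-CNAME check for subdomain takeover risk (added example).

A subdomain whose CNAME target no longer resolves (NXDOMAIN) is a takeover
candidate, especially when the target sits on a third-party platform where
anyone can register a name. DNS lookups go through a resolver callback so
the constructed sample below runs offline; wrap a real DNS library in the
callback to run it against your own zone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed, illustrative list of platform suffixes reached via CNAME.
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".s3.amazonaws.com")


@dataclass
class Finding:
    subdomain: str
    cname_target: str
    reason: str


# A resolver returns the A records for a hostname, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def is_third_party(target: str) -> bool:
    """True when the CNAME target lives on one of the listed platforms."""
    return target.lower().rstrip(".").endswith(THIRD_PARTY_SUFFIXES)


def find_dangling_cnames(cnames: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Return subdomains whose CNAME target does not resolve.

    cnames maps each subdomain to its CNAME target. NXDOMAIN on a
    third-party target is the classic takeover shape; NXDOMAIN elsewhere
    is still reported, as a stale record that should be cleaned up.
    """
    findings: List[Finding] = []
    for sub, target in sorted(cnames.items()):
        if resolve(target) is not None:
            continue  # target still resolves: nothing dangling
        reason = ("NXDOMAIN on third-party target: takeover candidate"
                  if is_third_party(target)
                  else "NXDOMAIN on CNAME target: stale record")
        findings.append(Finding(sub, target, reason))
    return findings


# Constructed sample zone (example.com is reserved for documentation).
SAMPLE_CNAMES = {
    "docs.example.com": "example-docs.github.io",
    "shop.example.com": "old-shop.herokuapp.com",      # app deleted
    "www.example.com": "example.com.cdn-provider.invalid",  # stale record
    "blog.example.com": "example-blog.github.io",
}
# Constructed resolver answers; names absent here return NXDOMAIN.
SAMPLE_ANSWERS = {
    "example-docs.github.io": ["192.0.2.10"],
    "example-blog.github.io": ["192.0.2.11"],
}


def sample_resolver(host: str) -> Optional[List[str]]:
    return SAMPLE_ANSWERS.get(host)


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_CNAMES, sample_resolver):
        print(f"{f.subdomain} -> {f.cname_target}: {f.reason}")
```

An NXDOMAIN check alone misses platforms that keep the name resolving and return a "no such site" page instead, so a production scanner also inspects the HTTP response from the target.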
Compliance Drift
The gradual divergence between your documented compliance posture and your actual security state. This happens when controls expire without re-validation, policies go past their review dates, or AI-set controls are never manually verified. BlackSheep continuously monitors for drift and alerts you when your compliance documentation no longer reflects reality.
You know the terms. Now track the requirements.
BlackSheep maps every requirement from Reg S-P, NYDFS 500, NIST CSF, DOL EBSA, and FINRA into one dashboard. See exactly where your gaps are in 30 minutes. Pre-built templates — you fill in what applies to your firm.
$249/month. That's less than one hour of a compliance consultant's time. Set up in an afternoon, not a quarter.
30-day money-back guarantee. If it doesn't save you time in the first month, you pay nothing.