acceptable risk
The level of residual risk that has been determined to be a reasonable level of potential loss / disruption for a specific IT system.
antivirus
Software that is designed to detect, stop and remove viruses and other types of malicious software.
attack surface
The set of services and interfaces available on a system or an environment which an attacker can use to try to enter, cause an effect on, or extract data from, that system or environment.
attacker
Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the outcome.
breach
An incident in which data, computer systems or networks are accessed or affected in a non-authorised way.
bring your own device (BYOD)
An organisation's strategy or policy that allows employees to use their own personal devices for work purposes.
cloud
Where shared compute and storage resources are accessed as a service (usually online), instead of being hosted locally on physical servers. Resources can include infrastructure, platform, or software services.
councillors
While councillors have distinct roles, the framework uses the following four key distinctions:
- leader of the council or chair of risk committee – should be actively aware of and engaged in policy and risk management
- scrutiny committee and audit committee members – will be providing the appropriate level and timeliness of critical analysis of cyber risk
- cabinet members and portfolio-holders – to be broadly aware of cyber, but in relation to business continuity of the specific areas of interest in particular
- all other councillors – should be digitally equipped to understand and to follow good cyber practice.
Cyber 360
A combination of interviews, document review and other activities in relation to the LGA Cyber 360 framework indicators of good practice.
cyber attack
Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.
cyber incident
A breach of the security rules for a system or service such as:
- attempts to gain unauthorised access to a system and / or to data
- unauthorised use of systems for the processing or storing of data
- changes to a system's firmware, software or hardware without the system owner's consent
- malicious disruption and/or denial of service.
cyber security
The protection of devices, services and networks, and the information on them, from theft or damage.
cyber security risk
Cybersecurity risk is the probability of exposure or loss resulting from a cyber attack or data breach.
data at rest
Describes data in persistent storage such as hard disks, removable media, or backups.
defence in depth
An information / cyber security strategy integrating people, technology, and processes to establish variable defensive mechanisms across multiple layers and dimensions in order to protect valuable data and information.
DPA (Data Protection Act 2018)
Data Protection Act 2018
DSPT (data security and protection toolkit)
For example, NHS Digital's Data Security and Protection Toolkit
encryption
A mathematical function that protects information by making it unreadable by everyone except those with the key to decode it.
EUD (end user device)
Collective term to describe modern smartphones, laptops and tablets that connect to an organisation's network.
essential services
Processes and services which, if interrupted, will cause adverse effects to the public.
executive team (the ‘board’, the ‘directors’, executive leadership)
This is assumed to be a relatively small group, led by the chief executive, chief operating officer or, in unusual circumstances, the leader of the council. This framework uses the following three key distinctions:
- the chief executive – ultimately responsible for ensuring appropriate interrogation, management, and mitigation of risks, of which cyber is a key part
- the executive board – the small group of directors responsible for the major parts of the council operations who must receive regular risk reports, and make judgements about appropriate practices and interventions regarding cyber
- the wider leadership team – typically directors and assistant directors covering all of the main service areas of the council (they will often be the owners of business continuity plans, as well as line-of-business systems and data; their understanding of data handling, cyber risk, IT disaster recovery and its link to business continuity is key).
exploit
May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.
framework
'Framework' or 'the framework' is used to describe the collection of documents and processes that make up the entirety of the LGA Cyber 360 Framework, which includes, but is not limited to, the following:
- LGA Cyber 360 Framework (this document)
- LGA Cyber 360 application methodology
- CSIR (Council of Scientific & Industrial Research) tabletop template.
governance
The policies, procedures, and processes to manage and monitor the organisation’s regulatory, legal, risk, environmental, and operational requirements.
HMG SPF
Her Majesty's Government Security Policy Framework
information security
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
insider threat
The potential for damage to be done maliciously or inadvertently by a legitimate user with access to systems, networks, or data.
IT resilience
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by IT resources.
Just-in-Time access
Just-in-Time (JIT) access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis.
malware
Malicious software – a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.
mitigation
Steps that organisations and individuals can take to minimise and address risks.
multi-factor authentication (MFA)
An authentication system that requires more than one distinct authentication factor for successful authentication.
network
Two or more computers linked to share resources.
patching
Applying updates to firmware or software to improve security and/or enhance functionality.
penetration test (pentest)
An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.
phishing
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
platform
The basic hardware (device) and software (operating system) on which applications can be run.
policy
Statements, rules or assertions that specify the correct or expected behaviour of an entity.
ransomware
Malicious software that makes data or systems unusable until the victim makes a payment.
risk appetite
The types and amount of risk, on a broad level, an organisation is willing to accept in its pursuit of business activities.
risk assessment
The process of identifying, estimating, and prioritising risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the Government.
risk management
The process of managing risks to organisational operations (including mission, functions, image, reputation), organisational assets, individuals, other organisations, and the Government, resulting from the operation of an information system, and includes:
- the conduct of a risk assessment
- the implementation of a risk mitigation strategy
- employment of techniques and procedures for the continuous monitoring of the security state of the information system.
risk mitigation / risk treatment
Prioritising, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
risk reporting
Risk reporting is the method of communicating risks and the results of risk mitigation activities to decision makers and relevant stakeholders.
risk tolerance
The level of risk or the degree of uncertainty that is acceptable to an organisation.
security incident
A breach of the security rules for a system or service, such as:
- attempts to gain unauthorised access to a system and/or data
- unauthorised use of systems for the processing or storing of data
- changes to a system's firmware, software, or hardware without the system owner's consent
- malicious disruption and/or denial of service.
sanitisation
Using electronic or physical destruction methods to securely erase or remove data from memory.
secure baseline builds
A documented set of specifications, settings and configurations for an information system build that are designed to protect against threats and vulnerabilities.
social engineering
Manipulating people into carrying out specific actions, or divulging information, useful to an attacker.
two-factor authentication (2FA)
The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication (MFA).
virus
Programs which can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.
vulnerability
A weakness, or flaw, in software, a system or process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.
whaling
Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.