Technical Security Measures - posted by guest on 27th July 2020 05:20:20 PM

Access Control Lists - A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. (ISO 27001 A.9.4.1-2; MLPS Article 20(7) and 20(9))

Anonymization - A process that removes the association between the identifying dataset and the data subject.

Anti-Malware - A program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected. (ISO 27001 A.12.2.1; MLPS Article 20(4), GB/T 22239-2019 6.1.4, GB/T 22239-2019 6.1.9)

Breach Detection Tools - A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner. (CCP Article 20(4))

Data Backup - A copy of information to facilitate recovery during the cryptoperiod of the key, if necessary. (ISO A.12.3.1, CCP Article 20(6), GB/T 22239-2019 6.1.4, GB/T 22239-2019 6.1.9)

Data Loss Prevention - DLP - A system's ability to identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep packet content inspection and contextual security analysis of transactions (attributes of originator, data object, medium, timing, recipient/destination, etc.), within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information. (CCP Article 31)

Encryption - The cryptographic transformation of data to produce ciphertext. (ISO A.10.1.1-2, CCP Article 20(6) and Article 47)

Firewalls - An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be “inside” the firewall) and thus protects that network’s system resources against threats from the other network (the one that is said to be “outside” the firewall). (CCP Article 20(4))

Intrusion Detection tools - A software application that can be implemented on host operating systems or as network devices to monitor activity that is associated with intrusions or insider misuse, or both. (CCP Article 20(4))

Intrusion Detection System - An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Logging - Cataloging of network data, most likely via the Firewall or another monitoring tool. (ISO A.12.4.1-4; Article 20(5))

Logical Access Control - An automated system that controls an individual’s ability to access one or more computer system resources such as a workstation, network, application, or database. A logical access control system requires validation of an individual’s identity through some mechanism such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different persons depending on their roles and responsibilities in an organization. (ISO 27001 A.9.2.1-4, A.9.3.1; CCP GB/T 22239-2019 6.1.4 Computing environment security, 6.1.2 Communication network security)
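The two entries above (Access Control Lists and Logical Access Control) describe the same check from two sides: identity is validated first, then the object's permission list decides the operation. The following is an added illustration, not from the original glossary; the users, roles, PINs, object name and operations are constructed, and a default-deny rule is assumed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: one protected object with an ACL, plus the PIN validation a
# logical access control system performs first. Users, roles, PINs and the object name are made up.
PBKDF2_ROUNDS = 100_000

@dataclass(frozen=True)
class AclEntry:
    principal: str          # a user ("alice") or a role ("role:auditor")
    operations: frozenset   # operations this entry permits, e.g. {"read"}

@dataclass
class ProtectedObject:
    name: str
    acl: list = field(default_factory=list)

    def is_allowed(self, user: str, roles: set, operation: str) -> bool:
        """Default deny: grant only if an entry names the user or one of their roles."""
        principals = {user} | {f"role:{r}" for r in roles}
        return any(e.principal in principals and operation in e.operations
                   for e in self.acl)

def enroll_pin(pin: str) -> dict:
    """Keep a salted PBKDF2 hash of the PIN, never the PIN itself."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)}

def verify_pin(record: dict, pin: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

# Constructed directory: credential record and roles per user.
USERS = {
    "alice": {"pin": enroll_pin("2468"), "roles": {"payroll-admin"}},
    "bob": {"pin": enroll_pin("1357"), "roles": {"auditor"}},
}
PAYROLL_DB = ProtectedObject("payroll.db", [
    AclEntry("role:payroll-admin", frozenset({"read", "write"})),
    AclEntry("role:auditor", frozenset({"read"})),
])

def authorize(user: str, pin: str, operation: str, obj: ProtectedObject = PAYROLL_DB) -> bool:
    """Validate identity first, then apply the object's ACL; anything unmatched is denied."""
    account = USERS.get(user)
    if account is None or not verify_pin(account["pin"], pin):
        return False
    return obj.is_allowed(user, account["roles"], operation)
```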

Masking - The process of systematically removing a field or replacing it with a value in a way that does not preserve the analytic utility of the value, such as replacing a phone number with asterisks or a randomly generated pseudonym.

Mobile Device Management (MDM) tools - Mobile device management (MDM) is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization.

Multi-factor Authentication - Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Network Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (CCP 20(9))

Password Selection and Aging Procedures - A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

Pseudonymization - A particular type of de-identification that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms. Typically, pseudonymization is implemented by replacing direct identifiers with a pseudonym, such as a randomly generated value.
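The Anonymization, Masking and Pseudonymization entries above differ in what survives the transformation: masking destroys the value's utility, pseudonymization keeps rows of one subject linkable through a separately held mapping, and anonymization keeps no mapping at all. The following is an added illustration, not from the original glossary; the records, field names and pseudonym format are constructed.

```python
import re
import secrets

# Constructed example records; the names and phone numbers are made up.
RECORDS = [
    {"name": "Alice Zhang", "phone": "+86 138 0013 8000", "visits": 3},
    {"name": "Bob Li", "phone": "+86 139 0013 9000", "visits": 1},
    {"name": "Alice Zhang", "phone": "+86 138 0013 8000", "visits": 5},
]
DIRECT_IDENTIFIERS = ("name", "phone")

def mask(record: dict) -> dict:
    """Masking: replace every digit of the phone with '*' and blank the name.
    Nothing links the two Alice rows afterwards, so analytic utility is lost."""
    out = dict(record)
    out["phone"] = re.sub(r"\d", "*", record["phone"])
    out["name"] = "*" * len(record["name"])
    return out

class Pseudonymizer:
    """Pseudonymization: swap direct identifiers for a random value, keeping the
    mapping apart from the data so the same subject always gets the same pseudonym."""
    def __init__(self):
        self._table = {}  # (name, phone) -> pseudonym; held separately, access-controlled

    def apply(self, record: dict) -> dict:
        key = tuple(record[f] for f in DIRECT_IDENTIFIERS)
        if key not in self._table:
            self._table[key] = "P-" + secrets.token_hex(6)   # constructed pseudonym format
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = self._table[key]
        return out

    def reidentify(self, pseudonym: str):
        """Only the holder of the mapping table can reverse a pseudonym."""
        for key, p in self._table.items():
            if p == pseudonym:
                return dict(zip(DIRECT_IDENTIFIERS, key))
        return None

def anonymize(record: dict) -> dict:
    """Anonymization: remove the direct identifiers and keep no mapping at all."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def per_subject_visits(pseudonymized: list) -> dict:
    """Aggregation still works on pseudonymized data: one subject's rows stay linkable."""
    totals = {}
    for r in pseudonymized:
        totals[r["subject"]] = totals.get(r["subject"], 0) + r["visits"]
    return totals
```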

Regular Software updates - Updating system software, including third-party software, when newer versions become available. Organizations can automate this or manually update nightly/weekly/monthly as needed. (ISO 27001 A.12.5.1, GB/T 22239-2019 6.1.4 Computing environment security)

Tokenization - The means used to confirm the identity of a user, process, or device (e.g., user password or token).

Vulnerability Detection Tools - Tools that scan the network for vulnerabilities. Ex: Nessus (ISO 27001 A.16.6.1-2, CCP Article 20(4) and (8); GB/T 22239-2019 6.1.9 Secure operation and maintenance management)

Vulnerability Management Process - The cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.

Capacity Monitoring - Capacity is monitored to ensure system performance. (ISO 27001 A.12.1.3)

Segregation of Environments - Operational environments are separated from development and testing environments to reduce risks to the operational environment. (ISO 27001 A.12.1.4; CCP 6.1.8 Built-out management security)

Control of software installation - Procedures are implemented to control the installation of software on operational systems. (ISO 27001 A.12.5.1; CCP Article 20(3))

Network security management - (ISO 27001 A.13.1.1-3; CCP Article 31 Data Information and Security Protections)

Electronic Messaging Protection - Tools or methodologies used to ensure information involved in electronic messaging is appropriately protected. (ISO 27001 A.13.2.3, CCP GB/T 22239-2019 6.1.2 Communication network security)

System acquisition, development and maintenance - As new systems are acquired, developed, and maintained, the same level of technical requirements should be applied. (ISO 27001 A.14.1.1-3; CCP Article 31 Data Information and Security Protections)

Test Data - Test data should be selected carefully, protected and controlled. (ISO 27001 A.14.3.1; CCP Article 31 Data Information and Security Protections)

Redundancies - Systems should utilize redundancies to ensure availability of information processing facilities. (ISO 27001 A.17.2.1; CCP GB/T 22239-2019, 6.1.9 Secure operation and maintenance management)
