Enable AI readiness, reduce data risk in real time, and continuously strengthen compliance in a single unified platform.
Protect and control your data and AI, with the speed, scale, and precision that’s only possible with Cyera.
See why leading organizations choose to secure their data with Cyera
We're redefining how the world secures its data in the AI era.
The process of restricting access to resources, such as computers, files, or services, to authorized users only.
Active data collection refers to data that is collected knowingly and transparently from the user, such as through a web form, check box, or survey.
Under the GDPR, Adequate Level of Protection refers to the level of data protection that the European Commission requires of a third country or international organization before approving cross-border data transfers to it (an "adequacy decision"). In making that judgment, the European Commission considers not only the data protection rules and security measures of the third country or international organization, but also the rule of law, respect for human rights, and the enforcement of compliance and data protection rules.
A type of behavior or action that seems abnormal when observed in the context of an organization and a user's historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.
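The profile-and-score approach described in the entry above, as an added example that is not part of the original glossary. It builds a baseline for one user from constructed login events (hour of day, country, bytes transferred) and scores a new event on three features. The 5 percent rarity cutoff, the 3-sigma volume threshold, and the two-feature alerting policy are assumptions chosen for illustration, not values from the page.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed history for one user: (hour_of_day, country, bytes_transferred).
# These are made-up sample events, not data from the page.
HISTORY = [
    (9, "US", 1200), (10, "US", 3400), (9, "US", 900), (14, "US", 2100),
    (11, "US", 1800), (16, "US", 2600), (10, "US", 1500), (15, "US", 2200),
    (9, "US", 1100), (13, "US", 1900), (10, "US", 2000), (17, "US", 2400),
]

RARE_HOUR_FRACTION = 0.05   # assumption: an hour seen in <5% of history is "unusual"
SIGMA_MULTIPLIER = 3.0      # assumption: volume above mean + 3 sigma is "unusual"


@dataclass
class Profile:
    hours: Counter          # how often each hour of day appears in history
    countries: Counter      # how often each country appears in history
    mean_bytes: float
    std_bytes: float
    total: int


def build_profile(events):
    """Build a per-user baseline from historical events."""
    sizes = [b for _, _, b in events]
    mean = sum(sizes) / len(sizes)
    variance = sum((s - mean) ** 2 for s in sizes) / len(sizes)
    return Profile(
        hours=Counter(h for h, _, _ in events),
        countries=Counter(c for _, c, _ in events),
        mean_bytes=mean,
        std_bytes=variance ** 0.5,
        total=len(events),
    )


def score_event(profile, event):
    """Return (score, reasons): one point per feature that deviates from the baseline."""
    hour, country, nbytes = event
    reasons = []
    if profile.hours[hour] / profile.total < RARE_HOUR_FRACTION:
        reasons.append(f"login at {hour:02d}:00 is rare for this user")
    if profile.countries[country] == 0:
        reasons.append(f"first login from {country}")
    if nbytes > profile.mean_bytes + SIGMA_MULTIPLIER * profile.std_bytes:
        reasons.append(f"transfer of {nbytes} bytes exceeds baseline")
    return len(reasons), reasons


def is_anomalous(profile, event, min_score=2):
    """Treat an event as anomalous when at least two features deviate (assumed policy)."""
    return score_event(profile, event)[0] >= min_score


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for ev in [(10, "US", 2000), (14, "DE", 1000), (3, "RO", 250000)]:
        score, why = score_event(profile, ev)
        print(ev, score, why)
```

A single deviating feature (a first login from a new country during normal hours) is reported but not alerted on, which is the usual trade-off between catching travel and drowning analysts in noise; the 03:00 login from a new country that also moves far more data than the user ever has trips all three features and is the pattern that usually means a compromised account.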
Data anonymization is a process that alters personally identifiable information (PII) so that it can no longer be used to identify an individual. This can be done by removing identifying values from data sets or by generalizing them (for example, replacing an exact birth date with a year). Anonymization is irreversible; a reversible substitution of identifiers is pseudonymization, which the GDPR still treats as personal data.
Anonymous data is data that is not related to an identifiable individual and cannot be used in combination with other data to identify individuals. Anonymous data is not protected by the GDPR.
In the context of the GDPR, Appropriate Safeguards (Article 46) are the legal mechanisms that allow personal data to be transferred to a third country that lacks an adequacy decision: standard contractual clauses, binding corporate rules, approved codes of conduct, or approved certification mechanisms, each backed by enforceable data subject rights and effective legal remedies. Whatever the transfer mechanism, the GDPR's data protection principles (transparency, data minimization, storage limitation, accuracy, a legal basis for processing, and purpose limitation) continue to apply to the processing.
The act of systematically examining, evaluating, and analyzing an organization's assets to ensure compliance and security standards are met.
A trail of files, logs, or paperwork used to record an activity for auditing purposes.
The process of verifying a claimed identity and proving that someone is who they claim to be when attempting to access a resource.
Data processing that is performed without human interaction.
Brazil enacted a new legal framework in August 2018 to govern the use and processing of personal data: the General Data Protection Law (Lei Geral de Proteção de Dados, LGPD). The law consolidates some 40 earlier laws that dealt with the protection of privacy and personal data, and aims to guarantee individual rights and encourage economic growth by creating clear and transparent rules for data collection.
Breach Readiness is analyzing your organization’s ability to respond to a breach. This includes developing and maintaining an incident response plan, establishing a response team, and setting up the necessary tools and resources.
An acronym for Cloud Access Security Broker: a security control that monitors and governs the cloud applications an organization's employees use. Typically the control is enforced by routing web traffic through a forward or reverse proxy, or by connecting to the SaaS provider's API. CASBs are useful for managing shadow IT and limiting employees' use of particular SaaS applications, or their activity within them, but they do not see third-party activity inside the cloud service itself, such as documents shared with or email sent by external users.
An acronym for the California Consumer Privacy Act, a California state law (effective January 1, 2020) that gives California residents rights over the personal information businesses collect about them.
An acronym for Chief Data Officer: the executive within an organization responsible for data strategy, governance, and quality. The CDO is distinct from the CISO, who heads information security.
A certification is a declaration by a certifying body that an organization or product meets certain security or compliance requirements.
An acronym for Chief Information Security Officer: the executive within an organization responsible for its information security program, including security strategy, risk management, and incident response.
Explore cloud data, its types, benefits, challenges, and tools for storage, analytics, and management in modern cloud environments.
Learn what cloud data governance is, why it matters, key challenges, best practices, and how Cyera helps you secure and govern cloud data.
Discover what cloud data protection is and how to safeguard sensitive information with encryption, access control, data loss prevention, DSPM, and backup and recovery.
A database service which is deployed and delivered through a cloud service provider (CSP) platform.
An acronym for Cybersecurity Maturity Model Certification, a US Department of Defense framework that Defense Industrial Base contractors must meet in order to handle Federal Contract Information and Controlled Unclassified Information.
The guarantee that information is only available to those who are authorized to use it.
In the context of privacy, consent is a data subject's agreement to, or refusal of, the collection and processing of their personal data. Consent can be explicit, such as opting in via a form, or implied, such as accepting an End-User License Agreement or failing to opt out. Under the GDPR, consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action, so implied consent (a pre-ticked box or silence) is not valid.
An acronym for Controlled Unclassified Information: information created or possessed by the US government that requires safeguarding or dissemination controls under law, regulation, or government-wide policy, but that is not classified.
An acronym for Chief Privacy Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.
The transfer of personal data from one legal jurisdiction, such as the EU, to another, such as the US. Many data protection laws place major restrictions on cross-border data transfers.
An acronym for Cloud Service Provider. This is any company that sells a cloud computing service, be it PaaS, IaaS, or SaaS.
The protection of information and communications against damage, exploitation, or unauthorized use.
Learn what data access governance is, its importance, benefits, and how it helps secure sensitive data while ensuring compliance and efficient access control.
A data breach is a security incident during which sensitive, protected, or confidential data has been accessed by or exposed to unauthorized entities. These incidents may expose protected health information (PHI), personally identifiable information (PII), intellectual property, classified information, or other confidential data.
The act of notifying regulators, and the affected individuals, that a data breach has occurred. Under Article 33 of the GDPR, a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals; under Article 34, it must notify the affected data subjects without undue delay when the breach is likely to result in a high risk to them.
A data broker is an entity that collects individuals' personal data and sells it to third parties with whom those individuals have no direct relationship. The term comes from US state law (for example, California's data broker registration statute); the GDPR does not use it, treating a broker as a data controller like any other.
An organized inventory of data assets in the organization. Data catalogs use metadata to help organizations manage their data. They also help data professionals collect, organize, access, and enrich metadata to support data discovery and governance.
The process of dividing the data into groups of entities whose members are in some way similar to each other. Data privacy and security professionals can then categorize that data as high, medium, and low sensitivity data.
A definition that allows each type of data in a data store to be programmatically detected, typically using a test or algorithm. Data privacy and security professionals associate data classes with rules that define actions that should be taken when a given data class is detected. For example, sensitive information or PII should be tagged with a business term or classification, and further for some sensitive data classes a specific data quality constraint should be applied.
Data classification is the process of organizing data into relevant categories to make it simpler to retrieve, sort, use, store, and protect.
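A minimal detector of the kind the data class entry above describes, as an added example that is not from the original page. Each data class is a detection pattern plus, where one exists, a validation rule; the Luhn checksum on card-number candidates is what keeps a 16-digit order reference from being tagged as a payment card, which is the false-positive problem a later entry on this page describes. The sample text, the three classes, and their sensitivity levels are constructed for illustration.

```python
import re

# Data classes: a detection pattern, a sensitivity level, and (below) an optional validator.
# The three classes and their levels are constructed for this example.
DETECTORS = {
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "medium"),
    "us_ssn":      (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "high"),
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "high"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate(data_class, value):
    """Secondary check that turns a regex hit into a confirmed finding."""
    if data_class == "credit_card":
        digits = re.sub(r"\D", "", value)
        return 13 <= len(digits) <= 19 and luhn_ok(digits)
    return True


def classify(text):
    """Return a list of (data_class, matched_value, sensitivity) confirmed in text."""
    findings = []
    for name, (pattern, level) in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group()
            if validate(name, value):
                findings.append((name, value, level))
    return findings


def highest_sensitivity(findings):
    """Roll the per-match levels up to a label for the whole document."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f[2] for f in findings), key=order.get, default="low")


# Constructed sample record; the card number is the standard Visa test number
# and the "order ref" is a 16-digit value that fails the Luhn check.
SAMPLE = ("Contact alice@example.com, SSN 123-45-6789, card 4111 1111 1111 1111, "
          "order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
    print("document sensitivity:", highest_sensitivity(classify(SAMPLE)))
```

The regex alone would report two "cards" in the sample; the checksum drops the order reference, and the roll-up then labels the document high sensitivity because of the SSN and the real card number. In a real scanner the validators are where most of the precision comes from, and the class-to-action mapping (tag, quarantine, restrict sharing) hangs off the confirmed findings, not the raw regex hits.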
According to the GDPR, a data controller is an organization, agency, public authority, or individual that determines the purposes and means (the why and how) of processing personal data. The controller may process the data itself or engage a third-party data processor to do so on its behalf.
In communications, data flow is the path taken by a message from origination to destination that includes all nodes through which the data travels.
An illustration that shows the way information flows through a process or system. Data flow diagrams include data inputs and outputs, data stores, and the various subprocesses the data moves through.
Also known as a record of authority, a data inventory identifies personal data within systems and supports mapping how that data is stored and shared. Maintaining such records is required or implied by privacy regulations including the GDPR (whose Article 30 record of processing activities serves this purpose), the CCPA, and the CPRA.
The requirement that data be physically stored in the country or group of countries in which it originated. Data localization mandates appear in some national laws, such as China's Cybersecurity Law (CSL) and Russia's data localization law. The GDPR, by contrast, does not require localization: personal data of individuals in the EU may be stored outside the EU, but only under the Chapter V transfer rules (an adequacy decision, appropriate safeguards such as standard contractual clauses, or a specific derogation).
The loss of data, whether through accidental deletion, corruption, hardware failure, or theft.
What is DLP?
Learn what Data Loss Prevention (DLP) is, how it works, key benefits, and how to choose the right DLP solution to protect sensitive business data.
A privacy concept that states data collectors should only collect and retain the bare minimum of personal data that is necessary for the data processor to perform their duties, and should delete that data when it is no longer necessary.
Any action that is performed on personal data or sets of personal data, such as collecting, structuring, storing, or disseminating that data.
The GDPR defines a data processor as any natural or legal person, public authority, agency, or other body that processes personal data on behalf of a data controller. Unlike the controller, the processor does not decide the purposes of the processing and must act only on the controller's documented instructions.
A legal term referring to laws and regulations aimed at protecting the personal data of individuals and determining that data’s fair use.
An acronym for Data Protection Authority. This is an independent public authority set up to supervise and enforce data protection laws in the EU. Each EU member state has its own DPA.
A Data Protection Impact Assessment (DPIA) is a requirement that compels businesses to assess the risk and impact of their processing activities. Under Article 35 of the GDPR, a DPIA is mandatory where processing is likely to result in a high risk to individuals. While the CCPA as originally passed did not require a DPIA, the California Privacy Rights Act (CPRA), under Section 1798.185(a)(15), provides for regulations requiring businesses to perform a risk assessment of processing activities that present significant risk to consumers' privacy or security.
This is a principle set forth in Article 5 of the GDPR. The principles listed in Article 5 are: Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.
A concept that refers to the physical or geographic location in which an organization's data is stored. Privacy and security professionals focus on the laws and regulatory requirements that apply to data because of the country or region in which it resides. When a business uses cloud services (IaaS, PaaS, or SaaS), it may not know its data's physical location, which creates data residency concerns when, for example, data about an EU resident is stored in a US-based cloud data center.
A Data Risk Assessment is the process of analyzing your organization's data to see how secure it currently is, and identify potential areas of improving its security controls.
Learn how data security safeguards digital information, cuts breach risk, and meets compliance in today's hybrid, cloud world.
Data security posture management (DSPM) provides the missing piece to complete most security teams' puzzles – a means of identifying, contextualizing, and protecting sensitive data.
A term that refers to the staggering amount and variety of data produced by businesses every day. This is largely due to the variety of enterprise software, mobile apps, storage systems, and data formats each company relies on.
A repository for storing, managing and distributing data sets on an enterprise level.
The individual that a piece or set of data pertains to.
The act of stealing information.
An acronym for Data Detection and Response: a class of security tooling that monitors how sensitive data is accessed, moved, and shared, and alerts or intervenes when that activity is anomalous or violates policy.
Defense Industrial Base (DIB) contractors are companies that conduct business with the US military and are part of the military-industrial complex responsible for research, production, delivery, and service.
An acronym for Data Loss Prevention (sometimes Data Leak Prevention): a class of security controls that prevents sensitive data, usually files or messages, from being shared outside the organization or with unauthorized individuals within it. DLP tools inspect content against policies (for example, patterns for card numbers or classification labels) and then block, quarantine, encrypt, or restrict sharing of matching data.
An acronym for Data Protection Officer: an individual within an organization tasked with advising the organization on GDPR compliance and acting as its contact point for the Data Protection Authority. Under Article 37 of the GDPR, appointing a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data.
Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management.
Electronic Lab Notebooks (Electronic Laboratory Notebook or ELN) is the digital form of a paper lab notebook.
Encryption is the process of converting plaintext into ciphertext so that only parties holding the right key can recover the information. Unencrypted (plaintext) data is data stored or transmitted without this protection. Encryption protects confidentiality; by itself it does not guarantee integrity, because an attacker who cannot read a ciphertext may still be able to modify it undetected. For that reason modern systems use authenticated encryption (for example, AES-GCM or ChaCha20-Poly1305), which combines encryption with an integrity check. Encryption is an important way for individuals and companies to protect sensitive information from unauthorized access; for example, websites transmit credit card and bank account numbers over TLS to prevent identity theft and fraud.
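To make the integrity point concrete, here is an added example (not code from the page) using a toy stream cipher built from SHA-256 so that it runs with the standard library alone. It shows an attacker flipping ciphertext bits to change a dollar amount without knowing the key, and then shows how an HMAC tag over the ciphertext (encrypt-then-MAC) rejects the same edit. The cipher construction, key and nonce values, and the message are assumptions for illustration; in production use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library rather than anything like this.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """XOR the plaintext with the keystream; this gives confidentiality only."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext, offset, old, new):
    """Attacker edit without the key: XORing the ciphertext with old^new turns the
    plaintext bytes `old` at `offset` into `new` (stream-cipher malleability)."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: an HMAC over nonce||ciphertext binds the message to its tag."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(enc_key, nonce, ct)


def demo():
    """Run the same edit against bare encryption and against the sealed form."""
    enc_key, mac_key = b"E" * 32, b"M" * 32      # assumed keys for illustration
    nonce = b"N" * NONCE_LEN                     # must be unique per message in practice
    msg = b"transfer $0100 to alice"
    offset = msg.index(b"0100")

    # Bare encryption: the edited ciphertext decrypts cleanly to a different amount.
    ct = encrypt(enc_key, nonce, msg)
    forged = decrypt(enc_key, nonce, tamper(ct, offset, b"0100", b"9900"))

    # Encrypt-then-MAC: the same edit is detected before anything is decrypted.
    blob = seal(enc_key, mac_key, nonce, msg)
    body = tamper(blob[NONCE_LEN:-TAG_LEN], offset, b"0100", b"9900")
    edited = blob[:NONCE_LEN] + body + blob[-TAG_LEN:]
    try:
        open_sealed(enc_key, mac_key, edited)
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    forged, detected = demo()
    print("bare encryption yields:", forged)
    print("tampering detected with MAC:", detected)
```

The attacker never learns the key or the keystream; they only need to know where the amount sits in the plaintext and what it currently says, which is often guessable for structured records. The MAC is computed over the ciphertext (not the plaintext) and checked with a constant-time compare before decryption, which is the ordering that avoids padding-oracle and timing problems in the authenticated case.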
An independent EU body established by the GDPR, made up of the heads of the EU member states' supervisory authorities and the European Data Protection Supervisor. The goal of the EDPB is to ensure consistent application of the GDPR across member states; it issues guidelines and binding decisions in cross-border cases but is not itself a supervisory authority.
The independent supervisory authority for the EU's own institutions, bodies, offices, and agencies. The European Data Protection Supervisor (EDPS) ensures those institutions respect data protection law when processing personal data and advises the EU on data protection policy and legislation; it does not supervise member states or private companies.
An adequacy arrangement adopted in 2016 to replace the EU-U.S. Safe Harbor agreement. The EU-U.S. Privacy Shield let participating organizations under the jurisdiction of the US Federal Trade Commission (or Department of Transportation) transfer personal data from the EU to the United States. The Court of Justice of the EU invalidated Privacy Shield in July 2020 (the Schrems II judgment); its successor, the EU-U.S. Data Privacy Framework, received an adequacy decision in July 2023.
Where the result of a query, algorithm, or search registers a match only when the compared values are identical (a 100% match).
The unauthorized transfer of data off of a computer or network.
A false positive is an alert that incorrectly indicates a vulnerability exists or malicious activity is occurring. These false positives add a substantial number of alerts that need to be evaluated, increasing the noise level for security teams.
An unsupervised learning method whereby a series of files is divided into multiple groups, so that the grouped files are more similar to the files in their own group and less similar to those in the other groups.
The Financial Industry Regulatory Authority (FINRA) is a self-regulatory organization, authorized by Congress, that oversees US broker-dealers in order to protect investors and ensure market integrity.
Where the score of a result can fall anywhere from 0 to 100, based on the degree to which the search value and the file data value match; a threshold (for example, 85) then decides what counts as a hit.
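An added example (not from the page) contrasting the exact-match and fuzzy-match entries above: exact match is a plain equality test, while the fuzzy score is computed here as 100 times one minus the Levenshtein edit distance divided by the longer string's length, so one typo in a ten-character name still scores 90. The scoring formula, the 85 threshold, and the record names are assumptions for illustration; real discovery engines use their own scoring.

```python
def exact_match(query, value):
    """Registers a hit only when the two values are identical."""
    return query == value


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions, and substitutions
    that turn a into b (classic dynamic-programming version, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def fuzzy_score(query, value):
    """0-100 similarity: 100 means identical, 0 means nothing in common."""
    if not query and not value:
        return 100
    longest = max(len(query), len(value))
    return round(100 * (1 - levenshtein(query, value) / longest))


def fuzzy_match(query, value, threshold=85):
    """Registers a hit when the score reaches the threshold (85 is an assumption)."""
    return fuzzy_score(query, value) >= threshold


def search(query, records, threshold=85):
    """Return (record, score, kind) for each matching record, best scores first."""
    hits = []
    for rec in records:
        if exact_match(query, rec):
            hits.append((rec, 100, "exact"))
        elif fuzzy_match(query, rec, threshold):
            hits.append((rec, fuzzy_score(query, rec), "fuzzy"))
    return sorted(hits, key=lambda h: -h[1])


# Constructed customer names; the misspellings are deliberate.
RECORDS = ["John Smith", "Jon Smith", "John Smyth", "Johnathan Smith", "Jane Doe"]

if __name__ == "__main__":
    for hit in search("John Smith", RECORDS):
        print(hit)
```

"Johnathan Smith" scores 67 and drops below the threshold even though a human would call it a likely match, which is the trade-off the threshold encodes: lower it and recall goes up along with the false positives a reviewer has to clear. Exact matching, by contrast, misses every one of the misspelled records, which is why discovery tooling for names, addresses, and free-text identifiers leans on fuzzy scoring while identifiers with a fixed format (card numbers, SSNs) are matched exactly and then validated.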
The General Data Protection Regulation (GDPR) is a European Union regulation that requires organizations to provide protection, transparency, and accountability for the personal data of individuals in the EU, wherever the organization itself is based. Adopted in April 2016, the GDPR became effective on May 25, 2018.
Ghost data in cybersecurity refers to data that still exists within a database or storage system but is no longer actively used and is often unknown to the teams responsible for it, such as old backups, snapshots, or copies left behind by decommissioned data stores.
The Gramm-Leach-Bliley Act (GLBA) compels financial institutions to secure and provide transparency of nonpublic personal information (NPI).
A Federal Trade Commission rule requiring vendors of personal health records to notify consumers following a breach involving unsecured information. And if a service provider to such a vendor is breached, they must notify the vendor. The rule also stipulates an exact timeline and method by which these public notifications must be made.
An acronym for the Health Insurance Portability and Accountability Act, a US law that sets national standards for the privacy and security of protected health information (PHI), including electronic health records. HIPAA permits covered entities to use and disclose PHI for treatment, payment, and health care operations, and requires the patient's written authorization for most other disclosures.
An acronym for the Health Information Technology for Economic and Clinical Health Act. This is an American law enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH aims to build on the healthcare security and privacy requirements set forth by HIPAA. HITECH does so by adding tiered monetary penalties for noncompliance, as well as the requirement for breach notifications.
Incident response (sometimes called data incident response) refers to an organization's processes and technologies for detecting and responding to cyber threats, security breaches, or cyberattacks. A formal incident response plan enables security teams to limit or prevent damage. Incident response capabilities are often integrated with a data security platform that provides automated discovery, classification, risk assessment, and remediation, so that responders know which sensitive data an incident touched.
The directives, rules, regulations, and best practices that an organization follows to manage and secure information.
Any individual with legitimate access to an organization's networks or resources who could use that access, deliberately or through negligence, to exploit the organization's security weaknesses or steal data.
The assurance that information has not been changed and that it is accurate and complete. The GDPR requires data controllers and processors to implement measures that protect the integrity and confidentiality of personal data.
Learn what the Investigatory Powers Act is, why it matters, and how it impacts data security, privacy, and compliance.
Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties typically using encryption and permission management.
The international standard for managing information security, first published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and revised in 2013 and 2022. It specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), in order to help organizations make their information assets more secure.
Misplaced data occurs when any data moves from an approved environment to an unapproved environment.
In data security or privacy terms, this is the breach of a legal duty to protect personal information.
An acronym for the National Institute of Standards and Technology. NIST is a unit of the US Commerce Department tasked with promoting and maintaining measurement standards. NIST leads the development and issuance of security standards and guidelines for the federal government.
Notice at Collection is a transparency requirement that compels businesses to inform consumers, at or before the point of collection, about the categories of personal information (PI) they collect and the purposes for which they will be used.
An acronym for nonpublic personal information, the category of consumer financial data protected under the GLBA.
NYDFS is an acronym for the New York Department of Financial Services, whose cybersecurity regulation (23 NYCRR Part 500) applies to the financial institutions it licenses.
Sensitive information replaced with arbitrary data that resembles true production data, rendering it useless to attackers. Masking is most frequently used in test or development environments, where realistic data is needed to build and test software but developers have no need to see the real values.
When an individual makes an active indication of choice, such as checking a box indicating willingness to share information with third parties.
Either an explicit request for a user to no longer share information or receive updates from an organization, or a lack of action that implies that the choice has been made, such as when a person does not uncheck a box indicating willingness to share information with third parties.
Any data collection technique that gathers information automatically, with or without the end user’s knowledge.
An acronym for the Payment Card Industry Data Security Standard, a set of security requirements maintained by the PCI Security Standards Council for any organization that stores, processes, or transmits cardholder data (credit, debit, and prepaid cards), intended to protect cardholders against misuse of their card and personal information.
Protected health information (PHI) is a distinct category of sensitive data that is intimately linked to an individual's health and healthcare services.
Personally identifiable information (PII) refers to any information that can be used to identify an individual directly or indirectly.
Learn what PSD2 compliance is, why it matters, and how businesses can meet regulatory requirements for secure online payments and open banking.
Purpose limitation (or data use limitation) requires that businesses limit the use of personal information (PI) to the purposes for which it was collected. The GDPR's version of the principle (Article 5(1)(b)) allows further processing only where the new purpose is compatible with the original one, or for archiving, research, or statistical purposes.
A type of malware that encrypts the files on an endpoint device using keys that only the attacker holds, then demands payment for the decryption key. Paying does not guarantee recovery, and many ransomware groups also exfiltrate data before encrypting it so they can threaten to publish it (double extortion). Offline, tested backups remain the primary recovery control.
The idea that organizations should only retain information as long as it is pertinent.
An individual’s right to request and receive their personal data from a business or other organization.
An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.
The "right to be informed" is a transparency requirement that compels businesses to inform data subjects, at the time of collection, about the personal data collected, the purpose of processing, the retention period, and who the personal data will be shared with.
The right for individuals to correct or amend information about themselves that is inaccurate.
In cybersecurity, a risk assessment is a comprehensive analysis of an organization to identify vulnerabilities and threats. The goal of a risk assessment is to identify an organization’s risks and make recommendations for mitigating those risks.
The Sarbanes-Oxley Act (SOX) is a US federal law designed to improve financial transparency and accountability for public companies. Enacted in 2002 in response to several well-publicized accounting scandals, it establishes auditing, financial reporting, and internal control standards for publicly traded companies; its Section 404 requirements are the reason IT controls over financial systems are audited.
Any information that is protected against unwarranted disclosure for legal, ethical, privacy, financial, or other reasons. This can include, but is not limited to, health data, personal information, and confidential business data such as trade secrets.
Sensitive data discovery and classification is a process used to identify and categorize sensitive or confidential information within an organization's digital assets.
Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. According to NIST, sensitive information is information whose loss, misuse, unauthorized access, or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. The GDPR's equivalent is the "special categories" of personal data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. Businesses must apply the highest level of security to this data.
Sensitive personally identifiable information (SPII) is a subset of PII, but with heightened significance and risks.
Any unapproved cloud-based account or solution implemented by an employee for business use. It might also include the use of an unknown account with an approved provider, but administered by the user rather than corporate IT.
An unapproved cloud application that is connected in some way (typically by API) to that organization's SaaS or IaaS with access to corporate data but without permission from the organization.
Stale data is data collected that is no longer needed by an organization for daily operations. Sometimes the data collected was never needed at all. Most organizations store a significant amount of stale data.
Data in a standardized format with a well-defined structure that is easily readable by humans and programs; most structured data is stored in a database. Though structured data is commonly estimated to be only about 20 percent of data stored worldwide, its accessibility and the accuracy of results derived from it make it the foundation of current big data research and applications.
Tokenization entails the substitution of sensitive data with a non-sensitive equivalent, known as a token. The token maps back to the original value only through the tokenization system (the token vault), which makes tokens practically impossible to reverse without access to that system. Many such systems use random values rather than a mathematical transformation to produce tokens, so a token leaks nothing about the original. Tokenization is often used to secure financial records, bank accounts, medical records, and many other forms of personally identifiable information (PII).
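An added example (not from the page) that puts the data masking entry and the tokenization entry above side by side: masking produces a format-preserving fake that cannot be reversed, while vault-based tokenization issues a random token that maps back to the original only through the vault. The in-memory dictionary vault, the `tok_` token format, and the sample card number are assumptions for illustration; a production vault is a hardened, access-controlled service, and the 4111 number is the standard Visa test value, not a real card.

```python
import secrets
import string


def mask_partial(value, visible=4, mask_char="*"):
    """Irreversible: keep only the last `visible` digits and mask the rest,
    the form used on receipts and in support screens."""
    digits = [c for c in value if c.isdigit()]
    return mask_char * max(len(digits) - visible, 0) + "".join(digits[-visible:])


def mask_synthetic(value):
    """Irreversible, format-preserving: replace every digit with a random digit and
    every letter with a random letter of the same case; keep separators. Suitable
    for seeding a test database with realistic-looking but fake values."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Vault-based tokenization: tokens are random, so they carry no information
    about the original; the mapping lives only inside the vault."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        """Return the existing token for a value, or mint a fresh random one."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)   # assumed token format
            if token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        """Reverse a token; only callers with access to the vault can do this."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token") from None


def same_shape(original, candidate):
    """True when candidate preserves the digit/letter/case/separator layout of original."""
    return len(original) == len(candidate) and all(
        (x.isdigit(), x.isalpha(), x.isupper()) == (y.isdigit(), y.isalpha(), y.isupper())
        for x, y in zip(original, candidate)
    )


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"          # constructed input: standard Visa test number
    print("partial mask :", mask_partial(pan))
    print("synthetic    :", mask_synthetic(pan))
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("token        :", token, "->", vault.detokenize(token))
```

The difference that matters for scoping: a masked or synthetic value can go anywhere, because nothing recovers the original from it; a token is only as safe as the vault, so the vault (and the service that calls `detokenize`) stays inside the protected environment while downstream systems work on tokens alone. Handing the same value the same token on repeat calls keeps joins and lookups working on the tokenized side without revealing anything beyond equality.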
Understand UK GDPR and the Data Protection Act 2018, key obligations, data rights, and how to ensure compliance in the UK post-Brexit.
Unmanaged data stores are deployments that must be fully operated by development or infrastructure teams, without the assistance of the cloud service provider. Teams may take on this additional burden to comply with data sovereignty requirements, to meet private network or firewall requirements for security purposes, or because their resource needs exceed the provider's database-as-a-service (DBaaS) size or IOPS limits. Because no provider manages them, these stores are frequently missed by inventory and posture tooling.
Data lacking a pre-defined model of organization or that does not follow one. Such data is often text-heavy, but can also include facts, figures and time and date information. The resulting irregularities and ambiguities make unstructured data much harder for programs to understand than data stored in databases with fields or documents with annotations. Many estimates claim unstructured data comprises the vast majority of global data, and that this category of data is growing rapidly.
A vulnerability is a weakness that could be exploited or triggered by a threat source in internal controls, procedures for systems security, an information system, or implementation. A weakness is synonymous with deficiency and may result in security or privacy risks or both.
AI governance defines the policies, frameworks, and accountability structures that guide how AI systems are built, used, and monitored across the enterprise. It connects risk management, compliance, and AI Data Security into a single operating model that teams can apply consistently, even as AI tools and use cases change.
Learn what AI security compliance means in 2025. Discover key frameworks like the EU AI Act and NIST AI RMF, implementation strategies, and enforcement risks.
As AI becomes a bigger part of how companies operate, it also brings new risks. Sensitive data, complex models, and automated decision systems can all create blind spots that traditional security tools are not designed to catch.
Learn what AI threat detection is and how it identifies prompt injection, model poisoning, and data extraction attacks targeting AI systems.
Learn what AI TRiSM is, Gartner's framework for AI trust, risk, and security management, its four pillars, and how to implement it for responsible AI adoption.
Learn what prompt injection is, how attackers exploit LLMs through direct and indirect attacks, real-world examples, and enterprise defense strategies.
Shadow AI is the unauthorized use of AI tools within a work environment, and it carries a measurable price tag. According to IBM's 2025 Cost of a Data Breach Report, organizations with high levels of shadow AI saw breach costs an average of $670,000 higher than organizations with low or no shadow AI.