Anonymity - e.g. blurring faces in a photo | Approvals
Audit Trail - recording information such as who does what | Audits
Authentication - validating identity | Authorization - requiring permission to do things |
Automated Controls - systems that implement rules to reduce risk | Backups - backing things up to avoid loss |
Bulkhead - a structure that limits damage to some area | Change control - controlling change to systems |
Checklists | Chinese Wall - implementing separate information environments |
Continuous Improvement - a process for improving a process | Cryptography - making things secure with encryption |
Deletion - deleting and wiping data that is not required | Diversification - investing resources in more than one place e.g. 50 geographically distributed data centers versus one big one |
Due Diligence - investigating things with clear accountability for this investigation | Duplication - securing multiple instances of a critical resource |
Engineering Controls - engineering such as an air purification system that reduces health risks | Equipment - e.g. safety equipment |
Error Tolerance - designing things to continue to function when there is an error | Fail-safe - a mechanism that reduces the impact of failure e.g. traffic lights that blink when they are offline |
Four Eyes Principle - having two people conduct an activity | Governance - e.g. a board of directors |
Information Security - securing digital resources | Inspections
Know Your Customer - validation of customer identity / data | Latent Human Error - designing things to prevent human error |
Least Privilege - not giving away authority / information beyond what is required | Maintenance
Non-repudiation - proof of a transaction | Oversight Bodies - authorities that monitor authorities |
Performance Management - risk can't be controlled without holding people accountable / rewarding performance | Physical Security - securing physical environments such as a sidewalk or office |
Policies | Principles - such as safety principles on a production line |
Procedures | Reliability Engineering - designing things not to fail |
Resilience - designing things to be resistant to stresses | Reviews
Risk Elimination - completely removing / avoiding a risk | Risk Identification - the process of regularly identifying risks |
Risk Measurement | Risk Monitoring - the process of checking if risks are occurring / being controlled |
Risk Responses - planning to avoid / mitigate / transfer risk | Risk Sharing - sharing risk with others to reduce its impact/probability |
Risk Transfer - e.g. insurance that transfers risk for a fee | Risk Treatment - another term for risk responses such as mitigating risk |
Roles & Responsibilities - making it clear who is accountable / responsible | Rules
Self-destruct - the ability to destroy something that is lost / compromised | Separation of Duties - structuring responsibilities to prevent a single point of failure |
Testing | Training
User Input Validation