  • Access control

    Certifying that only authorized access is given to assets (both physical and electronic). For physical assets, access control may be required for a facility or restricted area (e.g. screening visitors and materials at entry points, escorting visitors). For IT assets, access controls may be required for networks, systems, and information (e.g. restricting users on specific systems, limiting account privileges).

  • Administrative privileges

    The permissions that allow a user to perform certain functions on a system or network, such as installing software and changing configuration settings.

  • Allow list

    An access control list that identifies who or what is allowed access, in order to provide protection from harm.

  • Anti-virus software

    Software that defends against viruses, Trojans, worms, and spyware. Anti-virus software uses a scanner to identify programs that may be malicious. Scanners can detect known viruses, previously unknown viruses, and suspicious files.

  • Artificial intelligence

    A subfield of computer science that develops intelligent computer programs to behave in a way that would be considered intelligent if observed in a human (e.g. solve problems, learn from experience, understand language, interpret visual scenes).

  • Asymmetric key

    Two related keys (a public key and a private key) that perform complementary operations, such as encrypt and decrypt or generate signatures.

  • Authentication

    A process or measure used to verify a user's identity.

  • Authorization

    Access privileges granted to a user, program, or process.

  • Availability

    The ability for the right people to access the right information or systems when needed. Availability is applied to information assets, software, and hardware (infrastructure and its components). Implied in its definition is that availability includes the protection of assets from unauthorized access and compromise.


  • Backdoor

    An undocumented, private, or less-detectable way of gaining remote access to a computer, bypassing authentication measures, and obtaining access to plaintext.

  • Baseline security controls

    The minimum mandatory protective mechanisms outlined by Treasury Board of Canada Secretariat (TBS) policy instruments to be used in interdepartmental IT security functions and information systems.

  • Beaconing

    A common technique in which a threat actor uses malware to connect infrastructure to another system or network, bypassing firewall restrictions on incoming traffic.

  • Blockchain

    A blockchain is a write-only database, dispersed over a network of interconnected computers, that uses cryptography to create a tamper-proof public record of transactions. Because blockchain technology is transparent, secure and decentralized, a central actor cannot alter the public record.

  • Browser-based exploitation

    A misuse of legitimate browser components to execute malicious code. Simply visiting a website with hidden malicious code can result in exploitation.

  • BEC Scam (Business Email Compromise)

    A scam in which the scammer targets a victim by pretending to be someone of authority (typically a boss, finance, IT, or HR department). They attempt to gain access to information, or get an intermediary victim to direct funds, gift cards, etc., to rip off an organization.


  • Cloud computing

    The use of remote servers hosted on the Internet. Cloud computing allows users to access a shared pool of computing resources (such as networks, servers, applications, or services) on demand and from anywhere. Users access these resources via a computer network instead of storing and maintaining all resources on their local computer.

  • Compromise

    The intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability.

  • Confidentiality

    The ability to protect sensitive information from being accessed by unauthorized people.

  • Critical infrastructure

    Processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.

  • Cryptography

    The study of techniques used to make plain information unreadable, as well as to convert it back to a readable form.

  • Cyber attack

    The use of electronic means to interrupt, manipulate, destroy, or gain unauthorized access to a computer system, network, or device.

  • Cyber incident

    Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.

  • Cyber threat

    A threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries.


  • Data Loss

    When data is lost through a system failure, a ransomware attack, destructive viruses, fire, or flood.

  • Data Theft

    When data is stolen through insider or outsider actions. Examples are hacking with remote exfiltration, unauthorized copying of data via USB or other external devices, unauthorized copying of data to cloud services, unauthorized emailing of data, stolen devices or servers, as well as other techniques.

  • Denial-of-Service attack

    Any activity that makes a service unavailable for use by legitimate users, or that delays system operations and functions.

  • Deny list

    An access control list, typically handled by an IT administrator, used to deny specific items (e.g. applications, email addresses, domain names, IP addresses) known to be harmful.

  • Detection

    The monitoring and analyzing of system events in order to identify unauthorized attempts to access system resources.

  • Digital signature

    A cryptologic mechanism used to validate an item's (e.g. document, software) authenticity and integrity.


  • Encryption

    Converting information from one form to another to hide its content and prevent unauthorized access. Encryption makes data unreadable unless you have a special key (long password) to descramble it.

  • End-to-end encryption

    A confidentiality service provided by encrypting data at the source end-system, with corresponding decryption occurring only at the destination end-system.

  • End-user systems

    End systems for human use, such as a desktop with a personal computer (display, keyboard, mouse, and operating system).

  • Exfiltration

    The unauthorized removal of data or files from a system by an intruder.


  • Firewall

    A security barrier placed between two networks that controls the amount and kinds of traffic that may pass between the two. This protects local system resources from being accessed from the outside.


  • Gateway

    An intermediate system that is the interface between two computer networks. A gateway can be a server, firewall, router, or other device that enables data to flow through a network.


  • Hacker

    Someone who uses computers and the internet to access computers and servers without permission.

  • HIC (Health Information Custodian)

    A person whose primary function is to provide health care for payment. Examples of health care practitioners include: doctors, nurses, audiologists and speech-language pathologists, chiropractors, chiropodists, dental professionals, dieticians, medical radiation technologists, medical laboratory technologists, massage therapists, midwives, optometrists, occupational therapists, opticians, pharmacists, physiotherapists, psychologists and respiratory therapists… Health care is any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that is carried out or provided:

      • to diagnose, treat or maintain an individual’s physical or mental condition;
      • to prevent disease or injury or to promote health; or
      • as part of palliative care.


  • IPC - Information Privacy Commissioner

    Federally and provincially there are Offices of the Privacy Commissioner. These offices set out and govern the different privacy laws either federally, or by province, sector, and industry.

  • Integrity

    The ability to protect information from being modified or deleted unintentionally or when it’s not supposed to be. Integrity helps determine that information is what it claims to be. Integrity also applies to business processes, software application logic, hardware, and personnel.

  • Internet-of-things

    The network of everyday web-enabled devices that are capable of connecting and exchanging information between each other.

  • Intrusion detection

    A security service that monitors and analyzes network or system events to warn of unauthorized access attempts. The findings are provided in real-time (or near real-time).

  • IT asset

    The components of an information system, including business applications, data, hardware, and software.

  • IT threat

    Any potential event or act (deliberate or accidental) or natural hazard that could compromise IT assets.


  • Key management

    The procedures and mechanisms for generating, disseminating, replacing, storing, archiving, and destroying cryptographic keys.

  • Keystroke logger

    Software or hardware designed to capture a user's keystrokes on a compromised system. The keystrokes are stored or transmitted so that they may be used to collect valued information.


  • Least privilege

    The principle of giving an individual only the set of privileges that are essential to performing authorized tasks. This principle limits the damage that can result from the accidental, incorrect, or unauthorized use of an information system.


  • Malware

    Malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.

  • Management security control

    A security control that focuses on the management of IT security and IT security risks.

  • Multi-factor authentication

    A tactic that can add an additional layer of security to your devices and accounts. Multi-factor authentication requires additional verification (like a PIN or fingerprint) to access your devices or accounts. Two-factor authentication is a type of multi-factor authentication.


  • Overwrite

    To write or copy new data over existing data. The data that was overwritten cannot be retrieved.


  • Perimeter

    The boundary between two network security zones through which traffic is routed.

  • Phishing

    An attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts.

  • Plaintext

    Unencrypted information.

  • Privacy Officer

    The privacy administrator is responsible for safeguarding patient confidentiality at a clinic or hospital. Under regulations of applicable privacy laws and/or college guidelines, the privacy officer oversees institutional privacy policies, procedures, and rules.


  • Quantum computing

    A quantum computer can process a vast number of calculations simultaneously. Whereas a classical computer works with ones and zeros, a quantum computer will have the advantage of using ones, zeros and “superpositions” of ones and zeros. Certain difficult tasks that have long been thought impossible for classical computers will be achieved quickly and efficiently by a quantum computer.


  • Ransomware

    A type of malware that denies a user's access to a system or data until a sum of money is paid.

  • Redaction

    A form of data sanitization (making unreadable) for selected data-file elements (not to be confused with media sanitization, which addresses all data on media).

  • Remote exploitation

    Exploitation of a victim computer by sending specially crafted commands from a remote network to a service running on that computer to manipulate it for the purpose of gaining access or information.

  • Risk level

    The degree of risk (e.g. high, medium, low).


  • Sanitize

    Sanitization is a process through which data is irreversibly removed from media. The storage media is left in a re-usable condition in accordance with IT security policy, but the data that was previously on it cannot be recovered or accessed.

  • Secure destruction

    The destruction of information assets through one or more approved methods, carried out alone or in combination with erasing, to ensure that information cannot be retrieved.

  • Secure erasure

    A digital sanitization process that uses tools and industry-standard commands (e.g. ATA security erase) to erase all accessible memory locations of a data storage device.

  • Security control

    A management, operational, or technical high-level security requirement needed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls can be applied by using a variety of security solutions that can include security products, security policies, security practices, and security procedures.

  • Security Officer (Information Security Officer)

    The information security officer (data protection officer) is responsible for safeguarding patient data and systems at a clinic or hospital. Under regulations of applicable privacy laws and/or college guidelines, the privacy officer oversees institutional privacy policies, procedures, and rules.

  • Smishing

    Smishing is phishing via text message. Cyber criminals will send texts with links, or try to get the victim to reply, in the hope of somehow exploiting them.

  • Social engineering

    The practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or internet to trick people into revealing sensitive information. For example, phishing is a type of social engineering.

  • Spear phishing

    The use of spoofed emails to persuade people within an organization to reveal their usernames or passwords. Unlike phishing, which involves mass mailing, spear phishing is small-scale and well targeted.


  • Threat and risk assessment

    A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats.

  • Threat event

    An actual incident in which a threat agent exploits a vulnerability of an IT asset of value.

  • TRA

    See threat and risk assessment.

  • Trojan

    A malicious program that is disguised as or embedded within legitimate software.

  • Two-factor authentication

    A type of multi-factor authentication used to confirm the identity of a user. Authentication is validated by using a combination of two different factors including: something you know (e.g. a password), something you have (e.g. a physical token), or something you are (a biometric).

  • Two-step verification

    A process requiring two different authentication methods, which are applied one after the other, to access a specific device or system. Unlike two-factor authentication, two-step verification can be of the same type (e.g. two passwords, two physical keys, or two biometrics). Also known as Two-step authentication.


  • Unpatched application

    A supported application that does not have the latest security updates and/or patches installed.


  • Virtual private network

    A private communications network usually used within a company, or by several different companies or organisations to communicate over a wider network. VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN.

  • Virus

    A computer program that can spread by making copies of itself. Computer viruses spread from one computer to another, usually without the knowledge of the user. Viruses can have harmful effects, ranging from displaying irritating messages to stealing data or giving other users control over the infected computer.

  • VPN

    See virtual private network.

  • Vulnerability

    A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations.

  • Vulnerability assessment

    A process to determine existing weaknesses or gaps in an information system's protection efforts.


  • Worm

    A malicious program that executes independently and self-replicates, usually through network connections, to cause damage (e.g. deleting files, sending documents via email, or taking up bandwidth).


  • Zero day

    A zero-day vulnerability is a software vulnerability that is not yet known by the vendor, and therefore has not been mitigated. A zero-day exploit is an attack directed at a zero-day vulnerability.