These articles and videos are provided as general guidance for all site visitors.
We provide more specific guidance, tools and training materials for our clients.
This is a glossary of useful terms you may come across on this site and in material about cyber security, information governance, data protection and privacy. Some of the terms are specific to the health and social care sector and the NHS; these generally have blue headings.
Some of this material is derived from the NCSC glossary of terms and is reproduced under the Open Government Licence.
Software that is designed to detect, stop and remove viruses and other kinds of malicious software.
Short for Application. Typically refers to a software program for a smartphone or tablet although programs on personal computers are sometimes also referred to as apps.
Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the outcome.
The process of determining if someone (or something) is who (or what) it claims to be. This is used to ensure that only the right people have access to the digital assets they are entitled to have access to.
A network of infected devices, connected to the Internet, used to commit coordinated cyber attacks without their owner's knowledge.
An incident in which data, computer systems or networks are accessed or affected in a non-authorised way.
A software application which presents information and services from the web.
brute force attack
Using computational power to automatically try a huge number of combinations of values, usually in order to discover passwords and gain access.
bring your own device (BYOD)
An organisation's strategy or policy that allows employees to use their own personal devices for work purposes.
In the Health and Care sector, a senior member of staff who is responsible for ensuring confidentiality and proper use of patient/client data.
A form of digital identity for a computer, user or organisation to allow the authentication and secure exchange of information.
Where shared compute and storage resources are accessed as a service (usually online), instead of being hosted locally on physical servers. Resources can include infrastructure, platform or software services.
A user's authentication information used to verify identity - typically one or more of a password, token or certificate.
Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.
A breach of the security rules for a system or service - most commonly:
- Attempts to gain unauthorised access to a system and/or to data
- Unauthorised use of systems for the processing or storing of data
- Changes to a system's firmware, software or hardware without the system owner's consent
- Malicious disruption and/or denial of service
The protection of devices, services and networks - and the information on them - from theft or damage.
data at rest
Describes data in persistent storage such as hard disks, removable media or backups.
data in motion
Describes data in transit between sites.
Data Security & Protection Toolkit
An NHS assurance tool that organisations processing NHS patient data must use to assert their level of compliance with data protection law and NHS regulations.
A digital asset is anything that exists in a binary format and comes with the right to use. Data that do not possess that right are not considered assets. Digital assets include but are not exclusive to: digital documents, audible content, motion picture, and other relevant digital data that are currently in circulation or are, or will be stored on digital appliances such as: personal computers, laptops, portable media players, tablets, storage devices, telecommunication devices, and any and all apparatuses which are, or will be in existence once technology progresses to accommodate for the conception of new modalities which would be able to carry digital assets; notwithstanding the proprietorship of the physical device onto which the digital asset is located.
A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their guesses.
A 'footprint' of digital information that a user's online activity leaves behind.
denial of service (DoS)
When legitimate users are denied access to computer services (or resources), usually by overloading the service with requests.
The unintentional installation of malicious software or a virus onto a device without the user's knowledge or consent. May also be known as a drive-by download.
A mathematical function that protects information by making it unreadable by everyone except those with the key to decode it.
end user device (EUD)
Collective term to describe modern smartphones, laptops and tablets that connect to an organisation's network.
May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.
Hardware or software which uses a defined rule set to constrain network traffic to prevent unauthorised access to or from a network.
General Data Protection Regulation, 2016. EU law that regulates data protection and privacy. Came into force on 25th May 2018 and was accompanied in the UK by the Data Protection Act, 2018.
In mainstream use as being someone with some computer skills who uses them to break into computers, systems and networks.
Decoy system or network to attract potential attackers that helps limit access to actual systems by detecting and deflecting or learning from an attack. Multiple honeypots form a honeynet.
A breach of the security rules for a system or service, such as:
- attempts to gain unauthorised access to a system and/or data
- unauthorised use of systems for the processing or storing of data
- changes to a system's firmware, software or hardware without the system owner's consent
- malicious disruption and/or denial of service
Information Governance Toolkit
NHS assurance toolkit, replaced in 2018 by the Data Security & Protection Toolkit (qv).
The potential for damage to be done maliciously or inadvertently by a legitimate user with privileged access to systems, networks or data.
Internet of things (IoT)
Refers to the ability of everyday objects (rather than computers and devices) to connect to the Internet. Examples include kettles, fridges and televisions.
A small program that can automate tasks in applications (such as Microsoft Office) which attackers can use to gain access to (or harm) a system.
Using online advertising as a delivery method for malware.
Malicious software - a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.
Steps that organisations and individuals can take to minimise and address risks.
Two or more computers linked in order to share resources.
Applying updates to firmware or software to improve security and/or enhance functionality.
Short for penetration test. An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.
An attack on network infrastructure that results in a user being redirected to an illegitimate website despite the user having entered the correct address.
Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.
The basic hardware (device) and software (operating system) on which applications can be run.
Malicious software that makes data or systems unusable until the victim makes a payment.
A network device which sends data packets from one network to another based on the destination address. May also be called a gateway.
software as a service (SaaS)
Describes a business model where consumers access centrally-hosted software applications over the Internet.
Using electronic or physical destruction methods to securely erase or remove data from memory.
SIRO (Senior Information Risk Officer)
Senior person in an organisation responsible for managing information risk to information assets.
Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.
Manipulating people into carrying out specific actions, or divulging information, that's of use to an attacker.
A more targeted form of phishing, where the email is designed to look like it's from a person the recipient knows and/or trusts.
A type of malware or virus disguised as legitimate software, that is used to hack into the victim's computer.
two-factor authentication (2FA)
The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.
Programs which can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.
Virtual Private Network (VPN)
An encrypted network often created to allow secure connections for remote users, for example in an organisation with offices in multiple locations.
A weakness, or flaw, in software, a system or process. An attacker may seek to exploit a vulnerability to gain unauthorised access to a system.
water-holing (watering hole attack)
Setting up a fake website (or compromising a real one) in order to exploit visiting users.
Highly targeted phishing attacks (masquerading as legitimate emails) that are aimed at senior executives.
Authorising approved applications for use within organisations in order to protect systems from potentially harmful applications.
Recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that hackers can exploit.
This is the tool used by the NHS to assure itself that its organisations, and those it works with, have secure and legally compliant systems and processes for handling the large amount of sensitive personal data that they deal with daily.
Guidance relating to information security, security incidents etc.
This introductory video is aimed at a general audience including small businesses and individuals. It is intended to raise awareness and signpost the audience to further advice and guidance. It does not set out to provide in-depth training or tailored advice, does not come with any support and never provides any specific legal advice.
Cyber crime is costing UK businesses an estimated £30 billion every year, and rising. Cyber breaches can have devastating effects, and could even lead to the closure of your business. It's never been more important to make cyber security a priority.
This free video contains essential cyber security awareness material and tips for staff in small and medium enterprises. Lessons are taken largely from public source material.
Guidance relating to information governance, with particular reference to best practice in the NHS.
Information governance includes the concept of CIA: confidentiality, integrity, and availability. The absence of any of these three concepts undermines the proper practice of information governance policies.
Confidentiality is the prevention of information disclosure to unauthorised individuals or systems. If information governance policies did not adequately maintain the confidentiality of research and development files, and these files were to be accessed by a rival company, the loss of confidential information would have a negative effect on the company.
Integrity ensures that the information has not been altered and is recorded and stored accurately. Easily gaining access to information is not of any value if the information in question is not what it should have been. In the interest of saving money on the cost of storage, a company would never consider randomly deleting sections of documents. Ensuring information integrity is crucial to supporting information governance.
Availability is the ability to access information when it is needed. If an organizational leader needs information for a shareholders meeting, but cannot access the files, the availability of this information is too low and will undoubtedly have a negative impact on the perception by the shareholders. If the availability of information is so low that the people who need it cannot access it, the information cannot properly serve its purpose. Information, no matter how valuable, is essentially worthless if it cannot be used to carry out tasks for which it is needed.
All three aspects of CIA must work together to achieve the necessary balance for information governance to function in the sought-after fashion. Too much or too little of any of these attributes will cause information governance to fail. Businesses should therefore apply these concepts on a case-by-case basis. Within the corporate structure, various documents may call for various levels of security. Research and development may be guarded more securely than lesser administrative functions like plans for company fire drills. Elements of CIA will need to be applied to all aspects of information, but it is up to the organization’s leaders to decide upon where and how much.
Information governance has long been an important field within the NHS due to the large-scale processing of sensitive personal data that the largest health organisation in the world undertakes.