APRA
Australian Prudential Regulation Authority (APRA) is an independent statutory authority and Australia’s prudential regulator, responsible for supervising banks, insurance companies, and most superannuation funds to ensure financial stability and protect depositors, policyholders, and members. It mandates that institutions manage risks safely to meet their financial promises.
ASLR
Address Space Layout Randomization (ASLR) is a security technique that randomizes the memory locations of key data areas—stack, heap, and shared libraries—each time a process starts. Because the addresses are unpredictable from one run to the next, an attacker can no longer rely on hard-coded locations to redirect execution, which makes buffer-overflow and return-oriented programming (ROP) exploits far less reliable; ASLR is most effective when combined with other mitigations such as non-executable memory (NX/DEP), since a single address leak can undo the randomization for that process.
ASVS
OWASP Application Security Verification Standard (ASVS) is a comprehensive, community-driven framework providing a structured list of requirements and test cases to verify the security of web applications and APIs. It acts as a guide for developers building secure software and as a checklist for security professionals conducting testing.
ATT&CK
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a globally accessible, free knowledge base of adversary tactics and techniques based on real-world observations of attacker behavior. It is organized as a structured matrix that models the “how” and “why” of cyberattacks, with a focus on post-compromise behavior, and is widely used to build detections and assess defensive coverage.
BGDPL
Brazilian General Data Protection Law (BGDPL), Law No. 13.709, effective since August 2020, regulates the processing of personal data to protect individuals’ right to privacy, mirroring the EU’s GDPR. It applies to any data processing carried out within Brazil or involving data collected from individuals in Brazil.
CAPEC
Common Attack Pattern Enumeration and Classification (CAPEC) is a comprehensive dictionary and classification taxonomy of known attacker techniques, patterns, and methodologies maintained by The MITRE Corporation. It helps security professionals understand how adversaries exploit software weaknesses (CWE) so that defenses can be strengthened, with more than 550 patterns covering various domains, including SQL injection (CAPEC-66), XSS (CAPEC-63), and buffer overflows (CAPEC-100).
CSAF
Common Security Advisory Framework (CSAF), currently at version 2.0, is an open-standard, machine-readable JSON format for creating and sharing security advisories about software and hardware vulnerabilities. It enables automated processing of security notifications, allowing organizations to identify, analyze, and remediate vulnerabilities without the slow, manual analysis of PDF or HTML advisories.
CIS
Center for Internet Security (CIS) is a nonprofit organization dedicated to improving public and private sector cybersecurity through community-driven best practices, such as the widely used CIS Critical Security Controls and CIS Benchmarks. It provides trusted security resources—including hardened cloud images and threat intelligence—to help organizations defend against evolving cyber threats.
CVE
Common Vulnerabilities and Exposures (CVE) is an international, industry-standard dictionary of publicly known cybersecurity vulnerabilities in software and hardware. Managed by MITRE with support from the US Department of Homeland Security and CISA, it provides a standardized identifier—a CVE ID—for each flaw, enabling faster sharing of information, improved security, and consistent tracking across organizations.
CVRF
Common Vulnerability Reporting Framework (CVRF, now superseded by CSAF) is an industry-standard, XML-based language used to create, share, and process security advisories in a structured, machine-readable format. Developed to standardize how vendors and researchers report security vulnerabilities, CVRF enabled automated tools to ingest, parse, and act on vulnerability information quickly, reducing the time needed to identify and remediate risks. (see CSAF)
CVS
Common Vulnerability Score (see CVSS)
CVSS
Common Vulnerability Scoring System (CVSS) is an open framework for communicating the severity of IT vulnerabilities, assigning scores from 0.0 to 10.0. Scores are rated as Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), or Critical (9.0-10.0), with 0.0 rated as None, allowing organizations to prioritize remediation efforts based on risk; the base score reflects intrinsic severity, not the likelihood of exploitation (see EPSS).
DSS
Data Security Standard (see PCI DSS)
EPSS
Exploit Prediction Scoring System (EPSS) is an open, data-driven framework that estimates the probability (0-100%) that a software vulnerability will be actively exploited in the wild within the next 30 days. Managed by FIRST, it helps security teams prioritize patching by focusing on real-world threat risk rather than just severity.
GDPR
General Data Protection Regulation (GDPR), the European Union’s privacy law in force since May 2018, is one of the strictest privacy laws in the world, mandating technical and organizational security measures to protect the personal data of individuals in the EU. It applies to any organization worldwide that targets EU individuals. Key requirements include mandatory breach notification within 72 hours, “privacy by design,” and data minimization, with non-compliance penalties reaching up to €20 million or 4% of annual global turnover, whichever is higher.
HIPAA
Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US federal law protecting sensitive patient health information from unauthorized disclosure. It mandates security standards for Protected Health Information (PHI), gives individuals rights over their records, and protects insurance coverage during job changes.
ISO
International Organization for Standardization (ISO) is an independent, non-governmental international organization that develops and publishes voluntary, consensus-based, and market-relevant international standards for products, services, and systems. Founded in 1947 and headquartered in Geneva, Switzerland, it brings together experts from national standards bodies to improve quality, safety, and efficiency across industries worldwide.
MITRE
The MITRE Corporation is a not-for-profit organization that strengthens global cybersecurity through research, federally funded research and development centers (FFRDCs), and open-source tools. Its cornerstone, the MITRE ATT&CK® framework, is a globally accessible knowledge base of adversary tactics and techniques used to build threat-informed defenses, validate security postures, and improve incident response across public and private sectors.
NVD
National Vulnerability Database (NVD) is the U.S. government’s repository of publicly disclosed cybersecurity vulnerabilities, maintained by NIST. It synchronizes with the CVE list and enriches each entry with analysis, including severity scoring (CVSS), impact metrics, and affected software versions. It is a critical tool for vulnerability management, compliance, and patching.
NIST
National Institute of Standards and Technology (NIST), a US federal agency, provides voluntary cybersecurity standards, guidelines, and frameworks—most notably the NIST Cybersecurity Framework (CSF)—to help organizations manage and reduce cybersecurity risk. It offers a structured, risk-based approach used globally to secure information systems and protect critical infrastructure.
OWASP
Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security through community-led, open-source projects, tools, and educational resources. Best known for the OWASP Top 10, a standard awareness document identifying the most critical web application security risks, it offers free resources to help organizations develop secure applications.
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a global security standard, mandated contractually by the card brands rather than by law, designed to protect cardholder data. It requires any entity that stores, processes, or transmits cardholder data to follow specific security requirements, such as encrypting data, maintaining firewalls, and managing vulnerabilities, in order to reduce card fraud.
PCI SSC
Payment Card Industry Security Standards Council (PCI SSC) is a global open body formed by major card brands (Visa, Mastercard, American Express, Discover, and JCB) to manage and develop security standards, such as PCI DSS, for protecting payment card data.
PIPEDA
Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that regulates how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It establishes rules for handling data to protect individual privacy.