Glossary
Key terms used throughout OSA.
- Actor
- A security role responsible for implementing or operating controls within an OSA pattern. OSA aligns its actor taxonomy to the NIST NICE Workforce Framework (SP 800-181).
- Source: OSA / NIST NICE
- Architecture
- A set of design artefacts describing components, their relationships, and the principles governing design and evolution over time.
- Source: OSA / Zachman
- Baseline
- A minimum set of controls for an information system based on its impact level. NIST 800-53 Rev 5 defines Low, Moderate, and High baselines. OSA control pages show which baselines include each control.
- Source: NIST
- Compliance Framework
- A structured set of guidelines and controls that organisations must follow to meet regulatory or industry requirements. OSA maps NIST 800-53 controls to 80 frameworks spanning global standards, sector-specific regulations, and regional requirements.
- Source: OSA
- Control
- A technical countermeasure, organisational process, or management practice that maintains IT system security properties. Controls can be preventative, detective, or reactive. NIST 800-53 Rev 5 classifies them as Technical, Operational, or Management.
- Source: NIST
- Control Family
- A grouping of related NIST 800-53 controls. The 20 families include Access Control (AC), Incident Response (IR), System and Communications Protection (SC), and others. Each family addresses a specific security domain.
- Source: NIST
- Defence in Depth
- A security strategy employing multiple layers of controls so that if one layer fails, others continue to provide protection. No single control is relied upon exclusively.
- Source: NSA / NIST
- Incident
- A violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices. Distinct from an event, which is any observable occurrence.
- Source: NIST SP 800-61
- Issue
- The gap between desired state and current state when an authority demands closure of that gap. In OSA assessments, issues are identified through gap analysis between current maturity scores and target levels.
- Source: OSA
- Least Privilege
- The principle that every programme, user, and system component should operate with the minimum set of privileges necessary to complete its function. One of Saltzer and Schroeder's original design principles, codified in NIST 800-53 as AC-06.
- Source: Saltzer & Schroeder / NIST
- Pattern
- A proven, reusable solution to a recurring security architecture problem. OSA patterns include architectural diagrams, NIST 800-53 control mappings, threat models, and real-world examples. Derived from Christopher Alexander's concept of design patterns.
- Source: OSA
- Risk
- The probable frequency and probable magnitude of future loss, typically expressed as likelihood multiplied by impact. In security architecture, risk drives the selection and prioritisation of controls.
- Source: FAIR / NIST
- Security
- An IT system's ability to protect confidentiality and integrity of processed data, provide availability, accountability for transactions, and assurance of continued correct operation.
- Source: OSA
- Security Architecture
- Design artefacts describing how security controls are positioned and how they relate to the overall IT architecture, maintaining confidentiality, integrity, availability, accountability, and assurance.
- Source: OSA
- Security Event
- An observable occurrence in a system or network that may indicate a security incident. Events are collected and correlated by SIEM systems to identify patterns requiring investigation.
- Source: NIST SP 800-61
- Threat
- Any circumstance or event with the potential to adversely impact organisational operations, assets, individuals, or other organisations through unauthorised access, destruction, disclosure, modification of information, or denial of service.
- Source: NIST SP 800-30
- Threat Model
- A structured representation of the threats relevant to a system or architectural scenario. OSA patterns include named threat scenarios (e.g., T-ZT-001) with descriptions, mitigating controls, and references to real-world incidents.
- Source: OSA
- Vulnerability
- A weakness in a system, system security procedure, internal control, or implementation that could be exploited by a threat source. Vulnerabilities exist at technical, process, and human levels.
- Source: NIST SP 800-30
- Zero Trust
- A security architecture approach that eliminates implicit trust and continuously validates every stage of digital interaction. Based on the principle of never trust, always verify. See OSA pattern SP-029.
- Source: NIST SP 800-207