Glossary
This glossary provides definitions for key terms used throughout the Omnicom Secure Development and Acquisition documentation.
Access Controls
Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations) designed to detect and deny unauthorized access and permit authorized access to an information system.
Agile Development
An iterative development methodology that values human communication and feedback, adapting to change, and producing working results. Agile is accomplished in pieces (sprints), with each sprint building and improving on the lessons learned from previous sprints.
Authentication
The process of confirming that a person is who they claim they are.
Authorization
The controls determining the resources that users are permitted to access based upon the permissions and privileges they have been granted.
Availability
Ensuring that information systems can be accessed and are fit for use.
BISO
Business Information Security Officer.
Change Advisory Board (CAB)
The team that assesses, approves, and prioritizes high-risk and other specified changes, made up of appointed and authorized representatives.
Change Control
The formal and approved process for submitting, reviewing, and approving changes to the production environment, including testing, documentation, implementation, validation, and tracking.
Cloud Native
Pre-built, configurable services and functions offered by a cloud provider that can be assembled into an application. Containers, PaaS, service meshes, functions, microservices, immutable infrastructure, and declarative APIs exemplify this approach.
CMDB (Configuration Management Database)
An ITIL term for a database used by an organization to store information about hardware and software assets, commonly referred to as Configuration Items (CIs). The CMDB is foundational to the Asset Management Process.
Confidentiality
The degree to which an information asset requires protection from unauthorized disclosure.
Continuous Integration/Continuous Delivery (CI/CD)
Bridges the gap between development and operations by enforcing automation of the building, testing, and deployment of applications. CI/CD pipelines are common within DevOps processes.
Control Point
A review and decision point within a business process workflow that enables capturing and logging required business, financial, technical and risk reviews and approvals before proceeding further.
Controlled Environment
Any infrastructure environment that includes the OMC security stack, hosted within an OMC managed and monitored environment. It may also include user endpoints (laptops, desktops) provided by OMC that include OMC's security stack and are monitored.
Data Owner
The individual or team who makes decisions such as who can access and edit data and how to use the data associated with their solution/application. They are responsible for overseeing and detailing the required protection of the data domain and for classifying data sources under the OMC Global Data Classification Policy.
DevSecOps
An extension of DevOps integrating security into the DevOps development life cycle as seamlessly and as transparently as possible.
Dynamic Application Security Testing (DAST)
A form of security vulnerability testing that communicates through an application's front-end interface to identify potential security vulnerabilities. It performs black-box testing.
Freeware
Stand-alone software applications that are free to use but have no contractual agreement with the supplier, meaning no liability and indemnification coverage. It is essentially use-at-your-own-risk software.
Infrastructure as Code (IaC)
The process of provisioning computing resources from machine-readable definition files instead of physical hardware configuration or interactive configuration tools.
Interactive Application Security Testing (IAST)
A form of security vulnerability testing that analyzes code while an automated or human functional testing routine runs the application, reporting vulnerabilities in real time.
Issue and Project Tracking Tool
A workflow tool that can log and track issues within the development life cycle, facilitate agile project management, and provide control points at various stages. Examples are Atlassian Jira, GitHub Enterprise Projects/Issues, and Azure DevOps.
Penetration Testing
Also known as ethical hacking, it is an authorized simulated cyberattack on a computer system to evaluate the security of the solution.
Risk
The level of impact on organizational operations, assets, or individuals resulting from an information system's operation given the potential impact of a threat and the likelihood of that threat occurring.
Secure Development Life Cycle (SDLC)
The process of securely developing solutions and applications through several sequential phases, including requirement analysis, architecture and design, development, testing, deployment, operations/maintenance, and retirement.
Software Bill of Materials (SBOM)
The inventory of open-source and third-party libraries used or available within a given application. The SBOM is a key building block for managing software security and supply chain risk.
Software Composition Analysis (SCA)
A technology tool that analyzes applications and related components to detect open-source and third-party software components that have known security vulnerabilities, are out of date, or pose licensing risks.
Static Application Security Testing (SAST)
A set of technologies that analyze software code for coding and design conditions indicative of security vulnerabilities. These tools analyze applications from the inside out while in a non-running state.
Threats
Any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, or denial of service.
Vulnerabilities
Weaknesses in information systems and procedures (technical, organizational, or physical) that could be exploited.