# Glossary
source: https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md

The following glossary lists the most commonly used terms in RiskRecon.

### Action Plan {#action-plan}

Action plans are prioritized findings that RiskRecon provides to its customers and their vendors to mitigate risks detected in the scans. They are generated automatically based on your organization's custom risk policy, which your organization's RiskRecon administrators can set.

### Add Company Scope {#add-company-scope}

Users with the Add Company scope or permission can add and remove TOEs from their portfolio.

### Alerts {#alerts}

In the RiskRecon portal, the **Alert Center** lets users configure notifications about new issues or rating changes, delivered via the portal or by email.

### Application Security {#application-security}

RiskRecon uses passive techniques to assess each web application discovered by its scans of your systems for compliance with widely accepted application security practices. The Application Security domain summarizes the performance of each security criterion in its purview and the issues identified within them.

Consistent deployment of web application security controls appropriate for the risk context of a system is important to defend against application-level attacks. It is also an indicator that your company and third parties have a robust web application security program. RiskRecon recommends addressing issues in the order of the risk priority shown for each issue.

### Asset Value {#asset-value}

RiskRecon assigns an asset value to each internet-facing system, and therefore to the findings arising from scans of that system. The asset value (risk value) is determined through deep analytics of the system's code, content, and configuration. Through these analytics, RiskRecon discovers the types of data each system collects. The primary analytics focus on identifying the form fields of every web page and using machine learning models to determine the types of data each field collects.

Systems that collect sensitive data such as user credentials, email addresses, credit card numbers, and so forth are marked as high-value assets. Systems that collect no sensitive information are marked lower. The asset value ranks the importance of the technical asset in question.

* High-value assets, coupled with high issue severities, should be fixed quickly.
* Low-value assets, coupled with low issue severities, can be prioritized below high-priority findings.

### Assessment Frequency {#assessment-frequency}

The assessment frequency indicates whether the vendor is scanned once or continuously for risk assessment. This value can be continuous or one-time.

* If the assessment is continuous, RiskRecon re-analyzes the organization every two weeks for new systems, software versions, and findings.
* If the assessment is one-time, RiskRecon provides a point-in-time snapshot assessment that is not updated bi-weekly.

### Breach Events {#breach-events}

The Breach Events domain summarizes the breach events the organization has experienced. Recent breach events indicate gaps in the organization's breach protection program. Organizations with recent breach events, and especially those with repeated breach events over time, should be examined closely to ensure that controls are operating effectively to prevent future breach events.

### Customer Account {#customer-account}

A customer account is a unique ID given to each of the portals that a RiskRecon customer holds.

### CVE {#cve}

Common Vulnerabilities and Exposures (CVE) is a program run by the MITRE Corporation that publicly hosts a catalog of cybersecurity threats and vulnerabilities. Each vulnerability collected is assigned a unique identifier, which makes it easier to refer to the same issue across networks and tools and to find a suitable remedy for it.

### CVSS {#cvss}

The Common Vulnerability Scoring System (CVSS) is a method to assess the inherent risk in a vulnerability on a scale of 1-10. Where possible, this score is used to assign a [severity rating](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#severity-rating).

### DNS Security {#dns-security}

The Domain Name System (DNS) Security domain assesses the use of controls that prevent unauthorized modification of domain records, which would result in domain hijacking. This domain also enumerates the DNS hosting providers to determine the level of fragmentation. Control of DNS records is essential to keeping systems accessible. Where domain hijacking controls do not appear to be implemented, the organization should demonstrate compensating controls or implement the recommended domain protection settings.

### Email Security {#email-security}

The Email Security domain analyzes the security configuration of email services. Email servers should be configured to encrypt email communications to protect email messages from unauthorized access. Domains should be configured to prove the authenticity of email messages to prevent spoofing.

### Finding {#finding}

A finding is a security gap discovered during the data retrieval or analysis phase. For example, Joomla 1.5 running on a host.

Findings for the Software Patching security domain may have [CVEs](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#cve) associated with them. RiskRecon provides a view of the CVEs associated with the Software Patching findings in the issue slide-out in the portal.

### Host {#host}

A host is a computer that has been given a unique name and provides services, such as serving web pages.

More broadly, a host is any computer or other device that communicates with other computers on a network and provides services related to your business. Hosts may be distributed widely, both physically across geographies and across cloud environments.

### Internal IDs {#internal-ids}

An internal ID is an identifier assigned to a company, in addition to its TOE ID, to track the company outside of RiskRecon.

### Internal Name {#internal-name}

Any internal name for the company being tracked outside of RiskRecon.

### Network Filtering {#network-filtering}

The Network Filtering domain analyzes the company networks and systems for the presence of unsafe network services and IoT devices. Proper control of the services exposed to the Internet is a basic security practice, as unsafe network services and IoT devices are a common vector for compromising systems and networks. Enterprises should limit the systems and services exposed to the Internet to those that are safe and necessary.

### Overall Rating {#overall-rating}

The overall rating measures the security performance of a TOE across the security domains. It is the average of the scores of the nine security domains, so an increase in the overall rating indicates an improvement in the security performance of one or more of the [security domains](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#security-domain), and vice versa.

### Portfolio {#portfolio}

Your RiskRecon portfolio is a collection of all entities with whom you have or intend to have business relationships, such as vendors, third parties, and subsidiaries. Each of these entities is a Target of Evaluation (TOE) that RiskRecon scans and monitors on your behalf to detect, track, and remediate cybersecurity issues.

### Read Only API Scope {#read-only-api-scope}

Users with the Read Only API scope or permission can only receive a successful response from GET API endpoints. If such a user calls a non-GET endpoint (POST, PUT, or DELETE), they receive an unauthorized request error.

### Risk Classifier Scope {#risk-classifier-scope}

Users with the Risk Classifier scope or permission can create the folder types for the Risk Relationships and Risk Scheme for your organization. They can also move TOEs to the created folders.

### Risk Relationship Folder {#risk-relationship-folder}

Users can use Risk Relationship folders to organize the TOEs in their portfolios and customize them to suit their business needs. RiskRecon uses the terms Folder and Risk Relationship interchangeably.

### Risk Relationship Slug {#risk-relationship-slug}

A Risk Relationship Slug is a unique identifier for each risk relationship folder within your portfolio.

### RiskRecon System Administrator {#riskrecon-system-administrator}

The RiskRecon system administrator is a user within the customer account and is not a RiskRecon employee. Each customer designates which of their users should have system administrator privileges when they set up their customer account.

### Security Criteria {#security-criteria}

A security criterion is the lowest level of focus and rating within a RiskRecon analysis. Security Domains contain many security criteria. For example, the Software Patching security domain contains four criteria: Application Server Patching, OpenSSL Patching, CMS Patching, and Web Server Patching.

### Security Domain {#security-domain}

The security domains consist of nine areas of focus during a RiskRecon analysis. They are [Application Security](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#application-security), [Breach Events](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#breach-events), [DNS Security](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#dns-security), [Email Security](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#email-security), [Network Filtering](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#network-filtering), [Software Patching](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#software-patching), [System Hosting](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#system-hosting), [System Reputation](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#system-reputation), and [Web Encryption](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#web-encryption).

### Severity Rating {#severity-rating}

Using [CVSS](https://developer.mastercard.com/riskrecon-api/documentation/glossary/index.md#cvss), the RiskRecon Cybersecurity Ratings and Assessment platform rates the severity of each finding as Critical, High, Medium, or Low. If a CVSS rating is not available for an issue, RiskRecon assigns its own severity rating using its artificial intelligence algorithms.

### Software Patching {#software-patching}

The Software Patching domain enumerates systems that are running end-of-life and vulnerable software. Because end-of-life software is not supported by the vendor, it cannot be patched against known security issues or new vulnerabilities that might be discovered, increasing the likelihood of system compromise.

RiskRecon recommends addressing issues according to the assigned issue risk priority, which is determined based on the combination of issue severity and asset value. RiskRecon uses the CVSS rating as the severity for software patching issues.

### Subscription Level {#subscription-level}

A subscription is a license provided by RiskRecon to its customers. The subscription level available to you depends on the assessment frequency you choose.

If the assessment frequency is *continuous*, three types of subscription are available:

* RiskRecon Advisor
* RiskRecon Discover
* RiskRecon Enterprise

If the assessment frequency is *one-time*, only the RiskRecon Snapshot subscription is available.

### Subsidiary {#subsidiary}

A subsidiary is a company owned or controlled by another company, which is called the parent company or holding company.

### System Hosting {#system-hosting}

The System Hosting domain provides insight into the internet attack surface of the company, detailing the number of systems, the system hosting providers, and the system geolocations. How the organization has instantiated its internet presence is a driver of the complexity of managing IT security, privacy, and regulatory risk.

In this domain, RiskRecon rates two criteria: the degree of system hosting fragmentation and the use of shared IP address hosting. All other criteria (hosting countries, hosting providers, hostname surface, and domain name surface) are provided as information only. Detailed internet attack surface information is available in the **IT Profile** tab of the portal.

### System Reputation {#system-reputation}

The System Reputation domain enumerates systems owned by the company that are communicating with monitored C2 servers, sinkholes, and honeypots, or are exhibiting other hostile activities. The presence of the organization's assets in threat intelligence feeds indicates a lack of the consistent and effective security controls, deployed to all systems, that are necessary to prevent malware infection and system abuse. Critical and high severity issues should be investigated on a priority basis. This domain shows all issues observed in the last 30 days.

Alert: The System Reputation domain can have false positives, for example activity originating from guest wireless networks.

### TOE {#toe}

A company that is being analyzed by RiskRecon is termed a Target of Evaluation (TOE). Such a company could be a vendor or any other party with direct or indirect business relations with the customer that needs to be evaluated for security reasons.

RiskRecon categorizes TOEs as existing or new TOEs:

* An existing TOE is defined as a TOE that RiskRecon currently monitors, but may not be in your portfolio.
* A new TOE is defined as a TOE that is not currently monitored by RiskRecon that you would like a security analyst to build and add to your portfolio.

### TOE PDF Reports {#toe-pdf-reports}

RiskRecon provides the following types of PDF reports for TOEs:

* **Executive Report**: The Executive Report provides an executive summary of the RiskRecon ratings and security performance metrics.
* **Summary Report**: The RiskRecon Summary Report provides the summary RiskRecon ratings and security performance metrics.
* **Detailed Report**: The RiskRecon Detailed Report provides the RiskRecon ratings, security performance metrics, and detailed findings and recommendations.
* **Action Plan Report**: The RiskRecon Action Plan Report provides issue tracking metrics and the current action plan for all the security domains and criteria.

### Web Encryption {#web-encryption}

RiskRecon uses passive techniques to analyze web encryption security configurations. Correctly configured web encryption is essential to ensuring that communications are protected from eavesdropping and that people can verify the authenticity of the system.

Addressing encryption issues also improves user experience, eliminating security alerts raised by the browser. RiskRecon strongly recommends first addressing all encryption issues in systems flagged as "high" value. These are systems RiskRecon observed to be collecting sensitive information.
