# Glossary

<table><thead><tr><th width="254">Concept</th><th>Explanation</th></tr></thead><tbody><tr><td></td><td></td></tr><tr><td>Domain</td><td>A division within your organisation on which you want to enforce isolation of objects and RBAC.<br>The domains <em>Demo</em> and <em>Starter</em> are reserved for internal features.</td></tr><tr><td>Perimeter</td><td>A subdivision of a domain. An organisation can split a domain into perimeters and link its audits, risk assessments, and other relevant objects to them. A perimeter does not enforce RBAC; only the domain does.</td></tr><tr><td></td><td></td></tr><tr><td>Role</td><td><p>A bundle of permissions. Four roles are built-in:</p><p><br>- <em>Domain Manager:</em> can set up and access everything on a domain<br>- <em>Analyst:</em> can input and read data, but cannot change the settings of a domain<br>- <em>Reader:</em> can only read the items of a domain<br>- <em>Approver:</em> can validate workflows on objects of a domain (e.g., Risk Acceptance)</p></td></tr><tr><td>User group</td><td>The combination of a role and a domain, to which you assign your users.<br>User groups are automatically created on your behalf whenever you create a domain.</td></tr><tr><td></td><td></td></tr><tr><td>Reference Control</td><td>A template for a control that serves as a reference and can be re-instantiated when needed.</td></tr><tr><td>Applied Control</td><td><strong>The main component of the action plan</strong>. The actual action that you have implemented or will implement. It can be technical, a process, a policy, documentation, etc.</td></tr><tr><td>Evidence</td><td>A document, screenshot, configuration sample, etc., that proves an applied control has been properly implemented.</td></tr><tr><td>Task</td><td>The main component of the task management module. A task can be one-time or periodic, and supports assignment to a user.</td></tr><tr><td></td><td></td></tr><tr><td>Catalog objects</td><td>The reusable objects of CISO Assistant and the building blocks of a library (frameworks, threats, risk matrices, etc.).</td></tr><tr><td>Library</td><td>A container object that holds one or more catalog objects for CISO Assistant (e.g., a framework or a risk matrix).</td></tr><tr><td>Framework</td><td>A set of requirements that covers the patterns and expectations needed to comply with a regulation, prepare for a certification, or establish a security foundation.</td></tr><tr><td>Mapping</td><td>Based on the NIST OLIR (Online Informative References) initiative. A mapping allows moving from framework A to framework B while reusing the assessment already done against framework A.</td></tr><tr><td></td><td></td></tr><tr><td>Entity</td><td>The scope of an external review, usually a vendor or third party.</td></tr><tr><td>Solution</td><td>A product or service provided by the entity.</td></tr><tr><td>Entity assessment</td><td>The actual review of the entity, which can trigger or be linked to an audit.</td></tr><tr><td>Representative</td><td>The person who has to answer the questionnaire and the requirements of the entity assessment.</td></tr><tr><td></td><td></td></tr><tr><td>URN</td><td>Uniform Resource Name, used as the unique identifier of a CISO Assistant catalog object and to link catalog objects to one another.</td></tr></tbody></table>
