Cybersecurity, Data Protection & ERP Glossary
Plain-English definitions of the terms that appear in security proposals, audit findings and ERP quotes — VAPT, EDR vs MDR, DPIA, ODPC, Annex A, eTIMS, STK Push and more. Written by the engineers who use them.
Plain-English definitions of the cybersecurity, data protection, compliance, ERP and software engineering terms that appear in proposals, audit findings and quotes — written by the engineers who use them, for Kenyan and African organisations.
Cybersecurity
The terms that appear in security proposals, audit findings and breach reports — defined without the marketing.
- VAPT (Vulnerability Assessment and Penetration Testing)
- Vulnerability Assessment and Penetration Testing: two activities sold together. The assessment is automated and broad, enumerating known weaknesses across your estate. The penetration test is manual and deep, with a human exploiting those weaknesses to prove what an attacker could actually achieve. The term is used most commonly in Kenya, India and the Gulf; US and European firms usually say 'pentest' and include the assessment quietly. Read more
- Penetration test (Pentest, Ethical hacking)
- An authorised, simulated attack carried out by a human tester to determine what an adversary could actually do to your systems. Unlike a scan, it finds business-logic flaws, broken access control and chained exploits, and it demonstrates impact rather than listing theoretical severities. Scoped in writing, run against agreed rules of engagement, and normally followed by a retest. Read more
- Vulnerability scan
- An automated check that compares observed software versions, open ports and configurations against a database of published vulnerabilities. Fast, cheap and repeatable, so it should run continuously. It cannot understand your application, which is why it never finds business-logic flaws or broken authorisation — the flaws that cause most breaches. Read more
- EDR (Endpoint Detection and Response)
- Software on your laptops and servers that records what processes do, detects malicious behaviour rather than matching known signatures, and gives an analyst the ability to investigate and respond. EDR is the technology. It assumes somebody is watching the console — which, in most organisations that buy it, nobody is. Read more
- MDR (Managed Detection and Response)
- EDR plus the humans. A provider's analysts watch your telemetry around the clock, triage the alerts, hunt for what the tooling missed, and take containment action — isolating a host, disabling an account — when something is real. The distinction that matters is whether they act at 03:00 or merely send you an email you will read at 08:00. Read more
- SOC (Security Operations Centre)
- The function that monitors an organisation's systems for security threats continuously. Genuine 24/7 coverage requires a minimum of five analysts before any rotation is sustainable, which is why most organisations that claim to have a SOC actually run business-hours monitoring — a configuration that provides the appearance of coverage rather than coverage. Read more
- SIEM (Security Information and Event Management)
- A platform that centralises logs from across your estate and correlates them into alerts. Valuable when tuned by someone who knows your environment; a very expensive noise generator when not. Buying a SIEM without staffing the detection engineering behind it is one of the more common ways security budgets are wasted. Read more
- Threat hunting
- Proactively searching for adversaries already inside a network who have not triggered any alert. It assumes the alerting has failed, which over a long enough period it will, and it is guided by threat intelligence about how attackers actually behave rather than by a rule that fired. Read more
- Incident response (IR)
- The disciplined handling of a confirmed security incident: contain, investigate, eradicate, recover, learn. The two mistakes made in the first hour are powering machines off, which destroys memory-resident evidence, and rebuilding immediately, which destroys the forensic trail needed to establish what was taken — and therefore what you are legally obliged to report. Read more
- Ransomware
- Malware that encrypts your data and demands payment for the key. Modern operators exfiltrate the data before encrypting it, so paying does not resolve the breach — they retain a copy and may extort again. Deployment is typically timed for nights and weekends, when nobody is watching the console. Read more
- Business Email Compromise (BEC, CEO fraud)
- An attacker gains access to, or convincingly impersonates, a trusted email account and induces a payment or a data disclosure. It rarely involves malware, so antivirus does not see it. In practice it costs Kenyan organisations more than ransomware, and the controls that stop it are email authentication, payment verification procedures and staff who feel able to question an urgent instruction from a director. Read more
- Phishing
- Deceiving someone into revealing credentials, authorising a payment, or running attacker code, usually by email. It remains the most common initial access route into organisations of every size, and AI-generated messages have removed the spelling and grammar errors staff were historically trained to look for. Read more
- MFA (Multi-Factor Authentication, 2FA)
- Requiring a second proof of identity beyond a password — an authenticator code, a hardware key, a push approval. It is the single highest-value security control available to a small organisation, it is usually free, and it defeats the overwhelming majority of credential-based attacks. SMS codes are the weakest form and still far better than none. Read more
- Zero trust
- An architectural principle: never trust a request because of where it came from. Every access is authenticated and authorised regardless of whether it originates inside the network. It replaces the older model of a hard perimeter around a soft interior, which fails the moment one laptop inside the perimeter is compromised. Read more
- Attack surface
- Everything an attacker could interact with: your public websites and APIs, exposed services, cloud storage, DNS records, staff email addresses, and third parties with access to your systems. Most organisations underestimate theirs, because it includes the assets nobody remembers deploying. Read more
- CVE (Common Vulnerabilities and Exposures)
- A public identifier assigned to a specific, disclosed software vulnerability, such as CVE-2021-44228. It is a reference number, not a severity: a CVE affecting software you do not run, or a component you never expose, may pose you no risk at all. Findings that consist only of CVE identifiers came from a scanner. Read more
- CVSS (Common Vulnerability Scoring System)
- An open standard for scoring the technical severity of a vulnerability from 0 to 10. It deliberately knows nothing about your business, so a 'critical' CVSS score on an isolated internal system may matter less to you than a 'medium' on the API holding customer records. Good reports rank by business impact and cite CVSS as supporting detail. Read more
- OWASP Top 10
- A widely referenced, periodically updated list of the most critical web application security risks, published by the Open Worldwide Application Security Project. It is an awareness document and a testing baseline, not a complete standard — passing it does not make an application secure, and no serious tester stops there. Read more
Data Protection
Kenya Data Protection Act and GDPR vocabulary, defined as regulators use it rather than as vendors do.
- Kenya Data Protection Act (KDPA, DPA 2019)
- Kenya's data protection law, enacted in 2019 and closely modelled on GDPR. It governs how personal data is collected, processed, stored and shared, gives data subjects enforceable rights, and is enforced by the Office of the Data Protection Commissioner. Its notable divergences from GDPR are a registration regime and its own conditions on transferring data out of Kenya. Read more
- ODPC (Office of the Data Protection Commissioner)
- Kenya's data protection regulator. It maintains the register of data controllers and processors, receives breach notifications and data-subject complaints, issues enforcement notices, and may impose administrative penalties. GDPR has no direct registration equivalent, which is why organisations arriving from a European compliance background routinely miss the obligation. Read more
- Personal data
- Any information relating to an identified or identifiable natural person. Broader than most people assume: it includes names and ID numbers, but also IP addresses, device identifiers, location data and any combination of attributes that could single someone out. If it can be linked back to a person, it is in scope. Read more
- Sensitive personal data
- Categories of personal data attracting stricter protection — typically health, biometric and genetic data, sex life, and details revealing race, ethnicity, religious or political beliefs. Processing it triggers heavier obligations, and handling it at scale is one of the circumstances that can require both a Data Protection Officer and a Data Protection Impact Assessment. Read more
- Data controller
- The party that determines why and how personal data is processed. The controller carries the primary legal obligations, and cannot discharge them by pointing at a supplier. If you decide what data to collect from your customers and what to do with it, you are the controller — regardless of who operates the system. Read more
- Data processor
- A party that processes personal data on a controller's behalf and on its instructions — a cloud host, a payroll bureau, a software vendor operating your system. Processors carry their own statutory duties, and the relationship must be governed by a written Data Processing Agreement. Read more
- Data subject
- The living individual the personal data relates to. Data subjects hold enforceable rights — access, rectification, erasure, objection, portability, and rights concerning automated decision-making — and organisations must be able to honour a request within statutory timelines rather than whenever engineering has capacity. Read more
- DPIA (Data Protection Impact Assessment)
- A documented assessment of the risks a processing activity poses to data subjects, and of the measures taken to mitigate them. Required before high-risk processing — large-scale monitoring, profiling, biometrics, sensitive data at scale. It must be done before the processing begins; a DPIA written after launch is evidence of a failure rather than of compliance. Read more
- DPO (Data Protection Officer)
- The person responsible for advising on and monitoring data protection compliance. Required for certain controllers and processors, notably public bodies and organisations whose core activities involve regular systematic monitoring or large-scale processing of sensitive data. The DPO must act independently, must not hold a conflicting role, and may be an external appointment. Read more
- Lawful basis
- The legal justification you rely on to process personal data — consent, contract, legal obligation, vital interests, public interest, or legitimate interests. You must establish one before processing, document it, and be able to state it. Consent is the most commonly claimed and the most frequently invalid, because it must be freely given, specific, informed and revocable. Read more
- Breach notification
- The duty to inform the regulator, and in higher-risk cases the affected individuals, when a personal data breach occurs. Under the Kenyan Act notification to the Commissioner is required without undue delay where a breach poses a real risk to data subjects' rights and freedoms. The clock starts when you become aware, not when you finish investigating. Read more
- Cross-border transfer
- Moving personal data outside Kenya. The Act imposes its own conditions, and for certain categories of data there are localisation expectations with no GDPR analogue. This is not academic for any organisation using Microsoft 365, Google Workspace or AWS — your data already leaves the country, and you need a documented basis for it. Read more
- GDPR (General Data Protection Regulation)
- The European Union's data protection regulation, and the template for Kenya's Act. It reaches organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU — so a Nairobi company with European customers is in scope. Complying with GDPR does not make you compliant in Kenya, chiefly because of registration and transfer rules. Read more
Compliance
Certification and assurance vocabulary, including what a certificate does and does not prove.
- ISO 27001
- The international standard for information security management systems. It certifies that an organisation identifies its information risks and manages them through a governed, continuously improving system. It does not certify that any particular product is secure. The current version is ISO/IEC 27001:2022, and it is the only version certification bodies now issue certificates against. Read more
- ISMS (Information Security Management System)
- The set of policies, procedures, risk processes and governance forums by which an organisation manages information security. Auditors certify that the ISMS genuinely operates, not that the documents exist — which is why bought template packs fail audits. It must produce records: risk reviews, internal audits, management reviews, incident logs. Read more
- Annex A
- The catalogue of information security controls accompanying ISO 27001. The 2022 revision restructured them into four themes — organisational, people, physical and technological — and added controls covering threat intelligence, cloud services and secure coding. Annex A is a reference list, not a checklist to implement in full; your risk assessment determines which apply. Read more
- Statement of Applicability (SoA)
- The document recording which Annex A controls you have implemented, which you have excluded, and the justification for each decision. Auditors read it early and closely, because it reveals whether your control selection was driven by your risk assessment or copied from a template. Read more
- Certification body
- The accredited, independent organisation that audits you and issues an ISO 27001 certificate. Accreditation rules prohibit the party implementing your ISMS from also certifying it, which is why no consultancy can certify you. Any firm offering to do both should be treated with caution, and the resulting certificate may be rejected by the customer you obtained it for. Read more
- Surveillance audit
- The annual audit confirming your ISMS still operates between full certification cycles. ISO 27001 certification runs on a three-year cycle: a two-stage initial audit, surveillance audits in the intervening years, then recertification. Budgeting for the first audit alone is the most common ISO 27001 costing error. Read more
- SOC 2
- An attestation report on a service organisation's controls, produced by a licensed accountancy firm — not a certification. A Type II report covers an observation period during which controls must be shown to operate. American customers overwhelmingly ask for SOC 2; European, Middle Eastern and African customers ask for ISO 27001. Ask your buyers which before spending anything. Read more
- Risk register
- The maintained record of identified information risks, their assessed likelihood and impact, their owners, and how each is being treated — mitigated, transferred, avoided or accepted. It is the artefact that makes a management system real, and the one auditors test hardest, because a stale register proves the system is not operating. Read more
ERP & Software
Enterprise systems, integrations and delivery terms — including the Kenyan payment and tax rails.
- ERP (Enterprise Resource Planning)
- A system in which finance, inventory, procurement, HR and operations share one database, so a single transaction updates every affected record at once. The value is not the software; it is being able to answer questions about your own business immediately and correctly, instead of reconciling four spreadsheets that disagree. Read more
- Fit-gap analysis
- Documenting how each of your processes actually works, then mapping it against what a candidate platform does natively. Where they differ, you decide explicitly: change the process, or customise the software. Done before purchase, it prevents the most expensive ERP failure mode. A vendor demonstration is not a fit-gap analysis. Read more
- Total Cost of Ownership (TCO)
- The full multi-year cost of a system: licences at projected headcount, implementation, data migration, training, support, hosting, and the internal administrator you will need. Comparing purchase prices instead of five-year TCO is why per-user licensing looks cheap in year one and stops looking cheap in year four. Read more
- Data migration
- Extracting, cleaning, mapping and reconciling data from an old system into a new one. Technically it is a small part of the work; the reconciliation is the project, and it must be done by people who know the business rather than by developers. It is where ERP implementations quietly fail, and everyone believes their data is cleaner than it is. Read more
- M-Pesa Daraja API
- Safaricom's API platform for integrating M-Pesa into software. The straightforward part is the happy path. The parts that catch teams out are reliable callback handling, idempotency so a retried callback does not double-post a payment, automatic reconciliation against invoices, and the transition from sandbox to production. Read more
- STK Push (Lipa na M-Pesa Online)
- The Daraja flow that pushes a payment prompt to a customer's handset, which they authorise with their PIN. It is the standard method for customer-initiated payments in Kenyan applications. The prompt can time out or be ignored, so a correct implementation reconciles against the callback rather than assuming the payment succeeded. Read more
- C2B and B2C
- Daraja transaction types. C2B (customer to business) covers paybill and till collections initiated by the payer. B2C (business to customer) covers disbursements from your account to customers or staff — refunds, payouts, salaries. Most systems need both, plus transaction status and reversal queries. Read more
- eTIMS
- The Kenya Revenue Authority's electronic Tax Invoice Management System. Integrating it means invoices are transmitted and validated as they are raised, rather than being re-keyed into a separate portal by someone at month end. For most Kenyan businesses this and M-Pesa are the two integrations that matter most. Read more
- API (Application Programming Interface)
- A defined interface through which one system asks another to do something or return data. APIs are how an ERP talks to your bank, how your app talks to M-Pesa, and how you avoid buying one monolith to do everything. Before signing with any platform, ask what its API permits — and what it costs to export your data and leave. Read more
- Secure SDLC (Secure Software Development Lifecycle)
- Building security into software from the first design decision rather than testing for it before launch. Threat modelling during design, code review on every change, dependency and secret scanning in the pipeline. It matters because the flaws penetration tests find are overwhelmingly design decisions taken early, when fixing them was nearly free. Read more
- Vendor lock-in
- The condition of being unable to leave a supplier without unacceptable cost. It arises from proprietary data formats, licences you do not own, and heavy customisation of a platform you cannot upgrade. The test is simple and worth applying before you sign: what does it cost to leave, and can we export our data in a usable form? Read more
- HRMS (Human Resource Management System)
- The system holding employee records, leave, attendance, performance and payroll. In Kenya, payroll means statutory handling of PAYE, NSSF, SHIF and NHIF deductions, which is the part generic international platforms most often get wrong and the part your staff notice first. Read more