Security Glossary - C

​This glossary has been created to assist security professionals in defining security terms commonly used by the profession and the industry, worldwide. It is a developing list that will be maintained, and where appropriate, modified, and changed over time. Terms borrowed from related fields, such as engineering, investigations, safety, etc. will be included when deemed necessary for the security professional.


The definition's source is cited in brackets [ ] following the definition. View the key to all cited reference sources.

It is NOT our goal to publish this glossary in print since it is intended to be a current online reference (on the ASIS website) to serve security professionals on an ongoing basis.

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

A device for capturing visual images, whether still or moving; in security, part of a video surveillance. 
[ASIS GDL FPSM-2009]  [ANSI/ASIS PAP.1-2012]

canned message

A message that has been developed to be used in the event of an emergency. Messages may be pre-recorded and taped for playing at a later time or exist in a policy/procedure for future reference.
[ASIS GDL TASR 04 2008]

capability analysis

​Process of evaluating the 1) competence, aptitude, and experience of people and the organization, 2) suitability of technology, and 3) application of processes for particular purpose(s) to determine whether or not the expected output will fall within an acceptable range.

case file

​The tool used by investigators to organize and maintain their records, documents and reports during an investigation.
[ANSI/ASIS INV.1-2015]

CCT rating

Corrected Color Temperature (CCT) is a measure of the warmth or coolness of a light. It is measured in degrees Kelvin which is the Centigrade (Celsius) absolute temperature scale where 0°K is approximately 272°C. 

central command center

A designated location from which the deployment of contingency procedures and plans can be implemented.
[ASIS GDL TASR 04 2008]


​Third-party attestation related to products, processes, systems, or persons.
Note 1: Certification of a management system is sometimes also called registration.
Note 2: Certification is applicable to all objects of conformity assessment except for conformity assessment bodies themselves to which accreditation is applicable.
[ANSI/ASIS PSC.2-2012]

chain of custody

​A record detailing those who handled or possessed a piece of evidence. Synonymous with chain of evidence.
[ANSI/ASIS INV.1-2015]

chain of evidence

​See Chain of Custody.
[ANSI/ASIS INV.1-2015]

change agent

An individual who is willing to challenge established business processes and procedures in the pursuit of excellence.
[ASIS CSO.1-2008] [ANSI/ASIS CSO.1-2013]

Chief Security Officer (CSO)

(1) A leadership function responsible for providing comprehensive, integrated risk strategies (policy, procedures, management, training, etc.) to help protect an organization from security threats.
[ASIS CSO.1-2008]

(2) A senior executive level function responsible for providing comprehensive, integrated risk strategies (policy, procedures, management, training, etc.) to help protect an organization from  a wide spectrum of threats.
[ANSI/ASIS CSO.1-2013]

circumstantial evidence

​Indirect evidence which in and of itself does not prove a material fact. Often gathered and used cumulatively to prove a fact.
[ANSI/ASIS INV.1-2015]

civil records

Official records related to civil cases—i.e., when one party sues another. 


(1) ​Organization or person that receives a product or service.

  • Note 1: Examples include consumers, contractors, end-user, retailer, beneficiary and purchaser.
  • Note 2: A client can be internal (e.g., another division) or external to the organization.


  • Note 3: In ANSI/ASIS PSC.4-2013, client refers to the ship owner and/or charterer.

[ANSI/ASIS PSC.4-2013] 

(2) The individual or entity for which an investigation is performed.

  • ​Note: A customer is a more general term used to indicate the recipient of a tangible or intangible service or product.
[ANSI/ASIS INV.1-2015]

closed-circuit television (CCTV)

​See video surveillance.

communication and consultation

​(1) Continual and iterative processes that an organization conducts to provide, share, or obtain information, and to engage in dialogue with stakeholders and others regarding the management of risk.

  • Note 1: The information can relate to the existence, nature, form, likelihood, severity, evaluation, acceptability, treatment, or other aspects of the management of risk and quality assurance management.
  • ​Note 2: Consultation is a two-way process of informed communication between an organization and its stakeholders or others on an issue prior to making a decision or determining a direction on a particular issue. Consultation is: 
    — A process which impacts on a decision through influence rather than power; and
    — An input to decision making, not joint decision making.

[ANSI/ASIS PSC.1-2012]

(2) Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision-makers regarding the management of risk.

  • Note 1: Information may relate to the context of the organization, characteristics of the risks and its assessment, and the selection and evaluation of risk treatment options.
  • ​Note 2: Communication and consultation informs the decision-making process but does not infer joint decision-making. 


​(1) A group of associated organizations sharing common interests.
[ANSI/ASIS SPC.4-2012] [ANSI/ASIS PSC.3-2013]

(2) A group of associated organizations and groups sharing common interests. 
[ANSI/ASIS PSC.1-2012]

(3) A group of associated organizations and people sharing common interests. 


(1) ​Ability to apply knowledge and skills to achieve intended results.
[ANSI/ASIS PSC.1-2012]

(2) Demonstrable ability to apply knowledge and skills to achieve intended results.

computer based training

​Any training that uses a computer as the focal point of instructional delivery. Training is provided through the use of computer hardware and software that guides the learner through an interactive learning program.


​A comprehensive admission to the commission of an offense or violation of the law that contains all of the elements of the offense or crime in question. Not to be confused with admission.
[ANSI/ASIS INV.1-2015]


Secrecy, the state of having the dissemination of certain information restricted.
[ASIS GDL IAP 05 2007]


(1) Fulfillment of a requirement.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]  [ANSI/ASIS PSC.1-2012]  [ANSI/ASIS PSC.2-2012]

(2) Consistency with a requirement.

conformity assessment

​Demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.
[ANSI/ASIS PSC.2-2012]

conformity assessment body

​Body that performs conformity assessment services.

  • Note 1: An accreditation body is not a conformity assessment body.
  • ​Note 2: Bodies performing certification of management systems (certification) activity are therefore third-party conformity assessment bodies (named in Standard ANSI/ASIS PSC.2-2012 as certification body/bodies
[ANSI/ASIS PSC.2-2012]


(1) Outcome of an event affecting objectives. [ISO Guide 73:2009]  

  • Note 1: An event can lead to a range of consequences. 
  • Note 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives. 
  • Note 3: Consequences can be expressed qualitatively or quantitatively. 
  • Note 4: Initial consequences can escalate through knock-on effects. 
[ANSI/ASIS PAP.1-2012]  [ANSI/ASIS PSC.1-2012]

  • Note 4: Initial consequences can escalate through cumulative effects from one event setting off a chain of events. 

(2) Result or effect of an action, condition, or decision on achieving objectives and outcomes.

  • Note 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.
  • Note 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.
  • ​Note 3: Consequences may have cascading effects. 


​A secondary result ensuing from an action or decision. From an insurance or security standpoint, costs, loss, or damage beyond the market value of the asset lost or damaged, including other indirect costs.
[ASIS GDL GLCO 01 012003]

consumer report

FCRA § 603(d)(15 U.S.C. § 1681a)(1) provides that the term "consumer report" means any written, oral, or other communication of any information by a Consumer Reporting Agency (CRA) bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for” (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under §1681b.  

Consumer Reporting Agency (CRA)

FCRA § 603(f)(15 U.S.C. § 1681a) provides that the term "consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

contact list

​A list of team members and key players in a crisis. The list should include home phone numbers, pager numbers, cell phone numbers, etc.
[ASIS GDL BC 01 2005]

continual improvement

(1) Recurring process of enhancing the organizational resilience (OR) management system in order to achieve improvement in overall OR management performance consistent with the organization’s OR management policy.

  • Note: the process need not take place in all areas of activity simultaneously.
[ASIS SPC.1-2009]

(2) Recurring process of enhancing the business continuity management system in order to achieve improvements in overall business continuity management performance consistent with the organization’s business continuity management policy.
  • Note:  The process need not take place in all areas of activity simultaneously.
[ASIS/BSI BCM.01-2010]

(3) Recurring process of enhancing the PAPMS in order to achieve improvements in overall PAP management performance consistent with the organization’s PAP management policy.
  • Note: The process need not take place in all areas of activity simultaneously. 
[ANSI/ASIS PAP.1-2012]

(4) Recurring activity to increase the ability to fulfill requirements
  • Note:  The process of establishing objectives and finding opportunities for improvement is a continual process through the use of audit findings and audit conclusions, analysis of data, management reviews or other means and generally leads to corrective action or preventive action.  
[ANSI/ASIS PSC.1-2012]

(5) Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements

  • ​Note: Changes may be incremental or comprehensive. 


Strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events in order to continue operations at an acceptable predefined level.
Note: Continuity, as used in this Standard, is the more general term for operational and business continuity to ensure an organization’s ability to continue operating outside of normal operating conditions. It applies not only to for-profit companies, but organizations of all natures, such as non-governmental, public interest, and governmental organizations.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

continuity strategy

​Approach by an organization intended to ensure continuity and ability to recover in the face of a disruptive event, emergency, crisis, or other major outage.
[ASIS SPC.1-2009]

contract security service

​(1) Protective services provided by one entity, specializing in such services, to another entity on a compensated basis.

(2) A business that provides security services, typically the services of security officers, to another entity for compensation.
[ASIS GDL FPSM-2009]  [ANSI/ASIS PAP.1-2012]


​The act or process of judicially finding someone guilty of a crime; the state of having been proved guilty.

corrective action

​(1) Action to eliminate the cause of a detected nonconformity. 
[ASIS SPC.1-2009]

(2) Action to eliminate the cause of a detected nonconformity or other undesirable situation.

  • Note 1:  There can be more than one cause for a nonconformity.
  • Note 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence. 
[ANSI/ASIS PSC.1-2012]

(3) Action to rectify the causes of a detected nonconformity or other undesirable circumstances.

  • Note 1:  There can be more than one cause for a nonconformity.
  • ​Note 2:  Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.


​Comparing information from any investigative source with that provided by the Subject to confirm the information or to identify discrepancies.  (Joint Security Clearance Reform Team, ONCIX, 2013). 

cost-benefit analysis

​Any process by which an organization seeks to determine the effectiveness of spending, in relation to costs, in meeting policy objectives. A process in planning, related to the decision to commit funds or assets. This is a systematic attempt to measure or analyze the value of all the benefits that accrue from a particular expenditure. Usually, this process involves three steps: identification of all direct and indirect consequences of the expenditure; assignment of a monetary value to all costs and benefits resulting from the expenditure; discounting expected future costs and revenues accruing from the expenditure to express those costs and revenues in current monetary values.
[ASIS GDL GLCO 01 012003]


​The reliability or trustworthiness of an individual.
[ANSI/ASIS INV.1-2015]

credit bureau

​A Consumer Reporting Agency specifically involved in creating a consumer credit report.  See also Consumer Reporting Agency.

credit report

​A detailed report of an individual’s credit history prepared by a credit bureau including: (1) personal data (current and previous addresses, Social Security Number, employment history); (2) summary of credit history (number and type of accounts that are past-due or in good standing); (3) detailed account information; (4) inquires into applicant’s credit history (number and type of inquiries into applicant’s credit report); (5) details of any accounts turned over to credit agency (such as information about liens or wages garnishments via federal, state, or county records); and (6) information on how to dispute any of the above information.


​An act or omission which is in violation of a law forbidding or commanding it for which the possible penalties for an adult upon conviction include incarceration; for which a corporation can be penalized by a fine or forfeit; or for which a juvenile can be adjudged delinquent or transferred to criminal court for prosecution. The basic legal definition of crime is all punishable acts whatever the nature of the penalty.
[ANSI/ASIS PAP.1-2012]

crime preventation through environmental design (CPTED)

​[Pronounced sep-ted] An approach to reducing crime or security incidents through the strategic design of the built environment, typically employing organizational, mechanical, and natural methods to control access, enhance natural surveillance and territoriality, and support legitimate activity.
[ASIS GDL FPSM-2009]  [ANSI/ASIS PAP.1-2012]

criminal records

​Official records related to criminal cases. A crime is an act or omission that is prosecuted in a criminal court by a government prosecutor and can be punished by confinement, fine, restitution, and/or forfeiture of certain civil rights.


​(1) Any global, regional, or local natural or human-caused event or business interruption that runs the risk of {1} escalating in intensity, {2} adversely impacting shareholder value or the organization’s financial position, {3} causing harm to people or damage to property or the environment, {4} falling under close media or government scrutiny, {5} interfering with normal operations and wasting significant management time and/or financial resources, {6} adversely affecting employee morale, or {7} jeopardizing the organization’s reputation, products, or officers, and therefore negatively impacting its future.
[ASIS GDL BC 01 2005]

(2) An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

crisis management

​Holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities – as well as effectively restoring operational capabilities.
Note: Crisis management also involves the management of preparedness, mitigation response, and continuity or recovery in the event of an incident – as well as management of the overall program through training, rehearsals, and reviews to ensure the preparedness, response, and continuity plans stays current and up-to-date.
[ASIS SPC.1-2009]

crisis management center

​A specific room or facility staffed by personnel charged with commanding, controlling, and coordinating the use of resources and personnel in response to a crisis.
[ASIS GDL BC 01 2005]

crisis management planning

​A properly funded ongoing process supported by senior management to ensure that the necessary steps are taken to identify and analyze the adverse impact of crisis events, maintain viable recovery strategies, and provide overall coordination of the organization’s timely and effective response to a crisis.
[ASIS GDL BC 01 2005]

crisis management team (CMT)

​(1) A group of individuals functionally responsible for directing the development and execution of the response and operational continuity plan, declaring an operational disruption or emergency/crisis situation, and providing direction during the recovery process, both pre-and post-disruptive incident.  Note: The crisis management team may include individuals from the organization as well as immediate and first responders, stakeholders, and other interested parties.
[ASIS SPC.1-2009]

(2) A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident.  The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation. Note: Members of the CMT should be knowledgeable of the business, authorized to identify a disruptive situation, communicate appropriately, and deploy the necessary resources (human and physical) to control the disruptive event to assure the safety and security of human and physical assets.
[ASIS/BSI BCM.01-2010]


​The individual (criterion) or collective (criteria) stated qualifications to be compared with an applicant’s or employee’s actual credentials, experience, or history in determining suitability for an employment decision (hiring or otherwise).

critical activity

Any function or process that is essential for the organization to deliver its products and/or services.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]

critical business processes

​In terms of security issues, critical business processes include incident response, and the management of recovery efforts within the organization to restore critical systems and provide alternative facilities so that the organization can continue to function.
[ASIS CSO.1-2008]

critical control point (CCP)

(1) ​A point, step, or process at which controls can be applied and a threat or hazard can be prevented, eliminated, or reduced to acceptable levels.
[ANSI/ASIS PSC.1-2012]

(2) A point, step, or process at which controls can be applied to modify risk.
Note 1:  A threat or hazard can be prevented, eliminated, or reduced to targeted levels.
Note 2:  A point at which opportunity can be leveraged.

critical function

​Business activity or process that cannot be interrupted or unavailable for several business days without having a significant negative impact on the organization.
[ASIS GDL BC 01 2005]

critical infrastructures

​The sophisticated facilities, systems, and functions, which include human assets and physical and cyber systems, that work together in processes that are highly interdependent to provide the foundation for our national security, governance, economic vitality, and way of life.
[ASIS GDL PSO 11 2004]

critical records

​Records or documents that, if damaged, destroyed, or lost, would cause considerable inconvenience to the organization and/or would require replacement or recreation at a considerable expense to the organization.
[ASIS GDL BC 01 2005]


​(1) Of essential importance with respect to objectives and/or outcomes.
[ASIS SPC. 1-2009] [ANSI/ASIS/RIMS RA.1-2015] 

(2) The impact caused by a loss event, typically measured in financial terms.
[ASIS SPC. 1-2009]

criticality analysis

​A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization‘s stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations.
Note:  Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in strategy execution.

criticality assessment

​A process designed to systematically identify and evaluate an organization’s assets based on the importance of its mission or function, the group of people at risk, or the significance of a disruption on the continuity of the organization.
[ASIS SPC.1-2009]  [ANSI/ASIS PAP.1-2012]  [ANSI/ASIS PSC.1-2012]

custodian of record

​The person or entity responsible for record possession, retention, and/or preservation.
[ANSI/ASIS INV.1-2015]

cyber isolation

​The removal of an individual’s or entity’s computer network from access to the Internet.
[ASIS GDL TASR 04 2008]

1 - 60Next