Glossary of Terms
=================

This glossary defines terms as they are used **within Thinkwerke documentation**. Where industry-standard definitions exist, they are respected; where ambiguity commonly exists in regulated environments, additional clarification is provided. The goal is **shared understanding across engineering, security, compliance, and audit stakeholders**.

Audit-ready evidence
--------------------

Documented, reproducible proof that demonstrates a control is implemented, operating, and effective. Evidence is generated through systems, workflows, and logs — not created ad hoc for audits.

CI/CD (Continuous Integration / Continuous Delivery)
----------------------------------------------------

Automated pipelines that build, test, validate, and deploy software. In this documentation, CI/CD pipelines are treated as **control execution points** and **evidence generators**.

CNAPP (Cloud-Native Application Protection Platform)
----------------------------------------------------

An integrated approach combining CSPM, workload protection, identity visibility, and runtime security for cloud-native environments, including Kubernetes.

Compliance mapping
------------------

The structured translation of regulatory, standard, or contractual requirements into technical controls, implementations, and evidence artifacts.

Control
-------

A technical, procedural, or organisational mechanism designed to mitigate risk or satisfy a regulatory or security requirement.

Control-to-proof
----------------

A traceable relationship between a defined control, its implementation, and the evidence that proves it is operating as intended.

CSPM (Cloud Security Posture Management)
----------------------------------------

Continuous assessment of cloud configurations against security baselines, regulatory requirements, and organisational policies.

Evidence by design
------------------

An approach where systems and processes are designed to **produce evidence continuously**, rather than generating documentation manually for audits.

Operating model
---------------

The defined ownership, workflows, escalation paths, and reporting structures that ensure security controls function consistently across teams and systems.

Shared responsibility
---------------------

The division of security and compliance responsibilities between a cloud provider and the customer. This documentation focuses on **making customer responsibilities explicit and provable**.

SIEM (Security Information and Event Management)
------------------------------------------------

A system for collecting, correlating, and analysing security-relevant logs and events to support detection, investigation, and compliance reporting.

SSLM (Secure Software Lifecycle Management)
-------------------------------------------

An approach to embedding security controls across the full software lifecycle, including design, development, testing, deployment, and operation.

Supply-chain security
---------------------

Controls and processes that manage risk introduced through third-party software, open-source dependencies, build systems, and delivery pipelines.

Tender evidence
---------------

Pre-packaged, reusable evidence artifacts used to respond consistently and accurately to security and compliance sections of procurement processes.

Vendor-hosted environment
-------------------------

Infrastructure or platforms operated by third-party providers (e.g. cloud or SaaS vendors) where the customer retains defined security responsibilities.

Vulnerability lifecycle
-----------------------

The end-to-end process for identifying, prioritising, remediating, tracking, and evidencing vulnerabilities, including ownership and SLAs.