Glossary

ICT, Cybersecurity, and Oman-Regulatory Glossary

Short, stand-alone definitions of the acronyms and named programmes that recur across our services and FAQs. Each entry is anchor-linked — share /glossary#soc, /glossary#mtcit, and so on directly.

SOCSecurity Operations Centre
A 24/7 facility staffed by analysts who monitor an organisation's systems for security threats, investigate alerts, and coordinate response. AHAT's in-house Managed SOC launched in 2023 and operates SIEM/XDR aligned with the MITRE ATT&CK framework.
SIEMSecurity Information and Event Management
A platform that collects and correlates security event data from across an organisation's network, endpoints, and applications, then raises alerts on suspicious patterns. SIEM is the foundational technology in most modern Security Operations Centres.
XDRExtended Detection and Response
A security technology that unifies detection and response across endpoints, networks, identities, email, and cloud workloads into a single platform. XDR extends the older EDR (endpoint-only) model to give analysts a cross-domain view of an attack.
SOARSecurity Orchestration, Automation, and Response
Tooling that automates routine security tasks (alert triage, enrichment, containment) and orchestrates them across other security tools. SOAR reduces analyst workload in a SOC and shortens mean time to respond.
MITRE ATT&CK
A globally adopted knowledge base of adversary tactics and techniques, maintained by MITRE Corporation. SOCs map detections, threat-hunting queries, and incident reports to ATT&CK so they speak a common language with peers and regulators. AHAT's SOC is ATT&CK-aligned.
IAMIdentity and Access Management
The discipline and tooling that controls who can access which systems and what they can do once authenticated. Modern IAM covers single sign-on, multi-factor authentication, privileged access management, and identity governance.
DLPData Loss Prevention
Technology that detects and blocks the unauthorised exfiltration of sensitive data — for example, customer records being copied to personal email or removable media. DLP is a baseline requirement in regulated industries such as banking and government.
vCISOVirtual Chief Information Security Officer
A fractional, externally provided CISO engagement, typically delivered on a retainer. A vCISO sets the security strategy, owns the risk register, presents to the board, and runs the security programme — without the cost of a full-time executive hire. AHAT offers vCISO as part of its Cybersecurity Services.
VDIVirtual Desktop Infrastructure
Technology that hosts user desktops on central servers rather than on each user's local PC, streaming the desktop to thin clients or browsers. VDI is widely used in regulated environments because data never leaves the data centre. AHAT delivers Azure-hosted VDI for government, finance, education, and field-team scenarios.
ISO 27001
The international standard for Information Security Management Systems (ISMS), maintained by the International Organization for Standardization. ISO 27001 certification requires an audited management system covering risk treatment, controls, and continuous improvement. AHAT is ISO 27001:2022 certified.
MTCITMinistry of Transport, Communications and Information Technology
The Sultanate of Oman's ministry responsible for telecommunications, ICT regulation, and digital government. MTCIT maintains a public register of accredited Security Assessment Service Providers; AHAT is listed under ALHOLOL ALTHAKEYA INTERNATIONAL.
TRATelecommunications Regulatory Authority (Oman)
The Sultanate of Oman's regulator for telecommunications and licensed telecom services. AHAT holds an active TRA Telecom Services Licence (No. 498/2025) covering system integration, IT/telecom project management, managed services, and application development.
Riyadah
Oman's national SME development programme, administered by the Authority for Small and Medium Enterprises Development (ASMED). Riyadah registration certifies that a business meets the Sultanate's SME criteria and unlocks preferential treatment in government procurement. AHAT is a Riyadah-registered SME.
JSRSJoint Supplier Registration System
A vendor-registration platform used by Oman's major buyers (including energy-sector operators) to qualify suppliers across compliance, financial, technical, and HSE dimensions. AHAT is JSRS-registered.
Oman Vision 2040
The Sultanate of Oman's long-term national development strategy, replacing Vision 2020. Vision 2040 prioritises economic diversification away from hydrocarbons, with explicit emphasis on knowledge economy, digital transformation, and local private-sector capability. AHAT's service portfolio is explicitly aligned with Vision 2040.
EDREndpoint Detection and Response
Security tooling installed on endpoints (laptops, servers, mobile) that continuously records behaviour, detects anomalies, and supports active investigation and containment. EDR is the precursor to XDR — XDR extends EDR's endpoint focus to network, identity, email, and cloud.
MDRManaged Detection and Response
A delivery model where a service provider operates EDR/XDR tooling on the customer's environment and provides 24/7 monitoring, investigation, and response. MDR is essentially a SOC-as-a-service for organisations that don't run their own.
NDRNetwork Detection and Response
Security tooling that monitors network traffic (rather than endpoint logs) to detect lateral movement, command-and-control communication, and data-exfiltration patterns. Complementary to EDR — together they cover east-west and north-south traffic visibility.
PAMPrivileged Access Management
The discipline and tooling that controls accounts with elevated privileges — domain administrators, root, database owners, service accounts. PAM platforms enforce session recording, just-in-time elevation, password rotation, and approval workflows for privileged actions.
MFAMulti-Factor Authentication
An authentication policy requiring two or more independent factors — something you know (password), something you have (token, phone), something you are (biometric). Modern best practice is phishing-resistant MFA (FIDO2, passkeys); SMS-based MFA is increasingly considered weak.
Zero Trust ArchitectureZero Trust Architecture (ZTA)
A security model that assumes no implicit trust based on network location and instead verifies every access request individually using strong identity, device posture, and risk signals. ZTA is a strategic shift away from perimeter-based security.
IRIncident Response
The structured process for handling cybersecurity incidents — preparation, detection, containment, eradication, recovery, lessons learned. Mature IR practices include rehearsed playbooks, named on-call rotation, and written SLAs for time-to-acknowledge and time-to-contain.
NIST CSFNIST Cybersecurity Framework
A widely-adopted cybersecurity risk-management framework published by the US National Institute of Standards and Technology, organised around six functions (Govern, Identify, Protect, Detect, Respond, Recover). NIST CSF v2.0 is the current revision.
PCI-DSSPayment Card Industry Data Security Standard
The global compliance standard for organisations that store, process, or transmit cardholder data. PCI-DSS is mandatory for merchants and payment processors; non-compliance carries fines and risk of losing card-acquiring privileges. PCI-DSS v4.0 is the current revision.
SWIFT CSPSWIFT Customer Security Programme
SWIFT's mandatory security framework for all institutions connected to its global financial-messaging network. The Customer Security Controls Framework (CSCF) defines mandatory and advisory controls; institutions self-attest annually and may be independently assessed.
IaaSInfrastructure as a Service
A cloud delivery model where the provider supplies virtual machines, storage, networking, and the underlying hardware — the customer manages everything from the operating system up. Azure VMs, AWS EC2, and Google Compute Engine are IaaS offerings.
PaaSPlatform as a Service
A cloud delivery model where the provider supplies a managed application platform (operating system, runtime, databases, middleware) — the customer deploys application code and the platform handles the rest. App Service, AWS Elastic Beanstalk, and Cloud Run are PaaS offerings.
SaaSSoftware as a Service
A cloud delivery model where the provider supplies a complete software application delivered over the internet — the customer subscribes and uses, the provider manages everything. Microsoft 365, Salesforce, and Workday are SaaS offerings.
IaCInfrastructure as Code
The practice of provisioning and managing infrastructure through machine-readable definition files rather than manual configuration. Terraform, Bicep, and AWS CloudFormation are common IaC tools. IaC enables version control, peer review, and reproducible deployments.
CSPMCloud Security Posture Management
Tools that continuously inspect cloud configurations for misconfigurations, policy violations, and compliance drift. CSPM is essential for multi-cloud and large estates where manual review can't keep pace with the rate of change.
Landing Zone
A pre-architected, governance-ready cloud environment that an organisation deploys into when starting cloud adoption. A landing zone establishes identity, networking, security baselines, naming, and cost-management standards before workloads land — saving the rework of retrofitting governance later.
Data Residency
The requirement that specific categories of data be physically stored on infrastructure located within a particular jurisdiction. In Oman, regulators commonly require government, banking, and certain critical-infrastructure data to remain on Omani soil — shaping cloud architecture decisions for those workloads.
Hybrid Cloud
An architecture that combines on-premises infrastructure with one or more public cloud environments and treats them as a unified pool. Hybrid cloud is the common pattern in regulated industries where some workloads must stay on-prem (data residency, latency) while others move to cloud for elasticity and managed services.
SD-WANSoftware-Defined Wide Area Network
A WAN architecture that abstracts the control plane from underlying transport (MPLS, internet, wireless, satellite) and applies application-aware routing centrally. SD-WAN reduces MPLS dependency, improves resilience, and gives single-pane-of-glass policy management across distributed sites.
MPLSMultiprotocol Label Switching
A carrier-grade WAN technology that uses pre-established labels to route traffic through provider networks with quality-of-service guarantees. MPLS has been the enterprise WAN standard for two decades and is increasingly augmented or replaced by SD-WAN.
FSOFree-Space Optical Communication
Wireless data transmission using modulated light beams (typically infrared lasers) between line-of-sight terminals. FSO delivers fibre-grade bandwidth without spectrum licensing or trenching, ideal for short-range links between buildings, across rivers/roads, or where fibre installation is impractical.
mmWaveMillimetre-Wave (microwave)
High-frequency radio bands (24–86 GHz) that enable multi-gigabit point-to-point wireless links over distances up to 20+ km. mmWave is the practical choice for high-throughput connectivity where fibre isn't economical or geographically feasible.
BGPBorder Gateway Protocol
The routing protocol that exchanges reachability information between autonomous systems on the public internet. BGP is foundational to internet connectivity and is also used internally by large enterprises and service providers for traffic engineering.
VPNVirtual Private Network
An encrypted tunnel that connects two networks (site-to-site) or a remote user to a corporate network (client VPN) over an untrusted underlying network like the internet. Site-to-site IPsec VPNs remain the standard for connecting branch offices; client VPNs are increasingly replaced by zero-trust network access (ZTNA).
LLMLarge Language Model
A class of AI models trained on vast text corpora that can generate, summarise, classify, and reason over natural-language input. GPT-4, Claude, Gemini, and Llama are LLMs. Enterprise LLM use cases now include customer support, document understanding, code generation, and decision support.
RAGRetrieval-Augmented Generation
An AI architecture pattern where a language model is given access to a vector-search index of an organisation's documents before generating a response, so it cites the organisation's actual content rather than relying solely on its training data. RAG is the standard approach for enterprise knowledge assistants.
IoTInternet of Things
The connection of physical devices — sensors, meters, cameras, controllers, wearables — to networks for data collection and remote control. IoT scales from a single smart meter to city-wide deployments and intersects with OT in industrial settings.
OTOperational Technology
The hardware and software that monitors and controls physical processes — DCS, SCADA, PLCs, safety-instrumented systems. OT differs from IT in priorities: availability and process safety come before confidentiality, and patching is constrained by uptime requirements that can span years.
SCADASupervisory Control and Data Acquisition
An OT system architecture for monitoring and controlling industrial processes — pipelines, electrical grids, water treatment, manufacturing lines. SCADA systems aggregate data from field controllers (PLCs, RTUs) and present it to operators; their cybersecurity has become a national-critical concern.
MQTTMessage Queuing Telemetry Transport
A lightweight publish-subscribe messaging protocol designed for constrained devices and low-bandwidth networks. MQTT is the de-facto standard for IoT device-to-platform telemetry and is supported by all major cloud IoT services.
PDPLPersonal Data Protection Law (Oman)
Oman's Personal Data Protection Law (Royal Decree 6/2022), which entered into force in February 2023. PDPL governs the collection, processing, transfer, and retention of personal data; it applies to controllers and processors operating in Oman and carries explicit consent, breach-notification, and cross-border-transfer obligations.
MOCIIPMinistry of Commerce, Industry and Investment Promotion (Oman)
The Sultanate of Oman's ministry responsible for commercial registration, trademark registration, industrial licensing, and investment promotion. AHAT's trade name 'AHAT – The Smart Solutions' is registered as a trademark with MOCIIP (TM No. 155072, valid 2022–2032).
ASMEDAuthority for Small and Medium Enterprises Development
The Sultanate of Oman's SME-promotion agency, established in 2013 and currently the Authority for SMEs Development. ASMED administers the Riyadah programme and other SME-support initiatives, and certifies businesses as Omani SMEs for procurement-preference purposes.
PDOPetroleum Development Oman
The Sultanate of Oman's largest oil and gas operator and the country's leading upstream producer. PDO operates a strict supplier-qualification regime under JSRS and imposes its own cybersecurity baselines on connected suppliers and contractors.
OQ
OQ is Oman's integrated energy company, formed in 2019 through the merger of nine state-owned hydrocarbons businesses. OQ operates across upstream, downstream, petrochemicals, and clean energy, and runs its own supplier-qualification and cybersecurity expectations for partner organisations.
OWASP Top 10
The Open Web Application Security Project's regularly-updated list of the most critical web application security risks. The OWASP Top 10 is the de-facto baseline for application security testing and developer training; the current edition is OWASP Top 10 (2021), with a 2025 revision in preparation.
CIS Controls
The Center for Internet Security's prioritised set of cybersecurity best practices, organised into 18 controls and grouped by implementation difficulty. CIS Controls (formerly the SANS Top 20) are widely used as a starting baseline by organisations building out a security programme.
NIST 800-53
The US National Institute of Standards and Technology's catalogue of security and privacy controls for federal information systems. NIST 800-53 is highly granular (1,000+ controls) and informs many global compliance frameworks; the current revision is Rev 5.
SOC 2Service Organisation Control 2
An AICPA reporting framework that evaluates a service organisation's controls against five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are commonly requested by enterprise buyers procuring SaaS and outsourced services.

Need Our Services? Let’s Connect

    Glossary | AHAT — ICT, Cybersecurity & Oman Regulatory Terms