About this glossary
This glossary defines 30 of the managed IT, cybersecurity, Canadian compliance, and AI terms business leaders encounter most often when evaluating an IT provider or building a security program. Each definition is written in plain language and maintained by a CISSP-certified practitioner. Where a term has a deeper resource — a controls matrix, a service overview, or a full explainer — we link to it.
The glossary, A to Z
AI Governance
AI governance is the set of policies, controls, and accountability structures an organization uses to manage how artificial-intelligence tools are selected, deployed, and monitored. For Canadian SMBs it typically covers acceptable-use rules, data-handling boundaries for tools like Microsoft Copilot, ChatGPT, and Claude, model-risk review, and audit logging of AI-assisted decisions.
Business Continuity Plan (BCP)
A business continuity plan documents how an organization keeps critical operations running during and after a disruption such as a cyberattack, outage, or natural disaster. It defines essential functions, recovery priorities, communication procedures, and the people responsible — and is tested regularly, not just written once.
CIS Controls
The CIS Controls (currently v8.1) are a prioritized set of 18 cybersecurity safeguards published by the Center for Internet Security. They translate broad regulatory requirements such as PHIPA, PIPEDA, and OSFI B-13 into specific, verifiable technical actions, which is why Fusion Computing maps every compliance matrix to them.
CISSP
CISSP stands for Certified Information Systems Security Professional, the flagship cybersecurity credential issued by ISC². It requires five years of relevant experience across eight security domains, a rigorous adaptive exam, and ongoing continuing education. Fusion Computing’s founder holds the CISSP designation.
Co-Managed IT
Co-managed IT is a partnership model in which an external provider works alongside an organization’s internal IT staff, rather than replacing them. The provider supplies tools, after-hours coverage, security expertise, or project capacity while the in-house team retains day-to-day control.
CyberSecure Canada
CyberSecure Canada is the federal cybersecurity certification program for small and medium organizations (1-499 employees), administered through the Communications Security Establishment’s Canadian Centre for Cyber Security. Certification is based on 13 baseline security controls.
Disaster Recovery (DR)
Disaster recovery is the technical subset of business continuity focused on restoring IT systems, applications, and data after an incident. A DR plan specifies recovery time and recovery point objectives (RTO/RPO), backup architecture, and the runbook for bringing systems back online.
Endpoint Detection and Response (EDR)
EDR is security software that continuously monitors laptops, desktops, and servers for malicious behaviour, then enables rapid investigation and automated response. Unlike traditional antivirus, EDR detects novel threats by behaviour rather than known signatures and records activity for forensics.
FIPPA
FIPPA is Ontario’s Freedom of Information and Protection of Privacy Act, governing how provincial public institutions — including universities, colleges, and many agencies — collect, use, and protect personal information. Its municipal counterpart is MFIPPA.
Help Desk
A help desk (or service desk) is the support function that receives, triages, and resolves user IT issues, typically via phone, email, chat, or a ticketing portal. Service quality is measured by response time, resolution time, and first-contact resolution rate against an SLA.
Incident Response (IR)
Incident response is the structured process for detecting, containing, eradicating, and recovering from a cybersecurity incident such as ransomware or a data breach. A mature IR program includes a written plan, defined roles, communication templates, and regular tabletop exercises.
Large Language Model (LLM)
A large language model is an AI system trained on vast amounts of text to understand and generate human language; ChatGPT (OpenAI) and Claude (Anthropic) are the best-known examples. Businesses use LLMs for drafting, summarization, research, and customer support, which makes data-handling governance essential.
Managed Detection and Response (MDR)
MDR is a service that combines EDR tooling with a 24/7 human security team that investigates alerts and responds to threats on the client’s behalf. It gives small and mid-sized organizations enterprise-grade threat detection without building an in-house security operations centre.
Managed IT Services
Managed IT services is an outsourcing model in which a provider takes ongoing responsibility for an organization’s technology — monitoring, maintenance, security, support, and strategy — usually for a predictable monthly fee per user or device.
Managed Security Service Provider (MSSP)
An MSSP is a provider that specializes in cybersecurity — monitoring, detection, response, and compliance — rather than general IT management. Many organizations use an MSP for day-to-day IT and an MSSP, or an MSP with an MDR service, for security.
Managed Service Provider (MSP)
A managed service provider is a company that remotely manages a client’s IT infrastructure and end-user systems under a subscription agreement. A good MSP acts as an outsourced IT department, covering help desk, security, backups, vendor management, and technology planning.
Multi-Factor Authentication (MFA)
MFA requires two or more independent proofs of identity — typically a password plus a code or approval from a separate device — before granting access. It is the single most effective control against credential theft and is mandatory under most Canadian cyber-insurance policies.
OSFI Guideline B-13
OSFI Guideline B-13 sets the technology and cyber risk management expectations for federally regulated financial institutions in Canada. It covers governance, technology operations, and cyber resilience, and increasingly shapes the security requirements those institutions pass on to their vendors.
Patch Management
Patch management is the disciplined process of identifying, testing, and deploying software updates to fix security vulnerabilities and bugs. Timely patching — typically within 14 days for critical vulnerabilities — is one of the highest-impact, lowest-cost security controls.
Penetration Testing
A penetration test is an authorized simulated attack on systems, networks, or applications to find exploitable weaknesses before a real attacker does. It produces a prioritized report of findings and is often required by cyber insurers, regulators, and enterprise clients.
PHIPA
PHIPA is Ontario’s Personal Health Information Protection Act, the privacy law that applies to every health information custodian in the province — clinics, hospitals, pharmacies, and regulated practitioners. It requires custodians to take reasonable technical, administrative, and physical safeguards to protect personal health information.
PIPEDA
PIPEDA is Canada’s federal private-sector privacy law, governing how businesses collect, use, and disclose personal information in the course of commercial activity. It remains in force in 2026 and would be replaced by the Consumer Privacy Protection Act (CPPA) if Bill C-27 passes.
Ransomware
Ransomware is malware that encrypts an organization’s files and demands payment for the decryption key, often combined with threats to leak stolen data. Defence depends on tested immutable backups, EDR/MDR, MFA, rapid patching, and a rehearsed incident-response plan.
Recovery Point Objective (RPO)
RPO is the maximum amount of data, measured in time, an organization can afford to lose in an incident. An RPO of four hours means backups must run at least every four hours so that no more than four hours of work is lost.
Recovery Time Objective (RTO)
RTO is the maximum acceptable length of time a system or process can be down before causing unacceptable harm. It drives backup design, failover architecture, and the priority order in a disaster-recovery runbook.
Remote Monitoring and Management (RMM)
RMM is the platform an MSP uses to remotely monitor client devices, deploy patches and software, automate maintenance, and raise alerts on problems. It is the operational backbone that lets a provider manage thousands of endpoints proactively rather than reactively.
Security Operations Centre (SOC)
A security operations centre is the team and facility responsible for continuously monitoring, detecting, and responding to cybersecurity threats. Most small and mid-sized organizations access SOC capability through a managed detection and response service rather than building one in-house.
Security Orchestration, Automation and Response (SOAR)
SOAR is technology that automates and coordinates security tasks — gathering context, running playbooks, and executing routine response actions — so analysts handle more incidents faster. For most SMBs it is a capability inside a SOC or MDR service rather than a standalone purchase.
Service Level Agreement (SLA)
An SLA is the contractual commitment that defines the level of service a provider will deliver — for example, response and resolution times by priority, uptime targets, and the remedies if targets are missed. It turns ‘good support’ into measurable, enforceable terms.
Shadow AI
Shadow AI is the unsanctioned use of AI tools by employees without IT or security oversight — for example, pasting confidential data into a public chatbot. It is a fast-growing data-leakage and compliance risk that AI governance policies are designed to control.
SOC 2
SOC 2 is an independent audit report, defined by the AICPA, that attests to how a service organization manages data across five trust criteria: security, availability, processing integrity, confidentiality, and privacy. Enterprise clients often require a vendor’s SOC 2 report before sharing sensitive data. (Distinct from a Security Operations Centre, also abbreviated SOC.)
vCIO
A vCIO (virtual Chief Information Officer) provides outsourced IT strategy and leadership — technology roadmaps, budgeting, vendor strategy, and alignment of IT to business goals — without the cost of a full-time executive. A vCIO focuses on strategy and direction; a vCISO focuses on security.
vCISO
A vCISO (virtual Chief Information Security Officer) is a senior security leader provided on a fractional, outsourced basis. The role delivers security strategy, risk management, policy, and board-level reporting for organizations that need CISO expertise but not a full-time executive.
Extended Detection and Response (XDR)
XDR extends EDR beyond endpoints to correlate threat signals across email, identity, cloud, and network in a single platform. By unifying telemetry that traditional tools keep in silos, XDR speeds detection of multi-stage attacks that move between systems.
Zero Trust
Zero trust is a security model that assumes no user or device is automatically trusted, even inside the network. Every access request is continuously verified based on identity, device health, and context — summarized as ‘never trust, always verify.’
How to use this glossary
If you are scoping a managed IT or cybersecurity engagement, the fastest path is to start with the term that matches your immediate concern — MDR if you are worried about threats, PHIPA or OSFI B-13 if you are facing a compliance deadline, Shadow AI if your team has started using AI tools faster than your policies. Each definition links to the controls matrix, service page, or explainer that goes a level deeper.
For a structured self-assessment against a specific regulation, the linked controls matrices map each requirement to CIS Controls v8.1 and to the evidence an auditor or insurer expects to see.
Not sure which of these apply to your organization? We will walk through your situation in plain language — no jargon, no sales pitch.