access control
asset
attack
authentication
authenticity
chain of custody
confidential information
control
disruption
endpoint device
entity
information processing facility
information security breach
information security event
information security incident
information security incident management
information system
interested party
non-repudiation
personnel
personally identifiable information (PII)
PII principal
PII processor
policy
privacy impact assessment (PIA)
procedure
process
record
recovery point objective (RPO)
recovery time objective (RTO)
reliability
rule
sensitive information
threat
topic-specific policy
user
user endpoint device
vulnerability