Compliance Glossary

AICPA standards for the American Institute of Certified Public Accountants (AICPA) who created the Service Organizational Controls standard. It is the largest organization of accountants in the United States. 

Access control is an essential aspect of security management and is used to protect resources, prevent unauthorized access, and ensure compliance.

Annex A is part of the ISO 27001 standard document. It outlines all ISO 27001 controls and groups them into categories.

An auditor is an accounting firm hired by a company to assess whether it meets a compliance standard such as SOC 2 or ISO 27001. Compliance standards require companies to implement a long list of security controls.

Authorization to Operate (ATO) is the official decision given by a senior government official (the Authorizing Official) to authorize operation of an information system on behalf of a federal agency.

An Authorizing Official (AO) is a senior official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the nation.

A SOC 2 bridge letter is a document that provides information about the controls and systems of a service organization for a period of time that is not covered by a previously issued SOC 2 report.

A HIPAA business associate is a person or organization that provides certain services or functions that involve access to protected health information (PHI) on behalf of a covered entity.

A HIPAA business associate is a person or organization that provides certain services or functions that involve access to protected health information (PHI) on behalf of a covered entity.

The California Consumer Privacy Act (CCPA) declares that companies must inform consumers about how their data is being used and empowers consumers to decide how or if their data is shared. 

The Payment Card Industry Security Standards Council (PCI SSC) established what cardholder data must be protected under PCI DSS.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government initiative that standardizes security assessments, authorizations, and continuous monitoring for cloud services used by federal agencies.

Cloud compliance refers to the set of rules and regulations that govern the use of cloud computing services.

Compliance risk management is an organization’s process for regularly identifying, analyzing, and mitigating risks. In the context of SOC 2 and ISO 27001, risk management refers to security and compliance risk management, meaning you’ll want to understand risks to sector and geography specific regulation and compliance standards.

Compliance software is a software tool an organization can use to scan and monitor its vendors, systems, and controls to ensure they are compliant with certain security standards or regulations. Compliance software can be part of an organization's compliance risk management strategy to continuously track, monitor, and remediate any compliance risks that would jeopardize an organization's ability to stay compliant with relevant security standards and regulations.

Continuous Integration (CI) and Continuous Delivery (CD) are practices in software engineering for improving the development process through automation and streamlined workflows.

Continuous monitoring is an ongoing process of assessing and managing your security posture by tracking system changes, analyzing vulnerabilities, and evaluating compliance with security requirements. 

A control is a specific rule or safeguard used to improve a company’s security and compliance. Common types of safeguards include management, physical, legal, operational, and technical controls.

A control family is a group of related security controls categorized by function and purpose.

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls according to applicable laws, regulations, and government-wide policies, but is not classified.

A cookie consent policy provides users with transparency and control over how their personal information is collected and used through the use of cookies.

Cybersecurity is the body of technologies, processes, and practices designed to protect data, information, programs, systems, networks, and devices from digital attacks from unauthorized users on the internet. 

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework developed by the United States Department of Defense (DoD).

A data breach is a security incident in which sensitive, confidential, or protected information is accessed, stolen, or disclosed by an unauthorized individual or entity.

Data integrity refers to the accuracy, consistency, and reliability of data throughout its lifecycle, from creation to deletion.

Data loss prevention (DLP) is a set of policies and technologies designed to prevent sensitive or confidential information from being lost, stolen, or exposed.

Data mining is the process of discovering patterns, trends, and insights from large datasets.

The Defense Industrial Base (DIB) refers to the worldwide industrial complex that enables research and development, design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

The Defense Innovation Unit (DIU) is an organization within the United States Department of Defense (DoD) that works to strengthen national security by increasing the military's adoption of innovative commercial technology.

The Department of Defense Information Network (DoDIN) is a global set of information capabilities, processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policymakers, and support personnel.

DevSecOps integrates security practices within the DevOps process.

A Due Diligence Questionnaire is a comprehensive questionnaire used to assess a company's business operations, financial performance, legal and regulatory compliance, and other key areas.

FedRAMP 20x is the latest major iteration of the FedRAMP program designed to accelerate FedRAMP authorization processes by streamlining cloud security approvals and reducing the time it takes for cloud service providers (CSPs) to achieve authorization.

FedRAMP 20x Community Working Groups are collaborative forums where industry stakeholders work together to improve the FedRAMP authorization process.

FedRAMP baselines are predefined security control requirements that cloud service providers must meet to achieve FedRAMP authorization.

The FedRAMP Project Management Office (PMO) oversees the FedRAMP program, ensuring consistent implementation of security requirements and supporting cloud service providers and federal agencies through the authorization process.

The Federal Information Processing Standards (FIPS) 140-2 is a U.S. government security standard that specifies requirements for cryptographic modules used to protect sensitive data.

The Federal Information Processing Standards (FIPS) 140-3 is the updated version of the U.S. government’s cryptographic module validation standard, replacing FIPS 140-2.

The Federal Information Security Management Act is United States legislation that was enacted as part of the Electronic Government Act of 2002.

The FedRAMP Marketplace is an online directory where federal agencies and cloud service providers can find and verify FedRAMP-authorized cloud products.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government initiative that standardizes security assessments, authorizations, and continuous monitoring for cloud services used by federal agencies.

A firewall is a network security device that monitors and controls incoming and outgoing network traffic.

In May 2018, the European Union implemented the General Data Protection Regulation (GDPR) to create one legal framework for collecting and processing personal information from individuals who live inside the European Economic Area. 

Governance, Risk, and Compliance (GRC) is a management framework that organizations use to ensure they are operating in a legal, ethical, and effective manner.

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 in order to create national standards to protect sensitive patient health data.

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify individuals, HHS, and, in some cases, the media when there is a breach of unsecured protected health information (PHI).

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that is subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Healthcare organizations are legally required to have certain administrative safeguards, like employee training, in place to protect patient data against breaches and comply with HIPAA.

The HIPAA Enforcement Rule governs violation investigations and penalties.

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify individuals, HHS, and, in some cases, the media when there is a breach of unsecured protected health information (PHI).

The HIPAA Privacy Rule establishes national standards for protecting the privacy and security of protected health information.

The Health Insurance Portability and Accountability Act (HIPAA) includes a set of rules to help healthcare organizations and their business associates protect the security and confidentiality of sensitive patient data. To become compliant, healthcare organizations must follow five HIPAA rules to safeguard this protected health information (PHI).

The HIPAA Security Rule outlines three types of safeguards — administrative, physical, and technical — to properly protect PHI.

The HIPAA Security Rule is a set of regulations issued by the U.S. Department of Health and Human Services (HHS) that establish national standards for protecting electronic personal health information (ePHI).

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009.

The ISO 27001 is a security and compliance standard created jointly by the International Organization for Standardization and the International Electrotechnical Commission.

An ISO 27001 certification audit happens in multiple stages. For organizations pursuing certification for the first time, the audit process begins with a Stage 1 audit, also referred to as an ISMS design review. 

An ISO 27001 Stage 2 audit is the second part of a two-stage audit process for ISO/IEC 27001 certification

Impact levels are used within certain security frameworks, such as those provided by the United States Department of Defense (DoD), to categorize the potential impact of unauthorized disclosure, alteration, or destruction of information.

The ISO 27001 standard evaluates an organization’s information security management system, or ISMS. 

An information security policy is a set of rules and guidelines that define how an organization manages and protects its information assets, including data, systems, and networks.

The Department of Defense Information Network (DoDIN) is a global set of information capabilities, processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policymakers, and support personnel.

An internal security audit is an evaluation of an organization's internal security controls, policies, and procedures to assess their effectiveness and identify areas for improvement.

ISO stands for the International Organization for Standardization, which is a non-governmental organization that develops and publishes international standards for a wide range of industries and sectors.

An intrusion detection system (IDS) is a network security technology designed to detect and respond to suspicious or malicious activity on a computer network.

An intrusion detection system (IDS) is a network security technology designed to detect and respond to suspicious or malicious activity on a computer network.

The Joint Interoperability Test Command (JITC) is part of the United States Department of Defense.

Keylogging is a technique used to capture and record keystrokes made on a keyboard.

Malware, short for malicious software, refers to any software or program that is specifically designed to cause harm, damage, or disruption to computer systems, networks, or mobile devices.

A SOC 2 management assertion is a statement made by the management of a service organization that describes the organization's commitment to security, availability, processing integrity, confidentiality, and privacy of customer data.

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter two or more pieces of information.

The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a set of voluntary guidelines, standards, and best practices for managing cybersecurity risks in critical infrastructure organizations.

NIST Special Publication 800-53 is a comprehensive and flexible catalog of security and privacy controls designed to help federal agencies and private sector organizations manage cybersecurity risks and comply with FISMA.

The National Institute of Standards and Technology is a non-regulatory agency of the United States Department of Commerce.

"On-premises" (or "On-prem") refers to the location and management of servers, resources, and IT infrastructure.

An Attestation of Compliance (AoC) is a document that confirms that an organization has undergone a Payment Card Industry Data Security Standard (PCI DSS) assessment and is compliant with the standard.

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, transmit, or impact the security of cardholder data maintain a secure environment.

A PCI DSS Approved Scanning Vendor (ASV) is a company that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct external vulnerability scans of merchants and service providers that handle payment card data.

A PCI SAQ (Payment Card Industry Self-Assessment Questionnaire) is a tool used by merchants and service providers to assess their compliance with the PCI DSS.

Patch management is the process of identifying, acquiring, testing, and applying software updates.

A penetration test (or “pen test”) is a simulated attack on an organization’s system and services, often conducted by a white hat or ethical hacker. The SOC 2 and ISO 27001 audits both require a penetration test. 

Phishing is a type of social engineering attack in which an attacker sends fraudulent emails, text messages, or other electronic communication to individuals, attempting to trick them into revealing sensitive information

A Plan of Action and Milestones (POA&M) is a structured document used to identify, track, and remediate security weaknesses in an organization’s information systems.

PaaS, or Platform-as-a-Service, is a cloud computing model that offers organizations a complete cloud platform—hardware, software, and infrastructure—for developing, running, and managing applications without building and maintaining those platforms on-premises.

A policy is a governing document describing what an organization does to ensure security and compliance. It outlines responsibilities and general procedures meant to implement and maintain specific security and compliance controls.

A privacy policy is an important tool for organizations to communicate with their customers or users about how their personal information is being collected, used, and protected, and to ensure compliance with applicable privacy laws and regulations.

PHI is protected under the Health Insurance Portability and Availability Act (HIPAA), and includes any health data created, transmitted, or stored by a HIPAA-covered entity and its business associates.

A Qualified Security Assessor (QSA) is an individual or organization that has been certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Ransomware is a type of malicious software that encrypts a victim's files or system, rendering them inaccessible, and then demands a ransom payment in exchange for restoring access. 

An RFI, or Request for Information, is a standard business process for collecting written information about the capabilities of various suppliers.

An RFP, or Request for Proposal, is a document that organizations use to solicit proposals from potential vendors or service providers for a specific product or service.

A Request for Quotation is a document and process used in procurement where an organization asks vendors or suppliers to provide a quote for the supply of specific products or services.

A risk assessment is a process that helps organizations identify and evaluate their cybersecurity risks, vulnerabilities, and threats.

Risk management is the process of identifying, assessing, and mitigating potential risks to an organization. 

The Service Organization Control 1 Report (SOC 1) is an auditor report assessing controls for financial reporting. The SOC 1 targets companies providing services that could affect clients’ financial statements or internal controls over financial reporting. 

The Service Organization Control 2 Report (SOC 2) is an auditor report assessing controls for security and compliance. Any company offering a B2B service, along with any B2C company handling sensitive information, should think about getting a SOC 2 report completed. 

SOC 2 auditors evaluate how effective your security program is and determine whether your internal controls meet the requirements of your chosen Trust Services Criteria (TSC). 

A SOC 2 report summarizes the results of the compliance audit and the auditor’s findings.

A SOC 2 Type 1 report examines how well a service organization's system and controls perform over a period of time.

A SOC 2 Type 2 report examines how well a service organization's system and controls perform over a period of time.

The Service Organizational Control 3 Report (SOC 3) is a more concise and high level version of the SOC 2 meant to be released publicly as marketing material.

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an organization’s internal controls and how service companies report on these controls.

The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is a new set of standards that have replaced SSAE 16 to help increase the usefulness and quality of a SOC 1 report.

A Security Assessment Plan (SAP) is developed by a Third-Party Assessment Organization (3PAO) and outlines the specific procedures and methodologies that will be used during the security assessment for FedRAMP authorization. 

A Security Assessment Report (SAR) is a document prepared by a Third-Party Assessment Organization (3PAO) that details the findings from a security assessment of a cloud service provider.

A security questionnaire is a list of questions that assess your organization’s security and data privacy practices. Organizations often exchange questionnaires as part of the due diligence process.

Social engineering refers to the use of psychological manipulation techniques to trick people into divulging sensitive information.

The SIG is a comprehensive set of questions used to assess the cybersecurity, IT, data security, and privacy risks and controls of third-party service providers and vendors.

An ISO 27001 Statement of Applicability (SoA) is a document that identifies the controls that an organization has implemented to address the information security risks it has identified through a risk assessment.

The Supplier Performance Risk System (SPRS) is the Department of Defense's (DoD) official database for collecting and managing supplier performance and risk data.

A SOC 2 System Description is a narrative description of a service organization's systems, policies, and procedures related to the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.

A System Security Plan (SSP) is a comprehensive document that describes how an organization implements security controls to protect federal data.

A test refers to an auditor’s independent review of a security or compliance control. Auditors may assess a control’s design or implementation by requesting a copy of a relevant policy, conducting interviews, asking for related procedures, or even taking a sample of evidence, such as screenshots or tickets.

A Third-Party Assessment Organization (3PAO) is an independent auditor accredited by the FedRAMP Program Management Office to assess cloud service providers for FedRAMP compliance.

A threat assessment is a process of identifying, analyzing, and evaluating potential threats to an organization.

AICPA’s Trust Services Criteria are the framework used by auditors to determine which security and compliance controls they will test for in a company.

Unauthorized access refers to the act of accessing or attempting to access a system, network, or resource without proper authorization or permission.

In the military and defense sector, the valley of death describes the gap between a promising concept or prototype and the transition into a formal program of record or operational use.

Vendor assessment is the process of evaluating a third party’s information security posture and data privacy practices during the vendor procurement process.

A vendor assessment program is an organization’s process of reviewing vendor security practices in order to ensure information is properly protected.

Vendor Risk Management (VRM) refers to the process of identifying, assessing, monitoring, and mitigating the risks associated with outsourcing services or goods to third-party vendors or suppliers.

A vulnerability scan is a type of automated security assessment that checks a computer system or network for known security weaknesses and vulnerabilities.

Zero trust is a modern security strategy based on the principle never trust, always verify.