Compliance Glossary
Master compliance terminology with our comprehensive glossary. Every term explained in plain English.
All Glossary Terms
A (11 terms)
An AUP defines the rules for using an organization's IT resources, outlining permitted and prohibited activities.
Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.
AI governance is the framework of policies, processes, and controls that ensure AI systems are developed and used responsibly, ethically, and in compliance with regulations.
AI risk management systematically identifies, assesses, and mitigates risks unique to artificial intelligence systems throughout their lifecycle.
Algorithmic accountability ensures that organizations can explain, justify, and take responsibility for the outcomes of automated decision-making systems.
ALE is a risk calculation that estimates the expected monetary loss from a risk over a one-year period, calculated by multiplying Single Loss Expectancy (SLE) by Annual Rate of Occurrence (ARO).
API security encompasses practices and technologies used to protect Application Programming Interfaces from attacks and misuse, including authentication, authorization, rate limiting, and input validation.
An asset inventory is a comprehensive list of all hardware, software, data, and information assets within an organization, serving as the foundation for security management and compliance.
An audit trail (or audit log) is a chronological record of system activities that provides documentary evidence of the sequence of events that have affected an operation or procedure.
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
Authorization is the process of determining what actions or resources an authenticated user is permitted to access.
B (5 terms)
A backup strategy defines how an organization protects data through regular copies, including what to back up, how often, where to store backups, and how to verify they can be restored.
Breach notification is the legal requirement to inform regulators and affected individuals when personal data is compromised.
Business continuity planning (BCP) is the process of creating systems of prevention and recovery to deal with potential threats to a company, ensuring critical functions can continue during and after a disaster.
A BIA is a systematic process that identifies and evaluates the potential effects of disruptions to critical business operations, forming the foundation of business continuity planning.
BYOD (Bring Your Own Device) is a policy allowing employees to use personal devices for work, requiring specific security controls.
C (10 terms)
CCPA (California Consumer Privacy Act) and its amendment CPRA grant California residents rights over their personal data and impose obligations on businesses.
Change management is a structured process for planning, approving, implementing, and documenting changes to IT systems to minimize risk of unintended disruptions or security issues.
Cloud security encompasses the technologies, policies, and controls used to protect data, applications, and infrastructure in cloud computing environments.
CMMC (Cybersecurity Maturity Model Certification) is a DoD requirement for defense contractors that combines cybersecurity standards and third-party assessment to protect Controlled Unclassified Information (CUI).
Compliance automation uses software platforms to automatically collect evidence, monitor controls, and streamline audit preparation, reducing manual effort by 60-80% compared to traditional approaches.
Container security protects containerized applications throughout their lifecycle, from image building through deployment and runtime.
Continuous monitoring is the ongoing, automated observation of security controls, systems, and networks to detect issues, ensure compliance, and respond to threats in real-time.
Controls testing is the process of evaluating whether security and compliance controls are properly designed and operating effectively to achieve their intended objectives.
Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks.
Cyber insurance provides financial protection against losses from cyber incidents including data breaches, ransomware, and business interruption.
D (7 terms)
A data breach is a security incident where protected, sensitive, or confidential data is accessed, disclosed, or stolen by unauthorized parties.
Data classification is the process of organizing data into categories based on sensitivity and business impact, enabling appropriate security controls for each level.
DLP is a set of tools and processes that detect and prevent unauthorized transmission or storage of sensitive data outside the organization.
Data privacy refers to the proper handling of personal information including how it is collected, used, shared, and protected in compliance with regulations.
DevSecOps integrates security practices into the DevOps pipeline, making security a shared responsibility throughout the software development lifecycle.
Disaster recovery (DR) is a set of policies, tools, and procedures designed to enable the recovery or continuation of IT infrastructure and systems following a disaster.
DORA (Digital Operational Resilience Act) is an EU regulation that requires financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions and threats.
E (6 terms)
Email security encompasses technologies and practices to protect email communications from threats like phishing, malware, and business email compromise.
Encryption at rest protects data stored on disks, databases, or storage systems by converting it to an unreadable format that requires a key to decrypt.
Encryption in transit protects data as it moves between systems, networks, or devices, typically using TLS/SSL protocols to prevent interception.
EDR is a security solution that continuously monitors endpoint devices, detects suspicious activities, and provides automated response capabilities to investigate and contain threats.
The EU AI Act is the first comprehensive AI regulation, establishing risk-based requirements for AI systems sold or used in the European Union.
Evidence collection is the process of gathering documentation and artifacts that demonstrate security controls are designed properly and operating effectively.
F (3 terms)
FedRAMP (Federal Risk and Authorization Management Program) is a US government program that provides a standardized approach to security assessment for cloud products and services used by federal agencies.
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Digital forensics is the process of collecting, analyzing, and preserving electronic evidence in a way that is legally admissible to investigate security incidents.
G (3 terms)
A gap assessment (or gap analysis) is an evaluation that compares an organization's current security posture against the requirements of a target framework to identify areas needing improvement.
GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data of EU residents.
GRC is an integrated approach to managing an organization's overall governance, enterprise risk management, and compliance with regulations, combining these traditionally siloed functions.
H (2 terms)
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that establishes standards for protecting sensitive patient health information (PHI) from disclosure without consent.
HITRUST CSF is a comprehensive, certifiable security framework that integrates and harmonizes requirements from multiple standards including HIPAA, ISO 27001, NIST, and PCI DSS.
I (6 terms)
IAM is a framework of policies and technologies that ensure the right individuals have appropriate access to technology resources at the right times and for the right reasons.
Incident response is a structured approach to preparing for, detecting, containing, and recovering from security incidents while minimizing damage.
Insider threats are security risks that originate from within an organization, including malicious employees, contractors, or compromised accounts.
An Information Security Management System (ISMS) is the framework of policies, procedures, and controls that systematically manages information security risks.
ISO 27001 is an international standard for information security management systems (ISMS), providing a systematic approach to managing sensitive company information.
ISO/IEC 42001 is the international standard for AI management systems, providing a framework for organizations to responsibly develop and deploy artificial intelligence.
J (1 term)
K (1 term)
L (3 terms)
The principle of least privilege grants users only the minimum permissions necessary to perform their job functions, reducing security risk.
LLM security addresses the unique risks of deploying Large Language Models, including prompt injection, data leakage, and adversarial attacks on AI systems.
Log management is the process of collecting, storing, analyzing, and retaining log data from systems and applications for security monitoring and compliance.
M (4 terms)
ML security addresses attacks and defenses specific to machine learning systems, including adversarial examples, data poisoning, and model extraction.
Malware protection encompasses technologies and practices to prevent, detect, and remove malicious software including viruses, ransomware, spyware, and trojans.
Model risk management is the oversight of risks arising from models making decisions, including AI/ML models, ensuring they perform as intended.
MFA is a security mechanism requiring users to provide two or more verification factors to gain access, significantly reducing the risk of unauthorized access.
N (3 terms)
Network segmentation divides a network into smaller subnetworks, isolating systems and limiting lateral movement if an attacker compromises one segment.
NIST SP 800-53 is a catalog of security and privacy controls for federal information systems, serving as the foundation for many compliance frameworks.
NIST CSF is a voluntary framework providing guidance on managing cybersecurity risk, organized around five core functions: Identify, Protect, Detect, Respond, and Recover.
O (3 terms)
OAuth 2.0 is an authorization framework that enables secure delegated access, allowing users to grant third-party apps limited access to their resources without sharing credentials.
Operational resilience is an organization's ability to prevent, adapt, respond to, and recover from disruptions while continuing to deliver critical operations.
OWASP Top 10 is a regularly updated list of the most critical web application security risks, serving as a standard for application security testing.
P (6 terms)
A password policy establishes rules for creating, managing, and protecting passwords to reduce the risk of unauthorized access.
Patch management is the process of acquiring, testing, and deploying software updates to fix vulnerabilities, improve functionality, and ensure system security.
PCI DSS is a set of security standards for organizations that process, store, or transmit credit card information to maintain a secure environment.
Penetration testing is a simulated cyberattack on your systems performed by security professionals to identify exploitable vulnerabilities.
Phishing is a social engineering attack that tricks victims into revealing sensitive information or taking harmful actions through deceptive emails, messages, or websites.
Privacy by Design is an approach that embeds privacy into the design and architecture of systems from the start, rather than adding it later.
Q (2 terms)
A Qualified Security Assessor (QSA) is an individual certified by PCI SSC to perform on-site PCI DSS assessments and validate compliance for Level 1 merchants.
Quantitative risk assessment uses numerical values and mathematical models to calculate risk in financial terms, enabling objective comparison and prioritization.
R (4 terms)
Ransomware is malicious software that encrypts victim data and demands payment for the decryption key, often with threats to publicly release stolen data.
A risk assessment is a systematic process of identifying, analyzing, and evaluating potential threats to an organization's information assets.
A risk register is a document that tracks identified risks, their likelihood and impact scores, current controls, and treatment plans.
RTO (Recovery Time Objective) is the target time to restore systems after disaster, while RPO (Recovery Point Objective) is the maximum acceptable data loss.
S (8 terms)
Secrets management is the secure storage, access control, and rotation of sensitive credentials like API keys, passwords, certificates, and tokens.
Security awareness training educates employees about cybersecurity threats, safe practices, and their role in protecting organizational assets.
Security Key Performance Indicators are metrics that measure the effectiveness of an organization's security program and controls.
Security policies are formal documents that define an organization's rules and guidelines for protecting information assets.
SIEM (Security Information and Event Management) is a platform that aggregates logs from multiple sources, correlates security events, and provides real-time alerting and analysis.
SSO is an authentication method that allows users to access multiple applications with a single set of credentials, improving security and user experience.
SOC 1 is an audit report that evaluates the internal controls at a service organization relevant to user entities' financial reporting (ICFR).
SOC 2 is an auditing framework developed by AICPA that evaluates how service organizations manage customer data based on five Trust Service Criteria.
T (4 terms)
A tabletop exercise is a discussion-based practice session where teams walk through simulated incident scenarios to test response plans and identify gaps.
Third-party risk management (TPRM) is the process of identifying, assessing, and mitigating risks from vendors, suppliers, and service providers.
Threat modeling is a structured approach to identifying, quantifying, and addressing security threats to a system during design and development.
Trust Service Criteria (TSC) are the five categories used in SOC 2 audits: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
V (4 terms)
Vendor risk management (VRM) ensures that third-party vendors don't create unacceptable risk for business disruption or security.
Version control (source control) tracks changes to code and configuration, enabling collaboration, audit trails, and rollback capabilities.
A VPN (Virtual Private Network) creates an encrypted tunnel for network traffic, providing secure remote access to private resources.
A vulnerability assessment is an automated process of identifying security weaknesses in systems, networks, and applications without actively exploiting them.
W (2 terms)
A WAF is a security solution that monitors, filters, and blocks HTTP traffic to and from a web application based on a set of rules to protect against web attacks.
A whistleblower policy provides a mechanism for employees to report concerns about illegal, unethical, or unsafe practices without fear of retaliation.
Z (1 term)