Compliance & Security Glossary
90 common terms to help you navigate compliance, security, and GRC.
A
Access to Personal Information
The ability for an individual to see and, when appropriate, correct personal data an organization holds about them.
American Institute of Certified Public Accountants (AICPA)
The professional body that defines SOC reporting standards and criteria and accredits firms that perform SOC audits.
Architecture
The overall design and structure of a system, including its components and how they interact.
Audit Scoping
The process of defining what will be included in an audit, such as systems, time periods, and activities.
Authentication
The process of verifying that a user, system, or process is who they claim to be.
Authorization
The process of granting or restricting access to resources based on an identity’s permissions.
Automated Evidence
Evidence collected directly from systems by technical integrations instead of manual screenshots or exports.
Availability
A Trust Services Criteria category focused on ensuring systems are reliably accessible for their intended use.
B
Board of Directors
A group of individuals responsible for overseeing an organization’s strategy, risk, and overall accountability.
Business Partner
An external individual or organization that collaborates with a company in delivering services or operations.
Business to Business (B2B)
A business model where products or services are sold to other organizations rather than individual consumers.
Business to Consumer (B2C)
A business model where products or services are sold directly to individual end users.
C
California Consumer Privacy Act (CCPA)
A California privacy law that gives residents rights over their personal information and imposes obligations on certain businesses.
Cloud Security Compliance
Meeting security and compliance requirements for systems and data hosted in cloud environments.
Collection
The act of obtaining personal information from individuals or other sources.
Commitments
Promises an organization makes to customers about how its services or systems will perform or behave.
Compliance
The practice of implementing and maintaining controls that meet external and internal requirements.
Compliance Framework
A structured set of requirements and guidance used to design and assess a compliance program.
Compliance Program
The ongoing set of processes, controls, and activities an organization uses to meet its compliance obligations.
Compromise
A loss or potential loss of confidentiality, integrity, or availability of information or systems.
Confidentiality
A Trust Services Criteria category focused on ensuring that only authorized parties can access sensitive information.
Contacts
People or entities a company communicates with, often for marketing or system notifications.
Control Activity
A specific action carried out to make sure risk mitigation directives are followed.
Controls
Policies, procedures, and technical measures designed to reduce risk and help ensure objectives are met.
Controls Convergence
The practice of consolidating overlapping controls across frameworks so they can be managed once and mapped many times.
COSO
A framework and thought leadership body focused on enterprise risk management, internal control, and fraud deterrence.
E
Endpoint Devices
Hardware or virtual devices like laptops, phones, or desktops that connect to networks and systems.
Entity
An organization or unit that operates as a distinct legal or management structure.
Environmental
Relating to physical conditions and events that can damage information systems or infrastructure.
External Users
Users who are not part of an organization’s internal staff but are authorized to interact with its systems.
G
General Data Protection Regulation (GDPR)
An EU regulation that sets comprehensive rules for protecting personal data of individuals in the European Union.
Governance, Risk, and Compliance (GRC)
An integrated approach for managing governance, risk management, and compliance across an organization.
Group
A collection of users that can be managed together for access control or segmentation.
H
Health Insurance Portability and Accountability Act (HIPAA)
A U.S. law that defines safeguards for protected health information and security requirements for covered entities and their partners.
HITRUST
A certifiable framework that harmonizes requirements from HIPAA, NIST, ISO, and other standards for healthcare-related security and privacy.
I
Information Assets
Data and the supporting software and infrastructure used to process, store, or transmit that data.
Information Security (InfoSec)
The practice of protecting information and systems from unauthorized access, use, disclosure, modification, or destruction.
Information Security Compliance
Ensuring that information security practices align with applicable laws, regulations, and standards.
Information Security Management System (ISMS)
A structured management system for defining, implementing, and improving information security across an organization.
Infrastructure
The physical and virtual resources that support an IT environment, such as servers, networks, and storage.
Integrity
A Trust Services Criteria category concerned with the accuracy, completeness, and reliability of data and system processing.
Internal Control
A process designed to provide reasonable assurance that an organization’s objectives will be achieved.
ISO 27001 Compliance
Aligning an organization’s information security management practices with the ISO 27001 standard.
Issue
A realized risk or problem that has already occurred and requires attention.
P
Personal Information
Information that can be linked to an identifiable individual.
Policies
High-level statements from management that describe what should be done to achieve control objectives.
Practitioner
In AICPA guidance, a CPA who performs an examination of controls relevant to trust services criteria.
Privacy Commitments
Statements an organization makes about how it will handle personal information.
Privacy Notice
A communication that explains how an organization collects, uses, shares, and protects personal information.
Process or Control Framework
A framework describing processes or controls that organizations are expected to implement for effective internal control.
Products
Goods or services an entity provides to customers, whether tangible or digital.
Project
A grouping within an account used to organize environments, assets, or work streams.
R
Residual Risk
The level of risk that remains after controls and risk responses have been applied.
Retention
The phase of the data lifecycle focused on how long information is stored and kept available.
Risk
A potential future event or condition that could negatively affect an organization’s objectives.
Risk Response
The decision to accept, avoid, reduce, or share a given risk.
S
Security Event
An occurrence that could impact the confidentiality, integrity, or availability of information or systems.
Security Incident
A security event that requires action to protect information assets or systems.
Security Questionnaires
Question sets used to evaluate the security posture of vendors or to assess internal risks.
Senior Management
The leadership team responsible for executing strategy and overseeing major organizational functions.
Service Provider
An external organization engaged to provide services that support or operate part of a company’s activities.
SOC 2 Compliance
Aligning controls and evidence with the SOC 2 Trust Services Criteria and undergoing examination by a CPA firm.
Software
Programs and instructions that tell computers how to perform tasks.
Stakeholders
Individuals or groups who are affected by or have an interest in an organization’s activities.
Subprocessor
A third-party service provider that processes customer data on behalf of another company as part of delivering a product or service.
System
The combination of infrastructure, software, people, processes, and data used to achieve specific business objectives.
System Boundaries
The limits of what is included in a system, such as specific components, data, and processes.
System Components
The individual elements that together form a system, such as infrastructure, software, people, processes, and data.
System Event
An occurrence that may impact system operations or objectives, such as failures or disruptions.
System Incident
A system event that requires management action to prevent or reduce impact on objectives.
System Objectives
The goals a system is designed to achieve, such as performance, reliability, and functional outcomes.
System Requirements
Specifications that describe how a system must function to meet commitments and compliance needs.
T
Third Party
An entity other than the organization and its employees, such as customers, vendors, or partners.
Third Party Risk Management (TPRM)
The practice of identifying, assessing, and managing risks introduced by vendors and other external parties.
Threat
Any circumstance or event that could potentially harm an organization’s assets, operations, or people.
Trust Center
A centralized page where an organization shares security, privacy, and compliance information with customers, partners, and stakeholders.
Trust Services Criteria (TSC)
A set of criteria defined by the AICPA for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy.