Welcome to our glossary. Here you’ll find clear definitions of important terms related to IT compliance, cybersecurity, and risk advisory services.
- Audit Report -
A formal document that summarizes the findings of an audit. It details whether a company’s policies, controls, and procedures meet defined standards or regulatory requirements. Audit reports may include recommendations for remediation and improvement.
- Audit Testing -
The process of evaluating an organization’s internal controls, systems, and data through specific procedures. These tests are used to determine compliance with established standards and identify potential weaknesses or risks.
- CCPA (California Consumer Privacy Act) -
A privacy law that grants California residents greater control over how their personal data is collected, stored, and shared. It requires businesses to disclose data practices and honor consumer rights like data access, deletion, and opt-out.
- CMMC (Cybersecurity Maturity Model Certification) -
A unified cybersecurity standard developed by the U.S. Department of Defense (DoD) to ensure that defense contractors and subcontractors adequately protect sensitive unclassified information. CMMC includes multiple compliance levels, each with specific security controls.
- CMMC Audit Preparation -
The process of getting ready for a CMMC assessment by reviewing current cybersecurity practices, implementing required controls, conducting gap analyses, and collecting documentation. Preparation often involves working with a CMMC consultant or advisor.
- CMMC Compliance Level 1 -
The foundational CMMC level, focused on basic cyber hygiene. CMMC Level 1 requires organizations to implement the 15 security requirements in FAR clause 52.204-21, such as controlling physical access and using antivirus software. It is intended for contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
- CMMC Compliance Level 2 -
An intermediate level of CMMC designed for organizations that process, store, or transmit CUI. CMMC Level 2 includes 110 practices based on NIST SP 800-171. It requires either a self-assessment or a formal assessment by an Authorized CMMC Third-Party Assessor Organization (C3PAO) and demonstrates that an organization can safeguard CUI against advanced persistent threats (APTs).
- CMMC Compliance Level 3 -
An advanced CMMC level designed for organizations that handle CUI. CMMC Level 3 requires DoD contractors and subcontractors to undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
- Compliance Risk Management -
The practice of identifying, assessing, and mitigating risks related to legal, regulatory, or internal compliance requirements. It involves implementing policies, monitoring controls, and continuously evaluating the compliance landscape to reduce the risk of violations or breaches.
- Cybersecurity -
The practice of protecting systems, networks, and data from digital attacks, unauthorized access, or damage. It includes policies, technologies, and controls to ensure the confidentiality, integrity, and availability of information.
- DORA (Digital Operational Resilience Act) -
An EU regulation that strengthens the IT security of financial entities and their third-party service providers. DORA aims to ensure firms can withstand and recover from ICT-related disruptions.
- FISMA (Federal Information Security Modernization Act) -
A U.S. law that requires federal agencies and their contractors to implement information security programs that protect government data and systems. It mandates annual security reviews and risk assessments.
- GDPR (General Data Protection Regulation) -
An EU regulation that governs how organizations collect, process, and store personal data of EU residents. GDPR enforces strict data protection rules and grants individuals significant rights over their personal information.
- GLBA (Gramm-Leach-Bliley Act) -
A U.S. law requiring financial institutions to protect consumer financial data. It includes the Safeguards Rule and Privacy Rule, which mandate data security practices and customer privacy notices.
- HIPAA (Health Insurance Portability and Accountability Act) -
A U.S. law that sets national standards for protecting sensitive patient health information. HIPAA applies to healthcare providers, plans, and business associates that handle protected health information (PHI).
- HIPAA Breach -
An unauthorized access, use, or disclosure of PHI that compromises its security or privacy. Covered entities must assess the risk and may need to notify affected individuals and regulators.
- HIPAA Compliance -
Adherence to HIPAA’s Privacy, Security, and Breach Notification Rules. This includes implementing safeguards for PHI, training staff, and conducting regular risk assessments to ensure compliance.
- HIPAA Covered Entities -
Organizations that must comply with HIPAA, including healthcare providers, health plans, and healthcare clearinghouses. Business associates that process PHI on behalf of these entities are also subject to HIPAA requirements.
- HIPAA Rules -
The core HIPAA regulations:
  - Privacy Rule: Governs the use and disclosure of PHI.
  - Security Rule: Sets standards for securing electronic PHI.
  - Breach Notification Rule: Outlines the process for reporting PHI breaches.
- HITRUST (Health Information Trust Alliance) -
A widely adopted framework that harmonizes multiple compliance standards, including HIPAA, NIST, and ISO 27001. HITRUST offers a certifiable approach to managing data protection and compliance risk.
- HITRUST Certifications -
Formal certifications awarded after a validated assessment against the HITRUST Common Security Framework (CSF). Certification demonstrates that an organization meets stringent security and privacy requirements.
- HITRUST Requirements -
Control requirements that align with various regulatory frameworks. Organizations must implement appropriate policies, procedures, and technical controls across areas like access management, encryption, and incident response.
- ISMS Risk Assessment -
An evaluation of information security risks within an Information Security Management System (ISMS). The process identifies threats, vulnerabilities, and the likelihood and impact of security incidents.
- ISO 27001 -
An international standard for managing information security. It outlines how to establish, implement, maintain, and continuously improve an ISMS to protect sensitive data.
- ISO 27001 Risk Assessment -
A key component of ISO 27001 compliance that involves identifying, analyzing, and mitigating information security risks based on organizational context and objectives.
- Merchant -
An individual or business that accepts payment cards (like credit or debit cards) for goods or services. Merchants must comply with the Payment Card Industry Data Security Standard (PCI DSS) to ensure secure cardholder data handling.
- NIST 800-53 -
A comprehensive set of security and privacy controls published by the National Institute of Standards and Technology (NIST) for federal information systems and critical infrastructure organizations.
- NIST AI RMF (AI Risk Management Framework) -
A voluntary framework from NIST designed to help organizations manage risks associated with artificial intelligence. It focuses on trustworthy AI through principles like fairness, privacy, and transparency.
- NIST CSF (Cybersecurity Framework) -
A widely used framework that helps organizations manage and reduce cybersecurity risks. It consists of five core functions: Identify, Protect, Detect, Respond, and Recover.
- NYDFS (New York Department of Financial Services) -
A state regulator that enforces cybersecurity regulations for financial institutions operating in New York. Its cybersecurity regulation (23 NYCRR 500) mandates risk assessments, incident response plans, and regular reporting.
- PCI DSS (Payment Card Industry Data Security Standard) -
A set of security standards developed to ensure that all organizations that store, process, or transmit credit card information maintain a secure environment.
- PCI Testing -
Security assessments required by PCI DSS to evaluate an organization’s adherence to PCI requirements. These assessments include vulnerability scans, penetration testing, and compliance audits.
- Penetration Testing Services -
Simulated cyberattacks conducted by ethical hackers to test an organization’s security defenses. These tests identify vulnerabilities that could be exploited by real attackers.
- Qualified Security Assessor (QSA) -
An individual certified by the PCI Security Standards Council to assess and validate a merchant’s or service provider’s compliance with PCI DSS requirements.
- Readiness Assessment -
A preliminary evaluation conducted before a formal audit to identify gaps, prepare documentation, and determine an organization’s audit readiness. Often used for frameworks like SOC 2, CMMC, and HITRUST.
- Risk Management -
The ongoing process of identifying, analyzing, and mitigating potential threats to organizational operations, data, and systems. It helps ensure regulatory compliance and business continuity.
- Self-Assessment Questionnaire (SAQ) -
A validation tool used by merchants and service providers to demonstrate PCI DSS compliance. There are multiple SAQ types depending on how payment data is handled.
- SOC (System and Organization Controls) -
A suite of audit reports developed by the American Institute of Certified Public Accountants (AICPA) that assess how service organizations handle data security, privacy, and internal controls. SOC reports help build trust with clients and partners.
- SOC 1 -
A type of SOC report focused on the effectiveness of internal controls relevant to financial reporting. It’s often required by organizations that outsource financial processing services and is used by clients’ auditors during their financial audits. There are two types of SOC 1 reports:
  - Type I: Offers your auditor’s opinion that your system is sufficiently designed to achieve the related objectives on a specified date.
  - Type II: Includes the same information as a SOC 1 Type I report but also tests control effectiveness over a period of time.
- SOC 2 -
A type of SOC report focused on evaluating a service organization’s controls related to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 is highly relevant across a wide variety of industries and roles, and it is especially applicable for companies that store, process, or transmit customer data.
  - SOC 2 Type I: Examines the design of controls at a specific point in time.
  - SOC 2 Type II: Assesses the operational effectiveness of those controls over a defined period (typically 6-12 months).
- SOC 2 Auditor -
A licensed CPA firm or professional authorized to conduct SOC 2 examinations based on the AICPA’s Trust Services Criteria.
- SOC 3 -
A simplified, publicly shareable version of a SOC 2 report. It provides a high-level overview of compliance without disclosing sensitive control details.
- SOC Reports -
Independent third-party audit reports that assess an organization’s internal controls. They include SOC 1, SOC 2, and SOC 3, each serving different compliance and trust-building purposes.
- SOC Trust Services Criteria -
The five core principles used to evaluate SOC 2 and SOC 3 reports. These include security, availability, processing integrity, confidentiality, and privacy.
- Social Engineering -
A cyberattack technique that manipulates people into revealing confidential information. Common tactics include phishing, pretexting, and baiting.