GLOSSARY

Your security and compliance glossary

All the terms you need to know when you’re trying to get compliance audit ready, fast.

AICPA

AICPA is the acronym for the American Institute of Certified Public Accountants. The AICPA is the originator of the SOC (System and Organization Controls) audit and reporting standards.

Annex A Controls

Annex A of ISO/IEC 27001:2013 lists 114 security controls grouped into 14 sections, also known as domains, from which an organization selects the controls it needs, based on its risk assessment, to protect its information assets. (The 2022 revision of the standard restructured Annex A into 93 controls under four themes, so check which edition your certification body is auditing against.)

Attestation of Compliance (AOC)

Compliance risk management

Compliance risk management describes an organization’s strategy for managing the risk of non-compliance with pertinent regulations.

Compliance software

Compliance software describes the software tools an organization employs to monitor its internal systems and controls, in order to comply with required standards and regulations.

Cardholder Data (CHD)

Cardholder Data Environment (CDE)

Cardholder data environment refers to all people, processes, and technologies that store, process, transmit, or can impact the security of cardholder data.

Cybersecurity

Cybersecurity is the practice of protecting data, programs, systems, networks, and devices from unauthorized or malicious access, use, disruption, alteration, or destruction, whether the threat originates outside the organization or inside it.

General Data Protection Regulation (GDPR)

GDPR is a European Union regulation governing the processing of personal data. It gives individuals in the EU rights over their personal data and imposes obligations on any organization, inside or outside the EU, that processes that data.

GRC

Governance, risk, and compliance (GRC) refers to a company’s integrated strategy for managing its overall governance, its enterprise risk management, and its compliance with applicable regulations.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996 with the goals of improving the portability of health insurance coverage and setting national standards for the handling of confidential health information.

HIPAA Business Associates

A HIPAA business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or through the provision of services to, a covered entity.

HIPAA Compliance

HIPAA compliance involves fulfilling in an ongoing way the requirements of the initial Act of 1996, its subsequent amendments and additions, and any related legislation.

HIPAA Covered Entities

A HIPAA-covered entity is an individual, organization, or agency to which the HIPAA Rules apply; covered entities include health care providers, health plans, and health care clearinghouses.

HIPAA employee training

Covered entities and their business associates must train the members of their workforce who handle protected health information (PHI) on the policies and procedures that protect it. The goal of HIPAA training is to ensure that employees understand their obligations and handle patients’ PHI in a way that preserves its privacy and security.

HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) is composed of a number of standards or rules by which compliance can be monitored. Among additional rules, the HIPAA Rules include the Privacy, Security, and Breach Notification Rules.

HIPAA Risk Assessment

The objective of a HIPAA risk assessment is to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all protected health information that an organization creates, receives, maintains, or transmits.

HIPAA Rules: Breach Notification Rule

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.

HIPAA Rules: Enforcement Rule

The HIPAA Enforcement Rule sets out how the U.S. Department of Health and Human Services (HHS) investigates suspected HIPAA violations, the civil money penalties it may impose, and the procedures for hearings and appeals.

HIPAA Rules: Omnibus Rule

The HIPAA Final Omnibus Rule implements required amendments under the HITECH Act to strengthen privacy and security protections for individuals’ health information and modify the HIPAA Rules to improve their workability and effectiveness.

HIPAA Rules: Privacy Rule

The HIPAA Privacy Rule sets national standards to safeguard individuals’ medical records and other protected health information (PHI) and establishes when PHI may be used and disclosed.

HIPAA Rules: Security Rule

The HIPAA Security Rule operationalizes the protections of the HIPAA Privacy Rule by addressing the administrative, physical, and technical safeguards that covered entities must put in place to secure individuals’ electronic protected health information.

HIPAA Safeguards

HIPAA Safeguards are the administrative, physical, and technical safeguards that the Security Rule requires covered entities and business associates to implement in order to protect electronic protected health information (ePHI).

HIPAA Sanctions

HIPAA sanctions include the range of penalties that can follow a HIPAA violation: civil money penalties imposed by HHS, criminal penalties pursued by the Department of Justice, and the internal disciplinary sanctions that the Security Rule requires an organization to apply to workforce members who fail to follow its policies.

HIPAA breach

A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by HIPAA regulations, which compromises the security or privacy of the PHI.

Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to promote the adoption and meaningful use of health information technology and help address the privacy and security concerns associated with the electronic transmission of health information.

ISMS Governing Body

An ISMS governing body is an organizational governance team whose primary objective is to provide appropriate management oversight for the organization’s ISMS.

ISO 27001

ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS). It protects an organization’s information by applying a risk management process to its people, processes, and IT systems.

ISO 27001 security standard

The ISO 27001 security standard defines the requirements an organization must meet to manage its information security in a systematic way, addressing people, processes, and technology; its companion standard, ISO 27002, provides the detailed implementation guidance for the Annex A controls.

ISO 27001 Internal Audit

An ISO 27001 internal audit is the organization’s own examination of its ISMS against the requirements of the standard and its own policies. The standard requires internal audits at planned intervals, and one is typically completed before undergoing the external certification audit.

ISO 27001 Key Performance Indicators (KPIs)

ISO 27001 key performance indicators (KPIs) are metrics an organization establishes for its ISMS to measure the operating effectiveness of the ISMS and its implemented controls.

ISO 27001 Management Review

The ISO 27001 management review intends to ensure that an organization’s ISMS and its objectives remain appropriate and effective given the organization’s purpose, issues, and risks around its information assets.

ISO 27001 Nonconformities

An ISO 27001 nonconformity is an organization’s non-fulfillment of a requirement of the ISO standard.

ISO 27001 Risk Assessment

An ISO 27001 risk assessment helps an organization identify, analyze, and evaluate the risks to the confidentiality, integrity, and availability of its information, so that it can decide which risks to treat and which controls to apply.

ISO 27001 Risk Treatment Plan

An ISO 27001 risk treatment plan should be developed following a company’s completion of its risk assessment, documenting its actions to address each risk identified during the assessment process.

ISO 27001 Stage 1 Audit

The ISO 27001 Stage 1 Audit is the first part of the two-stage external ISO certification process, consisting of an extensive documentation review to ensure an organization’s policies and procedures meet the requirements of the ISO standard and the organization’s ISMS.

ISO 27001 Stage 2 Audit

The ISO 27001 Stage 2 Audit is the second part of the two-stage external ISO certification process, consisting of tests to ensure that an organization’s ISMS was properly designed and implemented and is functioning appropriately.

IT security policy

An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization’s IT assets and resources. The goal of an effective IT security policy is to protect information technology systems from any unauthorized access, use, alteration, or destruction, and to provide guidance in the case of the compromise of any systems.

Information Security Management System (ISMS)

An Information Security Management System (ISMS) establishes a systematic approach to managing an organization’s information security.

Merchant

Protected health information

Protected health information (PHI) describes health data that is created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a set of security requirements, maintained by the PCI Security Standards Council and mandated by the payment card brands, for all organizations that store, process, or transmit cardholder data or that can affect the security of that data.

Qualified Security Assessor (QSA)

A Qualified Security Assessor is a company authorized by the PCI Security Standards Council to perform PCI DSS assessments and produce a Report on Compliance (ROC); the term also refers to the certified individual employed by such a company who carries out the assessment.

Report on Compliance (ROC)

Security questionnaire

A security questionnaire is a tool that an enterprise may circulate to a service organization to evaluate and validate its security practices before choosing to do business with that organization.

SOC 1

A SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial reporting.

SOC 2

A SOC 2 report evaluates a service organization’s controls for managing customer data against the AICPA’s five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four criteria are included only where they are relevant to the organization’s commitments.

SOC 2 auditor

SOC auditors are independent CPAs who work with the SOC (System and Organization Controls) suite to evaluate and report on the controls in place at a service organization, relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

SOC 2 Type I report

A SOC 2 Type I report attests that a company’s security controls are suitably designed as of a specific point in time; it does not test whether they operated effectively.

SOC 2 Type II report

A SOC 2 Type II report attests that a company’s security controls are suitably designed and operated effectively over a review period (typically 3-12 months), based on the auditor’s testing of those controls during that period.

SOC 3

A SOC 3 report covers the same subject matter as a SOC 2 report but is intended for general distribution: it includes the auditor’s opinion and management’s assertion, but omits the detailed system description, the description of the tests performed, and their results.

SOC reports

A System and Organization Controls (SOC) report is an independent auditor’s report that verifies that a service organization has designed, and in the case of a Type II report operated, the controls it relies on to protect its clients’ data.

SOC Trust Services Criteria

The five Trust Services Criteria comprise the evaluation structure of a SOC 2 audit and report. The Trust Services Criteria are applied to report on the suitability of the design and operating effectiveness of controls relevant to the Security, Availability, Processing Integrity, Confidentiality, and Privacy of an organization’s information and systems.

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

SSAE 18

SSAE 18 is a set of enhancements to the attestation standards, effective in 2017, that superseded SSAE 16 with the aim of increasing the usefulness and quality of SOC reports.

Self-Assessment Questionnaire (SAQ)

Service Provider

Statement of Applicability

The Statement of Applicability (SoA) is a core document of an organization’s ISMS. It lists every control in ISO 27001’s Annex A, states whether each one is applicable to the organization, and records the justification for including or excluding it from the ISMS implementation.

Vendor assessment

Vendor assessment describes an organization’s program of assessing its vendors’ management of that organization’s information, and whether vendors are implementing and maintaining appropriate security controls.

Vendor management policy

A vendor management policy defines how an organization identifies and reviews all of its vendors (each third party, contractor, or associate with which it does business) and establishes the level of information security that those vendors are required to maintain.

Vendor review

Vendor review is the process by which an organization evaluates the potential risks of using a vendor’s product or service before engaging it, and then re-evaluates the vendor on an ongoing basis to confirm that sound security practices are still being maintained.
