2FA
2FA enhances security by combining something the user knows (e.g., a password) with something the user has (e.g., a phone or security token).
Access control ensures only authorized users can access specific systems, resources, or data.
Accountability is the obligation of individuals or organizations to accept responsibility for their actions and decisions. Accountability is fundamental in GRC for ensuring transparency and trust.
Accreditation is a formal recognition that an organization meets certain standards, often granted by an external body.
Advanced Persistent Threat (APT) is a sophisticated cyberattack where an unauthorized user gains access to a system and remains undetected for a prolonged period.
Adverse action is a decision that negatively impacts an individual or entity, such as denying credit or employment. It often triggers specific compliance requirements, such as providing reasons under the Fair Credit Reporting Act (FCRA).
Anti-Money Laundering (AML) refers to the regulations and procedures aimed at preventing criminals from disguising illegally obtained funds as legitimate income.
Application security is the practice of protecting software applications from security threats throughout the development lifecycle.
Application whitelisting is a security control that allows only approved or trusted applications to execute on a system.
Assessment is the process of evaluating risks, controls, or compliance to determine effectiveness. Assessments can be qualitative or quantitative and are essential for identifying areas of improvement.
Asset management is the process of tracking and managing an organization’s IT and information resources.
Asset tagging helps in monitoring the life cycle of IT resources and ensuring security controls are enforced.
An audit trail is a record of all user activities and transactions within a system.
Backup and recovery is the process of creating and storing copies of data that can be restored in case of data loss.
Behavior-Based Detection is a security approach that identifies potential threats based on deviations from normal behavior rather than relying solely on known attack patterns.
Benchmarking is the practice of comparing an organization's processes or performance metrics to industry standards or competitors. It helps identify compliance gaps and opportunities for improvement.
A botnet is a network of compromised devices (bots) controlled remotely by attackers to perform malicious activities, such as launching DDoS attacks or sending spam. Botnets pose a significant threat to organizations by allowing attackers to harness distributed computing power for large-scale attacks.
Any PHI usage or disclosure that isn’t permitted under the Privacy Rule is considered a breach. When a breach occurs, Covered Entities are required to notify affected individuals.
A Business Associate is an entity that provides services to, or performs certain functions involving the use or disclosure of PHI on behalf of, a Covered Entity.
A Business Continuity Plan (BCP) outlines procedures and processes to ensure that critical business functions can continue during and after a disaster. A well-prepared BCP minimizes downtime and protects the organization’s reputation during crises.
Cloud security involves the policies, controls, and technologies that protect cloud-based systems, data, and infrastructure.
A code of conduct is a set of rules outlining the social norms, ethical principles, and responsibilities of individuals within an organization.
A compliance framework is a structured set of guidelines and practices that help organizations meet legal, regulatory, and operational requirements.
A compliance program is a company's set of internal artifacts (controls, policies, systems, etc.) put into place in order to comply with laws, rules, and regulations or to uphold the business's reputation.
A set of requirements defined by a law, or by an authority, that is widely accepted as a standard for demonstrating your trustworthiness to your customers.
Confidentiality ensures that sensitive information is accessible only to those authorized to view it. It is a key principle of information security, protecting data from unauthorized disclosure. Encryption, access control, and data masking are common methods used to maintain confidentiality.
Continuity is the planning and preparation to ensure that an organization can continue its critical operations in the event of a disruption. Business continuity planning is vital for resilience and risk management.
A control framework is a structured approach to managing risks by implementing controls across an organization.
Corporate Social Responsibility (CSR) is a company’s commitment to ethical behavior, environmental sustainability, and community well-being beyond legal requirements.
If you are a Covered Entity, you are subject to HIPAA and legally required to comply with all the standards it sets forth.
Cyber hygiene is the set of routine practices and behaviors that help maintain the security of information systems.
Cyber insurance helps mitigate the financial impact of security events, but organizations must still maintain robust security controls.
Cybersecurity refers to the practice of protecting systems, networks, and data from cyberattacks.
Cybersecurity compliance is about adherence to laws, policies, and standards that protect systems, networks, and data from cyber threats.
A data breach occurs when unauthorized individuals access or steal sensitive data. Breaches can result from hacking, insider threats, or weak security controls.
Data classification is the process of categorizing data based on its sensitivity and value to the organization.
Data encryption is the process of converting plaintext data into a coded form to prevent unauthorized access.
Data exfiltration is the unauthorized transfer of data from a network or system.
Data governance comprises the policies and practices that ensure data is managed securely, accurately, and responsibly throughout its lifecycle.
Data integrity ensures that data remains accurate, consistent, and unaltered during storage, processing, or transmission.
Data Leakage Prevention (DLP) is a strategy or tool designed to prevent unauthorized transmission of sensitive information outside the corporate network.