Glossary of Compliance

Compliance Glossary

Our list of curated compliance glossary offers everything you to know about compliance in one place.

a b c d e f g h i j k l m n o p q r s t u v w x y z

A

Administrative Controls

Administrative controls characterize the human factors of security involving all levels of personnel within an enterprise and determine which users are authorized to access what resources and information by such means as: – Employees are provided with training and awareness programs – Enterprises should be prepared for disasters and have recovery plans – Separation strategies…
Learn More Administrative Controls

Advanced Digital Signature

The advanced electronic signature is a digital signature to uniquely identify the signer based on an advanced certificate. The signature keys are utilized with a high degree of confidence by the signatory (who has sole possession of the signing key). An electronic signature is observed to be advanced, under eIDAS,  if it has met several…
Learn More Advanced Digital Signature

Asset

An asset may be intangible (e.g., humans, data,  software, information, capability, function, trademark, service, copyright,  image, patent, intellectual property, or reputation) or tangible (for instance, a physical item such as hardware, computing platform, firmware, network device, or other technology components). The value of an asset is decided by stakeholders in case of an event of…
Learn More Asset

Asset Inventory

An I.T. team maintains an asset inventory to make sure they provide an organization with the I.T. resources they need in a cost-effective, efficient manner. The asset data stored in this inventory includes location, users, performance, maintenance and support, documentation, licenses, lifecycle stage, compliance, cost, and more. I.T. assets can include: – Hardware – servers,…
Learn More Asset Inventory

BCP Testing

Business Continuity Planning (BCP) is the procedure of creating preventive and recovery systems to counter potential cyber threats to an enterprise or to ensure process continuity in the case of a cyberattack. BCP’s secondary goal is to make sure operational continuity before as well as during the execution of disaster recovery. The planning entails personnel…
Learn More BCP Testing

Classified Information

Classified national security information, also known as classified information, means information that has any predecessor order to require protection against unauthorized disclosure or has been regulated pursuant to E. O. 12958 as amended by E.O. 13292 and is marked to specify its classified status when in documentary form.
Learn More Classified Information

Control

Cybersecurity controls are specifically designed mechanism that is used to prevent, detect and reduce cyber-attacks and threats to data, including intrusion prevention systems and DDoS mitigation.
Learn More Control

Corrective Action

Corrective actions are methodical steps taken by an organization to close gaps, correct errors, or resolve other problems that have been found within the enterprise’s security program and for which the underlying or root cause has also been identified.
Learn More Corrective Action

Crisis Management Team

A crisis management team is a group of cybersecurity experts responsible for identifying and addressing crises within an enterprise. Their tasks include carrying out actions of accessing the current events, outlining the potential risks, and minimizing the fallout. 
Learn More Crisis Management Team

Critical Infrastructure

Critical infrastructure describes the physical assets and I.T. systems that are so vital to the enterprise that their destruction or incapacity would have a devitalizing impact on the economic or physical security or public health and safety.
Learn More Critical Infrastructure

Cryptographic Techniques

Cryptographic techniques are used to ensure the confidentiality and integrity of data in the presence of an antagonist. Various cryptographic methods based on the security needs and the threats involved, such as public key cryptography and symmetric key cryptography, can be used during the transit and storage of the data.
Learn More Cryptographic Techniques

Cryptomaterial

 All material, including devices, documents, or equipment that, contains cryptographic information and is essential to the authentication, encryption, or decryption of telecommunications.
Learn More Cryptomaterial

Data Classification Level

Data classification is a method for categorizing and defining files and other critical business information based on their information sensitivity. It’s mainly used in big corporations to build security systems that follow strict security compliance guidelines but are also effective in small environments.
Learn More Data Classification Level

Data Recovery

Data recovery is the method of restoring data that has been lost, corrupted, accidentally deleted, or made inaccessible. In enterprise I.T., data recovery typically refers to the restoration of data to a desktop, server, laptop, or external storage system from an existing backup.
Learn More Data Recovery

Data Restore

Data restore is the process of recovering backup data from secondary storage and restoring it to a new location or its original location. A restore is performed to move data to a new location or to return data that has been stolen, lost, or damaged to its original condition.
Learn More Data Restore

Detective Controls

Detective controls are the primary components of a cybersecurity program in providing visibility into breaches, malicious activity, and attacks on an enterprise’s I.T. environment. These controls include continuous monitoring, logging of events, and alerting that facilitate effective I.T. management.
Learn More Detective Controls

Deterrent Controls

Deterrent controls are administrative mechanisms (such as policies, standards, procedures,  laws, guidelines, and regulations) that are used to advise the execution of security within an enterprise.
Learn More Deterrent Controls

Digital Certificate

A Digital Certificate can be described as an electronic file that is tied to a cryptographic key pair to authenticate the identity of an individual, website, device, organization, user, or server. It is also known as an identity certificate or a public key certificate.
Learn More Digital Certificate

Digital Signature

A digital signature refers to a mathematical technique used to establish the authenticity and integrity of software, message, or digital document. It’s the digital equivalent of a stamped seal or a handwritten signature but offers far more inherent security.
Learn More Digital Signature

Disaster

Critical events such as cyber–attacks, natural disasters (earthquakes, floods, etc.), or hardware failures like routers or servers that affect the activities of an enterprise.
Learn More Disaster

Disaster Recovery Plan

After events like a cyber attack, natural disaster,  or even business disruptions, disaster recovery is an organization’s method of regaining access and control of its I.T. infrastructure. A variety of disaster recovery (D.R.) methods are implemented as part of a disaster recovery plan. D.R. is a crucial aspect of business continuity.
Learn More Disaster Recovery Plan

Electronic Signature

An electronic signature, or e-signature, authenticates that an individual who demands to have created a message is the one who created it. A signature can be defined as another layer of authentication and security as a schematic script related to a person.
Learn More Electronic Signature

Gap Analysis

A security gap assessment is a thorough analysis of an enterprise’s security defenses against various forms of cyberattacks. Its purpose is to identify the ‘gaps’ between their current state of security and their desired state, considering specific industry standards as well.
Learn More Gap Analysis

Identity Certificate

A digital certificate refers to an electronic “password” that allows a person or an organization to share data securely over the web on the public key infrastructure (PKI). Digital Certificate is also called an identity certificate or a public key certificate.
Learn More Identity Certificate

Information Access Rights

Access Rights are the permissions an individual user or an organization application holds to read, write, delete, modify, or otherwise access a computer file, change settings or configurations, or add or remove applications. An organization’s technology administrator can configure permissions for files, folders, servers, or specific applications on the computer.
Learn More Information Access Rights

Information Asset

An information asset is a body of data defined and managed as a single entity so that it can be understood, protected, shared, and utilized effectively and have manageable and recognizable value, content, risk, and lifecycles.
Learn More Information Asset

Integrity & Confidentiality Security

The CIA triad is a well-accepted model that enterprises use to evaluate their security capabilities and risk in case of a cyberattack. Confidentiality is a set of rules implemented to limit access to information, whereas integrity is the assurance that the information is accurate and trustworthy, and availability is a warranty of reliable access to…
Learn More Integrity & Confidentiality Security

ISMS

ISMS or information security management system (ISMS) is a set of procedures and policies for systematically managing an enterprise’s sensitive information. The goal of an ISMS is to detect and minimize the risk while ensuring business continuity by proactively countering the impact of a security breach.
Learn More ISMS

Lead Auditor

A lead auditor training has the necessary expertise and skills to perform an Information Security Management System (ISMS) audit by implementing widely recognized audit procedures, principles, and techniques.
Learn More Lead Auditor

Logical Controls

Logical controls are the automated system that manages a person’s ability to access one or more resources, such as a workstation, application, network, or database. A logical access control system requires authentication of an individual’s identity using some mechanism such as a  biometric, personal identification number (PIN) card, or other tokens. Different access privileges can…
Learn More Logical Controls

Management Controls

Management controls are actions implemented to manage the development, maintenance, and use of the system, including procedures, system-specific policies and rules of behaviour,  individual accountability, individual roles and responsibilities, and personnel security decisions.
Learn More Management Controls

Mandatory Procedures

Mandatory procedures explain the rules for how employees, partners, consultants, board members, and other endpoint users access online internet and applications resources, share data over networks, and otherwise practice responsible security.
Learn More Mandatory Procedures

Manned Security

Security personnel is physically present to guard properties, guard properties, people, assets, or more against the threat of entry, theft, assault, or criminal damage.
Learn More Manned Security

Non-Repudiation

In the context of ISO 27001, non-repudiation is one of the five pillars of information assurance. It refers to the inability to deny the validity of something and provides proof of the origin and integrity of data. Non-repudiation is guaranteed through digital signature and/or encryption.
Learn More Non-Repudiation

Nonconformity

A company is at risk of nonconformity if they are in noncompliance with the standard requirements of ISO 27001, that is, if in-event documentation specifies a process the organization is not following; or if an organization is not fulfilling contractual requirements in its dealings with third parties.
Learn More Nonconformity

Organizational (Security) Measures

Organizational and Technical security measures imply those measures aimed at protecting personal data against accidental loss, alteration, unlawful destruction, unauthorized access, or disclosure, in particular where the processing involves data over a network, in transit,  and against all other unlawful forms of processing.
Learn More Organizational (Security) Measures

Organizational Controls

Organizational controls reduce or mitigate the risk to the organization’s assets, including people, property, and data and include any type of policy, technique, procedure, method, solution, action, plan, or device designed to help accomplish that goal.
Learn More Organizational Controls

PDCA Cycle

The Plan-Do-Check-Act (PDCA/PDSA) cycle is a simple and effective approach with a continuous loop of planning, doing, checking (or studying), and acting, and it is generally used for testing improvement measures on a smaller scale before scaling procedures and working practices.
Learn More PDCA Cycle

Purpose Limitation

In practice, organizations must: – Clearly define the purpose of collecting personal data and their intention – Specify your purposes by complying with documentation obligations; – Perform transparency obligations to communicate to individuals about your purposes for collecting personal data; and – Ensure that if you plan to disclose or use personal data for any…
Learn More Purpose Limitation

Qualitative Risk Assessment

Qualitative risk assessment is the process of identifying risks and analyzing the impact they would have on a project. Project managers can prioritize risk as per probability and impact while detecting the main areas of risk exposure and improving understanding of project risks.
Learn More Qualitative Risk Assessment

Quantitative Risk Assessment

Quantitative risk assessment provides numerical characterizations of risk and relies primarily on the use of good methods, techniques, and models from the multiple disciplines employed by USACE. Thus, it comprises good economics, engineering, and environmental analysis.
Learn More Quantitative Risk Assessment

Recovery Time Objective

The Recovery Time Objective (RTO) is the time duration during or after a disaster that can elapse without an enterprise restoring its processes or services to acceptable levels before it will experience unendurable consequences associated with the disruption.
Learn More Recovery Time Objective

Registration

During the 2 to 3 months your company is still building its quality system, you’ll need to begin searching for an ISO registrar on the ANSI-ASQ National Accreditation Board (ANAB) to select the registrar right for you. Registrars must fulfill the requirements of the ISO Accreditation Bodies.
Learn More Registration

Resilience

Cyber resilience is an enterprise’s ability to enable business acceleration (enterprise resiliency) by preparing for, countering, and recovering from cyber threats and adapting to known and unknown crises, adversities, threats, and challenges.
Learn More Resilience

Restricted

An authenticator class, type, or instantiation has added risk of false acceptance associated with its use that is, therefore, subject to added requirements.
Learn More Restricted

RPO

A Recovery Point Objective (RPO) is the maximum amount of data or time that an organization can lose before causing harm or risk to its business or customers. It is a measure or guideline for disaster recovery planning and data preservation. RPOs return to a previous point when your data existed in a usable format,…
Learn More RPO

Statement of Applicability

A Statement of Applicability is a document needed for ISO 27001 certification. It’s a document that declares the Annex A controls that your enterprise determined to be necessary for mitigating information security risk, including the Annex A controls that were excluded.
Learn More Statement of Applicability

Surveillance Visit

The primary purpose of the surveillance visits is for the certification body to assert whether your management system really works in everyday operations or not. It will focus on prospects that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all corrective and preventive actions are properly recorded…
Learn More Surveillance Visit

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.

Non-Repudiation

In the context of ISO 27001, non-repudiation is one of the five pillars of information assurance. It refers to the inability to deny the validity of something and provides proof of the origin and integrity of data. Non-repudiation is guaranteed through digital signature and/or encryption.

RPO

A Recovery Point Objective (RPO) is the maximum amount of data or time that an organization can lose before causing harm or risk to its business or customers. It is a measure or guideline for disaster recovery planning and data preservation. RPOs return to a previous point when your data existed in a usable format,…

Surveillance Visit

The primary purpose of the surveillance visits is for the certification body to assert whether your management system really works in everyday operations or not. It will focus on prospects that the certification audit wasn’t able to check: for instance, whether all the incidents are recorded, whether all corrective and preventive actions are properly recorded…