Glossary of Compliance

Compliance Glossary

Our curated compliance glossary offers everything you need to know about compliance in one place.


A

3PAO

Third-Party Assessment Organization, 3PAO for short, is an independent partner organization that conducts thorough assessments of a cloud service provider for FedRAMP (the Federal Risk and Authorization Management Program) on the basis of federal security guidelines. The federal government depends on 3PAO assessments to make a risk-based decision on whether they should include a…

Accountability

As per the GDPR, Accountability is integrated as a principle which requires that companies put in place appropriate organizational and technical measures to demonstrate their compliance with regulations and their effectiveness when requested.

ACTA

The Anti-Counterfeiting Trade Agreement is a multilateral treaty aimed at establishing a legal framework for the enforcement of intellectual property rights and practices. The plurilateral agreement was an initiative born out of the need to curb counterfeiting and copyright infringement and to strengthen international trade cooperation. The agreement was signed by the EU as represented by…

Adequacy Decision

An adequacy decision is a formal decision by the EU recognizing that another country, sector, territory, or international organization provides a level of protection for personal data equivalent to that guaranteed within the EU.

Administrative Access

In the context of PCI DSS, Administrative Access accounts have special rights and capabilities, allowing them to oversee systems, networks, and applications. For example, accounts used for system administration can have different titles depending on the operating system, such as administrator, admin, or supervisor.

Administrative Controls

Administrative controls characterize the human factors of security, involving all levels of personnel within an enterprise, and determine which users are authorized to access what resources and information by such means as:
– Employees are provided with training and awareness programs
– Enterprises should be prepared for disasters and have recovery plans
– Separation strategies…

Administrative Safeguards

Administrative Safeguards are actions, policies, and procedures to manage the development, implementation, and maintenance of security measures to protect PHI. They guide covered entities in complying with the HIPAA Security Rule. In order to comply with Administrative Safeguards, one must evaluate their existing security controls, accurately analyze risks to the systems, and evaluate documented…

Advanced Digital Signature

An advanced electronic signature is a digital signature that uniquely identifies the signer based on an advanced certificate. The signing keys are used with a high degree of confidence by the signatory, who has sole possession of the signing key. Under eIDAS, an electronic signature is considered advanced if it has met several…

Adware

Adware is a hazardous type of malicious software that, once installed, can be challenging to remove. These programs force computers to download and display ads on the user’s screen in a destructive way. This software can be unknowingly installed by a person while visiting certain websites or downloading various files. For example, at least 50%…

AICPA

The American Institute of Certified Public Accountants (AICPA) is a professional organization representing certified public accountants in the United States. It was founded in 1887 and has more than 428,000 members currently. The AICPA sets accounting and auditing standards for the profession, provides education and training, and advocates for its members. It also offers certifications…

Anonymization

Anonymization is a procedure for concealing personal data. It ensures that the individuals remain anonymous and that their identifying information is removed from the data sets used. For example, if a particular person’s purchases or movements were logged over time, then anonymization would mean that it would be impossible for another individual or organization to…

ANSI

The American National Standards Institute (ANSI) was established as an independent, privately funded non-profit organization based in Washington D.C. Today, ANSI has grown to host more than 200 consensus-based standards and conformity assessment systems for products and services used within the United States and abroad. These standards reflect the best practices for a given product…

AOC

An Attestation of Compliance (AOC) is a documented declaration of an organization’s compliance with the PCI DSS. It proves that a company can successfully implement outstanding security best practices to protect cardholder data.

AOV

Assessors and/or labs certify the findings of an assessment on the Attestation of Validation (AOV) form, which is then included in the relevant Report on Validation.

APT- Advanced Persistent Threat

An Advanced Persistent Threat (APT) is a highly sophisticated and long-lasting cyberattack strategy. In an APT, intruders infiltrate a network covertly, aiming to steal sensitive data over an extended period while avoiding detection. Key APT objectives:

GhostNet APT

One notable example of an APT is GhostNet. Discovered in March 2009, GhostNet is considered one of…

Article 29 Working Party

The processor or any person acting under the authority of the processor or of the controller, who is authenticated to access personal data, shall not process the same except on instructions from the controller or required to do so by Union or Member State law.

Article 93 Committee Procedure

According to Article 93, the GDPR Commission may be assisted by a committee comprising member state representatives and chaired by the Commission in order to fulfil its implementation obligations. It may assume and exercise its powers in line with either of two implementation procedures laid down by the Commission, i.e., the advisory procedure…

Asset

An asset may be intangible (e.g., humans, data, software, information, capability, function, trademark, service, copyright, image, patent, intellectual property, or reputation) or tangible (for instance, a physical item such as hardware, computing platform, firmware, network device, or other technology components). The value of an asset is decided by stakeholders in case of an event of…

Asset Inventory

An I.T. team maintains an asset inventory to make sure they provide an organization with the I.T. resources they need in a cost-effective, efficient manner. The asset data stored in this inventory includes location, users, performance, maintenance and support, documentation, licenses, lifecycle stage, compliance, cost, and more. I.T. assets can include:
– Hardware – servers,…

ASV

An Approved Scanning Vendor (ASV) is an entity that verifies whether a company’s PCI DSS external scanning requirements have been met. ASVs use techniques similar to those used by hackers, such as penetration testing, to run an external vulnerability assessment of a company’s network or website. A quarterly network scan by an approved scanning vendor…

Attestation

An attestation is a formal declaration or statement made by an independent third party (such as an accountant, auditor, or lawyer) expressing an opinion or providing assurance about certain information’s accuracy, reliability, or completeness. Attestations are commonly used in financial reporting to provide additional credibility and trustworthiness to the information being presented.

Attestation Report

An attestation report is a written statement by an independent third party (such as a CPA or an auditor) that expresses an opinion on the reliability and accuracy of an organization’s financial statements or other information. An attestation report is used to assure stakeholders (such as shareholders, creditors, and regulators) that the information being presented…

Audit Log/ Audit Trail

An audit log is an essential record of system activities that captures the chronological sequence of events from the initiation to the completion of a transaction. It should be precise enough to provide all the information necessary for troubleshooting and for understanding how events transpired.

Auditor’s Opinion

An auditor’s opinion is a written statement by an independent auditor expressing an opinion on the fairness and consistency of a company’s financial statements with generally accepted accounting principles (GAAP). The auditor’s opinion is typically included in an audit report, a formal document summarizing the auditor’s findings and conclusions from the audit engagement. An auditor’s…

Automated Individual Decision

An automated individual decision is a decision that is a direct result of the automated processing of a data subject’s personal information. Article 22 of the GDPR allows individuals the right to object to such decisions. There are three exceptions to this rule:
– These decisions are essential for the entry or execution of a…

Availability

In the context of SOC 2 (Service and Organization Controls), availability refers to the principle that requires organizations to have systems and processes in place to ensure that their services are available to their customers as needed. The availability principle is one of five trust services principles that are covered in a SOC 2 attestation…

Availability

Availability means the healthcare facility should keep its hardware and software systems up and running properly. This requires covered entities and business associates to keep their infrastructure updated to protect it against security threats. Availability is a requirement for HIPAA technical and physical safeguards. Its goal is to allow authorized individuals to access necessary information…

BAA

A Business Associate Agreement (BAA) is a signed agreement between covered entities and business associates. The HIPAA Privacy Rule mandates that covered entities who share PHI with third-party service providers specify the responsibilities of each party to secure PHI. A BAA must describe the permitted uses or disclosures of PHI and require the business…

BCP Testing

Business Continuity Planning (BCP) is the procedure of creating preventive and recovery systems to counter potential cyber threats to an enterprise or to ensure process continuity in the case of a cyberattack. BCP’s secondary goal is to ensure operational continuity before as well as during the execution of disaster recovery. The planning entails personnel…

BCRs

Binding Corporate Rules, or BCRs, provide a framework for guaranteeing consistent and secure data protection when organizations exchange data. BCRs must include all essential data protection principles and enable individuals to exercise their enforceable rights. This is especially important if personal data is being transferred outside of the EU, as an extra layer of security…

Breach Notification

Breach Notification under the GDPR is the obligation of a controller to report any security incident in which individuals’ personal data have been subject to unauthorized access or disclosure, destruction, or other forms of misuse. It helps alert data subjects and regulators of a potential breach and provides them with information about the incident. This…

Buffer Overflow

Buffers are memory storage areas that hold data temporarily as it is moved from one location to another. When the amount of data exceeds the buffer’s storage capacity, a buffer overflow (or buffer overrun) occurs: the application copying the data into the buffer overwrites adjacent memory locations.

Business Associates

Business Associates are individuals or entities who work for or provide a service for a covered entity. The work involves use and disclosure of Protected Health Information (PHI). They must comply with the Privacy Rule of HIPAA. Business Associates perform functions like claims processing, data analysis, quality assurance, practice management, repricing, and more.

Business Impact Analysis

A Business Impact Analysis (BIA) is a critical process that predicts the potential consequences of a disruption to your business. It collects information necessary for creating proper recovery strategies. The extent and complexity of your BIA should align with your organization’s size and intricacy. Larger and more complex institutions may have a more detailed list…

California Consumer Privacy Act (CCPA)

Enacted in 2018, and going into effect on January 1, 2020, the California Consumer Privacy Act (CCPA) is one of the most comprehensive consumer data protection laws in the US. By offering Californians more control over their personal data, it seeks to strengthen their privacy rights and safeguards. Californian customers have various important rights regarding…

Card Skimmer

A card skimmer is a device attached to a card reader that skims and steals card information like the card number, expiration date, and CVV code. The device reads the debit/credit card information from the magnetic stripe on the back of the card and stores it in its memory module. Generally, a card skimmer is placed…

Card Verification Code or Value

A Card Verification Code/Value (CVC/CVV) is a series of numbers apart from the bank card number that is present on a debit or credit card. It provides an extra layer of security for card-not-present transactions where the PIN can’t be manually entered. In most cards, this is a three-digit number printed alongside the signature box.

Cardholder Data

Cardholder data (CD) consists of all personally identifiable information (PII), such as the cardholder’s name, card number, expiration date, and CVV security code of the individual with a credit or debit card. This is sensitive card information subject to security regulations like PCI DSS. Banks, payment merchants, and other entities that store and process this…

CCPA Amendments

Since its initial implementation in 2018, the California Consumer Privacy Act has undergone a December 2020: The fourth iteration defined offline interaction requirements and reinstated the opt-out button.  These amendments reflect the ongoing effort to balance privacy rights with business practicalities.

CCPA Compliance

CCPA, or California Consumer Privacy Act, is a set of compliance guidelines aimed at protecting data belonging to residents of the state of California. It came into effect on January 1, 2020, and is considered one of the most stringent privacy laws in the United States. It applies to all organizations, regardless of where the…

CCPA Consent

The California Privacy Rights Act (CPRA) updates the CCPA by clarifying what counts as consent: it’s a consumer’s freely given, clear, and informed choice about how their personal data is used.  While the CCPA generally operates on an opt-out basis—meaning businesses can handle most personal data without explicit permission as long as consumers have the…

CCPA Data Subject Rights

The California Consumer Privacy Act establishes a set of fundamental rights for the residents of California (known as data subjects) concerning their personal information. These rights empower consumers with greater control over their data and increase transparency in how businesses handle their personal information. The key Data Subject Rights under the CCPA are: Right to…

CCPA Personal Information

Under the California Consumer Privacy Act, or CCPA, ‘personal information’ is broadly defined to include a wide range of data that can be linked or reasonably associated with a particular consumer or household. This definition is crucial to understanding the scope and impact of the CCPA on data protection and privacy rights.  This expansive definition…

CCPA Privacy Notice

A CCPA (California Consumer Privacy Act) Privacy Notice is a ‘notice at collection’ provided to customers about the types of Personal Information (PI) collected by the business, along with the reason for collecting it. The CCPA privacy notice serves as the primary mechanism through which businesses communicate their data collection practices. It empowers consumers to make…

CDE

The Cardholder Data Environment (CDE) consists of all systems, networks, and applications used in the payment card transaction process. It includes all the places where payment card data is stored, processed, or transmitted. This data includes information such as the cardholder’s name, card number, expiration date, and other sensitive information. To comply with the PCI…

CERT

A Computer Emergency Response Team (CERT) is a team of IT security experts responsible for responding to cybersecurity incidents, vulnerabilities, and threats and mitigating them as early as possible. They identify, analyze, and respond to cyber incidents that could impact the security of the company’s critical systems. They also perform vulnerability assessments and help organizations implement the…

CIO Council

The Chief Information Officers (CIO) Council is responsible for improving IT practices across the United States of America. It advocates for IT priorities and communicates key updates, initiatives, and guidance to federal CIOs and IT professionals. The CIO Council is part of the Office of Management and Budget (OMB) and informs federal CIOs about…

CIS

The Center for Internet Security (CIS) is a 501(c)(3) non-profit organization formed in 2000. It is responsible for the CIS Controls and CIS Benchmarks and aims at developing best internet security practices for the public and private sectors to prevent cyber threats. Its Multi-State Information Sharing and Analysis Center (MS-ISAC) also offers real-time threat intelligence. Organizations can reach…

Classified Information

Classified national security information, also known as classified information, means information that has been determined, pursuant to E.O. 12958 as amended by E.O. 13292 or any predecessor order, to require protection against unauthorized disclosure, and that is marked to indicate its classified status when in documentary form.

Cloud service offering (CSO)

Cloud Service Offering (CSO) refers to a specific product or service provided by a cloud service provider (CSP) to federal agencies in the USA. Cloud Service Providers (CSPs) must determine whether their Cloud Service Offering (CSO) is for government use only, available to the public, private, or a hybrid cloud setup. Additionally, CSOs are…

Cloud Service Providers

Cloud service providers offer various types of cloud computing services to their customers. Cloud computing is a model of computing that delivers shared computing resources (such as networks, servers, storage, applications, and services) over the internet rather than using local servers or personal devices. Cloud service providers offer a variety of services, including:
– Infrastructure as a…

Cloud-hosted Business

A cloud-hosted business is a company that uses cloud computing services to host and operate its business applications, data, and other resources. Cloud computing is a model of computing that delivers shared computing resources (such as networks, servers, storage, applications, and services) over the internet rather than using local servers or personal devices. By using…

CMMC Assessment Scope

Determining the scope of your CMMC assessment is a prerequisite for a successful certification process. It sets the groundwork by outlining what you need to evaluate. This approach reduces the assessment’s duration and minimizes the impact of security controls on your workforce. This is why it is essential to account for every asset, whether within…

CMMC Maturity Level

CMMC 2.0 has three distinct security levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The specific CMMC maturity level that your company needs to attain, along with the associated compliance obligations, hinges on the sensitivity of the data you handle.

Level 1 (Foundational)

Level 1 emphasizes fundamental cybersecurity practices. Companies can implement…

COBIT 5 Certification

COBIT 5 stands for Control Objectives for Information and Related Technologies, 5th Edition. It is a framework for managing and governing corporate IT created by the Information Systems Audit and Control Association, or ISACA. The framework provides a globally accepted set of tools and resources that help organizations govern and manage their information and technology assets…

COBIT domains

COBIT 4.1 breaks down IT governance and management into four key domains, each focusing on specific areas of IT processes.

Evaluate, Direct, and Monitor (EDM): EDM forms the major component of the COBIT 5 model and concerns itself with the optimal accomplishment of IT business integration and governance. This domain includes identifying directions for IT’s…

COBIT foundation certificate

COBIT Foundation is an entry-level professional certification that validates a candidate’s knowledge and skills in the COBIT 5 principles. The COBIT 5 Foundation certification is suited for individuals who are looking to gain an understanding of the core principles and practices of IT governance and enterprise IT management as outlined within the COBIT 5 framework. The…

COBIT framework

COBIT is an ISACA framework whose name is an abbreviation of Control Objectives for Information and Related Technology. It was developed to assist IT managers, auditors, and users in developing IT governance and control. COBIT offers a list of widely accepted measures, indicators, processes, and best practices for IT resource management, considering a particular industry’s specifics. COBIT can be…

COBIT principles

COBIT 5 is built on five key principles that help organizations manage and govern their IT:

Principle 1: Meeting stakeholder needs

This principle underscores the view that organizational requirements should be aligned with stakeholders’ requirements because organizations are established on such demands. Erosion of trust is mostly about knowing stakeholders and ensuring their demands are in…

Column-Level Database Encryption

Column-level database encryption is a type of database encryption that selects specific attributes or data elements to be encrypted instead of the entire database or individual records. This type of encryption is generally implemented using algorithms like Triple Data Encryption Standard (TripleDES) or Advanced Encryption Standard (AES). It benefits confidential or sensitive data such as personally identifiable information…

Compensating Controls

Also referred to as alternative controls, compensating controls are a set of security and privacy controls implemented by an organization in lieu of the controls specified in NIST Special Publication 800-53, to mitigate risks and provide an alternative approach to achieving the same security objectives as the primary controls. They are often used to reduce the impact of security breaches…

Compliance Report

A compliance report is a document that summarizes the results of an evaluation of an organization’s compliance with relevant laws, regulations, standards, or policies. They are used to assess an organization’s adherence to these requirements and to identify any areas where the organization may be non-compliant. Compliance reports may be prepared by internal teams or…

Confidentiality

In the context of SOC 2 (Service and Organization Controls), confidentiality refers to the principle that requires organizations to protect the confidentiality of their customer’s data and information. The confidentiality principle is one of five Trust Services Criteria covered in a SOC 2 attestation engagement. To meet the confidentiality principle, organizations must have controls to…

Continuous Security Monitoring

Continuous security monitoring is when you, as a company, constantly monitor your IT systems and networks using automation. Basically, you need to get reports on the security of your system in real time. This helps you detect security threats, measure dips in control efficiency, and isolate instances where your internal organizational rules are not abided by…

Continuous Security Validation

Continuous security validation allows a company to replicate and simulate full-scale attacks on its enterprise assets. They do this using software agents, virtual machines, and other tools. This process helps you to test and strengthen your security measures regularly.

4 key benefits to Continuous Security Validation

Spotting policy mismatches

It helps find mismatches in security…

Control

Cybersecurity controls are specifically designed mechanisms used to prevent, detect, and reduce cyber-attacks and threats to data, including intrusion prevention systems and DDoS mitigation.

Control Mapping

Control mapping is the process of identifying, documenting, and evaluating the controls in place within an organization to address specific risks or objectives. It involves creating a map or diagram that illustrates the relationships between the various controls and how they work together to achieve the desired outcome. Control mapping is commonly used in risk management and compliance…

Controlled Disclosure

Controlled disclosure is the release of information to a restricted group of people or in a controlled manner rather than making the information widely available. Controlled disclosure is often used to protect sensitive or confidential information from unauthorized access or disclosure. An example of controlled disclosure might be a company releasing financial information to its shareholders but only…

Copycat Laws

“Copycat laws” are beginning to proliferate in the United States, and if you own a business, you may soon find that these new rules affect how you handle client data. While not exactly the same, many states are developing their own privacy laws that are modeled after California’s Consumer Privacy Act (CCPA) and share many…

Corrective Action

Corrective actions are methodical steps taken by an organization to close gaps, correct errors, or resolve other problems that have been found within the enterprise’s security program and for which the underlying or root cause has also been identified.

Covered Entities

Covered Entities can be a health plan, health care clearinghouse, or health care provider. They electronically transmit health information as per HHS standards and include individuals and organizations.
– Health plans are individuals or groups who provide medical care or cover its expenses.
– Health care clearinghouses are private or public firms who process health…

CPA

Certified Public Accountant (CPA) is a professional designation given to accountants in the United States who have passed a certification exam and met certain education and experience requirements. Aspirants must pass the Uniform CPA Examination, a globally recognized test. A CPA is licensed by the state in which they practice to…

Crisis Management Team

A crisis management team is a group of cybersecurity experts responsible for identifying and addressing crises within an enterprise. Their tasks include assessing current events, outlining the potential risks, and minimizing the fallout.

Critical Infrastructure

Critical infrastructure describes the physical assets and I.T. systems that are so vital to the enterprise that their destruction or incapacitation would have a debilitating impact on economic or physical security or on public health and safety.

Cryptographic Key

A cryptographic key is a string of characters, such as numbers or letters, which can encrypt and decrypt data when processed through an encryption algorithm. In simpler terms, a cryptographic key is a piece of data that transforms plaintext (unencrypted data) into ciphertext (encrypted data) and vice versa. In general, the key is used by…

Cryptographic Techniques

Cryptographic techniques are used to ensure the confidentiality and integrity of data in the presence of an adversary. Various cryptographic methods, chosen based on the security needs and the threats involved, such as public key cryptography and symmetric key cryptography, can be used while data is in transit and at rest.

Cryptomaterial

All material, including devices, documents, or equipment, that contains cryptographic information and is essential to the authentication, encryption, or decryption of telecommunications.

CSRF

Cross-Site Request Forgery (CSRF) is a security vulnerability that allows a cyber threat actor to perform actions on behalf of the user without their knowledge or consent. The CSRF attack occurs when the user clicks on a malicious link or visits a malicious website. This action makes the user’s browser send requests to legitimate websites…

Cybersecurity – Shared Responsibility

The cybersecurity shared responsibility model plays a great role in securing the various aspects of a cloud environment. For example, in a shared security model with GCP, Google will be responsible for ensuring that their firewalls remain impenetrable, and you, as a Google Cloud user, will be responsible for ensuring that you have implemented MFA,…

Database Administrator

Database administrators are IT technicians responsible for installing, managing, configuring, and maintaining an organization’s database systems’ performance, security, and availability. A database administrator’s primary role is to ensure the database is accessible, secure, and performing optimally. The responsibilities of a database administrator include monitoring database performance, ensuring data security and data integrity, backing up and…

Data Classification Level

Data classification is a method for categorizing and defining files and other critical business information based on their sensitivity. It is mainly used in big corporations to build security systems that follow strict security compliance guidelines, but it is also effective in small environments.
Learn More Data Classification Level

Data Controller

A Data Controller in GDPR is defined as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means by which personal data will be processed.
Learn More Data Controller

Data Minimization

Data Minimization requires that a data controller restrict the collection of personal information to what is directly necessary and relevant to accomplish a certain task, and retain it only for the period deemed necessary to fulfil that purpose.
Learn More Data Minimization

Data Mining

Data mining or ‘profiling’ is an automated process that analyzes, processes, and makes decisions based on specific aspects of a data subject. Under the GDPR, it is imperative that data processors and controllers inform data subjects of the existence of such processes, their logic, and the decision-making instruments involved. If these decisions are made as per a contract…
Learn More Data Mining

Data Portability

Under the GDPR, citizens have access to their personal data held by a controller and can utilize that information for any purpose they choose. This right of Data Portability, among other rights covered under the GDPR, empowers individuals in many ways.
Learn More Data Portability

Data Protection Authority

A Data Protection Authority is a public entity that oversees the implementation of data protection laws. These authorities can resort to both investigative and corrective measures to do so, and also offer guidance on data privacy issues. Complaints with regard to GDPR breaches or corresponding national laws are also handled by these authorities.
Learn More Data Protection Authority

Data Protection Day

On January 28th every year, Data Protection Day takes place to remind us of the importance of protecting our data and following best practices. It was created in 2006 by the Council of Europe as an effort to increase respect for private lives and personal data, in accordance with data security standards such as the…
Learn More Data Protection Day

Data Protection Directive 95/46/EC

The Data Protection Directive protects the personal data and rights to privacy of EU citizens, making it an essential piece of legislation. It was enacted in October 1995 in the form of Directive 95/46/EC, and has since been at the foundation of modern protection standards for personal data within the European Union.
Learn More Data Protection Directive 95/46/EC

Data Protection Principles

Everyone who uses personal data must abide by strict rules called ‘data protection principles’. They must ensure the information is used fairly, lawfully, and transparently; used for specified, explicit purposes; and used in a way that is adequate, relevant, and limited to only what is necessary.
Learn More Data Protection Principles

Data Recovery

Data recovery is the method of restoring data that has been lost, corrupted, accidentally deleted, or made inaccessible. In enterprise I.T., data recovery typically refers to the restoration of data to a desktop, server, laptop, or external storage system from an existing backup.
Learn More Data Recovery

Data Restore

Data restore is the process of recovering backup data from secondary storage and restoring it to a new location or its original location. A restore is performed to move data to a new location or to return data that has been stolen, lost, or damaged to its original condition.
Learn More Data Restore

Data Retention

The GDPR Data Retention rules say that any personal data collected or processed must be retained solely for the duration necessary to accomplish the purpose for which the information was initially gathered. However, it is important to note that there are exceptions, such as scientific or historical research.
Learn More Data Retention

Data Sovereignty

Data Sovereignty means that sensitive information is subject to the laws and regulations of the country in which the data originated. This empowers data owners with the right to control and protect the usage of their data. For example, the data of people in the European Union is safeguarded by the GDPR.
Learn More Data Sovereignty

Data Subject

Data Subject is an individual that can be identified with personal information indicators. Personal information identifiers include but may not be limited to their name, address, phone number, email, location data or other factors that specify a person’s physical, physiological, genetic, mental, economical, cultural or social identity.
Learn More Data Subject

Data Transfer

Data Transfer is the intentional sending of personal data to another party, or the authorising of another party to use it, where neither the sender nor the recipient is the data subject. Data transfer should not be confused with data collection.
Learn More Data Transfer

Data Use Agreement

A Data Use Agreement (DUA) is an agreement that oversees the sharing of data between research collaborators that fall under covered entities in the HIPAA privacy rule. A DUA defines the ways in which the information is established as a limited data set, its use by the intended recipient, and how well it is protected.
Learn More Data Use Agreement

Data-Flow Diagram

It is a graphical representation using defined symbols and charts to explain the flow of data through a system or process. System analysts, database administrators, and designers often use the visual tool to describe the flow of information in a system visually and how that information is processed. The diagram comprises different components such as…
Learn More Data-Flow Diagram

De-Identified Data

Under the California Consumer Privacy Act (CCPA), de-identified data refers to any information that can’t be reasonably linked back to a specific person. If you’re working with data, this is a crucial concept to help you protect privacy while still using that data effectively. De-identifying data facilitates adherence to laws such as the CCPA. It…
Learn More De-Identified Data

De-Identified Information

De-Identified Information is health information that does not identify an individual, provided the covered entity holds that there is no reasonable basis to believe it can be used to identify an individual. The HIPAA Privacy Rule specifies two methods to de-identify PHI: – Expert determination method, which applies statistical or scientific principles to conclude that…
Learn More De-Identified Information

Designated Record Set

A Designated Record Set is the records maintained by or for a covered entity to make decisions about people. It usually contains billing records, medical records, payment and claims records, case management records, health plan enrollment records, and so on.
Learn More Designated Record Set

Designated Record Set

Designated record sets include billing records, medical records, payment and claim records, case management records, health plan enrollment records, as well as other records used, in part or in whole or by or for a covered entity, to reach conclusions about individuals.
Learn More Designated Record Set

Detective Controls

Detective controls are the primary components of a cybersecurity program in providing visibility into breaches, malicious activity, and attacks on an enterprise’s I.T. environment. These controls include continuous monitoring, logging of events, and alerting that facilitate effective I.T. management.
Learn More Detective Controls

Deterrent Controls

Deterrent controls are administrative mechanisms (such as policies, standards, procedures, laws, guidelines, and regulations) that are used to guide the implementation of security within an enterprise.
Learn More Deterrent Controls

DHS

The Department of Human Services, or DHS, provides and sponsors many types of health and social services as well as determines persons’ eligibility to receive those services. They collect personal and health information about you and/or your family, which is kept private and called “protected health information.”
Learn More DHS

Digital Certificate

A Digital Certificate can be described as an electronic file that is tied to a cryptographic key pair to authenticate the identity of an individual, website, device, organization, user, or server. It is also known as an identity certificate or a public key certificate.
Learn More Digital Certificate

Digital Signature

A digital signature refers to a mathematical technique used to establish the authenticity and integrity of software, message, or digital document. It’s the digital equivalent of a stamped seal or a handwritten signature but offers far more inherent security.
Learn More Digital Signature

Disaster

A disaster is a critical event, such as a cyber-attack, a natural disaster (earthquake, flood, etc.), or a hardware failure (routers, servers), that disrupts the activities of an enterprise.
Learn More Disaster

Disaster Recovery Plan

A Disaster Recovery Plan is an official document developed by a company that gives precise instructions on how to respond to unanticipated situations such as natural disasters, power outages, cyber-attacks, and other disruptive events. In order for an organization to continue operating or swiftly resume critical functions, the plan includes tactics to mitigate the effects…
Learn More Disaster Recovery Plan

Disaster Recovery Plan

After events like a cyber attack, natural disaster, or even business disruptions, disaster recovery is an organization’s method of regaining access and control of its I.T. infrastructure. A variety of disaster recovery (D.R.) methods are implemented as part of a disaster recovery plan. D.R. is a crucial aspect of business continuity.
Learn More Disaster Recovery Plan

Disaster Recovery Plan

A HIPAA disaster recovery plan (HIPAA DRP) is a formal proposition that specifies the processes, actions, and methodologies that must be embraced to secure and restore electronic health records (EHR) in case of a natural or manmade disaster, calamity or similar event.
Learn More Disaster Recovery Plan

DPA

Data Protection Act (DPA) is a legislative framework that lays down the regulations for usage of personal data by organisations, government and businesses. The law was enacted in 2018 for enforcement of the UK’s General Data Protection Regulation.
Learn More DPA

DPIA

A Data Protection Impact Assessment (DPIA) is an important tool to mitigate risk and demonstrate compliance with the GDPR. In a DPIA, companies consider the risk associated with the personal data they process and analyze ways of minimizing those risks as early as possible.  For example, if your company intends to use facial recognition technologies…
Learn More DPIA

DPO

A Data Protection Officer (DPO) is a critical role in any organization, as they are responsible for overseeing the IT infrastructure and data security. They act as a focal point where individuals can send their privacy queries and issues, working to ensure that data is kept secure, utilized responsibly, and disposed of properly at all…
Learn More DPO

E-privacy Directive 2009/136/EC

The European Parliament and Council Directive 2009/136/EC, passed on 25 November 2009, amended Directive 2002/22/EC concerning universal service and users’ rights related to electronic communications networks and services, as well as Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in electronic communications. Furthermore, Regulation (EC) No 2006/2004 was amended for cooperation between…
Learn More E-privacy Directive 2009/136/EC

EDPB

The European Data Protection Board (EDPB) was created to address the crucial need for unified regulation. EDPB ensures that citizens have access to similar privacy services no matter where they are located in the EU by overseeing GDPR compliance and promoting collaboration between EU data protection authorities. With EDPB in place, Europeans can feel secure…
Learn More EDPB

EDPS

Established in 2004, the European Data Protection Supervisor (EDPS) plays an important role in protecting individuals’ personal data. As a result of the General Data Protection Regulation, this independent Supervisory Authority is responsible for monitoring and enforcing compliance with data protection law within EU institutions and bodies.  The EDPS works independently to ensure personal data…
Learn More EDPS

Electronic Media

Electronic Media refers to storage systems such as hard drives, computers, USB, optical disk or any medium in which data can be stored in the digital format. Additionally, any medium used to transmit data such as the internet, extranet, dial up lines, private networks are considered as electronic media.
Learn More Electronic Media

Electronic Signature

An electronic signature, or e-signature, authenticates that the individual who claims to have created a message is the one who created it. A signature can be seen as an additional layer of authentication and security: a mark or script tied to a specific person.
Learn More Electronic Signature

Emancipated Minor

A minor is considered to be emancipated if they have either been legally released from parental supervision and custody, or if they have achieved the age of majority. These people are expected to provide for and take care of themselves.
Learn More Emancipated Minor

EMO Plan

An Emergency Mode Operation (EMO) plan is an organization’s contingency plan for continuous operations in the event of a fire, natural disaster, vandalism, or system failure. Budget and resources should be allocated for EMO and tested in a controlled environment.
Learn More EMO Plan

Encrypted Data

When plain information is converted into a coded format to prevent unauthorised use or viewing, it becomes encrypted data. Encrypted data can only be decoded with the corresponding key, so only those who hold the key and have the authority can view the data. Sensitive information such as personal data, financial information, confidential data…
Learn More Encrypted Data

ePHI

Any patient data that is created, stored, managed, transmitted, or shared via electronic means is Electronic Protected Health Information (ePHI). As per the HIPAA regulation, there are 18 HIPAA identifiers that qualify data as ePHI. Covered entities and business associates are required to protect ePHI as per the HIPAA Security and Privacy Rules.
Learn More ePHI

EU PNR Directive

The EU PNR Directive regulates the transfer of passenger name record (PNR) data of passengers on international flights to European Union (EU) Member States and the processing of those data by Member States’ competent authorities.
Learn More EU PNR Directive

EU-US and Swiss Privacy Shield

The EU-US and Swiss Privacy Shield frameworks were designed by the European Commission and the Swiss Administration, respectively, together with the U.S. Department of Commerce, to provide companies on both sides of the Atlantic with a mechanism that complies with data protection requirements when personal data is transferred from the European Union as well as Switzerland to…
Learn More EU-US and Swiss Privacy Shield

Eurodac

Eurodac, short for European Asylum Dactyloscopy, is a database that stores and compares the fingerprints of asylum seekers. It collects and processes fingerprints of asylum seekers and other migrants, allowing information to be quickly shared between member states. It also helps to ensure the security of Europe’s borders, and Eurodac provides a very useful resource in…
Learn More Eurodac

European Conference

The European Conference in GDPR is a fantastic opportunity for those who wish to remain informed on the latest developments in data protection laws. Presentations and discussions at this hybrid conference will cover how new technology impacts existing GDPR regulations and what practitioners need to be aware of throughout the EU.  Attendees will gain practical…
Learn More European Conference

External Entity

External entity can be an outside individual, organisation or an outside system/application that is a source or recipient of data-flow. These entities do not lie inside the investigated subject and can be a potential threat to it.
Learn More External Entity

Facility Security Plan

A Facility Security Plan lays down the policies and procedures to prevent, detect, respond to, and recover from security incidents that may occur in or around the facility and its servicing vessels. The protection of the facility here includes the security of the people on the facility, the inventory, and other assets and equipment.
Learn More Facility Security Plan

Facility Security Plan

All HIPAA-Covered Components have to implement a facility security plan to safeguard the facility and the equipment within from unauthorized physical access, theft, and tampering for all locations that store and/or access ePHI.
Learn More Facility Security Plan

FedRAMP

FedRAMP or Federal Risk and Authorization Management Program is a government-led compliance program to make the adoption of cloud services across federal agencies secure and efficient. The FedRAMP Authorization Act of 2022 further made FedRAMP a stronger standard after which it was also incorporated into the National Defense Authorization Act (NDAA) in the U.S. The…
Learn More FedRAMP

FedRAMP Program Management Office

The FedRAMP PMO (Program Management Office) is the executive office that manages the functioning of the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to continuous security and risk assessment for cloud products and services. GSA set up the FedRAMP PMO to coordinate with the Joint Authorization Board-the…
Learn More FedRAMP Program Management Office

Gap Analysis

A security gap assessment is a thorough analysis of an enterprise’s security defenses against various forms of cyberattacks. Its purpose is to identify the ‘gaps’ between their current state of security and their desired state, considering specific industry standards as well.
Learn More Gap Analysis

Genetic Data

The information that can be derived from a person’s genetic build-up or DNA is Genetic Data. This data specifies inherited physical traits, ancestry and other genetic markers. This data is used for medical research and treatment. A person’s susceptibility to certain diseases can be judged using the data. It can also be used by the…
Learn More Genetic Data

Grounds For Processing

As set out in Article 6 of the GDPR, the lawful grounds for processing personal data are: – Compliance with a legal obligation – Consent of an individual – Protecting the vital interests of a person – Performance of a contract – Necessary for organizations to implement required changes in the public interest
Learn More Grounds For Processing

Health Care Provider

The term “Health Care Provider” includes: – a hospital, home health entity, skilled nursing facility, nursing facility – long-term care facilities such as health care clinics, renal dialysis facilities, community mental health centers, blood centers – emergency medical services provider, ambulatory surgical center – Federally qualified health center, group practice, practitioner, pharmacist, physician, pharmacy, laboratory, a rural…
Learn More Health Care Provider

HHS

The United States Department of Health and Human Services (HHS) is an executive branch agency of the federal government of the United States that was established to safeguard the health of the country’s citizens and provide necessary human services.
Learn More HHS

HHS

The United States Department HHS, or Health and Human Services, is a cabinet-level executive branch of the U.S. federal government created to safeguard the health of all American citizens and provide essential human services.
Learn More HHS

HIC

A Human Investigation Committee (HIC) is a group of people who ensure that research on human subjects involving their personal health information is conducted ethically. Compliance with all federal laws is also monitored by the committee. It has the right to approve, disapprove, or request amendments to the research whenever required. The Committee…
Learn More HIC

HIC

The Department of Public Health’s (DPH) Human Investigations Committee (HIC) is responsible for monitoring, reviewing, and approving research by utilizing identifiable health information obtained by the Department with the purpose of protecting the rights and the well-being of the research subjects.
Learn More HIC

HIPAA Agreement

A HIPAA Business Associate Agreement is a contract between a HIPAA-covered entity (like a healthcare provider) and a business or individual that helps with certain functions involving PHI. It’s essentially a written arrangement that outlines how the PHI is used. HIPAA requires covered entities to work with business associates who demonstrate the ability to protect…
Learn More HIPAA Agreement

HIPAA Authorization Form

A HIPAA authorization form, often called a HIPAA release form, is a document patients sign with their healthcare providers. It grants permission for the provider to use or share their protected health information (PHI) for specific reasons. These reasons include: When is HIPAA authorization required? HIPAA authorization is required in specific situations outlined by 45…
Learn More HIPAA Authorization Form

HIPAA Compliant Fax

HIPAA-compliant fax is a trusted method for securely transmitting patient data. To meet HIPAA’s stringent data protection requirements, healthcare professionals and companies use cloud-based fax services to safeguard the integrity of PHI. Is faxing HIPAA-compliant? Faxing, by its nature, is considered HIPAA-compliant due to its inherent security and point-to-point transmission. Fax lines and most IP…
Learn More HIPAA Compliant Fax

HIPAA Confidentiality

The HIPAA Privacy Rule sets standards for safeguarding individuals’ medical records and identifiable health information, commonly known as PHI. For example, discussions between doctors and patients should occur privately, and patients may prefer to be contacted on their cell phones rather than at home. Even well-meaning family members may not necessarily access a loved one’s…
Learn More HIPAA Confidentiality

HIPAA Journal

The HIPAA Journal is a useful website for all things HIPAA. It’s got news, breach info, tips, and the latest in healthcare data security. They’ve got sections like “New HIPAA regulations” and “HIPAA Changes 2023.” You can find out about the latest HIPAA rule updates, like telehealth rules and security changes. They even wrote about…
Learn More HIPAA Journal

HIPAA Liaison

HIPAA Liaisons are designated by each HCC to work with the Office of HIPAA Privacy and are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Liaisons may receive requests from patients as well, including but not limited to access, appeals, amendment, and accountings…
Learn More HIPAA Liaison

HIPAA Medical Privacy Laws

The HIPAA Medical Privacy Law Rule sets guidelines for using and disclosing individuals’ health information, also known as PHI. This purview extends to covered entities, including individuals and organizations involved in healthcare. The Privacy Rule upholds individuals’ rights to control and understand how their medical information is used. It strives to protect health information while…
Learn More HIPAA Medical Privacy Laws

HIPAA Privacy Practices

Covered entities must provide a Notice of Privacy Practices (Privacy Notice) to every individual whose PHI is processed by them. Healthcare providers send this notice to new enrollees during initiation and at least once every three years to the existing ones. Self-insured health plans create their own Privacy Notices, while fully insured plans rely on…
Learn More HIPAA Privacy Practices

HIPAA Safeguards

The HIPAA Security Rule defines three crucial standards for safeguarding health information. Administrative Safeguards: these safeguards are vital to manage security measures and protect ePHI. Usually, a designated security officer oversees these actions, which include risk assessments, access controls, incident response, and security awareness training. Physical Safeguards: these measures focus on securing buildings, equipment, and…
Learn More HIPAA Safeguards

HIPAA Sanctions

HIPAA mandates the implementation of sanctions for policy violations within covered entities. This policy focuses on employee sanctions for HIPAA violations by emphasizing the importance of safeguarding patients’ PHI. Key policy components include: Violating HIPAA regulations can lead to penalties ranging from $100 to $250,000 and prison terms of 1 to 10 years. Consistent enforcement…
Learn More HIPAA Sanctions

HIPAA Summary

HIPAA summary is a brief of the HIPAA frameworks. It talks about how healthcare providers and related entities must process health information and the measures to abide by while transmitting or sharing PHI. Key topics covered in the HIPAA summary are: The Privacy Rule (PHI and Key Concepts) The Privacy Rule governs the use and…
Learn More HIPAA Summary

HIPAA Waiver Form

A HIPAA waiver form, also known as a medical record information release form, allows patients to authorize third parties to access their health records. It also permits healthcare providers to share information when needed. Patients can revoke or change these permissions at any time. Sharing medical records without a HIPAA authorization form is a violation….
Learn More HIPAA Waiver Form

HITRUST Certification

The HITRUST Common Security Framework (CSF) is a certifiable framework that integrates and harmonizes multiple regulatory requirements, standards, and best practices related to information security and data protection. Developed by the Health Information Trust Alliance (HITRUST), it aims to secure data in heavily regulated industries like healthcare. Organizations can obtain HITRUST certification through…
Learn More HITRUST Certification

HITRUST CSF

HITRUST CSF stemmed from the concept of a common security framework: a single tool for managing information security and its risks while meeting regulatory compliance. What’s more, it consolidates the requirements of commonly implemented frameworks, such as HIPAA, NIST, ISO and PCI-DSS, which lets organizations mitigate the issues connected with…
Learn More HITRUST CSF

HITRUST CSF Assurance Program

The HITRUST CSF Assurance Program offers organizations a practical way to validate their compliance with the HITRUST CSF. This framework consolidates legal and regional requirements such as HIPAA, GDPR, NIST guidelines, FTC, laws of states similar to Nevada and Texas, and standards like PCI and COBIT. The two assessment models are self-assessment and validated assessment….
Learn More HITRUST CSF Assurance Program

HITRUST CSF Control Categories

HITRUST CSF Control Categories are a bit complex, with over 150 individual controls in total. The exact number of controls your company needs to focus on can vary depending on how you define “control” and your specific compliance needs. HITRUST organizes its framework into 14 distinct Control Categories, each labeled with a unique identifier from…
Learn More HITRUST CSF Control Categories

HITRUST Implemented, 1-year (i1) Validated Assessment

The HITRUST Implemented, 1-Year (i1) Validated Assessment is a certification process for organizations seeking a foundational level of security assurance. Since it focuses on well-established security controls designed to meet common cybersecurity and compliance requirements without delving into the complexities, i1 is ideal for organizations that Unlike the HITRUST Risk-Based, 2-Year (r2) Assessment which evaluates…
Learn More HITRUST Implemented, 1-year (i1) Validated Assessment

HITRUST Inheritance Program

The HITRUST Inheritance Program lets organizations rely on shared security controls provided by internal IT services or external third parties, like service providers, vendors, cloud platforms (SaaS, IaaS/PaaS), colocation data centers, and other managed services. For example, if you’re using Salesforce, the HITRUST Inheritance Program allows you to incorporate the controls Salesforce uses into your…
Learn More HITRUST Inheritance Program

HITRUST ISO 27001 Mapping

HITRUST and ISO 27001 are two of the most challenging yet highly sought-after information security certifications, especially for companies in the healthcare industry or those looking to partner with healthcare organizations. Often, meeting just one of these standards isn’t enough to satisfy all contractual requirements. That’s where mapping security controls between HITRUST and ISO 27001…
Learn More HITRUST ISO 27001 Mapping

HITRUST MyCSF Tool

The HITRUST MyCSF Tool is a Software-as-a-Service (SaaS) platform that assists organizations in tracking and reporting on the requirements of the framework. It makes it easier to identify how control activities are implemented and to prepare for certification. It is designed for organizations that wish to prepare for and pass their HITRUST i1 and r2 assessments: to…
Learn More HITRUST MyCSF Tool

Hybrid Entity

A Hybrid Entity in HIPAA is a covered entity that performs some of its functions as a covered entity (relating to healthcare) and others as a non-covered entity. These entities can obtain some regulatory relief, as their non-covered functions don’t need to comply with the full scope of the HIPAA privacy rules.
Learn More Hybrid Entity

Hybrid Entity

A legal entity that carries out both covered as well as non-covered functions may designate itself as a hybrid Entity under HIPAA and may choose not to apply the Privacy Rule to its non-healthcare components, whereas all covered healthcare components must be in compliance with HIPAA, and the covered entity retains security compliances, oversight, and…
Learn More Hybrid Entity

IaaS

Infrastructure as a Service (IaaS) is a cloud computing service that provides customers with access to computing infrastructure (such as servers, storage, and networking) on a pay-per-use basis. IaaS enables customers to rent or lease infrastructure resources on an as-needed basis rather than purchase and maintain their in-house infrastructure. With IaaS, customers can scale their…
Learn More IaaS

ICO

The Information Commissioner’s Office (ICO) is the office of the independent regulatory body that focuses on upholding information rights by processing complaints and carrying out actions pertaining to breaches and international duties in the best interest of the general public. Every organization that processes personal data should register with the ICO, which then collates registrant…
Learn More ICO

Identity Certificate

A digital certificate refers to an electronic “password” that allows a person or an organization to share data securely over the web on the public key infrastructure (PKI). Digital Certificate is also called an identity certificate or a public key certificate.
Learn More Identity Certificate

IDS

An Intrusion Detection System (IDS) is a system or software that monitors network traffic and systems for signs of malicious activity and violations of security policies. The IDS then issues alerts on the detection of any intrusions or security threats in real time so that database administrators or security analysts can take necessary actions…
Learn More IDS

IETF

The Internet Engineering Task Force (IETF), formed in 1986, is a Standards Development Organization (SDO) for the Internet. It is responsible for developing and evolving standards that comprise the Internet protocol suite. It is a large international community of network operators, designers, and researchers who work towards a common goal to develop and promote standards…
Learn More IETF

Information Access Rights

Access Rights are the permissions an individual user or an application holds to read, write, delete, modify, or otherwise access a computer file, change settings or configurations, or add or remove applications. An organization’s technology administrator can configure permissions for files, folders, servers, or specific applications on the computer.
Learn More Information Access Rights

Information Asset

An information asset is a body of data defined and managed as a single entity so that it can be understood, protected, shared, and utilized effectively and have manageable and recognizable value, content, risk, and lifecycles.

Integrity & Confidentiality Security

The CIA triad is a well-accepted model that enterprises use to evaluate their security capabilities and risk in case of a cyberattack. Confidentiality is a set of rules implemented to limit access to information, whereas integrity is the assurance that the information is accurate and trustworthy, and availability is a warranty of reliable access to…

Internal Audit

An internal audit is a type of organizational audit that is conducted by a company’s own employees, rather than by an external third party. The purpose of an internal audit is to evaluate and improve the effectiveness of a company’s internal controls, risk management, and governance processes. Internal audits may cover a wide range of…

Internal Corporate Governance

Internal corporate governance refers to the processes and structures a company puts in place to ensure that it is managed ethically, transparently, and accountably. It includes the policies, procedures, and systems that a company uses to make decisions, set and achieve strategic goals, and manage risks. An example of internal corporate governance might be a…

International Conference

The International Conference is an annual event where international and sub-national authorities gather. It brings together industry and subject matter experts from different industries. Data protection stakeholders in Europe meet their colleagues from Canada, Latin America, Japan, and other countries in the Asia-Pacific region to discuss issues related to challenges, interests, and strategy.

ISACA

ISACA is a global association serving IT governance professionals, risk managers, cybersecurity stakeholders, and others. It was originally called the Information Systems Audit and Control Association. Founded in 1969, ISACA is a nonprofit organization offering IT knowledge and certification to about 140,000 members across hundreds of business and government enterprises around the globe. ISACA…

ISMS

An information security management system (ISMS) is a set of procedures and policies for systematically managing an enterprise’s sensitive information. The goal of an ISMS is to detect and minimize risk while ensuring business continuity by proactively countering the impact of a security breach.

ISO 27001 Awareness

ISO 27001 Awareness refers to the knowledge and understanding of your organization’s personnel regarding ISO 27001 regulatory compliance and its components. The awareness helps educate your personnel on risks, threats, incidents, and breaches and teaches them how to treat sensitive data, software, and assets. It also helps them work efficiently during breach instances and mitigate…

ISO 27001 BCP

ISO 27001 Business Continuity Planning (BCP) is a part of the overall objective of ISO 27001, i.e., providing a strong and reliable information security framework for your organization. It refers to the structured approach to upholding an organization’s ability to continue its business operations efficiently during security upheaval and afterward. The key steps involved in…

ISO 27001 Data Destruction

ISO 27001 Data Destruction is an integral component of the overall framework that deals with data management when disposing of your organization’s sensitive and personal data. The standard specifies that the data you collect should be erased when it is no longer serving its purpose and should never be recovered. Here is what goes into…

ISO 27001 Domains

ISO 27001 is divided into 14 domains. The reason ISO 27001 is divided into these domains is that it gives a more structured approach towards a holistic framework, and each of these domains handles a significant part of the objectives. ISO 27001 Domains are: These domains ensure personnel, data, controls, and systems…

ISO 27001 KPI

ISO 27001 KPIs are measures of your company’s ISMS efficiency and effectiveness. These metrics can be employed to assess the effectiveness of your company’s incident response, access control, and other practices. They reveal which areas need to be brought to an acceptable efficiency level. The following are some of the KPIs: Other…

ISO 27001 Risk Treatment Plan

ISO 27001 risk treatment plan is a component of the overall ISO 27001 framework that deals with your business’s treatment and implementation of plans regarding identified security risks. This risk treatment plan is crucial for your organization as it allows you to devise ways to mitigate any potential risk and reduce downtime, financial losses, etc….

ISO 27001 Security Awareness Training

ISO 27001 Security Awareness Training is crucial to the overall ISO 27001 security objective. According to the framework, all company employees, as well as contractors and freelancers, should receive awareness education and training along with regular updates on organizational policies and procedures. The training also depends on the job function. Usually, security awareness training is given to…

ISO 27001 Security Metrics

The ISO 27001 Security Metrics are critical metrics that present an insight into your company’s performance and progress relative to the ISMS compliance standards. These metrics enable your organization to measure success daily and provide an easy-to-follow method for regulatory compliance. Key aspects of ISO 27001 Security Metrics: These metrics support your company in making…

ISO 27001 Third-Party Audit

An ISO 27001 third-party audit is an examination conducted by an independent body to assess how your organization applies and implements the recommended measures. In this case, how security is implemented in your company, and its effectiveness and efficiency, are audited. Third-party audits verify your organization and examine its compliance with a globally accepted framework’s standards. They provide…

IT Infrastructure Library

IT Infrastructure Library, abbreviated as ITIL, is a compilation of guidelines for managing IT services to enhance service levels. One of the primary objectives of ITIL is to ensure that IT services remain relevant to the business agenda and stay on track as that agenda evolves. ITIL has evolved a lot over the years. The first…

Joint Authorization Board

A Joint Authorization Board (JAB) provides FedRAMP (Federal Risk and Authorization Management Program) authorization to cloud service providers. The Board consists of the Chief Information Officers (CIOs) from the DHS (Department of Homeland Security), DoD (Department of Defense), and GSA (General Services Administration). The JAB reviews authorization packages based on the priority queue for…

Joint Supervisory Authorities

Joint Supervisory Authorities is a model that organizes data protection supervision of large IT databases based in Europe and some agencies in the field of law enforcement and national data protection authorities. They inspect CIS databases, provide advice, and examine access requests.

Large-Scale IT Systems

Large-scale IT systems are set up by the European Union and include:
– Visa Information System
– Schengen Information System
– Customs Information System
– Internal Market Information System
The national DPAs and the EDPS work in joint collaboration to coordinate and supervise these databases.

Lead Auditor

A lead auditor has the necessary expertise and skills to perform an Information Security Management System (ISMS) audit by implementing widely recognized audit procedures, principles, and techniques.

Limited Data Set

A limited data set is defined as health information that excludes certain listed direct identifiers but that may include city; ZIP code; state; elements of date; telephone numbers, fax numbers, and other characteristics, numbers, or codes not listed as direct identifiers. The Privacy Rule’s limited data set provisions define the direct identifiers that…

Logical Controls

Logical controls are automated systems that manage a person’s ability to access one or more resources, such as a workstation, application, network, or database. A logical access control system requires authentication of an individual’s identity using a mechanism such as a biometric, a personal identification number (PIN), a card, or another token. Different access privileges can…

Management Assertion

A SOC 2 Management Assertion is a statement by a company’s management related to its system undergoing an audit. This statement is concerned with the effectiveness of the company’s internal controls related to security, availability, processing integrity, confidentiality, and privacy. The management acknowledges that the information they have provided is accurate per the descriptions.  Additionally,…

Management Controls

Management controls are actions implemented to manage the development, maintenance, and use of the system, including procedures, system-specific policies and rules of behaviour, individual accountability, individual roles and responsibilities, and personnel security decisions.

Mandatory Procedures

Mandatory procedures explain the rules for how employees, partners, consultants, board members, and other end users access internet and application resources, share data over networks, and otherwise practice responsible security.

Manned Security

Security personnel are physically present to guard properties, people, assets, or more against the threat of entry, theft, assault, or criminal damage.

Member State

The GDPR lists member states or countries that have chosen to comply with the regulation. This includes countries within the European Union—Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden as well as countries…

NIST 800-115

NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, aims to help organizations discover system vulnerabilities through risk assessment and periodic penetration testing. This helps them understand the effectiveness of their security controls and the flaws that could be exploited by an attacker. This guide has been divided into some chapters…

NIST 800-145

NIST Special Publication 800-145, titled The NIST Definition of Cloud Computing, provides standardized terminology for cloud computing to ensure uniformity across organizations and industries. It outlines the key characteristics, deployment models, and service models associated with cloud computing to enhance understanding and cloud adoption. NIST 800-145 outlines five essential characteristics of cloud computing: on-demand self-service,…

NIST 800-172

NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, is an extension of the existing NIST SP 800-171. The current version focuses specifically on sensitive but unclassified information handled by organizations on behalf of the federal government and puts forward additional security requirements and practices pertaining to…

NIST CSF 2.0

NIST Cybersecurity Framework (CSF) 2.0 is an update to the NIST CSF. It expands the principles of NIST CSF and adds more structured guidance on minimizing cybersecurity risks. It covers organizations of all sizes, irrespective of their security maturity. After the successful debut of the NIST CSF in 2014 and adoption by 50% of US-based organizations…

NIST CSF Core Functions

The NIST Cybersecurity Framework (NIST CSF) comprises five core functions: Identify, Protect, Detect, Respond, and Recover. These functions offer guidelines to industries, governments, agencies, and organizations of all sizes, sectors, and maturity levels to manage their cybersecurity risks effectively. These are further divided into five categories and subcategories. Let’s understand each of these: Identify (ID):…

NIST CSF Informative References

Informative references in NIST CSF are the sources that help to achieve a particular requirement. These sources are mapped to other guidelines, frameworks, or practices that are common among all sectors.  For example, the Identify function in NIST CSF includes the subcategory that requires users to build an inventory for their physical devices and systems….

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) is a set of best practices that organizations can use to safeguard their data and enhance cybersecurity. Developed by the National Institute of Standards and Technology (NIST), the framework helps organizations protect critical infrastructure in sectors such as healthcare and manufacturing. NIST CSF is flexible, adaptable, and widely used to benchmark…

NIST Framework Profile

A NIST Framework Profile is an organization-specific configuration of the NIST Cybersecurity Framework (CSF) based on its business requirements, goals, and risk appetite. It functions as an adaptation of how the organization applies the five core functions of the framework: Identify, Protect, Detect, Respond, and Recover. There are two ways a…

NIST Identity and Access Management (IAM) Framework

The NIST Identity and Access Management (IAM) Framework is intended to help organizations ensure that only authorized individuals have access to critical resources, reducing unauthorized access to information systems and data breaches. The framework guides organizations in developing and maintaining digital identities, as well as administering effective access controls. The NIST IAM Framework mainly deals…

NIST Privacy Framework

The NIST Privacy Framework is a set of guidelines and recommendations that help organizations minimize privacy risks while collecting or storing personal information. It integrates privacy into product or service design while assuring compliance with relevant law and building customer trust. The framework was created due to the growing number…

NIST Risk Management Framework (RMF)

NIST Risk Management Framework (RMF) is a seven-step repeatable process to manage and mitigate risks related to information systems. Developed by the National Institute of Standards and Technology (NIST), the framework was originally developed for federal agencies but has since been adopted by various industries to achieve compliance and manage cybersecurity risks. The framework integrates…

NIST SP 800-53

NIST SP 800-53 is a special publication by the National Institute of Standards and Technology titled Security and Privacy Controls for Information Systems and Organizations. It provides a comprehensive set of security and privacy controls organized into control families that support the development of safe and secure information systems. Primarily developed for federal agencies, it can…

Non-Repudiation

In the context of ISO 27001, non-repudiation is one of the five pillars of information assurance. It refers to the inability to deny the validity of something and provides proof of the origin and integrity of data. Non-repudiation is guaranteed through digital signatures and/or encryption.

Nonconformity

A company is at risk of nonconformity if it does not comply with the requirements of ISO 27001, that is, if its documentation specifies a process the organization is not following, or if the organization is not fulfilling contractual requirements in its dealings with third parties.

OCR

The Office for Civil Rights (OCR) promotes medical excellence throughout the nation by ensuring equal access to certain health and human services while protecting the privacy and security of health information.

Office of Management and Budget

The Office of Management and Budget (OMB) is the organization behind the president’s budget in the United States. It is the biggest office under the Executive Office of the President (EOP).  The FedRAMP (Federal Risk and Authorization Management Program) guidelines were created by the OMB in 2011. The main purpose of this government program is…

Organizational (Security) Measures

Organizational and Technical security measures imply those measures aimed at protecting personal data against accidental loss, alteration, unlawful destruction, unauthorized access, or disclosure, in particular where the processing involves data over a network, in transit,  and against all other unlawful forms of processing.

Organizational Controls

Organizational controls reduce or mitigate the risk to the organization’s assets, including people, property, and data and include any type of policy, technique, procedure, method, solution, action, plan, or device designed to help accomplish that goal.

PA DSS

Payment Application Data Security Standard (PA DSS) is a set of security requirements and assessment procedures created by the PCI Security Standards Council that aims to help software vendors develop secure payment applications to protect cardholder data and comply with PCI DSS. The standard is intended for developers and vendors who create various payment applications, such as POS…

Parental Consent

Article 8 of the GDPR lists specific conditions with regard to the collection and processing of personal information of children. It mandates that in order to process information for any child under the age of 16, organizations are required to gain consent from individuals that hold the parental responsibilities of the child. The individual that…

PCI DSS – Level 1

PCI DSS – Level 1 is the highest level of this compliance. It applies to any merchant that processes more than 6 million card transactions per year. At this level of compliance, a merchant must adhere to the level 1 grade controls that include making an annual report by a qualified security assessor (QSA) or…

PCI DSS – Level 2

PCI DSS – Level 2 applies to merchants that process more than 1 million and less than 6 million card transactions annually. At this level of compliance, a merchant must adhere to the level 2 grade controls that include completing the self-assessment questionnaire and having an onsite audit.

PCI DSS – Level 3

PCI DSS – Level 3 applies to merchants that process 20,000 to 1 million card transactions annually. At this level of compliance, a merchant must adhere to level 3 grade controls and policies. Some of these are completing the self-assessment questionnaire, doing quarterly vulnerability scans, submitting an attestation of compliance form, etc.

PCI DSS – Level 4

PCI DSS – Level 4 applies to merchants that process less than 20,000 card transactions per year. At this level, merchants are required to adhere to level 4 grade protocols, and the business should not have encountered cyber attacks that compromised cardholder data.

PCI DSS Approved Scanning Vendor

An ASV is an organization that uses a set of security tools and services (called “ASV scan solution”) to perform external vulnerability scans. Their goal is to test the security posture of a business environment and identify vulnerabilities, misconfigurations, and other gaps in a security system that can be used to cause a security incident. …

PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines established in 2004 by none other than the major credit card companies like MasterCard, Visa, Discover Financial Services, JCB International, and American Express. To get to know what PCI DSS involves in one go, take a look at the six…

PCI DSS Rules

PCI DSS rules are global security standards for any organization dealing with cardholder data to reduce security incidents, information theft, and data breaches in the payment industry.  Here are the 12 PCI compliance requirements or rules you need to know:

PCI DSS Standards

The PCI Data Security Standard (PCI DSS) safeguards cardholder data and sensitive authentication information when processed, stored, or transmitted. The PCI DSS universe is built of 3 important components. They are:
– PCI Data Security Standard (PCI DSS): This component applies to any company that deals with cardholder data, whether it’s storing, processing, or transmitting it….

PCI Environment

PCI Environment is a global security standard that applies to organizations that process cardholder data or sensitive authentication data.  This standard sets a minimum level of security to protect consumers and reduce fraud and data breaches in the payment industry. It’s relevant for any organization that accepts or processes payment cards. Is PCI compliance legally…

PCI Patch Management

PCI patch management is an important aspect of PCI Requirement 6.2. According to the rule, an auditor should review your company’s policies and procedures to confirm the existence of a patch management process.  The specific section that addresses the patching is 6.3 – “Security vulnerabilities are identified and addressed.” However, while you can see that…

PCI PTS

PTS stands for PIN Transaction Security. It’s a set of security evaluations created by the Payment Card Industry Security Standard Council (PCI SSC). PTS safeguards cardholder data at interaction points (like payment terminals) and hardware security modules (HSMs). Why is PCI PTS Important?  In the payment industry, trust is important. Organizations must be reliable to…

PCI QSA

The PCI Security Standards Council has a program called Qualified Security Assessors (QSAs) for security companies. QSAs need to get certified and re-certified each year. The founders of the Council trust QSAs certified by them with the task of auditing companies to ensure adherence to the PCI DSS standard. PCI Security Standards Council has set…

PCI Security

PCI security drafts the guidelines organizations must adhere to in order to comply with the Payment Card Industry Data Security Standard (PCI DSS). These guidelines ensure that any company processing credit card information has and maintains a secure environment to protect cardholder data. PCI DSS was established in 2006. The PCI Security Standards Council (PCI SSC), created…

PCI SSC

PCI SSC is the acronym for Payment Card Industry Security Standards Council. The council was created by the collective efforts of American Express, JCB International, MasterCard, Visa Inc, and Discover Financial Services on September 7, 2006. The primary purpose of PCI SSC was to manage the Payment Card Industry Data Security Standard (PCI DSS)…

PCI SSF

PCI SSF, or the PCI Software Security Framework, has a significant impact on software vendors. It blends traditional and modern security requirements and is designed to work with the latest technology and development methods. It covers old and new security practices for payment applications. PCI SSF allows software vendors to offer PCI-validated payment software. This…

PCI Validation

PCI Validation is a part of handling cardholder data. You might be a small startup or a big company, but you need to follow the PCI DSS as part of your contract. However, it’s not a one-time thing; you must stay compliant and validate it yearly. Hence, to validate your PCI compliance, you must keep…

PDCA Cycle

The Plan-Do-Check-Act (PDCA/PDSA) cycle is a simple and effective approach with a continuous loop of planning, doing, checking (or studying), and acting, and it is generally used for testing improvement measures on a smaller scale before scaling procedures and working practices.

Perimeter Security

In the cybersecurity and IT environment, perimeter security protects a company’s network boundaries from unwelcome guests like hackers and intruders. It involves keeping an eye out for potential threats, analyzing patterns, and responding effectively.  Why does perimeter security matter? Perimeter security is your first line of defense in the digital world. It’s vital because, instead…

Personal Data Breach

Within the context of the GDPR, a personal data breach is an incident that occurs when an individual experiences a security lapse that causes the accidental or deliberate destruction, alteration, loss, exposure, or unlawful access of personal information. In the event of a data breach, the data controller must alert the supervisory authority within 72…

Personal Data Filing System

Personal Data Filing System in GDPR is defined as “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis”. Essentially, it defines a filing system in relation to structured personal data. Data filing must be structured to enable easy access…

PETs

PETs or Privacy Enhancing Technologies in GDPR refer to a coherent system that uses a set of measures to protect privacy. It reduces or eliminates personal data or prevents unnecessary processing of data while maintaining the functionality of the system. PETs help to fight and detect breaches.

PHI

Protected Health Information (PHI) refers to any data in a medical data record that can be used to identify an individual. This data was created, used, or disclosed during the course of offering health services to a patient.  The Privacy Rule of HIPAA extensively covers the rights an individual has over this information. Covered entities…

Physical Safeguards

Physical safeguards are a wide range of physical security measures that prevent unauthorised access to a covered entity’s physical assets and electronic information assets. They protect against both natural and environmental hazards and any kind of intentional intrusion. Examples include installing security cameras, fire safety systems, and biometric access controls.

Physical Safeguards

Physical safeguards are the physical measures, procedures, and policies that protect a covered entity’s electronic information systems and related equipment and buildings from natural and unnatural hazards and unauthorized intrusion.

PII

PII refers to Personally Identifiable Information or any information used to identify a person. SOC 2 requires businesses that handle sensitive data to implement appropriate controls to ensure PII’s confidentiality, integrity, and availability. Examples of PII in a SOC 2 report include names, addresses, telephone numbers, email addresses, social security numbers, and financial information such…

Privacy

Privacy is one of the five trust service criteria of SOC 2. It concerns the personal information an entity collects, uses, retains, discloses, and disposes of to meet its objectives. The privacy principle aims to ensure that service organizations that handle sensitive personal information do so in a responsible and trustworthy manner. They should have appropriate controls in place to…

Privacy By Design

Privacy by Design is an approach that was developed to battle the ever-increasing threats to information privacy and security. It implements privacy at the core of engineering and design methodology for any product, service, system, or process. The scope of privacy doesn’t end with design but rather extends throughout the lifecycle of any such product….

Privacy Notice

Also known as a fair processing notice, a privacy notice is one of many documented notifications that must be provided to customers and other parties. Under the rules of the GDPR, every data controller must provide customers with information on how they plan to store and process their personal information. This notification serves two purposes—…

Privacy Official

A Privacy Official is an authorised point of contact for handling privacy issues and concerns to ensure the confidentiality and security of protected information. Any breach-related complaints are made to the Privacy Official.

Privacy Official

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Officer is responsible for developing, managing, and implementing processes to ensure the organizations are in compliance with applicable federal as well as state HIPAA regulations and guidelines, particularly for the organizations having access to and using protected health information (PHI).

Privacy Shield

Privacy Shield is an informal agreement between the United States and the European Union. It specified regulations that were designed to ensure that any transfer of personal data from within the European Union to the United States conforms to the data protection standards of the EU. It included a number of assurances from the government…

Processing Integrity

Processing Integrity is one of the five trust service criteria of SOC 2. It refers to how complete, valid, accurate, timely, and authorized your system processing is. It seeks to address whether your system meets the goal without error, delay, omission, or unauthorized manipulation. Processing integrity is addressed at the functional or system level.  The…

Processor Agreement

A DPA, or Data Processing Agreement, is an agreement between a data processor (for instance, a third-party service provider) and a data controller (such as a company) to regulate any personal data processing that might be conducted for business purposes. A DPA is also known as a GDPR data processing agreement.

Public Health Activities

Public health activities include the reporting of disease or injury; conducting public health surveillance; reporting vital events (e.g., births or deaths); reporting child abuse and neglect;  investigations or interventions; and monitoring adverse outcomes related to drugs, food (including dietary supplements), biological products, and medical devices. Covered entities may report adverse activities related to public agencies or…
Learn More Public Health Activities

Purpose Limitation

In practice, organizations must:
– Clearly define the purpose for which personal data is collected and what they intend to do with it;
– Specify those purposes in line with their documentation obligations;
– Fulfil their transparency obligations by communicating to individuals the purposes for which their personal data is collected; and
– Ensure that if they plan to disclose or use personal data for any…
Learn More Purpose Limitation

QSA

A QSA, or Qualified Security Assessor, is an AICPA (American Institute of Certified Public Accountants) trained professional. They assess your organization’s systems and controls as required by the SOC 2 standard. QSAs are responsible for conducting independent assessments of your organization and preparing a report based on their findings and observations. They would review your…
Learn More QSA

Qualitative Risk Assessment

Qualitative risk assessment is the process of identifying risks and analyzing the impact they would have on a project. Project managers can prioritize risk as per probability and impact while detecting the main areas of risk exposure and improving understanding of project risks.
Learn More Qualitative Risk Assessment

Quality Control

SOC 2 quality control refers to the measures and policies a service organization should implement to ensure that their systems, processes, and controls meet the SOC 2 standards. These measures can include internal audits, control testing, or a review of policies and procedures as often as needed. Quality control aims to ensure that you offer…
Learn More Quality Control

Quality Report

A SOC 2 quality report is a document that service organizations use to demonstrate that they have adequate controls, policies, and processes in place to secure customer data. These controls are related to the five trust principles: security, availability, processing integrity, confidentiality, and privacy. Security is the most important and compulsory criterion, while others can…
Learn More Quality Report

Quantitative Risk Assessment

Quantitative risk assessment provides numerical characterizations of risk and relies primarily on the use of good methods, techniques, and models from the multiple disciplines employed by USACE. Thus, it comprises good economics, engineering, and environmental analysis.
Learn More Quantitative Risk Assessment

Recovery Time Objective

The Recovery Time Objective (RTO) is the maximum time that can elapse, during or after a disaster, before an enterprise must restore its processes or services to acceptable levels; beyond that point it will experience unendurable consequences associated with the disruption.
Learn More Recovery Time Objective

Registration

During the 2 to 3 months your company is still building its quality system, you’ll need to begin searching for an ISO registrar on the ANSI-ASQ National Accreditation Board (ANAB) to select the registrar right for you. Registrars must fulfill the requirements of the ISO Accreditation Bodies.
Learn More Registration

Regulation (EC) No 45/2001

Regulation (EC) No 45/2001 is concerned with the protection of individuals in relation to personal data processing by EC institutions. It requires each institution to appoint a data protection officer and establishes the European Data Protection Supervisor as an independent data protection authority.
Learn More Regulation (EC) No 45/2001

Regulatory Standard

Regulatory compliance standards ensure a company follows industry regulations, standards, and legal requirements for information security and data privacy. There are so many regulations that if US regulation were a country, it would be the world’s eighth largest economy.

Importance of regulatory standards in cybersecurity

Cyberattacks can target any organization, whether you are a…
Learn More Regulatory Standard

Resilience

Cyber resilience is an enterprise’s ability to enable business acceleration (enterprise resiliency) by preparing for, countering, and recovering from cyber threats and adapting to known and unknown crises, adversities, threats, and challenges.
Learn More Resilience

Restricted

An authenticator class, type, or instantiation whose use carries an added risk of false acceptance and which is therefore subject to added requirements.
Learn More Restricted

Restriction on Processing

Restriction on Processing is a right given by GDPR which allows individuals to restrict the processing of their data in certain circumstances. This acts as an alternate option to requesting complete removal/erasure of data. It is applicable when the data is inaccurate, lawfully processed, no longer needed by the controller but needed by the individual,…
Learn More Restriction on Processing

Right of Access

Under the CCPA right of access, sometimes known as the right to know, California consumers can obtain specific information about the personal data that businesses have collected about them. This information includes: Under the CCPA, the Right of Access grants the residents of California the following entitlements: Companies are required to disclose the…
Learn More Right of Access

Right of Data Portability

The right of data portability is a privacy right that allows individuals to request their personal data from a service provider in a structured, easily understood, and machine-readable format. With this right, customers can transfer their data to another service provider without hindrance. Under CCPA (California Consumer Privacy Act), the right of data portability falls…
Learn More Right of Data Portability

Right of Information

Right of information gives individuals the right to be informed about how their personal data is collected and used by the controller. If the data is directly obtained, the concerned person must be informed at the time of obtaining the data. If the data is not directly obtained, the concerned person must be informed within a…
Learn More Right of Information

Right of Rectification

Right of Rectification gives individuals the right to rectify incorrect data held by the controller without any undue delay. The individual has the right to get inaccurate data edited by providing supplementary information.
Learn More Right of Rectification

Right To Access

According to article 15 of the GDPR, every individual has the right to access information about their held data and details of processing criteria. This right forms the basis on which every other right under the GDPR is exercised. The fulfillment of this right happens in two distinct stages. The data controller first analyzes if…
Learn More Right To Access

Right To Be Forgotten

The Right to be Forgotten is a right that is afforded to every individual under article 17 of the GDPR. It states that any individual can invoke the right to have their personal information completely erased from the data controller’s records without undue delay (which amounts to about 30 days from the request). This is done…
Learn More Right To Be Forgotten

Right to Object

The Right to Object in Article 21 of the GDPR provides individuals with the right to object to their personal data being processed at any given time. It applies where the data is used for direct marketing, to carry out a task in the public interest, where legitimate interests are concerned, and where the exercise…
Learn More Right to Object

Risk Appetite – Risk Management

Risk appetite refers to the level and type of risk an organization will embrace to achieve its strategic goals. Companies will have varying risk appetites based on industry, culture, and objectives. Typically, a board of directors approves a risk appetite statement that captures the organization’s stance on risk and willingness to confront it in specific…
Learn More Risk Appetite – Risk Management

Risk Assessment

A systematised procedure that involves identifying current and potential risks and analysing the magnitude of each risk so that the corresponding threats can be managed accordingly. It supports better and well-informed decisions.
Learn More Risk Assessment

ISO 27001 BCP

ISO 27001 Business Continuity Planning (BCP) is a part of the overall objective of ISO 27001, i.e., providing a strong and reliable information security framework for your organization. It refers to the structured approach to upholding an organization’s ability to continue its business operations efficiently during security upheaval and afterward. The key steps involved in…
Mar 14, 2024

Business Impact Analysis

A Business Impact Analysis (BIA) is a critical process that predicts the potential consequences of a disruption to your business. It collects information necessary for creating proper recovery strategies. The extent and complexity of your BIA should align with your organization’s size and intricacy. Larger and more complex institutions may have a more detailed list…
Mar 04, 2024

PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines established in 2004 by none other than the major credit card companies like MasterCard, Visa, Discover Financial Services, JCB International, and American Express. To get to know what PCI DSS involves in one go, take a look at the six…
Mar 04, 2024

APT- Advanced Persistent Threat

An Advanced Persistent Threat (APT) is a highly sophisticated and long-lasting cyberattack strategy. In an APT, intruders infiltrate a network covertly, aiming to steal sensitive data over an extended period while avoiding detection.

Key APT objectives:

GhostNet APT

One notable example of an APT is GhostNet. Discovered in March 2009, GhostNet is considered one of…
Mar 04, 2024

CMMC Assessment Scope

Determining the scope of your CMMC assessment is a prerequisite for a successful certification process. It sets the groundwork by outlining what you need to evaluate. This approach reduces the assessment’s duration and minimizes the impact of security controls on your workforce. This is why it is essential to account for every asset, whether within…
Mar 04, 2024