Compliance Glossary Terms

The world of Compliance is far from simple, and many people starting out on their professional journey struggle to understand the many acronyms and technical terms in common use throughout the industry. From GRC, to Normalized Data, to Automated Evidence, we’ve included the most popular industry terms with explanations here. Read on to familiarize yourself with the essential phrases you'll need to know to build a successful Compliance program.

Audit Scoping

Audit scoping refers to determining the bounds of the audit, including the time frame and activities that will be covered by the audit. Determining the scope of an audit is critical to developing an effective plan and ensuring that the audit meets its objectives.


Automated Evidence

Automated Evidence refers to data that has been collected from systems through an automated technical solution, rather than pulled manually. When conducting an audit, automated evidence programs rapidly obtain relevant data for the compliance manager, providing quick access to nonconformities and anomalies. Automated evidence collection is significantly faster than manual collection and can be used by compliance managers to make real-time decisions.


Cloud Security Compliance

Cloud security compliance includes a number of potential frameworks that typically fit into two distinct categories: 1. compliance centric, 2. security centric. The former category includes certifications such as STAR, FedRAMP, and SOX, while the latter includes ISO 27001, NIST, and CIS Controls. Most frameworks for cloud security will assess factors such as governance and change control, and solutions will include continuous automated monitoring and reporting, along with vulnerability management.


Compliance Framework

Part of a compliance program, a compliance framework lays out the strategies an organization uses to ensure that it remains in compliance with both internal and external regulations. The compliance framework should provide a set of tools and a common language for stakeholders to conduct and maintain their compliance processes across departments.


Compliance Program

A compliance program maps out a company’s strategy for making sure it adheres to internal and external restrictions and regulations. This includes aspects as varied as conducting internal auditing to ensure that policies are being followed, to investigating that users are engaging with sensitive data through the proper channels, to analyzing and tracking possible breaches of policy. Compliance programs differ based on an organization’s space - for example, due to legal requirements, a medical company’s compliance program will look different from that of an insurance company.


Controls Convergence

With the growing number of frameworks organizations adopt, all of which are focused in some way on security, most controls overlap with controls of other frameworks. There are two ways to address this reality: either by working in silos, closing frameworks one by one, or by consolidating controls based on similarity, which helps manage them efficiently, one type at a time.

GRC

The term GRC is an acronym referring to an organization’s approach towards Governance, Risk Management, and Compliance. A company’s GRC team or responsible employees make sure that the business is on track in terms of meeting goals, operating smoothly, predicting and mitigating risks, and adhering to both internal and external restrictions and boundaries. Generally speaking, a company’s GRC strategy includes input from departments such as IT, Finance, Legal, Risk, and more.


HIPAA Compliance

Short for the Health Insurance Portability and Accountability Act, HIPAA is the gold standard when it comes to data protection in the healthcare industry. The framework covers three main areas: administrative, physical security, and technical security, and is viewed as a prerequisite for doing business across the industry. Violating the terms can come with fines ranging anywhere from $50,000-$250,000, and violators may also face lawsuits from patients, depending on the state. Even third parties, service providers, and technology suppliers to the healthcare industry might be required to comply with HIPAA, if not by the regulator itself, then by the regulated organizations through their contracts with the third party.

ISO 27001 Compliance

One of the most popular standards for Information Security, ISO 27001 is often the compliance framework of choice in the financial industry, spanning banks, insurance companies, and additional financial institutions. The framework differs from the popular SOC 2 option in that, in addition to data security, it also certifies that an organization has an operational Information Security Management System (ISMS) in place.

There are other important entries in the ISO 27000 family including:


  • ISO 27002 - Code of practice for ISO 27001
  • ISO 27005 - Techniques for security risk management
  • ISO 27017 - Code of practice for cloud services (both customers-of and providers)
  • ISO 27018 - Code of practice for protecting PII, when using public cloud services
  • ISO 27032 - Techniques for cybersecurity
  • ISO 27701 - Extension of ISO 27001 and its code of practice (ISO 27002) for privacy information management (in a way, ISO27k flavored for GDPR or something similar)


InfoSec

Infosec is short for Information Security, meaning a set of policies or regulations put in place to safeguard a company’s data or other assets from unauthorized access or use. Infosec regulations ensure that an organization’s sensitive information is secure.


InfoSec Compliance

InfoSec Compliance refers to ensuring that regulations and policies around information security are followed within an organization. Information Security includes restrictions that protect a company’s sensitive information, like data and other Information Technology (IT) assets.


Normalized Data

Traditionally, compliance managers used to take screenshots of user interfaces, which showed settings and proved the existence of controls. On one hand, this was easy to digest. On the other hand, when organizations have a complex IT stack and each platform has its own set of screenshots to take, the process can take a lot of time.


Now, with APIs built into every platform, the data can be brought via the API in XML / JSON structure. However, that data is not so easy to digest. Normalizing the data means structuring it in a way that reflects the existence of the control. Moreover, with modern types of evidence, the data can be sorted and filtered easily, so auditors can look at samples as much as they want, enlarge the sample size when and where needed, without the need to ask the compliance manager to "go fetch" more for them. It's all there already, and ready to be looked at.

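As an added example (not code from the original page), the following Python normalizes two constructed JSON payloads, imitating what two hypothetical platforms might return for user accounts over their APIs, into one common evidence record per identity that states whether an MFA control is satisfied. The platform schemas, the control identifier `AC-MFA-01` and the sample accounts are all made up for illustration; once normalized, the records can be sorted, filtered for nonconformities and sampled at any size without going back to the source platform.

```python
"""Added example: normalizing raw API evidence into control-oriented records.

The two payloads below are constructed; they imitate the kind of JSON two
hypothetical platforms ("platform-a" and "platform-b") might return for user
accounts, using different field names and nesting for the same underlying fact.
"""
import json
import random
from dataclasses import dataclass

# Constructed sample payload from hypothetical platform A: a flat boolean flag.
PLATFORM_A_JSON = """
{"users": [
  {"login": "alice", "mfa_enabled": true,  "last_login": "2024-03-01"},
  {"login": "bob",   "mfa_enabled": false, "last_login": "2024-02-11"}
]}
"""

# Constructed sample payload from hypothetical platform B: the same fact is
# expressed as a nested list of authentication factors.
PLATFORM_B_JSON = """
{"data": {"accounts": [
  {"username": "carol", "auth": {"factors": ["password", "totp"]}},
  {"username": "dave",  "auth": {"factors": ["password"]}}
]}}
"""

CONTROL_ID = "AC-MFA-01"  # placeholder internal control id, not from any framework


@dataclass(frozen=True)
class Evidence:
    """One normalized evidence record: a verdict on one control for one subject."""
    control_id: str  # the control the record speaks to
    source: str      # which platform produced the raw data
    subject: str     # the identity the record is about
    compliant: bool  # whether the control is satisfied for this subject
    detail: str      # the raw fact that supports the verdict, kept for auditors


def normalize_platform_a(raw: str) -> list[Evidence]:
    """Map platform A's flat 'mfa_enabled' flag onto the common record."""
    doc = json.loads(raw)
    return [
        Evidence(CONTROL_ID, "platform-a", u["login"], bool(u["mfa_enabled"]),
                 f"mfa_enabled={u['mfa_enabled']}")
        for u in doc["users"]
    ]


def normalize_platform_b(raw: str) -> list[Evidence]:
    """Map platform B's nested factor list onto the common record."""
    doc = json.loads(raw)
    records = []
    for acct in doc["data"]["accounts"]:
        factors = acct["auth"]["factors"]
        # Any factor beyond the password counts as a second factor.
        has_second_factor = any(f != "password" for f in factors)
        records.append(Evidence(CONTROL_ID, "platform-b", acct["username"],
                                has_second_factor, "factors=" + ",".join(factors)))
    return records


def collect_evidence() -> list[Evidence]:
    """Normalize both constructed payloads into one list, sorted for review."""
    records = normalize_platform_a(PLATFORM_A_JSON) + normalize_platform_b(PLATFORM_B_JSON)
    return sorted(records, key=lambda e: (e.source, e.subject))


def nonconformities(records: list[Evidence]) -> list[str]:
    """Subjects for which the control is not satisfied, across all sources."""
    return [e.subject for e in records if not e.compliant]


def sample(records: list[Evidence], size: int, seed: int = 0) -> list[Evidence]:
    """Deterministic audit sample; the auditor can enlarge 'size' at will."""
    size = min(size, len(records))
    return random.Random(seed).sample(records, size)


if __name__ == "__main__":
    evidence = collect_evidence()
    for rec in evidence:
        print(f"{rec.source:10} {rec.subject:6} compliant={rec.compliant!s:5} ({rec.detail})")
    print("nonconformities:", nonconformities(evidence))
```

The verdict and the supporting detail travel together in each record, so an auditor filtering on `compliant == False` still sees the raw fact behind the verdict rather than a bare pass/fail flag.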

PCI-DSS Compliance

The Payment Card Industry Data Security Standard is a body of requirements that all companies storing, processing, or transmitting credit card information must adhere to. Organizations found to be in violation of PCI-DSS may be subject to fines and penalties. PCI-DSS is based on a highly technical checklist, so becoming compliant with this regulation takes less time than with other frameworks.

PCI-DSS Requirements
  • Use firewalls to protect systems
  • Remove vendor default passwords and settings
  • Protect cardholder data stored on systems
  • Encrypt cardholder data across open, public networks
  • Use reputable anti-virus software and keep it regularly updated
  • Regularly update and patch all systems
  • Limit access to cardholder data
  • Assign a unique identifier to anyone with system access
  • Limit physical access to workplace and cardholder data
  • Deploy logging and log management
  • Perform regular vulnerability scans and penetration tests
  • Create and document risk assessments and Information Security policies

SOC 2 Compliance

Applicable to all SaaS and technology companies, this audit attests that customer data is stored and managed in a secure manner. SOC 2 is one of the most common compliance frameworks and is usually considered as a “must have” to bid on RFPs, or partner with enterprises big and small. SOC 2 categories assessed include:

  • Availability - How the business ensures the uptime of systems.
  • Confidentiality - How the business ensures that data they hold remains confidential.
  • Processing Integrity - How the business ensures that processing is, in the words of the AICPA, complete, valid, accurate, timely, and authorized.
  • Privacy - How the business collects, uses, shares, stores, and deletes personally identifiable information (PII).

People often wonder why the other categories aren't simply included under the category of security as well. This is because SOC 2 is all about security, and the additional categories are laser-focused criteria to be considered when special care is needed for confidentiality and/or processing integrity and/or availability and/or privacy.


SOC 2 Compliance Checklist

To establish an effective SOC 2 compliance program, the following steps should be taken:


Set Goals - The organization must clearly define the program’s objectives. They must investigate what is critical to regularly test for, and why. They must also understand which stakeholders (managers, business partners, customers) need access to compliance reports.


Choose Trust Service Criteria (TSC) - Security is the only TSC classified as mandatory by the AICPA for SOC 2 audits. Based on the focus of the organization, businesses should also consider adopting some of the other Trust Service Criteria.


Integrate SOC 2 with other audits - Because SOC 2 covers a lot of the same ground as other audits for specific industry spaces, businesses should consider integrating their SOC 2 report with other compliance initiatives to boost efficiency and save resources.


Choose the report that fits the organization best - SOC 2 reports come in two types, and each organization must select the report that’s right for them:


  • SOC 2 Type 1 - This report highlights the organization’s systems and whether its design is living up to company expectations. Like a blood test, it provides a picture of where the organization’s systems are standing at a particular moment in time. This report is essentially a glance into how systems are operating, giving quick results.
  • SOC 2 Type 2 - This report focuses on the efficacy of the company’s system over a longer period of time. It also analyzes how effectively the system is designed and how smoothly it’s operating. SOC 2 Type 2 delves deeper, helping provide an understanding of its long-term functioning.

Both reports are useful, depending on the organization’s unique needs.

SOC 2 Requirements

Physical Access Controls - The measures taken to prevent unauthorized users from gaining local, physical access to data.


Risk Mitigation - Determining how to manage and minimize potential risk via:


  • Mitigation - This is the common measure, when the organization decides to invest time and effort to reduce the risk level to an acceptable level.
  • Acceptance - This refers to accepting the risk level as-is. It can be because the level is low enough (e.g., after being mitigated to this level) or because nothing can be done to make it better and the probability of the risk occurring is so low that there’s no reason to invest (e.g., putting controls in place against a tornado in countries where they are unlikely to occur).
  • Transfer - This usually refers to buying insurance, which transfers the cost of the risk, if it ever occurs, from the organization to the insurance company.
  • Avoidance - Sometimes the risk is so high that management agrees to avoid the business entirely, thus avoiding the risks that come with it (e.g., not buying a company after a due diligence process during M&A, to avoid the risks that come with that acquisition).

System Operations - A framework for supervising system operations that can recognize and identify deviations from normal procedures.


Change Management - Developing a system that sets out guidelines for changes and prevents unauthorized changes.

Security Compliance

Security Compliance refers to compliance policies specifically geared towards ensuring that a company remains within the bounds of security standards. This may mean ensuring that a company adheres to secured authentication mechanisms and network access, as well as following policies that protect a company’s Information Technology (IT) assets.

Security Questionnaires

Typically encountered in two forms: 1. Vendor Security Questionnaire, 2. Risk Assessment Questionnaire. The latter, Risk Assessment Questionnaire, is a method for identifying potential threats which involves asking questions to key personnel about both risk and the risk management techniques that are currently deployed by the organization. The former, Vendor Security Questionnaire, is nearly the same, aside from the fact that attention should be paid to the length and involvement, as companies shouldn’t place an unreasonable burden on vendors.


Unified Control Framework

As regulations can vary from department to department in a company, a Unified Control Framework serves as a master plan for compliance across an organization. In a UCF, all compliance management should be included in one set of controls. It should set forth general policies regarding compliance that apply to every aspect of the business, rather than letting each department develop its own compliance rules. A UCF provides a holistic, big-picture overview of requirements in each department, so potential conflicts can be quickly spotted and responsibilities assigned transparently.
