Commonly-used Information Security terms and their definitions

Audit: inspection of an organization’s compliance, such as its security processes and controls, that is normally conducted by a third-party assessor and may be used to assure clients of information safety.

Business Associate of a Covered Entity: a person or entity who performs functions or activities for a covered entity and has access to protected health information.

Cloud Compliance/Cloud Security Compliance: the ability of cloud service providers to protect information through effective security provisions and control.

Cloud Management: software and technologies that are used to operate and monitor applications, data, and services in the cloud.

Cloud Management Platform: products that work together to help manage the different public, private, and hybrid cloud environments.

Compensating Control (Alternative Control): short-term mechanisms used to satisfy compliance requirements for security measures that are too difficult or impractical to implement immediately.

Compliance Automation: automation of the workflow involved in compliance using a software platform that groups tasks into a single process, making them easy to schedule and run on a regular basis.

Compliance Data: all the information collected that proves compliance, such as written policies, procedures, and monitoring documentation.

Compliance Management: manner through which an organization ensures that employees follow the rules.

Compliance Tools: any software used to help manage compliance; see also compliance automation.

Controls: procedures or policies used to ensure an organization follows all standards, laws, or regulations. Includes three categories: preventative, detective, and responsive.

Corrective Controls: procedures and policies that organizations use to detect and notify management of any access to unauthorized information.

Covered Entity: health plans, health care clearinghouses, and health care providers who transmit electronic health information as defined by HIPAA.

Cyber Attack: when hackers attempt to gain access to or destroy an organization’s systems or network.

Cyber Security: the field of protecting information stored on computers, networks, programs, or other data locations from unauthorized access which can change or destroy the information.

Data Breach: when an unauthorized individual potentially or in reality views, steals, or uses sensitive, protected, or confidential information.

Data Security: steps taken to protect digital information and privacy from unauthorized access to computers, databases, and websites. Similar to cybersecurity but also encompasses keeping information safe from corruption and loss.

Data Subject: a natural person identifiable by their information as part of the GDPR.

Detective Control: internal controls used to find problems with processes before a problem occurs. Used to ensure preventative controls are working.

Enterprise Risk Management (ERM): the process of trying to minimize risk by planning, organizing, leading, and controlling an organization’s activities.

Federal Risk and Authorization Management Program (FedRAMP): an extension of the NIST 800-53 prescriptive controls for federal agencies specifically tailored to cloud service providers who work with the federal government.

General Data Protection Regulation (GDPR): legal framework in the European Union setting guidelines about how to collect and process personal information.

GRC: abbreviation for Governance, Risk management, and Compliance; refers to an organization’s coordinated strategy to review regulatory risks and set up a program to continuously monitor compliance.

GRC automation/GRC tool/GRC software: used interchangeably to describe the various ways that technology can be incorporated into policy creation and distribution, control tracking, and risk assessment.

Health Insurance Portability and Accountability Act of 1996 (HIPAA/HIPAA Compliance): law designed to protect patients’ medical information and other health information and to create privacy controls over the information.

Information Security/InfoSec: broad term for protecting against unauthorized use of information with a focus on electronic data or the steps taken to protect the information.

Information Security Compliance: the reporting function that proves an organization meets the required standards.

Information Security Controls: measures taken to avoid, detect, counteract, or minimize an organization’s identified security risks; applies to physical property, information, computer systems, or other assets.

Information Security Risk: process of reviewing and responding to events that may cause a failure in confidentiality, integrity, or availability of an information system.

Information Security Management System: the set of policies and procedures outlining all legal, physical, and technical controls in an organization’s information risk management processes.

Information Technology: study or use of systems, especially electronic systems, for storing, receiving, or sending information.

Infrastructure as a Service (IaaS): cloud computing offering virtualized computing resources over the internet.

International Organization for Standardization (ISO): international organization that sets standards used by industries to create best practices.

ISO 27001 (ISO/IEC 27001:2005): specification for an information security management system.

IT Risk Management: applying risk management methods to the ownership, use, operations, involvement, influence, and adoption of IT within an organization.

National Institute of Standards and Technology (NIST): non-regulatory federal agency that maintains standards.

Non-technical Controls: policies, procedures, and processes used by management and operations to promote personnel, physical, and environmental security.

PCI: Payment Card Industry; an industry group that works to create information security standards.

Payment Card Industry Data Security Standard (PCI Compliance/PCI DSS Compliance): security standards designed to make sure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

Personal Data: term within the GDPR that defines information that identifies a natural person, directly or indirectly.

Platform as a Service (PaaS): cloud computing using a web-based platform that allows developers to build applications and services over the internet.

Preventative control: internal controls intended to keep errors or irregularities from happening and may be a lot of work to design and implement.

Protected Health Information: information about health status, health care provided, or payment of said service, created or collected by a “covered entity” under HIPAA.

Risk Assessment: formal process of evaluating potential risks, how likely each risk is, and what the organization’s tolerance for that risk is.

Risk Management: process of continuously identifying, analyzing, evaluating, and treating loss exposures while monitoring risk controls and financial resources to mitigate the negative effects of loss.

Sarbanes-Oxley Act of 2002 (SOX): act passed in 2002 to protect investors from fraudulent accounting practices; incorporates sections that require reporting on IT controls.

SOX 404: section of SOX requiring internal controls and procedures for documenting financial reporting, inclusive of testing and maintaining controls and procedures to make sure they are effective.

Security Awareness: the knowledge and attitude that an organization’s members possess with respect to protecting its physical and electronic information assets.

Security Awareness Program: formal training process for educating employees about computer security, most importantly corporate policies and procedures.

Security Risk Analysis: defining and analyzing impact that potential natural disasters or human-caused events can have on individuals, businesses, or government agencies.

Service Organization Controls Report (SOC Report): formerly SSAE 16; indicates controls a service organization has in place.

SOC 1 Report: report used by service organizations to show users that they are continuously evaluating and reviewing controls around financial reporting and that the controls are working.

SOC 2 Report: report used by service organizations to show users that they are continuously evaluating their security, availability, processing integrity, confidentiality, and privacy controls.

SOC 3 Report: report used by service organizations to show a general audience that they are continuously evaluating their security, availability, processing integrity, confidentiality, and privacy controls; shorter than a SOC 2 and more generalized.

Software as a Service (SaaS): type of cloud computing using a web-based third-party provider to host applications.

Vendor Management: process of ensuring that vendors and business partners are meeting the standards of the hiring organization.