Information Security Glossary

Commonly-used Information Security terms and their definitions


Inspection of an organization’s compliance, such as its security processes and controls, that is normally conducted by a third-party assessor and may be used to assure clients of information safety.

Business Associate of a Covered Entity

A person or entity who performs functions or activities for a covered entity and has access to protected health information.

Cloud Compliance/Cloud Security Compliance

The ability of cloud service providers to protect information through effective security provisions and controls.

Cloud Management

Software and technologies that are used to operate and monitor applications, data, and services in the cloud.

Cloud Management Platform

Products that work together to help manage the different public, private, and hybrid cloud environments.

Compensating Control (Alternative Control)

Short-term mechanisms used to satisfy compliance requirements for security measures that are too difficult or impractical to implement immediately.

Compliance Automation

Automation of the workflow involved in compliance using a software platform that groups tasks into a single process, making them easy to schedule and run on a regular basis.

Compliance Data

All the information collected that proves compliance, such as written policies, procedures, and monitoring documentation.

Compliance Management

Manner through which an organization ensures that employees follow the rules.

Compliance Tools

Any software used to help manage compliance; see also compliance automation.


Procedure or policy used to ensure an organization follows all standards, laws, or regulations. Includes three categories: preventative, detective, and responsive.

Corrective Controls

Procedures and policies that organizations use to detect and notify management of any unauthorized access to information.

Covered Entity

Health plans, health care clearinghouses, and health care providers who transmit electronic health information as defined by HIPAA.

Cyber Attack

When hackers attempt to gain access to or destroy an organization’s systems or network.

Cyber Security

The field of protecting information stored on computers, networks, programs, or other data locations from unauthorized access which can change or destroy the information.

Data Breach

When an unauthorized individual potentially or in reality views, steals, or uses sensitive, protected, or confidential information.

Data Security

Steps taken to protect digital information and privacy from unauthorized access to computers, databases, and websites. Similar to cybersecurity but also encompasses keeping information safe from corruption and loss.

Data Subject

A natural person identifiable by their information as part of the GDPR.

Detective Control

Internal controls used to find problems with processes before a problem occurs. Used to ensure preventative controls are working.

Enterprise Risk Management (ERM)

The process of trying to minimize risk by planning, organizing, leading, and controlling an organization’s activities.

Federal Risk and Authorization Management Program (FedRAMP)

An extension of the NIST 800-53 prescriptive controls for federal agencies specifically tailored to cloud service providers who work with the federal government.

General Data Protection Regulation (GDPR)

Legal framework in the European Union setting guidelines about how to collect and process personal information.

GRC

Abbreviation for Governance, Risk management, and Compliance; refers to an organization’s coordinated strategy to review regulatory risks and set up a program to continuously monitor compliance.

GRC automation/GRC tool/GRC software

Used interchangeably to describe the various ways that technology can be incorporated into policy creation and distribution, control tracking, and risk assessment.

Health Insurance Portability and Accountability Act of 1996 (HIPAA/HIPAA Compliance)

Law designed to protect patients’ medical information and other health information and to create privacy controls over the information.

Information Security Compliance

The reporting function that proves an organization meets the required standards.

Information Security Controls

Measures taken to avoid, detect, counteract, or minimize an organization’s identified security risks; applies to physical property, information, computer systems, or other assets.

Information Security Management System

The set of policies and procedures outlining all legal, physical, and technical controls in an organization’s information risk management processes.

Information Security Risk

Process of reviewing and responding to events that may cause a failure in confidentiality, integrity, or availability of an information system.

Information Security/InfoSec

Broad term for protecting against unauthorized use of information with a focus on electronic data or the steps taken to protect the information.

Information Technology

Study or use of systems, especially electronic systems, for storing, receiving, or sending information.

Infrastructure as a Service (IaaS)

Cloud computing offering virtualized computing resources over the internet.

International Organization for Standardization (ISO)

International organization that sets standards used by industries to create best practices.

ISO 27001 (ISO/IEC 27001:2005)

Specification for an information security management system.

IT Risk Management

Applying risk management methods to the ownership, use, operations, involvement, influence, and adoption of IT within an organization.

National Institute of Standards and Technology (NIST)

Non-regulatory federal agency that maintains standards.

Non-technical Controls

Policies, procedures, and processes used by management and operations to promote personnel, physical, and environmental security.

Payment Card Industry Data Security Standard (PCI Compliance/PCI DSS Compliance)

Security standards designed to make sure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

PCI

Payment Card Industry; an industry group that works to create information security standards.

Personal Data

Term within the GDPR that defines information that identifies a natural person, directly or indirectly.

Platform as a Service (PaaS)

Cloud computing using a web-based platform that allows developers to build applications and services over the internet.

Preventative control

Internal controls intended to keep errors or irregularities from happening; they may require significant effort to design and implement.

Protected Health Information

Information about health status, health care provided, or payment of said service, created or collected by a “covered entity” under HIPAA.

Risk Assessment

Formal process of evaluating potential risks, how likely each risk is, and what the organization’s tolerance for the risk is.

Risk Management

Process of continuously identifying, analyzing, evaluating, and treating loss exposures while monitoring risk controls and financial resources to mitigate the negative effects of loss.

Sarbanes-Oxley Act of 2002 (SOX)

Act passed in 2002 to protect investors from fraudulent accounting measures; incorporates sections that require reporting of IT controls.

Security Awareness

Knowledge and attitude that an organization’s members possess in terms of protecting its physical and electronic information assets.

Security Awareness Program

Formal training process for educating employees about computer security, most importantly corporate policies and procedures.

Security Risk Analysis

Defining and analyzing impact that potential natural disasters or human-caused events can have on individuals, businesses, or government agencies.

Service Organization Controls Report (SOC Report)

Formerly SSAE 16; indicates controls a service organization has in place.

SOC 1 Report

Report used by service organizations to show users that they are continuously evaluating and reviewing controls around financial reporting and that the controls are working.

SOC 2 Report

Report used by service organizations to show users that they are continuously evaluating their security, availability, processing integrity, confidentiality, and privacy controls.

SOC 3 Report

Report used by service organizations to show a general audience that they are continuously evaluating their security, availability, processing integrity, confidentiality, and privacy controls; shorter than a SOC 2 and more generalized.

Software as a Service (SaaS)

Type of cloud computing using a web-based third-party provider to host applications.

SOX 404

Section of SOX requiring internal controls and procedures for documenting financial reporting, inclusive of testing and maintaining controls and procedures to make sure they are effective.

Vendor Management

Process of ensuring that vendors and business partners are meeting the standards of the hiring organization.