Access Governance [AG]
Access Governance (AG) is an aspect of information technology (IT) security management that seeks to reduce the risks associated with excessive access rights, inactive users, and orphan accounts.
Access Recertification Access recertification is an information technology (IT) control that involves auditing user access rights to determine if they are correct and adhere to the organization’s internal policies and compliance regulations.
Accountability Accountability means being held responsible or answerable for one's actions (or perhaps lack of action where one should have been taken).
Accounting Error An accounting error is a non-fraudulent discrepancy in financial documentation.
Agreed-upon Procedures [AUP] Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business process and then report on the results.
American National Standards Institute [ANSI] A private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States.
Audit An examination performed by an independent third party that verifies the guidelines outlined by a regulatory body.
Audit Log [AL] An audit log is a document that records an event in an information technology (IT) system.
Audit Program [Audit Plan] An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.
Bank Secrecy Act [BSA]
The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, is legislation passed by the United States Congress in 1970.
Benchmarking Analyzing data year over year by comparing one's own business processes and performance against the industry standard to reveal compliance program effectiveness and determine needed improvements.
Blockchain

A blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions. The most recent transactions are recorded as completed blocks and added to the chain in chronological order, allowing market participants to track digital currency transactions without central recordkeeping. Each node (a computer connected to the network) gets a copy of the blockchain that is downloaded automatically.

Originally developed as the accounting method for the virtual currency Bitcoin, blockchains use what is now known as distributed ledger technology (DLT). This technology creates indelible records that cannot be changed, as the authenticity can be verified by the entire community using the blockchain instead of a single centralized authority.

Bribe An incentive given or offered to a person or organization to encourage that person/organization to take an action that benefits the giver.
Business Continuity Policy A business continuity policy is a set of standards and guidelines that an organization enforces to ensure resilience and proper risk management.
Canadian Anti-Spam Legislation [CASL]
Canadian anti-spam legislation (CASL) is enacted legislation that requires marketers and fundraisers who communicate through email, text messages, or social media to obtain permission from recipients in Canada.
Capital Expenditure [Capex] A capital expenditure (Capex) is money invested by a company to acquire or upgrade fixed, physical, non-consumable assets, such as buildings and equipment or a new business.
Cartel A cartel is a body of independent producers that work together to decide production levels and prices.
CE Marking A symbol that indicates a product's compliance with EU legislation and enables the free movement of products within the European market. CE marking is a manufacturer's declaration that the product meets the requirements of the applicable EC directives.
CENELEC The European Committee for Electrotechnical Standardization. A body developing electrotechnical standards for the Single European Market / European Economic Area in order to help facilitate trade between countries, create new markets, cut compliance costs and support the development of a Single European Market. CENELEC’s 19 member countries and 11 affiliate countries aim to adopt and implement the required standards, which are mostly identical to the International Electrotechnical Commission (IEC) standards. CENELEC works in co-operation with Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI).
Center for Internet Security [CIS] The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.
CFR The Code of Federal Regulations (CFR) is an annual codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the Federal Government of the United States.
Chief Data Officer [CDO] A chief data officer (CDO) is a C-level executive who is responsible for an organization's data use and data governance.
Chief Risk Officer [CRO] The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory, and technological threats to an enterprise's capital and earnings. The position is sometimes called chief risk management officer or simply risk management officer.
Clean Desk Policy [CDP]
Cloud Audit A cloud audit is a periodic examination an organization does to assess and document its cloud vendor's performance.
Code of Conduct or Code of Ethics An organization’s Code of Conduct is its policy of all policies. It’s a central guide and reference for users in support of day-to-day decision-making. It is meant to clarify an organization's mission, values, and principles, linking them with standards of professional conduct. As a reference, it can be used to locate relevant documents, services, and other resources related to ethics within the organization.
COBIT COBIT is an IT governance framework for businesses wanting to implement, monitor and improve IT management best practices.
COBIT 5 COBIT 5 is the fifth iteration of a popular framework that's used for managing and governing information technology (IT).
Competition Law Competition law is the body of legislation intended to prevent market distortion caused by anti-competitive practices on the part of businesses.
Compliance Compliance is either a state of being in accordance with established guidelines or specifications, or the process of becoming so.
Compliance Audit A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security, or IT consultants evaluate the strength and thoroughness of compliance preparedness. Auditors review security policies, user access controls, and risk management procedures over the course of a compliance audit.
Compliance Burden Compliance burden, also called regulatory burden, is the administrative cost of regulation in terms of dollars, time, and complexity.
Compliance Framework A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications, or legislation.
Compliance Risk Compliance risk is exposure to legal penalties, financial forfeiture, and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
Compliance Validation In compliance, validation is a formal procedure to determine how well an official or prescribed plan or course of action is being carried out.
Computer Fraud and Abuse Act [CFAA] The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
Confidentiality Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information.
Consumer Privacy Consumer privacy, also known as customer privacy, involves the handling and protection of the sensitive personal information provided by customers in the course of everyday transactions.
Control Framework A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.
Children's Online Privacy Protection Act [COPPA] The Children's Online Privacy Protection Act of 1998 (COPPA) is a federal law that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13.
Copyright Copyright is a legal term describing ownership of control of the rights to the use and distribution of certain works of creative expression, including books, video, motion pictures, musical compositions, and computer programs.
Corporate Governance Corporate governance is a term that refers broadly to the rules, processes, or laws by which businesses are operated, regulated, and controlled. The term can refer to internal factors defined by the officers, stockholders, or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.
Corporate Social Responsibility [CSR] Corporate social responsibility is an umbrella term used to describe voluntary corporate initiatives concerned with community development, the environment, and human rights.
COSO Framework The COSO Framework is a system used to establish internal controls to be integrated into business processes.
Cyber Security Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.
Data Breach
A data breach is a cyber attack in which sensitive, confidential, or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion.
Data Classification Data classification is the process of organizing data into categories that make it easy to retrieve, sort, and store for future use.
Data Lifecycle Management [DLM] Data lifecycle management (DLM) is a policy-based approach to managing the flow of an information system's data throughout its lifecycle: from creation and initial storage to when it becomes obsolete and is deleted.
Data Masking Data masking is a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
Data Privacy [Information Privacy] Data privacy, also called information privacy, is the aspect of information technology (IT) that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.
Data Protection Impact Assessment [DPIA] A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, procedures or technologies affect individuals’ privacy and eliminate any risks that might violate compliance.
Data Protection Management [DPM] Data protection management (DPM) comprises the administration, monitoring and management of backup processes to ensure backup tasks run on schedule and data is securely backed up and recoverable.
Data Sovereignty Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.
Digital Millennium Copyright Act [DMCA] The Digital Millennium Copyright Act (DMCA) is a controversial United States digital rights management (DRM) law enacted October 28, 1998 by then-President Bill Clinton.
Declaration of Conformity A signed document regarding the compliance of a product with European safety standards and legislation.
Document Capture Document capture is any one of several processes used to convert a physical document to another format, typically a digital representation.
Document Sanitization In addition to making sure the document text doesn’t openly divulge anything it shouldn’t, document sanitization includes removing document metadata that could pose a privacy or security risk.
Dodd-Frank Act The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government. The legislation, enacted in July 2010, aims to prevent another significant financial crisis by creating new financial regulatory processes that enforce transparency and accountability while implementing rules for consumer protection.
Ethics
The decisions, choices, and actions (behaviors) we make that reflect and enact our values.
Ethical Dilemmas Situations that require ethical judgment calls. Often, there is more than one right answer and no win-win solution in which we get everything we want.
Electronic Commerce [EC Directive] Regulations 2002 The Electronic Commerce (EC Directive) Regulations 2002 establishes legal rules that online retailers and service providers must comply with when dealing with consumers in the 27 member countries of the European Union (EU).
Electronic Communications Privacy Act [ECPA] The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits a third party from intercepting or disclosing communications without authorization.
Electronic Signatures in Global and National Commerce Act [e-signature bill] The Electronic Signatures in Global and National Commerce Act (often referred to as the e-signature bill) specifies that in the United States, the use of a digital signature is as legally valid as a traditional signature written in ink on paper.
Enterprise Content Management [ECM] Enterprise content management (ECM) is a set of defined processes, strategies, and tools that allows a business to effectively obtain, organize, store and deliver critical information to its employees, business stakeholders, and customers.
Enterprise Information Management [EIM] Enterprise information management (EIM) is the set of business processes, disciplines and practices used to manage the information created from an organization's data as an enterprise asset.
Enterprise Risk Management [ERM] Enterprise risk management is the process of planning, organizing, directing, and controlling the activities of an organization to minimize the deleterious effects of risk on its capital and earnings.
Event Log Management Software [ELMS]

Event log management software (ELMS) is an application used to monitor change management and prepare for compliance audits at enterprises.

Event Log Manager [ELM]

An event log manager (ELM) is an application that tracks changes in an organization's IT infrastructure.

Express Consent Express consent is permission for something that is given specifically, either verbally or in writing.
Fair and Accurate Credit Transactions Act [FACTA]
FACTA (Fair and Accurate Credit Transactions Act) is an amendment to FCRA (Fair Credit Reporting Act) that was added, primarily, to protect consumers from identity theft.
Fair Credit Reporting Act (FCRA) The Fair Credit Reporting Act (FCRA) is United States federal legislation that promotes accuracy, fairness, and privacy for data used by consumer reporting agencies.
Fair Information Practices [FIP] FIP (Fair Information Practices) is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy.
Federal Communications Commission [FCC] The FCC (Federal Communications Commission) is the government body responsible for maintaining laws, censorship, and broadcast licensing pertaining to interstate and international communications in the United States.
Federal Information Security Management Act [FISMA] The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information, operations, and assets.
Federal Trade Commission [FTC] The FTC (Federal Trade Commission) is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.
Financial Industry Regulatory Authority [FINRA] The Financial Industry Regulatory Authority (FINRA) is an independent regulator of securities firms doing business in the United States.
Foreign Corrupt Practices Act [FCPA] The Foreign Corrupt Practices Act is a federal law enacted in 1977 to prohibit companies from paying bribes to foreign government officials and political figures for the purpose of obtaining business.
Fraud To intentionally lie or cheat to get something to which one is not entitled.
General Data Protection Regulation [GDPR]
The General Data Protection Regulation (GDPR) is a legal framework that sets new guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR lays out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation applies to all organizations that deal with EU citizen data, making it a critical regulation for corporate compliance officers at banks, insurers, and other financial organizations. On May 25, 2018, GDPR will come into full effect across the EU.
Governance The act, process, or power of exercising authority or control in an organizational setting.
Governance, Risk and Compliance [GRC] Governance, Risk, and Compliance (GRC) is a combined area of focus within an organization that developed because of interdependencies between the three components. GRC software products, available from a number of vendors, typically facilitate compliance with legal requirements, such as those specified in the Sarbanes-Oxley Act (SOX) or occupational health and safety regulations.
Gramm-Leach-Bliley Act [GLBA] Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
Hotline
A common reporting system giving anonymous telephone access to employees seeking to report possible instances of wrongdoing.
Index Fund
An index fund is a type of mutual fund collection that follows the trend of a given security or market index, which represents a number of sectors of a market and offers comprehensive exposure to several markets.
Information Governance Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls, and metrics that treat information as a valuable business asset.
Information Lifecycle Management [ILM] Information lifecycle management (ILM) is a comprehensive approach to managing an organization's data and associated metadata, starting with its creation and acquisition through when it becomes obsolete and is deleted.
Intellectual Property [IP] Intellectual property (IP) is a term for any intangible asset -- something proprietary that doesn't exist as a physical object but has value.
Internal Control An internal control is a business practice, policy or procedure that is established within an organization to create value or minimize risk.
International Accounting Standards Board The International Accounting Standards Board is the independent standard-setting body of the IFRS Foundation.
International Electrotechnical Commission [IEC] A non-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies – collectively known as “electrotechnology”. IEC standards cover a vast range of technologies from power generation, transmission, and distribution to home appliances and office equipment, semiconductors, fiber optics, batteries, solar energy, nanotechnology, and marine energy as well as many others. The IEC also manages three global conformity assessment systems that certify whether equipment, systems, or components conform to its International Standards.
Internet Engineering Task Force [IETF] The Internet Engineering Task Force (IETF) is the body that defines standard operating internet protocols such as TCP/IP.
ISAE 3402 ISAE (International Standards for Assurance Engagements) 3402 is a global assurance standard for reporting on controls at service organizations.
International Organization for Standardization 22317 [ISO 22317] ISO 22317 is the first formal standard to address the business impact analysis process.
ISO 31000 Risk Management The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization.
ISO/IEC 17799: Code of Practice for Information Security Management ISO/IEC 17799: Code of Practice for Information Security Management is a generic set of best practices for the security of information systems.
ISO/IEC 38500 ISO/IEC 38500 is an international standard created to guide corporate governance of information technology (IT).
IT Audit An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies, and operations.
IT Incident Management IT incident management is an area of IT service management (ITSM) wherein the IT team returns a service to normal as quickly as possible after a disruption, in a way that aims to create as little negative impact on the business as possible.
Massachusetts Data Protection Law
The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents.
Metadata Security Metadata is defined as “data about data.”
Microsoft Operations Framework [MOF] Microsoft Operations Framework (MOF) is a series of 23 documents that guide IT professionals through the processes of creating, implementing, and managing efficient and cost-effective services.
National Institute of Standards and Technology [NIST]
The National Institute of Standards and Technology (NIST) is a unit of the US Commerce Department that promotes and maintains measurement standards. The NIST Privacy Framework is a voluntary tool created by NIST that lays out strategies for private sector organizations to improve their data risk management practices.
Payment Application Data Security Standard [PA-DSS]
Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
Public Company Accounting Oversight Board [PCAOB] The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
Payment Card Industry Data Security Standard Compliance [PCI DSS Compliance] Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders' personal information.
PCI DSS Merchant Levels Merchant levels are used by the payment card industry (PCI) to classify merchants by risk level and determine the appropriate level of security required of their businesses.
PCI Gap Assessment A PCI gap assessment is the identification, analysis, and documentation of areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI Policy
PCI QSA Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services.
PCI Security Standards Council The PCI Security Standards Council is an organization created by the major credit card companies in an effort to better protect credit cardholder data.
Personally Identifiable Information [PII] Personally identifiable information (PII) is any data that could potentially identify a specific individual.
Policy Engine A policy engine is a software component that allows an organization to create, monitor, and enforce rules about how network resources and the organization's data can be accessed.
Privacy Compliance Privacy compliance is a company's accordance with established personal information protection guidelines, specifications, or legislation.
Privacy Impact Assessment [PIA] A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared, and maintained by an organization.
Radio Technical Commission for Aeronautics [RTCA]
A US volunteer organization that develops technical guidance for use by government regulatory authorities and by industry. It has over 200 committees and overall acts as an advisory body to the FAA.
Ransomware Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.
Red Flags Rule [RFR] The Red Flags Rule (RFR) is a set of United States federal regulations that require certain businesses and organizations to develop and implement documented plans to protect consumers from identity theft.
Regulatory Compliance Regulatory compliance is an organization's adherence to laws, regulations, guidelines, and specifications relevant to its business. Violations of compliance regulations often result in legal punishment, including federal fines.
RegTech RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.
Remote Deposit Capture [RDC] Remote deposit capture (RDC) is a system that allows a customer to scan checks remotely and transmit the check images to a bank for deposit, usually via an encrypted Internet connection.
Risk Assessment Risk assessment is the process of identifying variables that have the potential to negatively impact an organization’s ability to conduct business.
Risk Assessment Framework [RAF] A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
Risk Avoidance Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
Risk Exposure Risk exposure is the quantified loss potential of a business. Risk exposure is usually calculated by multiplying the probability of an incident occurring by its potential losses.
Risk Intelligence [RQ] Risk intelligence (RQ) is a term used to describe predictions made around uncertainties and future threat probabilities.
Risk Heat Map A risk heat map is a data visualization tool for communicating specific risks an organization faces.
Risk Profile A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
Risk Reporting Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
Sarbanes-Oxley Act [SOX]
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements.
Secure Electronic Transaction [SET] Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
Security Audit A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
Security Information Management [SIM] Security information management (SIM) is the practice of collecting, monitoring, and analyzing security-related data from computer logs and various other data sources.
Sensitive Information Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
Shared Assessments Program Shared Assessments is a third party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in the report is accurate.
Softlifting Softlifting is a common type of software piracy in which a legally licensed software program is installed or copied in violation of its licensing agreement.
Standard Operating Procedure [SOP] A standard operating procedure (SOP) is a set of written instructions that describes the step-by-step process that must be taken to properly perform a routine activity.
Statutory Reporting Statutory reporting is the mandatory submission of financial and non-financial information to a government agency.
Supply Chain Security Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics, and transportation.
Sustainability Risk Management [SRM] Sustainability risk management (SRM) is a business strategy that aligns profit goals with a company's environmental policies.
SWIFT FIN Message SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
Take-Down Request
A take-down request, also called a notice and take down request, is a procedure for asking an Internet Service Provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
Telephone Consumer Protection Act (TCPA) The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.
Tokenization Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Transparency Transparency, in a business or governance context, is honesty and openness. Transparency and accountability are generally considered the two main pillars of good corporate governance.
Values-centered Code of Ethics
Offers a set of ethical ideals, such as integrity, trustworthiness, and responsibility, which companies want employees to adopt in their work practices.
VUCA [Volatility, Uncertainty, Complexity and Ambiguity] VUCA is an acronym that stands for volatility, uncertainty, complexity and ambiguity, a combination of qualities that, taken together, characterize the nature of some difficult conditions and situations.
Whistleblower
A whistleblower is a person who voluntarily provides information to the general public, or someone in a position of authority, about dishonest or illegal business activities occurring at an organization. This organization could include a government department, a public company, or a private organization.
XCCDF [Extensible Configuration Checklist Description Format]
XCCDF is a specification language for writing security checklists, benchmarks, and related types of documents.