Glossary

GRC terms explained

Plain-language definitions for governance, risk, and compliance concepts.

A

Access Control

What is Access Control?

Access control restricts system and data access to authorized users. Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.

Approved Scanning Vendor (ASV)

What is an Approved Scanning Vendor (ASV)?

An ASV is a PCI SSC-certified company that runs external vulnerability scans. Learn when ASV scans are required, how to pass, and what happens if you fail.

Audit Trail

What is an Audit Trail?

An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.

B

Breach Notification

What is Breach Notification?

Breach notification under HIPAA requires organizations to notify individuals, HHS, and sometimes media when unsecured PHI is compromised. Learn the requirements.

Business Associate

What is a Business Associate?

A HIPAA business associate is any vendor or partner that creates, receives, or transmits PHI on behalf of a covered entity. Learn your obligations.

Business Associate Agreement (BAA)

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a HIPAA-required contract between covered entities and vendors who handle PHI. Learn what a BAA must include.

Business Continuity

What is Business Continuity?

Business continuity planning ensures an organization can maintain essential operations during and after a disruptive event. Learn the key components and frameworks.

C

Cardholder Data Environment

What is a Cardholder Data Environment?

The Cardholder Data Environment (CDE) encompasses all systems that store, process, or transmit cardholder data. Learn how to define and secure your CDE.

Certification Body

What is a Certification Body?

A certification body is an accredited organization that audits and certifies companies against standards like ISO 27001. Learn how to choose the right one.

Change Management

What is Change Management?

Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.

Continuous Monitoring

What is Continuous Monitoring?

Continuous monitoring tracks security controls in real time to detect threats and verify compliance. Learn how to implement it for SOC 2, ISO 27001, and NIST CSF.

Control Framework

What is a Control Framework?

A control framework is a structured set of security controls and guidelines that organizations use to build and evaluate their security programs.

Control Objectives

What are Control Objectives?

Control objectives define the specific goals a security control is designed to achieve. Learn how they apply across SOC 2, ISO 27001, and other frameworks.

Covered Entity

What is a Covered Entity?

A covered entity under HIPAA is a health plan, healthcare provider, or healthcare clearinghouse that transmits health information electronically.

D

Data Classification

What is Data Classification?

Data classification is the process of categorizing data by sensitivity level to apply appropriate security controls. Learn how to build a classification scheme.

Disaster Recovery

What is Disaster Recovery?

Disaster recovery is the process of restoring IT systems and data after a disruption. Learn about DR planning, RTO, RPO, and compliance requirements.

E

Encryption

What is Encryption?

Encryption transforms data into unreadable ciphertext to protect confidentiality. Learn about encryption at rest, in transit, and compliance requirements.

Evidence Collection

What is Evidence Collection?

Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.

F

Firewall

What is a Firewall?

A firewall is a security system that monitors and controls network traffic based on predefined rules, acting as a barrier between trusted internal networks and untrusted external ones.

Framework

What is a Framework?

A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. Common examples include ISO 27001, SOC 2, and NIST CSF.

G

GRC

What is GRC?

GRC stands for governance, risk, and compliance. Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.

H

HIPAA

What is HIPAA?

HIPAA is the US federal law protecting health information. Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.

I

Incident Response

What is Incident Response?

Incident response is the organized process of detecting, containing, and recovering from security incidents. Learn the phases, team roles, and compliance needs.

ISMS

What is an ISMS?

An ISMS is a systematic framework for managing information security risks. Learn how an ISMS works, its components, and how it relates to ISO 27001 certification.

ISO 27001

What is ISO 27001?

ISO 27001 is the international standard for information security management systems (ISMS). Learn about certification requirements, Annex A controls, and how to prepare.

ISO 27001 Annex A

What is ISO 27001 Annex A?

ISO 27001 Annex A lists 93 security controls in 4 themes. Learn each control category, how they map to your Statement of Applicability, and implementation tips.

ISO 27002

What is ISO 27002?

ISO 27002 provides detailed implementation guidance for the security controls listed in ISO 27001 Annex A. Learn how it complements your ISMS implementation.

J

Job Separation

What is Job Separation?

Job separation (segregation of duties) is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud or error.

K

Key Management

What is Key Management?

Key management covers creating, storing, rotating, and retiring cryptographic keys. Learn requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.

L

Least Privilege

What is Least Privilege?

Least privilege is a security principle that limits user access to only what they need to perform their job — nothing more.

Log Management

What is Log Management?

Log management is the process of collecting, storing, and analyzing system activity records to detect security incidents and support compliance audits.

M

Malware

What is Malware?

Malware is malicious software designed to damage, disrupt, or gain unauthorized access to systems. It includes viruses, ransomware, spyware, and trojans.

Monitoring

What is Monitoring?

Monitoring is the continuous observation of systems and controls to detect threats, unusual activity, or compliance gaps in real time.

Multi-Factor Authentication

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.

N

Network Security

What is Network Security?

Network security refers to the tools, policies, and practices used to protect the integrity and confidentiality of a computer network and its data.

NIST

What is NIST?

NIST (National Institute of Standards and Technology) is a US government agency that publishes widely used cybersecurity frameworks and guidelines, including the NIST Cybersecurity Framework (CSF).

O

Offboarding

What is Offboarding?

Offboarding is the formal process of revoking an employee's or contractor's access to systems and data when they leave an organization.

Operational Risk

What is Operational Risk?

Operational risk is the potential for loss or disruption caused by failed internal processes, human errors, system failures, or external events.

P

PCI DSS

What is PCI DSS?

PCI DSS is the security standard for organizations that handle credit card data. Learn about compliance levels, requirements, and what changed in PCI DSS 4.0.

PCI Scope

What is PCI Scope?

PCI scope defines which systems, people, and processes are subject to PCI DSS requirements. Learn how to accurately determine and reduce your PCI scope.

Penetration Testing

What is Penetration Testing?

Penetration testing is a simulated cyberattack that identifies vulnerabilities in your systems before real attackers can exploit them. Learn the types and process.

Primary Account Number (PAN)

What is a Primary Account Number (PAN)?

The PAN is the card number that triggers PCI DSS scope. Learn how to mask, tokenize, and encrypt PAN data to meet PCI DSS requirements.

Protected Health Information (PHI)

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is any individually identifiable health data covered by HIPAA. Learn what qualifies as PHI and how to protect it.

Q

Qualified Security Assessor (QSA)

What is a Qualified Security Assessor (QSA)?

A Qualified Security Assessor (QSA) is a PCI SSC-certified professional who conducts on-site PCI DSS assessments. Learn how QSAs work and how to choose one.

R

Remediation

What is Remediation?

Compliance remediation is the process of fixing security gaps and audit findings. Learn how to prioritize, track, and close remediation items efficiently.

Risk Register

What is a Risk Register?

A risk register is a centralized document that records identified risks, their likelihood, impact, treatment, and ownership. Learn how to build and maintain one.

Risk Treatment Plan

What is a Risk Treatment Plan?

A risk treatment plan documents how an organization will address identified risks through mitigation, acceptance, transfer, or avoidance strategies.

S

Security Awareness Training

What is Security Awareness Training?

Security awareness training educates employees about cybersecurity threats and best practices. Learn what to include and how it satisfies compliance requirements.

Self-Assessment Questionnaire (SAQ)

What is a Self-Assessment Questionnaire (SAQ)?

A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to self-evaluate their cardholder data security.

Service Auditor

What is a Service Auditor?

A service auditor is a CPA firm that performs SOC 2 and other attestation engagements. Learn how to select an auditor and what to expect during the audit process.

SOC 2

What is SOC 2?

SOC 2 is an auditing framework for service organizations based on five Trust Services Criteria. Learn about SOC 2 Type I vs Type II, audit timelines, and what it takes to get compliant.

SOC 2 Type I

What is SOC 2 Type I?

A SOC 2 Type I report evaluates whether an organization's controls are properly designed at a specific point in time. Learn how it differs from Type II.

SOC 2 Type II

What is SOC 2 Type II?

A SOC 2 Type II report evaluates whether controls operated effectively over a period of time. Learn about observation periods, audit processes, and requirements.

SSAE 18

What is SSAE 18?

SSAE 18 is the attestation standard governing SOC 1, SOC 2, and SOC 3 audits in the United States. Learn how it shapes audit requirements and reporting.

Statement of Applicability

What is a Statement of Applicability?

The Statement of Applicability (SoA) documents which ISO 27001 Annex A controls apply to your organization and why. Learn its role in certification audits.

Surveillance Audit

What is a Surveillance Audit?

A surveillance audit is an annual check by a certification body to verify that your ISO 27001 ISMS continues to operate effectively. Learn what to expect.

T

HITECH Act

What is the HITECH Act?

The HITECH Act strengthened HIPAA by extending requirements to business associates, increasing penalties, and mandating breach notification. Learn the key provisions.

Minimum Necessary Rule

What is the Minimum Necessary Rule?

The Minimum Necessary Rule requires that access to PHI be limited to the minimum amount needed for a specific purpose. Learn how to implement it under HIPAA.

Third-Party Risk

What is Third-Party Risk?

Third-party risk is the potential for security incidents, data breaches, or operational disruption originating from your vendors and service providers.

Tokenization

What is Tokenization?

Tokenization replaces sensitive data like credit card numbers with non-sensitive tokens to reduce PCI DSS scope and protect cardholder data.

Trust Services Criteria

What are Trust Services Criteria?

Trust Services Criteria (TSC) are the five categories used in SOC 2 audits to evaluate security, availability, processing integrity, confidentiality, and privacy.

U

User Entity Controls

What are User Entity Controls?

User entity controls (UECs) are controls that a service organization's customers must implement for the overall control environment to be effective.

V

Vendor Risk Management

What is Vendor Risk Management?

Vendor risk management (VRM) is the process of assessing and monitoring security risks from third-party vendors. Learn how to build an effective VRM program.

W

Web Application Security

What is Web Application Security?

Web application security is the practice of protecting websites and web apps from attacks such as SQL injection, cross-site scripting (XSS), and unauthorized access.

Workforce Security

What is Workforce Security?

Workforce security refers to the policies and controls that ensure employees and contractors handle sensitive information responsibly and securely.