Hyperproof Compliance Glossary

The world of compliance is complex and can be difficult to navigate — let us help you
stay in the know about compliance and security terms and concepts.

Showing

Show all terms

Audit Fatigue Audit fatigue, also known as assessment fatigue, is the feeling of tiredness, weariness, frustration or exhaustion that people experience after they’ve been pulled away from their regular tasks repeatedly in order to participate in compliance efforts.Read More ›
Audit readiness assessment The readiness assessment is a process that should be done months in advance of an audit. It involves inviting your selected auditor to your office to interview key personnel within your organization.Read More ›
CCPA A wide-ranging privacy law that went into effect on January 1st, 2020. It regulates how businesses collect, use, and disclose just about any kind of information that relates to an individual. It covers any business that earns $25 million in revenue per year overall, or sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information. The CCPA requires businesses to implement new policies and procedures to ensure the protection of personal information for Californian residents. What’s more, the law expands what’s considered “personal information” and includes data elements not previously considered personal information under any U.S. law. It also gives California residents some new rights to make data requests to businesses that handle their data.Read More ›
Cloud compliance frameworks Cloud compliance is the principle that cloud-delivered systems need to be compliant with the standards their customers require. Your customers may have to comply with many regulations around data protection, such as HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, SOX, and more. Cloud compliance is about ensuring that cloud computing services meet compliance requirements.Read More ›
CMMC The CMMC is intended to serve as a verification mechanism to ensure that all appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene and protect controlled unclassified information (CUI) and Federal Contract Information (FCI) that resides on the Department’s industry partners’ networks.Read More ›
Common Controls Framework (CCF) A comprehensive set of control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards. Utilizing a CCF enables an organization to meet the requirements of these security, privacy, and other compliance programs while minimizing the risk of becoming “over controlled”. Read More ›
Compliance audit A compliance audit is a comprehensive review and evaluation of a business or organization’s compliance with a voluntary compliance framework (e.g., SOC 2, ISO 27001) or a set of regulatory requirements (e.g., GDPR or HIPAA). Read More ›
Compliance automation Compliance automation is about using technology to eliminate as much manual, administrative work as possible from compliance activities — so an organization scales their activities and resources to meet the demands of an increasing compliance scope. Read More ›
Compliance Maturity Assessment A tool created by Hyperproof that organizations can use to self-assess where they are in their compliance journey.Read More ›
Compliance Operations Compliance Operations is an operating model and a methodology that recognizes that managing information security compliance and security assurance programs consistently and on a day-to-day basis is a critical component of effective IT risk management. It operates on the understanding that cyber risks can change by the minute, regulatory volatility isn’t going away, and zero trust is now the default security (and B2B purchase) model.Read More ›
Compliance Operations Platform A platform for managing daily compliance operations -- a place for making project plans, getting work done, tracking progress, and identifying areas for improvement. The platform will help to improve the way you plan information security, data privacy, and compliance projects, execute them and monitor progress and keep records.Read More ›
Compliance program A compliance program is a set of internal policies and procedures within a company to comply with laws, rules, and regulations or to uphold the business’ reputation. Where requirements of a regulatory authority do not apply, a compliance program within an organization addresses conduct of employees to abide by internal policies (e.g. spending corporate funds or keeping confidentiality) and, more importantly, to maintain the firm’s reputation among its customers, suppliers, employees, and even the community where the business is located. Read More ›
Continuous compliance Continuous compliance is an approach that helps you manage risks more effectively. With continuous compliance, risks are re-assessed on a regular basis, control processes are consistently performed, and evidence from control processes are evaluated and actioned accordingly. By evaluating control processes on a continuous basis, organizations have an opportunity to refine their risk management strategies in real-time.Read More ›
CUI (Controlled Unclassified Information) CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It’s also not corporate intellectual property unless created for or included in requirements related to a government contract.Read More ›
Cyber risk Cyber risk can be understood as the potential (chance) of exposing a business’s information and communications systems to dangerous actors, elements, or circumstances capable of causing loss or damage. Risk implies a degree of probability or the chance of an event occurring. Cyber risk is based on the probability of a bad event happening to your business’s information systems, leading to the loss of confidentiality, integrity, and availability of information.Read More ›
Cybersecurity incident response plan A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.Read More ›
Cybersecurity risk management Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. Read More ›
Cybersecurity risk management framework Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. Read More ›
Data classification policy A data classification policy is a comprehensive plan used to categorize a company’s stored information based on its sensitivity level, ensuring proper handling and lowering organizational risk. A data classification policy identifies and helps protect sensitive/confidential data with a framework of rules, processes, and procedures for each class. Read More ›
Data security controls Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. At a high-level, they can usually be categorized into internal controls or incident-focused controls.Read More ›
Endpoint security Endpoint security is a multi-layered initiative focused on blocking threats and securing network endpoints. Endpoint solutions operate from centralized software with installs on each device. Endpoint platforms mirror larger systems with firewalls, access control, and vulnerability assessment to neutralize threats. Read More ›
FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for all cloud products and services. It was created by the Joint Authorization Board (JAB) with representatives from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD).Read More ›
GDPR Any organization that does business in Europe or is expanding to Europe is legally required to comply with the European Union’s General Data Protection Regulation (GDPR). GDPR requires organizations inside and outside Europe to secure all EU citizens’ Personally Identifying Information (PII) collected, processed or stored by the business. Therefor, an organization needs to know where data is sourced and who it's for.Read More ›
Governance, Risk and Compliance A combination of policies, procedures, and activities intended to advance and manage business objectives while mitigating risk and ensuring compliance with requirements specific to an organization.Read More ›
GRC Software An application or suite of applications designed to assist organizations in the management, review, and testing of controls specific to mitigating risk, complying with relevant internal and external requirements, and supporting security assurance activities.Read More ›
HIPAA The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. HIPAA requires that covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment and operations) must meet a set of rules.Read More ›
Information security policy A high-level document describing an organization's requirements and objectives related to information security.Read More ›
Information security risk assessment Information security risk assessments focus on identifying the threats facing your information systems, networks and data, and assessing the potential consequences you’d face should these adverse events occur. Risk assessments should be conducted on a regular basis (e.g. annually) and whenever major changes occur within your organization (e.g., acquisition, merger, re-organization, when a leader decides to implement new technology to handle a key business process, when employees suddenly move from working in an office to working remotely). Read More ›
Integrated risk management Integrated risk management (IRM) is a holistic, organization-wide approach to addressing risk which welcomes input from various functions, including risk management, cybersecurity, compliance, and various business units. It’s designed to provide a holistic view of risk across the enterprise and streamline the risk assessment and remediation process. This model leverages agile principles, automation, a security-aware culture, and cross-departmental collaboration to outpace the more traditional, compliance-driven model.Read More ›
Internal audit Company employees carry out internal audits to gauge overall risks to compliance and security and determine whether the company is following internal guidelines. Internal audits should occur throughout the year. Management teams can use the reports generated from internal audits to identify areas that require improvement. Internal audits measure company objectives against output and strategic risks.Read More ›
Internal controls Jonathan Marks, a well-known professional in the forensics, audit, and internal control space, defines internal controls as, “…a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes of the objective(s).” Internal controls are processes that mitigate risk and reduce the chance of an unwanted risk outcome.Read More ›
ISO 27001 Developed by the International Organization for Standardization, ISO 27001 is an information security standard providing requirements for an information management system (ISMS). ISO 27001 defines what an information security management system (ISMS) is, what is required to be included within an ISMS, and how management should implement, monitor, and maintain an ISMS.Read More ›
IT General Controls (ITGCs) ITGCs are controls that govern how technology is designed, implemented, and used in your organization. ITGCs shape everything from configuration management to password policy, application development to user account creation. They govern issues such as how technology is acquired and developed, or how security protocols are rolled out across the enterprise.Read More ›
Monitoring Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. At a high-level, they can usually be categorized into internal controls or incident-focused controls. Monitoring may consist of ongoing activities, separate evaluations or a combo of the two.Read More ›
NIST Cybersecurity Framework The NIST Cybersecurity Framework (CF) is a list of standards, guidelines, and practices designed to help organizations better manage and reduce cyber risk of all types - including malware, password theft, phishing attacks, DDoS, traffic interception, social engineering and others. The National Institute of Standards and Technology created the framework by collaborating with government and industry groups with the framework designed to complement existing organizational cybersecurity operations. NIST CF rests on industry best practices gathered from various other documents and standards like ISO 27001 and COBIT 5.Read More ›
NIST Privacy Framework Created by the National Institute of Standards and Technology (NIST), the Privacy Framework is a voluntary tool any organization can use to create or improve a privacy program. Effective privacy risk management can help you build trust in your products and services, communicate better about your privacy practices, and meet your compliance obligations.Read More ›
NIST SP 800-53 Developed by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is a collection of specific safeguarding measures that can be used to protect an organization’s operations and data and the privacy of individuals. In fact, NIST SP 800-53 is considered the gold standard for information security and is cross-referenced by many other industry-accepted security standards.Read More ›
Operational Control Typically, these are controls that are performed by staff in the management and administration of an information system, following an established process or procedure, and generally recur on a daily or other event-driven basis.Read More ›
PCI Audit A PCI audit is a vigorous inspection of a merchant’s adherence to PCI DSS requirements, consisting of numerous individual controls or safeguards for protecting cardholder information (e.g., Primary Account Number, CAV/CID/CVC2/CVV2, etc.) and systems that interact with payment processing, which we will discuss later. Read More ›
PCI DSS PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to help all organizations who handle credit card transactions maintain a secure environment. The standard was developed by the PCI Security Standards Council, an independent body founded by major card brands including Visa, MasterCard, and Discover.Read More ›
Ransomware Ransomware is a malware variant designed to secretly infiltrate computer systems, infect and encrypt files, then hold the data hostage until a ransom is paid in untraceable currency. This type of malware attempts to spread throughout connected systems or shared devices within the victim’s network.Read More ›
Risk management approach A successful risk management approach will involve developing the necessary security controls to keep all high-risk threats in check, allowing your most important processes to remain functional. Read More ›
Risk management software Risk management software helps you identify, assess, and document risks associated with running various business processes and IT assets, communicate about risks, and efficiently manage risk mitigation tasks.Read More ›
Risk register A risk register is an information repository an organization creates to document the risks they face and the responses they’re taking to address the risks. At a minimum, each risk documented in the risk register should contain a description of a particular risk, the likelihood of it happening, its potential impact from a cost standpoint, how it ranks overall in priority relevant to all other risks, the response, and who owns the risk.Read More ›
Secure software development Secure software development is a methodology (often associated with DevSecOps) for creating software that incorporates security into every phase of the software development life cycle (SDLC). Security is baked into the code from inception rather than addressed after testing reveals critical product flaws. Security becomes part of the planning phase, incorporated long before a single line of code is written.Read More ›
Security questionnaire Security questionnaires are lists of often complex and technical questions, usually compiled by IT teams, to determine a company’s security and compliance posture. Distributing security questionnaires to vendor partners is considered a cybersecurity best practice across most industries today.Read More ›
SOC 2 Developed by the American Institute of CPAs (AICPA), a SOC 2 report provides insight into internal controls that exist within an organization to address risks related to security, availability, processing integrity, confidentiality and/or privacy. The report is independently validated by a CPA and uses specific criteria, methodology and expectations that enable consistency in comparison across organizations. Before a SOC 2 report is issued, an independent CPA conducts an assessment of the scope, design, and (for Type 2 reports) the effectiveness of internal control processes. The scope of a SOC 2 report is determined by your organization and your SOC 2 assessor.Read More ›
Software supply chain attacks A software supply chain attack occurs when a threat actor infiltrates a vendor network and employs malicious code to compromise the software product before the vendor sends it to their customers. The affected software and data then compromise the customer’s system and data, creating malicious options for the threat actors. Security measures of both the vendor and their customers can be circumvented, allowing unauthorized privileged and persistent access to the target’s networks. Read More ›
SOX The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Security Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. IT compliance and IT security professionals need to pay close attention to SOX because the regulation has clear implications for data management, reporting, and security. Read More ›
SSPA Microsoft believes that security and privacy are critical to its mission and requires their suppliers who handle confidential data to meet a strict set of standards. If you’re doing business with Microsoft and processing Personal Data or Microsoft Confidential Data in the performance of your service, you will need to enroll in Microsoft’s Supplier Privacy & Assurance Standards (SSPA) program. As a supplier, you will need to understand a set of Data Protection Requirements (DPR), attest to the DPR, and gain independent assurance by completing an assessment against the DPR.Read More ›
System Security Plan (SSP) A critical component that must be included in the security package for a system or service seeking a FISMA or FedRAMP ATO. The SSP provides a detailed description of an information system and how the system's controls satisfy in-scope requirements identified, and possibly tailored, by an authorizing agency.Read More ›
Third party risk Third-party risk is the likelihood that your organization will experience an adverse event (e.g., data breach, operational disruption, reputational damage) when you choose to outsource certain services or use software built by third-parties to accomplish certain tasks. Third parties include any separate business or individual providing software, physical goods, or supplies or services. Third-parties include software vendors, suppliers, staffing agencies, consultants, and contractors.Read More ›
Third party risk management (TPRM) Third Party Risk Management is a discipline around analyzing and controlling risks associated with outsourcing third-party vendors or service providers. Third-party and vendor risk assessments is an exercise you can conduct to help your organization to determine how much risk exposure you’d take on if you were to outsource a business process or entrust your data to a third party.Read More ›
Virtual compliance officer A virtual compliance officer is a senior professional who can provide information security strategy guidance and oversight and do the work needed to build, implement, and manage information security programs for continuous compliance without the cost of a full-time Chief Compliance Officer.Read More ›
Zero Trust Security Zero Trust is a cybersecurity strategy based on eliminating any trust within an environment regardless of location. Everyone and everything read as a threat until proven otherwise. All users and devices must be authenticated and authorized before being allowed access to valuable resources. Read More ›