Compliance Glossary
Key terms and definitions for SOC 2, GDPR, HIPAA, ISO 27001, PCI DSS, CCPA, and NIST CSF compliance. Everything you need to understand the compliance landscape.
A
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
AICPA
The American Institute of Certified Public Accountants (AICPA) is the national professional organization of CPAs in the United States. The AICPA develops and maintains the SOC reporting framework, including SOC 1, SOC 2, and SOC 3 standards used to evaluate service organizations.
Asset Management
Asset management in information security involves maintaining an accurate inventory of all hardware, software, data, and cloud resources an organization uses. It ensures all assets are identified, classified, assigned ownership, and protected according to their value and sensitivity.
Audit Readiness
Audit readiness refers to an organization's state of preparedness for a compliance audit, including having all required policies documented, controls implemented and operating effectively, evidence organized and accessible, and personnel prepared to engage with auditors.
B
Breach Notification
Breach notification is the legal requirement for organizations to inform regulatory authorities and affected individuals when a security incident results in unauthorized access to protected data. Notification timelines and requirements vary significantly by framework and jurisdiction.
Business Continuity
Business continuity planning (BCP) involves developing strategies and procedures to ensure that essential business functions can continue during and after a disaster or significant disruption. It addresses people, processes, technology, and facilities holistically.
C
California Privacy Rights Act
The California Privacy Rights Act (CPRA) is a ballot initiative approved by California voters in November 2020 that significantly amended and expanded the CCPA. It created the California Privacy Protection Agency, introduced new consumer rights, and established requirements for sensitive personal information, effective January 1, 2023.
Cardholder Data Environment
The Cardholder Data Environment (CDE) encompasses all people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Properly scoping the CDE is the critical first step in PCI DSS compliance.
Change Management
Change management is the structured process for reviewing, approving, implementing, and documenting changes to IT systems, infrastructure, and applications. It aims to minimize the risk of unintended disruptions while enabling necessary system evolution.
Compliance Automation
Compliance automation uses technology to streamline and automate the repetitive tasks involved in maintaining regulatory compliance, including evidence collection, control monitoring, policy management, and audit preparation. Tools like Vanta, Drata, and Secureframe are leading platforms in this space.
Continuous Compliance
Continuous compliance is an approach to maintaining regulatory compliance on an ongoing basis through real-time monitoring, automated evidence collection, and proactive remediation rather than periodic point-in-time assessments. It shifts compliance from an annual project to an operational discipline.
Control Mapping
Control mapping is the process of aligning security controls across multiple compliance frameworks to identify overlap, reduce duplicate effort, and maintain a unified control environment. It creates a matrix showing how each control satisfies requirements across SOC 2, ISO 27001, HIPAA, PCI DSS, and other standards.
D
Data Broker
A data broker is a business that knowingly collects and sells to third parties the personal information of consumers with whom it does not have a direct relationship. Under CCPA/CPRA, data brokers must register with the California Attorney General and comply with heightened consumer rights requirements.
Data Classification
Data classification is the process of categorizing data based on its sensitivity level and the impact of unauthorized disclosure. Common tiers include Public, Internal, Confidential, and Restricted, each with corresponding handling and protection requirements.
Data Processing Agreement
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that specifies the terms for processing personal data. Under GDPR Article 28, a DPA is mandatory whenever a controller engages a processor.
Data Retention
Data retention policies define how long different categories of data are stored, where they are stored, and when and how they are securely disposed of. Proper retention schedules balance legal obligations, business needs, and privacy requirements.
Data Subject Access Request
A Data Subject Access Request (DSAR) is a formal request made by an individual to an organization asking what personal data is held about them, how it is processed, and to whom it has been disclosed. Under GDPR, organizations must respond within 30 days.
Detect Function
The Detect function in NIST CSF focuses on developing and implementing activities to identify the occurrence of cybersecurity events in a timely manner. It encompasses anomaly and event detection, continuous security monitoring, and maintenance of detection processes.
Disaster Recovery
Disaster recovery (DR) encompasses the policies, tools, and procedures for recovering IT infrastructure, systems, and data after a catastrophic event. It defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
Do Not Sell
Do Not Sell refers to the CCPA/CPRA requirement for businesses to provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information" on their website homepage. This mechanism enables California consumers to exercise their right to opt out of data sales and sharing.
E
Encryption at Rest
Encryption at rest refers to the protection of data stored on physical or virtual storage media using cryptographic algorithms. It ensures that data remains unreadable to unauthorized parties even if the storage medium is physically compromised or improperly decommissioned.
Encryption in Transit
Encryption in transit protects data as it moves between systems, networks, or endpoints by encrypting the communication channel. TLS (Transport Layer Security) is the most common protocol used to secure data in transit over networks.
Evidence Collection
Evidence collection in compliance refers to the systematic gathering and preservation of artifacts that demonstrate controls are designed and operating effectively. Evidence types include system screenshots, configuration exports, log samples, policy documents, training records, and access review results.
G
Gap Analysis
A gap analysis in compliance is a systematic assessment comparing an organization's current security controls and practices against the requirements of a target framework to identify deficiencies that must be addressed before certification or compliance can be achieved.
GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how personal data of EU residents is collected, processed, stored, and transferred. It became enforceable on May 25, 2018, and applies to any organization worldwide that processes EU resident data.
I
Identify Function
The Identify function in NIST CSF focuses on developing organizational understanding of cybersecurity risks to systems, assets, data, and capabilities. It encompasses asset management, business environment understanding, governance, risk assessment, risk management strategy, and supply chain risk management.
Implementation Tiers
Implementation tiers in NIST CSF describe the degree of rigor and sophistication in an organization's cybersecurity risk management practices. The four tiers are Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4), each representing progressively greater integration of cybersecurity into overall risk management.
Incident Response
Incident response is a structured approach to detecting, containing, eradicating, and recovering from security incidents. A well-defined incident response plan outlines roles, communication procedures, escalation paths, and post-incident review processes.
ISMS
An Information Security Management System (ISMS) is a systematic framework of policies, processes, and controls that an organization implements to manage and reduce information security risks. It encompasses people, processes, and technology in a holistic approach to security governance.
ISO 27001
ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It follows a risk-based approach to managing sensitive information.
N
Network Security
Network security encompasses the technologies, policies, and practices designed to protect the integrity, confidentiality, and availability of network infrastructure and data in transit. It includes firewalls, intrusion detection, network segmentation, and monitoring.
Network Segmentation
Network segmentation is the practice of dividing a computer network into smaller, isolated segments using firewalls, VLANs, or other access controls. In PCI DSS contexts, it isolates the cardholder data environment from the rest of the network to reduce compliance scope.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the National Institute of Standards and Technology for managing cybersecurity risk. Version 2.0, released in 2024, organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
P
Payment Card Industry
The Payment Card Industry (PCI) refers to the ecosystem of organizations involved in payment card transactions, including card brands (Visa, Mastercard, Amex, Discover, JCB), issuing banks, acquiring banks, payment processors, and merchants. The PCI Security Standards Council governs security standards for this ecosystem.
PCI Compliance
PCI compliance refers to an organization's adherence to PCI DSS requirements for protecting cardholder data. Compliance is validated annually through either a QSA assessment (Level 1) or a Self-Assessment Questionnaire (Levels 2-4), and quarterly through network vulnerability scans by an Approved Scanning Vendor.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards mandated by major credit card brands to protect cardholder data. It applies to any organization that stores, processes, or transmits credit card information regardless of size.
Penetration Testing
Penetration testing is a simulated cyberattack conducted by authorized security professionals to identify vulnerabilities in systems, networks, and applications before malicious actors can exploit them. It goes beyond automated scanning by attempting actual exploitation.
Physical Security
Physical security controls protect an organization's facilities, equipment, and physical assets from unauthorized access, theft, damage, and environmental threats. This includes office access controls, server room protections, visitor management, and environmental monitoring.
Point-to-Point Encryption
Point-to-Point Encryption (P2PE) is a PCI SSC-validated standard that encrypts cardholder data from the point of interaction (payment terminal) until it reaches the secure decryption environment at the payment processor. P2PE solutions can significantly reduce PCI DSS scope for merchants.
Privacy Impact Assessment
A Privacy Impact Assessment (PIA), known as a Data Protection Impact Assessment (DPIA) under GDPR, is a systematic process for evaluating how a proposed project or system will affect individual privacy. It identifies privacy risks and recommends mitigations.
Privacy Policy
A privacy policy is a public-facing legal document that describes how an organization collects, uses, shares, and protects personal information. It must be transparent, accurate, and compliant with applicable privacy laws in all jurisdictions where the organization operates.
Protect Function
The Protect function in NIST CSF addresses the implementation of appropriate safeguards to ensure delivery of critical services. It covers identity management, access control, awareness training, data security, information protection processes, maintenance, and protective technology.
R
Recover Function
The Recover function in NIST CSF focuses on developing and implementing activities to maintain resilience and restore services impaired by cybersecurity incidents. It addresses recovery planning, improvements to prevent recurrence, and communications during recovery.
Respond Function
The Respond function in NIST CSF addresses developing and implementing activities to take action regarding detected cybersecurity incidents. It covers response planning, communications, analysis, mitigation, and improvements derived from lessons learned.
Right to Delete
The right to delete under CCPA/CPRA allows California consumers to request that a business delete any personal information it has collected about them. Businesses must comply within 45 days, with limited exceptions for legal obligations, security, and completing transactions.
Right to Know
The right to know under CCPA/CPRA grants California consumers the right to request that a business disclose what personal information it has collected, the sources of that information, the business purposes for collecting it, and the third parties with whom it has been shared or sold.
Right to Opt-Out
The right to opt-out under CCPA/CPRA allows California consumers to direct businesses to stop selling or sharing their personal information with third parties. Businesses must honor opt-out requests and provide a clear "Do Not Sell or Share My Personal Information" link on their website.
Risk Assessment
Risk assessment is the systematic process of identifying, analyzing, and evaluating information security risks to an organization. It involves determining the likelihood and impact of threats exploiting vulnerabilities, then prioritizing risks for treatment through mitigation, transfer, avoidance, or acceptance.
Role-Based Access Control
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles rather than individual users, and users are assigned to roles based on their job functions. This simplifies administration and ensures consistent access provisioning.
S
Self-Assessment Questionnaire
A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool for merchants and service providers who are not required to undergo a full on-site QSA assessment. There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) based on how the organization handles cardholder data.
Sensitive Personal Information
Sensitive personal information under CPRA includes specific categories requiring heightened protections: government IDs, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometrics, health data, and sex life or orientation.
Service Provider (CCPA)
Under CCPA/CPRA, a service provider is a business that processes personal information on behalf of another business pursuant to a written contract that limits data use to specified business purposes. Service providers are distinct from third parties and contractors, with different compliance obligations.
SOC 2 Type II
SOC 2 Type II is an auditing standard developed by the AICPA that evaluates the effectiveness of an organization's controls over a sustained period, typically 6 to 12 months. Unlike a Type I report, which assesses only control design at a point in time, a Type II report verifies that controls are operating effectively throughout the observation window.
SOX Compliance
The Sarbanes-Oxley Act (SOX) is a US federal law that establishes requirements for financial reporting, internal controls, and corporate governance for publicly traded companies. Section 404 requires management assessment and external audit of internal controls over financial reporting.
T
Tokenization
Tokenization is the process of replacing sensitive data with a non-sensitive substitute called a token that has no exploitable value on its own. In the context of payment processing, tokenization replaces primary account numbers with unique tokens that cannot be reversed without access to the tokenization system.
Trust Services Criteria
Trust Services Criteria (TSC) are a set of five principles defined by the AICPA that form the basis for SOC 2 audits. The five categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy, each containing specific control objectives that organizations must address.
V
Vendor Management
Vendor management in compliance refers to the processes and controls used to assess, monitor, and mitigate risks associated with third-party service providers who access an organization's data or systems. It includes due diligence, contractual requirements, and ongoing monitoring.
Vulnerability Management
Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and mitigating security vulnerabilities in systems and software. It includes regular scanning, patch management, and risk-based prioritization.