Every industry has its share of jargon, but arguably none more so than security and compliance. With acronyms like CCPA, SOC, and HIPAA, it can be hard for professionals outside security and compliance to quickly get up to speed on what auditors are referring to.
That’s why we’ve put together this glossary, covering the most important security and compliance terms and acronyms.
CCPA: California Consumer Privacy Act
Enacted in 2018, the CCPA created new consumer rights regarding the collection of personal data by businesses. It covers the access to, sharing of, and deletion of personal information. These rights include the right to know what data is collected, stored and shared, the right to delete personal information held by businesses (including business service providers), the right to opt-out of the sale of personal information, and the right to non-discrimination in terms of price or service.
Controls
Preventative, detective, and corrective measures designed to mitigate or minimize security risks. These can be physical, procedural, technical, legal or regulatory in nature, depending on the type of assets being protected. Systems of controls are often referred to as frameworks or standards. Controls are used to maintain the confidentiality, integrity and availability of the information an organization handles.
ESG Policy: Environmental, Social, and Governance Policy
Three core factors that describe the environmental, societal, and sustainability impacts that investment in an organization may have. They are used to predict the future success of such organizations in terms of risk and return. ESG Policy covers a wide range of factors, including human rights, animal rights, diversity, climate change, sustainability, consumer protection, and management structure and compensation.
GDPR: General Data Protection Regulation
A regulation in European Union law on data protection and privacy. It covers EU member states as well as the European Economic Area (EEA), and also governs the transfer of personal information outside of the EU and EEA. One of the six lawful bases set out by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement) must be established before personal data can be processed.
Resources:
- The Basics of GDPR
- GDPR: What a Fine Regulation! 12 Learnings from the Past 12 Months
- GDPR Requirements for Startups
GRC: Governance, Risk Management and Compliance
An organization’s approach to assessing its capabilities for achieving objectives, as well as managing information, audits, risk, compliance and the various departments within the organization. GRC covers how executives direct and control the organization (governance), how policy is enacted to identify and mitigate risks (risk management), and how the organization meets and maintains its requirements (compliance).
HIPAA: Health Insurance Portability and Accountability Act
An Act passed to modernize the flow of healthcare information in the United States. The Act was also designed to protect personally identifiable information, as well as to establish standards and protections for insurance companies against theft and fraud. The Act comprises five Titles that outline its regulations and protections. Title I protects health insurance coverage for workers and their families during job transitions. Title II covers Administrative Simplification, establishing standards for electronic healthcare transactions. Title III sets guidelines for pre-tax medical spending accounts. Title IV sets guidelines for group health plans. Title V covers company-owned life insurance policies.
ISO/IEC 27001: International Organization for Standardization/International Electrotechnical Commission
A globally recognized international standard for managing information security risks. Certification against this standard gives an organization credibility and demonstrates that it protects client and employee information and manages risks effectively. The standard can be used by any organization, large or small.
Resources:
- What Is ISO 27001 Certification?
- Is ISO 27001 Certification Right for my Business?
- ISO 27001 vs SOC 2 Certification: Six Similarities and Differences
- The Ultimate Survival Guide to ISO 27001
PCI DSS: Payment Card Industry Data Security Standard
A global standard administered by the Payment Card Industry Security Standards Council and required by the major credit card providers to ensure that businesses handle credit card data safely. PCI DSS applies to any organization that accepts or processes card payments. It requires that credit card data be transmitted and stored securely and that compliance with the requirements be confirmed annually. There are four levels of compliance, depending on the type of organization implementing them.
SOC: System and Organization Controls
Validated reports on the internal controls of service organizations, defined, implemented and regulated by the American Institute of Certified Public Accountants. Three types of report exist (SOC 1, SOC 2, SOC 3), each with two levels of reporting (Type 1 and Type 2). SOC focuses on controls grouped into categories called the Trust Service Principles (TSP) or the Trust Service Criteria (TSC).
SOC 1
Controls relevant to internal controls over financial reporting. Distribution is limited to user entities and their independent auditors. The report includes a description of the organization’s system, a description of the controls, and auditor opinions on the fairness of the description and the design and effectiveness of the controls. It encompasses multiple auditing standards.
SOC 2
Controls designed for compliance and operations, with distribution limited to customers and business partners. This report covers controls that address elements of the Trust Service Principles, and focuses on showcasing the organization’s system and controls. It also includes auditor opinions on the fairness of the description and the design and effectiveness of the implemented controls. It uses CSAE 3000 as an auditing standard.
Resources:
- What Is a SOC 2 Audit?
- SOC 2 Type 1 vs Type 2: What’s the Difference?
- How Long Does SOC 2 Take?
- How Much Do SOC 2 Type 1 and 2 Actually Cost?
- The Ultimate Survival Guide to SOC 2 Compliance
SOC 3
Controls designed for compliance and operations, with unrestricted distribution intended for general use. This report covers controls that address elements of the Trust Service Principles, and focuses on showcasing the organization’s system and controls. The system description remains unaudited, and the service auditor provides an opinion on control effectiveness. It uses CSAE 3000 as an auditing standard.
Trust Service Principles (Trust Service Criteria)
An element of SOC reports that focuses on controls in five overlapping categories: Privacy, Security, Availability, Processing Integrity, and Confidentiality. Privacy ensures that personal information is collected, used, stored, shared and destroyed properly. Security encompasses both physical and virtual protections and prevents unauthorized access. Availability ensures that systems and controls are in place and ready for operation or use. Processing Integrity covers quality assurance and proper monitoring of processes, especially with regard to the handling of credit card information. Confidentiality ensures that information designated as confidential is protected by the system.
Type 1
Shows that an organization has best-practice security processes and is working on implementing them. It costs less and takes less time to complete, but the certification lasts only a short time before the organization must be audited again.
Type 2
Shows that an organization understands and has implemented best-practice security processes. It costs more and takes longer to complete, but certifies the organization for a longer period of time. It is used when the organization is not in a hurry to get certified.