Compliance, risk and governance
This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.- accountability - Accountability is an assurance that an individual or an organization is evaluated on its performance or behavior related to something for which it is responsible.
- agreed-upon procedures (AUP) - Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business process and then report on the results.
- Allscripts - Allscripts is a vendor of electronic health record systems for physician practices, hospitals and healthcare systems.
- Amazon Simple Storage Service (Amazon S3) - Amazon Simple Storage Service (Amazon S3) is a scalable, high-speed, web-based cloud storage service.
- anti-competitive practice - An anti-competitive practice is an action conducted by one or more businesses to make it difficult or impossible for other companies to enter or succeed in their market.
- antitrust - Antitrust is a group of laws established to regulate business practices in order to ensure that fair competition occurs in an open-market economy for the benefit of consumers.
- audit program (audit plan) - An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.
- Bank Secrecy Act (BSA) - The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, is legislation passed by the United States Congress in 1970 that requires U.
- Big 4 - The Big 4 are the four largest international accounting and professional services firms.
- blockchain - Blockchain is a record-keeping technology designed to make it impossible to hack the system or forge the data stored on it, thereby making it secure and immutable.
- business continuity - Business continuity is an organization's ability to maintain critical business functions during and after a disaster has occurred.
- business continuity policy - A business continuity policy is a set of standards and guidelines that an organization enforces to ensure resilience and proper risk management.
- business process outsourcing (BPO) - Business process outsourcing (BPO) is a business practice in which an organization contracts with an external service provider to perform an essential business function or task.
- business resilience - Business resilience is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.
- Capex (capital expenditure) - A capital expenditure (Capex) is money invested by a company to acquire or upgrade fixed, physical, non-consumable assets, such as buildings and equipment or a new business.
- carbon accounting - Carbon accounting is the process of calculating and tracking the amount of carbon dioxide (CO2) and other greenhouse gas (GHG) emissions both produced and removed from the biosphere by an organization.
- cardholder data (CD) - Cardholder data (CD) is any personally identifiable information (PII) associated with a person who has a credit or debit card.
- cardholder data environment (CDE) - A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores or transmits cardholder data or sensitive payment authentication data.
- CERT-In (the Indian Computer Emergency Response Team) - CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization.
- chief data officer (CDO) - A chief data officer (CDO) in many organizations is a C-level executive whose position has evolved into a range of strategic data management responsibilities related to the business to derive maximum value from the data available to the enterprise.
- chief privacy officer (CPO) - A chief privacy officer (CPO) is a corporate executive charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.
- chief risk officer (CRO) - The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.
- chief trust officer - A chief trust officer (CTrO) in the IT industry is an executive job title given to the person responsible for building confidence around the use of customer information.
- Class C2 - Class C2 is a security rating established by the U.
- clean desk policy (CDP) - A clean desk policy (CDP) is a corporate directive that specifies how employees should leave their working space when they leave the office.
- clinical decision support system (CDSS) - A clinical decision support system (CDSS) is an application that analyzes data to help healthcare providers make decisions and improve patient care.
- clinical documentation - Clinical documentation (CD) is the creation of a digital or analog record detailing a medical treatment, medical trial or clinical test.
- clinical trial - A clinical trial, also known as a clinical research study, is a protocol to evaluate the effects and efficacy of experimental medical treatments or behavioral interventions on health outcomes.
- cloud audit - A cloud audit is an assessment of a cloud computing environment and its services, based on a specific set of controls and best practices.
- COBIT - COBIT is an IT governance framework for businesses wanting to implement, monitor and improve IT management best practices.
- competition law - Competition law is the body of legislation intended to prevent market distortion caused by anti-competitive practices on the part of businesses.
- compliance - Compliance is the state of being in accordance with established guidelines or specifications, or the process of becoming so.
- compliance as a service (CaaS) - Compliance as a service (CaaS) is a cloud service that specifies how a managed service provider (MSP) helps an organization meet its regulatory compliance mandates.
- compliance audit - A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
- compliance automation - Compliance automation, also known as automated compliance, is the practice of using technology -- such as applications with artificial intelligence features -- to perform and simplify compliance procedures.
- compliance framework - A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.
- compliance officer - Compliance officers are employees tasked with ensuring a company follows its internal rules and best-practice policies while always complying with applicable external laws and government regulations.
- Computer Fraud and Abuse Act (CFAA) - The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that imposes criminal penalties on individuals who intentionally access a protected computer without proper authorization or whose access exceeds their authorization.
- consumer privacy (customer privacy) - Consumer privacy, also known as customer privacy, involves the handling and protection of the sensitive personal information provided by customers in the course of everyday transactions.
- container (disambiguation) - This page explains how the term container is used in software development, storage, data center management and mobile device management.
- content services platform - A content services platform is cloud-based SaaS software that enables users to create, share, collaborate on and store text, audio and video content.
- contingency plan - A contingency plan is a course of action designed to help an organization respond effectively to a significant future incident, event or situation that may or may not happen.
- Continuity of Care Document (CCD) - A Continuity of Care Document (CCD) is an electronic, patient-specific document detailing a patient's medical history.
- Continuity of Care Record (CCR) - The Continuity of Care Record, or CCR, provides a standardized way to create electronic snapshots about a patient's health information.
- control framework - A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.
- COPPA (Children's Online Privacy Protection Act ) - The Children's Online Privacy Protection Act of 1998 (COPPA) is a federal law that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13.
- copyright - Copyright is a legal term describing ownership of control of the rights to the use and distribution of certain works of creative expression, including books, video, motion pictures, musical compositions and computer programs.
- core banking system - A core banking system is the software that banks use to manage their most critical processes, such as customer accounts, transactions and risk management.
- corporate governance - Corporate governance is the combination of rules, processes and laws by which businesses are operated, regulated and controlled.
- COSO Framework - The COSO Framework is a system used to establish internal controls to be integrated into business processes.
- critical infrastructure - Critical infrastructure is the collection of systems, networks and public works that a government considers essential to its functioning and safety of its citizens.
- cyber resilience - Cyber resilience is the ability of a computing system to identify, respond and recover quickly should it experience a security incident.
- cybersecurity - Cybersecurity is the practice of protecting internet-connected systems such as hardware, software and data from cyberthreats.
- data breach - A data breach is a cyber attack in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorized fashion.
- data classification - Data classification is the process of organizing data into categories that make it easy to retrieve, sort and store for future use.
- data compliance - Data compliance is a process that identifies the applicable governance for data protection, security, storage and other activities and establishes policies, procedures and protocols ensuring data is fully protected from unauthorized access and use, malware and other cybersecurity threats.
- data integrity - Data integrity is the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so.
- data lifecycle management (DLM) - Data lifecycle management (DLM) is a policy-based approach to managing the flow of an information system's data throughout its lifecycle: from creation and initial storage to when it becomes obsolete and is deleted.
- data masking - Data masking is a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
- Data Protection Act 2018 (DPA 2018) - The Data Protection Act 2018 (DPA 2018) is a legislative framework in the United Kingdom governing the processing of personal data.
- data protection impact assessment (DPIA) - A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, procedures or technologies affect individuals' privacy and eliminate any risks that might violate compliance.
- data protection management (DPM) - Data protection management (DPM) is the administration, monitoring and management of backup processes to ensure backup tasks run on schedule and data is securely backed up and recoverable.
- data sovereignty - Data sovereignty is the concept that information that has been generated, processed, converted and stored in binary digital form is subject to the laws of the country in which it was generated.
- data structure - A data structure is a specialized format for organizing, processing, retrieving and storing data.
- Digital Millennium Copyright Act (DMCA) - The Digital Millennium Copyright Act (DMCA) is a controversial United States digital rights management (DRM) law enacted October 28, 1998 by then-President Bill Clinton.
- disaster recovery plan (DRP) - A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume operations after an unplanned incident.
- document sanitization - Document sanitization is the process of cleaning a document to ensure that only the intended information can be accessed from it.
- Dodd-Frank Act - The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government.
- E-Sign Act (Electronic Signatures in Global and National Commerce Act) - The E-Sign Act (Electronic Signatures in Global and National Commerce Act) is a U.
- Electronic Communications Privacy Act (ECPA) - The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits a third party from intercepting or disclosing communications without authorization.
- Electronic Discovery Reference Model (EDRM) - The Electronic Discovery Reference Model (EDRM) is a conceptual framework that outlines activities for the recovery and discovery of digital data.
- electronic protected health information (ePHI) - Electronic protected health information (ePHI) is protected health information that is produced, saved, transferred or received in an electronic form.
- electronically stored information (ESI) - Electronically stored information (ESI) is data that is created, altered, communicated and stored in digital form.
- encryption key management - Encryption key management is the practice of generating, organizing, protecting, storing, backing up and distributing encryption keys.
- enterprise document management (EDM) - Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be easily retrieved in the event of a compliance audit or subpoena.
- enterprise information management (EIM) - Enterprise information management (EIM) is the set of business processes, disciplines and practices used to manage the information created from an organization's data as an enterprise asset.
- enterprise risk management (ERM) - Enterprise risk management (ERM) is the process of planning, organizing, directing and controlling the activities of an organization to minimize the harmful effects of risk on its capital and earnings.
- FACTA (Fair and Accurate Credit Transactions Act) - FACTA (Fair and Accurate Credit Transactions Act) is an amendment to FCRA (Fair Credit Reporting Act ) that was added, primarily, to protect consumers from identity theft.
- Fair Credit Reporting Act (FCRA) - The Fair Credit Reporting Act (FCRA) is United States federal legislation that promotes accuracy, fairness and privacy for data used by consumer reporting agencies.
- Fair Information Practices (FIP) - FIP (Fair Information Practices) is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy.
- Federal Information Security Modernization Act (FISMA) - ): The Federal Information Security Modernization Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information technology operations from cyberthreats.
- FMEA (Failure Mode and Effects Analysis) - FMEA (failure mode and effects analysis) is a step-by-step approach for collecting knowledge about possible points of failure in a design, manufacturing process, product or service.
- forensic image - A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space.
- FTC (Federal Trade Commission) - The FTC, or Federal Trade Commission, is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.
- GAAP (generally accepted accounting principles) - GAAP (generally accepted accounting principles) is a collection of commonly followed accounting rules and standards for financial reporting.
- GAFA (the big four) - GAFA is an acronym for Google, Apple, Facebook and Amazon (the second and fourth companies are sometimes reversed in order).
- gag order - A gag order is a stipulation that those so-ordered will not divulge information learned in a particular situation, such as a court, a public office or a corporate environment.
- Generally Accepted Recordkeeping Principles (the Principles) - Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.
- geo-blocking - Geo-blocking is blocking something based on its location.
- good automated manufacturing practice (GAMP) - Good automated manufacturing practice (GAMP) is a set of guidelines manufacturers and other automation users follow to maintain operational efficiency and reliability.
- governance, risk and compliance (GRC) - Governance, risk and compliance (GRC) refers to an organization's strategy for handling the interdependencies among the following three components: corporate governance policies, enterprise risk management programs, and regulatory and company compliance.
- Gramm-Leach-Bliley Act (GLBA) - The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways financial institutions deal with the private information of individuals.
- hard drive shredder - A hard drive shredder is a mechanical device that physically destroys old hard drives in such a way that the data they contain cannot be recovered.
- Health IT (health information technology) - Health IT (health information technology) is the area of IT involving the design, development, creation, use and maintenance of information systems for the healthcare industry.
- homomorphic encryption - Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
- ICD-10 (International Classification of Diseases, 10th Revision) - The International Classification of Diseases, 10th Revision (ICD-10), is a global standard for classifying and coding mortality and morbidity data.
- ICD-10-CM (Clinical Modification) - The ICD-10-CM (International Classification of Diseases, 10th Revision, Clinical Modification) is a system used by physicians and other healthcare providers to classify and code all diagnoses, symptoms and procedures related to inpatient and outpatient medical care in the United States.
- ICD-10-PCS (International Classification of Diseases, 10th Revision, Procedure Coding System) - The International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) is an American adaptation of the World Health Organization's ICD-10 system, tailored for procedural coding in inpatient and hospital settings.
- implied consent - Implied consent is an assumption of permission to do something that is inferred from an individual's actions rather than explicitly provided.
- information assurance (IA) - Information assurance (IA) is the practice of protecting physical and digital information and the systems that support the information.