Compliance, risk and governance

This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.
  • information governance - Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
  • information lifecycle management (ILM) - Information lifecycle management (ILM) is a comprehensive approach to managing an organization's data and associated metadata, starting with its creation and acquisition through when it becomes obsolete and is deleted.
  • information security management system (ISMS) - An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data.
  • Information Technology Amendment Act 2008 (IT Act 2008) - The Information Technology Amendment Act 2008 (IT Act 2008) is a substantial addition to India's Information Technology Act 2000.
  • integrated risk management (IRM) - Integrated risk management (IRM) is a set of proactive, businesswide practices that contribute to an organization's security, risk tolerance profile and strategic decisions.
  • intellectual property (IP) - Intellectual property (IP) is a term for any intangible asset that is the product of someone's mind.
  • Internet Engineering Task Force (IETF) - The Internet Engineering Task Force (IETF) is the body that defines standard operating internet protocols such as TCP/IP.
  • ISO 31000 Risk Management - The ISO 31000 Risk Management framework is an international standard that provides organizations with guidelines and principles for risk management.
  • ISO date format - The International Organization for Standardization (ISO) date and time format is a standard way to express a numeric calendar date -- and optionally time -- in a format that eliminates ambiguity between entities.
  • ISO/TS 22317 (International Organization for Standardization Technical Standard 22317) - ISO/TS 22317 is the first formal standard to address the business impact analysis process.
  • IT incident management - IT incident management is a component of IT service management (ITSM) that aims to rapidly restore services to normal following an incident while minimizing adverse effects on the business.
  • ITAR and EAR compliance - The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) are two important U.
  • key risk indicator (KRI) - A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.
  • legal health record (LHR) - A legal health record (LHR) refers to documentation about a patient's personal health information that is created by a healthcare organization or provider.
  • limitation of liability clause - A limitation of liability clause is the section in a service-level agreement (SLA) that specifies the amounts and types of damages that each party will be obliged to provide to the other in particular circumstances.
  • limited liability company (LLC) - A limited liability company (LLC) is a business structure in the United States that provides its owners with limited liability protection while allowing the flexibility of being taxed as a partnership or sole proprietorship.
  • litigation hold (legal hold, preservation order or hold order) - A litigation hold -- also known as legal hold, preservation order or hold order -- is an internal process that an organization undergoes to preserve all data that might relate to a legal action involving the organization.
  • log file - A log file, or simply a log, in a computing context is the automatically produced and timestamped documentation of events relevant to a particular system.
  • market concentration - Market concentration is the distribution of a given market among the participating companies.
  • Massachusetts data protection law - What is the Massachusetts data protection law?The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents.
  • medical scribe - A medical scribe is a professional who specializes in documenting patient encounters in real time under the direction of a physician.
  • Microsoft Operations Framework (MOF) - Microsoft Operations Framework (MOF) is a series of 23 documents that guide IT professionals through the processes of creating, implementing and managing efficient and cost-effective services.
  • mobile malware - Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches.
  • net zero - Net zero refers to a state in which all human-caused greenhouse gas emissions are counterbalanced so humanity no longer adds carbon to the atmosphere.
  • NIST Cybersecurity Framework - The NIST Cybersecurity Framework (CSF) provides guidance on how to manage and reduce IT infrastructure security risk.
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) - The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America.
  • ONC (Office of the National Coordinator for Health Information Technology) - The Office of the National Coordinator for Health Information Technology, abbreviated ONC, is an entity within the U.
  • operational risk - Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
  • operational-level agreement (OLA) - An operational-level agreement (OLA) is a contract that defines how various IT groups within a company plan to deliver a service or set of services.
  • Opex (operational expenditure) - Opex (operational expenditure) is the money a company or organization spends on an ongoing, day-to-day basis to run its business.
  • PA-DSS (Payment Application Data Security Standard) - Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
  • PCAOB (Public Company Accounting Oversight Board) - The Public Company Accounting Oversight Board (PCAOB) is a congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
  • PCI assessment - A PCI assessment is an audit of the 12 credit card transaction compliance requirements required by the Payment Card Industry Data Security Standard.
  • PCI DSS 12 requirements - The PCI DSS 12 requirements are a set of security controls businesses must implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI DSS merchant levels - Payment Card Industry Data Security Standard (PCI DSS) merchant levels rank merchants based on their number of transactions per year to outline compliance verification requirements.
  • personally identifiable information (PII) - Personally identifiable information (PII) is any data that could potentially identify a specific individual.
  • principle of least privilege (POLP) - The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs.
  • privacy compliance - Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
  • privacy impact assessment (PIA) - A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system.
  • privacy policy - A privacy policy is a legal document that explains how an organization handles any customer, client or employee information gathered in its operations.
  • privileged identity management (PIM) - Privileged identity management (PIM) is the monitoring and protection of superuser accounts that hold expanded access to an organization's IT environments.
  • problem list - A problem list is a document that states the most important health problems facing a patient such as nontransitive illnesses or diseases, injuries suffered by the patient, and anything else that has affected the patient or is currently ongoing with the patient.
  • profit and loss statement (P&L) - A profit and loss statement (P&L), also called an income statement or statement of operations, is a financial report that shows a company's revenues, expenses and net profit or loss over a given period of time.
  • PTO (paid time off, personal time off) - Paid time off (PTO) is a human resource management (HRM) policy that provides employees with a pool of bankable hours that can be used for any purpose.
  • pure risk - Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
  • Regulation SCI (Regulation Systems Compliance and Integrity) - Regulation SCI (Regulation Systems Compliance and Integrity) is a set of rules adopted by the U.
  • regulatory compliance - Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
  • remote wipe - Remote wipe is a security feature that allows a network administrator or device owner to send a command that remotely deletes data from a computing device.
  • Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.
  • residual risk - Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
  • risk appetite - Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.
  • risk assessment - Risk assessment is the process of identifying hazards that could negatively affect an organization's ability to conduct business.
  • risk assessment framework (RAF) - A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
  • risk avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
  • risk exposure - Risk exposure is the quantified potential loss from business activities currently underway or planned.
  • risk map (risk heat map) - A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.
  • risk profile - A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
  • risk reporting - Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
  • Sarbanes-Oxley Act - The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies.
  • Sarbanes-Oxley Act (SOX) Section 404 - Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.
  • Secure Electronic Transaction (SET) - Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
  • Securities and Exchange Commission (SEC) - The Securities and Exchange Commission (SEC) is the U.
  • security audit - A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
  • security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources.
  • segregation of duties (SoD) - Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
  • sensitive information - Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
  • seven wastes - The seven wastes are categories of unproductive manufacturing practices identified by Taiichi Ohno, the father of the Toyota Production System (TPS).
  • Small Disadvantaged Business (SDB) - A Small Disadvantaged Business (SDB) is a small business that is at least 51% owned and controlled by one or more socially and economically disadvantaged individuals.
  • SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) - SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) is a standardized, multilingual vocabulary of clinical terminology that is used by physicians and other health care providers for the electronic exchange of health information.
  • SOC 1 (System and Organization Controls 1) - System and Organization Controls 1, or SOC 1 (pronounced "sock one"), aims to control objectives within a SOC 1 process area and documents internal controls relevant to an audit of a user entity's financial statements.
  • SOC 2 (System and Organization Controls 2) - SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care.
  • SOC 3 (System and Organization Controls 3) - A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.
  • social media policy - A social media policy is a corporate code of conduct that provides guidelines for employees who post content on the internet either as part of their job or as a private person.
  • speculative risk - Speculative risk is a type of risk the risk-taker takes on voluntarily and will result in some degree of profit or loss.
  • spoliation - Spoliation is the destruction, alteration, or mutilation of evidence that may pertain to legal action.
  • SSAE 16 - The Statement on Standards for Attestation Engagements No.
  • standard operating procedure (SOP) - A standard operating procedure is a set of step-by-step instructions for performing a routine activity.
  • supply chain security - Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation.
  • surveillance capitalism - Surveillance capitalism is an economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in 2014 that describes the modern, mass monetization of individuals' raw personal data in order to predict and modify their behavior.
  • sustainability risk management (SRM) - Sustainability risk management (SRM) is a business strategy that aligns profit goals with a company's environmental, social and governance (ESG).
  • SWIFT FIN message - SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
  • takedown request - A takedown request, also called a DMCA takedown or a notice and take down request, is a procedure for asking an internet service provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
  • Telephone Consumer Protection Act (TCPA) - The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.
  • think tank - A think tank is an organization that gathers a group of interdisciplinary scholars to perform research around particular policies, issues or ideas.
  • three lines model - The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.
  • tokenization - Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
  • Top searches of 2008 - What were people searching the WhatIs.
  • total risk - Total risk is an assessment that identifies all the risk factors associated with pursuing a specific course of action.
  • transparency - Transparency is the quality of being easily seen through, while transparency in a business or governance context refers to being open and honest.
  • unknown unknown - An unknown unknown is unidentified information.
  • VUCA (volatility, uncertainty, complexity and ambiguity) - VUCA is an acronym that stands for volatility, uncertainty, complexity and ambiguity -- qualities that make a situation or condition difficult to analyze, respond to or plan for.
  • What is a Certified Information Systems Auditor (CISA)? - Certified Information Systems Auditor (CISA) is a certification and globally recognized standard for appraising an IT auditor's knowledge, expertise and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.
  • What is a cloud access security broker (CASB)? - A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure.
  • What is a private cloud? - Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, but through a proprietary architecture.
  • What is an ESG score? - An ESG score is a way to assign a quantitative metric, such as a numerical score or letter rating, to the environmental, social and governance (ESG) efforts or an organization.
  • What is augmented intelligence? - Augmented intelligence is the use of technology to enhance a human's ability to execute tasks, perform analysis and make decisions.
  • What is BCDR? Business continuity and disaster recovery guide - Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization's ability to remain operational after an adverse event.
  • What is business sustainability? - Business sustainability, also known as corporate sustainability, is the management of environmental, social and financial concerns by a company to ensure responsible, ethical and ongoing success.
  • What is compliance risk? - Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
  • What is corporate social responsibility (CSR)? - Corporate social responsibility (CSR) is a strategy undertaken by companies to not just grow profits, but also to take an active and positive social role in the world around them.