The American Institute of Certified Public Accountants (AICPA) oversees the System and Organization Controls (SOC) recommendations and standards for compliance, auditing, and reporting.
An Attestation of Compliance (AOC) is a form used by merchants and service providers to document compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The California Consumer Privacy Act (CCPA) expands California's data privacy provisions to increase protection of consumer information.
Compliance as a service (CaaS) combines cloud-based software and services that enable compliance without prohibitive capital investments.
Compliance automation software uses automation to ease and improve compliance with best practices, regulations, and standards.
Compliance risk management is the identification, assessment, mitigation, and monitoring of the risks of non-compliance with key regulations and standards.
Comprehensive assessment provides detailed information about an organization's adherence to the SOC 2 Trust Services Criteria.
Controls are the policies, procedures, processes, and systems employed to meet specific requirements or criteria, such as those for SOC 2 compliance.
Cybersecurity is the coordinated management of people, processes, and technologies in ways that maximize protection of information systems and data from threats and unauthorized access.
GRC is an acronym for "governance, risk, and compliance" that refers to a consolidated approach to these three critical elements of business management and operations.
An information security management system (ISMS) is a systematic approach to managing information security and customer data protection.
A team of senior leaders within an organization responsible for management of that organization's information security management system (ISMS).
ISO 27001 defines requirements from the International Organization for Standardization (ISO) designed to reduce risks to information systems and customer data.
ISO 27001 Annex A lists the 114 security controls from which companies can choose to craft their specific ISO 27001-compliant security strategies.
The ISO 27001 Security Standard defines information security management system (ISMS) requirements and best practices for their management.
Pen testing is a method for determination of how vulnerable an information infrastructure is to unauthorized access.
Policies are formal declarations of how a company addresses specific elements of information system security and compliance with regulations and standards.
Risk assessment is a detailed evaluation of the risks that could affect all elements of the business information infrastructure, with a focus on information systems and critical data.
A security questionnaire is a tool enterprises use to evaluate the security practices of current and potential business partners.
SOC 1 audits focus on a company's financial controls and policies, and are sometimes conducted as first steps toward SOC 2 compliance.
SOC 2 audits focus on detailed assessments of measures and policies intended to protect customer data.
A SOC 2 auditor is an independent CPA certified to assess and report on the controls in place at a service organization and the effectiveness of those controls at achieving SOC 2 compliance.
A SOC 2+ report addresses multiple industry standards and regulations beyond the AICPA's System and Organization Controls (SOC) framework.
A SOC 3 audit report provides a less technically detailed version of the information contained in a SOC 2 report.
SOC reports document the results of audits of an organization's compliance with the AICPA's System and Organization Controls (SOC) recommendations and standards.
Five Trust Services Criteria -- Security, Availability, Processing Integrity, Confidentiality, and Privacy -- make up the foundation of the AICPA's System and Organization Controls (SOC) recommendations, including SOC 2.
SSAE 16 is the Statement on Standards for Attestation Engagements No. 16, a set of AICPA-developed auditing standards and guidance for applying them.
SSAE 18 is the Statement on Standards for Attestation Engagements No. 18, the current successor to SSAE 16.
A Statement of Applicability (SOA) compares the specific elements of an organization's ISMS with the ISO 27001 Annex A control set.
Vendor assessment is evaluation of the security practices of current and potential vendors.
A company's vendor management policy details the security requirements all third-party vendors and business partners must meet.
Vulnerability management is assessment of the elements of an information system most likely to be subject to a cybersecurity threat or attack.