AICPA »

The American Institute of Certified Public Accountants (AICPA) develops and maintains the System and Organization Controls (SOC) framework: the attestation standards, reporting guidance, and Trust Services Criteria against which SOC audits are performed and reported.

Attestation of Compliance (AOC) »

An Attestation of Compliance (AOC) is a form that merchants and service providers use to document their compliance with the Payment Card Industry Data Security Standard (PCI DSS). It is signed by the assessed entity and, when an assessor performs the assessment, by the Qualified Security Assessor (QSA).

California Consumer Privacy Act »

The California Consumer Privacy Act (CCPA) expands California's data privacy provisions to increase protection of consumer information, giving California residents rights over how businesses collect, use, and sell their personal data.

Compliance as a Service »

Compliance as a service (CaaS) combines cloud-based software and services that enable an organization to achieve and maintain compliance without prohibitive capital investment.

Compliance Automation Software »

Compliance automation software uses automation to ease and improve compliance with best practices, regulations, and standards, for example by collecting control evidence continuously instead of relying on point-in-time manual collection.

Compliance Risk Management »

Compliance risk management is the identification, assessment, mitigation, and monitoring of the risks of non-compliance with key regulations and standards.

Comprehensive Assessment »

Comprehensive assessment provides detailed information about an organization's adherence to the SOC 2 Trust Services Criteria.

Controls »

Controls are the policies, procedures, processes, and systems employed to meet specific requirements or criteria, such as those for SOC 2 compliance.

Cybersecurity »

Cybersecurity is the coordinated management of people, processes, and technologies in ways that maximize protection of information systems and data from threats and unauthorized access.

GRC »

An acronym for "governance, risk, and compliance" that refers to a consolidated approach to these three critical elements of business management and operations.

Information Security Management System (ISMS) »

An information security management system (ISMS) is a systematic approach to managing information security and customer data protection.

ISMS Governing Body »

A team of senior leaders within an organization responsible for management of that organization's information security management system (ISMS).

ISO 27001 »

ISO 27001 (formally ISO/IEC 27001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission) defines the requirements for establishing, operating, and continually improving an information security management system, with the aim of reducing risks to information systems and customer data.

ISO 27001 Annex A Controls »

The security controls listed in Annex A of ISO 27001: 114 controls in 14 domains in the 2013 edition, consolidated into 93 controls in four themes in the 2022 revision. An organization does not freely pick from this list; every Annex A control must be considered against the risk assessment, and any control that is excluded must be justified in the Statement of Applicability.

ISO 27001 Security Standard »

The ISO 27001 Security Standard defines the requirements an information security management system (ISMS) must meet and best practices for managing one.

Pen Testing »

Pen testing (penetration testing) is an authorized, simulated attack on an information infrastructure that determines how vulnerable it is to unauthorized access by actually attempting to exploit weaknesses, rather than only enumerating them as a vulnerability scan does.

Policies »

Policies are formal declarations of how a company addresses specific elements of information system security and compliance with regulations and standards.

Risk Assessment »

Risk assessment is a detailed evaluation of the risks that could affect all elements of the business information infrastructure, with a focus on information systems and critical data.

Security Questionnaire »

A security questionnaire is a tool enterprises use to evaluate the security practices of current and potential business partners.

SOC 1 »

SOC 1 audits focus on a service organization's controls that are relevant to its customers' internal control over financial reporting (ICFR), and are sometimes conducted as a first step toward SOC 2 compliance.

SOC 2 »

SOC 2 audits focus on detailed assessments of the controls and policies a service organization uses to protect customer data, evaluated against the AICPA Trust Services Criteria. A Type I report covers the design of controls at a point in time; a Type II report also tests their operating effectiveness over a review period.

SOC 2 Auditor »

A SOC 2 auditor is an independent, licensed CPA (or CPA firm) engaged to assess and report on the controls in place at a service organization and their effectiveness in meeting the applicable Trust Services Criteria.

SOC 2+ »

A SOC 2+ report addresses multiple industry standards and regulations beyond the AICPA's System and Organization Controls (SOC) framework.

SOC 3 »

A SOC 3 report is a general-use summary of a SOC 2 examination: it states the auditor's opinion without the detailed description of controls and test results, so it can be distributed publicly, whereas a SOC 2 report is restricted to the service organization's customers and other specified parties.

SOC Reports »

SOC reports document the results of an independent CPA's examination of a service organization's controls under the AICPA's System and Organization Controls (SOC) framework.

SOC Trust Services Criteria (TSC) »

Five Trust Services Criteria categories -- Security, Availability, Processing Integrity, Confidentiality, and Privacy -- make up the foundation of the AICPA's System and Organization Controls (SOC) framework, including SOC 2. Security (the common criteria) is included in every SOC 2 examination; the other four are added according to the commitments the service organization makes to its customers.

SSAE 16 »

SSAE 16 is the Statement on Standards for Attestation Engagements No. 16, an AICPA attestation standard, with guidance for applying it, under which service organization control reports were issued until it was superseded by SSAE 18.

SSAE 18 »

SSAE 18 is the Statement on Standards for Attestation Engagements No. 18, the successor to SSAE 16 and the attestation standard under which SOC reports are currently issued, effective for reports dated on or after May 1, 2017.

Statement of Applicability (SoA) »

A Statement of Applicability (SoA) lists every ISO 27001 Annex A control, states whether it applies to the organization's ISMS, justifies each inclusion or exclusion, and records the control's implementation status; auditors use it to tie the risk assessment to the controls actually in place.

Vendor Assessment »

Vendor assessment is the evaluation of the security practices of current and potential vendors.

Vendor Management Policy »

A company's vendor management policy details the security requirements all third-party vendors and business partners must meet.

Vulnerability Management »

Vulnerability management is the continuous process of discovering, prioritizing, remediating, and verifying the remediation of weaknesses in an information system, with priority given to the elements most likely to be targeted by a cybersecurity threat or attack.