Compliance, risk and governance

This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.
  • market concentration - Market concentration is the distribution of a given market among the participating companies.
  • medical scribe - A medical scribe is a professional who specializes in documenting patient encounters in real time under the direction of a physician.
  • Microsoft Operations Framework (MOF) - Microsoft Operations Framework (MOF) is a series of 23 documents that guide IT professionals through the processes of creating, implementing and managing efficient and cost-effective services.
  • mobile malware - Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches.
  • net zero - Net zero refers to a state in which all human-caused greenhouse gas emissions are counterbalanced so humanity no longer adds carbon to the atmosphere.
  • NIST Cybersecurity Framework - The NIST Cybersecurity Framework (CSF) provides guidance on how to manage and reduce IT infrastructure security risk.
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) - The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America.
  • ONC (Office of the National Coordinator for Health Information Technology) - The Office of the National Coordinator for Health Information Technology, abbreviated ONC, is an entity within the U.
  • operational risk - Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
  • operational-level agreement (OLA) - An operational-level agreement (OLA) is a contract that defines how various IT groups within a company plan to deliver a service or set of services.
  • Opex (operational expenditure) - Opex (operational expenditure) is the money a company or organization spends on an ongoing, day-to-day basis to run its business.
  • PA-DSS (Payment Application Data Security Standard) - Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
  • PCAOB (Public Company Accounting Oversight Board) - The Public Company Accounting Oversight Board (PCAOB) is a congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
  • PCI assessment - A PCI assessment is an audit of the 12 credit card transaction compliance requirements required by the Payment Card Industry Data Security Standard.
  • PCI DSS merchant levels - Payment Card Industry Data Security Standard (PCI DSS) merchant levels rank merchants based on their number of transactions per year to outline compliance verification requirements.
  • personally identifiable information (PII) - Personally identifiable information (PII) is any data that could potentially identify a specific individual.
  • principle of least privilege (POLP) - The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs.
  • privacy compliance - Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
  • privacy impact assessment (PIA) - A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system.
  • privacy policy - A privacy policy is a legal document that explains how an organization handles any customer, client or employee information gathered in its operations.
  • privileged identity management (PIM) - Privileged identity management (PIM) is the monitoring and protection of superuser accounts that hold expanded access to an organization's IT environments.
  • problem list - A problem list is a document that states the most important health problems facing a patient such as nontransitive illnesses or diseases, injuries suffered by the patient, and anything else that has affected the patient or is currently ongoing with the patient.
  • profit and loss statement (P&L) - A profit and loss statement (P&L), also called an income statement or statement of operations, is a financial report that shows a company's revenues, expenses and net profit or loss over a given period of time.
  • pure risk - Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
  • Regulation SCI (Regulation Systems Compliance and Integrity) - Regulation SCI (Regulation Systems Compliance and Integrity) is a set of rules adopted by the U.
  • regulatory compliance - Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
  • remote wipe - Remote wipe is a security feature that allows a network administrator or device owner to send a command that remotely deletes data from a computing device.
  • Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.
  • residual risk - Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
  • risk assessment - Risk assessment is the process of identifying hazards that could negatively affect an organization's ability to conduct business.
  • risk assessment framework (RAF) - A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
  • risk avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
  • Sarbanes-Oxley Act (SOX) Section 404 - Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.
  • Secure Electronic Transaction (SET) - Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
  • Securities and Exchange Commission (SEC) - The Securities and Exchange Commission (SEC) is the U.
  • security audit - A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
  • security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources.
  • sensitive information - Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
  • seven wastes - The seven wastes are categories of unproductive manufacturing practices identified by Taiichi Ohno, the father of the Toyota Production System (TPS).
  • Small Disadvantaged Business (SDB) - A Small Disadvantaged Business (SDB) is a small business that is at least 51% owned and controlled by one or more socially and economically disadvantaged individuals.
  • SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) - SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) is a standardized, multilingual vocabulary of clinical terminology that is used by physicians and other health care providers for the electronic exchange of health information.
  • SOC 1 (System and Organization Controls 1) - System and Organization Controls 1, or SOC 1 (pronounced "sock one"), aims to control objectives within a SOC 1 process area and documents internal controls relevant to an audit of a user entity's financial statements.
  • SOC 2 (System and Organization Controls 2) - SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care.
  • SOC 3 (System and Organization Controls 3) - A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.
  • social media policy - A social media policy is a corporate code of conduct that provides guidelines for employees who post content on the internet either as part of their job or as a private person.
  • speculative risk - Speculative risk is a type of risk the risk-taker takes on voluntarily and will result in some degree of profit or loss.
  • spoliation - Spoliation is the destruction, alteration, or mutilation of evidence that may pertain to legal action.
  • SSAE 16 - The Statement on Standards for Attestation Engagements No.
  • standard operating procedure (SOP) - A standard operating procedure is a set of step-by-step instructions for performing a routine activity.
  • supply chain security - Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation.
  • surveillance capitalism - Surveillance capitalism is an economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in 2014 that describes the modern, mass monetization of individuals' raw personal data in order to predict and modify their behavior.
  • SWIFT FIN message - SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
  • takedown request - A takedown request, also called a DMCA takedown or a notice and take down request, is a procedure for asking an internet service provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
  • Telephone Consumer Protection Act (TCPA) - The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.
  • three lines model - The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.
  • tokenization - Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
  • Top searches of 2008 - What were people searching the WhatIs.
  • total risk - Total risk is an assessment that identifies all the risk factors associated with pursuing a specific course of action.
  • transparency - Transparency is the quality of being easily seen through, while transparency in a business or governance context refers to being open and honest.
  • VUCA (volatility, uncertainty, complexity and ambiguity) - VUCA is an acronym that stands for volatility, uncertainty, complexity and ambiguity -- qualities that make a situation or condition difficult to analyze, respond to or plan for.
  • What are agreed-upon procedures (AUPs)? - Agreed-upon procedures are a standard a company or client outlines in an engagement letter or other written agreement when it hires an external party to perform an audit on a specific test or business process.
  • What is a business continuity policy? - A business continuity policy is the set of standards and guidelines an organization enforces to ensure resilience and proper risk management.
  • What is a Certified Information Systems Auditor (CISA)? - Certified Information Systems Auditor (CISA) is a certification and globally recognized standard for appraising an IT auditor's knowledge, expertise and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.
  • What is a cloud access security broker (CASB)? - A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure.
  • What is a cloud service provider? - A cloud service provider, or CSP, is a company that offers components of cloud computing -- typically in an as-a-service model like infrastructure as a service (IaaS), software as a service (SaaS) or platform as a service (PaaS).
  • What is a copyright? - Copyright is a legal term describing ownership or control of the rights to use and distribute certain works of creative expression, including books, video, motion pictures, musical compositions and computer programs.
  • What is a disaster recovery plan (DRP)? - A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume operations after an unplanned incident.
  • What is a key risk indicator (KRI) and why is it important? - A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization's risk appetite.
  • What is a private cloud? Definition and examples - Private cloud is a type of cloud computing that delivers advantages similar to public cloud, including scalability and self-service, but through a proprietary architecture.
  • What is a risk map (risk heat map)? - A risk map, or risk heat map, is a data visualization tool for communicating specific risks an organization faces.
  • What is a risk profile? Definition, examples and types - A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
  • What is a think tank? - A think tank is an organization that gathers a group of interdisciplinary scholars to perform research around particular policies, issues or ideas.
  • What is an ESG score? - An ESG score is a way to assign a quantitative metric, such as a numerical score or letter rating, to the environmental, social and governance (ESG) efforts or an organization.
  • What is augmented intelligence? - Augmented intelligence is the use of technology to enhance a human's ability to execute tasks, perform analysis and make decisions.
  • What is BCDR? Business continuity and disaster recovery guide - Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization's ability to remain operational after an adverse event.
  • What is blockchain? Definition, examples and how it works - Blockchain is a distributed ledger technology (DLT) that's shared across a network of computers to keep a digital record of transactions.
  • What is business resilience? - Business resilience is an organization's ability to adapt quickly to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.
  • What is business sustainability? - Business sustainability, also known as corporate sustainability, is the management of environmental, social and financial concerns by a company to ensure responsible, ethical and ongoing success.
  • What is cloud asset management? - Cloud asset management is the practice of tracking and managing the resources used in an organization's cloud-based services.
  • What is compliance risk? - Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
  • What is corporate governance? - Corporate governance is the combination of rules, processes and laws by which businesses are operated, regulated and controlled.
  • What is corporate social responsibility (CSR)? - Corporate social responsibility (CSR) is a strategy undertaken by companies to not just grow profits, but also to take an active and positive social role in the world around them.
  • What is cybersecurity? - Cybersecurity is the practice of protecting internet-connected systems such as hardware, software and data from cyberthreats.
  • What is data democratization? - Data democratization makes information in a digital format accessible to the average end user.
  • What is data privacy? - Data privacy, also called information privacy, is an aspect of data protection that addresses the proper storage, access, retention, immutability and security of sensitive data.
  • What is emergent medical data? - Emergent medical data (EMD) is health information gathered about an individual from seemingly unrelated online user behavior data.
  • What is enterprise content management? Guide to ECM - Enterprise content management is a set of defined processes, strategies and tools that enables a business to obtain, organize, store and deliver critical information to its employees, business stakeholders and customers.
  • What is ESG (environmental, social and governance)? - Environmental, social and governance (ESG) is a framework used to assess an organization's business practices and performance on various sustainability and ethical issues.
  • What is ESG reporting? - ESG reporting is a type of corporate disclosure that details the environmental, social and governance (ESG) promises, efforts and progress of an organization.
  • What is GDPR? Compliance and conditions explained - The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU).
  • What is HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009? - The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 is legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States.
  • What is ICD-9-CM (International Classification of Diseases, Ninth Revision, Clinical Modification)? - The International Classification of Diseases, Ninth Revision, Clinical Modification, also known simply as ICD-9-CM, is the U.
  • What is information security management system (ISMS)? - An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data.
  • What is ITIL? A guide to the IT Infrastructure Library - ITIL (Information Technology Infrastructure Library) is a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business.
  • What is network configuration management (NCM)? - Network configuration management (NCM) is the process of organizing and maintaining information about all the components in a computer network.
  • What is OPSEC (operations security)? - OPSEC (operations security) is an analytical process that military, law enforcement, government and private organizations use to prevent sensitive or proprietary information from being accessed inappropriately.
  • What is PHI (protected or personal health information)? - Protected health information (PHI), also referred to as 'personal health information,' is the demographic information, medical histories, test and laboratory results, physical and mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
  • What is records management? - Records management is the supervision and administration of digital or paper records, regardless of format.
  • What is relationship marketing? - Relationship marketing is a facet of customer relationship management (CRM) that focuses on customer loyalty and long-term customer engagement rather than shorter-term goals like customer acquisition and individual sales.
  • What is risk appetite? - Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.