Compliance, risk and governance

This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.
  • Gramm-Leach-Bliley Act (GLBA) - The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways financial institutions deal with the private information of individuals.
  • hard drive shredder - A hard drive shredder is a mechanical device that physically destroys old hard drives in such a way that the data they contain cannot be recovered.
  • Health IT (health information technology) - Health IT (health information technology) is the area of IT involving the design, development, creation, use and maintenance of information systems for the healthcare industry.
  • HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 - The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 is legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States.
  • homomorphic encryption - Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
  • ICD-10 (International Classification of Diseases, 10th Revision) - The International Classification of Diseases, 10th Revision (ICD-10), is a global standard for classifying and coding mortality and morbidity data.
  • ICD-10-PCS (International Classification of Diseases, 10th Revision, Procedure Coding System) - The International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) is an American adaptation of the World Health Organization's ICD-10 system, tailored for procedural coding in inpatient and hospital settings.
  • ICD-9-CM (International Classification of Diseases, Ninth Revision, Clinical Modification) - ICD-9-CM is the current medical coding standard used in hospitals in the United States.
  • implied consent - Implied consent is an assumption of permission to do something that is inferred from an individual's actions rather than explicitly provided.
  • information assurance (IA) - Information assurance (IA) is the practice of protecting physical and digital information and the systems that support the information.
  • information governance - Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
  • information lifecycle management (ILM) - Information lifecycle management (ILM) is a comprehensive approach to managing an organization's data and associated metadata, starting with its creation and acquisition through when it becomes obsolete and is deleted.
  • information security management system (ISMS) - An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data.
  • Information Technology Amendment Act 2008 (IT Act 2008) - The Information Technology Amendment Act 2008 (IT Act 2008) is a substantial addition to India's Information Technology Act 2000.
  • integrated risk management (IRM) - Integrated risk management (IRM) is a set of proactive, businesswide practices that contribute to an organization's security, risk tolerance profile and strategic decisions.
  • intellectual property (IP) - Intellectual property (IP) is a term for any intangible asset that is the product of someone's mind.
  • Internet Engineering Task Force (IETF) - The Internet Engineering Task Force (IETF) is the body that defines standard operating internet protocols such as TCP/IP.
  • ISO 22317 (International Standards Organization 22317) - ISO 22317 is the first formal standard to address the business impact analysis process.
  • ISO 31000 Risk Management - The ISO 31000 Risk Management framework is an international standard that provides organizations with guidelines and principles for risk management.
  • ISO date format - The International Organization for Standardization (ISO) date and time format is a standard way to express a numeric calendar date -- and optionally time -- in a format that eliminates ambiguity between entities.
  • IT incident management - IT incident management is an area of IT service management (ITSM) wherein IT teams return a service to normal as quickly as possible after a disruption with as little negative impact on the business as possible.
  • ITAR and EAR compliance - The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) are two important U.
  • ITIL (Information Technology Infrastructure Library) - ITIL (Information Technology Infrastructure Library) is a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business.
  • key risk indicator (KRI) - A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.
  • legal health record (LHR) - A legal health record (LHR) refers to documentation about a patient's personal health information that is created by a healthcare organization or provider.
  • limitation of liability clause - A limitation of liability clause is the section in a service-level agreement (SLA) that specifies the amounts and types of damages that each party will be obliged to provide to the other in particular circumstances.
  • limited liability company (LLC) - A limited liability company (LLC) is a hybrid unincorporated business structure that combines the pass-through tax model of partnerships and sole proprietorships with the protection of individual assets provided by the C corporation.
  • litigation hold (legal hold, preservation order or hold order) - A litigation hold -- also known as legal hold, preservation order or hold order -- is an internal process that an organization undergoes to preserve all data that might relate to a legal action involving the organization.
  • log (log file) - A log, in a computing context, is the automatically produced and time-stamped documentation of events relevant to a particular system.
  • market concentration - Market concentration is the distribution of a given market among the participating companies.
  • Massachusetts data protection law - The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents.
  • medical scribe - A medical scribe is a professional who specializes in documenting patient encounters in real time under the direction of a physician.
  • Microsoft Operations Framework (MOF) - Microsoft Operations Framework (MOF) is a series of 23 documents that guide IT professionals through the processes of creating, implementing and managing efficient and cost-effective services.
  • mobile malware - Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches.
  • net zero - Net zero refers to a state in which all human-caused greenhouse gas emissions are counterbalanced so humanity no longer adds carbon to the atmosphere.
  • NIST Cybersecurity Framework - The NIST Cybersecurity Framework (CSF) provides guidance on how to manage and reduce IT infrastructure security risk.
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) - The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America.
  • ONC (Office of the National Coordinator for Health Information Technology) - The Office of the National Coordinator for Health Information Technology, abbreviated ONC, is an entity within the U.
  • operational risk - Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
  • operational-level agreement (OLA) - An operational-level agreement (OLA) is a contract that defines how various IT groups within a company plan to deliver a service or set of services.
  • Opex (operational expenditure) - Opex (operational expenditure) is the money a company or organization spends on an ongoing, day-to-day basis to run its business.
  • PA-DSS (Payment Application Data Security Standard) - Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
  • PCAOB (Public Company Accounting Oversight Board) - The Public Company Accounting Oversight Board (PCAOB) is a congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
  • PCI assessment - A PCI assessment is an audit of the 12 credit card transaction compliance requirements required by the Payment Card Industry Data Security Standard.
  • PCI DSS 12 requirements - The PCI DSS 12 requirements are a set of security controls businesses must implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI DSS merchant levels - Payment Card Industry Data Security Standard (PCI DSS) merchant levels rank merchants based on their number of transactions per year to outline compliance verification requirements.
  • personally identifiable information (PII) - Personally identifiable information (PII) is any data that could potentially identify a specific individual.
  • principle of least privilege (POLP) - The principle of least privilege (POLP) is a concept in computer security that limits users' access rights to only what is strictly required to do their jobs.
  • privacy compliance - Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
  • privacy impact assessment (PIA) - A privacy impact assessment (PIA) is a method for identifying and assessing privacy risks throughout the development lifecycle of a program or system.
  • privacy policy - A privacy policy is a legal document that explains how an organization handles any customer, client or employee information gathered in its operations.
  • privileged identity management (PIM) - Privileged identity management (PIM) is the monitoring and protection of superuser accounts that hold expanded access to an organization's IT environments.
  • problem list - A problem list is a document that states the most important health problems facing a patient such as nontransitive illnesses or diseases, injuries suffered by the patient, and anything else that has affected the patient or is currently ongoing with the patient.
  • profit and loss statement (P&L) - A profit and loss statement (P&L), also called an income statement or statement of operations, is a financial report that shows a company's revenues, expenses and net profit or loss over a given period of time.
  • protected health information (PHI) or personal health information - Protected health information (PHI), also referred to as personal health information, is the demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
  • PTO (paid time off, personal time off) - Paid time off (PTO) is a human resource management (HRM) policy that provides employees with a pool of bankable hours that can be used for any purpose.
  • pure risk - Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
  • records management - Records management is the supervision and administration of digital or paper records, regardless of format.
  • Regulation SCI (Regulation Systems Compliance and Integrity) - Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.
  • regulatory compliance - Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
  • relationship marketing - Relationship marketing is a facet of customer relationship management (CRM) that focuses on customer loyalty and long-term customer engagement rather than shorter-term goals like customer acquisition and individual sales.
  • remote deposit capture (RDC) - Remote deposit capture (RDC) is a system that allows a customer to scan checks remotely and transmit the check images to a bank for deposit, usually via an encrypted Internet connection.
  • remote wipe - Remote wipe is a security feature that allows a network administrator or device owner to send a command that remotely deletes data from a computing device.
  • Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.
  • residual risk - Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
  • risk appetite - Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.
  • risk assessment - Risk assessment is the process of identifying hazards that could negatively affect an organization's ability to conduct business.
  • risk assessment framework (RAF) - A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
  • risk avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
  • risk exposure - Risk exposure is the quantified potential loss from business activities currently underway or planned.
  • risk map (risk heat map) - A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.
  • risk profile - A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
  • risk reporting - Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
  • Sarbanes-Oxley Act - The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies.
  • Sarbanes-Oxley Act (SOX) Section 404 - Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.
  • Secure Electronic Transaction (SET) - Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
  • Securities and Exchange Commission (SEC) - The Securities and Exchange Commission (SEC) is the U.
  • security audit - A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
  • security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources.
  • segregation of duties (SoD) - Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
  • sensitive information - Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
  • seven wastes - The seven wastes are categories of unproductive manufacturing practices identified by Taiichi Ohno, the father of the Toyota Production System (TPS).
  • Small Disadvantaged Business (SDB) - A Small Disadvantaged Business (SDB) is a small business that is at least 51% owned and controlled by one or more socially and economically disadvantaged individuals.
  • SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) - SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) is a standardized, multilingual vocabulary of clinical terminology that is used by physicians and other health care providers for the electronic exchange of health information.
  • SOC 1 (System and Organization Controls 1) - System and Organization Controls 1, or SOC 1 (pronounced "sock one"), aims to control objectives within a SOC 1 process area and documents internal controls relevant to an audit of a user entity's financial statements.
  • SOC 2 (System and Organization Controls 2) - SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care.
  • SOC 3 (System and Organization Controls 3) - A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.
  • social media policy - A social media policy is a corporate code of conduct that provides guidelines for employees who post content on the internet either as part of their job or as a private person.
  • speculative risk - Speculative risk is a type of risk the risk-taker takes on voluntarily and will result in some degree of profit or loss.
  • spoliation - Spoliation is the destruction, alteration, or mutilation of evidence that may pertain to legal action.
  • SSAE 16 - The Statement on Standards for Attestation Engagements No.
  • standard operating procedure (SOP) - A standard operating procedure (SOP) is a set of written instructions that describes the step-by-step process that must be taken to properly perform a routine activity.
  • supply chain security - Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation.
  • surveillance capitalism - Surveillance capitalism is an economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in 2014 that describes the modern, mass monetization of individuals' raw personal data in order to predict and modify their behavior.
  • sustainability risk management (SRM) - Sustainability risk management (SRM) is a business strategy that aligns profit goals with a company's environmental, social and governance (ESG).
  • SWIFT FIN message - SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
  • takedown request - A takedown request, also called a DMCA takedown or a notice and take down request, is a procedure for asking an internet service provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
  • Telephone Consumer Protection Act (TCPA) - The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.
  • think tank - A think tank is an organization that gathers a group of interdisciplinary scholars to perform research around particular policies, issues or ideas.
  • three lines model - The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.