Compliance, risk and governance

This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.

HIT - TRA

HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 - The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 is legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States.
homomorphic encryption - Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form.
human resource management (HRM) - Human resource management (HRM) is the practice of recruiting, hiring, deploying and managing an organization's employees.
ICD-9-CM (International Classification of Diseases, Ninth Revision, Clinical Modification) - ICD-9-CM is the current medical coding standard used in hospitals in the United States.
implied consent - Implied consent is an assumption of permission to do something that is inferred from an individual's actions rather than explicitly provided.
information governance - Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
information lifecycle management (ILM) - Information lifecycle management (ILM) is a comprehensive approach to managing an organization's data and associated metadata, starting with its creation and acquisition through when it becomes obsolete and is deleted.
information security management system (ISMS) - An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data.
Information Technology Amendment Act 2008 (IT Act 2008) - The Information Technology Amendment Act 2008 (IT Act 2008) is a substantial addition to India's Information Technology Act 2000.
intellectual property (IP) - Intellectual property (IP) is a term for any intangible asset -- something proprietary that doesn't exist as a physical object but has value.
Internet Engineering Task Force (IETF) - The Internet Engineering Task Force (IETF) is the body that defines standard operating internet protocols such as TCP/IP.
ISO 22317 (International Standards Organization 22317) - ISO 22317 is the first formal standard to address the business impact analysis process.
ISO 31000 Risk Management - The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization.
ISO date format - The International Organization for Standardization (ISO) date and time format is a standard way to express a numeric calendar date -- and optionally time -- in a format that eliminates ambiguity between entities.
IT audit (information technology audit) - An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.
IT incident management - IT incident management is an area of IT service management (ITSM) wherein IT teams return a service to normal as quickly as possible after a disruption with as little negative impact on the business as possible.
ITAR and EAR compliance - The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) are two important U.
ITIL (Information Technology Infrastructure Library) - ITIL (Information Technology Infrastructure Library) is a framework designed to standardize the selection, planning, delivery, maintenance and overall lifecycle of IT services within a business.
key risk indicator (KRI) - A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.
Kyoto Protocol - The Kyoto Protocol, also known as the Kyoto Accord, is an international treaty among industrialized nations that sets mandatory limits on greenhouse gas emissions.
limitation of liability clause - A limitation of liability clause is the section in a service-level agreement (SLA) that specifies the amounts and types of damages that each party will be obliged to provide to the other in particular circumstances.
limited liability company (LLC) - A limited liability company (LLC) is a hybrid unincorporated business structure that combines the pass-through tax model of partnerships and sole proprietorships with the protection of individual assets provided by the C corporation.
litigation hold (legal hold, preservation order or hold order) - A litigation hold -- also known as legal hold, preservation order or hold order -- is an internal process that an organization undergoes to preserve all data that might relate to a legal action involving the organization.
log (log file) - A log, in a computing context, is the automatically produced and time-stamped documentation of events relevant to a particular system.
managed file transfer (MFT) - Managed file transfer (MFT) is a type of software used to provide secure internal, external and ad-hoc data transfers through a network.
market concentration - Market concentration is the distribution of a given market among the participating companies.
mass notification system (MNS) - A mass notification system is a platform that sends one-way messages to inform employees and the public of an emergency.
Massachusetts data protection law - What is the Massachusetts data protection law?The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents.
Microsoft Operations Framework (MOF) - Microsoft Operations Framework (MOF) is a series of 23 documents that guide IT professionals through the processes of creating, implementing and managing efficient and cost-effective services.
mobile malware - Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) - The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America.
ONC (Office of the National Coordinator for Health Information Technology) - The Office of the National Coordinator for Health Information Technology, abbreviated ONC, is an entity within the U.
operational level agreement (OLA) - An operational level agreement (OLA) is a contract that defines how various IT groups within a company plan to deliver a service or set of services.
operational risk - Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
Opex (operational expenditure) - Opex (operational expenditure) is the money a company or organization spends on an ongoing, day-to-day basis to run its business.
PA-DSS (Payment Application Data Security Standard) - Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
PCAOB (Public Company Accounting Oversight Board) - The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
PCI assessment - A PCI assessment is an audit of the 12 credit card transaction compliance requirements required by the Payment Card Industry Data Security Standard.
PCI DSS 12 requirements - PCI DSS 12 requirements is a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS compliance (Payment Card Industry Data Security Standard compliance) - Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.
PCI DSS merchant levels - Merchant levels are used by the payment card industry (PCI) to determine risk levels and determine the appropriate level of security for their businesses.
personally identifiable information (PII) - Personally identifiable information (PII) is any data that could potentially identify a specific individual.
policy engine - A policy engine is a software component that allows an organization to create, monitor and enforce rules about how network resources and the organization's data can be accessed.
privacy compliance - Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
privacy impact assessment (PIA) - A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared and maintained by an organization.
problem list - A problem list is a document that states the most important health problems facing a patient such as nontransitive illnesses or diseases, injuries suffered by the patient, and anything else that has affected the patient or is currently ongoing with the patient.
protected health information (PHI) or personal health information - Protected health information (PHI), also referred to as personal health information, is the demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
PTO (paid time off, personal time off) - Paid time off (PTO) is a human resource management (HRM) policy that provides employees with a pool of bankable hours that can be used for any purpose.
public sector - The public sector is the segment of an economic system that is controlled by government; it contrasts with the private sector, which is run by private citizens.
pure risk - Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
quiet period - A quiet period is a measure of time during which corporate insiders are restricted from disclosing information relative to the performance or prospective performance of a company before that information is made public.
records management - Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.
RegTech - RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.
Regulation Fair Disclosure (Regulation FD or Reg FD) - Regulation Fair Disclosure is a rule passed by the U.
Regulation SCI (Regulation Systems Compliance and Integrity) - Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.
regulatory compliance - Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
relationship marketing - Relationship marketing is a facet of customer relationship management (CRM) that focuses on customer loyalty and long-term customer engagement rather than shorter-term goals like customer acquisition and individual sales.
remote deposit capture (RDC) - Remote deposit capture (RDC) is a system that allows a customer to scan checks remotely and transmit the check images to a bank for deposit, usually via an encrypted Internet connection.
Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.
residual risk - Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
risk assessment - Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.
risk assessment framework (RAF) - A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
risk avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
risk exposure - Risk exposure is the quantified potential loss from business activities currently underway or planned.
risk intelligence (RQ) - Risk intelligence (RQ) is a term used to describe predictions made around uncertainties and future threat probabilities.
risk map (risk heat map) - A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.
risk profile - A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
risk reporting - Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
Sarbanes-Oxley Act - The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies.
Sarbanes-Oxley Act (SOX) Section 404 - Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls and procedures to ensure their effectiveness.
Secure Electronic Transaction (SET) - Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
Securities and Exchange Commission (SEC) - The Securities and Exchange Commission (SEC) is the U.
security audit - A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources.
segregation of duties (SoD) - Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
sensitive information - Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
serious reportable event (SRE) - A serious reportable event (SRE) is an incident involving death or serious harm to a patient resulting from a lapse or error in a healthcare facility.
seven wastes - The seven wastes are categories of unproductive manufacturing practices identified by Taiichi Ohno, the father of the Toyota Production System (TPS).
SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) - SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) is a standardized, multilingual vocabulary of clinical terminology that is used by physicians and other health care providers for the electronic exchange of clinical health information.
SOC 1 (System and Organization Controls 1) - System and Organization Controls 1, or SOC 1 (pronounced "sock one"), aims to control objectives within a SOC 1 process area and documents internal controls relevant to an audit of a user entity's financial statements.
Soc 2 (Service Organization Control 2) - A Service Organization Control 2 (Soc 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy.
SOC 3 (System and Organization Controls 3) - A System and Organization Controls 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality and privacy.
social media policy - A social media policy is a corporate code of conduct that provides guidelines for employees who post content on the internet either as part of their job or as a private person.
spin (PR, marketing) - Spin, in the context of public relations (PR) and journalism, is the selective assembly of fact and the shaping of nuance to support a particular view of a story.
spoliation - Spoliation is the destruction, alteration, or mutilation of evidence that may pertain to legal action.
SSAE 16 - The Statement on Standards for Attestation Engagements No.
standard - A standard is a generally agreed-upon technology, method or format for a given application.
standard operating procedure (SOP) - A standard operating procedure (SOP) is a set of written instructions that describes the step-by-step process that must be taken to properly perform a routine activity.
statutory reporting - Statutory reporting is the mandatory submission of financial and non-financial information to a government agency.
supply chain security - Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation.
surveillance capitalism - Surveillance capitalism is an economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in 2014 that describes the modern, mass monetization of individuals' raw personal data in order to predict and modify their behavior.
sustainability risk management (SRM) - Sustainability risk management (SRM) is a business strategy that aligns profit goals with a company's environmental policies.
SWIFT FIN message - SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
takedown request - A takedown request, also called a DMCA takedown or a notice and take down request, is a procedure for asking an internet service provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
Telephone Consumer Protection Act (TCPA) - The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.
think tank - A think tank is an organization that gathers a group of interdisciplinary scholars to perform research around particular policies, issues or ideas.
tokenization - Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Top searches of 2008 - What were people searching the WhatIs.
total risk - Total risk is an assessment that identifies all of the risk factors, including potential internal and external threats and liabilities, associated with pursuing a specific plan or project or buying or selling an investment.
transparency - Transparency is the quality of being easily seen through, while transparency in a business or governance context refers to being open and honest.

ACC - HEA

TRI - WHA