Glossary
- Report on Compliance: You’ve likely heard of reports on compliance, but what are they, exactly? And more importantly, what do they mean for your business? A report on compliance, or RoC, is a document that summarizes a merchant’s compliance with the Payment Card Industry Data Security Standard (PCI DSS). The report is compiled by a Qualified Security Assessor …
- Qualified Security Assessor: A Qualified Security Assessor, or QSA, is a security company that has been certified by the PCI Security Standards Council (SSC) to perform PCI DSS assessments. A QSA’s primary responsibility is to assess the security of an organization’s payment card processing environment in accordance with the PCI DSS. What are the requirements for becoming a QSA …
- Asset-Based Risk Assessment: What is an asset-based risk assessment? An asset-based risk assessment is an important part of risk management. It is a process of identifying and assessing the risks to your company’s assets. This includes both tangible and intangible assets, such as people, processes, information, systems, and physical infrastructure. The goal of an asset-based …
- Approved Scanning Vendor (ASV): As an ASV, you’ll join an elite group of businesses that have been qualified by the PCI Security Standards Council (PCI SSC) to conduct point-of-sale (POS) scanning and vulnerability assessments. What is an Approved Scanning Vendor (ASV)? An Approved Scanning Vendor, or ASV, is someone who is approved by the PCI Security Standards Council to …
- ISO 27001 Internal Audit: An ISO 27001 internal audit is a critical part of the ISO 27001 readiness process. It is an in-depth review of your organization’s Information Security Management System (ISMS) before undergoing the ISO 27001 audit with an external auditor. An ISO 27001 internal audit can help you identify any areas where your ISMS could use improvement and …
- Automated Vendor Risk Assessment: You’ve likely heard the term “vendor risk” before, but what does it actually mean? Put simply, vendor risk is the potential that a third party could negatively impact your organization – whether through compromised data, disrupted operations, or some other issue. Given the importance of protecting your business from any potential risks, it’s no surprise …
- Vendor Risk Management: When working with third-party vendors, it’s important to have a comprehensive vendor risk management (VRM) program in place to ensure that your data and systems are protected. But what is VRM, and what does it entail? In essence, VRM is the process of assessing and managing the risks associated with third-party vendors. This includes assessing …
- ISO 27001 Risk Treatment Plan: When you’re working with ISO 27001, you’ll need to create a risk treatment plan. There are a few things to keep in mind when creating your risk treatment plan. The first is that you’ll need to consider all the risks associated with your organization. Next, you’ll need to select the appropriate risk treatment options. Finally, …
- HIPAA Covered Entities: When it comes to HIPAA compliance, there’s a lot of confusion around who is and isn’t a covered entity. That’s why we’re breaking it down for you. HIPAA covered entities are any organization or individual that creates, receives, maintains, or transmits protected health information in the course of carrying out its activities and functions. In …
- ISO 27017: What is ISO 27017? The ISO 27017 framework is an international standard that outlines best practices for cloud security. It provides organizations with guidelines on how to protect their information systems and data when using a cloud service provider. ISO 27017 focuses on the security of personal data, and covers topics such as access control, …
- System Description (Section III): What is a system description? Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are …
- ISO 27018: What is ISO/IEC 27018? ISO/IEC 27018 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard outlines best practices for protecting personally identifiable information (PII) in cloud computing environments. It was developed to ensure that cloud service providers maintain adequate security measures when handling PII belonging …
- ISMS: What is an ISMS? An Information Security Management System (ISMS) is a set of policies, processes, and procedures that help organizations to protect their information assets. It helps to identify, analyze and manage the security risks associated with the use, processing, storage and transmission of an organization’s sensitive data. An ISMS agreement is between two …
- ISACA: What is the Information Systems Audit and Control Association (ISACA)? ISACA (formerly the Information Systems Audit and Control Association) is a non-profit, international professional association focused on information technology, assurance, security, and governance. It provides frameworks, educational resources and certifications on information systems audit, control, governance, and security to empower individuals and organizations to create …
- HR Compliance: What is HR compliance? HR legal compliance is the process of ensuring that a company adheres to all applicable laws and regulations related to human resources (HR) management. This includes security compliance requirements, employment laws, labor standards, workplace safety rules, anti-discrimination policies, recordkeeping requirements, and other relevant regulations. HR legal compliance also involves developing internal …
- User Access Review: What is user access review? User access review is a process where privileged users, such as system administrators, are periodically asked to review and confirm that each user has the correct access rights for their job. The purpose of this review is to help ensure that users have appropriate access privileges and that any changes …
- Vendor Risk Assessment: What is a vendor risk assessment? A vendor risk assessment is a process for evaluating the potential risks associated with engaging and working with third-party vendors. It seeks to identify any weaknesses or gaps in security, compliance, business continuity processes, and other areas that could potentially lead to harm or disruption of operations. The goal …
- InfoSec Compliance: What is InfoSec compliance? InfoSec compliance is the process of following industry-specific laws, regulations, and standards related to information security. It involves implementing policies and procedures to ensure that an organization’s data is secure from unauthorized access or modification. Compliance also includes regularly testing systems for vulnerabilities and responding quickly to any threats that are …
- SOC 2 Bridge Letters: Are you curious about SOC 2 bridge letters? If so, you’re in the right place. We’ll dive deep and provide you with an overview of what a SOC 2 bridge letter is, who issues them, and how long they last. A bridge letter is an important document in the world of system and organization controls …
- SOC Trust Services Criteria: What are SOC Trust Services Criteria? The SOC (Service Organization Control) Trust Services Criteria are a set of standards established by the AICPA (American Institute of Certified Public Accountants) for service organizations. These criteria are designed to provide assurance that a service organization has implemented proper internal controls over its operations. The Trust Services Criteria …
- GRC Tool: What is GRC? GRC stands for Governance, Risk Management, and Compliance. It is a framework used to ensure that an organization efficiently manages risk and complies with relevant regulations and laws. GRC compliance includes processes such as internal audits, policies and procedures, training programs, monitoring systems, and reporting systems. GRC (Governance, Risk and Compliance) is …
- Statement of Applicability (SoA): What is a statement of applicability? A Statement of Applicability is a document used in information security management that outlines the applicable control objectives and controls for an organization. It is typically created as part of an Information Security Management System (ISMS) to identify which specific standards, laws, regulations, and best practices should be implemented …
- Gap Analysis: What is a gap analysis? A gap analysis in compliance is an assessment of the difference between an organization’s current state of compliance and its desired level or standard. It is a process used to identify potential areas for improvement by comparing actual performance with expected performance. The goal of a gap analysis in compliance …
- HIPAA Violation: What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that provides privacy standards to protect medical information about individuals, as well as security measures to safeguard the integrity of electronic protected health information (ePHI). HIPAA requires healthcare providers, insurers, and other entities that handle …
- Carved-Out vs Inclusive Method: What is the carved-out vs inclusive method? Simply put, these are two different methods for SOC reporting of your subservice organizations specifically. Subservice organizations include managed service organizations, data center providers, cloud providers, etc. Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use …
- Attestation Report: SOC 2 attestation, explained. Breaking it down into definitions, an ‘attestation’ is defined as “a declaration that something exists”, and “evidence or proof of something”. A synonym for attestation is the word ‘vouch’. That is the best way to simplify this. What is a SOC 2 attestation report in the compliance and audit world? Well, …
- SOC 3: By now, you should be very familiar with a SOC 2 report. In terms of classification of the report itself, a SOC 2 report is a private report. The nature of the report means that it contains sensitive information about the organization and their control environment, including systems used, specific control information, management assertion information, …
- Testing Procedure: What SOC 2 compliance testing procedures does an auditor follow? This question can only be answered at a high level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined address the same requirements (i.e. a specific control is tested in a similar …
- Subservice Organization: Overview of subservice organizations. As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment …
- SOC 1: Overview of SOC 1 compliance. Outsourcing is a growing trend, and companies increasingly depend on third-party providers to deliver critical services. Ten years ago, companies may have used only one or two major third-party service providers; now they often depend on many providers to deliver any number of services. Third-party providers are becoming an increasingly growing …
- SOC 2 Compliance Requirements: SOC 2 standard. SOC stands for Service Organization Controls (SOC). The controls that you design and implement inside your control environment will vary based upon the people, technology, and products your company develops. SOC 2 is based on five principles, which are: SOC 2 requirements When reviewing the nine SOC 2 trust service criteria (TSC) …
- HIPAA Compliance: The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a set of rules that specify how protected health information (PHI) may be used and disclosed legally. The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) both enforce HIPAA compliance laws. The OCR’s responsibility in preserving …
- HIPAA Regulations: What are HIPAA rules and regulations? The HIPAA laws and regulations include instructions on how to secure protected health information (PHI), use it appropriately, and respond in the event of a PHI breach. The HIPAA Privacy Rules, Security Rules, and Breach Notification Rules make up the three main parts of the HIPAA Rules and Regulations. …
- ISO 27701: Overview of the ISO 27701 standard. With recent attention being paid to data privacy concerns, you may be considering ISO 27701 certification. If so, you’ve come to the right place! We’ll explain what ISO 27701 is, how it relates to ISO 27001, and how to get started on the ISO 27701 certification journey. ISO 27701 …
- Compliance Software: What is compliance management software? Compliance has become a hot topic in today’s world. When organizations hear the word “compliance” they tend to think of ways to shortcut this process. Compliance software is the answer to that shortcut and can be essential for organizations looking for more effective and efficient ways to comply with the …
- AICPA: What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US organization of professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …
- Security Compliance: Overview of security compliance. The concept of security and compliance used in the same sentence has become a common theme in recent years. The word ‘security’, specifically in the information technology arena, brings up several topics, especially the relevant risks that are associated with these topics, for example: The list goes on and on, but …
- SOC Reports: What is a SOC report? SOC stands for Service Organization Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one of the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls …
- Audit Period: Think of the audit period as the time duration over which the policies/procedures/IT control environment/etc. are evaluated. An audit period is relevant in the world of compliance and auditing. Before a potential business partner or customer enters into contract agreements, pays money, and hands over important information, they want to be assured that the company …
- SOC 2 Evidence Collection: When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will usually mean having to recapture, extract, and submit the evidence again – showing the necessary key …
- Auditor's Opinion: SOC 2 is based on the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality, and/or privacy of a service organization’s controls. What is a SOC 2 audit opinion? An audit opinion is the audit result or the audit outcome of a SOC …
- Vendor Management Policy: Sometimes, a third-party contractor only needs access to certain company databases or permissions. Or, a third party’s services may only be required on certain days of the week. In order to sort out these technicalities, it is necessary for outsourcers to create a vendor management policy statement. What is a vendor management policy? A vendor …
- Third-Party Risk Example: A company’s offices could follow airtight security practices and have a comprehensive keycard system that keeps unwanted and potentially malicious visitors out. But none of that will matter if one of the hired painters leaves their keycard on the bus, and that card finds itself in the possession of a competitor or some other …
- Self-Assessment Questionnaire (SAQ): What is a self-assessment questionnaire? A self-assessment questionnaire (SAQ) is an important step towards auditing success when aiming for compliance of a varying degree based on results from an SAQ assessment. The goal of the questionnaires is to prepare your organization for what the audit will entail and to make sure you are set up …
- SOC 2 Readiness Assessment: What is a SOC 2 readiness assessment? A SOC 2 readiness assessment is exactly what the name implies: an assessment that is performed to see if a company, or more specifically the control environment of the company’s product, is ready for a SOC 2 audit. The objective of the report is to summarize the current …
- Information Produced by the Entity (IPE): IPE audit evidence. IPE, or Information Produced/Provided by the Entity, is a term used in compliance and auditing that refers to the actual information used by the auditor in order to assess, test, and draw conclusions about controls, and ultimately, the audit opinion. There is no clear-cut, Oxford Dictionary definition of what constitutes IPE, or IPE audit …
- Complementary User Entity Control (CUEC): Complementary user entity controls (CUEC) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially what it means is that there is a shared responsibility between two parties to ensure the control criteria are being achieved. Think of CUECs …
- Compliance Program: As a leader in a developing company, you are well aware that creating a compliance program is something you will have to deal with at some time as you grow. Because industry standards frequently have overlapping criteria, an organization may establish a single policy or a set of rules that meets various needs. It’s vital …
- Audit Trail: An audit trail, sometimes referred to as an audit log, is a documented flow of transactions, security-relevant records, or data changes that are date and time stamped. It keeps a sequential record of the history and details around the change. Depending on the area of expertise, audit trails/logs come in different shapes and …
- Security Management Policy (IS Policy): It is a well-known fact that all organizations require written policies, procedures, and rules in order to achieve compliance. Think about a practical example of building a house. For any solid structure to be developed, you need a solid foundation. The policies are the foundation of an organization. Policies are the principles and …
- Cloud Security Compliance: “The Cloud” is terminology that is very commonly used nowadays. Cloud computing refers to the availability of resources required by computer systems, including and specifically related to data storage and computing power, without the user/organization having direct management. When we talk about cloud compliance, we are referring to the procedures, policies, and practices that monitor …
- Compliance Process Automation: For many companies, meeting security and compliance requirements at the same time can be a daunting task. For one thing, many companies do not have their own compliance capabilities. Rather, the security team does the compliance work. They are responsible for time-consuming audit requests, documenting and making changes to internal controls, etc. The preparation is …
- Vendor Review: Nowadays, there is a plethora of vendor tools, services, and products that exist for almost every business requirement and focus area of an organization, and it is often easier and more cost-effective to use a vendor’s established product or service rather than spending the time and money developing your own. However, using one of …
- SOC 2 Auditor: What does a SOC 2 auditor do? An auditor who has been accredited by the AICPA can attest and report on whether controls were suitably designed and effectively implemented during the audit period for an organization. Not all accountants are CPAs, so when hiring an auditor it is important to be sure they are commissioned …
- ISO 27001 Security Standard: A standard that was developed in 2013 by the International Organization for Standardization and the IEC (International Electrotechnical Commission). What is the purpose of the ISO 27001 framework? ISO/IEC 27001 is an international standard on how to manage information security. This standard formally specifies an Information Security Management System (ISMS) to be established, maintained, and continuously …
- Compliance Frameworks: A set of criteria that is developed by an organization to achieve some objective or outcome, with the intended purpose of bringing some type of benefit to the organization. Compliance frameworks allow you to take parts of your organization’s procedures, policies, and other documentation and compile them all into one cohesive entity. There are always …
- Data Security Controls: Data security controls are any parameters used to prevent and safeguard data within your company. You can use them on an individual level (to protect personnel files) or at a larger scale (to protect sensitive corporate information). Such controls can be in the form of policies, rules, systems, or any other for the sake of …
- Data Classification Policy: A policy that specifies the required tagging of data stored by a company. This data is usually specific in nature, such as PCI data, Health Information, and Personally Identifiable Information. If you have ever worked for a large enterprise, you know how daunting it can be to get up to speed on things. Things are …
- SOC 2 Type II Report: A SOC 2 Type II report assesses the design and operating effectiveness of an organization’s controls over a period of time. A SOC 2 Type II report is a report on an organization’s internal controls, capturing how a company safeguards customer data and how well those controls are operating. SOC 2 Type II Trust Principles …
- IT Security Policy: Information security policies, also known as IT security policies, allow an organization’s management team to implement administrative controls and ensure that standards are set for information security across the organization. The policy should also be able to help an organization avoid a data breach, which is any incident that compromises the security of personal …
- ISO 27001 Compliance: The ISO 27001 standard has continued to be a popular option despite the ever-expanding list of industry-specific solutions due to its applicability across both business sectors and continents. The ISO 27000 series. The deployment and maintenance of an information security management system are the primary focus of the ISO 27001 standard, which is officially known …
- Data Compliance: What is data compliance? Data compliance is a practice and a process. It refers to the adherence to protocols and standards that are designed to safeguard personal data and information. Data compliance requirements and regulations define (1) how data is collected, used, processed, and stored, and (2) the processes to ensure the data is protected …
- Security Questionnaires: Security questionnaires are very common among business-to-business transactions. These often occur before a business decision is made regarding a product or service to be implemented by an organization. Why are security questionnaires so important? A well-designed questionnaire is based on industry best practices, which it uses to determine if your organization’s security policies …