Glossary
General Compliance
- Asset-Based Risk Assessment: What is an asset-based risk assessment? An asset-based risk assessment is an important part of risk management. It is a process of identifying and assessing the risks to your company’s assets. This includes both tangible and intangible assets, such as people, processes, information, systems, and physical infrastructure. The goal of an asset-based …
- Automated Vendor Risk Assessment: You’ve likely heard the term “vendor risk” before, but what does it actually mean? Put simply, vendor risk is the potential that a third party could negatively impact your organization, whether through compromised data, disrupted operations, or some other issue. Given the importance of protecting your business from any potential risks, it’s no surprise …
- Vendor Risk Management: When working with third-party vendors, it’s important to have a comprehensive vendor risk management (VRM) program in place to ensure that your data and systems are protected. But what is VRM, and what does it entail? In essence, VRM is the process of assessing and managing the risks associated with third-party vendors. This includes assessing …
- ISACA: Who is the Information Systems Audit and Control Association (ISACA)? ISACA (formerly the Information Systems Audit and Control Association) is a non-profit, international professional association focused on information technology, assurance, security, and governance. It provides frameworks, educational resources, and certifications on information systems audit, control, governance, and security to empower individuals and organizations to create …
- HR Compliance: What is HR compliance? HR legal compliance is the process of ensuring that a company adheres to all applicable laws and regulations related to human resources (HR) management. This includes security compliance requirements, employment laws, labor standards, workplace safety rules, anti-discrimination policies, recordkeeping requirements, and other relevant regulations. HR legal compliance also involves developing internal …
- User Access Review: What is a user access review? A user access review is a process where privileged users, such as system administrators, are periodically asked to review and confirm that each user has the correct access rights for their job. The purpose of this review is to help ensure that users have appropriate access privileges and that any changes …
- Vendor Risk Assessment: What is a vendor risk assessment? A vendor risk assessment is a process for evaluating the potential risks associated with engaging and working with third-party vendors. It seeks to identify any weaknesses or gaps in security, compliance, business continuity processes, and other areas that could potentially lead to harm or disruption of operations. The goal …
- InfoSec Compliance: What is InfoSec compliance? InfoSec compliance is the process of following industry-specific laws, regulations, and standards related to information security. It involves implementing policies and procedures to ensure that an organization’s data is secure from unauthorized access or modification. Compliance also includes regularly testing systems for vulnerabilities and responding quickly to any threats that are …
- GRC Tool: What is GRC? GRC stands for Governance, Risk Management, and Compliance. It is a framework used to ensure that an organization efficiently manages risk and complies with relevant regulations and laws. GRC compliance includes processes such as internal audits, policies and procedures, training programs, monitoring systems, and reporting systems. GRC (Governance, Risk and Compliance) is …
- Gap Analysis: What is a gap analysis? A gap analysis in compliance is an assessment of the difference between an organization’s current state of compliance and its desired level or standard. It is a process used to identify potential areas for improvement by comparing actual performance with expected performance. The goal of a gap analysis in compliance …
- Compliance Software: What is compliance management software? Compliance has become a hot topic in today’s world. When organizations hear the word “compliance” they tend to think of ways to shortcut this process. Compliance software is the answer to that shortcut and can be essential for organizations looking for more effective and efficient ways to comply with the …
- Security Compliance: Overview of security compliance. Security and compliance being used in the same sentence has become a common theme in recent years. The word ‘security’, specifically in the information technology arena, brings up several topics, especially the relevant risks that are associated with these topics, for example: The list goes on and on, but …
- Vendor Management Policy: Sometimes, a third-party contractor only needs access to certain company databases or permissions. Or, a third party’s services may only be required on certain days of the week. In order to sort out these technicalities, it is necessary for outsourcers to create a vendor management policy statement. What is a vendor management policy? A vendor …
- Third-Party Risk Example: A company’s offices could follow airtight security practices and have a comprehensive keycard system that keeps unwanted and potentially malicious visitors out. But none of that will matter if one of the hired painters leaves their keycard on the bus, and that card finds itself in the possession of a competitor or some other …
- Self-Assessment Questionnaire (SAQ): What is a self-assessment questionnaire? A self-assessment questionnaire (SAQ) is an important step towards auditing success when aiming for compliance of a varying degree based on results from an SAQ assessment. The goal of the questionnaires is to prepare your organization for what the audit will entail and to make sure you are set up …
- Compliance Program: As a leader in a developing company, you are well aware that creating a compliance program is something you will have to deal with at some time as you grow. Because industry standards frequently have overlapping criteria, an organization may establish a single policy or a set of rules that meets various needs. It’s vital …
- Audit Trail: An audit trail, sometimes referred to as an audit log, is a documented flow of transactions, security-relevant records, or data changes that are date and time stamped. It keeps a sequential record of the history and details around the change. Depending on the area of expertise, audit trails/logs come in different shapes and …
- Security Management Policy (IS Policy): It is a well-known fact that all organizations require written policies, procedures, and rules in order to achieve compliance. Think about a practical example of building a house. For any solid structure to be developed, you need a solid foundation. The policies are the foundation of an organization. Policies are the principles and …
- Cloud Security Compliance: “The Cloud” is terminology that is very commonly used nowadays. Cloud computing refers to the availability of resources required by computer systems, including and specifically related to data storage and computing power, without the user/organization having direct management. When we talk about cloud compliance, we are referring to the procedures, policies, and practices that monitor …
- Compliance Process Automation: For many companies, meeting security and compliance requirements at the same time can be a daunting task. For one thing, many companies do not have their own compliance capabilities. Rather, the security team does the compliance work. They are responsible for time-consuming audit requests, documenting and making changes to internal controls, etc. The preparation is …
- Vendor Review: Nowadays, there is a plethora of vendor tools, services, and products that exist for almost every business requirement and focus area of an organization, and it is often easier and more cost-effective to use a vendor’s established product or service rather than spending the time and money developing your own. However, using one of …
- Compliance Frameworks: A set of criteria developed by an organization to achieve some objective or outcome, with the intended purpose of providing some type of benefit to the organization. Compliance frameworks allow you to take parts of your organization’s procedures, policies, and other documentation and compile them all into one cohesive entity. There are always …
- Data Security Controls: Data security controls are any parameters used to prevent and safeguard data within your company. You can use them on an individual level (to protect personnel files) or at a larger scale (to protect sensitive corporate information). Such controls can be in the form of policies, rules, systems, or any other for the sake of …
- Data Classification Policy: A policy that specifies the required tagging of data stored by a company. This data is usually specific in nature, such as PCI data, health information, and personally identifiable information. If you have ever worked for a large enterprise, you know how daunting it can be to get up to speed on things. Things are …
- IT Security Policy: Information security policies, also known as IT security policies, allow an organization’s management team to implement administrative controls and ensure that standards are set for information security across the organization. The policy should also help an organization avoid a data breach, which is any incident that compromises the security of personal …
- Data Compliance: What is data compliance? Data compliance is a practice and a process. It refers to adherence to protocols and standards that are designed to safeguard personal data and information. Data compliance requirements and regulations define (1) how data is collected, used, processed, and stored, and (2) the processes to ensure the data is protected …
- Security Questionnaires: Security questionnaires are very common in business-to-business transactions. These often occur before a business decision is made regarding a product or service to be implemented by an organization. Why are security questionnaires so important? A well-designed questionnaire is based on industry best practices, which it uses to determine if your organization’s security policies …