Compliance Management Definitions

This glossary explains the meaning of key words and phrases that information technology (IT) and business professionals use when discussing compliance strategy and related software products. You can find additional definitions by visiting WhatIs.com.

  A

  • access list (AL)

    An access list (AL) is a list of permissions used in physical and information technology (IT) security to control who is allowed contact with a corporate asset. The asset can be a building, a room or a computer file.

  • agreed-upon procedures (AUP)

    Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business processes and then report on the results.

  • AICPA (American Institute of Certified Public Accountants)

    The AICPA (American Institute of Certified Public Accountants) is a member association for the accounting profession that sets ethical standards for accountants, as well as U.S. auditor standards for private companies, nonprofit organizations and the government.

  • Altman Z-score

    The Altman Z-score is a statistic that is useful for evaluating the financial health of a publicly traded manufacturing company.

  • audit log (AL)

    An audit log is a document that records an event in an information technology (IT) system.

  • audit program (audit plan)

    An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.

  • autoclassification

    Autoclassification is an intelligent technology found in some content management systems (CMS) wherein documents are scanned and automatically assigned categories and keywords based on the content within the documents.

  B

  • Basel Committee on Banking Supervision (BCBS)

    The Basel Committee on Banking Supervision (BCBS) is a group of international banking authorities who work to strengthen the regulation, supervision and practices of banks and improve financial stability worldwide.

  C

  • California Consumer Privacy Act (CCPA)

    The California Consumer Privacy Act (CCPA) is legislation in the state of California that supports an individual's right to control their own personally identifiable information (PII).

  • Can Spam Act of 2003

    The Can Spam Act of 2003 is a commonly used name for the United States federal law more formally known as S. 877 or the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003." The law took effect on January 1, 2004. The Can Spam Act allows courts to set damages of up to $2 million when spammers break the law.

  • Center for Internet Security (CIS)

    The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.

  • Certified Information Systems Risk and Compliance Professional (CISRCP)

    A Certified Information Systems Risk and Compliance Professional (CISRCP) is a person in the information technology (IT) field who has passed an examination on risk and compliance topics developed by the International Association of Risk and Compliance Professionals (IARCP).

  • chief risk officer (CRO)

    The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.

  • CISP-PCI (Cardholder Information Security Program - Payment Card Industry Data Security Standard)

    CISP (Cardholder Information Security Program) and PCI (Payment Card Industry Data Security Standard) are specifications developed and used by credit card companies for the purpose of ensuring and enhancing the privacy and security of financial data...

  • cloud computing security

    Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use.

  • COBIT 5

    COBIT 5 is the fifth iteration of a popular framework that's used for managing and governing information technology (IT).

  • Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS)

    Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS) is a program for evaluating IT products' conformance to international IT security standards.

  • compliance as a service (CaaS)

    Compliance as a Service (CaaS) is a cloud service level agreement (SLA) that specifies how a managed service provider (MSP) will help an organization meet its regulatory compliance mandates.

  • compliance audit

    A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.

  • compliance burden

    Compliance burden, also called regulatory burden, is the administrative cost of a regulation in terms of dollars, time and complexity.

  • compliance framework

    A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.

  • compliance risk

    Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.

  • compliance validation

    In compliance, validation is a formal procedure to determine how well an official or prescribed plan or course of action is being carried out.

  • Computer Fraud and Abuse Act (CFAA)

    The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.

  • COMSEC (communications security)

    Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any information that is transmitted or transferred.

  • conduct risk

    Conduct risk is the prospect of financial loss to an organization that is caused by the actions of an organization's administrators and employees.

  • control framework

    A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.

  • COPPA (Children's Online Privacy Protection Act)

    The Children's Online Privacy Protection Act (COPPA) is a law passed by the U.S. Congress in 1998 to specifically protect the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of Web site users. The Act officially took effect in April 2000. COPPA specifies a number of steps that Web site operators must take.

  • corporate governance

    Corporate governance is the combination of rules, processes or laws by which businesses are operated, regulated or controlled.

  • corporate social responsibility (CSR)

    Corporate social responsibility is an umbrella term used to describe voluntary corporate initiatives concerned with community development, the environment and human rights.

  • Credit CARD Act (Credit Card Accountability, Responsibility, and Disclosure Act of 2009)

    The Credit CARD Act is legislation governing the behavior of credit card companies in the United States. The self-stated purpose of the Act is "To amend the Truth in Lending Act to establish fair and transparent practices relating to the extension of credit under an open end consumer credit plan, and for other purposes." The Act is more formally known as the Credit Card Accountability, Responsibility, and Disclosure Act of 2009.

  • cyborg anthropologist

    A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can shape humans' lives. Cyborg anthropology as a discipline originated at the 1993 annual meeting of the American Anthropological Association.

  D

  • data governance policy

    A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly.

  • data protection impact assessment (DPIA)

    A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, procedures or technologies affect individuals’ privacy and eliminate any risks that might violate compliance.

  • Dodd-Frank Act

    The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government.

  • Dossia

    Dossia is a Web-based framework for storing and managing personal health records (PHR). With Dossia, a qualified individual can aggregate his medical data from insurance claims and pharmacy records and store them in a private, encrypted electronic health record that can be securely accessed over the Internet.

  E

  • EDRM (electronic discovery reference model)

    The Electronic Discovery Reference Model (EDRM) is a framework that outlines standards for the recovery and discovery of digital data.

  • Electronic Communications Privacy Act (ECPA)

    The Electronic Communications Privacy Act (ECPA) is a United States federal statute that prohibits a third party from intercepting or disclosing communications without authorization.

  • electronically stored information (ESI)

    Electronically stored information (ESI) is data created, altered, communicated and stored in digital form.

  • enterprise document management (EDM)

    Enterprise document management is a strategy for overseeing an organization's paper and electronic documents so they can be easily retrieved in the event of a compliance audit or subpoena.

  • enterprise security governance

    Enterprise security governance is a company's strategy to reduce risk by protecting systems and information, as well as its execution of that strategy.

  • event log management software (ELMS)

    Event log management software (ELMS) is an application used to monitor change management and prepare for compliance audits at enterprises.

  • event log manager (ELM)

    An event log manager (ELM) is an application that tracks changes in an organization's IT infrastructure.

  F

  • Fair Credit Reporting Act (FCRA)

    The Fair Credit Reporting Act (FCRA) is United States federal legislation that promotes accuracy, fairness and privacy for data used by consumer reporting agencies.

  • FASAB (Federal Accounting Standards Advisory Board)

    The Federal Accounting Standards Advisory Board (FASAB) is an advisory committee that develops accounting standards for U.S. government agencies.

  • FFIEC compliance (Federal Financial Institutions Examination Council)

    FFIEC compliance is conformance to a set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC)...

  • Financial Industry Regulatory Authority (FINRA)

    The Financial Industry Regulatory Authority (FINRA) is an independent regulator of securities firms doing business in the United States. Securities are financial instruments, such as stocks or bonds, that can be traded freely on the open market.

  • FCPA (Foreign Corrupt Practices Act)

    The Foreign Corrupt Practices Act (FCPA) is a federal U.S. law aimed at preventing the bribery of foreign government officials in an effort to obtain or retain business.

  • FTC (Federal Trade Commission)

    The FTC (Federal Trade Commission) is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.

  G

  • Generally Accepted Recordkeeping Principles (the Principles)

    Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.

  • geolocation data

    Geolocation data is information associated with an electronic device that can be used to identify its physical location. The most common example of geolocation data is an IP address.

  • Governance, Risk and Compliance (GRC)

    Governance, risk and compliance (GRC) is a combined area of focus developed to cover an organization's strategy to handle any interdependencies between the three components.

  • Government Accountability Office (GAO)

    The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress to investigate how the federal government spends taxpayer dollars.

  H

  • HIPAA covered entity

    A HIPAA covered entity is any organization or corporation that directly handles Personal Health Information (PHI) or Personal Health Records (PHR).

  I

  • information assurance

    Information assurance (IA) is the practice of protecting against and managing risk related to the use, storage and transmission of data and information systems.

  • information governance

    Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.

  • inherent risk

    Inherent risk is a category of threat that describes potential losses or pitfalls that exist before internal security controls or mitigating factors are implemented.

  • internal audit (IA)

    An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine how well it conforms to a set of specific criteria.

  • internal control

    An internal control is a business practice, policy or procedure that is established within an organization to create value or minimize risk.

  • International Accounting Standards Board

    The International Accounting Standards Board is the independent standard-setting body of the IFRS Foundation.

  • ISACA

    ISACA is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted information system (IS) knowledge and practices.

  • ISO 27002 (International Organization for Standardization 27002)

    The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.

  • IT audit (information technology audit)

    An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.

  • IT controls

    An IT control is a procedure or policy that provides a reasonable assurance that the information technology (IT) used by an organization operates as intended, that data is reliable and that the organization is in compliance with applicable laws and regulations.

  • IT Governance Institute (ITGI)

    The IT Governance Institute (ITGI) is an arm of ISACA that provides research, publications and resources on IT governance and related topics.

  M

  • mobile governance

    Mobile governance refers to the processes and policies used to manage mobile device access to an organization's network or its data.

  N

  • NERC CIP (critical infrastructure protection)

    The NERC CIP (critical infrastructure protection) plan is a set of requirements designed to secure assets vital to reliably operating North America's bulk electric system.

  O

  • Occupational Safety and Health Administration (OSHA)

    Occupational Safety and Health Administration (OSHA) is a federal organization (part of the Department of Labor) that ensures safe and healthy working conditions for Americans by enforcing standards and providing workplace safety training.

  • Office of Management and Budget (OMB)

    The Office of Management and Budget (OMB) is the business division of the Executive Office of the President of the United States that administers the United States federal budget and oversees the performance of federal agencies.

  • online risk

    Online risk is the vulnerability of an organization's internal resources that arises from the organization using the Internet to conduct business.

  • operational risk

    Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems or policies.

  • OPSEC (operational security)

    OPSEC (operational security) is an analytical process that identifies assets such as sensitive corporate information or trade secrets, and determines the controls required to protect these assets.

  P

  • PCAOB (Public Company Accounting Oversight Board)

    The Public Company Accounting Oversight Board (PCAOB) is a congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.

  • PCI DSS (Payment Card Industry Data Security Standard)

    The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

  • PCI DSS compliance (Payment Card Industry Data Security Standard compliance)

    Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.

  • predictive coding

    Predictive coding software can be used to automate portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.

  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.

  • privacy impact assessment (PIA)

    A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared and maintained by an organization.

  • privacy plan

    A privacy plan is an organizational directive that outlines how the organization will protect the personal information of its customers and clients. A privacy plan tends to be an internal document, as opposed to a privacy policy, which is an outward-facing description of how an organization collects, processes and uses data.

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if it occurs: loss.

  R

  • records management

    Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.

  • records retention schedule

    A records retention schedule is a policy that depicts how long data items must be kept, as well as the disposal guidelines for these data items.

  • Red Flags Rule (RFR)

    The Red Flags Rule (RFR) is a set of United States federal regulations that require certain businesses and organizations to develop and implement documented plans to protect consumers from identity theft.

  • RegTech

    RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.

  • Regulation Fair Disclosure (Regulation FD or Reg FD)

    Regulation Fair Disclosure is a rule passed by the U.S. Securities and Exchange Commission that aims to prevent selective disclosure of information by requiring publicly traded companies to make public disclosure of material, nonpublic information.

  • Regulation SCI (Regulation Systems Compliance and Integrity)

    Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.S. securities markets.

  • regulatory compliance

    Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.

  • residual risk

    Residual risk is a threat that remains after an organization has implemented security controls to comply with legal requirements.

  • risk appetite

    Risk appetite is a concept that helps guide organizational risk management activities by allowing officials to establish a baseline level of risk an organization is prepared to accept before taking an action, as well as evaluate the likelihood and impact of certain threats.

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • risk avoidance

    Risk avoidance is the risk assessment technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.

  • risk exposure

    Risk exposure is a quantified loss potential of business actions, and is usually calculated based on the probability of the incident occurring multiplied by its potential losses.

  • risk intelligence (RQ)

    Risk intelligence (RQ) is a term used to describe predictions made around uncertainties and future threat probabilities.

  • risk management

    Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.

  • risk map (risk heat map)

    A risk map, also known as a risk heat map, is a data visualization tool for communicating specific risks an organization faces. A risk map helps companies identify and prioritize the risks associated with their business.

  • risk profile

    A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.

  S

  • Secure File Transfer Protocol (SSH File Transfer Protocol)

    SFTP refers to either Secure File Transfer Protocol or SSH File Transfer Protocol; it is a network protocol for accessing and managing files on remote systems.

  • Securities and Exchange Act of 1934 (Exchange Act)

    The Securities and Exchange Act of 1934 (Exchange Act) is a law that governs secondary trading and stock exchanges.

  • Senate Judiciary Committee (SJC)

    The U.S. Senate Judiciary Committee is in charge of conducting hearings prior to Senate votes on confirmation of federal judges and has broad jurisdiction over federal criminal law.

  • Shared Assessments Program

    Shared Assessments is a third party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in the report is accurate.
