Get started
Bring yourself up to speed with our introductory content.
compliance risk
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
information governance
Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
enterprise document management (EDM)
Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be easily retrieved in the event of a compliance audit or subpoena.
Top cloud compliance standards and how to use them
Get guidance on how to select relevant cloud compliance standards, along with tips on evaluating third-party providers' cloud compliance and governance efforts.
How to conduct an IoT audit for compliance
To effectively prepare for and conduct an IoT audit, organizations need to understand which IT controls are in scope. Get actionable guidance on the audit process in this tip.
Data protection impact assessment tips and templates
Conducting a data protection impact assessment is key to evaluating potential risk factors that could pose a serious threat to individuals and their personal information.
The 5 CMMC levels and how to achieve compliance
While the CMMC certification process is still in development, IT leaders should get familiar with the five CMMC levels and learn how to comply with the security maturity model.
risk assessment
Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.
What is the Dodd-Frank voice recording rule for the swaps market?
A Dodd-Frank rule requires swaps dealers to record voice communications, which regulators designed to deter illicit financial activity and improve financial compliance.
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal ...
risk management
Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.
compliance framework
A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.
regulatory compliance
Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
privacy compliance
Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
data governance policy
A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly.
Approach customer engagement by first asking good questions
Organizations need to align their customer strategy with their technology and know how to gather and use the right customer data when integrating all the components.
Fashion a first-rate customer experience management program
Learn how to choose and implement the strategy, policies and digital tools that deliver customer satisfaction while keeping essential data and systems secure.
compliance as a service (CaaS)
Compliance as a Service (CaaS) is a cloud service level agreement (SLA) that specifies how a managed service provider (MSP) will help an organization meet its regulatory compliance mandates.
Dodd-Frank Act
The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government.
Can holistic cybersecurity deliver the needed protection?
A holistic approach to cybersecurity can provide continuous monitoring -- or create holes a hacker can breach. What makes the difference? It comes down to implementation.
What holistic network security tools offer an organization
Tools that provide a holistic approach to monitoring the IT infrastructure come in a variety of configurations and delivery models. Learn what's available.
Governance, Risk and Compliance (GRC)
Governance, risk and compliance (GRC) is a combined area of focus developed to cover an organization's strategy to handle any interdependencies between the three components.
EU GDPR terms to know
Compliance regulations can be complicated to follow, particularly in the new age of data privacy. Here's a breakdown of the must-know terms for companies that are subject to GDPR.
corporate governance
Corporate governance is the combination of rules, processes or laws by which businesses are operated, regulated or controlled.
AI cybersecurity benefits are real, but not automatic
Smart tech promises security and other benefits, but they don't come automatically. Learn how these tools work and where they can work best in your organization.
AI security tech is making waves in incident response
Experts weigh in on the latest smart cybersecurity tools -- how they work, the implications for your IT security team and whether the investment is worth the expense.
CCPA compliance begins with data inventory assessment
In this SearchCIO Q&A, multiple experts sound off on major questions businesses have about CCPA compliance ahead of its January 2020 enforcement date.
compliance audit
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
Whistleblower Protection Act
The Whistleblower Protection Act of 1989 is a law that protects federal government employees in the United States from retaliatory action for voluntarily disclosing information about dishonest or illegal activities occurring in a government ...
Identify gaps in cybersecurity processes to reduce organizational risk
Organizational risk is a given at modern companies. But as threats persist, identifying preventable cybersecurity gaps presents an opportunity to strengthen enterprise defenses.
smart contract
A smart contract, also known as a cryptocontract, is a computer program that directly controls the transfer of digital currencies or assets between parties under certain conditions.
Key elements of an effective incident response playbook
In this book excerpt, cybersecurity expert and author Bryce Austin highlights the importance of creating an effective incident response plan and delineates its key elements.
risk map (risk heat map)
A risk map, also known as a risk heat map, is a data visualization tool for communicating specific risks an organization faces. A risk map helps companies identify and prioritize the risks associated with their business.
FAQ: How is the Privacy Shield Framework being enforced?
The FTC has issued its first enforcement actions for companies found in violation of the EU-U.S. Privacy Shield Framework, but are the rules doing enough to protect consumer data?
internal audit (IA)
An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine how well it conforms to a set of specific criteria.
FAQ: How does EU GDPR compliance change data protection processes?
In this FAQ, learn how compliance with the EU's General Data Protection Regulation requires companies to rethink their data protection policies and processes.
pure risk (absolute risk)
Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if it occurs: loss.
Cybersecurity governance falls short amid rising security budgets
Companies still struggle to adapt risk management strategies to face modern threats, but maturing their cybersecurity governance processes is a step in the right direction.
audit program (audit plan)
An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.
PCI DSS compliance (Payment Card Industry Data Security Standard compliance)
Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.
Ransomware detection: Can employees help?
As ransomware attacks continue to escalate, should organizations make employees an integral part of their ransomware detection and prevention strategy?
PCAOB (Public Company Accounting Oversight Board)
The Public Company Accounting Oversight Board (PCAOB) is a Congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
Shared Assessments Program
Shared Assessments is a third-party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in...
cyborg anthropologist
A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can shape humans' lives. Cyborg anthropology as a discipline originated at the 1993 annual meeting of the American ...
RegTech
RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.
Information security regulations may target IoT, drones
Calls are growing louder for information security regulations to target consumer-centric technology such as the IoT and drones, but legislating their use could prove difficult.
conduct risk
Conduct risk is the prospect of financial loss to an organization that is caused by the actions of an organization's administrators and employees.
FTC (Federal Trade Commission)
The FTC (Federal Trade Commission) is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.
chief risk officer (CRO)
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.
Big data security, privacy becomes a concern for marketing analytics
The proliferation of IoT devices has resulted in an upsurge in data-driven marketing, which in turn can fuel data security, privacy and ethics concerns, experts say.
OPSEC (operational security)
OPSEC (operational security) is an analytical process that identifies assets such as sensitive corporate information or trade secrets, and determines the controls required to protect these assets.
2016 GRC conference calendar for IT leaders
Attending a GRC conference can keep you up to speed on compliance regulations, risk management strategies and governance trends. Check out our list of upcoming GRC conferences.
Securities and Exchange Act of 1934 (Exchange Act)
The Securities and Exchange Act of 1934 (Exchange Act) is a law that governs secondary trading and stock exchanges.
Data protection requirements start with firm grasp of GRC needs
Corporate data protection requirements are complex, but determining a company's unique GRC needs is an essential first step to information security.
Regulation Fair Disclosure (Regulation FD or Reg FD)
Regulation Fair Disclosure is a rule passed by the U.S. Securities and Exchange Commission that aims to prevent selective disclosure of information by requiring publicly traded companies to make public disclosure of material, nonpublic information.
predictive coding
Predictive coding software can be used to automate portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.
For reliable digital evidence, information governance strategy required
Computers are increasingly called as witnesses in court cases, forcing companies to ensure information governance processes are able to produce reliable digital evidence.
Five steps to establishing a big data governance policy
Modern companies generate and store an unprecedented amount of big data, but an information governance policy can help businesses stay compliant and reap the benefits of their digital assets.
SEC's Regulation SCI: A visual timeline
The SEC adopted Regulation SCI to bolster the technological infrastructure of the U.S. securities market. Take a look at the milestones in the history of Reg SCI, including when it was first proposed, the tech failures that inspired it and more.
Data governance due diligence key to GRC automation success
Information governance expert Jeffrey Ritter discusses how companies can successfully align GRC automation with existing data governance processes.
Mobility gets boost from automated compliance management systems
In this tip, learn how automated compliance management can overcome enterprise mobility complications and save valuable company resources.
Regulation SCI (Regulation Systems Compliance and Integrity)
Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.S. securities markets.
Data currency: Five steps to get max value from digital assets
In this tip, learn digital information management strategies to take advantage of the growing data as currency movement.
COBIT 5
COBIT 5 is the fifth iteration of a popular framework that's used for managing and governing information technology (IT).
What changes are businesses experiencing under PCI DSS version 3.0?
New compliance requirements under PCI DSS version 3.0 strive to make cardholder data security part of companies' everyday business processes.
agreed-upon procedures (AUP)
Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business processes and then report on the results.
mobile governance
Mobile governance refers to the processes and policies used to manage mobile device access to an organization's network or its data.
Why your mobile device management policy must include wearables
Wearable technology has started to creep into the business world, but companies must overcome the data governance complications to reap any benefits.
COMSEC (communications security)
Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any information that is transmitted or transferred.
Altman Z-score
The Altman Z-score is a statistic that is useful for evaluating the financial health of a publicly traded manufacturing company.
autoclassification
Autoclassification is an intelligent technology found in some content management systems (CMS) wherein documents are scanned and automatically assigned categories and keywords based on the content within the documents.
Certified Information Systems Risk and Compliance Professional (CISRCP)
A Certified Information Systems Risk and Compliance Professional (CISRCP) is a person in the information technology (IT) field who has passed an examination on risk and compliance topics developed by the International Association of Risk and ...
records retention schedule
A records retention schedule is a policy that depicts how long data items must be kept, as well as the disposal guidelines for these data items.
total risk
Total risk is an assessment that identifies all of the risk factors, including potential internal and external threats and liabilities, associated with pursuing a specific plan or project or buying or selling an investment.
information assurance
Information assurance (IA) is the practice of protecting against and managing risk related to the use, storage and transmission of data and information systems.
International Accounting Standards Board
The International Accounting Standards Board is the independent standard-setting body of the IFRS Foundation.
records management
Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.
unknowable risk
An unknowable risk is a potential threat to an organization's processes that is not known and cannot be quantified or controlled.
Three steps to keep IT policies and procedures regulatory compliant
Corporate compliance and risk management expert Jeffrey Jenkins shares how he ensures IT policies and procedures remain in sync with current compliance regulations.
IT Governance Institute (ITGI)
The IT Governance Institute (ITGI) is an arm of ISACA that provides research, publications and resources on IT governance and related topics.
FCC proposals continue to spark net neutrality debate
Recent FCC proposals have led to contentious net neutrality debates, as stakeholders remain concerned about how they will change broadband services.
Can automated segregation of duties benefit regulatory compliance?
In this feature, Michael Rasmussen explains why automated SoD reduces compliance costs as well as the potential for fraud and lawsuits.
Six steps to build an effective enterprise risk management program
Follow these six steps to develop an enterprise risk management program that maps risks and establishes countermeasures.
IT audit (information technology audit)
An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.
VAL IT (value from IT investments)
VAL IT (value from IT investments) is a framework that outlines governance best practices for information technology-enabled business investments.
systemic risk
Systemic risk is a category of risk that describes threats to a system, market or economic segment.
inherent risk
Inherent risk is a category of threat that describes potential losses or pitfalls that exist before internal security controls or mitigating factors are implemented.
speculative risk
Speculative risk is a category of risk that can be taken on voluntarily and will either result in a profit or loss.
residual risk
Residual risk is the risk that remains after an organization has implemented security controls and other mitigations, including those adopted to comply with legal requirements.
Generally Accepted Recordkeeping Principles (the Principles)
Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.
Center for Internet Security (CIS)
The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.
risk exposure
Risk exposure is a quantified loss potential of business actions, and is usually calculated based on the probability of the incident occurring multiplied by its potential losses.
Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS)
Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS) is a program for evaluating IT products' conformance to international IT security standards.
Government Accountability Office (GAO)
The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress to investigate how the federal government spends taxpayer dollars.
risk avoidance
Risk avoidance is the risk treatment technique that entails eliminating hazards, activities and exposures that place an organization's valuable assets at risk.
EDRM (electronic discovery reference model)
The Electronic Discovery Reference Model (EDRM) is a framework that outlines standards for the recovery and discovery of digital data.
GRC professionals' salaries increase as demand for their skills rises
As businesses expand their IT security and compliance focus, GRC professionals are seeing salary increases with their broadened responsibilities.
FASAB (Federal Accounting Standards Advisory Board)
The Federal Accounting Standards Advisory Board (FASAB) is an advisory committee that develops accounting standards for U.S. government agencies.
privacy impact assessment (PIA)
A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared and maintained by an organization.
Preparation underway for Dodd-Frank conflict mineral disclosures
Dodd-Frank conflict mineral provisions create new disclosure rules for public companies. In this tip, learn how to prepare for the regulations.