Get started
Bring yourself up to speed with our introductory content.
enterprise document management (EDM)
Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be easily retrieved in the event of a compliance audit or subpoena.
Top cloud compliance standards and how to use them
Get guidance on how to select relevant cloud compliance standards, along with tips on evaluating third-party providers' cloud compliance and governance efforts.
How to conduct an IoT audit for compliance
To effectively prepare for and conduct an IoT audit, organizations need to understand which IT controls are in scope. Get actionable guidance on the audit process in this tip.
Data protection impact assessment tips and templates
Conducting a data protection impact assessment is key to evaluating potential risk factors that could pose a serious threat to individuals and their personal information.
The 5 CMMC levels and how to achieve compliance
While the CMMC certification process is still in development, IT leaders should get familiar with the five CMMC levels and learn how to comply with the security maturity model.
risk assessment
Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.
What is the Dodd-Frank voice recording rule for the swaps market?
A Dodd-Frank rule requires swaps dealers to record voice communications, which regulators designed to deter illicit financial activity and improve financial compliance.
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal ...
risk management
Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.
compliance framework
A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.
regulatory compliance
Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
privacy compliance
Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
data governance policy
A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly.
Approach customer engagement by first asking good questions
Organizations need to align their customer strategy with their technology and know how to gather and use the right customer data when integrating all the components.
Fashion a first-rate customer experience management program
Learn how to choose and implement the strategy, policies and digital tools that deliver customer satisfaction while keeping essential data and systems secure.
compliance as a service (CaaS)
Compliance as a Service (CaaS) is a cloud service level agreement (SLA) that specifies how a managed service provider (MSP) will help an organization meet its regulatory compliance mandates.
Dodd-Frank Act
The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government.
Can holistic cybersecurity deliver the needed protection?
A holistic approach to cybersecurity can provide continuous monitoring -- or create holes a hacker can breach. What makes the difference? It comes down to implementation.
What holistic network security tools offer an organization
Tools that provide a holistic approach to monitoring the IT infrastructure come in a variety of configurations and delivery models. Learn what's available.
Governance, Risk and Compliance (GRC)
Governance, risk and compliance (GRC) is a combined area of focus developed to cover an organization's strategy to handle any interdependencies between the three components.
EU GDPR terms to know
Compliance regulations can be complicated to follow, particularly in the new age of data privacy. Here's a breakdown of the must-know terms for companies that are subject to GDPR.
corporate governance
Corporate governance is the combination of rules, processes or laws by which businesses are operated, regulated or controlled.
AI cybersecurity benefits are real, but not automatic
Smart tech promises security and other benefits, but they don't come automatically. Learn how these tools work and where they can work best in your organization.
AI security tech is making waves in incident response
Experts weigh in on the latest smart cybersecurity tools -- how they work, the implications for your IT security team and whether the investment is worth the expense.
CCPA compliance begins with data inventory assessment
In this SearchCIO Q&A, multiple experts sound off on major questions businesses have about CCPA compliance ahead of its January 2020 enforcement date.
compliance audit
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
Whistleblower Protection Act
The Whistleblower Protection Act of 1989 is a law that protects federal government employees in the United States from retaliatory action for voluntarily disclosing information about dishonest or illegal activities occurring in a government ...
Identify gaps in cybersecurity processes to reduce organizational risk
Organizational risk is a given at modern companies. But as threats persist, identifying preventable cybersecurity gaps presents an opportunity to strengthen enterprise defenses.
smart contract
A smart contract, also known as a cryptocontract, is a computer program that directly controls the transfer of digital currencies or assets between parties under certain conditions.
Key elements of an effective incident response playbook
In this book excerpt, cybersecurity expert and author Bryce Austin highlights the importance of creating an effective incident response plan and delineates its key elements.
Gearing up to meet GDPR compliance requirements
In this webcast, attorney Nicholas Merker discusses the necessary steps companies should be taking to meet the EU's looming GDPR compliance requirements.
risk map (risk heat map)
A risk map, also known as a risk heat map, is a data visualization tool for communicating specific risks an organization faces. A risk map helps companies identify and prioritize the risks associated with their business.
FAQ: How is the Privacy Shield Framework being enforced?
The FTC has issued its first enforcement actions for companies found in violation of the EU-U.S. Privacy Shield Framework, but are the rules doing enough to protect consumer data?
GDPR rules putting a spotlight on consumer data privacy
Nick Merker, a partner at Ice Miller law firm, discusses how GDPR rules are influencing data privacy efforts and offers tips about how U.S. companies can remain GDPR compliant.
internal audit (IA)
An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine how well it conforms to a set of specific criteria.
FAQ: How does EU GDPR compliance change data protection processes?
In this FAQ, learn how compliance with the EU's General Data Protection Regulation requires companies to rethink their data protection policies and processes.
pure risk (absolute risk)
Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if it occurs: loss.
Cybersecurity governance falls short amid rising security budgets
Companies still struggle to adapt risk management strategies to face modern threats, but maturing their cybersecurity governance processes is a step in the right direction.
audit program (audit plan)
An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.
PCI DSS compliance (Payment Card Industry Data Security Standard compliance)
Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.
Ransomware detection: Can employees help?
As ransomware attacks continue to escalate, should organizations make employees an integral part of their ransomware detection and prevention strategy?
Mobile endpoints require new look at cybersecurity awareness training
In this webcast, learn how non-traditional mobile endpoints are forcing organizations to re-examine their data protection techniques, including cybersecurity awareness training.
PCAOB (Public Company Accounting Oversight Board)
The Public Company Accounting Oversight Board (PCAOB) is a Congressionally established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
Shared Assessments Program
Shared Assessments is a third-party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in...
cyborg anthropologist
A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can shape humans' lives. Cyborg anthropology as a discipline originated at the 1993 annual meeting of the American ...
RegTech
RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.
Information security regulations may target IoT, drones
Calls are growing louder for information security regulations to target consumer-centric technology such as the IoT and drones, but legislating their use could prove difficult.
conduct risk
Conduct risk is the prospect of financial loss to an organization that is caused by the actions of an organization's administrators and employees.
information governance
Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
FTC (Federal Trade Commission)
The FTC (Federal Trade Commission) is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.
chief risk officer (CRO)
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.
Big data security, privacy becomes a concern for marketing analytics
The proliferation of IoT devices has resulted in an upsurge in data-driven marketing, which in turn can fuel data security, privacy and ethics concerns, experts say.
OPSEC (operational security)
OPSEC (operational security) is an analytical process that identifies assets such as sensitive corporate information or trade secrets, and determines the controls required to protect these assets.
2016 GRC conference calendar for IT leaders
Attending a GRC conference can keep you up to speed on compliance regulations, risk management strategies and governance trends. Check out our list of upcoming GRC conferences.
Securities and Exchange Act of 1934 (Exchange Act)
The Securities and Exchange Act of 1934 (Exchange Act) is a law that governs secondary trading and stock exchanges.
Making the business case for cybersecurity spending
Cybersecurity has become essential to protect data assets, but it is also helping businesses ensure corporate information is accurate and reliable.
Data protection requirements start with firm grasp of GRC needs
Corporate data protection requirements are complex, but determining a company's unique GRC needs is an essential first step to information security.
Regulation Fair Disclosure (Regulation FD or Reg FD)
Regulation Fair Disclosure is a rule passed by the U.S. Securities and Exchange Commission that aims to prevent selective disclosure of information by requiring publicly traded companies to make public disclosure of material, nonpublic information.
predictive coding
Predictive coding software can be used to automate portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.
For reliable digital evidence, information governance strategy required
Computers are increasingly called as witnesses in court cases, forcing companies to ensure information governance processes are able to produce reliable digital evidence.
Five steps to establishing a big data governance policy
Modern companies generate and store an unprecedented amount of big data, but an information governance policy can help businesses stay compliant and reap the benefits of their digital assets.
SEC's Regulation SCI: A visual timeline
The SEC adopted Regulation SCI to bolster the technological infrastructure of the U.S. securities market. Take a look at the milestones in the history of Reg SCI, including when it was first proposed, the tech failures that inspired it and more.
Data governance due diligence key to GRC automation success
Information governance expert Jeffrey Ritter discusses how companies can successfully align GRC automation with existing data governance processes.
Mobility gets boost from automated compliance management systems
In this tip, learn how automated compliance management can overcome enterprise mobility complications and save valuable company resources.
Regulation SCI (Regulation Systems Compliance and Integrity)
Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.S. securities markets.
Data currency: Five steps to get max value from digital assets
In this tip, learn digital information management strategies to take advantage of the growing data as currency movement.
Cloud compliance, data protection top reasons for encryption
Securosis founder Rich Mogull discusses various cloud computing models and the top reasons for encryption processes in part one of this webcast.
How to choose the right volume storage encryption system
In part two of this webcast series, Securosis founder Rich Mogull discusses the main components of an encryption system and options for encrypting volume storage.
COBIT 5
COBIT 5 is the fifth iteration of a popular framework that's used for managing and governing information technology (IT).
What changes are businesses experiencing under PCI DSS version 3.0?
New compliance requirements under PCI DSS version 3.0 strive to make cardholder data security part of companies' everyday business processes.
agreed-upon procedures (AUP)
Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business processes and then report on the results.
mobile governance
Mobile governance refers to the processes and policies used to manage mobile device access to an organization's network or its data.
Why your mobile device management policy must include wearables
Wearable technology has started to creep into the business world, but companies must overcome the data governance complications to reap any benefits.
COMSEC (communications security)
Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any information that is transmitted or transferred.
Altman Z-score
The Altman Z-score is a statistic that is useful for evaluating the financial health of a publicly traded manufacturing company.
autoclassification
Autoclassification is an intelligent technology found in some content management systems (CMS) wherein documents are scanned and automatically assigned categories and keywords based on the content within the documents.
Certified Information Systems Risk and Compliance Professional (CISRCP)
A Certified Information Systems Risk and Compliance Professional (CISRCP) is a person in the information technology (IT) field who has passed an examination on risk and compliance topics developed by the International Association of Risk and ...
records retention schedule
A records retention schedule is a policy that depicts how long data items must be kept, as well as the disposal guidelines for these data items.
total risk
Total risk is an assessment that identifies all of the risk factors, including potential internal and external threats and liabilities, associated with pursuing a specific plan or project or buying or selling an investment.
information assurance
Information assurance (IA) is the practice of protecting against and managing risk related to the use, storage and transmission of data and information systems.
International Accounting Standards Board
The International Accounting Standards Board is the independent standard-setting body of the IFRS Foundation.
records management
Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.
unknowable risk
An unknowable risk is a potential threat to an organization's processes that is not known and cannot be quantified or controlled.
Three steps to keep IT policies and procedures regulatory compliant
Corporate compliance and risk management expert Jeffrey Jenkins shares how he ensures IT policies and procedures remain in sync with current compliance regulations.
IT Governance Institute (ITGI)
The IT Governance Institute (ITGI) is an arm of ISACA that provides research, publications and resources on IT governance and related topics.
FCC proposals continue to spark net neutrality debate
Recent FCC proposals have led to contentious net neutrality debates, as stakeholders remain concerned about how they will change broadband services.
Can automated segregation of duties benefit regulatory compliance?
In this feature, Michael Rasmussen explains why automated SoD reduces compliance costs as well as the potential for fraud and lawsuits.
Six steps to build an effective enterprise risk management program
Follow these six steps to develop an enterprise risk management program that maps risks and establishes countermeasures.
IT audit (information technology audit)
An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.
VAL IT (value from IT investments)
VAL IT (value from IT investments) is a framework that outlines governance best practices for information technology-enabled business investments.
compliance risk
Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
Next generation of threats requires new approach to PCI security
In this Q&A, learn how increasingly sophisticated cyberthreats should influence organizations' information protection and PCI security strategy.
systemic risk
Systemic risk is a category of risk that describes threats to a system, market or economic segment.
inherent risk
Inherent risk is a category of threat that describes potential losses or pitfalls that exist before internal security controls or mitigating factors are implemented.
Security-related information sharing boosts corporate data protection
Former eBay CISO David Cullinane discusses why new threats make security-related information sharing an integral part of corporate data protection.
speculative risk
Speculative risk is a category of risk that can be taken on voluntarily and will either result in a profit or loss.
residual risk
Residual risk is a threat that remains after an organization has implemented security controls to comply with legal requirements.
Generally Accepted Recordkeeping Principles (the Principles)
Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.
Center for Internet Security (CIS)
The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.
risk exposure
Risk exposure is a quantified loss potential of business actions, and is usually calculated based on the probability of the incident occurring multiplied by its potential losses.