Get started

Get started

Bring yourself up to speed with our introductory content.

• ISO 31000 Risk Management

  The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization. Continue Reading

• pure risk

  Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain. Continue Reading

• risk reporting

  Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes. Continue Reading

• risk map (risk heat map)

  A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces. Continue Reading

• risk assessment

  Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. Continue Reading

• Definitions to Get Started

  • ISO 31000 Risk Management
  • pure risk
  • risk reporting
  • risk map (risk heat map)

  • risk profile
  • governance, risk management and compliance (GRC)
  • residual risk
  • risk assessment

  View All Definitions

• risk profile

  A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.Continue Reading

• operational risk

  Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.Continue Reading

• governance, risk management and compliance (GRC)

  Governance, risk and compliance (GRC) refers to an organization's strategy for handling the interdependencies between corporate governance policies, enterprise risk management (ERM) programs, and regulatory and company compliance.Continue Reading

• residual risk

  Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.Continue Reading

• risk exposure

  Risk exposure is the quantified potential loss from business activities currently underway or planned.Continue Reading

• chief risk officer (CRO)

  The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings.Continue Reading

• risk avoidance

  Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.Continue Reading

• What is risk appetite?

  Risk appetite is the amount of risk an organization is willing to take in pursuit of objectives it deems have value.Continue Reading

• OPSEC (operations security)

  OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines what is required to protect sensitive information and prevent it from getting into the wrong hands.Continue Reading

• smart contract

  A smart contract is a decentralized application that executes business logic in response to events.Continue Reading

• compliance risk

  Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices.Continue Reading

• information governance

  Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.Continue Reading

• enterprise document management (EDM)

  Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be easily retrieved in the event of a compliance audit or subpoena.Continue Reading

• Top cloud compliance standards and how to use them

  Get guidance on how to select relevant cloud compliance standards, along with tips on evaluating third-party providers' cloud compliance and governance efforts.Continue Reading

• How to conduct an IoT audit for compliance

  To effectively prepare for and conduct an IoT audit, organizations need to understand which IT controls are in scope. Get actionable guidance on the audit process in this tip.Continue Reading

• Data protection impact assessment tips and templates

  Conducting a data protection impact assessment is key to evaluating potential risk factors that could pose a serious threat to individuals and their personal information.Continue Reading

• The 5 CMMC levels and how to achieve compliance

  While the CMMC certification process is still in development, IT leaders should get familiar with the five CMMC levels and learn how to comply with the security maturity model.Continue Reading

• What is the Dodd-Frank voice recording rule for the swaps market?

  A Dodd-Frank rule requires swaps dealers to record voice communications, which regulators designed to deter illicit financial activity and improve financial compliance.Continue Reading

• PCI DSS (Payment Card Industry Data Security Standard)

  The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal ...Continue Reading

• compliance framework

  A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with established regulations, specifications or legislation.Continue Reading

• regulatory compliance

  Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.Continue Reading

• privacy compliance

  Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.Continue Reading

• data governance policy

  A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly.Continue Reading

• Approach customer engagement by first asking good questions

  Organizations need to align their customer strategy with their technology and know how to gather and use the right customer data when integrating all the components.Continue Reading

• Fashion a first-rate customer experience management program

  Learn how to choose and implement the strategy, policies and digital tools that deliver customer satisfaction while keeping essential data and systems secure.Continue Reading

• compliance as a service (CaaS)

  Compliance as a Service (CaaS) is a cloud service service level agreement (SLA) that specified how a managed service provider (MSP) will help an organization meet its regulatory compliance mandates.Continue Reading

• Dodd-Frank Act

  The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government.Continue Reading

• Can holistic cybersecurity deliver the needed protection?

  A holistic approach to cybersecurity can provide continuous monitoring -- or create holes a hacker can breach. What makes the difference? It comes down to implementation.Continue Reading

• What holistic network security tools offer an organization

  Tools that provide a holistic approach to monitoring the IT infrastructure come in a variety of configurations and delivery models. Learn what's available.Continue Reading

• EU GDPR terms to know

  Compliance regulations can be complicated to follow, particularly in the new age of data privacy. Here's a breakdown of the must-know terms for companies who are subject to GDPR.Continue Reading

• corporate governance

  Corporate governance is the combination of rules, processes or laws by which businesses are operated, regulated or controlled.Continue Reading

• AI cybersecurity benefits are real, but not automatic

  Smart tech promises security and other benefits, but they don't come automatically. Learn how these tools work and where they can work best in your organization.Continue Reading

• AI security tech is making waves in incident response

  Experts weigh in on the latest smart cybersecurity tools -- how they work, the implications for your IT security team and whether the investment is worth the expense.Continue Reading

• CCPA compliance begins with data inventory assessment

  In this SearchCIO Q&A, multiple experts sound off on major questions businesses have about CCPA compliance ahead of its January 2020 enforcement date.Continue Reading

• compliance audit

  A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.Continue Reading

• Whistleblower Protection Act

  The Whistleblower Protection Act of 1989 is a law that protects federal government employees in the United States from retaliatory action for voluntarily disclosing information about dishonest or illegal activities occurring in a government ...Continue Reading

• Identify gaps in cybersecurity processes to reduce organizational risk

  Organizational risk is a given at modern companies. But as threats persist, identifying preventable cybersecurity gaps presents an opportunity to strengthen enterprise defenses.Continue Reading

• Key elements of an effective incident response playbook

  In this book excerpt, cybersecurity expert and author Bryce Austin highlights the importance of creating an effective incident response plan and delineates its key elements.Continue Reading

• FAQ: How is the Privacy Shield Framework being enforced?

  The FTC has issued its first enforcement actions for companies found in violation of the EU-U.S. Privacy Shield Framework, but are the rules doing enough to protect consumer data?Continue Reading

• internal audit (IA)

  An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine how well it conforms to a set of specific criteria.Continue Reading

• FAQ: How does EU GDPR compliance change data protection processes?

  In this FAQ, learn how compliance with the EU's General Data Protection Regulation requires companies to rethink their data protection policies and processes.Continue Reading

• Cybersecurity governance falls short amid rising security budgets

  Companies still struggle to adapt risk management strategies to face modern threats, but maturing their cybersecurity governance processes is a step in the right direction.Continue Reading

• audit program (audit plan)

  An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.Continue Reading

• PCI DSS compliance (Payment Card Industry Data Security Standard compliance)

  Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.Continue Reading

• Ransomware detection: Can employees help?

  As ransomware attacks continue to escalate, should organizations make employees an integral part of their ransomware detection and prevention strategy?Continue Reading

• PCAOB (Public Company Accounting Oversight Board)

  The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public companies in the United States to protect investors' interests.Continue Reading

• Shared Assessments Program

  Shared Assessments is a third party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in...Continue Reading

• cyborg anthropologist

  A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can shape humans' lives. Cyborg anthropology as a discipline originated at the 1993 annual meeting of the American ...Continue Reading

• RegTech

  RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.Continue Reading

• Information security regulations may target IoT, drones

  Calls are growing louder for information security regulations to target consumer-centric technology such as the IoT and drones, but legislating their use could prove difficult.Continue Reading

• conduct risk

  Conduct risk is the prospect of financial loss to an organization that is caused by the actions of an organization's administrators and employees.Continue Reading

• FTC (Federal Trade Commission)

  The FTC (Federal Trade Commission) is a United States federal regulatory agency designed to monitor and prevent anticompetitive, deceptive or unfair business practices.Continue Reading

• Big data security, privacy becomes a concern for marketing analytics

  The proliferation of IoT devices has resulted in an upsurge in data-driven marketing, which in turn can fuel data security, privacy and ethics concerns, experts say.Continue Reading

• 2016 GRC conference calendar for IT leaders

  Attending a GRC conference can keep you up to speed on compliance regulations, risk management strategies and governance trends. Check out our list of upcoming GRC conferences.Continue Reading

• Securities and Exchange Act of 1934 (Exchange Act)

  The Securities and Exchange Act of 1934 (Exchange Act) is a law that governs secondary trading and stock exchanges.Continue Reading

• Data protection requirements start with firm grasp of GRC needs

  Corporate data protection requirements are complex, but determining a company's unique GRC needs is an essential first step to information security.Continue Reading

• Regulation Fair Disclosure (Regulation FD or Reg FD)

  Regulation Fair Disclosure is a rule passed by the U.S. Securities and Exchange Commission that aims to prevent selective disclosure of information by requiring publicly traded companies to make public disclosure of material, nonpublic information.Continue Reading

• predictive coding

  Predictive coding software can be used to automate portions of an e-discovery document review. The goal of predictive coding is to reduce the number of irrelevant and non-responsive documents that need to be reviewed manually.Continue Reading

• For reliable digital evidence, information governance strategy required

  Computers are increasingly called as witnesses in court cases, forcing companies to ensure information governance processes are able to produce reliable digital evidence.Continue Reading

• Five steps to establishing a big data governance policy

  Modern companies generate and store an unprecedented amount of big data, but an information governance policy can help businesses stay compliant and reap the benefits of their digital assets.Continue Reading

• SEC's Regulation SCI: A visual timeline

  The SEC adopted Regulation SCI to bolster the technological infrastructure of the U.S. securities market. Take a look at the milestones in the history of Reg SCI, including when it was first proposed, the tech failures that inspired it and more.Continue Reading

• Data governance due diligence key to GRC automation success

  Information governance expert Jeffrey Ritter discusses how companies can successfully align GRC automation with existing data governance processes.Continue Reading

• Mobility gets boost from automated compliance management systems

  In this tip, learn how automated compliance management can overcome enterprise mobility complications and save valuable company resources.Continue Reading

• Regulation SCI (Regulation Systems Compliance and Integrity)

  Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.S. securities markets.Continue Reading

• Data currency: Five steps to get max value from digital assets

  In this tip, learn digital information management strategies to take advantage of the growing data as currency movement.Continue Reading

• Cloud compliance, data protection top reasons for encryption

  Securosis founder Rich Mogull discusses various cloud computing models and the top reasons for encryption processes in part one of this webcast.Continue Reading

• COBIT 5

  COBIT 5 is the fifth iteration of a popular framework that's used for managing and governing information technology (IT).Continue Reading

• What changes are businesses experiencing under PCI DSS version 3.0?

  New compliance requirements under PCI DSS version 3.0 strive to make cardholder data security part of companies' everyday business processes.Continue Reading

• agreed-upon procedures (AUP)

  Agreed-upon procedures are the standards a company or client outlines when it hires an external party to perform an audit on specific tests or business process and then report on the results.Continue Reading

• mobile governance

  Mobile governance refers to the processes and policies used to manage mobile device access to an organization's network or its data.Continue Reading

• Why your mobile device management policy must include wearables

  Wearable technology has started to creep into the business world, but companies must overcome the data governance complications to reap any benefits.Continue Reading

• COMSEC (communications security)

  Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any information that is transmitted or transferred.Continue Reading

• Altman Z-score

  The Altman Z-score is a statistic that is useful for evaluating the financial health of a publicly traded manufacturing company. Continue Reading

• autoclassification

  Autoclassification is an intelligent technology found in some content management systems (CMS) wherein documents are scanned and automatically assigned categories and keywords based on the content within the documents.Continue Reading

• Certified Information Systems Risk and Compliance Professional (CISRCP)

  A Certified Information Systems Risk and Compliance Professional (CISRCP) is a person in the information technology (IT) field that has passed an examination on risk and compliance topics developed by the International Association of Risk and ...Continue Reading

• records retention schedule

  A records retention schedule is a policy that depicts how long data items must be kept, as well as the disposal guidelines for these data items.Continue Reading

• total risk

  Total risk is an assessment that identifies all of the risk factors, including potential internal and external threats and liabilities, associated with pursuing a specific plan or project or buying or selling an investment.Continue Reading

• information assurance

  Information assurance (IA) is the practice of protecting against and managing risk related to the use, storage and transmission of data and information systems.Continue Reading

• International Accounting Standards Board

  The International Accounting Standards Board is the independent standard-setting body of the IFRS Foundation.Continue Reading

• records management

  Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.Continue Reading

• unknowable risk

  An unknowable risk is a potential threat to an organization's processes that is not known and cannot be quantified or controlled.Continue Reading

• Three steps to keep IT policies and procedures regulatory compliant

  Corporate compliance and risk management expert Jeffrey Jenkins shares how he ensures IT policies and procedures remain in sync with current compliance regulations.Continue Reading

• IT Governance Institute (ITGI)

  The IT Governance Institute (ITGI) is an arm of ISACA that provides research, publications and resources on IT governance and related topics.Continue Reading

• FCC proposals continue to spark net neutrality debate

  Recent FCC proposals have led to contentious net neutrality debates, as stakeholders remain concerned about how they will change broadband services.Continue Reading

• Can automated segregation of duties benefit regulatory compliance?

  In this feature, Michael Rasmussen explains why automated SoD reduces compliance costs as well as the potential for fraud and lawsuits.Continue Reading

• Six steps to build an effective enterprise risk management program

  Follow these six steps to develop an enterprise risk management program that maps risks and establishes countermeasures.Continue Reading

• IT audit (information technology audit)

  An IT audit is the examination and evaluation of an organization's information technology infrastructure, policies and operations.Continue Reading

• VAL IT (value from IT investments)

  VAL IT (value from IT investments) is a framework that outlines governance best practices for information technology-enabled business investments.Continue Reading

• systemic risk

  Systemic risk is a category of risk that describes threats to a system, market or economic segment.Continue Reading

• inherent risk

  Inherent risk is a category of threat that describes potential losses or pitfalls that exist before internal security controls or mitigating factors are implemented.Continue Reading

• speculative risk

  Speculative risk is a category of risk that can be taken on voluntarily and will either result in a profit or loss. Continue Reading

• Generally Accepted Recordkeeping Principles (the Principles)

  Generally Accepted Recordkeeping Principles is a framework for managing records in a way that supports an organization's immediate and future regulatory, legal, risk mitigation, environmental and operational requirements.Continue Reading

• Center for Internet Security (CIS)

  The Center for Internet Security (CIS) is a nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.Continue Reading

• Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS)

  Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS) is program for evaluating IT products' conformance to international IT security standards. Continue Reading

• Government Accountability Office (GAO)

  The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress to investigate how the federal government spends taxpayer dollars.Continue Reading