Glossary


American Institute of Certified Public Accountants (AICPA)

SOC 2

The American Institute of Certified Public Accountants (AICPA) sets auditing standards and devised the SOC framework. 

Annex A controls

ISO

ISO/IEC 27001:2022 Annex A lists 93 controls across four themes: organizational, people, physical, and technological. ISO/IEC 27002:2022 provides implementation guidance for the same 93 controls. Annex A is the reference set from which an information security management system (ISMS) selects its controls; each control is included or justified as excluded in the Statement of Applicability. The prior version (ISO/IEC 27001:2013 Annex A, mirrored by ISO 27002:2013) included 114 controls across 14 domains.

Asset

ISO

An asset is something that has value to a business. The term extends beyond physical items to include people, information, reputation, intellectual property (IP), and software.

Asset management

ISO

Asset management is the process of obtaining and updating an accurate inventory of all IT assets, including the discovery of security gaps related to the asset operations and configuration. Asset management also involves enforcing security requirements to address identified security gaps.

Attestation

SOC 2

Attestation is the end result of a SOC 2 audit. The SOC 2 report is an attestation report (not a certification): the auditor attests, rather than certifies, that controls are suitably designed (Type 1) and, for a Type 2 report, that they operated effectively over the review period.

Breach Notification Rule

HIPAA

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and the U.S. Department of Health and Human Services (HHS) when unsecured PHI is impermissibly used or disclosed, i.e., "breached." Business associates must notify the covered entity they serve so that it can make those notifications.

Business associates (HIPAA definition)

HIPAA

Business associates under HIPAA are any individual, organization, or agency (e.g., SaaS platforms, IT contractors, cloud storage, CPA firms) that performs certain functions that involve the use or disclosure of protected health information (PHI) on behalf of, or to provide services to, a covered entity.

Certification

Compliance

Certification is the end result of the ISO 27001 process. It is granted by an accredited certification body after a successful audit, not by ISO itself.

Chief trust officer (CTrO)

TrustOps

The individual responsible for oversight of all trust operations activities. A C-suite member.

Clause

ISO

Clauses are the numbered sections of ISO 27001 (clauses 4 through 10), each a collection of "shall" statements that describe how to establish, run, and continually improve an information security management system (ISMS). Unlike Annex A controls, the clauses cannot be excluded from scope.

Control

Compliance

A specific procedure or protocol that is in place to address a cybersecurity risk. Controls always have an owner and an action and may have a time frame.


Control mapping

Compliance

The activity of mapping your controls to the requirements of a framework (e.g., SOC 2, ISO 27001, or HIPAA) or a regulation, such as CCPA and GDPR, so that one control and its evidence can satisfy several requirements at once. Typically this is a time-consuming activity, but Strike Graph's platform makes it fast and easy.

Corrective action

ISO

The activities that are undertaken by an organization to get a nonconformity back into conformance.

Coverage

SOC 2

The number of controls mapped to each SOC 2 criterion. Auditors use professional judgment to assess whether an organization has enough coverage; a criterion with no mapped control is a gap that must be closed before the audit.
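The two entries above, control mapping and coverage, are easier to see with a small control register. The following is an added example and not Strike Graph's own code or data model; the control IDs, owners, frequencies, in-scope criteria list, and the requirement identifiers each control maps to are constructed for illustration. It computes how many controls cover each in-scope SOC 2 criterion, lists the gaps, and answers the reverse question an auditor asks ("which controls satisfy this requirement?").

```python
"""Added example (not Strike Graph code): a constructed control register with
framework mappings and a coverage report per SOC 2 criterion."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    action: str                       # what is done (every control has an action)
    owner: str                        # who is accountable (every control has an owner)
    mappings: Dict[str, List[str]]    # framework -> requirement identifiers the control satisfies
    frequency: Optional[str] = None   # optional time frame, e.g. "quarterly"


# Constructed control register; identifiers are illustrative.
CONTROLS = [
    Control("CTL-01", "MFA enforced for all production and admin access", "IT Lead",
            {"SOC 2": ["CC6.1", "CC6.6"], "ISO 27001": ["A.5.17", "A.8.5"], "HIPAA": ["164.312(d)"]}),
    Control("CTL-02", "Review user access rights and remove stale accounts", "IT Lead",
            {"SOC 2": ["CC6.2", "CC6.3"], "ISO 27001": ["A.5.18"], "HIPAA": ["164.308(a)(4)"]},
            frequency="quarterly"),
    Control("CTL-03", "Encrypted backups taken and a restore tested", "Ops Lead",
            {"SOC 2": ["A1.2", "A1.3"], "ISO 27001": ["A.8.13"]}, frequency="annually"),
    Control("CTL-04", "Security awareness training at hire and annually", "People Ops",
            {"SOC 2": ["CC1.4", "CC2.2"], "ISO 27001": ["A.6.3"], "HIPAA": ["164.308(a)(5)"]},
            frequency="annually"),
]

# Constructed list of SOC 2 criteria the audit is scoped to.
SOC2_IN_SCOPE = ["CC1.4", "CC2.2", "CC6.1", "CC6.2", "CC6.3", "CC6.6", "CC7.2", "A1.2", "A1.3"]


def coverage(controls: List[Control], framework: str, in_scope: List[str]) -> Dict[str, int]:
    """Number of controls mapped to each in-scope requirement of a framework."""
    counts = {req: 0 for req in in_scope}
    for control in controls:
        for req in control.mappings.get(framework, []):
            if req in counts:
                counts[req] += 1
    return counts


def gaps(counts: Dict[str, int], minimum: int = 1) -> List[str]:
    """Requirements with fewer than `minimum` mapped controls; each needs a new control or a remapping."""
    return sorted(req for req, n in counts.items() if n < minimum)


def controls_for(controls: List[Control], framework: str, req: str) -> List[str]:
    """Reverse lookup: which controls satisfy a given requirement."""
    return [c.control_id for c in controls if req in c.mappings.get(framework, [])]


def reuse_ratio(controls: List[Control]) -> float:
    """Average number of frameworks each control serves: the payoff of mapping once and reusing."""
    return sum(len(c.mappings) for c in controls) / len(controls)


if __name__ == "__main__":
    counts = coverage(CONTROLS, "SOC 2", SOC2_IN_SCOPE)
    for req, n in counts.items():
        owners = ", ".join(controls_for(CONTROLS, "SOC 2", req)) or "-"
        print(f"{req:6} {n} control(s): {owners}")
    print("gaps:", gaps(counts))
    print("frameworks per control:", reuse_ratio(CONTROLS))
```

In this constructed register CC7.2 has no mapped control and is the gap to close; the other criteria each have exactly one, which an auditor may still consider thin for a criterion as broad as CC6.1. The same `mappings` dictionary drives the ISO 27001 and HIPAA views, which is the point of mapping controls rather than requirements.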

Covered entities (HIPAA definition)

HIPAA

Covered entities under HIPAA are any individual, organization, or agency that provides treatment, payment, or healthcare operations. This includes healthcare providers (e.g., doctors, pharmacies, nurses, nursing homes), health plans (e.g., insurance companies and government plans), and healthcare clearinghouses (e.g., electronic stations that allow healthcare providers to transmit claims to insurance companies).

Certified public accountant (CPA)

Compliance

A certified public accountant is certified to provide accounting services in their location of licensure. Only CPAs or CPA firms can sign off on a SOC 2 report.

Cyberattack

Cybersecurity

A cyberattack is an attempt by a malicious actor to compromise an asset by destroying or altering it, or by gaining unauthorized access to it.

Cybersecurity

Cybersecurity

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. It is commonly treated as a subset of IT security, which also covers the physical and procedural protection of data.

Digital trust

TrustOps

Digital trust is a belief and expectation that an organization’s digital technologies and services will employ effective cybersecurity practices to protect your data. 

Digital trust dividends

TrustOps

Digital trust dividends are earned by an organization when a customer or other stakeholder demonstrates trust. Trust dividends include a measurable increase in revenue, ability to bounce back quickly from a security incident or breach, shortened sales cycle, brand recognition, and customer loyalty.

Distributed denial of service (DDoS)

Cybersecurity

Distributed denial of service is an attack in which many compromised machines (a botnet) simultaneously flood a target's network, server, or application with traffic or requests, exhausting its capacity and rendering it unavailable to legitimate users. The target is overwhelmed rather than shut down, which is why mitigation relies on filtering and absorbing the traffic upstream of the target.

Electronic Protected Health Information (ePHI)

HIPAA

Defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. PHI, and therefore ePHI, is health information associated with any of the 18 identifiers (such as name, dates, phone number, or Social Security number) that can be used to identify a patient.

Enforcement Rule

HIPAA

The HIPAA Enforcement Rule allows the Office for Civil Rights (OCR) to investigate complaints and suspected violations of HIPAA, perform Privacy and Security Rule compliance audits, and impose civil money penalties on those that do not comply with the rules.

ESG (environmental, social, and governance)

TrustOps

These terms refer to the three central factors typically used in evaluating the sustainability and ethical impact of a company or an investment. Companies that adhere to environmental, social and governance standards agree to conduct themselves ethically in those three areas.

Evidence

Compliance

Evidence is how an organization proves a control is in place or being performed. Evidence can come in many forms. The most common are system generated reports, system screenshots, change tickets, and policy and procedures documents.

Framework

Cybersecurity

The set of objectives, principles, and requirements that make up a certification or attestation standard. A framework is usually published by a governing body. Strike Graph supports multiple frameworks, including SOC 2, ISO 27001, ISO 27701, HIPAA, PCI DSS, GDPR, and CCPA.

GRC (governance, risk, and compliance)

TrustOps

This refers to a structured approach to aligning IT operations and compliance activities with business goals while managing risk and meeting applicable industry and government regulations.

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

HIPAA

The HITECH Act extended HIPAA's Privacy and Security Rule obligations directly to business associates of covered entities, increased the penalties for noncompliance, and introduced the breach notification requirements.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Information asset

ISO

Information or data that is of value to an organization (e.g., patient records, employees’ information, intellectual property, or company data).

Information security

Cybersecurity

Measures, procedures, processes, and technologies that businesses deploy to ensure the confidentiality, integrity, and availability of information.

Information security incident

Cybersecurity

A suspected, attempted, successful, or imminent threat of unauthorized access, modification, use, disclosure, or destruction of information assets. The term information security incident also refers to interference with information technology operation or violation of acceptable use policy.

Information security management system (ISMS)

ISO

A formal security program that is continuously improved upon, refined, and monitored.

Internal audit

ISO

An independent assessment of an organization’s information security management system (ISMS) as a whole or of any subset of controls. An internal audit is required as part of a functioning ISMS.

International Organization for Standardization (ISO)

ISO

The International Organization for Standardization (ISO) is an international body that develops, maintains, and publishes standards covering everything from quality management to information security and data privacy. ISO does not itself certify organizations; that is done by accredited certification bodies.

ISO/IEC 27001:2013

ISO

This was the official name of the ISO 27001 standard from 2013 until it was superseded by ISO/IEC 27001:2022 in October 2022, with a transition period for existing certificates. The standard specifies the requirements for establishing, maintaining, and continually improving an information security management system, with Annex A listing the reference controls.

Information technology (IT) security

Cybersecurity

Information technology (IT) security refers to the collection of both IT and business practices that an organization puts in place to secure data. The goal is to ensure the confidentiality, availability, and integrity of company information. IT security includes overarching data handling practices, both over the web and for physical locations where data is stored. 

IT compliance

Compliance

The collection of activities undertaken to meet the IT-related aspects of an entity's legal, regulatory, and contractual requirements (e.g., HIPAA safeguards or security commitments made to customers).

Multi-factor authentication (MFA)

Cybersecurity

Multi-factor authentication is an authentication method that requires a user to present two or more independent factors, typically something they know (a password), something they have (a phone or hardware token), and something they are (a biometric), in order to access a resource or service. A stolen password alone is then not enough to log in.
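To make the "independent factors" point concrete, here is an added example of a password check combined with a time-based one-time password (TOTP) as used by authenticator apps. It is not code from the original page; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only. The stored user record (salt, password hash, and TOTP seed) is constructed for illustration; the seed is the RFC 6238 test seed so the codes can be checked against the published vectors.

```python
"""Added example: password (something you know) plus a TOTP code
(something you have) as two independent authentication factors."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample user record; in a real system this comes from the user store.
SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000)
# Base32 of the ASCII seed "12345678901234567890", the RFC 6238 test seed.
TOTP_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(seed_b32, int(at // step), digits)


def verify_totp(seed_b32: str, submitted: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = int(at // step)
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed_b32, c).encode(), submitted.encode()):
            matched = True
    return matched


def verify_password(submitted: str) -> bool:
    """Slow hash (PBKDF2) so offline guessing is expensive; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def login(password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass. Both are evaluated unconditionally so a failed
    login does not reveal which factor was wrong."""
    if at is None:
        at = time.time()
    password_ok = verify_password(password)
    code_ok = verify_totp(TOTP_SEED_B32, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    current = totp(TOTP_SEED_B32, now)
    print("current code:", current)
    print("login with both factors:", login("correct horse battery staple", current, now))
    print("login with password only:", login("correct horse battery staple", "000000", now))
```

Two caveats a production implementation adds: remember the last counter accepted for each user and refuse to accept the same code twice (otherwise an observed code can be replayed within the drift window), and rate-limit attempts, since a six-digit code has only a million possibilities.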

Nonconformity

ISO

A nonconformity is something that is not aligned with an Annex A control, a clause, or even a regulation or company process. Nonconformities can be identified by auditors, through incidents, by external parties, and by other means.

Penetration test

Cybersecurity

A penetration test is a simulated cyberattack performed, with written authorization and an agreed scope, to assess the security of a computer system, network, or application. Also referred to as a pen test, it looks for weaknesses an attacker could exploit so the organization can remediate them before a real attacker does.

Point of focus

SOC 2

Points of focus are areas to consider for each Trust Services Criterion. They are as close as SOC 2 gets to requirements. Think of them as hints on how to meet each criterion.

Principle of least privilege

Cybersecurity

The principle of least privilege is the concept of limiting the access and privileges of users, service accounts, and processes to the minimum needed to perform their function, and for no longer than needed.

Privacy Rule

HIPAA

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of protected health information (PHI) and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

Qualified opinion

SOC 2

Qualified opinion is a term used by auditors to describe their conclusion about a company's controls. A qualified opinion means the auditor found the controls acceptable except for one or more specific exceptions, which the report describes. A qualified opinion is not a failed report, but it does indicate that the design or operation of some controls did not meet the auditor's expectations, and readers of the report will ask about it.

Risk

Compliance

The potential for a scenario that leads to an adverse outcome. A risk is typically expressed as a threat exploiting a vulnerability to affect an asset, and can be written as a what-could-go-wrong statement. Strike Graph uses a risk assessment to identify control gaps and rightsize compliance efforts.

SDLC: Software Development Lifecycle

Cybersecurity

The standard business process for developing software applications: planning, designing, building, testing, deploying, and maintaining. A secure SDLC adds security activities at each stage, such as threat modeling during design, code review and dependency scanning during build, and vulnerability scanning before and after deployment.

Security Rule

HIPAA

The HIPAA Security Rule sets the administrative, physical, and technical safeguards that covered entities and business associates must implement to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Security questionnaire (aka vendor questionnaire)

Cybersecurity

A list of questions and requirements companies give to potential vendors to verify that their data security and privacy measures are sufficient. 

Secure shell (SSH)

Cybersecurity

Secure shell is a cryptographic network protocol for remote login, command execution, and file transfer over an unsecured network. It encrypts the session and authenticates both the server (by host key) and the user (by password or, preferably, public key), which is what makes remote system administration over the internet safe.

Secure sockets layer (SSL)

Cybersecurity

Secure sockets layer was the original protocol for encrypting and authenticating connections between two systems on the internet. All SSL versions are now deprecated and have been replaced by Transport Layer Security (TLS); the term "SSL" survives mainly in names such as "SSL certificate."

System and Organization Controls (SOC)

SOC 2

A set of reports in which CPAs form an opinion on (attest to) an organization's controls. SOC 1 covers controls relevant to customers' financial reporting. SOC 2 covers a service organization's controls relevant to the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). SOC 3 is a general-use summary of a SOC 2 report that can be shared publicly.

SOC 2 Section 3 (system description)

SOC 2

A section of the SOC 2 report prepared by a company’s management team. Anything in this section is fair game for an audit. Section 3 covers topics relevant to a company’s system or product, including people, processes, technology, and data that make up the environment or system that support the company’s services.

SOC 2 Section 5

SOC 2

An optional section of the SOC 2 report where a company's management team can explain any issues, test exceptions, or events that occurred after the end of the audit period.

SOC 2 Type 1

SOC 2

Tests whether controls are suitably designed and implemented as of a point in time.

SOC 2 Type 2

SOC 2

Tests everything in SOC 2 Type 1 as well as the functioning or operation of controls over a period of time. The time period is typically 12 months but can be as little as three months.

Statement of Applicability

ISO

An information security management system (ISMS) document required by ISO 27001 that lists which Annex A controls are in scope, whether each is implemented, and the justification for including or excluding it. This list is shared with auditors and assessors.

Test exception

SOC 2

An anomaly in the design or operation of a control found by the auditor. Exceptions are to be avoided but are common; a single exception does not necessarily lead to a qualified opinion, though it is listed in the report alongside management's response.

Threat

Cybersecurity

A potential cause of an incident that may result in a breach of information security or compromise of operations.

Trust

TrustOps

“Firm belief in the reliability, truth, ability, or strength of someone or something” (Oxford Languages). From an information security and data privacy perspective, trust is specifically digital trust — the end user’s belief that the organization will employ appropriate and effective cyber security practices to protect all information. 

Trust asset

TrustOps

A tangible report, certification, or other artifact that can be shared with stakeholders in order to earn their trust in regards to information security and data protection. 

Trust by design

TrustOps

The integration of trust concepts into the change-management process. Trust by design includes security and privacy by design and considers how changes may impact customer trust.    

Trust maturity model (or curve)

TrustOps

The trust maturity model demonstrates the activities and outcomes an organization should achieve as they evolve toward robust Trust Operations practices.  

Trust operations (or TrustOps)

TrustOps

Trust Operations, or TrustOps, is the strategic integration of all activities that ensure a business fulfills its data protection and information security promises to customers and stakeholders. TrustOps activities may encompass information security, IT compliance, risk management, data privacy practices, or customer research. The goal of TrustOps is to maintain revenue and customer loyalty through the integration of activities that directly impact Trust.

Trust Services Criteria (TSC)

SOC 2

A set of criteria against which a SOC 2 report is issued. Security is required in every SOC 2; the other four are included based on the commitments the organization makes to its customers:

  • Security — Also known as the common criteria, a collection of both operational and security criteria
  • Availability — How the system stays up and running as committed
  • Processing Integrity — How data is processed to produce the correct or expected result, completely and on time
  • Confidentiality — How information designated as confidential is protected
  • Privacy — How personal information is collected, used, retained, disclosed, and disposed of

Unqualified opinion

SOC 2

When an auditor finds no issues with control design and operation, they offer an unqualified opinion. This is what all organizations strive for and indicates a clean report from the auditor.

U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR)

HIPAA

The governing bodies of HIPAA that conduct periodic audits to ensure that covered entities and their business associates comply with the requirements of HIPAA's regulations.
