Glossary

No more busy-work or security theater. We strive to make complex standards achievable by any technology-powered organization.


AICPA

SOC 2

The American Institute of Certified Public Accountants. The AICPA sets the attestation standards under which SOC examinations are performed and devised the SOC framework, including the Trust Services Criteria. It owns the SOC 2 logo and controls who may use it.

Annex A Controls

ISO

Annex A of ISO/IEC 27001:2022 lists 93 controls grouped into 4 themes: Organizational, People, Physical, and Technological. ISO/IEC 27002:2022 is the companion standard that gives implementation guidance for those same controls. Annex A is the reference set from which an organization selects the controls for its ISMS; each inclusion or exclusion must be justified in the Statement of Applicability. The prior version of Annex A (aligned with ISO/IEC 27002:2013) contained 114 controls across 14 domains.

Asset

ISO

An asset is anything that has value to the business. Assets extend beyond physical items to include people, information, reputation, intellectual property (IP), software, and services.

Asset Management

ISO

Building and maintaining an accurate inventory of all IT assets (hardware, software, data, and cloud resources), including the discovery of security gaps in how those assets are operated and configured. Asset management also involves assigning an owner to each asset and enforcing the security requirements needed to close the gaps identified.

Attestation

SOC 2

The end result of a SOC 2 audit. A SOC 2 report is an attestation report, not a certification: an independent CPA attests that the controls described in the system description are suitably designed (Type 1) and, for a Type 2, that they also operated effectively over the review period.

Breach Notification Rule

HIPAA

The HIPAA Breach Notification Rule requires covered entities (and, through them, their business associates) to notify affected individuals, HHS, and in some cases the media when unsecured PHI is impermissibly used or disclosed (a "breach").

Business Associates

HIPAA

Business Associates under HIPAA are any individual, organization, or agency that performs functions or provides services on behalf of a covered entity that involve the use or disclosure of PHI (e.g. SaaS platforms, IT contractors, cloud storage providers, CPA firms). A business associate agreement (BAA) must be in place before PHI is shared with them.

Certification

Compliance

The end result of the ISO 27001 process. ISO itself does not certify organizations; the certificate is issued by an accredited certification body after a successful Stage 1 (documentation) and Stage 2 (implementation) audit, and is maintained through annual surveillance audits and a three-year recertification cycle.

Clause

ISO

Clauses are the numbered sections of ISO/IEC 27001 that contain the mandatory 'shall' statements describing how to establish, operate, monitor, and continually improve an ISMS. Clauses 4 through 10 hold the requirements an organization must meet to be certified.

Control

Compliance

A specific procedure, process, or technical mechanism that is in place to reduce a risk. Controls have an owner and an action, and may have a frequency or time frame. We wrote a great blog about controls; check it out!

Control Mapping

Compliance

The activity of mapping each of your controls to the requirements of a framework such as SOC 2, ISO 27001, or HIPAA, or to regulations such as CCPA and GDPR. This is a time-consuming activity, but with Strike Graph we've already done this for you.

Corrective Action

ISO

The activities an organization undertakes to eliminate the cause of a nonconformity and bring the ISMS back into conformance, as opposed to a simple correction that only fixes the immediate symptom.

Coverage

SOC 2

How many controls you have mapped to each criterion. The auditor uses professional judgement to decide whether your coverage of each criterion is sufficient.

Covered Entities

HIPAA

Covered Entities under HIPAA are health care providers that transmit health information electronically in connection with HIPAA-covered transactions (e.g. doctors, pharmacies, nurses, nursing homes); health plans (e.g. insurance companies, government plans); and health care clearinghouses (entities that convert health care transactions such as claims between providers and insurers).

CPA

Compliance

Certified Public Accountant. Under AICPA attestation standards, only a licensed CPA (practising through a CPA firm) can issue and sign a SOC 2 report.

Cyberattack

Cybersecurity

An attempt by an adversary to compromise an asset by destroying or altering it, disrupting its operation, or gaining unauthorized access to it.

Cybersecurity

Cybersecurity

The practices and technologies that protect networks, systems, and data from threats that arrive over the internet. A subset of IT security.

Electronic Protected Health Information (ePHI)

HIPAA

Defined in the HIPAA regulations as any protected health information (PHI) that is created, stored, transmitted, or received in electronic form or media. PHI is health information that can be tied to an individual; the Privacy Rule's safe-harbor de-identification standard lists 18 identifiers (such as names, dates, telephone numbers, Social Security numbers, medical record numbers, and IP addresses) that must be removed before data is considered de-identified.

Enforcement Rule

HIPAA

The HIPAA Enforcement Rule gives the HHS Office for Civil Rights (OCR) the authority to investigate complaints and reported violations, conduct Privacy and Security Rule compliance audits, and impose civil money penalties on covered entities and business associates that do not comply with the Rules.

Evidence

Compliance

The material that proves a control is in place and being performed. Evidence comes in many forms, the most common being system-generated reports, system screenshots, change tickets, and policy and procedure documents.

Framework

Cybersecurity

The set of objectives, principles, and requirements that together define what a certification or attestation requires. For example, Strike Graph has solutions to help meet the SOC 2, ISO 27001, and HIPAA frameworks.

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

HIPAA

A 2009 federal law that strengthened HIPAA: it made business associates of covered entities directly liable for compliance with the Security Rule and parts of the Privacy Rule, increased civil penalties, and introduced the breach notification requirements.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA

A federal law whose Privacy and Security Rules require covered entities and their business associates to protect the confidentiality, integrity, and availability of protected health information (PHI), including electronic PHI (ePHI), and to limit its use or disclosure without the patient's authorization.

Information Asset

ISO

Information or data that is of value to an organization. Examples include patient records, employees’ information, intellectual property, and company data.

Information Security

Cybersecurity

Measures, procedures, processes, and technologies that businesses deploy to ensure the confidentiality, integrity, and availability of information.

Information Security Incident

Cybersecurity

A suspected, attempted, successful, or imminent unauthorized access, modification, use, disclosure, or destruction of information assets. The term also covers interference with information technology operations and violations of an acceptable use policy.

Information Security Management System (ISMS)

ISO

A formal, documented security program made up of the policies, processes, people, and controls an organization uses to manage information security risk, and which is continuously monitored, reviewed, and improved.

Internal Audit

ISO

An independent assessment of the ISMS as a whole or of any subset of its controls, carried out by people who are not responsible for the area being audited. ISO/IEC 27001 Clause 9.2 requires internal audits at planned intervals as part of a functioning ISMS.

ISO (International Organization for Standardization)

ISO

An international body that creates, maintains, and publishes standards on everything from quality management to information security and data privacy.

ISO/IEC 27001:2013

ISO

This was the official name of the ISO 27001 standard published in 2013. It has since been revised: ISO/IEC 27001:2022 was published in October 2022, with an Annex A aligned to ISO/IEC 27002:2022 and a three-year transition period for existing certificates. The standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system.

IT Security

Cybersecurity

IT security refers to the practices an organization puts in place to secure its data and systems. The goal is to ensure the confidentiality, integrity, and availability of company information. Often used interchangeably with Information Security.

Nonconformity

ISO

A failure to meet a requirement, whether an Annex A control, a Clause, a regulation, or the organization's own process. Nonconformities can be identified by auditors, through incidents, by external parties, and by other means.

Point of Focus

SOC 2

Areas to consider for each Trust Services Criterion. They are as close as SOC 2 gets to prescriptive requirements; however, think of them as hints on how to meet each criterion rather than a checklist.

Privacy Rule

HIPAA

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of protected health information (PHI), and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

Qualified opinion

SOC 2

A term used by your auditor to describe their opinion or conclusion about your controls. The auditor accepted the report as a whole, but with one or more exceptions, which they explain. A qualified opinion does not mean you 'failed' your report and is not necessarily a bad thing, but it does indicate that the design or operation of some controls did not meet the auditor's expectations.

Risk

Compliance

The potential for a threat to exploit a vulnerability in an asset and cause an unwanted outcome, usually captured as a 'what could go wrong' statement. Strike Graph uses a risk assessment to identify control gaps and right-size compliance efforts.

Section 3 (aka System Description)

SOC 2

A section of the SOC 2 report prepared by you (i.e. management). Anything in this section is fair game for the audit. It covers the people, processes, technology, and data that make up the environment or system supporting your service, along with the boundaries of that system.

Section 5

SOC 2

An optional section of the SOC 2 report where you (as management) can respond to test exceptions or explain issues and events occurring after the end of the audit period. The auditor does not test or opine on this section.

Security Rule

HIPAA

The HIPAA Security Rule sets the standards for protecting the confidentiality, integrity, and availability of ePHI. It requires covered entities and business associates to perform a risk analysis and to implement administrative, physical, and technical safeguards.

SOC

SOC 2

System and Organization Controls. A set of reports in which CPAs form an opinion on (attest to) a service organization's controls.

  • SOC 1 - For services whose controls are relevant to their customers' financial reporting

  • SOC 2 - For services whose controls are relevant to security, availability, processing integrity, confidentiality, or privacy

  • SOC 3 - A general-use summary of a SOC 2 report, suitable for public distribution.

SOC 2 Type 1

SOC 2

Reports on whether controls are suitably designed and implemented as of a single point in time.

SOC 2 Type 2

SOC 2

Reports on everything in a Type 1 plus the operating effectiveness of the controls over a period of time. The period is typically 12 months, but can be as short as 3 months.

Statement of Applicability

ISO

A required ISMS document (ISO/IEC 27001 Clause 6.1.3) listing every Annex A control, whether it is in scope, the justification for including or excluding it, and its implementation status. It is shared with auditors and assessors.

Test Exception

SOC 2

An instance, found by the auditor, where a control was not designed or did not operate as described. Something to avoid, but often unavoidable.

Threat

Cybersecurity

A potential cause of an incident that may result in a breach of information security or a compromise of operations.

Trust Services Criteria (“TSC”)

SOC 2

The AICPA's criteria against which a SOC 2 examination is performed. Security is mandatory; the other four categories are optional and are added based on the commitments you make to customers.

  • Security - Also known as the Common Criteria. The system is protected against unauthorized access, use, and disclosure; this category covers both operational and security criteria.

  • Availability - The system is available for operation and use as committed or agreed.

  • Processing Integrity - System processing is complete, valid, accurate, timely, and authorized.

  • Confidentiality - Information designated as confidential is protected as committed or agreed.

  • Privacy - Personal information is collected, used, retained, disclosed, and disposed of in line with the organization's privacy notice and the criteria.

Unqualified opinion

SOC 2

When an auditor finds no material issues with your control design and operation, they issue an unqualified opinion. This is what everyone strives for and indicates a 'clean' report from the auditor.

U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR)

HIPAA

HHS is the federal department responsible for HIPAA, and its Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules by investigating complaints and breach reports and conducting periodic compliance audits of covered entities and their business associates.