
The Ultimate InfoSec & Compliance Glossary

Jargon-Free Definitions of Compliance Terms


Ensure you're speaking the same language


Clear, jargon-free definitions for the terms that matter to your security, risk, and audit success

Compliance frameworks and security conversations are full of acronyms and industry lingo that can slow you down or leave you guessing.

Whether you're prepping for an audit, building a risk management program, or just trying to make sense of your GRC responsibilities, this glossary breaks down the must-know InfoSec and compliance terms in plain language.

 

 

Glossary of Security & Compliance Terms

Security & compliance shouldn’t feel like learning a new language. This glossary is your go-to reference for understanding key terms, acronyms, and concepts.

 


General Terms

 

Accountability: Ensuring that individuals and systems can be held responsible for their actions and their access to systems or data.
Accounting: The process of tracking user activities and resource usage to support security auditing and analysis.
Administrative: Relating to the roles, privileges, or tasks associated with managing systems, users, and security policies.
Administrator: A user with elevated privileges who can configure, manage, or alter systems, applications, or security settings.
Alert: A notification generated by a security system or monitoring tool indicating a potential security event, threat, or anomaly that may require investigation or action.
Alerting: The process or mechanism of generating and delivering alerts to the appropriate personnel or systems based on predefined rules or thresholds.
Anomaly: An unusual pattern or behavior that may indicate a security threat, vulnerability, or system issue.
Assessment:

1. A formal review of an organization’s security controls, policies, and practices to determine their effectiveness, identify gaps, and verify compliance with defined standards or regulatory requirements. (see also Audit)

2. A systematic evaluation of security risks, controls, or compliance—such as a risk assessment, gap assessment, or vulnerability scan.

Asset: Any data, device, system, or resource that has value to the organization and requires protection.
Attack: A deliberate attempt to exploit vulnerabilities in a system to compromise its confidentiality, integrity, or availability.
Audit:

1. A formal review of an organization’s security controls, policies, and practices to determine their effectiveness, identify gaps, and verify compliance with defined standards or regulatory requirements. (see also Assessment)

2. The process of reviewing and analyzing recorded system activities to verify compliance, detect anomalies, investigate incidents, and ensure accountability.

Audit Log: A chronological record of system and user activities used to detect, investigate, and respond to security incidents.
Audit Logging: The process of capturing and storing detailed records of system and user activities for accountability and forensic purposes.
Auditor: An independent individual or organization responsible for evaluating whether an entity's cybersecurity controls, policies, and practices meet specified compliance requirements or standards.
Authentication: The process of verifying the identity of a user, system, or device before granting access to resources or information.
Authorization: The process of granting or denying access to systems, resources, or data based on defined policies or user roles.
Availability: Ensuring that systems, data, and services are accessible and usable by authorized users when needed, without disruption or delay.
Bad Actor: An individual—internal or external—who intentionally engages in unauthorized or malicious activity to exploit systems, data, or resources.
Baseline Configuration: A formally approved configuration of a system or asset that serves as a reference point for future changes and compliance verification.
Breach: An incident resulting in the unauthorized access, disclosure, or exfiltration of protected data or systems.
Business Continuity and Disaster Recovery (BC/DR): A set of plans and processes to ensure critical business operations can continue during and after a disruption, and to restore systems, data, and infrastructure following a disaster or major incident.
Certification: A formal recognition that an organization or system meets the requirements of a specific security or compliance standard (e.g., ISO 27001, SOC 2).
Ciphertext: The result of encrypting plaintext; it can be made readable again only with the correct decryption key.
Class of Exploit: A category describing how a vulnerability is exploited, such as remote code execution, privilege escalation, or denial of service.
Client: A party that engages in a long-term, collaborative relationship with a business, often receiving professional services or advice.
Client Confidential: Electronic data provided by clients or customers that contains PII, PHI, ePHI, or other data contractually identified as Client Confidential.
Compliance: Adherence to laws, regulations, standards, and internal policies designed to ensure security, privacy, and risk management requirements are met.
Compliance Officer: Designs, implements, and monitors an organization's compliance program according to internal policies, external laws, regulations, and industry standards.
Conditional: Applies only under specific circumstances, such as the presence of sensitive data, third-party relationships, or particular system types.
Confidentiality: The protection of information from unauthorized access or disclosure, ensuring only authorized individuals or systems can view sensitive data.
Configuration Management (CM): A structured process for establishing and maintaining the integrity of systems by controlling and documenting changes to hardware, software, firmware, and documentation throughout the system lifecycle.
Consultant: An expert hired to provide advice and guidance, typically on a temporary or project basis.
Contractor: An individual or organization hired for specific projects or tasks, typically on a temporary basis, often with more autonomy than employees.
Cost: The potential financial, operational, legal, or reputational impact resulting from a cybersecurity incident or security control failure.
Cryptography: The study and practice of techniques for secure communication, including encryption, decryption, and hashing.
Customer: Someone who buys products or services from a business, often through one-off transactions.
Data: Information stored, processed, or transmitted in digital form, which may include sensitive, confidential, or regulated content.
Data Loss Prevention: Technologies and processes used to prevent unauthorized access, transfer, or destruction of sensitive data.
Data Privacy Officer (DPO): The designated individual responsible for overseeing an organization’s data protection strategy and ensuring compliance with privacy laws and regulations such as HIPAA or GDPR.
Data Processing Agreement (DPA): A legal document outlining how a supplier processes personal data on behalf of the controller, often used to comply with data protection regulations.
Decryption: A process of transforming data from an unreadable format (ciphertext) back to a readable format, typically using a decryption key.
Denial of Service (DoS): A cyberattack that disrupts or prevents legitimate users from accessing a system, service, or resource.
Detection: The ability to identify potential security threats, events, or violations within systems or networks through automated or manual means.
Distributed Denial of Service (DDoS): A coordinated attack in which multiple systems flood a target with traffic to disrupt services or make them unavailable.
Due Diligence: The process of evaluating a supplier’s security posture, compliance status, and business practices before engagement.
Electronic Protected Health Information (ePHI): Protected health information (PHI) that is created, stored, transmitted, or received in electronic form, as defined by HIPAA.
Employee: An individual who works under the direction and supervision of an organization in exchange for compensation, typically in the form of wages, salary, or benefits.
Encryption: A process of transforming data into an unreadable format (ciphertext) that cannot be read without the corresponding decryption key.
Entity: An individual, system, or organization that interacts with or accesses an information system.
Event: Any observable activity in a system or network that may be relevant to security (e.g., login attempts, file changes, or network connections). In the context of incident response, an event may indicate abnormal or suspicious activity and is reported to the CIRT for investigation to determine whether it qualifies as a security incident.
Evidence: Data or records used to support investigations, audits, or forensic analysis of cybersecurity events.
Exploit: A piece of code or a technique that takes advantage of a vulnerability to perform unauthorized actions on a system or asset.
Forensics: The collection, analysis, and preservation of digital evidence to investigate and understand security incidents.
Gap: A deficiency or shortcoming in an organization's security controls, policies, or procedures that could expose it to risk or exploitation.
Governance: The framework of policies, roles, and processes that ensures effective and compliant security management.
Governance, Risk, and Compliance (GRC): A coordinated framework that enables organizations to align objectives (governance), manage risks, and meet regulatory and internal compliance requirements effectively.
Hack: An unauthorized action or technique used to gain access to systems or data.
Hacker: An individual who uses technical skills to gain unauthorized access to or manipulate systems or data.
Hash: The fixed-size output of a one-way transformation, used to verify data integrity or store passwords securely; it cannot be reversed to retrieve the original data.
Hashing: A one-way process that converts data into a fixed-size value (hash); it cannot be reversed.
Identification: The process of claiming or asserting a user or system identity, typically through a unique identifier such as a username, user ID, or device ID.
Impact: The extent of harm or damage that could result from a successful attack or security incident. Used in assigning a quantitative value to a risk.
Incident: A confirmed security event that compromises the confidentiality, integrity, or availability of an organization's systems or data.
Information Security Management Program (ISMP): A structured framework of policies, procedures, processes, and controls designed to systematically manage and protect an organization’s sensitive information. Same as ISMS.
Information Security Management System (ISMS): A structured framework of policies, procedures, processes, and controls designed to systematically manage and protect an organization’s sensitive information. Same as ISMP.
Information Security Officer (ISO): The designated individual responsible for establishing, implementing, and maintaining an organization's information security program. Sometimes known as a CISO.
Information Systems: The computing resources, software, and data that perform processing on behalf of clients.
Integrity: The assurance that information is accurate, complete, and has not been altered or tampered with, whether intentionally or accidentally.
Law: A legally binding rule enacted by a government authority that mandates specific requirements, behaviors, processes, or protections, including those related to cybersecurity or privacy.
Likelihood: The probability that a given threat will exploit a vulnerability and result in an adverse event. Used in assigning a quantitative value to a risk.
Log: A recorded entry capturing an event or activity within a system for monitoring or auditing purposes.
Logging: The act of generating and storing log entries that detail system or user activities.
Malicious User: An individual who intentionally misuses their access or privileges to harm systems, data, or operations.
Malware: Malicious software, such as viruses, worms, ransomware, or spyware, designed to disrupt, damage, or gain unauthorized access to systems or data.
Managed Service Provider (MSP): A third-party organization that delivers outsourced IT services, such as infrastructure management, security, and support, under a defined service agreement.
Maximum Acceptable Outage (MAO): The maximum time a business function can be unavailable before unacceptable damage occurs. (see also Maximum Tolerable Downtime)
Maximum Tolerable Downtime (MTD): The maximum time a business function can be unavailable before unacceptable damage occurs. (see also Maximum Acceptable Outage)
Media: Physical or digital storage devices (e.g., hard drives, flash drives, CDs) that contain or transmit data, often subject to handling, encryption, and disposal controls to protect sensitive information.
Method: A specific technique or procedure used to carry out an attack or exploit a vulnerability.
Mitigate: To implement controls or measures that reduce the likelihood or impact of a cybersecurity risk.
Mobile Device: A portable computing device (e.g., smartphone, tablet, laptop).
Monitoring: The continuous observation of systems and networks to ensure normal operation and detect security events, compliance violations, or other potential issues.
Multi-Factor Authentication (MFA): A security mechanism that requires two or more verification factors to authenticate a user's identity.
Non-Disclosure Agreement (NDA): A legal contract requiring parties to protect confidential information shared between them.
Offboarding (Employee): The process of formally ending an employee's employment by revoking access, recovering assets, completing exit tasks, and ensuring knowledge transfer and compliance.
Offboarding (Supplier): The process of terminating a supplier relationship, including revoking access and securely managing data and assets.
Onboarding (Employee): The process of integrating a new hire into the organization by providing the tools, training, and information needed to succeed in their role.
Onboarding (Supplier): The process of formally approving, contracting with, and integrating a supplier into the organization’s operations.
Optional: Not required or recommended, but may be implemented at the organization’s discretion to improve efficiency, automation, or maturity.
Organization: A structured group with a common purpose, such as a company, a non-profit, or a government entity.
Penetration Test: A simulated cyberattack conducted by ethical hackers to identify exploitable vulnerabilities in systems, applications, or networks, assessing the effectiveness of security defenses.
People and Culture (formerly Human Resources): The department or function responsible for managing the employee lifecycle, including hiring, onboarding, and compliance with employment laws.
Personally Identifiable Information (PII): Information that can be used to identify, contact, or locate an individual, either alone or when combined with other data. Examples include names, addresses, Social Security numbers, phone numbers, and email addresses.
Pharming: An attack that redirects users from legitimate websites to fraudulent ones without their knowledge.
Phishing: A deceptive attempt to trick users into providing sensitive information by impersonating a trusted entity.
Policy: A formal statement that defines an organization's rules and expectations regarding security, compliance, and acceptable use. It defines what needs to be done and why.
Privacy: The right and practice of controlling how personal or sensitive information is collected, used, shared, and stored, in accordance with legal and ethical obligations.
Probe: An attempt to gather information about a system or network to identify vulnerabilities or weaknesses.
Procedure: Instructions that translate high-level policies into actionable tasks that ensure consistent execution, compliance, and accountability across the organization. It defines who performs a task and when, where, and how it is done.
Processing Integrity: The assurance that systems process data accurately, completely, and in a timely and authorized manner, without errors or unauthorized manipulation.
Production Environment: The live system or application environment where services are delivered to end users or customers. Changes to production require formal approval and testing.
Protected Health Information (PHI): Health-related information protected under HIPAA, including medical records, diagnoses, and treatment history.
Quality Assurance (QA): The systematic process of determining whether a product or service meets specified requirements.
Quality Management System (QMS): A structured system of procedures and processes to ensure consistent quality and compliance, including in cybersecurity.
Recommended: Advised or encouraged because it aligns with best practices or enhances security, but not strictly mandated.
Recovery Decision Objective (RDO): The maximum allowable time after a disruption or incident within which a decision must be made about whether to recover systems, initiate contingency plans, or escalate to alternate recovery strategies.
Recovery Point Objective (RPO): The maximum tolerable data loss, expressed in time (e.g., no more than 4 hours of lost data).
Recovery Time Objective (RTO): The target time to restore data or functionality after a disruption.
Regulation: A rule issued by a government agency that interprets and enforces laws, often detailing how organizations must implement cybersecurity practices.
Remote Access Software (RAS): Applications that enable users to connect to and control systems from a distant location over a network.
Remote to Local: A class of exploit in which an external attacker gains local access to a system through a remote connection.
Request for Change (RFC): A formal proposal to modify an existing system, configuration, or process. RFCs are reviewed and approved according to change management procedures.
Request for Proposal (RFP): A document issued to solicit proposals from potential suppliers for specific services or products.
Required: Mandated by law, regulation, or a compliance framework; must be implemented to achieve or maintain compliance.
Resource: A component—such as data, systems, applications, or services—that can be accessed or used by users within a computing environment.
Risk: The potential for loss, damage, or disruption to an organization due to the exploitation of a threat or vulnerability.
Rollback Plan: A documented procedure that enables restoration of a system or configuration to a previous stable state if a change fails or causes unexpected issues.
Scan: An automated process of examining systems or networks for open ports, services, or vulnerabilities.
Security: The practice of implementing technical, administrative, and physical safeguards to protect systems, networks, and data from threats, vulnerabilities, and unauthorized access.
Sensitive Data: A broader category that includes confidential data as well as any information that, if mishandled, could expose the organization to risk, including PII, PHI, and proprietary data.
Service: A specific capability or functionality delivered to users, typically through an application, system, or platform.
Service Level Agreement (SLA): A contractual agreement that defines the expected level of service between a vendor and the client.
Significant Change: A change that is likely to affect the security state of the information system.
Single Sign-On (SSO): An authentication process that allows users to access multiple systems or services with a single login credential.
Smishing: A form of phishing that uses SMS text messages to deceive users into providing sensitive information.
Spearphishing: A highly targeted phishing attack aimed at a specific individual or organization.
Spoofing: The act of impersonating another device, user, or system to gain unauthorized access or deceive recipients.
Spyware: Malicious software that secretly gathers user information without consent, often for surveillance or theft.
Staff: Employees or contractors who have access to organizational systems, resources, or data.
Standard: A published set of recommended practices or technical specifications—often developed by an SDO—that guides consistent and effective cybersecurity implementation; typically voluntary unless referenced by law or regulation.
Standards Developing Organization (SDO): An entity that develops, publishes, and disseminates standards to help ensure organizations implement and operate a minimum level of administrative, physical, and technical security and privacy controls.
Supplier Risk Management Policy (SRMP): The formal policy that defines how supplier risks are assessed, managed, and monitored throughout the supplier lifecycle.
System: A computing device or collection of devices—including desktops, laptops, servers, or mobile devices—that store, process, or transmit information.
Third-Party Risk Management (TPRM): A broader risk management discipline that encompasses all external entities—including suppliers, vendors, contractors, partners, and service providers—whose actions or access may pose risks to the organization.
Threat: A person, entity, or event—malicious or accidental—with the potential to cause harm to an organization's data, assets, systems, or operations.
Ticket: A tracked record in a support or incident management system used to document, monitor, and resolve issues or requests.
Unauthorized User: An individual who accesses a system or data without proper approval or credentials.
Uncontrolled Documents: Documents that are not part of your QMS, ISMS, or compliance program.
User: Any individual who is authorized to access and interact with a system, application, or resource.
User to Root: A class of exploit in which a user with limited privileges escalates access to administrative or root-level permissions.
Vendor Risk Management (VRM): The management of risks related to vendors that deliver services, software, or IT solutions—particularly those with access to systems, data, or infrastructure critical to business functions.
Virus: A type of malware that attaches itself to files or programs and spreads to other systems, often causing harm.
Vishing: A form of phishing that uses voice calls or voicemail messages to trick individuals into revealing sensitive information.
Vulnerability: A flaw or weakness in a system, process, or control that can be exploited by a threat to gain unauthorized access or cause harm.
Vulnerability Scan: An automated process that identifies known security weaknesses in systems, applications, or networks by comparing configurations and software versions against a database of vulnerabilities.
Whaling: A targeted phishing attack aimed at high-level executives or individuals with privileged access.
Whistleblower: A person who informs on a person or organization engaged in an illicit activity.
Work Instructions: Detailed, task-specific procedures that guide individuals on how to perform an activity in a consistent, secure, and compliant manner. More detailed than Procedures.
Work Product: Any output or deliverable resulting from a work activity, such as documents, reports, or configurations. May or may not be considered evidence within your compliance program.
Workforce: All individuals engaged in work for an organization, including employees, contractors, and temporary staff.
Workforce Member: Any employee, consultant, contractor, or partner who does work on behalf of the organization.

 


Laws, Regulations, & Standards

Federal Trade Commission (FTC): Enforces a variety of antitrust and consumer protection laws affecting virtually every area of commerce.
Office for Civil Rights (OCR): Responsible for enforcing HIPAA. This includes investigating complaints, conducting compliance reviews, and taking enforcement actions against violations.
U.S. Citizenship and Immigration Services (USCIS): Oversees the I-9 process to help organizations verify an employee's identity and employment authorization.
U.S. Department of Defense (DoD): A U.S. government agency whose mission is to deter war and protect the United States from threats by maintaining military readiness. Organizations that work with the DoD must demonstrate compliance with CMMC.
U.S. Equal Employment Opportunity Commission (EEOC): Enforces laws prohibiting employment discrimination.
Department of Health & Human Services (HHS): A cabinet-level department of the executive branch of the U.S. federal government. Responsible for establishing HIPAA regulations. Coordinates with OCR for enforcement of the regulations.
National Institute of Standards and Technology (NIST): A non-regulatory government agency that develops and promotes cybersecurity standards, guidelines, and best practices for organizations.
I-9 (Employment Eligibility Verification): A U.S. form used to verify the identity and employment authorization of individuals hired for employment in the United States.
Immigration Reform and Control Act (IRCA): A federal law requiring that every employer who recruits, refers for a fee, or hires an individual for employment in the U.S. complete Form I-9, Employment Eligibility Verification.
CIS Critical Security Controls (CSC): A publication of best practices for computer security. There is no certification associated with this framework.
Cybersecurity Maturity Model Certification (CMMC): A framework developed by the DoD to ensure that defense contractors and subcontractors adequately protect sensitive government information. If you are a DoD contractor or subcontractor, you are required to be certified to CMMC.
Federal Risk and Authorization Management Program (FedRAMP): A framework developed by the U.S. government to provide a standardized, reusable approach to security assessment and authorization for cloud service offerings. If you are a CSP selling to any federal agency, you are required to be certified to FedRAMP.
HITRUST: A meta-framework that consolidates various security and privacy standards, regulations, and best practices into a single, certifiable model. Formerly known as the Health Information Trust Alliance.
ISO/IEC 27001 (ISO 27001): An internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
NIST Cybersecurity Framework (NIST CSF): A set of voluntary guidelines and best practices developed by NIST to help organizations manage and reduce cybersecurity risks. Compliance is demonstrated through a self-assessment rather than through a third-party auditor.
NIST Risk Management Framework (RMF): A structured, risk-based approach developed by NIST to help organizations manage the security and privacy risks associated with their information systems.
Payment Card Industry Data Security Standard (PCI DSS): A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
System and Organization Controls 2 (SOC 2): A framework developed by the AICPA for managing customer data based on five "trust service criteria": security, availability, processing integrity, confidentiality, and privacy.
Americans with Disabilities Act (ADA): A U.S. law prohibiting discrimination against individuals with disabilities in all areas of public life, including employment.
California Consumer Privacy Act (CCPA): A state law that grants California residents increased control over their personal information held by businesses.
Equal Employment Opportunity Laws (EEO): The principle that all individuals should have equal treatment in all employment-related actions without regard to race, color, religion, sex, or other protected characteristics.
Family Educational Rights and Privacy Act (FERPA): A U.S. federal law that protects the privacy of student education records.
FTC Safeguards Rule: Requires financial institutions to implement and maintain safeguards to protect the security and confidentiality of customer information. Part of the Gramm-Leach-Bliley Act.
Health Insurance Portability and Accountability Act (HIPAA): Requires the protection and confidential handling of protected health information (PHI) by covered entities and their business associates.
General Data Protection Regulation (GDPR): A comprehensive European Union regulation that governs how organizations collect, process, and protect the personal data of individuals in the EU and EEA.
HIPAA Breach Notification Rule: Requires covered entities and business associates to notify affected individuals, the government, and sometimes the media after a breach of unsecured protected health information (PHI).
HIPAA Privacy Rule: Establishes standards for the use and disclosure of individuals’ protected health information (PHI) and grants patients rights over their health data.
HIPAA Security Rule: Sets standards for safeguarding electronic protected health information (ePHI) through administrative, physical, and technical safeguards.
American Institute of Certified Public Accountants (AICPA): The national professional organization for Certified Public Accountants (CPAs) in the United States and the SDO for the SOC 2 framework.
Center for Internet Security (CIS): Publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls.
HITRUST Alliance (HITRUST): Formerly known as the Health Information Trust Alliance. SDO for the HITRUST Framework.
International Electrotechnical Commission (IEC): Focuses on standards for electrical, electronic, and related technologies. Collaborates with ISO on the ISO/IEC 27001 framework and others.
International Organization for Standardization (ISO): A global body that develops and publishes standards for various industries and technologies. Collaborates with IEC on the ISO/IEC 27001 framework and others.
ISO/IEC (ISO/IEC): The joint standards body through which ISO and IEC collaborate to publish the ISO/IEC 27001 framework.
Open Web Application Security Project (OWASP): An international non-profit organization dedicated to web application security.
NIST SP 800-171: Provides guidelines for non-federal organizations and systems that handle CUI. Serves as the technical controls for CMMC Level 2 certification.
NIST SP 800-53: A catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets.
OWASP Top Ten: A standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Certified Third-Party Assessment Organization (C3PAO): An independent organization authorized to assess and validate whether a system or service meets specific security and compliance standards, such as those required by FedRAMP.
CMMC Level 1: Focuses on protecting FCI through basic cyber hygiene practices, requiring 17 practices and annual self-assessments.
CMMC Level 2: Designed to protect CUI; requires adherence to 110 practices based on NIST SP 800-171, with triennial third-party assessments and annual self-assessments for select programs.
Controlled Unclassified Information (CUI): Information created or possessed by the government—or by an entity on its behalf—that requires safeguarding or limited dissemination under law, regulation, or government-wide policy. It does not include classified information.
Federal Contract Information (FCI): Any information that is created or collected by or for the Government and “not intended for public release”.
SPRS Score: Measures your current cybersecurity compliance with NIST 800-171. The SPRS score is a tool used by the Department of Defense (DoD) to measure the risk of a contractor's cybersecurity position in protecting sensitive DoD information (CDI/CUI).
Supplier Performance Risk System (SPRS): The system in which vendors certify CMMC Level 1 and Level 2 compliance and in which the defense acquisition community reviews it.
Cloud Service Provider (CSP): An organization that offers cloud-based services to federal agencies.
Trust Services Criteria (TSC): The criteria defined by the AICPA for evaluating the security, availability, processing integrity, confidentiality, and privacy of systems in SOC 2 engagements.

 


Teams & Committees

Change Control Board (CCB): A designated group of stakeholders responsible for evaluating, approving, rejecting, or deferring change requests based on their risk, impact, and alignment with business objectives.
Critical Incident Response Team (CIRT): A designated group responsible for responding to and managing high-impact security incidents or emergencies to minimize damage, restore operations, and ensure compliance with reporting requirements.
Information Security Management Committee (ISMC): A cross-functional group responsible for overseeing the development, implementation, and monitoring of an organization’s information security strategy, policies, and risk management efforts.
Risk Management Committee (RMC): A group of designated stakeholders responsible for identifying, evaluating, and monitoring organizational risks, and for guiding risk mitigation strategies in alignment with business objectives and regulatory requirements.

 


Need Help Getting Started?

Not every organization has the resources to build a compliance practice from the ground up.

So we created a plug-and-play Security & Compliance Program to help you build a scalable compliance program 4x faster.
