Ga naar hoofdinhoud

Glossary of Compliance Terms

Welcome to the Compliance Terminology, your go-to guide for all things compliance! πŸŽ‰

If you've ever felt like compliance is a mysterious forest filled with acronyms and regulations, then you're not alone. But fear not, our glossary is here to help you navigate this complex terrain with ease. Whether you're a seasoned compliance expert or a newcomer curious about what makes compliance tick, this glossary is designed for you.

We've collected the most important terms and concepts you need to know to survive and thrive in the compliance world. From InfoSec to GDPR, our glossary covers everything from A to Z. We break down the jargon, untangle the acronyms, and explain each term in simple, straightforward language.

So, whether you're preparing for an audit, studying for a certification, or just curious about what compliance is all about, take a journey through our glossary. Get ready to become a compliance aficionado, no legal degree required! 🌟

General Compliance​

Compliance​

Compliance refers to a company's conformity with regulatory standards set by government bodies and internal policies. It involves ensuring that a company meets legal and ethical standards to avoid penalties, fines, or reputation damage. Compliance covers a range of areas, including data protection, financial reporting, workplace safety, and anti-corruption practices. Companies typically establish compliance programs to monitor, enforce, and improve their adherence to these standards.

Risk Management​

Risk management is the process of identifying, assessing, and mitigating risks to minimize their impact on an organisation. It involves evaluating potential risks and implementing strategies to control or reduce them. For example: A retail store faces the risk of theft, which could impact its profits. To mitigate this risk, the store installs security cameras and alarms, trains employees to spot suspicious behavior, and purchases theft insurance. These steps reduce the likelihood of theft and provide a safety net in case it occurs.

Audit Trail​

An audit trail is a chronological record of all transactions, changes, or activities within a system or process. It details who did what, when, and why, providing a clear path for tracing and verifying events. Audit trails are crucial for maintaining accountability, security, and compliance, enabling organisations to detect errors, fraud, or unauthorized access.

General Concepts​

Control​

A control is a measure or mechanism designed to manage risk, ensure compliance, or maintain operational integrity. Controls can be policies, procedures, processes, or technical solutions that help achieve these goals. Example: A company implements a password policy requiring employees to use strong passwords and change them regularly. This control helps prevent unauthorized access to sensitive information by reducing the risk of password-related security breaches.

Assets​

An asset is anything of value that is owned or controlled by an organisation and is expected to provide future benefits. Assets can be tangible, like physical property or equipment, or intangible, like patents, trademarks, or intellectual property. Example: A tech company owns a fleet of laptops used by its employees. These laptops are considered assets because they have monetary value and are critical to the company's operations. As assets, they are tracked, maintained, and protected to ensure they continue providing value to the organisation.

Information Asset​

Information assets are valuable data and information owned or controlled by an organisation. These can include a wide range of resources, such as:

  1. Digital Data: Databases containing customer, employee, or proprietary business information. Documents and files stored electronically, including emails, reports, and spreadsheets. Intellectual property like patents, copyrights, and trade secrets.

  2. Physical Records: Paper documents, such as contracts, legal documents, and operational records.

  3. Software and Applications: Proprietary software developed in-house. Licensed third-party applications and tools essential for business operations.

  4. Hardware: Computers, servers, and networking equipment that store or transmit information.

  5. Operational Processes: Business processes and procedures documented and used for organisational activities.

  6. Personnel Knowledge: Expertise and know-how possessed by employees and contractors, often documented in training materials or procedural manuals.

  7. Communication Channels: Internal and external communication systems, including intranets, extranets, and communication platforms.

These assets are critical to an organisation’s operations and competitive advantage, and their protection is a fundamental aspect of information security management systems (ISMS) like ISO27001.

Risk​

Risk is the chance that something bad might happen, leading to loss, damage, or unwanted outcomes. It involves uncertainty about what could go wrong and how much harm it might cause. Example: A construction company knows that bad weather could delay their projects. If it rains a lot, work might stop, causing extra costs and slowing things down. By understanding this risk, the company can make backup plans, like using weatherproof materials and adjusting work schedules, to reduce the impact.

Issue​

In compliance, an issue refers to any situation, event, or condition that indicates a failure to meet regulatory requirements, internal policies, or industry standards. An issue might result from non-compliance, errors, or unethical practices and can lead to risks such as fines, legal action, reputation damage, or operational disruptions. Example: A bank finds out that some employees aren't following anti-money laundering rules, which is a compliance issue. This could lead to penalties if not fixed, so the bank investigates, corrects the behavior, and strengthens controls to avoid future issues.

Regulations and Standards​

Regulatory Compliance​

Regulatory compliance is the process of ensuring that an organisation follows laws, regulations, rules, and guidelines established by governmental or regulatory bodies. It involves adhering to legal requirements specific to the industry or sector in which the organisation operates. Regulatory compliance covers a wide range of topics, including data protection, health and safety, financial reporting, environmental standards, and employment laws.

Industry Standards​

An industry standard is like a benchmark or guideline that companies within a specific industry follow to achieve a certain level of quality, safety, or performance. It represents the accepted practices, protocols, or specifications that organisations use as a reference point for designing, manufacturing, or delivering products and services. Industry standards are developed collaboratively by experts, industry associations, or standardization bodies to ensure consistency, interoperability, and compatibility across different products and systems within the industry. Adhering to industry standards helps companies meet customer expectations, maintain competitiveness, and facilitate communication and collaboration within the industry.

Auditing and Reporting​

Audit​

An audit is a structured and formal examination of an organisation's activities, processes, or systems to ensure they adhere to relevant laws, regulations, standards, or internal policies. It typically involves reviewing documents, observing operations, interviewing personnel, and testing controls to assess compliance. The goal is to identify any gaps, risks, or areas for improvement to ensure the organisation meets its regulatory obligations and operates in a legally compliant manner. Audits can be conducted by internal teams or external agencies and often result in reports with findings and recommendations for corrective actions.

Compliance Reporting​

Compliance reporting is providing all the documentation to show that you followed all the rules. It involves documenting and reporting on how well your organisation is sticking to laws, regulations, or industry standards. For example, if there's a rule about how companies handle customer data, compliance reporting would involve showing that your company is doing everything it's supposed to do to protect that data. This helps ensure that businesses are behaving responsibly and following the rules set by authorities or industry bodies.

Data​

Data Protection​

Data protection means keeping important information safe from people who shouldn't see it. It's like putting a lock on your personal diary, so only you can read it. This involves following rules and using tools like passwords and special codes to keep data secure. By doing this, we can keep our information safe and make sure it doesn't end up in the wrong hands.

Data Breach​

A data breach is a security incident where sensitive, confidential, or protected information is accessed or disclosed without authorization. It often involves hackers exploiting vulnerabilities in computer systems or networks to gain access to data. Breaches can result in the exposure of personal information, financial data, or trade secrets, leading to potential harm for individuals and organisations. Preventative measures such as encryption, strong passwords, and regular security audits are crucial in mitigating the risk of data breaches.

Data Privacy​

Data privacy is about having control over who gets to see your personal information. It's like keeping your secrets safe and only sharing them with people you trust. This involves companies and organisations following rules and respecting your wishes about how they use your data. By protecting your privacy, you can feel more comfortable knowing your information is being handled responsibly and only used in ways you agree with.

PII (Personally Identifiable Information)​

Personally Identifiable Information (PII) is any data that can be used to identify a specific individual. This includes things like names, addresses, phone numbers, social security numbers, and email addresses. For example, if you sign up for a service online and provide your name, email address, and phone number, that information is considered PII because it can be used to identify you personally. Protecting PII is important to prevent identity theft and maintain privacy. Let's consider a less obvious example of PII: a combination of seemingly innocuous data points. Imagine a fitness app that tracks your jogging routes, heart rate, and workout times. Individually, these data points may not seem revealing, but when combined, they could potentially identify you. For instance, if your jogging route starts and ends at your home address, and your workout times consistently match your work schedule, someone could use this information to deduce your identity and daily routine. So, even seemingly harmless data points can become PII when combined in certain contexts.

Security Measures​

Information Security (InfoSec)​

InfoSec, short for Information Security, is all about keeping information safe from bad guys. It involves using special tools and following rules to protect data from things like hackers and computer viruses. InfoSec is important because it helps keep our personal information, like passwords and bank details, safe from being stolen or misused. By practicing good InfoSec, we can trust that our online activities are secure and our data is protected.

Access Control​

Access control is about deciding who can use certain things or see certain information. It's like having keys to unlock different doors: some people have keys to some doors, while others don't. By setting up rules and tools to manage who can access what, organisations can keep their important stuff safe and make sure only the right people can get to it. Let's say you have a building with different rooms, each containing valuable items. Access control would be like having different levels of keys or security badges. Employees might have keys or badges that only work for the rooms they need to enter for their jobs. For instance, the IT department might have access to the server room, while the marketing team can only enter the conference rooms. This way, only authorized personnel can access specific areas, keeping the building and its contents secure.

Encryption​

Encryption is like putting your message in a secret code so that only the person who knows the code can understand it. It scrambles your information into gibberish that looks like random letters or numbers to anyone who doesn't have the key to decode it. This keeps your data safe, especially when it's traveling over the internet or stored on a device. Without the right key, even if someone intercepts your message, they can't make sense of it.

Two-Factor Authentication (2FA)​

Two-Factor Authentication (2FA) adds an extra layer of security to your accounts, like having two locks on a door instead of just one. It works by asking for two different types of proof that you're really you before letting you in. For example, after entering your password, you might also need to enter a code sent to your phone. This makes it much harder for hackers to get into your accounts, even if they know your password.

Types of Attacks​

Phishing​

Phishing is like a sneaky trick where someone tries to steal your personal information by pretending to be someone else, like a bank or a company you trust. They might email or send a message that looks real, asking for your passwords or credit card details. But if you give them what they want, they can use it to steal your money or identity. It's important to be careful and never share sensitive information with anyone you're not sure about. Here are some common methods and examples used in phishing attacks:

  • Phishing: Through email
  • Spear Phishing: Targets a specific person in a company
  • Smishing: Through SMS
  • Vishing: Through voice communication, such as phone calls. They may impersonate customer service representatives, tech support agents, or even government officials.
  • Pharming: This involves redirecting users to fake websites designed look like the real ones to collect login details.
  • Business Email Compromise (BEC): In BEC attacks, scammers target employees with access to financial transactions while pretending to be executives or trusted partners to request wire transfers, invoice payments, or sensitive information.

Spam​

Spam is junk mail, but for your email inbox. It's unwanted messages that flood your inbox with things like ads, scams, or irrelevant content. Spam filters help catch most of it, but some might still slip through.

Zero-Day Attack​

A zero-day attack is a surprise attack that takes advantage of a security hole before anyone knows it exists. Imagine a thief finding a secret way into a house that nobody knew about yet. They can break in and steal things before the homeowner has a chance to fix the hidden entrance. Similarly, in the digital world, hackers exploit unknown weaknesses in software or systems before developers can patch them.

Malware​

Malware is a computer virus, it's software designed to cause harm to your device or steal your information. Malware can come in different forms, such as viruses, worms, or spyware, and it often gets onto your device without you realizing it, sometimes through downloads or email attachments. To stay safe, it's important to have good antivirus software and be cautious about what you click on or download online.

Ransomware​

Ransomware is a type of malicious software that locks you out of your computer or encrypts your files until you pay a ransom to the attacker. It's like someone putting a digital lock on your files and demanding money to unlock them. Once ransomware infects your device, it can prevent you from accessing important documents, photos, or even your entire system. Attackers often demand payment in cryptocurrency, making it harder to trace. It's essential to regularly back up your files and be cautious when opening email attachments or clicking on suspicious links to avoid ransomware attacks.

DDos Attack​

A Distributed Denial of Service (DDoS) attack is when a large number of computers flood a website or online service with so much traffic that it crashes or becomes unavailable. It's like a massive crowd blocking the entrance to a store, preventing others from getting in and making it impossible for the store to operate. In a DDoS attack, hackers often use networks of infected computers, called botnets, to overwhelm the target with traffic. These attacks can disrupt businesses, websites, or even entire networks, causing inconvenience and financial loss.

Technological Solutions​

NIST (National Institute of Standards and Technology)​

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that plays a key role in shaping cybersecurity standards and best practices. It develops guidelines, frameworks, and tools to help organisations better protect their information systems from cyber threats. NIST's cybersecurity publications, such as the Cybersecurity Framework and Special Publications, provide valuable resources for improving cybersecurity posture across government, industry, and academia. By promoting standards and guidelines, NIST helps bolster the nation's cybersecurity defenses and resilience against cyberattacks.

SIEM (Security Information and Event Management)​

SIEM stands for Security Information and Event Management. It's a software solution that helps organisations collect, analyze, and manage security-related data from various sources in real-time. Think of it as a security control center that monitors and alerts you about suspicious activities or potential security threats across your network. SIEM combines security information management (SIM) and security event management (SEM) capabilities to provide a comprehensive view of an organisation's security posture. By centralizing and correlating security data, SIEM helps improve threat detection, incident response, and regulatory compliance efforts.

AI (Artificial Intelligence) and ML (Machine Learning) in Cybersecurity​

In cybersecurity, AI (Artificial Intelligence) and machine learning play crucial roles in enhancing threat detection, incident response, and overall defense mechanisms. Here's how:

  • Threat Detection: AI and machine learning algorithms can analyze vast amounts of data from various sources, such as network traffic, system logs, and user behavior, to identify patterns indicative of cyber threats. These algorithms can detect anomalies or suspicious activities that might signal a potential security breach, such as unusual login attempts or unexpected data access patterns.
  • Behavioral Analysis: AI-powered systems can learn the normal behavior of users, devices, and networks, allowing them to detect deviations or abnormalities that could indicate malicious activity. For example, machine learning algorithms can identify deviations from typical user behavior, such as unusual file access or data transfer patterns, which may signal insider threats or compromised accounts.
  • Threat Intelligence: AI can help analyze and interpret vast amounts of threat intelligence data, including malware signatures, known vulnerabilities, and indicators of compromise (IOCs). Machine learning algorithms can continuously learn from new threat data to improve their ability to recognize and respond to emerging threats in real-time.
  • Automated Response: AI-driven automation can accelerate incident response by autonomously executing predefined actions or mitigation measures in response to security events. For example, AI-powered systems can automatically quarantine infected devices, block malicious IP addresses, or apply security patches to vulnerable systems to mitigate the impact of cyberattacks.
  • Adaptive Defense: Machine learning algorithms can adapt and evolve over time based on new data and insights, allowing cybersecurity systems to stay ahead of evolving threats. By continuously learning from new attack patterns and vulnerabilities, AI-driven defense mechanisms can proactively adjust their strategies to effectively combat emerging cyber threats.

Overall, AI and machine learning technologies play a crucial role in augmenting human capabilities, improving threat detection and response times, and enhancing the overall resilience of cybersecurity defenses in the face of increasingly sophisticated cyber threats.

Regulations​

GDPR (General Data Protection Regulation)​

This is a set of rules created by the European Union to protect the personal data of individuals. It applies to any organisation that collects, processes, or stores personal data of EU citizens, regardless of where the organisation is located. The GDPR outlines requirements for obtaining consent, ensuring data security, and giving individuals control over their own data.

PCI DSS (Payment Card Industry Data Security Standard)​

PCI DSS is a security standard developed by major credit card companies to ensure the safe handling of credit card information. It applies to businesses that process, store, or transmit credit card data. Compliance with PCI DSS involves implementing security measures such as encryption, access controls, and regular security testing to protect cardholder data from theft or fraud.

ISO 27001​

ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organisations to establish, implement, maintain, and continually improve their information security processes. ISO 27001 helps organisations identify and mitigate security risks, protect sensitive information, and ensure compliance with relevant laws and regulations.

SOX (Sarbanes-Oxley Act)​

The Sarbanes-Oxley Act is a U.S. federal law aimed at improving corporate governance and financial reporting transparency. It was enacted in response to corporate accounting scandals to protect investors and prevent fraudulent financial practices. SOX requires companies to establish internal controls and procedures for financial reporting, as well as provide accurate and reliable financial information.

HIPAA (Health Insurance Portability and Accountability Act)​

HIPAA is a U.S. federal law that protects the privacy and security of patients' health information. It applies to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI). HIPAA sets standards for the electronic exchange, storage, and safeguarding of PHI to ensure patient confidentiality and prevent unauthorized access or disclosure.

FISMA (Federal Information Security Management Act)​

FISMA is a U.S. federal law that mandates federal agencies to develop, implement, and maintain cybersecurity programs to protect their information and information systems. It requires agencies to assess and manage risks, develop security policies and procedures, and provide ongoing security training and awareness for employees. FISMA also requires regular security assessments and reporting to ensure compliance with security standards and guidelines.

Security Roles and Policies​

DPO (Data Protection Officer)​

A Data Protection Officer (DPO) is a designated individual within an organisation who is responsible for overseeing and ensuring compliance with data protection laws and regulations. Their main role is to serve as a point of contact between the organisation, data subjects (individuals whose personal data is being processed), and regulatory authorities.

Security Policy​

A security policy is a set of rules, guidelines, and procedures that an organisation establishes to protect its information assets and ensure the confidentiality, integrity, and availability of data. It serves as a framework for defining and implementing security measures to safeguard against various threats and risks. A well-defined security policy helps organisations mitigate risks, maintain regulatory compliance, and build a strong security posture to protect against cyber threats and vulnerabilities.

CSP (Cyber Security Policy)​

A Cybersecurity Policy is a specific subset of a broader security policy that focuses specifically on safeguarding digital assets, systems, and networks from cyber threats. It outlines the organisation's approach to managing cybersecurity risks and establishes guidelines for protecting against unauthorized access, data breaches, malware, and other cyberattacks. By implementing a Cybersecurity Policy, organisations can enhance their resilience to cyber threats, minimize the impact of cyberattacks, and protect their digital assets and reputation.

Digital Identity​

Digital identity is your online passport or ID cardβ€”it's the digital version of who you are. It's made up of information about you, like your username, email address, or biometric data, that helps websites and online services recognize and verify your identity. For example, when you log into a social media account or make an online purchase, you use your digital identity to prove that you're really you. Digital identity is important for accessing online services securely and protecting your personal information from unauthorized access.

Security Assessment​

Vulnerability Assessment​

The vulnerability assessment is a health checkup for your computer systems and networks. It's a process of identifying and evaluating weaknesses or potential security risks that could be exploited by attackers. This assessment involves scanning systems, networks, and applications to find vulnerabilities such as outdated software, misconfigured settings, or known security flaws. For example, a vulnerability assessment might discover that a web server is running an outdated version of software that could be susceptible to known exploits. By conducting regular vulnerability assessments, organisations can proactively identify and address security weaknesses before they are exploited by malicious actors.

Incident Response Plan​

An incident response plan is a playbook for dealing with emergencies in cybersecurity. It's a detailed set of steps and procedures that an organisation follows when facing a security breach or cyberattack. Think of it as a roadmap that helps guide you through the chaos of an incident, from detecting and containing the threat to recovering and restoring normal operations. For example, the plan might outline who is responsible for what tasks, how to communicate with stakeholders, and what tools to use for forensic analysis. By having a well-defined incident response plan in place, organisations can minimize damage, mitigate risks, and respond effectively to cyber incidents.

Vulnerability​

A vulnerability is like a hole in your defense, making it easier for hackers to attack your system or software. It's a weakness or flaw that could be exploited to breach security measures and gain unauthorized access to sensitive information. For instance, if a software program has a vulnerability that allows remote attackers to execute malicious code, they could potentially take control of your computer. Identifying and patching vulnerabilities is crucial to protecting your digital assets and preventing cyberattacks.

Security Tools and Technologies​

Firewall​

A firewall behaves like a security guard for your computer or network, standing at the entrance and deciding what's allowed to come in and what's not. It works by monitoring incoming and outgoing traffic and blocking anything that doesn't meet certain rules or criteria. For example, if a suspicious program tries to connect to your computer from the internet, the firewall can stop it from getting through. By acting as a barrier between your device and the outside world, a firewall helps keep your system safe from hackers, viruses, and other threats.

Intrusion Detection System (IDS)​

An IDS, or Intrusion Detection System, is a security tool in the context of cybersecurity designed to detect unauthorized access or suspicious activity within a computer network or system. It plays a key role in helping organisations identify potential security threats and take action to prevent or mitigate them. An IDS works by monitoring network traffic, system logs, or other data sources to identify patterns or behaviors indicative of security breaches, such as hacking attempts, malware activity, or policy violations. There are two main types of IDS: Network-based IDS (NIDS) or Host-based IDS (HIDS). They can further be categorized by their detection methods: Signature-based Detection or Anomaly-based Detection.

Endpoint Security​

Endpoint security refers to the practice of securing individual devices that connect to a network, such as computers, smartphones, tablets, servers, and IoT devices. These devices, known as "endpoints," represent potential entry points for cyber threats like malware, ransomware, unauthorized access, or data breaches.

The goal of endpoint security is to protect these devices from a wide range of threats, ensuring the safety and integrity of the network and the data it contains. Key components of endpoint security include: Antivirus and Anti-malware, Firewalls, Endpoint Detection and Response (EDR), Device Management, Data Encryption, Access Controls, Patch Management.

Cloud Compliance​

Cloud compliance refers to the set of policies, procedures, and measures that ensure an organisation's use of cloud services adheres to relevant laws, regulations, standards, and internal guidelines. It involves ensuring that data and operations in cloud environments meet compliance requirements, such as those related to data protection, privacy, security, governance, and industry-specific regulations.

Risk Management​

Risk Assessment​

Risk assessment is the process of identifying, analyzing, and evaluating potential risks that could negatively affect an organisation's operations, assets, or people. It aims to understand the nature and scope of risks, estimate their likelihood and impact, and determine appropriate strategies to manage or mitigate them. Key steps in risk assessment include: Identification of Risks, Risk Analysis, Risk Evaluation, Risk Mitigation Planning, Monitoring and Review. Risk assessment is a critical part of risk management and is used in various contexts, including cybersecurity, workplace safety, environmental protection, and business continuity. It provides a structured approach to identifying and addressing risks, helping organisations make informed decisions and reduce potential adverse outcomes. Risk assessment is the process by which an organisation identifies potential risks and calculates the severity of their impact.

Risk Mitigation​

It involves figuring out ways to either avoid those identified risks or lessen their consequences. For example, if you're planning an outdoor event and there's a chance of rain, you might rent a tent to protect against bad weather. By doing this, you're lowering the risk of the event being ruined by rain. Overall, risk mitigation is about being proactive and prepared to deal with uncertainties in order to achieve success more smoothly.

Policies and Procedures​

Compliance Policy​

A compliance policy is like a rulebook that organisations follow to meet legal and regulatory requirements. It outlines the standards and procedures that the organisation must adhere to in order to comply with relevant laws, regulations, and industry standards. This policy ensures that the organisation operates ethically, legally, and responsibly in areas such as data privacy, financial reporting, and information security. It also helps mitigate risks, avoid penalties, and maintain the trust of customers, partners, and stakeholders. Compliance policies typically include details on roles and responsibilities, processes for monitoring and reporting compliance, and consequences for violations. Overall, a compliance policy serves as a roadmap for ensuring that the organisation meets its legal obligations and upholds ethical standards.

Procedure​

A policy is like a set of rules or guidelines that organisations create to guide their actions and decisions. It outlines what is acceptable or expected behavior within the organisation regarding specific topics, such as cybersecurity, data protection, or employee conduct. Policies help ensure consistency, fairness, and compliance with laws and regulations. They often include details on roles and responsibilities, procedures to follow, and consequences for non-compliance. Overall, policies serve to protect the organisation, its employees, and its stakeholders by establishing clear standards and expectations. In compliance context, procedures are often documented and followed to ensure regulatory compliance.