The world of Compliance is far from simple, and many people starting out on their professional journey struggle to understand the many acronyms and technical terms in common use throughout the industry. From GRC, to Normalized Data, to Automated Evidence, we’ve included the most popular industry terms with explanations here. Read on to familiarize yourself with the essential phrases you'll need to know to build a successful Compliance program.
Audit scoping refers to determining the bounds of the audit, including the time frame and activities that will be covered by the audit. Determining the scope of an audit is critical to developing an effective plan and ensuring that the audit meets its objectives.
auditscoping
Automated Evidence refers to data that has been collected from systems through an automated technical solution, rather than manually pulled. When conducting an audit, automated evidence programs rapidly obtain relevant data for the compliance manager, providing them with quick access to nonconformities and anomalies. Automated evidence collection is significantly faster than manual collection and can be used by Compliance teams to make real-time decisions.
automated-evidence
Cloud security compliance includes a number of potential frameworks that typically fit into two distinct categories: 1. Compliance centric, 2. security centric. The former category includes certifications such as STAR, FedRAMP, and SOX, while the latter includes ISO 27001, NIST, and CIS Controls. Most frameworks for cloud security will assess factors such as governance, and change control and solutions will include continuous automated monitoring and reporting, along with vulnerability management.
cloud-security-compliance
Part of a Compliance program, a Compliance framework lays out the strategies an organization uses to ensure that it remains in Compliance with both internal and external regulations. The Compliance framework should provide a set of tools and a common language for stakeholders to conduct and maintain their Compliance processes across departments.
compliance-framework
A Compliance Operating System is a centralized hub for all of a company’s Compliance work. A Compliance OS gives companies the tools to automate and strategically perform the full scope of Compliance tasks, from daily compliance tasks to audit-centered activities, and provides a holistic view of their Compliance posture. The Compliance OS is composed of three layers: a source layer, a data layer, and an application layer, and performs interlayer background processes.
compliance-os
A Compliance Program outlines a company’s ongoing and future processes and activities to address Compliance requirements in order to support growth. Having a program enables companies to take a mature approach to Compliance, and provides an underlying fabric through which Compliance activities can be monitored and leveraged. Establishing a Compliance Program is an important step in a company's maturity and stands in stark contrast to the one-time-project Compliance mindset adopted by many small companies.
compliance-program
With the growing amount of frameworks organizations adopt, all of which are focused in some way on security, most controls overlap with controls of other frameworks. There are two ways to address this reality; either by working in silos, closing frameworks one by one, or by consolidating controls based on similarity, which helps manage them efficiently, one type at a time.
compliance-convergence
Data delegation refers to the ability to control where customer data resides when using 3rd party solutions. With this capability, companies can delegate their data to different functions, such as the anecdotes OS, while keeping it inside their perimeter. This enables highly-sensitive companies to own and retain their data at all times.
data-delegation
The term GRC is an acronym referring to an organization’s approach towards Governance, Risk Management, and Compliance. A company’s GRC team or responsible employees make sure that the business is on track in terms of meeting goals, operating smoothly, predicting and mitigating risks, and adhering to both internal and external restrictions and boundaries. Generally speaking, a company’s GRC strategy includes input from departments such as IT, Finance, Legal, Risk, and more.
grc
Short for The Health Insurance Portability and Accountability Act, HIPAA is the gold standard when it comes to data protection in the healthcare industry. The framework covers three main areas: administrative, physical security, and technical security, and is viewed as a prerequisite for doing business across the industry. Violating the terms can come with fines ranging anywhere from $50,000-$250,000 and violators may also face lawsuits from patients, depending on the state. Even third-parties, service providers, and technology suppliers to the healthcare industry might be required to comply with HIPAA, if not by the regulator itself, then by the organizations being regulated in their contract with the third-party.
HIPAA-Compliance
One of the most popular standards for Information Security ISO 27001 is often the Compliance framework of choice in the financial industry, spanning from banks, to insurance companies, and additional financial institutions. The framework differs from the popular SOC 2 option as in addition to data security, it also certifies that an organization has an operational Information Security Management System (ISMS) in place.
There are other important entries in the ISO 27000 family including:
iso-27001-compliance
InfoSec is short for Information Security, meaning a set of policies or regulations put in place to safeguard a company’s data or other assets from unauthorized access or use. InfoSec regulations ensure that an organization’s sensitive information is secure.
infosec
InfoSec Compliance refers to ensuring that regulations and policies around information security are followed within an organization. Information Security includes restrictions that protect a company’s sensitive information, like data and other Information Technology (IT) assets.
infosec-compliance
Traditionally, Compliance managers used to take screenshots of the UI, which showed settings and proved the existence of controls. On one hand, it was easy to digest. On the other hand, when organizations have a complex tech stack, and each platform has its own set of screenshots to take, this process can take a lot of time.
Now, with APIs built into every platform, the data can be brought via the API in XML / JSON structure. However, that data is not so easy to digest. Normalizing the data means structuring it in a way that reflects the existence of the control. Moreover, with modern types of evidence, the data can be sorted and filtered easily, so auditors can look at samples as much as they want, enlarge the sample size when and where needed, without the need to ask the Compliance manager to "go fetch" more for them. It's all there already, and ready to be looked at.
normalized-data
The Payment Card Industry Data Security Standard is a body of requirements that all companies storing, processing, or transmitting credit card information must adhere to. Organizations found to be in violation of PCI-DSS may be subject to fines and penalties. PCI-DSS is based on a highly technical checklist, so becoming compliant with this regulation takes less time than with other frameworks. Find out more about PCI automation.
state-aware-compliance
PCI-DSS Requirements
Applicable to all SaaS and technology companies, this audit attests that customer data is stored and managed in a secure manner. SOC 2 is one of the most common Compliance frameworks and is usually considered as a “must have” to bid on RFPs, or partner with enterprises big and small. SOC 2 categories assessed include:
People often wonder why the other categories aren't simply included under the category of security as well. This is because SOC 2 is all about security, and the additional categories are laser-focused criteria to be considered when special care is needed for confidentiality and/or process integrity and/or availability and/or privacy
soc-2-compliance
To establish an effective SOC 2 Compliance Checklist, the following steps should be taken:
Set Goals -The organization must clearly define the program’s objectives. They must investigate what is critical to regularly test for, and why. They must also understand which stakeholders (managers, business partners, customers) need access to Compliance reports.
Choose Trust Service Criteria (TSC) - Security is the only TSC classified as mandatory by the AICPA for SOC 2 audits. Based on the focus of the organization, businesses should also consider adopting some of the other Trust Service Criteria.
Integrate SOC 2 with other audits - Because SOC 2 covers a lot of the same ground as other audits for specific industry spaces, businesses should consider integrating their SOC 2 report with other Compliance initiatives to boost efficiency and save resources.
Choose the report that fits the organization best - SOC 2 reports come in 2 types and each organization must select the report that’s right for them:
Both reports are useful, depending on the organization’s unique needs.
soc-2-compliance-checklist
Physical Access Controls - The measures taken to prevent unauthorized users from gaining local, physical access to data.
Risk Mitigation - Determining how to manage and minimize potential risk via:
System Operations - A framework for supervising system operations that can recognize and identify deviations from normal procedures.
Change Management - Developing a system that sets out guidelines for changes and prevents unauthorized changes.
soc-2-requirements
Security Compliance refers to Compliance policies specifically geared towards ensuring that a company remains within the bounds of security standards. This may mean ensuring that a company adheres to secured authentication mechanisms and network access, as well as following policies that protect a company’s Information Technology (IT) assets.
security-compliance
Typically encountered in two forms: 1. Vendor Security Questionnaire, 2. Risk Assessment Questionnaire. The latter, Risk Assessment Questionnaire, is a method for identifying potential threats which involves asking questions to key personnel about both risk and the risk management techniques that are currently deployed by the organization. The former, Vendor Security Questionnaire, is nearly the same, aside from the fact that attention should be paid to the length and involvement, as companies shouldn’t place an unreasonable burden on vendors.
security-questionnaires
As regulations can vary from department to department in a company, a Unified Control Framework serves a master plan for Compliance across an organization. In a UCF, all Compliance management should be included in one set of controls. It should set forth general policies regarding Compliance that apply to every aspect of the business, rather than letting each department develop their own Compliance rules. A UCF provides a holistic, big-picture overview of requirements in each department, so potential conflicts can be quickly spotted and responsibilities assigned transparently.
unified-control-framework
