Free resource
Security & GRC Glossary
Plain-English definitions for the security, GRC and compliance terms you’ll meet on the way to SOC 2, ISO 27001, HIPAA and PCI-DSS. No jargon without explanation.
- Access Control List (ACL): A set of rules defining which users or systems can access a resource and what actions they can perform. AWS security groups are a type of ACL.
- Attack Surface: The sum of all points where an attacker could try to enter or extract data from a system. Reducing it is a core principle of defense-in-depth.
- Attack Surface Management (ASM): The continuous process of discovering, inventorying and monitoring an organization’s external-facing assets to identify and reduce exposure.
- Audit Trail: A chronological record of system activity that lets you reconstruct events. Required by ISO 27001 A.8.15, SOC 2 CC7.2, HIPAA §164.312(b) and PCI DSS Req 10.
- Business Associate Agreement (BAA): Under HIPAA, a contract between a covered entity and a business associate setting out each party’s duties for protecting ePHI. Required before sharing ePHI.
- Breach & Attack Simulation (BAS): Continuous, automated simulation of real attack techniques against your environment to verify that controls actually detect and stop them — not just that they exist.
- Business Continuity Plan (BCP): Documentation of how an organization keeps operating during and after a disruption. Distinct from Disaster Recovery (DR), which focuses on IT systems.
- CIS Benchmark: Prescriptive security-hardening standards from the Center for Internet Security. Level 1 = basic hygiene; Level 2 = stricter, may affect usability.
- Compliance: Adherence to laws, regulations and standards. Compliance is a minimum bar, not a guarantee of security.
- Continuous Control Monitoring (CCM): Automatically and repeatedly checking that controls still operate effectively, rather than testing once a year — catching drift in hours, not at the next audit.
- Control: A safeguard or countermeasure (technical, administrative or physical) that reduces risk to an acceptable level.
- CVE (Common Vulnerabilities and Exposures): A public catalog of known security vulnerabilities, each with a unique identifier (e.g. CVE-2024-12345).
- CVSS (Common Vulnerability Scoring System): A 0–10 severity score for vulnerabilities. 9.0–10.0 = Critical, 7.0–8.9 = High.
- Defense in Depth: Layering multiple, independent security controls so that if one fails, others still protect the asset.
- ePHI (Electronic Protected Health Information): Health information that identifies an individual, stored or transmitted electronically. The data HIPAA’s Security Rule protects.
- Evidence (audit context): The artifacts — policies, logs, screenshots, tickets, scan results — that prove a control was operating during the audit period.
- Gap Assessment: A review that compares your current controls against a framework’s requirements to find what’s missing before a formal audit.
- GRC (Governance, Risk & Compliance): The discipline of aligning security governance, risk management and regulatory compliance into one program.
- HIPAA: US law governing the privacy and security of protected health information, via its Privacy Rule and Security Rule.
- iASM (Internal Attack Surface Management): Continuous discovery and monitoring of internal/cloud assets and their attack paths — the inside view ASM tools usually miss.
- Incident Response Plan (IRP): A documented, tested procedure for detecting, containing, eradicating and recovering from security incidents.
- ISO 27001: The international standard for an Information Security Management System (ISMS); the 2022 revision updated its Annex A control set.
- Least Privilege: Granting users and systems only the minimum access required for their role — a foundational access-control principle.
- Log Retention: How long security and audit logs are kept. One year is a common minimum (e.g., PCI DSS Req 10).
- MFA (Multi-Factor Authentication): Requiring two or more independent factors to authenticate, dramatically reducing account-takeover risk.
- MITRE ATT&CK: A knowledge base of real adversary tactics and techniques, widely used to map detections and BAS results.
- NIST CSF: The NIST Cybersecurity Framework — a risk-based structure (Govern, Identify, Protect, Detect, Respond, Recover) for managing cyber risk.
- NVD (National Vulnerability Database): NIST’s repository of CVE data enriched with CVSS scores and other metadata.
- PCI DSS: The Payment Card Industry Data Security Standard — security requirements for any organization that stores, processes or transmits cardholder data.
- Penetration Testing: A simulated attack by skilled testers to find exploitable weaknesses; often an annual requirement for SOC 2 and PCI DSS.
- POA&M (Plan of Action & Milestones): A tracked plan documenting known weaknesses, remediation steps, owners and target dates.
- RBAC (Role-Based Access Control): Assigning permissions to roles, then roles to users — simplifying least-privilege at scale.
- Risk: The combination of how likely a threat is to exploit a vulnerability and the impact if it does.
- Risk Acceptance: A documented, management-approved decision to accept a residual risk rather than treat it further.
- Risk Register: The living record of identified risks with their scores, owners, treatment decisions and status.
- SAST (Static Application Security Testing): Analyzing source code for security flaws without running it — typically wired into CI/CD.
- SBOM (Software Bill of Materials): A formal inventory of the components and dependencies in a piece of software, used to track supply-chain risk.
- SOC 2: An AICPA report on a service organization’s controls across the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy).
- SOC 2 Type II: A SOC 2 report that tests whether controls operated effectively over a period (typically 6–12 months), not just at a point in time.
- TLS (Transport Layer Security): The protocol that encrypts data in transit. TLS 1.2+ is expected; SSLv3/TLS 1.0–1.1 are deprecated.
- Threat Intelligence: Curated information about current and emerging threats used to inform detection and defense.
- Trust Services Criteria (TSC): The five SOC 2 categories: Security (Common Criteria), Availability, Confidentiality, Processing Integrity and Privacy.
- Vulnerability: A weakness in a system that a threat could exploit to cause harm.
- Vulnerability Management: The ongoing cycle of discovering, prioritizing, remediating and verifying vulnerabilities against defined SLAs.
Turn these terms into an audit-ready program
CATAAM automates the evidence, monitoring and security testing behind every term here.