AICPA

AICPA is the acronym for the American Institute of Certified Public Accountants. The AICPA is the originator of the SOC (System and Organization Controls) audit and reporting standards.

What is the AICPA?

CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base...

What is CMMC?

Compliance Risk Management

Compliance risk management describes an organization's strategy for managing the risk of non-compliance with pertinent regulations.

What is Compliance Risk Management?

Compliance Automation Software

Compliance automation software describes the software tools an organization employs to monitor its internal systems and controls, in order to comply with required standards and regulations.

What is Compliance Automation Software?

Cybersecurity

Cybersecurity is the work of protecting data, information, programs, systems, networks, and devices from unauthorized or malicious access and use by external sources on the internet.

What is Cybersecurity?

FedRAMP

The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment...

What is FedRAMP?

GDPR

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.

What is GDPR?

GRC

Governance, risk and compliance (GRC) refers to a company's strategy for managing its overall governance, enterprise risk management, and compliance with regulations.

What does GRC stand for?

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996 with the goal of improving health care portability and the handling of confidential health information.

What is HIPAA?

HIPAA Employee Training

HIPAA compliance is required of organizations and employees who work in or with the healthcare industry, or who have access to protected health information (PHI). The goal of HIPAA compliance training is to ensure that organizations and their employees are appropriately protecting the privacy and security of patients' PHI.

What is HIPAA employee training?

HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) is composed of a number of standards or rules by which compliance can be monitored. Among additional rules, the HIPAA Rules include the Privacy, Security, and Breach Notification Rules.

What are the HIPAA rules?

HIPAA Breach

A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by HIPAA regulations, which compromises the security or privacy of the PHI.

What is a HIPAA breach?

ISO 27001

ISO 27001 is a set of requirements for an information security management system (ISMS) that helps keep consumer data safe by applying a risk management process to an organization's people, process, and IT systems.

What is ISO 27001?

ISO 27001 Security Standard

The ISO 27001 security standard is a set of best practices that support organizations in managing their information security by addressing people, processes, and technology.

What is the ISO 27001 security standard?

IT Security Policy

An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization's IT assets and resources. The goal of an effective IT security policy is to protect information technology systems from any unauthorized access, use, alteration, or destruction, and to provide guidance in the case of the compromise of any systems.

What is an IT security policy?

Protected Health Information

Protected health information (PHI) describes health data that is created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.

What is protected health information?

Risk Assessment

A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property). It then identifies the risks that could affect those assets.

What is risk assessment?

Security Questionnaire

A security questionnaire is a tool that an enterprise may circulate to a service organization to evaluate and validate its security practices before choosing to do business with that organization.

What is a security questionnaire?

SOC 1

A SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial reporting.

What is SOC 1?

SOC 2

SOC 2 defines controls for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

What is SOC 2?

SOC 2 Auditor

SOC auditors are independent CPAs who work with the SOC (System and Organization Controls) suite to evaluate and report on the controls in place at a service organization, relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

What is a SOC 2 auditor?

SOC 3

A SOC 3 report covers the same basic material and concerns as a SOC 2 report, but it distributes only the auditor's report, without the description of the tests and their results or any opinions on the processes and results.

What is SOC 3?

SOC Reports

A service organization controls (SOC) report is a way to verify that an organization is following specific best practices related to protecting their clients' data.

What are SOC reports?

Trust Services Criteria (TSC)

The five Trust Services Criteria comprise the evaluation structure of a SOC 2 audit and report. The Trust Services Criteria are applied to report on the suitability of the design and operating effectiveness of controls relevant to the Security, Availability, Processing Integrity, Confidentiality, and Privacy of an organization's information and systems.

What are Trust Services Criteria?

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

What is SSAE 16?

SSAE 18

SSAE 18 is a series of enhancements aimed at increasing the usefulness and quality of SOC reports, and it now supersedes SSAE 16.

What is SSAE 18?

Vendor Assessment

Vendor assessment describes an organization's program of assessing its vendors' management of that organization's information, and whether vendors are implementing and maintaining appropriate security controls.

What is vendor assessment?

Vendor Management Policy

A vendor management policy reviews all of an organization's vendors — each third-party, contractor, or associate with whom an organization does business — and establishes requirements for the level of information security that vendors should maintain.

What is a vendor management policy?

Vendor Review

Vendor review is a process by which an organization can understand the potential risks of using a vendor's product or service, and an ongoing process to ensure that sound security practices continue to be maintained.

What is a vendor review?

Vulnerability Management

Vulnerability management is xxxxxx......

What is vulnerability management?
