ISpectra Technologies
60 terms · A–Z

Security & Compliance Glossary

Plain-English definitions of the cybersecurity, compliance and privacy terms that show up in audits, RFPs, regulator letters and engineering reviews.

A (5 terms)

Access Control

Identity & Access

The process of granting or denying specific requests for accessing resources. Implemented through identification, authentication and authorisation, access control underpins SOC 2, ISO 27001 and most other security frameworks.

Asset Inventory

Governance

A complete, continuously maintained list of all hardware, software, data and cloud resources owned or operated by an organisation. The starting point for almost every compliance program.

Audit Trail

Detection & Logging

A chronological, tamper-resistant record of system activities — used to detect suspicious behaviour, investigate incidents and demonstrate compliance during audits.

Authentication

Identity & Access

The process of verifying the identity of a user, system or service — typically with passwords, MFA, certificates or biometrics.

Authorisation

Identity & Access

The process of granting or denying access rights to authenticated users, based on policies, roles or attributes.

B (2 terms)

Backup & Recovery

Resilience

Processes and technology to copy and restore data after loss, corruption or ransomware. Tested recovery time objectives (RTO) and recovery point objectives (RPO) are required for SOC 2 and ISO 27001.

Business Continuity Plan (BCP)

Resilience

A documented program describing how an organisation will continue critical operations during disruption — staffing, facilities, vendors, technology and communications.

C (4 terms)

CIS Controls

Frameworks

A prioritised set of 18 cybersecurity controls from the Center for Internet Security — widely used as a baseline that maps to NIST, SOC 2 and ISO.

Cloud Access Security Broker (CASB)

Cloud Security

A control point that sits between cloud service users and providers — enforcing visibility, compliance, data security and threat protection.

Compliance

Compliance

Adherence to a defined set of laws, regulations or standards. In security, common targets include SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR and DPDP.

Configuration Management

Governance

The process of defining, baselining and tracking the configuration of systems and software — key to detecting drift and unauthorised change.

D (6 terms)

Data Classification

Data Protection

The categorisation of data by sensitivity (public, internal, confidential, restricted) so the right protections can be applied.

Data Loss Prevention (DLP)

Data Protection

Tools and processes that detect and block sensitive data from leaving an organisation through email, endpoints, cloud storage or other channels.

Data Subject Access Request (DSAR)

Privacy

A request from an individual to access, correct or delete their personal data. Both GDPR and DPDP require organisations to respond within statutory timelines.

DevSecOps

Engineering

A culture and toolset that embeds security into every stage of the software delivery lifecycle — from design through build, test, deploy and run.

Disaster Recovery (DR)

Resilience

The technical subset of business continuity — restoring IT systems and data after a major disruption such as ransomware, outage or natural disaster.

DPDP Act

Privacy

India’s Digital Personal Data Protection Act, 2023 — sets rules for processing personal data of Indian residents, including consent, notice, retention and Significant Data Fiduciary obligations.

E (3 terms)

Encryption at Rest

Cryptography

The encoding of stored data so it cannot be read without a decryption key — a core control under SOC 2, ISO 27001, HIPAA, PCI DSS and most modern frameworks.

Encryption in Transit

Cryptography

The encoding of data while moving between systems — typically TLS 1.2+ for web traffic and mTLS for service-to-service communication.

Endpoint Detection & Response (EDR)

Detection & Logging

Technology that monitors endpoints for malicious behaviour, automates response, and gives investigators rich telemetry for hunting and forensics.

F (1 term)

FedRAMP

Frameworks

The US Federal Risk and Authorization Management Program — standardises security assessment, authorization and continuous monitoring for cloud services used by US federal agencies.

G (2 terms)

GDPR

Privacy

The EU General Data Protection Regulation — protects personal data of individuals in the European Union, with penalties up to 4% of global turnover for non-compliance.

Governance, Risk & Compliance (GRC)

Governance

The integrated discipline of aligning IT and security activities with business goals, managing risk, and meeting regulatory requirements.

H (2 terms)

Hardening

Operations

The process of reducing the attack surface of a system by removing unnecessary services, applying CIS or vendor benchmarks, and tightening configuration.

HIPAA

Privacy

The US Health Insurance Portability and Accountability Act — sets privacy and security standards for protected health information (PHI) handled by covered entities and business associates.

I (6 terms)

Identity Provider (IdP)

Identity & Access

A system that creates, maintains and manages identity information — and provides authentication services to applications. Examples: Okta, Azure AD, Google Workspace.

Incident Response

Operations

A documented, tested process for detecting, containing, eradicating and recovering from security incidents — and learning from them.

Information Security Management System (ISMS)

Frameworks

A systematic approach to managing sensitive company information — the core construct certified by ISO/IEC 27001.

Insider Threat

Threats

A current or former employee, contractor or partner who misuses authorised access — intentionally or accidentally — to harm the organisation.

Intrusion Detection System (IDS)

Detection & Logging

A device or software that monitors a network or system for malicious activity or policy violations and reports them to a security team.

ISO/IEC 27001

Frameworks

The international standard for an Information Security Management System (ISMS) — the most widely recognised security certification globally.

L (1 term)

Least Privilege

Identity & Access

The principle that any user, program or process should have only the minimum access rights needed to perform its function — a SOC 2 and ISO 27001 staple.

M (2 terms)

Managed Detection & Response (MDR)

Operations

A 24/7 security service that combines technology and human analysts to detect, investigate and respond to threats on behalf of the customer.

Multi-Factor Authentication (MFA)

Identity & Access

A security control requiring two or more independent factors (something you know, have, or are) to authenticate — drastically reducing the risk of credential compromise.

N (2 terms)

Network Segmentation

Network Security

Dividing a network into isolated segments to limit the blast radius of attacks and constrain lateral movement.

NIST Cybersecurity Framework (CSF)

Frameworks

A risk-based framework from the US National Institute of Standards and Technology — organises security activities into Identify, Protect, Detect, Respond and Recover (and now Govern in CSF 2.0).

P (8 terms)

Patch Management

Operations

The process of identifying, acquiring, installing and verifying patches for software and firmware — closing known vulnerabilities before attackers exploit them.

PCI DSS

Frameworks

The Payment Card Industry Data Security Standard — protects cardholder data through 12 requirements covering people, process and technology.

Penetration Test

Assurance

An authorised, simulated attack on a system, network or application to identify exploitable vulnerabilities — required for many compliance programs.

Personally Identifiable Information (PII)

Privacy

Information that, alone or in combination, can identify an individual — name, email, government ID, IP address, biometric data and more.

Phishing

Threats

Social engineering using deceptive messages to trick people into revealing credentials, transferring money or installing malware.

Principle of Defence in Depth

Architecture

Layering complementary security controls so that the failure of any single control does not result in compromise.

Privacy Impact Assessment (PIA)

Privacy

A structured analysis of how personal data is collected, used, shared and protected — and the risks to individuals — required by GDPR, DPDP and similar regimes.

Privileged Access Management (PAM)

Identity & Access

Tools and processes for securing, controlling and monitoring access by privileged accounts — admin, root, service accounts.

R (3 terms)

Ransomware

Threats

Malware that encrypts data and demands payment for the decryption key. Modern variants also exfiltrate data and threaten public release.

Red Team

Assurance

An adversarial security exercise that simulates a real-world attacker against an organisation’s people, processes and technology.

Risk Assessment

Governance

A structured process to identify, analyse and evaluate risks to information assets — and decide how to treat them.

S (6 terms)

Secure Software Development Lifecycle (SSDLC)

Engineering

A development process that integrates security activities — threat modelling, secure coding, code review, SAST/SCA, DAST — at every phase.

Security Information and Event Management (SIEM)

Detection & Logging

A platform that aggregates logs from across an environment, correlates events, and produces alerts for the SOC.

Security Operations Center (SOC)

Operations

The team and platform responsible for continuously monitoring, detecting, investigating and responding to cybersecurity incidents.

Service Organization Control (SOC) 2

Frameworks

An audit report developed by the AICPA that evaluates a service organisation’s controls relevant to security, availability, processing integrity, confidentiality and privacy.

Single Sign-On (SSO)

Identity & Access

A user authentication scheme that allows users to log in once and access multiple applications — reducing password fatigue and improving security.

Statement of Applicability (SoA)

Frameworks

An ISO 27001 document that lists which Annex A controls are applicable, why each is included or excluded, and where each is implemented.

T (2 terms)

Threat Modelling

Engineering

A structured process to identify potential threats to a system early in design — STRIDE, attack trees and abuse cases are common methods.

Trust Services Criteria (TSC)

Frameworks

The set of principles used in SOC 2 audits — Security (always required), plus optional Availability, Processing Integrity, Confidentiality and Privacy.

V (3 terms)

Vendor Risk Management (VRM)

Governance

The discipline of identifying, assessing and continuously monitoring risks introduced by third-party suppliers and service providers.

Virtual CISO (vCISO)

Operations

A part-time or fractional Chief Information Security Officer service — strategic leadership without a full-time hire.

Vulnerability Management

Operations

The continuous process of identifying, classifying, prioritising, remediating and reporting vulnerabilities across the technology estate.

W (1 term)

Web Application Firewall (WAF)

Network Security

A security control that filters and monitors HTTP(S) traffic to a web application — protecting against OWASP Top 10 attacks like SQLi and XSS.

Z (1 term)

Zero Trust

Architecture

A security model based on “never trust, always verify” — requiring authentication, authorisation and continuous validation for every transaction across users, devices and workloads.
