Compliance, risk and governance

This glossary contains definitions related to compliance. Some definitions explain the meaning of words used in compliance regulations. Other definitions are related to the strategies that compliance officers use to mitigate risk and create a manageable compliance infrastructure.

NER - TEL

  • NERC CIP (critical infrastructure protection) - The NERC CIP (critical infrastructure protection) plan is a set of requirements designed to secure assets vital to reliably operating North America's bulk electric system.
  • Nintex Sign - Nintex Sign is a native electronic signature capability that is powered by Adobe Sign.
  • NIST Privacy Framework - The NIST Privacy Framework is a voluntary tool created by the National Institute of Standards and Technology, which lays out strategies for private sector organizations to improve their data risk management practices.
  • non-renewable resource - A non-renewable resource is one that either does not regenerate or does not regenerate quickly enough to serve some human purpose in a sustainable way.
  • oligopoly - An oligopoly is a small group of companies that dominate a given market.
  • ONC (Office of the National Coordinator for Health Information Technology) - The Office of the National Coordinator for Health Information Technology, abbreviated ONC, is an entity within the U.
  • Open Internet Order of 2010 - The Open Internet Order of 2010 is a set of rules proposed by the United States Federal Communications Commission (FCC) with the purpose of maintaining an open and neutral internet that supports free speech and generally treats all traffic as equal.
  • operational costs - In information technology, operational costs document the price of running IT services on a day-to-day basis.
  • operational level agreement (OLA) - An operational level agreement (OLA) is a contract that defines how various IT groups within a company plan to deliver a service or set of services.
  • operational risk - Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
  • Opex (operational expenditure) - An operational expenditure (Opex) is the money a company spends on an ongoing, day-to-day basis in order to run a business or system.
  • opposition research (oppo) - Opposition research, also known as oppo research and sometimes just oppo, is the process of seeking out information to use against an adversary such as a political opponent or business competitor.
  • opt-out - Opt-out communications are messages sent for marketing, promotion or fundraising that include an option for the recipient to be removed from any future messages.
  • Organization for Economic Cooperation and Development (OECD) - The Organization for Economic Cooperation and Development (OECD) is a collaborative inter-governmental body dedicated to furthering economic progress and world trade.
  • PA-DSS (Payment Application Data Security Standard) - Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance.
  • partnership - In a partnership, all profits and losses pass through to partners and are reported on their individual tax returns.
  • patent troll - A patent troll is an individual or an organization that purchases and holds patents for unscrupulous purposes such as stifling competition or launching patent infringement suits.
  • PCAOB (Public Company Accounting Oversight Board) - The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public companies in the United States to protect investors' interests.
  • PCI assessment - A PCI assessment is an audit of a business's credit card transaction handling against the 12 requirements of the Payment Card Industry Data Security Standard.
  • PCI DSS 12 requirements - The PCI DSS 12 requirements are a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI DSS 2.0 - PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.
  • PCI DSS compliance (Payment Card Industry Data Security Standard compliance) - Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.
  • PCI DSS merchant levels - Merchant levels are used by the payment card industry (PCI) to classify a merchant's risk level and determine the appropriate level of security for its business.
  • PCI gap assessment - A PCI gap assessment is the identification, analysis and documentation of areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI policy - A PCI policy is a type of security policy that covers how an organization addresses the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS).
  • PCI QSA - Payment Card Industry Qualified Security Assessor (PCI QSA) is a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services.
  • PCI Security Standards Council - The PCI Security Standards Council is an organization created by the major credit card companies in an effort to better protect credit card holder data.
  • personally identifiable financial information (PIFI) - Personally identifiable financial information (PIFI) is any type of personally identifiable information (PII) that is linked to that person's finances.
  • personally identifiable information (PII) - Personally identifiable information (PII) is any data that could potentially identify a specific individual.
  • policy engine - A policy engine is a software component that allows an organization to create, monitor and enforce rules about how network resources and the organization's data can be accessed.
  • predictive coding - Predictive coding software can be used to automate portions of an e-discovery document review.
  • privacy compliance - Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.
  • privacy impact assessment (PIA) - A privacy impact assessment (PIA) is an analysis of how the personally identifiable information of an individual or group of individuals is collected, used, shared and maintained by an organization.
  • Privacy Shield (EU-US Privacy Shield) - EU-US Privacy Shield is a framework for adherence to E.
  • protected health information (PHI) or personal health information - Protected health information (PHI), also referred to as personal health information, is the demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
  • PTO (paid time off, personal time off) - Paid time off (PTO) is a human resource management (HRM) policy that provides employees with a pool of bankable hours that can be used for any purpose.
  • Public Relations Society of America (PRSA) - The Public Relations Society of America (PRSA) is the world's largest association for public relations (PR) professionals, overseeing more than 21,000 members.
  • public sector - The public sector is the segment of an economic system that is controlled by government; it contrasts with the private sector, which is run by private citizens.
  • pure risk - Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.
  • Qualified Security Assessor (QSA) - A Qualified Security Assessor (QSA) is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
  • Quick Start Glossary: PCI DSS (Payment Card Industry Data Security Standard) - Payment Card Industry Data Security Standard (PCI DSS): Print the glossary out for a fast reference or access online to see full definitions and further resources.
  • quiet period - A quiet period is a measure of time during which corporate insiders are restricted from disclosing information relative to the performance or prospective performance of a company before that information is made public.
  • records management - Records management (RM) is the administration of records and documented information for the entirety of its lifecycle, which includes creation, maintenance, use, storage, retrieval and disposal.
  • Red Flags Rule (RFR) - The Red Flags Rule (RFR) is a set of United States federal regulations that require certain businesses and organizations to develop and implement documented plans to protect consumers from identity theft.
  • Reduce, reuse, recycle (R3) - Reduce, reuse and recycle (R3) are the three essential components of environmentally-responsible consumer behavior.
  • RegTech - RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of regulatory compliance.
  • Regulation Fair Disclosure (Regulation FD or Reg FD) - Regulation Fair Disclosure is a rule passed by the U.
  • Regulation SCI (Regulation Systems Compliance and Integrity) - Regulation SCI is a set of compliance rules designed by the SEC to monitor and regulate the technology infrastructure of U.
  • regulatory compliance - Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
  • relationship marketing - Relationship marketing is a customer relationship management strategy designed to encourage strong, lasting customer connections to a brand.
  • remote deposit capture (RDC) - Remote deposit capture (RDC) is a system that allows a customer to scan checks remotely and transmit the check images to a bank for deposit, usually via an encrypted Internet connection.
  • removable media - Removable media is any type of storage device that can be removed from a computer while the system is running.
  • Report on Compliance (ROC) - A Report on Compliance (ROC) is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.
  • residual risk - Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
  • risk assessment - Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.
  • risk assessment framework (RAF) - A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
  • risk avoidance - Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization and its assets.
  • risk exposure - Risk exposure is the quantified potential loss from business activities currently underway or planned.
  • risk intelligence (RQ) - Risk intelligence (RQ) is a term used to describe predictions made around uncertainties and future threat probabilities.
  • risk map (risk heat map) - A risk map (risk heat map) is a data visualization tool for communicating specific risks an organization faces.
  • risk profile - A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces.
  • risk reporting - Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.
  • S corporation (S corp) - Like a C corporation, the S corp is considered a separate entity under the law.
  • Sarbanes-Oxley Act - The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies.
  • Secure Electronic Transaction (SET) - Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the integrity and security of transactions conducted over the internet.
  • Securities and Exchange Commission (SEC) - The Securities and Exchange Commission (SEC) is the U.
  • security audit - A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an established set of criteria.
  • security information management (SIM) - Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs.
  • segregation of duties (SoD) - Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
  • sensitive information - Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
  • serious reportable event (SRE) - A serious reportable event (SRE) is an incident involving death or serious harm to a patient resulting from a lapse or error in a healthcare facility.
  • seven wastes - The seven wastes are categories of unproductive manufacturing practices identified by Taiichi Ohno, the father of the Toyota Production System (TPS).
  • severance agreement - A severance agreement is a contract between an employer and employee documenting the rights and responsibilities of both parties in the event of job termination.
  • severance package - A severance package is the contracted pay and benefits provided to an employee whose job is terminated.
  • shadow app - A shadow app is a software program that is not supported by an employee's information technology (IT) department.
  • shadow IT - Shadow IT is hardware or software that is not supported by an organization's IT department.
  • Shared Assessments Program - Shared Assessments is a third-party risk membership program that provides organizations with a way to obtain a detailed report about a service provider's controls (people, process and procedures) and a procedure for verifying that the information in the report is accurate.
  • shrink wrap license - A shrink wrap license is an end user agreement (EULA) that is enclosed with software in plastic-wrapped packaging.
  • SLAPP - A SLAPP suit is a legal action undertaken or threatened to make the target stop any public activities in opposition to the interests of the person or organization bringing the suit.
  • SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) - SNOMED CT (Systematized Nomenclature of Medicine -- Clinical Terms) is a standardized, multilingual vocabulary of clinical terminology that is used by physicians and other health care providers for the electronic exchange of clinical health information.
  • Soc 1 (Service Organization Control 1) - A Service Organization Control 1 or Soc 1 (pronounced "sock one") report is written documentation of the internal controls that are likely to be relevant to an audit of a customer’s financial statements.
  • Soc 2 (Service Organization Control 2) - A Service Organization Control 2 (Soc 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy.
  • Soc 3 (Service Organization Control 3) - A Service Organization Control 3 (Soc 3) report outlines information related to a service organization’s internal controls in security, availability, processing integrity, confidentiality or privacy.
  • softlifting - Softlifting is a common type of software piracy in which a legally licensed software program is installed or copied in violation of its licensing agreement.
  • sole proprietorship - A sole proprietorship is an unincorporated business owned by a single individual or a couple who files a single tax return.
  • SOX Section 404 (Sarbanes-Oxley Act Section 404) - SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting.
  • spin (PR, marketing) - Spin, in the context of public relations (PR) and journalism, is the selective assembly of fact and the shaping of nuance to support a particular view of a story.
  • spoliation - Spoliation is the destruction, alteration, or mutilation of evidence that may pertain to legal action.
  • SSAE 16 - The Statement on Standards for Attestation Engagements No.
  • standard - A standard is a generally agreed-upon technology, method or format for a given application.
  • standard operating procedure (SOP) - A standard operating procedure (SOP) is a set of written instructions that describes the step-by-step process that must be taken to properly perform a routine activity.
  • statutory reporting - Statutory reporting is the mandatory submission of financial and non-financial information to a government agency.
  • Stop Online Piracy Act (SOPA) and PIPA - The Stop Online Piracy Act (SOPA), also known as House Bill 3261, is legislation introduced in the United States House of Representatives to enforce current laws that make stealing intellectual property and trafficking in counterfeit goods illegal.
  • structured content - Structured content is a modular approach to managing digital content that uses metadata tags and automation to publish content from a single source to multiple distribution channels.
  • supply chain security - Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation.
  • surveillance capitalism - Surveillance capitalism is the monetization of data captured through monitoring people's movements and behaviors online and in the physical world.
  • sustainability risk management (SRM) - Sustainability risk management (SRM) is a business strategy that aligns profit goals with a company's environmental policies.
  • SWIFT FIN message - SWIFT FIN is a message type (MT) that transmits financial information from one financial institution to another.
  • take-down request - A take-down request, also called a notice and take down request, is a procedure for asking an Internet Service Provider (ISP) or search engine to remove or disable access to illegal, irrelevant or outdated information.
  • Telephone Consumer Protection Act (TCPA) - The Telephone Consumer Protection Act (TCPA) of 1991 is a federal law that places restrictions on telephone solicitations and robocalls.