TrustNet Cybersecurity & Compliance Glossary

Your quick reference for common security, privacy, and compliance terms and acronyms.

#

Triple-DES (Data Encryption Standard)

A

Authentication, Authorization, and Accounting

Security methods used to ensure that only authorized individuals can access specific systems, data, or resources. It helps prevent unauthorized actions and data breaches.

Also referred to as “user ID,” “account ID,” or “application ID.” Used to identify an individual or process on a computer system. See Authentication Credentials and Authentication Factor.

Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

Access Control List

Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See Payment Processor.

Elevated or increased privileges granted to an account for that account to manage systems, networks, and/or applications. Administrative access can be assigned to an individual’s account or a built-in system account. Accounts with administrative access are often referred to as “superuser,” “root,” “administrator,” “admin,” “sysadmin,” or “supervisor-state,” depending on the particular operating system and organizational structure.

A symmetric encryption algorithm used to encrypt and decrypt data, making it secure both "at rest" (stored data) and "in transit" (data being transmitted).

In the context of SOC 2, this is the least desirable opinion, indicating that the auditor found significant deficiencies in the service organization's controls and that the organization is not meeting the relevant criteria. This opinion suggests that the user entity should not rely on the vendor's systems.

Acronym for “Advanced Encryption Standard.” See Strong Cryptography.

The U.S. professional body that created the SOC reporting framework. AICPA sets the standards for service organization audits like SOC 1, SOC 2, and SOC 3.

Acronym for “American National Standards Institute.”

Software that is designed to detect and remove, block, or contain various forms of malicious software.

Acronym for “Attestation of Compliance.” The AOC is the official PCI SSC form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).

Application Programming Interface

Includes all purchased, custom, and bespoke software programs or groups of programs, including both internal and external (for example, web) applications.

Also referred to as “service accounts.” Accounts that execute processes or perform tasks on a computer system or in an application. These accounts usually have elevated privileges that are required to perform specialized tasks or functions and are not typically accounts used by an individual.

A vendor certified to run external vulnerability scans as part of PCI DSS compliance requirements.

A formal, periodic process of reviewing and validating users' access rights to systems, applications, and data to ensure they are appropriate based on the users’ roles, responsibilities, and employment status.

Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.

Automated Teller Machine

Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.

The auditor’s formal conclusion on the effectiveness of controls (in IT audits) or fairness of financial statements (in financial audits). Audit opinions come in four possible variations: unqualified, qualified, adverse, and disclaimer of opinion.

This is the specific timeframe for which the audit is being conducted. It defines the beginning and end dates of the period under review.

A clear, documented sequence of events or records showing how a transaction or activity was initiated, processed, and completed. It supports transparency and traceability for audit purposes.

Process of verifying identity of an individual, device, or process. Authentication typically occurs with one or more authentication factors. See Account, Authentication Credential, and Authentication Factor.

Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process. See Account and Authentication Factor.

Method of authentication used to verify the identity of an individual, device, or process. Factors include something you know (password), something you have (token), and something you are (biometric).

In the context of access control, the process of granting privileges to access data and perform actions based on identity.

The use of technology to automatically gather documentation and proof (like logs or screenshots) needed to demonstrate compliance with security frameworks.

Focuses on whether systems are available for operation and use as committed or agreed. It’s about uptime and performance.

B

Duplicate copy of data made for archiving purposes or for protecting against damage or loss.

Business-As-Usual

Standardized configuration of a system or device that has been formally reviewed and approved.

Business Impact Analysis

Authentication factor based on a physical characteristic of the user, such as a fingerprint, retina pattern, or voice pattern.

Business Process Analysis

An incident that results in unauthorized access to data, applications, services, networks, or devices.

A letter from a service organization to extend assurance from the end of an audit reporting period to a more current date.

A legally required HIPAA contract that ensures a third-party vendor will safeguard patient health information when working with a healthcare provider.

Documented procedures and processes for maintaining business operations in the event of disruptions or disasters.

C

Certificate Authority

Card Authentication Data

A California law that gives residents rights over how their personal information is collected, used, and shared. It requires transparency and opt-out mechanisms.

Individual to whom a payment card is issued or any individual authorized to use the payment card.

At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, or service code.

The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.

This method excludes the subservice organization’s controls from the scope of the SOC report. User entities (customers) must obtain assurance separately about the subservice organization, typically by requesting their SOC reports.

Cardholder Authentication Verification Value

Cardholder Data

Cardholder Data Environment

Entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate.

Processes and controls that ensure changes to IT systems, applications, and infrastructure are implemented safely and effectively.

Confidentiality, Integrity, and Availability

Data that has been encrypted and is unreadable without the decryption key.

The process of ensuring that cloud-based systems and services meet required legal, regulatory, and industry standards such as SOC 2, ISO 27001, or HIPAA.

A cybersecurity control framework from CSA that maps security controls to cloud-specific risks and industry standards.

A set of policies, controls, and tools designed to protect cloud infrastructure, data, and applications from cyber threats and unauthorized access.

A cloud-specific assurance framework that evaluates the security and transparency of cloud service providers. Builds on ISO 27001 with additional cloud-focused controls.

Control Objectives for Information and Related Technologies

A third-party data center where organizations can lease space, power, cooling, and network connectivity to house their servers and other IT equipment.

A widely recognized and industry-standard model for establishing and maintaining effective internal controls within organizations.

A specific set of criteria used within the SOC 2 (System and Organization Controls 2) framework for evaluating a service organization's controls related to security. Specifically, it represents the criteria under the Security Trust Services Category, which is the only mandatory category for a SOC 2 audit.

Alternative controls put in place to meet the spirit and intent of the original security requirement when the original control cannot be implemented.

Controls that subservice organizations (vendors of the service organization) are expected to implement to ensure the overall system of controls operates effectively.

Controls that user entities (customers of the service organization) are expected to implement to ensure the overall system of controls operates effectively.

The use of technology to streamline evidence collection, control mapping, and audit readiness.

Addresses how sensitive information is protected from unauthorized disclosure throughout its lifecycle.

Process of controlling changes to the system configuration, including changes to system software, hardware, and documentation.

A software development practice where code changes are automatically tested and deployed, enabling faster and more reliable software releases.

The ongoing process of detecting, reporting, and responding to security threats or changes in system configuration in real time or near real time.

A broader issue indicating that a control is not designed or operating effectively, increasing the risk of failure to meet control objectives.

Commercial off-the-Shelf

Systems that are essential to the operation of an organization and must be maintained for business continuity.

Certificate Revocation List

Value used to control cryptographic operations, such as encryption, decryption, signature generation, or signature verification.

Common Vulnerability Scoring System

A structured process for identifying, analyzing, and prioritizing cyber threats to inform decision-making and improve security posture.

The practice of protecting systems, networks, and data from digital attacks through technologies, processes, and controls.

A U.S. Department of Defense framework that evaluates and certifies cybersecurity practices for government contractors. CMMC is required for handling Controlled Unclassified Information (CUI).

D

Dual Authentication

Discretionary Access Control

The conversion of readable data into an unreadable format to prevent unauthorized access. It’s a fundamental method for securing data both at rest and in transit.

Process of converting plaintext data into ciphertext to protect it from unauthorized access.

A visual representation that shows how data moves through a system, including its sources, destinations, processes, and data storage points.

A strategy and set of tools that prevent sensitive data from being accidentally or maliciously leaked, lost, or accessed by unauthorized users.

Set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.

Database Management System

A physical or logical subnetwork that separates an internal local area network (LAN) from other untrusted networks, typically the Internet.

Controls designed to identify errors or undesirable events after they have occurred. Examples include user access reviews, vulnerability scanning, intrusion detection systems, etc.

Mathematical scheme for verifying the authenticity of digital messages or documents.

Documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.

In the context of SOC 2, this opinion is issued when the auditor is unable to form an opinion due to limitations in scope or lack of sufficient evidence.

Data Loss Prevention

Demilitarized Zone

Domain Name System

Denial of Service

Data Security Standard

Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information.

Derived Unique Key Per Transaction

A type of black-box testing that analyzes running applications for vulnerabilities by simulating external attacks without access to the source code.

E

Evaluation Assurance Level

Elliptic Curve Cryptography

Elliptic Curve Digital Signature Algorithm

Encrypted File System

Electronic Funds Transfer

PHI that is created, stored, transmitted, or received in an electronic format.

Europay, MasterCard, and Visa

Process of converting information or data into a code, especially to prevent unauthorized access.

The point when a product or software is no longer supported by the vendor, often increasing cybersecurity risk if continued in use.

Encryption of data from one end of a transmission to the other.

A law that protects the personal data of individuals in the EU. It requires organizations to handle personal data responsibly and transparently.

Process of tracking and analyzing events to identify potential security incidents.

A deviation from the expected control behavior or procedure found during testing. Multiple exceptions may lead to a control deficiency, depending on their impact and frequency.

Process of responding to and resolving exceptions, errors, or unexpected conditions in a system.

Targets internet-facing assets like web apps and firewalls to test perimeter defenses.

F

Automatic switching to a redundant or standby system upon the failure or abnormal termination of the currently active system.

A U.S. government framework that standardizes the security assessment of cloud products and services used by federal agencies.

A security control that continuously monitors and alerts on unauthorized or unexpected changes to critical system files, configurations, or applications.

Federal Information Processing Standard

Network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

File Transfer Protocol

Fear, Uncertainty, and Doubt

Encryption technology that encrypts all data on a disk drive.

G

A pre-audit evaluation that identifies missing policies, controls, or documentation needed to meet compliance requirements.

Governance, Risk, and Compliance

Graphical User Interface

H

The process of securing a system by reducing its attack surface, typically by disabling unnecessary services and applying security configurations.

A certifiable security and privacy framework that incorporates HIPAA, ISO, NIST, and others to help organizations manage compliance across multiple standards.

Systems for maintaining proper temperature, humidity, and air quality in facilities. In data centers, they ensure the reliable operation of IT equipment, preventing overheating, condensation, and particulate contamination.

Host-based Intrusion Detection System

Host-based Intrusion Prevention System

Hypertext Markup Language

Hypertext Transfer Protocol

Hypertext Transfer Protocol Secure

I

A structured process for identifying, managing, and recovering from cybersecurity incidents like breaches or malware attacks.

Documented plan detailing the procedures and processes for detecting, responding to, and recovering from security incidents.

This method includes the subservice organization’s controls within the scope of the SOC audit and testing. The auditor assesses and tests relevant controls at both the service organization and the subservice organization.

Any data, documents, reports, or evidence generated by the company’s systems or personnel that are used by auditors to perform control testing. For reliability, auditors evaluate the source, completeness, and accuracy of the IPE.

A framework of policies, procedures, and controls for managing and protecting an organization’s sensitive data, required for ISO 27001 compliance.

Set of rules and practices that specify how an organization manages and protects its information assets.

Cloud computing model that provides on-demand access to computing resources like virtual machines, storage, and networks over the internet.

An audit of IT controls that is typically integrated with an audit of financial statements.

Simulates an insider threat or breach from within the network.

A global body that develops standards across many industries, including ISO 27001, which governs information security.

A global assurance standard developed by the International Auditing and Assurance Standards Board (IAASB), used to evaluate controls at a service organization. Similar in purpose to SSAE 18, but used internationally (outside the U.S.) and focuses on internal controls over financial reporting.

Device or software application that monitors network or system activities for malicious activities or policy violations.

Network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.

Internet Protocol

Intrusion Prevention System

Internet Protocol Security

Information Security Management System

International Organization for Standardization

An international standard for managing information security. It helps organizations protect data through risk management, policies, controls, and audits.

Internet Service Provider

Information Technology

Controls that operate within specific applications to ensure the accuracy, integrity, and completeness of data processed by those applications. Examples include edit checks, validation rules, data matching, and workflow approvals within an application.

Controls that focus on the broader IT environment, ensuring the reliability and security of the underlying infrastructure. Examples include access controls, change management, data backup and recovery, incident management, and job scheduling.

Information Technology General Controls

Initialization Vector

K

Process of managing cryptographic keys, including their generation, storage, distribution, and destruction.

Key Risk Indicator

L

Local Area Network

Lightweight Directory Access Protocol

The principle of granting users, applications, or systems only the minimum access rights or permissions necessary to perform their required functions.

M

Media Access Control

Malicious software designed to harm, exploit, or otherwise compromise information systems.

End-to-end support to help organizations meet compliance requirements for standards like SOC 2, PCI DSS, HIPAA, and more—ongoing, automated, and expert-led.

N

Network Access Control

Network Address Translation

A set of guidelines and best practices developed by NIST to help organizations manage and reduce cybersecurity risk based on business needs, risk tolerance, and resources.

O

Software or IT infrastructure hosted and managed internally on a company’s own physical premises.

Operating System

P

Point-to-Point Encryption

Payment Application Data Security Standard

Primary Account Number

Q

Qualified Security Assessor

In the context of SOC 2, this opinion suggests that while most of the controls are functioning correctly, there are some exceptions or limitations that prevent the auditor from issuing an unqualified opinion. These exceptions are not severe enough to warrant an adverse opinion but still need to be addressed.

R

Random Access Memory

A preliminary evaluation designed to gauge an organization's preparedness for an upcoming audit. It identifies potential gaps in processes, controls, and documentation, allowing for remediation before the formal audit begins.

A high, but not absolute, level of assurance that controls are designed and operating effectively (in IT audit) or that financial statements are presented fairly and are free from material misstatement (in financial audit).

S

Software as a Service

Sensitive Authentication Data

A method where a subset of items (e.g., changes, user accounts, incidents) is selected to test the effectiveness of a control.

T

Terminal Access Controller Access-Control System Plus

Transmission Control Protocol/Internet Protocol

Transparent Data Encryption

U

User Acceptance Testing

A device that provides backup power to critical equipment during power outages or fluctuations.

In the context of SOC 2, this is the "clean" opinion, indicating that the auditor found the service organization's controls to be suitably designed and operating effectively.

V

A review process to evaluate the cybersecurity and compliance practices of third-party vendors, often involving questionnaires or audits.

Encrypted network connection that helps ensure that sensitive data is safely transmitted.

Virtual Local Area Network

W

Web Application Firewall

A procedure where the auditor follows a single transaction or process from its origin to completion to understand the entity's internal control design and identify potential risks.

Wide Area Network

Z

A modern security model that assumes no user or device is trusted by default, even inside the network. Every access request must be verified.