Reference
Glossary
Reference

Glossary

The vocabulary of GRC, in plain English first. Use search and filters to find what you need quickly.

89 terms
Asset
Risk

Anything of value to the organization — data, systems, people, facilities, intellectual property.

Why it matters: Risk only exists in relation to an asset. You cannot rate a risk without naming the asset at stake.

Example: The customer database is an asset; the marketing blog usually is not.

Asset InventoryCMDBData Classification
Asset Inventory
Risk

The authoritative list of assets in scope for a security program, including ownership and classification.

Why it matters: First control in nearly every framework. Without it, every other control has gaps.

CMDBData Classification
Authority to Operate (ATO)
Frameworks

A formal management decision by a senior official authorizing a system to operate and accepting the residual risk.

Why it matters: The deliverable that ends the NIST RMF process; required to operate federal systems.

NIST RMFPOA&MSSP
Annex A
Frameworks

The reference list of 93 information security controls in ISO/IEC 27001:2022.

Why it matters: The catalog you pull from when building the Statement of Applicability.

ISO 27001Statement of Applicability
Attestation
Audit

A formal assurance report issued by a licensed practitioner (e.g., a CPA firm) about an assertion by management.

Why it matters: SOC 2 is an attestation, not a certification — the wording matters in contracts.

SOC 2Certification
Audit Trail
Audit

A chronological record of activity sufficient to reconstruct who did what when.

Why it matters: Foundational for forensics and most logging-related controls.

LoggingDetective Control
Authentication
Controls

Verifying that an entity is who it claims to be.

Why it matters: Half of access control (the other half is authorization).

AuthorizationMFASSO
Authorization
Controls

Determining what an authenticated entity is allowed to do.

Why it matters: Most least-privilege failures are authorization failures, not authentication failures.

Least PrivilegeRBACABAC
BAA (Business Associate Agreement)
Vendor

Contract required under HIPAA between a covered entity and a vendor that handles ePHI on its behalf.

Why it matters: Without a BAA, the vendor relationship is non-compliant with HIPAA.

HIPAAePHIVendor Risk
Baseline
Controls

A minimum standard configuration or control set applied across like systems.

Why it matters: Drift from baseline is one of the most common audit findings.

Configuration ManagementHardening
Breach
Privacy

Unauthorized access, acquisition, use, or disclosure of protected data.

Why it matters: Defined precisely by regulation (GDPR, HIPAA, state laws) — definitions trigger notification clocks.

IncidentGDPRHIPAA
Business Continuity Plan (BCP)
Operations

Documented plan to maintain or restore business operations during and after a disruption.

Why it matters: Required by most frameworks; tested annually at minimum.

DRBIARTORPO
Business Impact Analysis (BIA)
Operations

Analysis identifying critical processes and the impact of their disruption over time.

Why it matters: Drives RTO/RPO targets and BCP/DR investment priorities.

BCPRTORPO
CCPA / CPRA
Privacy

California Consumer Privacy Act and its successor; grants California residents privacy rights similar to GDPR.

Why it matters: The most influential U.S. state privacy law; many other states model on it.

GDPRPrivacy
CIA Triad
Risk

Confidentiality, Integrity, Availability — the three foundational properties of information security.

Why it matters: Risks and controls are usually framed around which of the three they protect.

ConfidentialityIntegrityAvailability
CMMC
Frameworks

Cybersecurity Maturity Model Certification — the U.S. DoD's certification program for defense contractors.

Why it matters: Required to bid on most DoD contracts.

NIST SP 800-171CUIFCI
Compensating Control
Controls

An alternative control that achieves the intent of a primary control when the primary control cannot be implemented.

Why it matters: Common in PCI DSS and exception management.

ExceptionPCI DSS
Configuration Management
Controls

Establishing, maintaining, and verifying the configuration of systems against a baseline.

Why it matters: Drift from baseline is a leading audit finding.

BaselineChange Management
Control
Controls

A safeguard or countermeasure that reduces risk by preventing, detecting, or correcting an event.

Why it matters: Controls are the building blocks of every security program and audit.

Preventive ControlDetective ControlCorrective Control
Control Owner
Controls

The person accountable for the design and operation of a control.

Why it matters: Auditors test by interviewing owners. Unowned controls are unmanageable.

RACI
Crosswalk
Frameworks

A mapping that shows where requirements in one framework correspond to another.

Why it matters: Lets one control satisfy many requirements; reduces audit effort.

UCFControl Mapping
CUI
Frameworks

Controlled Unclassified Information — U.S. government information requiring safeguarding per law or policy.

Why it matters: Drives CMMC Level 2 scope.

CMMCFCINIST SP 800-171
Data Classification
Risk

Categorizing data by sensitivity to determine handling and protection requirements.

Why it matters: Drives encryption, access, retention, and destruction decisions.

Asset InventoryData Loss Prevention
Data Subject
Privacy

An identified or identifiable natural person whose personal data is processed.

Why it matters: GDPR rights belong to data subjects.

GDPRDSAR
DSAR
Privacy

Data Subject Access Request — an individual's request to know what personal data an org holds about them.

Why it matters: GDPR requires response within one month.

GDPRData Subject
Detective Control
Controls

A control that identifies when an event has occurred (e.g., logging, monitoring, IDS).

Why it matters: One leg of the prevent/detect/correct triad.

Preventive ControlCorrective Control
Defense in Depth
Controls

Layered controls so the failure of any one does not result in compromise.

Why it matters: Justification for controls that look 'redundant.'

Layered Security
DPIA
Privacy

Data Protection Impact Assessment — required under GDPR for high-risk processing.

Why it matters: Demonstrates accountability and surfaces privacy risks before they become incidents.

GDPRPrivacy
DPO
Privacy

Data Protection Officer — required role for some organizations under GDPR.

Why it matters: Independent advisor reporting to the highest management level.

GDPR
Encryption at Rest / in Transit
Controls

Protecting data while stored on disk (rest) and while moving across networks (transit).

Why it matters: Mandated by nearly every framework and most contracts.

CryptographyKMS
ePHI
Privacy

Electronic Protected Health Information — any individually identifiable health information in electronic form.

Why it matters: The data class regulated by the HIPAA Security Rule.

HIPAAPHI
Evidence
Audit

Documentation proving a control operated as designed during the audit period.

Why it matters: The currency of audit work. No evidence = control failure regardless of reality.

PBCAudit
Exception
Compliance

A documented, time-bound deviation from a policy or control with compensating measures.

Why it matters: Formalizes 'we can't comply yet' into managed risk.

Compensating ControlRisk Acceptance
External Audit
Audit

An audit performed by an independent third party (vs. internal audit).

Why it matters: Required for SOC 2, ISO 27001 certification, FedRAMP.

Internal AuditAuditor
FCI
Frameworks

Federal Contract Information — info not for public release generated for or provided under a federal contract.

Why it matters: Drives CMMC Level 1 scope.

CMMCCUI
FedRAMP
Frameworks

U.S. government program standardizing security assessment for cloud services used by federal agencies.

Why it matters: Required to sell cloud services to U.S. federal agencies.

NIST RMFATO3PAO
Finding
Audit

An auditor's documented observation that a control failed or is deficient.

Why it matters: Findings drive remediation work and can lead to qualified opinions.

ExceptionRemediation
Framework
Frameworks

A structured set of guidelines for managing security or compliance (e.g., NIST CSF, ISO 27001).

Why it matters: Provides shared vocabulary and scope.

StandardControl
GDPR
Privacy

General Data Protection Regulation — EU regulation governing the processing of personal data.

Why it matters: Applies extraterritorially; fines up to 4% of global turnover.

Data SubjectDPIAROPA
Governance
Frameworks

The structures, roles, and policies that direct and control an organization's security program.

Why it matters: The 'G' in GRC and now a top-level CSF 2.0 Function.

PolicyRisk Appetite
Hardening
Controls

Reducing a system's attack surface through configuration changes.

Why it matters: Operationalizes baselines like CIS Benchmarks.

BaselineCIS Benchmarks
HIPAA
Frameworks

Health Insurance Portability and Accountability Act — U.S. law governing protected health information.

Why it matters: Dominant framework for U.S. healthcare GRC.

ePHIBAA
Incident
Operations

An event that compromises or threatens to compromise the CIA of information.

Why it matters: Triggers IR plan, communications, and post-incident review.

BreachEvent
Information Security Management System (ISMS)
Frameworks

A documented system of policies, processes, and procedures for managing information security risks, per ISO 27001.

Why it matters: The thing that gets certified in ISO 27001.

ISO 27001PDCA
Inherent vs Residual Risk
Risk

Inherent = risk with no controls; Residual = risk remaining after controls.

Why it matters: Control effectiveness is the gap between the two.

Control Effectiveness
Internal Audit
Audit

Independent assurance activity performed by employees of the organization.

Why it matters: Catches issues before external auditors do.

External Audit
ISO 27001
Frameworks

International standard for an Information Security Management System (ISMS).

Why it matters: Most widely recognized international security certification.

ISMSAnnex AStatement of Applicability
ITGC
Audit

IT General Controls — foundational controls (access, change, ops) tested for financial-statement audits.

Why it matters: Heart of SOX IT audits; overlaps heavily with SOC 1.

SOXSOC 1
Key Performance Indicator (KPI)
Operations

A measurable value showing how effectively an objective is being met.

Why it matters: Drives metrics reporting to leadership.

MetricsKRI
Key Risk Indicator (KRI)
Risk

A measurable signal that risk exposure is increasing.

Why it matters: Early warning for board-level risk reporting.

KPIRisk
Least Privilege
Controls

Granting only the minimum access needed to perform a job function.

Why it matters: Cited in almost every access-related framework requirement.

AuthorizationRBAC
Logging
Controls

Generating and retaining records of system and user activity.

Why it matters: Foundation of detection, forensics, and most compliance audit trails.

Audit TrailSIEM
Material Weakness
Audit

A deficiency severe enough that a material misstatement may not be prevented or detected.

Why it matters: Most serious audit conclusion; usually triggers public disclosure for SOX.

Significant Deficiency
MFA
Controls

Multi-Factor Authentication — requires two or more independent factors.

Why it matters: Highest-impact, lowest-cost preventive control.

AuthenticationPhishing-Resistant MFA
NIST CSF
Frameworks

NIST Cybersecurity Framework — voluntary framework with six Functions.

Why it matters: Most widely adopted umbrella framework in industry.

NIST RMFProfile
NIST RMF
Frameworks

NIST Risk Management Framework — seven-step process for managing federal system risk.

Why it matters: Backbone of FedRAMP, FISMA, DoD RMF.

ATOSSPPOA&M
NIST SP 800-53
Frameworks

Catalog of security and privacy controls for federal systems.

Why it matters: The control catalog NIST RMF selects from.

NIST RMFBaseline
NIST SP 800-171
Frameworks

110 controls for protecting Controlled Unclassified Information (CUI) in non-federal systems.

Why it matters: Foundation of CMMC Level 2.

CMMCCUI
Nonconformity
Audit

ISO 27001 term for a failure to meet a requirement; can be major or minor.

Why it matters: Majors can block certification.

ISO 27001Finding
PBC
Audit

Provided By Client — the list of documents/evidence an auditor requests.

Why it matters: Your audit project plan revolves around the PBC.

EvidenceAudit
PCI DSS
Frameworks

Payment Card Industry Data Security Standard — protects cardholder data.

Why it matters: Mandatory for any org handling card data; card brands enforce.

CDEPANQSA
POA&M
Frameworks

Plan of Action and Milestones — the running list of open weaknesses and remediation plans for a federal system.

Why it matters: Required for ATO maintenance; reviewed continuously.

NIST RMFATO
Policy
Controls

High-level statement of management intent; the 'must' at the top of the documentation hierarchy.

Why it matters: Sets the floor for control expectations.

StandardProcedure
Preventive Control
Controls

A control that stops an event from happening.

Why it matters: One leg of the prevent/detect/correct triad.

Detective Control
Privacy
Privacy

The rights and expectations of individuals over the collection, use, and disclosure of their personal information.

Why it matters: Distinct from security: you can be secure and still violate privacy.

GDPRCCPA
Procedure
Controls

Step-by-step instructions implementing a standard.

Why it matters: Where 'we said we'd do this' becomes 'here's how we actually do it.'

PolicyStandard
Qualified Security Assessor (QSA)
Frameworks

Auditor authorized by the PCI SSC to perform PCI DSS Reports on Compliance.

Why it matters: Required for Level 1 merchants and many service providers.

PCI DSS
RACI
Operations

Responsibility matrix: Responsible, Accountable, Consulted, Informed.

Why it matters: Clarifies who does what for a control or process.

Control Owner
RBAC
Controls

Role-Based Access Control — access rights granted based on roles, not individuals.

Why it matters: Most common access model in enterprises.

ABACLeast Privilege
Recovery Point Objective (RPO)
Operations

Maximum acceptable data loss measured in time.

Why it matters: Drives backup frequency.

RTOBCP
Recovery Time Objective (RTO)
Operations

Maximum acceptable time to restore a service after disruption.

Why it matters: Drives DR architecture investment.

RPODR
Risk
Risk

The effect of uncertainty on objectives, usually expressed as likelihood × impact.

Why it matters: The central object the GRC team manages.

Inherent vs Residual RiskRisk Register
Risk Acceptance
Risk

Formal decision to tolerate a risk without further treatment.

Why it matters: Must be approved by someone with the authority to accept that level of risk.

Risk TreatmentException
Risk Appetite
Risk

The amount of risk an organization is willing to pursue or retain.

Why it matters: Sets the boundary between 'accept' and 'treat.'

Risk ToleranceGovernance
Risk Register
Risk

The catalog of identified risks with ratings, owners, treatments, and status.

Why it matters: Single source of truth for risk management.

RiskTreatment
Risk Treatment
Risk

The decision and actions to address a risk: treat, transfer, tolerate, terminate.

Why it matters: Every risk needs an explicit treatment decision.

Risk Acceptance
ROPA
Privacy

Record of Processing Activities — GDPR Article 30 register of all personal data processing.

Why it matters: First thing a regulator asks for.

GDPR
SOC 1 / SOC 2 / SOC 3
Frameworks

AICPA attestation reports: SOC 1 for financial-reporting controls, SOC 2 for Trust Services Criteria, SOC 3 for public-use security marketing.

Why it matters: Most B2B SaaS deals reference SOC 2.

TSCAttestation
SOX
Frameworks

Sarbanes-Oxley Act — U.S. law requiring public companies to maintain effective internal controls over financial reporting.

Why it matters: Drives ITGC testing in public companies.

ITGCSOC 1
Standard
Controls

Mandatory rules implementing a policy (e.g., 'all admin access must use phishing-resistant MFA').

Why it matters: Bridges policy intent and operational procedure.

PolicyProcedure
Statement of Applicability (SoA)
Frameworks

ISO 27001 document listing every Annex A control with applicability and justification.

Why it matters: Central artifact reviewed in every ISO 27001 audit.

ISO 27001Annex A
System Security Plan (SSP)
Frameworks

Master document describing a system and how each control is implemented; required for NIST RMF and CMMC.

Why it matters: The single document an assessor reads first.

NIST RMFCMMC
Tabletop Exercise
Operations

Discussion-based exercise walking through response to a hypothetical scenario.

Why it matters: Cheap, frequent, surfaces gaps in plans and roles.

IR PlanBCP
Threat
Risk

A potential cause of an unwanted incident.

Why it matters: Half of the threat × vulnerability calculation.

VulnerabilityThreat Modeling
Threat Intelligence
Risk

Information about adversaries' tactics, techniques, and indicators.

Why it matters: Informs risk scoring and detection engineering.

Threat
Trust Services Criteria (TSC)
Frameworks

The five SOC 2 categories: Security, Availability, Processing Integrity, Confidentiality, Privacy.

Why it matters: What every SOC 2 control maps to.

SOC 2
Vendor Risk
Vendor

Risk introduced by third parties that process data or provide services.

Why it matters: Many breaches originate with vendors; customers expect TPRM programs.

TPRMFourth Party
Vulnerability
Risk

A weakness that a threat can exploit.

Why it matters: Risk = threat × vulnerability × impact.

ThreatPatch Management
Walkthrough
Audit

Auditor's session with a control owner to understand how a control is performed.

Why it matters: Sets the auditor's expectations for evidence; usually precedes testing.

AuditControl Owner