Download now
Download now

The ecosystem of cybersecurity, compliance, and privacy uses a plethora of abbreviations, phrases, and assumed knowledge. Whether you’re an industry expert or just getting started, sorting through the alphabet soup of terminology is an ongoing challenge.

Here’s everything you need to stay up to date on security acronyms, terms, and more.

Security terms glossary: A-Z

A | B | C | D | E

F | G | H | I | J

K | L | M | N | O

P | Q | R | S | T

U | V | W | X | Y | Z

A

ACL: Access Control List

An ACL is a set of rules to determine which users or systems can access certain resources in a network. It uses access management (restrictions and permissions) to safeguard sensitive data and maintain system integrity.

AOC: Attestation of Compliance

An AOC is a document certifying an organization’s compliance with specific security standards and regulations, such as PCI DSS. It must be submitted by a QSA (Qualified Security Assessor) or vendor. The Attestation of Compliance assures stakeholders of preventative security measures to protect sensitive information.

API: Application Programming Interface

An API is a software interface that allows two applications to talk to each other. The Application Programming Interface sits between an application and a web server, acting as an intermediary layer that processes data transfer between systems.

APT: Advanced Persistent Threat

An APT is a prolonged, targeted cyberattack where an intruder remains undetected for an extended period after gaining access to a network. Advanced Persistent Threats are usually more sophisticated and under the radar, scheming to steal sensitive data or disrupt operations.

ATP: Advanced Threat Protection

ATP is the set of security solutions designed to prevent, detect, and respond to sophisticated cyber threats to your organization. Advanced Threat Protection uses a combination of cloud security and endpoint security, giving you real-time threat visibility with predictive security measures (often powered by AI) and rapid response.

Audit

An audit is a formal process to review and assess compliance with security, regulatory, and governance requirements. Audits — internal or external — are crucial for identifying gaps in systems and processes.

(Back to top)

B

BC/DR or BCP: Business Continuity and Disaster Recovery

BC/DR represents a set of approaches or processes that help an organization recover from a disaster and resume its routine business operations. These plans involve preparing for various scenarios, from natural disasters to cyberattacks, to minimize downtime and data loss.

Breach

A breach is a security incident where unauthorized access to sensitive data or systems occurs. Breaches may result in data theft, reputation damage, and regulatory penalties, along with a lapse in customer trust.

Brute Force Attack

A Brute Force Attack is a trial-and-error hacking method where every possible password or passphrase are systematically guessed. 

(Back to top)

C

CAIQ: Consensus Assessment Initiative Questionnaire

The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.

CCPA: California Consumer Privacy Act

The CCPA is a California State Statute passed in 2020, allowing consumers to have more control over data shared with websites. This mandates businesses to comply with requests for personal data (such as names and website history) to be accessed, deleted, or opted out of selling.

CDE: Cardholder Data Environment

The CDE refers to the components, processes, and networks that process and store cardholder data. Protecting the Cardholder Data Environment is part of maintaining PCI DSS compliance, ensuring payment information remains secure.

Cloud Compliance Framework

A cloud compliance framework helps organizations adhere to regulatory, security, and operations best practices for cloud-based systems. Using a cloud compliance framework builds a proactive security and compliance posture while minimizing financial/reputation risk from security lapses. Examples of these frameworks include: ISO, NIST, FedRAMP, ISO, CSA CCM, CSA STAR, and more.

Cloud Security

Cloud security is the set of policies, controls, and technologies which protect cloud-based systems, data, and infrastructure. As modern business relies on the cloud, a robust cloud security strategy is integral to cybersecurity.

CMS: Credential Management System

A CMS is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI). It ensures only authorized individuals can access sensitive information.

Compliance

Compliance is defined by the adherence to laws, regulations, and internal policies governing an organization’s operations. Compliance ensures companies meet certain standards, obligations, and ethical practices from a legal or operational perspective.

Compliance Audit

The compliance audit assesses the entirety of an organization’s compliance posture with a compliance framework (like SOC 2) or mandated requirements/regulations (like GDPR and HIPAA). Compliance audits require the documentation of internal controls to an auditor.

CSA: Cloud Security Alliance

The CSA is an organization of thousands of cloud service providers providing thought leadership and best practices in security and cloud computing. The Cloud Security Alliance also maintains the popular CAIQ.

CSF (CSF 2.0): Cybersecurity Framework (NIST)

The CSF (in version 2.0 as of 2024) is the NIST’s guide for mitigating risk through six core functions — govern, identify, protect, detect, respond, and recover. The CSF 2.0 is not prescriptive, but rather a repository of resources and links for enabling organizations to achieve their desired cybersecurity outcomes.

CUI: Controlled Unclassified Information

CUI is government information (whether created or owned) that’s both unclassified, yet requires safeguarding and permission controls. Controlled Unclassified Information is determined by federal regulations and policies.

Cybersecurity

Cybersecurity is the collective of how an organization protects its systems, networks, and data from digital attacks, breaches, or damage. Cybersecurity strategy helps prevent unauthorized access or disruption of services and builds customer trust for organizations.

(Back to top)

D

DDoS: Distributed Denial of Service

A DDoS attack is designed to disrupt a website or network by bombarding it with traffic. Hackers and others use these attacks for a variety of reasons including revenge, extortion, plus financial and political gain.

DLP: Data Loss Prevention

DLP tools are used by organizations to block attempts to exfiltrate sensitive information outside of the organization’s network. For example, many organizations employ DLP to ensure that emails with personal information such as social security numbers or credit card numbers are blocked.

DNS: Domain Name Systems

The Domain Name System (DNS) is like a phone contacts list — it converts domain names into IP addresses, allowing your browser to load webpages.

DR: Disaster Recovery

Disaster recovery (DR) is the plan, systems, and processes put in place to recover IT systems and data following a disaster. DR is essential to business continuity and minimizes the impact of unexpected disruptions.

(Back to top)

E

EDR: Endpoint Detection & Response

EDR solutions are used to secure end users devices such as laptops by detecting potential malware or other attempts to exploit the device. They are typically considered to be the successor to traditional signature-based antivirus software and use a combination of signatures and machine learning to detect advanced threats.

Encryption

Encryption is a method of converting data into a coded format that, only readable by authorized parties. Encryption is a building block to safeguard sensitive information, especially for data transmission (when data is most vulnerable).

ERM: Enterprise Risk Management

ERM is the holistic strategy for identifying and managing risks across the entire organization. Enterprise risk management involves a comprehensive analysis of the tolerance and response strategies for financial, operational, technology, legal, regulatory, reputational, and strategic risks.

(Back to top)

F

FedRAMP: Federal Risk and Authorization Management Program

FedRAMP standardizes the security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. It ensures that cloud providers meet rigorous security requirements, protecting federal data.

Firewall

A firewall is a system for monitoring and controlling incoming and outgoing network traffic, based on predefined security rules. Firewalls prevent unauthorized access to networks and serve as the first line of defense against cybersecurity attacks.

(Back to top)

G

GDPR: General Data Protection Regulation

The GDPR is a European Union regulation that enhances data protection and privacy for individuals. It imposes strict guidelines on data handling, giving individuals greater control over their personal information and ensuring its secure processing.

GRC: Governance, Risk, and Compliance

GRC encompasses the strategies and processes used to manage an organization's overall governance, risk management, and compliance. Effective Governance, Risk, and Compliance ensures that businesses operate ethically, manage risks proactively, and comply with relevant regulations.

GRC Software

GRC software includes tools or applications for managing governance, risk, and compliance strategy. GRC software is compliant with internal/external standards, helping organizations manage and assess risk, consolidate user access, and streamline GRC efforts.

(Back to top)

H

HIPAA: Health Insurance Portability and Accountability Act

HIPAA is a federal law that sets the standard to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Organizations with access to protected information must comply with HIPAA by maintaining confidentiality, integrity, and approved access of data.

Honeypot

A honeypot is a decoy cybersecurity mechanism that attracts cyberattackers by simulating a vulnerable system or network. Honeypots help organizations gain insight on hacker attack methods in real time.

(Back to top)

I

IAM: Identity and Access Management  

IAM solutions manage user identification and control resource access. Identity and access management solutions help secure systems through user authorization, relative to sensitive data and actions with that data.

IDS/IPS: Intrusion Detection System/Intrusion Prevention System

IDS and IPS tools can be used at the network or host level to monitor and identify anomalies in a network. An IDS (intrusion detection system) generates alerts for users to review, and an IPS (intrusion prevention system) actively blocks and mitigates malicious activity.

IOC: Indicators of Compromise

IOCs are the data or evidence that indicate a security breach. These indicators highlight both past or ongoing threats — examples include malicious IP addresses, hashes, TTPs, domains, and anything out-of-the-ordinary activity.

ISA: International Society of Automation

The ISA develops worldwise cybersecurity standards relative to automation systems and applications. Specifically, the ISA/IEC 62443 standards are endorsed by United Nations, which helps organizations integrate security into the operations lifecycle.

ISO: International Organization for Standardization

An international standard-setting body that maintains various technical, industrial, and commercial standards. ISO 27001, which focuses on Information Security Management, is one of the most popular standards that organizations outside of North America become certified for, defining standards for an ISMS (information management system).

ISP: Information Security Policy

An ISP includes the rules and guidelines of how an organization manages and protects its information assets. The information security policy includes documentation around confidentiality, integrity, and availability, outlining the security posture for teams to understand and align to.

IRM: Integrated Risk Management

IRM is the comprehensive approach to how an organization manages risks. Mainly, integrated risk management involves embedding standard risk management practices into business operations, fundamentally improving decision making and adaptability to risk scenarios.

(Back to top)

J

JIT (Just-in-Time Access)

JIT is a security strategy that provides temporary access to critical systems. JIT access minimizes unauthorized access windows by limiting the duration of user permissions.

JSON: JavaScript Object Notation

JSON is an open standard data-interchange format that’s easy for both humans to write and read, and for machines to parse and produce. It uses name-value or “object” pairing, along with an ordered list of values “array,” to structure data in a language-independent, universal format.

(Back to top)

M

Malware

Malware stands for malicious software, which can damage, disrupt, or gain access to systems. Common methods of malware include viruses, ransomware, and spyware.

MDM: Mobile Device Management

MDM solutions are used to centrally manage and secure end user devices such as laptops and smartphones. Mobile device management involves deploying standardized configuration profiles, enforcing basic controls such as password complexity, disk encryption, and updates.

(Back to top)

N

NIST: National Institute of Standards and Technology

NIST creates and promotes cybersecurity standards, frameworks, and guidelines to reduce cyber risk. NIST's Cybersecurity Framework provides core functions to help organizations mitigate risk (see CSF).

(Back to top)

O

Open Web Application Security Project (OWASP)

A nonprofit organization that provides free guidelines and tools to improve software security. OWASP is best known for its list of the top ten web application vulnerabilities.

Over-The-Air (OTA) Updates

OTA updates are software updates delivered wirelessly to devices like phones, computers, and IoT gadgets. OTA update security prevents unauthorized tampering with software.

(Back to top)

P

PCI DSS: Payment Card Industry Data Security Standard

PCI DSS is a set of security standards ensuring a security environment for any company that accepts, processes, stores, or transmits credit card information. The PCI DSS is a combined standard of five major card brands — Visa, Mastercard, American Express, Discover, and JCB — which started in 2004.

PenTest (Penetration Testing)

Pen testing is a method to evaluate a system’s security via cyberattack simulation. A PenTest helps identify vulnerabilities in real-time environments and improve contingencies.

PHI: Protected/Personal Health Information

PHI is any health information — demographic, historical, test/laboratory results, mental health conditions, insurance, etc. — collected to identify an individual and determine appropriate care.

Phishing

Phishing is an impersonation-based cyberattack where legitimate identifiers and entities are used to deceive users into sharing sensitive information, like passwords or credit card numbers.

PKI: Public Key Infrastructure

PKI is used in the issuance of digital certificates to protect sensitive data. It provides unique digital identities for users, devices and applications, and secures end-to-end communications and authentication.

(Back to top)

Q

QSA: Qualified Security Assessor

A QSA audits vendors and merchants for PCI DSS (as certified by the PCI Security Standards Council). QSAs evaluate security standards, identify cybersecurity gaps, and validate business compliance with PCI DSS requirements.

(Back to top)

R

Ransomware

Ransomware is a type of malware that captures a victim's data and demands payment (ransom) to release it. Businesses have become the primary target for ransomware attacks, given the number of opportunities for information targeting in an organization.

RBAC: Role-Based Access Control

RBAC is a mechanism that restricts system access. Role-based access control works on preset permissions and privileges, enabling system access and capabilities to authorized users while preventing access or certain capabilities to unauthorized users.

REST: Representational State Transfer

REST is an architectural style for software which creates stateless, reliable web-based applications, by which computer systems on the internet communicate with one another. 

Risk Assessment

Risk assessment is how an organization identifies and evalutes risks to its security, compliance, or operations. Enterprise, third party, and vendor risk assessments work together to create mitigation strategies for potential weaknesses or vulnerabilities in a security posture.

ROC: Report on Compliance

A ROC is a documented summary of a PCI DSS assessment. It outlines compliance status, any deficiencies or gaps in a security posture, and recommends further action (when necessary) to achieve full compliance.

(Back to top)

S

SAML: Security Assertion Markup Language

SAML works by exchanging user information — logins, authentication state, identifiers, and other relevant attributes — between the identity and service provider. By enabling the user to log in once with a single set of credentials, it streamlines the authentication process.

SAQ: Self-Assessment Questionnaire

The SAQ is a validation tool for merchants and service providers not required to do on-site data security assessments for PCI DSS — organizations with lower transaction volumes ( < 300,000 yearly). These entities use a self-assessment questionnaire to self-evaluate their security practices and compliance.

SCIM: System for Cross-Domain Identity Management

SCIM is a standard protocol for automating how user identity information is exchanged. It uses API through REST with data formatted through JSON or XML to automate and simplify data provisioning across applications and systems, ensuring consistent, secure identity data.

SDLC: Software Development Life Cycle

SDLC is a structured process for creating high-quality software, at low costs, in the shortest possible production time. The SDLC works to plan, design, test, and deploy software with a variety of methodologies — waterfall, iterative, spiral, agile — to consistently meet and exceed customer expectations.

SIEM: Security Information and Event Management

SIEM is technology that supports threat detection, compliance, and security incident management. Using the collection and analysis (both near real time and historical) of security events, plus other event and contextual data sources, organizations improve visibility and preparedness for cyberattacks.

SIG: Standardized Information Gathering

A repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks. The SIG Questionnaire covers 19 risk domains as part of TPRM strategy, coming in three varieties — SIG Core, SIG Lite (streamlined), and Custom SIG.

SLA: Service-Level Agreement

An SLA sets expectations between the service provider and the customer. Service-level agreements describe the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved.

SOC 1: Systems and Organization Controls

A SOC 1 report is for organizations whose internal security controls can impact a customer’s financial statements such as payroll, claims, or payment processing companies. SOC 1 reports can assure customers that their financial information is being handled securely.

SOC 2: Systems and Organization Controls

A SOC 2 report is a security framework specifying how organizations should safeguard customer data. The American Institute of CPAs (AICPA) built SOC 2 around security, availability, processing integrity, confidentiality, and privacy (the five Trust Services Criteria). 

SaaS vendors may be asked by customers’ legal, security, and procurement departments to provide copies of their SOC 2 report. SOC 2 does not correlate with legal regulations, in contrast to frameworks such as HIPAA, GDPR, and CCPA. Instead, it helps organizations prove their internal controls protect customer data.

SOC 2 Type 1

A SOC 2 Type 1 report evaluates cybersecurity at a given singular point.

SOC 2 Type 2

A SOC 2 Type 2 report evaluates cybersecurity systems over a time period (usually 3 months to a year).  

SOC 3: Systems and Organization Controls

A SOC 3 is a general/public use report that covers an organization’s internal controls over security, availability, processing integrity, and confidentiality. It’s less in-depth than a SOC 2, allowing organizations to build transparency into their trust posture without compromising data integrity.

SQL: Structured Query Language

SQL standardized programming language used to store and manage relational databases, as well as perform various operations on the data in them.

SSO: Single Sign-On

SSO is an authentication method enabling users to securely authenticate with multiple applications and websites with one set of credentials.

SSL: Secure Sockets Layer

SSL is an encryption-based security protocol, which uses certificates to establish secure connection between a browser/device and a server/website. TLS is the director evolution of SSL, but many TLS connections are still referred to as SSL.

(Back to top)

T

2FA or TFA: Two-Factor Authentication

2FA is a security method requiring two separate forms of identification for access. Typically, 2FA may combine known information (like a password) with a guarded asset (like a phone/security key).

TISAX: Trusted Information Security Asset Exchange

TISAX is an information exchange for organizations in the automotive industry, founded by the German Association of the Automotive Industry and managed by the ENX Association. Its standards are based on the ISO/IEC 27001 and 27002. Vendors working with TISAX members are usually required to share their existing assessment or complete a new assessment in due diligence.

TLS: Transport Layer Security

TLS is the successor to Secure Sockets Layer (SSL) and is a cryptographic protocol used to encrypt data in-transit over networks. Transport layer security is responsible for the secure delivery of data, but not necessarily end system security.

Tokenization

Tokenization is replacing sensitive data with unique identification markers (tokens), so essential information is retained without compromising security.

TPRM: Third Party Risk Management

TPRM identifies, manages, and mitigates risks associated with service providers or other external parties who may access a company's information assets. Third party risk management involves monitoring external party activity, instituting controls for organization security, and not introducing unnecessary friction in data sharing systems. 

Trust Center

A Trust Center (also known as a security portal) serves as a customer-facing home for security postures. Trust Centers are most often used to expedite the buyer security review process, automating labor and time-intensive procedures. By reducing friction for buyers to retrieve security information and providing sellers with highly customized access controls, Trust Centers act as the highly visible source of truth for organizations.  

(Back to top)

V

VPN: Virtual Private Network

A VPN extends a private network, establishing a secure, encrypted connection while using a public network. Virtual private networks help maintain the security of sensitive information, access, and network permissions.

VRM: Vendor Risk Management

Vendor risk management (including third party vendor management or enterprise vendor risk management) highlights the impact risks on business operations, reputation, and customer satisfaction. It is a subsidiary of TPRM specific to vendors, service providers (SaaS), and suppliers.

VSA: The Vendor Security Alliance

A coalition of companies committed to improving Internet security.

VSA, established by Airbnb, Atlassian, Docker, Dropbox, and Uber, is now a collective of companies and members committed to standardized assessments and resources for vendor cybersecurity.

VSA Core: The Vendor Security Alliance Core  

The VSA Core Questionnaire, released in October 2019, covers critical questions on vendor security and privacy, including US Privacy (data breach notification requirements and the CCPA), plus EU Privacy (GDPR).

VSA Full or VSAQ: The Vendor Security Alliance Questionnaire

The VSAQ or VSA questionnaire is an in-depth assessment of an organization’s service overview, data protection and access control, policies and standards, proactive security, reactive security, software supply chain, customer facing application security, and compliance.

(Back to top)

W

WAF: Web Application Firewall

A WAF protects web applications — by filtering/monitoring HTTP traffic — from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.

(Back to top)

X

XML: Extensible Markup Language

XML provides a similar markup language to HTML without predefined tags. XML is used define the structure and meaning of data, allowing organizations to share data between different systems and applications.

XSS: Cross-Site Scripting

An XSS attack involves injecting malicious executable scripts into the code of a trusted application or website. Attackers launch XSS attacks by sending a harmful link, enabling access to cookies, session tokens, and sensitive information in-browser.

(Back to top)

Z

Zero-Day Exploit

A zero-day exploit occurs when a security flaw in software is exploited before a fix is released from the software vendor. The challenge and danger in zero-day exploits come from their difficulty to detect.

Zero Trust Architecture

Zero trust architecture assumes no user or system has trust by default, whether internal or external to the network. Zero trust principles require continuous verification of identities and strict access controls, such as in government systems.

(Back to top)


SafeBase is the leading Trust Center Platform designed for friction-free security reviews. With an enterprise-grade Trust Center, SafeBase automates the security review process and transforms how companies communicate their security and trust posture. 

If you want to see how fast-growing companies like LinkedIn, Asana, and Jamf take back the time their teams spend on security questionnaires, create better buying experiences, and position security as the revenue-driver it is, schedule a demo.