The ecosystem of cybersecurity, compliance, and privacy uses a plethora of abbreviations, phrases, and assumed knowledge. Whether you’re an industry expert or just getting started, sorting through the alphabet soup of terminology is an ongoing challenge.
Here’s everything you need to stay up to date on security acronyms, terms, and more.
An ACL (access control list) is a set of rules that determines which users or systems can access certain resources in a network. It uses access management (restrictions and permissions) to safeguard sensitive data and maintain system integrity.
An AOC is a document certifying an organization’s compliance with specific security standards and regulations, such as PCI DSS. It must be submitted by a QSA (Qualified Security Assessor) or vendor. The Attestation of Compliance assures stakeholders of preventative security measures to protect sensitive information.
An API is a software interface that allows two applications to talk to each other. The Application Programming Interface sits between an application and a web server, acting as an intermediary layer that processes data transfer between systems.
An APT is a prolonged, targeted cyberattack where an intruder remains undetected for an extended period after gaining access to a network. Advanced Persistent Threats are usually more sophisticated and under the radar, scheming to steal sensitive data or disrupt operations.
ATP is the set of security solutions designed to prevent, detect, and respond to sophisticated cyber threats to your organization. Advanced Threat Protection uses a combination of cloud security and endpoint security, giving you real-time threat visibility with predictive security measures (often powered by AI) and rapid response.
An audit is a formal process to review and assess compliance with security, regulatory, and governance requirements. Audits — internal or external — are crucial for identifying gaps in systems and processes.
BC/DR represents a set of approaches or processes that help an organization recover from a disaster and resume its routine business operations. These plans involve preparing for various scenarios, from natural disasters to cyberattacks, to minimize downtime and data loss.
A breach is a security incident where unauthorized access to sensitive data or systems occurs. Breaches may result in data theft, reputation damage, and regulatory penalties, along with a lapse in customer trust.
A Brute Force Attack is a trial-and-error hacking method in which every possible password or passphrase is systematically guessed.
The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
The CCPA is a California State Statute passed in 2020, giving consumers more control over the data they share with websites. It requires businesses to honor consumer requests to access or delete their personal data (such as names and website history) and to opt out of its sale.
The CDE refers to the components, processes, and networks that process and store cardholder data. Protecting the Cardholder Data Environment is part of maintaining PCI DSS compliance, ensuring payment information remains secure.
A cloud compliance framework helps organizations adhere to regulatory, security, and operational best practices for cloud-based systems. Using a cloud compliance framework builds a proactive security and compliance posture while minimizing financial and reputational risk from security lapses. Examples of these frameworks include ISO, NIST, FedRAMP, CSA CCM, CSA STAR, and more.
Cloud security is the set of policies, controls, and technologies which protect cloud-based systems, data, and infrastructure. As modern business relies on the cloud, a robust cloud security strategy is integral to cybersecurity.
A CMS (credential management system) is an established form of software used for issuing and managing credentials as part of public key infrastructure (PKI). It ensures only authorized individuals can access sensitive information.
Compliance is adherence to the laws, regulations, and internal policies governing an organization’s operations. Compliance ensures companies meet certain standards, obligations, and ethical practices from a legal or operational perspective.
A compliance audit assesses the entirety of an organization’s compliance posture against a compliance framework (like SOC 2) or mandated requirements/regulations (like GDPR and HIPAA). Compliance audits require organizations to document their internal controls for an auditor.
The CSA is an organization of thousands of cloud service providers providing thought leadership and best practices in security and cloud computing. The Cloud Security Alliance also maintains the popular CAIQ.
The CSF (in version 2.0 as of 2024) is NIST’s guide for mitigating risk through six core functions — govern, identify, protect, detect, respond, and recover. The CSF 2.0 is not prescriptive, but rather a repository of resources and links that enables organizations to achieve their desired cybersecurity outcomes.
CUI is government-created or government-owned information that is unclassified yet still requires safeguarding and permission controls. Controlled Unclassified Information is determined by federal regulations and policies.
Cybersecurity is the collective practice of how an organization protects its systems, networks, and data from digital attacks, breaches, or damage. A cybersecurity strategy helps prevent unauthorized access or disruption of services and builds customer trust for organizations.
A DDoS (distributed denial-of-service) attack is designed to disrupt a website or network by bombarding it with traffic. Hackers and others use these attacks for a variety of reasons, including revenge, extortion, and financial or political gain.
DLP tools are used by organizations to block attempts to exfiltrate sensitive information outside of the organization’s network. For example, many organizations employ DLP to ensure that emails with personal information such as social security numbers or credit card numbers are blocked.
The Domain Name System (DNS) is like a phone contacts list — it converts domain names into IP addresses, allowing your browser to load webpages.
Disaster recovery (DR) is the plan, systems, and processes put in place to recover IT systems and data following a disaster. DR is essential to business continuity and minimizes the impact of unexpected disruptions.
EDR solutions are used to secure end-user devices such as laptops by detecting potential malware or other attempts to exploit the device. They are typically considered the successor to traditional signature-based antivirus software and use a combination of signatures and machine learning to detect advanced threats.
Encryption is a method of converting data into a coded format that is only readable by authorized parties. Encryption is a building block for safeguarding sensitive information, especially during data transmission (when data is most vulnerable).
ERM is the holistic strategy for identifying and managing risks across the entire organization. Enterprise risk management involves a comprehensive analysis of the tolerance and response strategies for financial, operational, technology, legal, regulatory, reputational, and strategic risks.
FedRAMP standardizes the security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. It ensures that cloud providers meet rigorous security requirements, protecting federal data.
A firewall is a system for monitoring and controlling incoming and outgoing network traffic, based on predefined security rules. Firewalls prevent unauthorized access to networks and serve as the first line of defense against cybersecurity attacks.
The GDPR is a European Union regulation that enhances data protection and privacy for individuals. It imposes strict guidelines on data handling, giving individuals greater control over their personal information and ensuring its secure processing.
GRC encompasses the strategies and processes used to manage an organization's overall governance, risk management, and compliance. Effective Governance, Risk, and Compliance ensures that businesses operate ethically, manage risks proactively, and comply with relevant regulations.
GRC software includes tools or applications for managing governance, risk, and compliance strategy. GRC software helps organizations align with internal and external standards, manage and assess risk, consolidate user access, and streamline GRC efforts.
HIPAA is a federal law that sets the standard to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Organizations with access to protected information must comply with HIPAA by maintaining confidentiality, integrity, and approved access of data.
A honeypot is a decoy cybersecurity mechanism that attracts cyberattackers by simulating a vulnerable system or network. Honeypots help organizations gain insight on hacker attack methods in real time.
IAM solutions manage user identification and control resource access. Identity and access management solutions help secure systems by authorizing users’ access to sensitive data and the actions they may take on it.
IDS and IPS tools can be used at the network or host level to monitor and identify anomalies in a network. An IDS (intrusion detection system) generates alerts for users to review, and an IPS (intrusion prevention system) actively blocks and mitigates malicious activity.
IOCs are the data or evidence that indicate a security breach. These indicators point to past or ongoing threats — examples include malicious IP addresses, file hashes, TTPs, domains, and any out-of-the-ordinary activity.
The ISA develops worldwide cybersecurity standards for automation systems and applications. Specifically, the ISA/IEC 62443 standards are endorsed by the United Nations, which helps organizations integrate security into the operations lifecycle.
ISO is an international standard-setting body that maintains various technical, industrial, and commercial standards. ISO 27001, which focuses on Information Security Management, is one of the most popular standards that organizations outside of North America become certified for, defining requirements for an ISMS (information security management system).
An ISP includes the rules and guidelines of how an organization manages and protects its information assets. The information security policy includes documentation around confidentiality, integrity, and availability, outlining the security posture for teams to understand and align to.
IRM is the comprehensive approach to how an organization manages risks. Mainly, integrated risk management involves embedding standard risk management practices into business operations, fundamentally improving decision making and adaptability to risk scenarios.
JIT (just-in-time) access is a security strategy that provides temporary access to critical systems. JIT access minimizes unauthorized access windows by limiting the duration of user permissions.
JSON is an open standard data-interchange format that is easy for humans to read and write and for machines to parse and produce. It structures data as name-value pairs (“objects”) and ordered lists of values (“arrays”) in a language-independent, universal format.
Malware stands for malicious software, which can damage, disrupt, or gain access to systems. Common types of malware include viruses, ransomware, and spyware.
MDM solutions are used to centrally manage and secure end user devices such as laptops and smartphones. Mobile device management involves deploying standardized configuration profiles, enforcing basic controls such as password complexity, disk encryption, and updates.
NIST creates and promotes cybersecurity standards, frameworks, and guidelines to reduce cyber risk. NIST's Cybersecurity Framework provides core functions to help organizations mitigate risk (see CSF).
A nonprofit organization that provides free guidelines and tools to improve software security. OWASP is best known for its list of the top ten web application vulnerabilities.
OTA updates are software updates delivered wirelessly to devices like phones, computers, and IoT gadgets. OTA update security prevents unauthorized tampering with software.
PCI DSS is a set of security standards ensuring a secure environment for any company that accepts, processes, stores, or transmits credit card information. The PCI DSS is a combined standard of five major card brands — Visa, Mastercard, American Express, Discover, and JCB — which started in 2004.
Pen testing is a method to evaluate a system’s security via cyberattack simulation. A PenTest helps identify vulnerabilities in real-time environments and improve contingencies.
PHI is any health information — demographic, historical, test/laboratory results, mental health conditions, insurance, etc. — collected to identify an individual and determine appropriate care.
Phishing is an impersonation-based cyberattack where legitimate identifiers and entities are used to deceive users into sharing sensitive information, like passwords or credit card numbers.
PKI is used in the issuance of digital certificates to protect sensitive data. It provides unique digital identities for users, devices and applications, and secures end-to-end communications and authentication.
A QSA audits vendors and merchants for PCI DSS (as certified by the PCI Security Standards Council). QSAs evaluate security standards, identify cybersecurity gaps, and validate business compliance with PCI DSS requirements.
Ransomware is a type of malware that captures a victim's data and demands payment (ransom) to release it. Businesses have become the primary target for ransomware attacks, given the number of opportunities for information targeting in an organization.
RBAC is a mechanism that restricts system access. Role-based access control works on preset permissions and privileges, granting system access and capabilities to authorized users while denying them to unauthorized users.
REST is an architectural style for building stateless, reliable web-based applications through which computer systems on the internet communicate with one another.
Risk assessment is how an organization identifies and evaluates risks to its security, compliance, or operations. Enterprise, third-party, and vendor risk assessments work together to create mitigation strategies for potential weaknesses or vulnerabilities in a security posture.
A ROC is a documented summary of a PCI DSS assessment. It outlines compliance status, any deficiencies or gaps in a security posture, and recommends further action (when necessary) to achieve full compliance.
SAML works by exchanging user information — logins, authentication state, identifiers, and other relevant attributes — between the identity and service provider. By enabling the user to log in once with a single set of credentials, it streamlines the authentication process.
The SAQ is a validation tool for merchants and service providers not required to undergo on-site data security assessments for PCI DSS — organizations with lower transaction volumes (fewer than 300,000 yearly). These entities use a self-assessment questionnaire to self-evaluate their security practices and compliance.
SCIM is a standard protocol for automating how user identity information is exchanged. It uses a REST API with data formatted as JSON or XML to automate and simplify identity provisioning across applications and systems, ensuring consistent, secure identity data.
SDLC is a structured process for creating high-quality software, at low costs, in the shortest possible production time. The SDLC works to plan, design, test, and deploy software with a variety of methodologies — waterfall, iterative, spiral, agile — to consistently meet and exceed customer expectations.
SIEM is technology that supports threat detection, compliance, and security incident management. Using the collection and analysis (both near real time and historical) of security events, plus other event and contextual data sources, organizations improve visibility and preparedness for cyberattacks.
A repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks. The SIG Questionnaire covers 19 risk domains as part of TPRM strategy, coming in three varieties — SIG Core, SIG Lite (streamlined), and Custom SIG.
An SLA sets expectations between the service provider and the customer. Service-level agreements describe the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved.
A SOC 1 report is for organizations whose internal security controls can impact a customer’s financial statements such as payroll, claims, or payment processing companies. SOC 1 reports can assure customers that their financial information is being handled securely.
A SOC 2 report is a security framework specifying how organizations should safeguard customer data. The American Institute of CPAs (AICPA) built SOC 2 around security, availability, processing integrity, confidentiality, and privacy (the five Trust Services Criteria).
SaaS vendors may be asked by customers’ legal, security, and procurement departments to provide copies of their SOC 2 report. SOC 2 does not correlate with legal regulations, in contrast to frameworks such as HIPAA, GDPR, and CCPA. Instead, it helps organizations prove their internal controls protect customer data.
A SOC 2 Type 1 report evaluates cybersecurity controls at a single point in time.
A SOC 2 Type 2 report evaluates cybersecurity systems over a time period (usually 3 months to a year).
A SOC 3 is a general/public use report that covers an organization’s internal controls over security, availability, processing integrity, and confidentiality. It’s less in-depth than a SOC 2, allowing organizations to build transparency into their trust posture without compromising data integrity.
SQL is a standardized programming language used to store and manage relational databases, as well as perform various operations on the data in them.
SSO is an authentication method enabling users to securely authenticate with multiple applications and websites with one set of credentials.
SSL is an encryption-based security protocol that uses certificates to establish a secure connection between a browser/device and a server/website. TLS is the direct evolution of SSL, but many TLS connections are still referred to as SSL.
2FA is a security method requiring two separate forms of identification for access. Typically, 2FA may combine known information (like a password) with a guarded asset (like a phone/security key).
TISAX is an information exchange for organizations in the automotive industry, founded by the German Association of the Automotive Industry and managed by the ENX Association. Its standards are based on the ISO/IEC 27001 and 27002. Vendors working with TISAX members are usually required to share their existing assessment or complete a new assessment in due diligence.
TLS is the successor to Secure Sockets Layer (SSL) and is a cryptographic protocol used to encrypt data in-transit over networks. Transport layer security is responsible for the secure delivery of data, but not necessarily end system security.
Tokenization is replacing sensitive data with unique identification markers (tokens), so essential information is retained without compromising security.
TPRM identifies, manages, and mitigates risks associated with service providers or other external parties who may access a company's information assets. Third party risk management involves monitoring external party activity, instituting controls for organization security, and not introducing unnecessary friction in data sharing systems.
A Trust Center (also known as a security portal) serves as a customer-facing home for security postures. Trust Centers are most often used to expedite the buyer security review process, automating labor and time-intensive procedures. By reducing friction for buyers to retrieve security information and providing sellers with highly customized access controls, Trust Centers act as the highly visible source of truth for organizations.
A VPN extends a private network, establishing a secure, encrypted connection while using a public network. Virtual private networks help maintain the security of sensitive information, access, and network permissions.
Vendor risk management (including third-party vendor management or enterprise vendor risk management) highlights the impact of vendor-related risks on business operations, reputation, and customer satisfaction. It is a subset of TPRM specific to vendors, service providers (SaaS), and suppliers.
A coalition of companies committed to improving Internet security.
VSA, established by Airbnb, Atlassian, Docker, Dropbox, and Uber, is now a collective of companies and members committed to standardized assessments and resources for vendor cybersecurity.
The VSA Core Questionnaire, released in October 2019, covers critical questions on vendor security and privacy, including US Privacy (data breach notification requirements and the CCPA), plus EU Privacy (GDPR).
The VSAQ or VSA questionnaire is an in-depth assessment of an organization’s service overview, data protection and access control, policies and standards, proactive security, reactive security, software supply chain, customer facing application security, and compliance.
A WAF protects web applications — by filtering/monitoring HTTP traffic — from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.
XML provides a markup language similar to HTML but without predefined tags. XML is used to define the structure and meaning of data, allowing organizations to share data between different systems and applications.
An XSS attack involves injecting malicious executable scripts into the code of a trusted application or website. Attackers launch XSS attacks by sending a harmful link, enabling access to cookies, session tokens, and sensitive information in-browser.
A zero-day exploit occurs when a security flaw in software is exploited before a fix is released by the software vendor. The challenge and danger of zero-day exploits come from how difficult they are to detect.
Zero trust architecture assumes no user or system has trust by default, whether internal or external to the network. Zero trust principles require continuous verification of identities and strict access controls, such as in government systems.
SafeBase is the leading Trust Center Platform designed for friction-free security reviews. With an enterprise-grade Trust Center, SafeBase automates the security review process and transforms how companies communicate their security and trust posture.
If you want to see how fast-growing companies like LinkedIn, Asana, and Jamf take back the time their teams spend on security questionnaires, create better buying experiences, and position security as the revenue-driver it is, schedule a demo.