The ecosystem of cybersecurity, compliance, and privacy uses a plethora of abbreviations, phrases, and assumed knowledge. Whether you’re an industry expert or just getting started, sorting through the alphabet soup of terminology is an ongoing challenge.
Here’s everything you need to stay up to date on security acronyms, terms, and more.
Security Terms A-B
ACL: Access Control List
An ACL is a set of rules to determine which users or systems can access certain resources in a network. It uses access management (restrictions and permissions) to safeguard sensitive data and maintain system integrity.
AOC: Attestation of Compliance
An AOC is a document certifying an organization’s compliance with specific security standards and regulations, such as PCI DSS. It must be submitted by a QSA (Qualified Security Assessor) or vendor. The Attestation of Compliance assures stakeholders of preventative security measures to protect sensitive information.
API: Application Programming Interface
An API is a software interface that allows two applications to talk to each other. The Application Programming Interface sits between an application and a web server, acting as an intermediary layer that processes data transfer between systems.
APT: Advanced Persistent Threat
An APT is a prolonged, targeted cyberattack where an intruder remains undetected for an extended period after gaining access to a network. Advanced Persistent Threats are usually more sophisticated and under the radar, scheming to steal sensitive data or disrupt operations.
ATP: Advanced Threat Protection
ATP is the set of security solutions designed to prevent, detect, and respond to sophisticated cyber threats to your organization. Advanced Threat Protection uses a combination of cloud security and endpoint security, giving you real-time threat visibility with predictive security measures (often powered by AI) and rapid response.
BC/DR: Business Continuity and Disaster Recovery
BC/DR represents a set of approaches or processes that help an organization recover from a disaster and resume its routine business operations. These plans involve preparing for various scenarios, from natural disasters to cyberattacks, to minimize downtime and data loss.
Brute Force Attack
A Brute Force Attack is a trial-and-error hacking method where every possible password or passphrase are systematically guessed.
Security Terms C-D
CAIQ: Consensus Assessment Initiative Questionnaire
The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
CCPA: California Consumer Privacy Act
The CCPA is a California State Statute passed in 2020, allowing consumers to have more control over data shared with websites. This mandates businesses to comply with requests for personal data (such as names and website history) to be accessed, deleted, or opted out of selling.
CDE: Cardholder Data Environment
The CDE refers to the components, processes, and networks that process and store cardholder data. Protecting the Cardholder Data Environment is part of maintaining PCI DSS compliance, ensuring payment information remains secure.
Cloud Compliance Framework
A cloud compliance framework helps organizations adhere to regulatory, security, and operations best practices for cloud-based systems. Using a cloud compliance framework builds a proactive security and compliance posture while minimizing financial/reputation risk from security lapses. Examples of these frameworks include: ISO, NIST, FedRAMP, ISO, CSA CCM, CSA STAR, and more.
CMS: Credential Management System
A CMS is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI). It ensures only authorized individuals can access sensitive information.
Compliance Audit
The compliance audit assesses the entirety of an organization’s compliance posture with a compliance framework (like SOC 2) or mandated requirements/regulations (like GDPR and HIPAA). Compliance audits require the documentation of internal controls to an auditor.
CSA: Cloud Security Alliance
The CSA is an organization of thousands of cloud service providers providing thought leadership and best practices in security and cloud computing. The Cloud Security Alliance also maintains the popular CAIQ.
CSF (CSF 2.0): Cybersecurity Framework (NIST)
The CSF (in version 2.0 as of 2024) is the NIST’s guide for mitigating risk through six core functions — govern, identify, protect, detect, respond, and recover. The CSF 2.0 is not prescriptive, but rather a repository of resources and links for enabling organizations to achieve their desired cybersecurity outcomes.
CUI: Controlled Unclassified Information
CUI is government information (whether created or owned) that’s both unclassified, yet requires safeguarding and permission controls. Controlled Unclassified Information is determined by federal regulations and policies.
DDoS: Distributed Denial of Service
A DDoS attack is designed to disrupt a website or network by bombarding it with traffic. Hackers and others use these attacks for a variety of reasons including revenge, extortion, plus financial and political gain.
DLP: Data Loss Prevention
DLP tools are used by organizations to block attempts to exfiltrate sensitive information outside of the organization’s network. For example, many organizations employ DLP to ensure that emails with personal information such as social security numbers or credit card numbers are blocked.
DNS: Domain Name Systems
The Domain Name System (DNS) is like a phone contacts list — it converts domain names into IP addresses, allowing your browser to load webpages.
Security Terms E-H
EDR: Endpoint Detection & Response
EDR solutions are used to secure end users devices such as laptops by detecting potential malware or other attempts to exploit the device. They are typically considered to be the successor to traditional signature-based antivirus software and use a combination of signatures and machine learning to detect advanced threats.
ERM: Enterprise Risk Management
ERM is the holistic strategy for identifying and managing risks across the entire organization. Enterprise risk management involves a comprehensive analysis of the tolerance and response strategies for financial, operational, technology, legal, regulatory, reputational, and strategic risks.
FedRAMP: Federal Risk and Authorization Management Program
FedRAMP standardizes the security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. It ensures that cloud providers meet rigorous security requirements, protecting federal data.
GDPR: General Data Protection Regulation
The GDPR is a European Union regulation that enhances data protection and privacy for individuals. It imposes strict guidelines on data handling, giving individuals greater control over their personal information and ensuring its secure processing.
GRC: Governance, Risk, and Compliance
GRC encompasses the strategies and processes used to manage an organization's overall governance, risk management, and compliance. Effective Governance, Risk, and Compliance ensures that businesses operate ethically, manage risks proactively, and comply with relevant regulations.
GRC Software
GRC software includes tools or applications for managing governance, risk, and compliance strategy. GRC software is compliant with internal/external standards, helping organizations manage and assess risk, consolidate user access, and streamline GRC efforts.
HIPAA: Health Insurance Portability and Accountability Act
HIPAA is a federal law that sets the standard to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Organizations with access to protected information must comply with HIPAA by maintaining confidentiality, integrity, and approved access of data.
Security Terms I-M
IAM: Identity and Access Management
IAM solutions manage user identification and control resource access. Identity and access management solutions help secure systems through user authorization, relative to sensitive data and actions with that data.
IDS/IPS: Intrusion Detection System/Intrusion Prevention System
IDS and IPS tools can be used at the network or host level to monitor and identify anomalies in a network. An IDS (intrusion detection system) generates alerts for users to review, and an IPS (intrusion prevention system) actively blocks and mitigates malicious activity.
IOC: Indicators of Compromise
IOCs are the data or evidence that indicate a security breach. These indicators highlight both past or ongoing threats — examples include malicious IP addresses, hashes, TTPs, domains, and anything out-of-the-ordinary activity.
ISA: International Society of Automation
The ISA develops worldwise cybersecurity standards relative to automation systems and applications. Specifically, the ISA/IEC 62443 standards are endorsed by United Nations, which helps organizations integrate security into the operations lifecycle.
ISO: International Organization for Standardization
An international standard-setting body that maintains various technical, industrial, and commercial standards. ISO 27001, which focuses on Information Security Management, is one of the most popular standards that organizations outside of North America become certified for, defining standards for an ISMS (information management system).
ISP: Information Security Policy
An ISP includes the rules and guidelines of how an organization manages and protects its information assets. The information security policy includes documentation around confidentiality, integrity, and availability, outlining the security posture for teams to understand and align to.
IRM: Integrated Risk Management
IRM is the comprehensive approach to how an organization manages risks. Mainly, integrated risk management involves embedding standard risk management practices into business operations, fundamentally improving decision making and adaptability to risk scenarios.
JSON: JavaScript Object Notation
JSON is an open standard data-interchange format that’s easy for both humans to write and read, and for machines to parse and produce. It uses name-value or “object” pairing, along with an ordered list of values “array,” to structure data in a language-independent, universal format.
MDM: Mobile Device Management
MDM solutions are used to centrally manage and secure end user devices such as laptops and smartphones. Mobile device management involves deploying standardized configuration profiles, enforcing basic controls such as password complexity, disk encryption, and updates.
Security Terms N-Q
NIST: National Institute of Standards and Technology
NIST creates and promotes cybersecurity standards, frameworks, and guidelines to reduce cyber risk. NIST's Cybersecurity Framework provides core functions to help organizations mitigate risk (see CSF).
PCI DSS: Payment Card Industry Data Security Standard
PCI DSS is a set of security standards ensuring a security environment for any company that accepts, processes, stores, or transmits credit card information. The PCI DSS is a combined standard of five major card brands — Visa, Mastercard, American Express, Discover, and JCB — which started in 2004.
PHI: Protected/Personal Health Information
PHI is any health information — demographic, historical, test/laboratory results, mental health conditions, insurance, etc. — collected to identify an individual and determine appropriate care.
PKI: Public Key Infrastructure
PKI is used in the issuance of digital certificates to protect sensitive data. It provides unique digital identities for users, devices and applications, and secures end-to-end communications and authentication.
QSA: Qualified Security Assessor
A QSA audits vendors and merchants for PCI DSS (as certified by the PCI Security Standards Council). QSAs evaluate security standards, identify cybersecurity gaps, and validate business compliance with PCI DSS requirements.
Security Terms R-S
RBAC: Role-Based Access Control
RBAC is a mechanism that restricts system access. Role-based access control works on preset permissions and privileges, enabling system access and capabilities to authorized users while preventing access or certain capabilities to unauthorized users.
REST: Representational State Transfer
REST is an architectural style for software which creates stateless, reliable web-based applications, by which computer systems on the internet communicate with one another.
ROC: Report on Compliance
A ROC is a documented summary of a PCI DSS assessment. It outlines compliance status, any deficiencies or gaps in a security posture, and recommends further action (when necessary) to achieve full compliance.
SAML: Security Assertion Markup Language
SAML works by exchanging user information — logins, authentication state, identifiers, and other relevant attributes — between the identity and service provider. By enabling the user to log in once with a single set of credentials, it streamlines the authentication process.
SAQ: Self-Assessment Questionnaire
The SAQ is a validation tool for merchants and service providers not required to do on-site data security assessments for PCI DSS — organizations with lower transaction volumes ( < 300,000 yearly). These entities use a self-assessment questionnaire to self-evaluate their security practices and compliance.
SCIM: System for Cross-Domain Identity Management
SCIM is a standard protocol for automating how user identity information is exchanged. It uses API through REST with data formatted through JSON or XML to automate and simplify data provisioning across applications and systems, ensuring consistent, secure identity data.
SDLC: Software Development Life Cycle
SDLC is a structured process for creating high-quality software, at low costs, in the shortest possible production time. The SDLC works to plan, design, test, and deploy software with a variety of methodologies — waterfall, iterative, spiral, agile — to consistently meet and exceed customer expectations.
SIEM: Security Information and Event Management
SIEM is technology that supports threat detection, compliance, and security incident management. Using the collection and analysis (both near real time and historical) of security events, plus other event and contextual data sources, organizations improve visibility and preparedness for cyberattacks.
SIG: Standardized Information Gathering
A repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks. The SIG Questionnaire covers 19 risk domains as part of TPRM strategy, coming in three varieties — SIG Core, SIG Lite (streamlined), and Custom SIG.
SLA: Service-Level Agreement
An SLA sets expectations between the service provider and the customer. Service-level agreements describe the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved.
SOC 1: Systems and Organization Controls
A SOC 1 report is for organizations whose internal security controls can impact a customer’s financial statements such as payroll, claims, or payment processing companies. SOC 1 reports can assure customers that their financial information is being handled securely.
SOC 2: Systems and Organization Controls
A SOC 2 report is a security framework specifying how organizations should safeguard customer data. The American Institute of CPAs (AICPA) built SOC 2 around security, availability, processing integrity, confidentiality, and privacy (the five Trust Services Criteria).
SaaS vendors may be asked by customers’ legal, security, and procurement departments to provide copies of their SOC 2 report. SOC 2 does not correlate with legal regulations, in contrast to frameworks such as HIPAA, GDPR, and CCPA. Instead, it helps organizations prove their internal controls protect customer data.
SOC 2 Type 1
A SOC 2 Type 1 report evaluates cybersecurity at a given singular point.
SOC 2 Type 2
A SOC 2 Type 2 report evaluates cybersecurity systems over a time period (usually 3 months to a year).
SOC 3: Systems and Organization Controls
A SOC 3 is a general/public use report that covers an organization’s internal controls over security, availability, processing integrity, and confidentiality. It’s less in-depth than a SOC 2, allowing organizations to build transparency into their trust posture without compromising data integrity.
SQL: Structured Query Language
SQL standardized programming language used to store and manage relational databases, as well as perform various operations on the data in them.
SSO: Single Sign-On
SSO is an authentication method enabling users to securely authenticate with multiple applications and websites with one set of credentials.
SSL: Secure Sockets Layer
SSL is an encryption-based security protocol, which uses certificates to establish secure connection between a browser/device and a server/website. TLS is the director evolution of SSL, but many TLS connections are still referred to as SSL.
Security Terms T-X
TISAX: Trusted Information Security Asset Exchange
TISAX is an information exchange for organizations in the automotive industry, founded by the German Association of the Automotive Industry and managed by the ENX Association. Its standards are based on the ISO/IEC 27001 and 27002. Vendors working with TISAX members are usually required to share their existing assessment or complete a new assessment in due diligence.
TLS: Transport Layer Security
TLS is the successor to Secure Sockets Layer (SSL) and is a cryptographic protocol used to encrypt data in-transit over networks. Transport layer security is responsible for the secure delivery of data, but not necessarily end system security.
TPRM: Third Party Risk Management
TPRM identifies, manages, and mitigates risks associated with service providers or other external parties who may access a company's information assets. Third party risk management involves monitoring external party activity, instituting controls for organization security, and not introducing unnecessary friction in data sharing systems.
Trust Center
A Trust Center (also known as a security portal) serves as a customer-facing home for security postures. Trust Centers are most often used to expedite the buyer security review process, automating labor and time-intensive procedures. By reducing friction for buyers to retrieve security information and providing sellers with highly customized access controls, Trust Centers act as the highly visible source of truth for organizations.
VPN: Virtual Private Network
A VPN extends a private network, establishing a secure, encrypted connection while using a public network. Virtual private networks help maintain the security of sensitive information, access, and network permissions.
VRM: Vendor Risk Management
Vendor risk management (including third party vendor management or enterprise vendor risk management) highlights the impact risks on business operations, reputation, and customer satisfaction. It is a subsidiary of TPRM specific to vendors, service providers (SaaS), and suppliers.
VSA: The Vendor Security Alliance
A coalition of companies committed to improving Internet security.
VSA, established by Airbnb, Atlassian, Docker, Dropbox, and Uber, is now a collective of companies and members committed to standardized assessments and resources for vendor cybersecurity.
VSA Core: The Vendor Security Alliance Core
The VSA Core Questionnaire, released in October 2019, covers critical questions on vendor security and privacy, including US Privacy (data breach notification requirements and the CCPA), plus EU Privacy (GDPR).
VSA Full or VSAQ: The Vendor Security Alliance Questionnaire
The VSAQ or VSA questionnaire is an in-depth assessment of an organization’s service overview, data protection and access control, policies and standards, proactive security, reactive security, software supply chain, customer facing application security, and compliance.
WAF: Web Application Firewall
A WAF protects web applications — by filtering/monitoring HTTP traffic — from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.
XML: Extensible Markup Language
XML provides a similar markup language to HTML without predefined tags. XML is used define the structure and meaning of data, allowing organizations to share data between different systems and applications.
XSS: Cross-Site Scripting
An XSS attack involves injecting malicious executable scripts into the code of a trusted application or website. Attackers launch XSS attacks by sending a harmful link, enabling access to cookies, session tokens, and sensitive information in-browser.
SafeBase is the leading Trust Center Platform designed for friction-free security reviews. With an enterprise-grade Trust Center, SafeBase automates the security review process and transforms how companies communicate their security and trust posture.
If you want to see how fast-growing companies like LinkedIn, Asana, and Jamf take back the time their teams spend on security questionnaires, create better buying experiences, and position security as the revenue-driver it is, schedule a demo.
