Access Control List
A list of rules that dictates which users or systems have access to a resource.
Application Programming Interface
A software interface that allows two applications to talk to each other. An API sits between an application and a web server, acting as an intermediary layer that handles the transfer of data between systems.
Business Continuity and Disaster Recovery
Represents a set of approaches or processes that helps an organization recover from a disaster and resume its routine business operations.
Consensus Assessments Initiative Questionnaire (CAIQ, pronounced "cake")
A survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
California Consumer Privacy Act
California state statute passed in 2020 that gives consumers more control over the data they share with websites, such as the right to request that their personal data (for example, names and browsing history) be exported or deleted.
Cloud Security Alliance
An organization of thousands of cloud service providers that provides thought leadership and maintains the popular CAIQ.
Credential Management System
An established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).
Distributed Denial of Service
An attack designed to disrupt a website or network by bombarding it with traffic. Hackers and others use these attacks for a variety of reasons including revenge, extortion, and financial and political gain.
Data Loss Prevention
DLP tools are used by organizations to block attempts to exfiltrate sensitive information outside of the organization’s network. For example, many organizations employ DLP to ensure that emails with personal information such as social security numbers or credit card numbers are blocked.
Endpoint Detection & Response
EDR solutions are used to secure end-user devices such as laptops by detecting potential malware or other attempts to exploit the device. They are generally considered the successor to traditional signature-based antivirus software and use a combination of signatures and machine learning to detect advanced threats.
Health Insurance Portability and Accountability Act
A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
Intrusion Detection System/Intrusion Prevention System
IDS and IPS tools are deployed at either the network or host level and are designed to identify anomalous activity. An IDS generates alerts for analysts to review, whereas an IPS actively blocks malicious activity.
International Organization for Standardization
An international standard-setting body that maintains various technical, industrial, and commercial standards. ISO 27001, which focuses on Information Security Management, is one of these standards and is one of the most popular standards that organizations outside of North America become certified for.
Mobile Device Management
Mobile Device Management solutions are used to centrally manage and secure end user devices such as laptops and smartphones by deploying standardized configuration profiles that enforce basic controls such as password complexity, disk encryption, and updates.
Payment Card Industry Data Security Standard
A set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Protected/Personal Health Information
The demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Public Key Infrastructure
Governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.
Role-Based Access Control
A mechanism that restricts system access by assigning permissions and privileges to roles rather than to individuals; authorized users are granted access through the roles they hold.
Security Assertion Markup Language
Works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes, between an identity provider and a service provider. As a result, it simplifies and secures the authentication process, since the user only needs to log in once with a single set of credentials.
Software Development Life Cycle
A structured process that enables the production of high-quality, low-cost software, in the shortest possible production time. The goal of the SDLC is to produce superior software that meets and exceeds all customer expectations and demands.
Security Information and Event Management
Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.
Standardized Information Gathering (Questionnaire)
A repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks.
Service Level Agreement
Sets the expectations between the service provider and the customer and describes the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the service is monitored and approved.
Systems and Organization Controls (SOC 1)
A SOC 1 report is for organizations whose internal security controls can impact a customer’s financial statements such as payroll, claims, or payment processing companies. SOC 1 reports can assure customers that their financial information is being handled securely.
Systems and Organization Controls (SOC 2)
A SOC 2 report is a security framework that specifies how organizations should safeguard customer data. The American Institute of CPAs (AICPA) developed SOC 2 around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Systems and Organization Controls (SOC 3)
A SOC 3 report is a public report of internal controls over security, availability, processing integrity, and confidentiality. This report is less detailed than SOC 2.
Structured Query Language
A standardized programming language that is used to manage relational databases and perform various operations on the data in them.
Single Sign-On
An authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
Trusted Information Security Asset Exchange
An information exchange that was founded by the German Association of the Automotive Industry. Vendors who wish to work with TISAX members are usually required to share their existing assessment or complete a new assessment as part of the due diligence process.
Transport Layer Security
TLS is the successor to Secure Sockets Layer (SSL) and is a cryptographic protocol used to encrypt data in transit over a computer network.
Virtual Private Network
A service that establishes a secure, encrypted connection while using a public network.
The Vendor Security Alliance
A coalition of companies committed to improving Internet security.
The Vendor Security Alliance Core
This questionnaire, first available on October 24th, 2019, comprises the most critical questions on vendor security in addition to privacy. The privacy section covers both US Privacy (data breach notification requirements plus the new California data privacy law (CCPA)), plus EU Privacy (General Data Protection Regulation (GDPR)).
Web Application Firewall
Protects web applications from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.
Cross-Site Scripting
An attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.