The world of cybersecurity and audit is full of confusing terms and acronyms, often with little explanation. This chart is intended to help serve as a glossary for the terms and acronyms you will find on this site!
| Term | Meaning |
| --- | --- |
| ASV | Approved Scanning Vendors |
| AT 101 | Attestation Standards section 101 |
| Audit | An examination of the management controls within an information technology infrastructure |
| AWS | Amazon Web Services |
| BCP | Business Continuity Planning |
| BIA | Business Impact Analysis |
| CEH | Certified Ethical Hacker |
| CGEIT | Certified in the Governance of Enterprise IT |
| CISA | Certified Information Systems Auditor |
| CISSP | Certified Information Systems Security Professional |
| CoBiT® | Control Objectives for Information and Related Technologies |
| CRISC | Certified in Risk and Information Systems Control |
| CUI | Controlled Unclassified Information |
| DFARS | Defense Federal Acquisition Regulation Supplement |
| DoD | United States Department of Defense |
| DSS | Data Security Standard |
| EHR | Electronic Health Record |
| ePHI | Electronic Protected Health Information |
| FDIC | Federal Deposit Insurance Corporation |
| FFIEC | Federal Financial Institutions Examination Council |
| FISMA | Federal Information Security Management Act, a US federal law enacted in 2002 requiring federal agencies to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget |
| GDPR | General Data Protection Regulation, an EU law enacted in 2018 to give individuals control over their personal data and to simplify the regulatory environment for international business |
| GIAC | Global Information Assurance Certification |
| GLBA | Gramm-Leach-Bliley Act, a US federal law enacted in 1999 requiring financial institutions to explain how they share and protect their customers' private data |
| HIPAA | Health Insurance Portability and Accountability Act, a US act enacted in 1996 to modernize the flow of healthcare information and to define how client information maintained by the healthcare and insurance industries should be protected from fraud and theft |
| HITECH | Health Information Technology for Economic and Clinical Health Act, a US act enacted in 2009 to promote and expand the adoption of health information technology |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization, or Information Security Officer |
| IT | Information Technology |
| KBP | Key Business Processes |
| MACRA | Medicare Access and CHIP Reauthorization Act, a US statute enacted in 2015 changing the payment system for doctors who treat Medicare patients |
| MIPS | Merit-Based Incentive Payment System |
| NIST | National Institute of Standards and Technology |
| OSSTMM | Open Source Security Testing Methodology Manual |
| PCI | Payment Card Industry |
| Pen Test | Short for "Penetration Testing" |
| PHI | Protected Health Information |
| QSA | Qualified Security Assessor |
| ROC | Report on Compliance |
| RPO | Recovery Point Objectives |
| RTO | Recovery Time Objectives |
| SaaS | Software as a Service |
| SAS | Statement on Auditing Standards |
| SOC | Service Organization Controls |
| SEC | Securities and Exchange Commission |
| SOX | Sarbanes–Oxley Act, a US federal law enacted in 2002 bringing major changes to the regulation of financial practice and corporate governance |
| SSAE | Statement on Standards for Attestation Engagements |
| TSC | Trust Services Criteria |
| TSP | Trust Services Principles |
| VM | Vendor Management |