| Term |
Definition |
| ADFS SSO |
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a component of Windows Server operating systems, it provides users with authenticated access to applications. |
| Apple SSO |
Sign in with Apple is a Single Sign-On (SSO) solution created by Apple. It give users the ability to sign into applications with their Apple ID. |
| Audit Logs |
Describes an organization's ability to document activities that impact operations, procedures, or events that occur within its software. |
| Auto Scaling |
A cloud computing pattern/technique for dynamically allocating and deallocating computing resources such as server capacities or virtual machines based on demand. |
| Bug Bounty |
A policy surrounding the potential for individuals to receive recognition or compensation for discovering and reporting bugs or security vulnerabilities with a specific set of rules and procedures. |
| Business Continuity Plan |
A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected. |
| C5 |
The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services that leverage internationally recognized security standards like ISO/IEC 27001, in order to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers. |
| C5 - Data Center |
Indicates that a processor’s data storage solution meets the minimum standards of the C5 framework. |
| C5 Attestation |
A report issued by an independent third-party that acts as verification of an organization's compliance with C5 requirements. |
| CCPA |
The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protections for residents of California, in the United States. |
| Confidentiality Agreements |
Indicates that an organization has procedures and policies relating to NDAs and employee confidentiality agreements. |
| COPPA |
The Children's Online Privacy Protection Act (COPPA) is a policy on the collection of data of users under the age of 13, relating to the laws surrounding marketing to underage individuals. |
| CSA C-STAR Assessment |
A robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. |
| CSA GDPR Code of Conduct Certification |
A certification based on a third-party evaluation of the compliance of a cloud services provider's services to the GDPR, designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection offered by the cloud service provider. |
| CSA GDPR Code of Conduct Self-Assessment |
A self-assessment that can be completed by a cloud service provider to evaluate the compliance of its services to the GDPR. After the self-assessment is published on the Registry, it will remain valid for 1 year. The Self-Assessment requires the publication of a (1) Code of Conduct Statement of Adherence and (2) the PLA Code of Practice Template and must be updated when a change is made to company policies or practices that affect the assessed service. |
| CSA STAR |
The Cloud Security Alliance's Security, Trust & Assurance Registry Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The STAR Certification is based on achieving ISO/IEC 27001, as well as a specified set of criteria detailed in the Cloud Controls Matrix (CCM). |
| CSA STAR - Level 1 |
A free way for any CSP to provide their customers with the security assurances that a STAR certification offers. To earn a Level 1 certification, cloud service providers must self-assess their security practices and controls against the CSA’s best practices (using either the Consensus Assessments Initiative Questionnaire [CAIQ] or the Cloud Controls Matrix [CCM]) and send their assessment to the CSA for verification. |
| CSA STAR - Level 1 Continuous |
A continuously audited version of the CSA STAR - Level 1 certification. Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. |
| CSA STAR - Level 2 |
Helps cloud service providers offer more transparency and assurance than Level 1 in two ways. First, it requires an assessment of a CSP’s security controls to be completed by a CSA-certified third party (a list of which the CSA maintains on their website). Second, it’s designed to enhance the security controls of other standards and certifications that a CSP might follow (ones that are industry or geographically specific to their business) for the cloud. |
| CSA STAR - Level 2 Continuous |
A continuously audited version of the the CSA STAR - Level 2 certification. Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. |
| CSA STAR - Level 3 |
Where STAR Levels 1 and 2 offer a continuous option to increase transparency and assurance through periodic self-assessment, CSA STAR Level 3 takes “continuous” one step further by automating the process of validating security control effectiveness in real-time. |
| CSA STAR Attestation |
Provides guidelines for CPAs to use to conduct SOC 2 engagements; it is based on criteria from the AICPA and the CSA Cloud Controls Matrix (CCM). Attestation listings expire after one year unless they are updated. |
| CSA STAR CAIQ |
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards to document the security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a service applications. |
| CSA STAR Certification |
Based on a third-party audit of a cloud service provider's security. It leverages the requirements of the ISO/IEC 27001:2013 standard and the CSA Cloud Controls Matrix. Certificates follow the ISO/IEC 27001 protocol and expire after three years unless they are updated. |
| CSA STAR Self-Assessment |
Used to document the security controls provided by cloud computing offerings, and helps users assess the security of cloud providers. On an annual basis, cloud providers complete a Consensus Assessments Initiative Questionnaire (CAIQ) to document their compliance with the Cloud Controls Matrix (CCM). This information is made publicly available to promote industry transparency and provide visibility into security practices. |
| Data Backups |
Indicates that an organization has automated and recurring backup procedures designed to protect against data loss. |
| Data Breach Notification |
Indicates that an organization has specific policies related to the notification of users following unauthorized access to data. |
| Data Encrypted At-Rest |
Protects stored data. If an attacker obtains a hard drive with encrypted data but not the encryption keys, then the attacker must surpass the encryption to read the data. |
| Data Encrypted In-Transit |
Protects data as it moves from one location to another, as when you send an email, browse the Internet, or upload/download documents to and from the cloud. |
| Data Processing Addendum (DPA) |
A contract between data controllers and data processors or data processors and subprocessors that is intended to ensure that each entity in the partnership is operating in compliance with the GDPR or other applicable privacy laws in order to protect the interests of both parties. |
| Data Protection Officer (DPO) |
A designated role in an organization for ensuring compliance regarding privacy laws and regulations on personal data. Under certain conditions, the GDPR requires organizations to appoint a DPO. |
| Data Protection Officer (DPO) Email |
The email address to reach a Data Protection Officer. |
| Data Redundancy |
Indicates that the same data is stored in two or more separate places. |
| Data Removal Requests |
The GDPR introduced the right of individuals to have their personal data erased upon request. Since its introduction, this concept has been adopted by almost all other new privacy regulations. Also known as "the right to be forgotten," the right to erasure requires that a company remove a customer's data within one month of a verbal or written request. Data Removal Requests mean that a company has implemented a process for customers to make these requests and that the company honors them, in compliance with the GDPR and other regulations. |
| Data Retention Policy |
A policy concerning what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. |
| Denial of Service (DoS) Protection |
Measures taken to protect against Denial of Service attacks, wherein attackers flood the target host/network with incoming traffic until the target is unable to respond or crashes. |
| Disaster Recovery Plan |
A disaster recovery plan (DPR) is a document that contains outlines a company's response to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The DPR contains strategies for minimizing the effects of a disaster so that the company can continue to operate or quickly resume key operations. |
| Dynamic Application Security Testing (DAST) |
A method of security testing that emphasizes attacking an application from the outside to find security vulnerabilities. |
| Employee Background Checks |
Employers run background checks to avoid hiring someone who may pose a threat to the workplace or become a liability to the employer. An employment background check can include, but is not limited to, a person’s work history, education, credit history, motor vehicle reports (MVRs), criminal record, medical history, use of social media, and drug screening. |
| Employee Security Training |
A strategy used by IT and security professionals to prevent and mitigate user risk. These programs are designed to help users and employees understand the role they play in helping to combat information security breaches. |
| Employee Workstations Automatically Locked |
The policy of automatically locking employee devices after a period of inactivity and requiring a password to unlock it. |
| Employee Workstations Encrypted |
The policy of encrypting employee hard drives to prevent unauthorized access to data stored on their devices. |
| Environmental Safeguards |
Indicates that a company utilizes environmental and physical controls that work together to protect physical and digital assets from theft and damage. |
| Environmental Safeguards - Data Center |
Indicates a processor's data center implements environmental safeguards. |
| ePrivacy |
An EU directive focused on protecting the confidentiality of electronic communication that occurs between parties. This includes non-personal information exchanged. |
| EU-US Privacy Shield |
A framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. |
| Facebook SSO |
A Single Sign-On (SSO) solution created by Facebook. It give users the ability to sign into applications with their Facebook credentials. |
| FedRAMP |
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the United States federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information. |
| FedRAMP - High |
High (Impact) data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| FedRAMP - Low |
Low (Impact) is most appropriate for cloud security offerings where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals. |
| FedRAMP - Moderate |
Moderate (Impact) is most appropriate for cloud security offerings where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or physical in nature. |
| FedRAMP Authorization Report |
A report which is comprised of two parts: first, a full security assessment which is an independent audit focused on a number of parameters, and secondly, an agency authorization process is undergone. |
| FedRAMP Authorized |
Indicates an organization is compliant with the FedRAMP set of security standards. |
| FISMA |
The Federal Information Security Management Act (FISMA) of 2002 is a framework of security standards to protect government information that is handled by third-party vendors, contractors, and partners. |
| FISMA - Data Center |
Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA framework. |
| FISMA - High |
A compliance level reserved for third-parties handling the highest-impact data, or that which if compromised would have severe or catastrophic implications. |
| FISMA - High - Data Center |
Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - Low certification. |
| FISMA - Low |
A compliance level reserved for third parties handling information that, if compromised, would have moderately severe implications. |
| FISMA - Low - Data Center |
Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - Low certification. |
| FISMA - Moderate |
A compliance level reserved for third parties handling information that, if compromised, would have moderately severe implications. |
| FISMA - Moderate - Data Center |
Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - Moderate certification. |
| GDPR |
The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the European Union and European Economic Area (EEA). |
| GitHub SSO |
A Single Sign-On (SSO) solution created by GitHub. It give users the ability to sign into applications with their GitHub credentials. |
| Google SSO |
A Single Sign-On (SSO) solution created by Google. It give users the ability to sign into applications with their Google credentials. |
| HIPAA |
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to protect patient personally identifiable information (PII) and health information from nonconsensual disclosure. |
| HITECH |
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was enacted to promote and expand the adoption of electronic health records. |
| Incident Response Plan (IRP) |
A set of instructions to help employees detect, respond to, and recover from network security incidents in areas like: cybercrime, data loss, and service outages. |
| Infrastructure Redundancy |
The process of adding additional instances of network devices and lines of communication to help ensure network availability and decrease the risk of failure along any critical data paths. |
| Inherited Subprocessors |
A Subprocessor is a third party data processor who has or potentially will have access to or process service and potentially personal data. Inherited subprocessors are the subprocessors of an organization's subprocessors, and are important to note since those services may also receive the organization's customer data. |
| IP-Based Access Control |
A control that restricts access to applications or resources based on IP address. |
| ISO 22301 |
An international standard that provides a robust framework for developing effective incident response and recovery procedures to ensure your organization can recover quickly in the event of a disruption. |
| ISO 27001 |
An international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and then revised in 2013. |
| ISO 27001 Certificate |
The certificate obtained from ISO 27001 compliance. |
| ISO 27017 |
A security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. |
| ISO 27017 Certificate |
The certificate obtained from ISO 27001 compliance. |
| ISO 27018 |
The first international standard created specifically for data privacy in cloud computing. Its main objective, according to the International Organization for Standardization (ISO), is to establish “commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII).” |
| ISO 27018 Certificate |
The certificate obtained from ISO 27018 compliance. |
| ISO 27032 |
An international standard that provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information infrastructure protection (CIIP). |
| ISO 27032 Certificate |
The certificate obtained from ISO 27032 compliance. |
| ISO 27701 |
A data privacy extension to ISO/IEC 27001 & 27002. It provides a framework for organizations to implement a system to support compliance with the GDPR, CCPA, and other data privacy compliance requirements. |
| ISO 27701 Certificate |
The certificate obtained from ISO 27701 compliance. |
| LDAP SSO |
Lightweight Directory Access Protocol (LDAP) Single Sign-On (SSO) is a software protocol for authenticating users on an AD network, and it enables anyone to locate resources on the Internet or on a corporate intranet. LDAP SSO also lets system admins set permissions to control access to the LDAP database, thereby ensuring that data stays private. |
| Limited Employee Access (Principle of Least Privilege) |
The idea that at any user, program, or process should have only the bare minimum privileges necessary to perform its function. |
| LinkedIn SSO |
A Single Sign-On (SSO) solution created by LinkedIn. It give users the ability to sign into applications with their LinkedIn credentials. |
| Microsoft SSO |
A Single Sign-On (SSO) solution created by Microsoft. It give users the ability to sign into applications with their Microsoft credentials. |
| Multi-Factor Authentication |
An electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. |
| Multi-Tenant Architecture |
An architecture which allows a single instance of a software application to serve multiple customers. |
| Passwords Encrypted |
The practice of translating login credentials into a secure format for storage, such that even if a malicious party gained access to them, they would be unable to use them to obtain login access. |
| PCI-DSS |
The Payment Card Industry Data Security Standard—an information security standard that applies to companies that store and handle credit card information from the most common providers and schemes. |
| PCI-DSS - Data Center |
Signifies that the processor's data storage satisfies the Payment Card Industry Data Security Standard, and is the result of collaboration between the five largest credit card brands: Visa, MasterCard, American Express, Discover and JCB. |
| PCI-DSS - Level 1 |
The Payment Card Industry Data Security Standard, as it applies to merchants that handle over 6 million credit card transactions annually. |
| PCI-DSS - Level 1 - Data Center |
Signifies that the processor's data storage satisfies Level 1 of the Payment Card Industry Data Security Standard. |
| PCI-DSS - Level 2 |
The Payment Card Industry Data Security Standard, as it applies to merchants that handle between 1 and 6 million credit card transactions annually. |
| PCI-DSS - Level 2 - Data Center |
Signifies that the processor's data storage satisfies Level 2 of the Payment Card Industry Data Security Standard. |
| PCI-DSS - Level 3 |
The Payment Card Industry Data Security Standard, as it applies to merchants that handle between 20,000 and 1 million credit card transactions annually. |
| PCI-DSS - Level 3 - Data Center |
Signifies that the processor's data storage satisfies Level 3 of the Payment Card Industry Data Security Standard. |
| PCI-DSS - Level 4 |
The Payment Card Industry Data Security Standard, as it applies to merchants that handle less than 20,000 credit card transactions annually. |
| PCI-DSS - Level 4 - Data Center |
Signifies that the processor's data storage satisfies Level 4 of the Payment Card Industry Data Security Standard. |
| PECR |
The Privacy and Electronic Communications Regulations, a law in the United Kingdom which restricts the practice of sending direct marketing materials via electronic means. One key tenet of the PECR is requiring companies to obtain opt-in consent from parties before sending them direct marketing materials. |
| Penetration Testing |
Also called a pen test, penetration testing is a simulated cyberattack on a system performed for the purpose of testing the system's security. |
| Personnel Screening |
The practice of analyzing the background of job applicants to ensure their credibility and fit for a role. This could include but is not limited to credit history, criminal records, and previous employment/education records. |
| Physical Access Control |
A system to ensure only authorized individuals are granted access to a company's premises. This often includes the use of electronic credentials to grant specific individuals access to certain physical spaces and systems. |
| Physical Access Control - Data Center |
Signifies that a processor's data storage employs a functioning Physical Access Control System. |
| POPIA |
The Protection of Personal Information Act is a regulation in South African law on data protection and privacy in South Africa. It also addresses the transfer of personal data outside of South Africa. |
| Primary Subprocessors |
A Subprocessor is a third party data processor who has or potentially will have access to or process service and potentially personal data. |
| Privacy Policy |
A document that explains how a website or organization will collect, store, protect, and utilize personal information provided by its users. |
| Quality Assurance Testing |
Quality Assurance (QA) testing ensures that an organization delivers the best products or services possible. |
| Responsible Disclosure |
A vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. |
| Role-Based Access Control (RBAC) |
The ability to restrict access based on a person's position within an organization. |
| Salesforce SSO |
A single sign-on (SSO) solution created by Salesforce. It give users the ability to sign into applications with their Salesforce credentials. |
| SAML SSO |
Security assertion markup language (SAML) single sign-on (SSO) works by transferring a user’s identity from an Identity Provider to a service provider through signed documents. SAML the underlying protocol that makes web-based SSO possible. |
| Sarbanes-Oxley (SOX) - Data Center |
Definition coming soon! |
| SCIM User Management |
The System for Cross-Domain user management is an open standard which provides a schema designed to manage user-identity information. It can be used to be used to automatically provision/de-provision accounts for users in external systems such as G Suite or Office 365. |
| Secure Remote Network Access |
Any security policy or technology that allows employees to connect to a company's internal network and prevents unauthorized access. |
| Self-Serve User Management |
Definition coming soon! |
| Service Monitoring |
A system or set of tools used to check on the health of servers in a network. |
| Single-Tenant Architecture |
A single instance of the software and supporting infrastructure serve a single customer. With single tenancy, each customer has his or her own independent database and instance of the software. |
| SOC 1 |
SOC 1 is a set of compliance requirements that applies to companies' internal control over financial reporting. An audit against these controls and the resulting report provide written documentation of an organization's internal controls that are potentially relevant to audits of their customers' financial statements. |
| SOC 1 - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 1 audit and obtained the corresponding report. |
| SOC 1 Type I |
A SOC 1 Type I audit and corresponding report focus on describing a service organization’s control processes and the suitability of how those controls are designed to achieve the SOC 1 objectives as of specific dates. |
| SOC 1 Type I - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 1 Type I audit and obtained the corresponding report. |
| SOC 1 Type I Report |
A document detailing the SOC 1 Type I audit of a company by an independent entity. |
| SOC 1 Type II |
A SOC 1 Type II audit and corresponding report contain all of the content of a SOC 1 Type I report, plus the addition of an evaluation of the effectiveness of the SOC 1 control processes throughout a specific time period. |
| SOC 1 Type II - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 1 Type II audit and obtained the corresponding report. |
| SOC 1 Type II Report |
A document detailing the SOC 1 Type II audit of a company by an independent entity. |
| SOC 2 |
SOC 2 is a set of compliance requirements that applies to companies' handling of cloud-based customer data as it relates to operations and compliance. An audit against these controls and the resulting report provide written documentation of how they handle and store consumer data in the cloud based on the criteria of and one or all five of the AICPA's Trust Principles (availability, security, processing integrity, confidentiality and privacy), and the methods by which these criteria were tested. |
| SOC 2 - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 2 audit and obtained the corresponding report. |
| SOC 2 Type I |
A certification describing a service organization’s control processes and the suitability of how those controls are designed to achieve the SOC 2 objectives as of specific dates. |
| SOC 2 Type I - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 2 Type I audit and obtained the corresponding report. |
| SOC 2 Type I Report |
A document detailing the SOC 2 Type I audit of a company by an independent entity. |
| SOC 2 Type II |
A certification describing how a product safeguards customer data and how effective those measures are. |
| SOC 2 Type II - Data Center |
Signifies that a processor's data storage has undergone and passed a SOC 2 Type II audit and obtained the corresponding report. |
| SOC 2 Type II Report |
A document detailing the SOC 2 Type II audit of a company by an independent entity. |
| SOC 3 |
Service Organization Controls 3 is a standard outlining a service organization's internal controls for the AICPA's five Trust Principles. It contains the same information and standards as SOC 2 but is targeted at a general audience. |
| SOC 3 - Data Center |
Signifies that a processor's data storage solution has a SOC 3 report. |
| SOC 3 Report |
A report that contains the same information as a SOC 2 report, but is intended for a general audience and therefore goes into less detail. |
| SSO |
An authentication scheme that lets users log in to several independent but related systems using a single credential without re-authenticating. |
| Static Application Security Testing (SAST) |
A testing methodology that emphasizes analyzing source code to find security vulnerabilities that make applications susceptible to attack. These scans are done on an application before the code is compiled. |
| Status Page |
A webpage that displays information about outages and scheduled maintenance. |
| Subprocessor |
A third party data processor who has or potentially will have access to or process service and potentially personal data. |
| Swiss-US Privacy Shield |
A framework for regulating transatlantic exchanges of personal data for commercial purposes between the Swiss Administration and the United States. |
| TRUSTe |
An Enterprise Privacy & Data Governance Practices Assessment Criteria. |
| Twitter SSO |
A Single Sign-On (SSO) solution created by Twitter. It give users the ability to sign into applications with their Twitter credentials. |
| Vulnerability Scanning |
Measures taken to use a computer program that assesses computers, servers, networks, or applications for known security weaknesses. |
| Zero-Trust Architecture |
A security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. |
