- CISSP-ISSMP
- Information Systems Security Management Professional — an ISC2 advanced concentration for CISSPs who build, lead, and govern an enterprise security program; it tests management, not hands-on technical depth.
- Security governance
- The system of leadership, structures, and processes by which senior management directs and oversees the security program so it supports — and is accountable to — business objectives.
- Tone at the top
- The visible commitment of executives and the board to security; it sets the culture and is the single biggest driver of whether a security program succeeds.
- Strategic alignment
- Ensuring the security program's goals, investments, and metrics directly support the organization's mission and business strategy rather than operating as a siloed IT function.
- Security strategic plan
- A long-term (3–5 year) plan that defines the security program's vision, goals, and roadmap in alignment with business strategy; tactical and operational plans flow from it.
- Policy vs. standard vs. procedure vs. guideline
- Policy = high-level mandatory intent; standard = mandatory specific requirement; procedure = mandatory step-by-step; guideline = recommended, optional best practice.
- Security policy framework
- The hierarchy of governance documents (policies → standards → baselines → procedures → guidelines) that translates management intent into enforceable, repeatable controls.
- Security program charter
- The authorizing document, signed by senior management, that establishes the security program's mission, authority, scope, and reporting lines.
- RACI matrix
- A responsibility-assignment chart marking who is Responsible, Accountable, Consulted, and Informed for each task — clarifying security roles and preventing gaps or overlap.
- Accountable vs. responsible
- Accountable = the single owner answerable for the outcome (cannot be delegated); responsible = those who do the work. Management is accountable for security; staff are responsible.
- Security steering committee
- A cross-functional group of business and IT leaders that sets security priorities, approves policy, and aligns the program with enterprise objectives.
- Security awareness vs. training vs. education
- Awareness changes behavior (the what); training builds a job skill (the how); education builds understanding and reasoning (the why) — increasing depth in that order.
- Security awareness program
- An ongoing effort to keep every employee mindful of threats and their security responsibilities; the human layer is the most-exploited and most-trainable control.
- Security metrics (KPIs/KRIs)
- Key Performance Indicators measure how well the program runs; Key Risk Indicators give early warning of rising risk. Good metrics are tied to business goals and drive decisions.
- Security balanced scorecard
- A management tool that reports security performance across financial, customer, internal-process, and learning-and-growth perspectives to communicate value to executives.
- Return on Security Investment (ROSI)
- A metric estimating the financial benefit of a control relative to its cost — typically (reduction in ALE − cost of control) ÷ cost of control.
- Total Cost of Ownership (TCO)
- The full lifecycle cost of a security control or system — acquisition plus operation, maintenance, training, and disposal — used to compare investment options.
- Capital expenditure (CapEx) vs. operating expenditure (OpEx)
- CapEx = up-front purchases of long-lived assets (appliances); OpEx = recurring run costs (subscriptions, staff). The mix shapes security budgeting and cloud decisions.
- Security budget justification
- Translating security needs into business language — risk reduction, compliance, and ROSI — so executives fund the program; a core ISSMP leadership skill.
- Security culture
- The shared attitudes and behaviors that make security a normal part of how people work; built through leadership, awareness, accountability, and consistent reinforcement.
- Job rotation
- Periodically moving staff between roles to detect fraud, reduce dependence on any one person, and cross-train — a managerial/administrative control.
- Mandatory vacation
- Requiring employees to take leave so that someone else performs their duties, which can surface concealed fraud or errors; an administrative detective control.
- Separation of duties (SoD)
- Dividing a sensitive task so no single person can complete it alone, reducing fraud and error; collusion would be required to abuse it.
- Least privilege
- Granting each user, process, and role only the minimum access needed to perform its function — limiting the damage from compromise or misuse.
- Need to know
- Restricting access to information to those whose duties require it, even among users with the same clearance level; narrower than least privilege.
- Onboarding (security)
- Provisioning access, conveying policy, and completing background and awareness steps when a person joins, so access is granted correctly from day one.
- Offboarding (security)
- Promptly revoking access, recovering assets, and disabling accounts when a person leaves — a top cause of insider risk when done late or incompletely.
- Background investigation
- Pre-employment screening (criminal, credit, references) proportional to the role's sensitivity; a preventive personnel control against insider risk.
- Insider threat program
- A coordinated effort (HR, legal, security) to deter, detect, and respond to malicious or negligent insiders using monitoring, analytics, and reporting channels.
- Communication plan (security)
- A defined approach for who reports security information to whom, how often, and through what channel — ensuring management visibility and timely escalation.
- Stakeholder management
- Identifying parties affected by security decisions (executives, owners, users, regulators) and managing their expectations and engagement throughout the program.
- Change leadership
- Guiding people through the human side of security change — communicating the why, addressing resistance, and reinforcing new behaviors so controls stick.
- Security maturity model
- A staged framework (e.g., CMMI-style levels) that rates how repeatable, measured, and optimized a security program is, guiding improvement priorities.
- ISO/IEC 27014
- The ISO standard on governance of information security, defining how the governing body should direct and evaluate the security program.
- Risk appetite
- The broad amount and type of risk an organization is willing to pursue or retain to meet its objectives; set by the board and senior management.
- Performance management (security staff)
- Setting objectives, measuring results, and developing security personnel so the team's capabilities match the program's goals.
- Build vs. buy decision
- A management choice between developing a security capability in-house or acquiring it; weighed on cost, expertise, time-to-value, and control.
- Security program scope
- The defined boundary of what the program protects (systems, data, locations, lines of business); a clear scope prevents gaps and over-reach.
- Due diligence
- Doing the research, planning, and ongoing investigation needed to understand and protect the organization — the homework before acting.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do; together they form the prudent-person rule.
- Security organizational structure
- How the security function is positioned and staffed (centralized, decentralized, or hybrid; CISO reporting line) to balance authority, independence, and business reach.
- Systems Development Life Cycle (SDLC)
- The structured phases through which a system is conceived, built, operated, and retired; security must be integrated into every phase, not bolted on at the end.
- Security in the SDLC
- Embedding requirements, design review, secure coding, testing, and accreditation activities throughout the lifecycle so flaws are caught when they are cheapest to fix.
- Requirements phase (security)
- Defining security and privacy requirements early — classification, regulatory needs, and control objectives — so they shape design rather than being retrofitted.
- Secure design principles
- Foundational rules (defense in depth, least privilege, fail securely, economy of mechanism, complete mediation) applied during architecture to reduce attack surface.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design (e.g., with STRIDE) so the right mitigations are built in.
- STRIDE
- A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
- DREAD
- A risk-rating model for threats: Damage, Reproducibility, Exploitability, Affected users, Discoverability — used to prioritize what to fix first.
- Secure coding standards
- Mandated coding practices (input validation, output encoding, parameterized queries) that prevent classes of vulnerabilities such as injection and overflow.
- Static application security testing (SAST)
- Analyzing source code or binaries without executing them to find vulnerabilities early in development (white-box testing).
- Dynamic application security testing (DAST)
- Testing a running application from the outside to find vulnerabilities at runtime (black-box testing); complements SAST.
- Security testing gate
- A checkpoint in the SDLC where a build must pass defined security tests before it advances — enforcing that security is verified, not assumed.
- Certification (system)
- The technical evaluation of a system's controls against requirements to confirm they are implemented and effective; precedes accreditation.
- Accreditation (system)
- Management's formal decision (the authorizing official's) to accept the residual risk and authorize a system to operate.
- Authorization to Operate (ATO)
- The formal approval, signed by the authorizing official, that a system may go live with its risk accepted — the outcome of accreditation.
- NIST Risk Management Framework (RMF)
- A seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) for managing system security risk across the lifecycle (NIST SP 800-37).
- Continuous monitoring
- Ongoing assessment of controls, configurations, and risk after authorization so security keeps pace with change rather than being a point-in-time check.
- Configuration management
- Identifying, controlling, and recording the state of system components so changes are deliberate and the secure baseline is preserved.
- Security baseline
- A documented minimum set of security settings for a system or component; deviations must be justified and approved.
- Change management
- A controlled process to request, assess, approve, implement, and document changes so they do not introduce unmanaged risk.
- Change Advisory Board (CAB)
- The group that reviews and approves significant changes, weighing risk, impact, and rollback before authorizing implementation.
- Patch management
- The process of identifying, testing, and deploying software updates to remediate vulnerabilities within risk-based timelines.
- Vulnerability management
- The ongoing cycle of discovering, prioritizing, remediating, and verifying vulnerabilities across the environment — distinct from one-off scanning.
- Secure decommissioning
- The end-of-life phase that revokes access, sanitizes media, and retires assets so retired systems leave no exploitable data or trust behind.
- Data remanence
- Residual data that persists on media after deletion or formatting and may be recoverable; defeated by proper sanitization.
- Media sanitization
- Removing data so it cannot be recovered: clearing (logical overwrite, adequate for media reused inside the organization), purging (e.g., degaussing or cryptographic erase, for media leaving the organization's control), or destruction (shredding, incineration). NIST SP 800-88 matches the method to the media type and the data's sensitivity.
- Supply chain risk management (SCRM)
- Managing security risk introduced by vendors, components, and software dependencies across acquisition, integration, and maintenance.
- Third-party / vendor risk assessment
- Evaluating a supplier's security posture before and during engagement (questionnaires, audits, SOC 2 reports) to manage outsourced risk.
- Software Bill of Materials (SBOM)
- A formal inventory of the components and dependencies in a software product, enabling rapid response when a component vulnerability is disclosed.
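The "rapid response" use of an SBOM is a matching exercise: walk the inventory and flag every component whose version falls inside an advisory's affected range. The Python below is an added illustration, not code from the page or from any SBOM tool; the CycloneDX-style document is a constructed, minimal sample, and the advisory list uses hypothetical identifiers and component names that describe no real product or flaw. It assumes advisories give a lower bound (optional) and a first fixed version.

```python
"""Match an SBOM's components against vulnerability advisories.

Added illustration, not from the page. The SBOM below is a constructed,
minimal CycloneDX-style document and the advisories carry hypothetical
identifiers and component names; neither describes a real product or flaw.
"""
import json
import re

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "json-parser", "version": "2.3.1",
     "purl": "pkg:maven/org.example/json-parser@2.3.1"},
    {"type": "library", "name": "json-parser", "version": "2.4.0",
     "purl": "pkg:maven/org.example/json-parser@2.4.0"},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"}
  ]
}
"""

# Constructed advisories: a component is affected when
# affected_from <= version < fixed_in (affected_from defaults to 0).
ADVISORIES = [
    {"id": "ADV-0001", "name": "json-parser", "fixed_in": "2.4.0"},
    {"id": "ADV-0002", "name": "http-client", "affected_from": "4.0.0", "fixed_in": "4.5.14"},
    {"id": "ADV-0003", "name": "left-pad", "fixed_in": "1.2.0"},
]


def parse_version(text: str) -> tuple:
    """Turn '4.5.13' (or '2.4.0-rc1') into a comparable tuple of ints.
    A non-numeric segment counts as 0 so comparisons never raise."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def affected_components(sbom_json: str, advisories: list) -> list:
    """Return (purl, version, advisory id) for every component in an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            low = parse_version(adv.get("affected_from", "0"))
            high = parse_version(adv["fixed_in"])
            if low <= version < high:
                hits.append((comp.get("purl", comp["name"]), comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, version, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} ({version}) needs attention")
```

Two of the four components are flagged; the 2.4.0 copy of json-parser sits exactly at the fixed version and is correctly left alone. The version parser is deliberately simple: a pre-release such as 2.4.0-rc1 is treated as 2.4.0, so a real deployment should use an ecosystem-aware comparator (Maven, npm semver, PEP 440) rather than this integer tuple.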
- Secure acquisition
- Building security requirements, evaluation criteria, and contractual obligations into procurement so purchased products and services meet the organization's standards.
- Service Level Agreement (SLA)
- A contract clause defining measurable service commitments (availability, response times); for security, it can mandate patch windows and incident notification.
- Risk
- The likelihood that a threat exploits a vulnerability, combined with the resulting impact on an asset; the core unit security management measures and treats.
- Threat
- Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Asset (security)
- Anything of value to the organization — data, systems, people, reputation — whose protection drives the risk program.
- Risk management lifecycle
- A continuous loop: identify assets and threats, assess risk, choose a treatment, implement controls, and monitor — risk is reduced but never eliminated.
- Risk assessment
- The process of identifying risks and estimating their likelihood and impact, producing a prioritized view to guide treatment (NIST SP 800-30).
- Qualitative risk analysis
- A subjective approach ranking risks high/medium/low using scales and expert judgment; fast and good for prioritization but not expressed in dollars.
- Quantitative risk analysis
- An objective, dollar-based approach using formulas (SLE, ARO, ALE) to express risk financially and cost-justify controls.
- Exposure Factor (EF)
- The percentage of an asset's value lost if a specific risk event occurs; expressed as a decimal in the SLE formula.
- Single Loss Expectancy (SLE)
- The expected monetary loss from one occurrence of a risk: SLE=Asset Value×EF.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year; an event every 25 years is an ARO of 0.04.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE=SLE×ARO. It is the basis for cost-justifying a control.
- Cost-benefit of a control
- A control is justified only when its annual cost is less than the reduction in ALE it provides; spending more than the expected loss is not prudent.
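The SLE, ARO, ALE and ROSI entries above describe one calculation chain, and the cost-benefit rule is the decision that sits on top of it. The Python below carries that chain through and ranks candidate controls. It is an added illustration, not from the page: the asset value, exposure factors, occurrence rates, control names and control costs are all constructed figures chosen so that one control is a clear win, one is barely justified, and one removes all risk yet still fails the rule.

```python
"""Quantitative risk arithmetic (SLE, ALE, ROSI) with a control-selection rule.

Added illustration, not from the page. The asset value, exposure factors,
rates of occurrence, control names and costs below are constructed figures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # annualized cost of running the control
    ef_after: float     # exposure factor once the control is in place
    aro_after: float    # annualized rate of occurrence once the control is in place


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = Asset Value x EF."""
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(asset_value, ef) * aro


def ale_reduction(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """How much the control lowers the yearly expected loss."""
    return ale(asset_value, ef, aro) - ale(asset_value, control.ef_after, control.aro_after)


def rosi(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """ROSI = (reduction in ALE - cost of control) / cost of control."""
    return (ale_reduction(asset_value, ef, aro, control) - control.annual_cost) / control.annual_cost


def is_justified(asset_value: float, ef: float, aro: float, control: Control) -> bool:
    """Cost-benefit rule: the control's annual cost must be below the ALE it removes."""
    return control.annual_cost < ale_reduction(asset_value, ef, aro, control)


def choose_control(asset_value, ef, aro, controls) -> Optional[Control]:
    """Pick the justified control with the best ROSI; None if nothing is worth buying."""
    candidates = [c for c in controls if is_justified(asset_value, ef, aro, c)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: rosi(asset_value, ef, aro, c))


# Constructed scenario: a $500,000 asset, a destructive event that would
# wipe out 60% of its value, expected once every five years (ARO = 0.2).
ASSET_VALUE = 500_000.0
EF = 0.6
ARO = 0.2

# Constructed candidate controls (hypothetical names and figures).
CONTROLS = [
    Control("offline backups", annual_cost=15_000.0, ef_after=0.15, aro_after=0.2),
    Control("endpoint detection", annual_cost=40_000.0, ef_after=0.6, aro_after=0.05),
    Control("full platform rebuild", annual_cost=70_000.0, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, EF):,.0f}  ALE = {ale(ASSET_VALUE, EF, ARO):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:24s} ROSI = {rosi(ASSET_VALUE, EF, ARO, c):+.2f}  "
              f"justified = {is_justified(ASSET_VALUE, EF, ARO, c)}")
    best = choose_control(ASSET_VALUE, EF, ARO, CONTROLS)
    print("choose:", best.name if best else "accept the risk")
```

With these figures SLE is $300,000 and ALE is $60,000 a year. Offline backups cut ALE by $45,000 for $15,000 (ROSI 2.0); endpoint detection also cuts it by $45,000 but costs $40,000 (ROSI 0.13, still justified); the rebuild removes the whole $60,000 of expected loss but costs $70,000, so the rule rejects it even though it leaves zero residual risk. That last case is the point of the cost-benefit entry: eliminating a risk is not automatically prudent.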
- Risk mitigation
- Reducing risk to an acceptable level by implementing controls that lower likelihood or impact.
- Risk transference
- Shifting the financial impact of a risk to a third party, such as through insurance or outsourcing. Legal accountability to customers and regulators usually stays with the organization, so the cost is transferred, not the duty.
- Risk avoidance
- Eliminating a risk by ceasing the activity that creates it.
- Risk acceptance
- A documented, management-approved decision to tolerate a risk and its potential impact; ignoring a risk is not acceptance.
- Residual risk
- The risk that remains after controls are applied; senior management must formally accept it.
- Inherent risk
- The level of risk that exists before any controls are applied — the starting point for choosing treatments.
- Risk register
- A living record of identified risks with their owner, likelihood, impact, treatment, and status — the central artifact of risk management.
- Risk owner
- The individual accountable for managing a specific risk and its treatment decisions — typically a business leader, not the security team alone.
- Key Risk Indicator (KRI)
- A metric that provides early warning that risk exposure is rising toward an unacceptable level, prompting action before an incident occurs.
- Risk tolerance
- The acceptable variation around risk appetite for a specific objective — the practical threshold at which a risk must be treated.
- Risk threshold
- The defined point at which a risk's level triggers escalation or a required treatment decision.
- Control types (by function)
- Preventive (stop), detective (find), corrective (fix), deterrent (discourage), recovery (restore), and compensating (alternative) controls.
- Control categories
- Administrative (policies, training), technical/logical (encryption, access control), and physical (locks, guards) — defense in depth combines all three.
- Compensating control
- An alternative control deployed when a required control is impractical, providing equivalent protection and a documented justification.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- NIST SP 800-30
- The NIST guide for conducting risk assessments, defining the process of identifying threats, vulnerabilities, likelihood, and impact.
- NIST SP 800-37
- The NIST Risk Management Framework, the seven-step process for authorizing and continuously monitoring system risk.
- NIST SP 800-39
- The NIST guide to managing information security risk at the organization, mission, and information-system tiers.
- ISO/IEC 27005
- The ISO standard providing guidelines for information security risk management within an ISMS.
- ISO 31000
- The ISO standard on enterprise risk management principles and guidelines, applicable beyond information security.
- Enterprise Risk Management (ERM)
- An organization-wide approach that treats security risk as one component of total business risk, integrated with strategy and governance.
- Risk heat map
- A visual grid plotting risks by likelihood and impact to communicate priorities to executives at a glance.
- FAIR model
- Factor Analysis of Information Risk — a quantitative framework that decomposes risk into loss frequency and loss magnitude for financial analysis.
- Risk-based decision making
- Prioritizing security effort and spending where they reduce the most risk per dollar, rather than treating all assets equally.
- Threat intelligence
- Evidence-based knowledge about adversaries, their tactics, and indicators, used to anticipate and prioritize defenses and inform risk decisions.
- Quantitative vs. qualitative — when to use
- Use qualitative for fast, broad prioritization and when data is scarce; use quantitative when financial justification and precise comparison are needed.
- Risk treatment plan
- A documented plan recording, for each significant risk, the chosen treatment, owner, controls, timeline, and acceptance — the bridge from assessment to action.
- Security operations (SecOps)
- The day-to-day running of security: monitoring, detection, response, vulnerability handling, and control maintenance that keep the program effective over time.
- Security Operations Center (SOC)
- The team and facility that continuously monitors, detects, and responds to security events across the enterprise.
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs across sources for detection, alerting, and investigation.
- SOAR
- Security Orchestration, Automation, and Response — tooling that automates and coordinates incident workflows to speed and standardize response.
- Continuous monitoring (operations)
- Ongoing collection and analysis of security data so threats and control failures are detected as they happen, not at the next audit.
- Logging and log management
- Capturing, protecting, and retaining event records so activity can be detected, investigated, and proven; logs must be tamper-resistant and time-synced.
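"Tamper-resistant" has a concrete, cheap implementation: chain each log entry to the previous one with a hash, and copy the latest hash somewhere the log host cannot rewrite. The Python below is an added illustration, not from the page or any logging product. The log records are constructed sample events, and the "trusted head" stands in for a hash anchored to a write-once store or a separate log server, which is an assumption of the example. It shows what the chain alone catches (an edited entry) and what it cannot (silent truncation of the tail), and why the external anchor closes that gap.

```python
"""Tamper-evident log via a SHA-256 hash chain with an externally held head.

Added illustration, not from the page. The log records are constructed
sample entries; the "trusted head" stands in for a hash copied to a
write-once store or a separate log server, which is an assumption here.
"""
import hashlib
import json

GENESIS = "0" * 64  # the hash the first entry chains from


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this entry = SHA-256(previous hash || canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record; returns the new head hash (what an anchor should store)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = entry_hash(prev, record)
    chain.append({"record": record, "hash": h})
    return h


def verify(chain: list, trusted_head: str = None):
    """Return (ok, problem). Recomputes every link; if a trusted head hash
    is supplied, also detects truncation or wholesale rewriting of the chain."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return False, f"entry {i} modified or link broken"
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, "head mismatch: entries truncated or chain rewritten"
    return True, None


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "host": "web01", "event": "login", "user": "alice", "ok": True},
    {"ts": "2024-05-01T08:02:17Z", "host": "web01", "event": "sudo", "user": "alice",
     "cmd": "systemctl restart app"},
    {"ts": "2024-05-01T08:05:44Z", "host": "web01", "event": "login", "user": "root", "ok": False},
    {"ts": "2024-05-01T08:06:02Z", "host": "web01", "event": "login", "user": "root", "ok": True},
]


def build_chain(events):
    """Build a chain from scratch and return it with its head hash."""
    chain, head = [], GENESIS
    for e in events:
        head = append(chain, e)
    return chain, head


def tampered_copy(chain, index, **changes):
    """Deep-copy the chain and alter one record without recomputing hashes,
    which is what editing the log file in place produces."""
    copy = json.loads(json.dumps(chain))
    copy[index]["record"].update(changes)
    return copy


if __name__ == "__main__":
    chain, head = build_chain(SAMPLE_EVENTS)
    print("intact:               ", verify(chain, head))
    print("entry 3 edited:       ", verify(tampered_copy(chain, 3, user="alice"), head))
    print("truncated, no anchor: ", verify(chain[:-1]))
    print("truncated, anchored:  ", verify(chain[:-1], head))
```

Rewriting the successful root login as alice's breaks entry 3's hash and every verifier sees it. Deleting that entry instead leaves a chain that still verifies on its own; only the comparison against the anchored head reveals it. In practice the anchor is the log server's own copy of the head, a signed timestamp, or a hash pushed to append-only storage, and the chain should be keyed (HMAC) or signed if the log host itself is in the attacker's hands.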
- Incident
- An event that actually or potentially harms confidentiality, integrity, or availability and warrants a response; distinct from a routine event.
- Event vs. incident
- An event is any observable occurrence; an incident is an event with adverse security consequences that triggers the response process.
- Incident response lifecycle (NIST)
- Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity (NIST SP 800-61).
- Preparation (IR)
- Building the capability before an incident — plans, tools, training, and communications — so response is fast and coordinated when it counts.
- Detection and analysis (IR)
- Identifying that an incident has occurred and determining its scope, type, and severity so response can be prioritized correctly.
- Containment
- Limiting the spread and damage of an incident (short-term and long-term) before eradication — stop the bleeding first.
- Eradication
- Removing the cause of the incident — malware, compromised accounts, and the exploited weakness — from the environment.
- Recovery (IR)
- Restoring affected systems to normal operation and verifying they are clean and monitored before returning them to production.
- Post-incident activity (lessons learned)
- Reviewing the incident and the response to improve plans, controls, and training; the step teams most often skip.
- Computer Security Incident Response Team (CSIRT)
- The designated, trained team responsible for handling security incidents end to end and coordinating across the organization.
- Incident severity classification
- Rating incidents by impact and urgency so response effort, escalation, and notification match the seriousness.
- Escalation procedures
- Defined criteria and paths for raising an incident to higher authority or specialized teams when thresholds are met.
- Chain of custody
- Documentation showing who handled evidence, when, and how — preserving its integrity and admissibility for legal use.
- Digital forensics
- The disciplined collection, preservation, examination, and analysis of digital evidence in a defensible manner.
- Order of volatility
- Collecting evidence from most-volatile to least (CPU/registers and cache → RAM → network state → disk → archives) to avoid losing transient data.
- Evidence preservation
- Protecting original evidence (write-blocking, hashing, imaging) so analysis is done on copies and integrity can be proven.
- Breach notification
- The legal and contractual obligation to inform affected parties and regulators within required timeframes after a data breach.
- Threat hunting
- Proactively searching the environment for adversary activity that evaded automated detection, guided by hypotheses and intelligence.
- Indicators of Compromise (IoC)
- Forensic artifacts (hashes, IPs, domains, behaviors) that signal a system may be breached and feed detection and hunting.
- MITRE ATT&CK
- A knowledge base of real-world adversary tactics and techniques used to map detections, assess coverage, and guide response.
- Cyber Kill Chain
- Lockheed Martin's model of attack stages (recon → weaponization → delivery → exploitation → installation → C2 → actions) used to disrupt attacks early.
- Vulnerability scan vs. penetration test
- A scan automatically finds known weaknesses without exploiting them; a penetration test exploits weaknesses, under written authorization and agreed rules of engagement, to prove real impact.
- Penetration testing oversight
- Managing scope, rules of engagement, authorization, and reporting for tests so they are safe, legal, and produce actionable results.
- Security audit
- An independent, systematic evaluation of controls against a standard or policy, producing findings and recommendations.
- Continuous improvement (operations)
- Using metrics, audits, and lessons learned to refine operations over time so detection and response capability keeps maturing.
- Security monitoring metrics
- Operational measures such as mean time to detect (MTTD) and mean time to respond (MTTR) that gauge and drive SOC performance.
- Managed Security Service Provider (MSSP)
- A third party that delivers security operations (monitoring, detection, response) under contract; managed via SLAs and oversight.
- Contingency management
- The discipline of preparing for, responding to, and recovering from disruptions through business continuity and disaster recovery planning.
- Business Continuity Plan (BCP)
- A plan to keep critical business functions operating during and after a disruption; broader than DR, which focuses on IT.
- Disaster Recovery Plan (DRP)
- The procedures to restore IT systems, data, and infrastructure after a disruptive event; a subset of the overall BCP.
- BCP vs. DRP
- BCP keeps the whole business running (people, processes, facilities); DRP restores the IT systems that support it. DRP serves the BCP.
- Business Impact Analysis (BIA)
- The analysis that identifies critical functions and sets recovery objectives (MTD, RTO, RPO); it is the heart of continuity planning.
- Critical business function
- A process whose loss would cause unacceptable harm; identifying these in the BIA prioritizes recovery effort and resources.
- Maximum Tolerable Downtime (MTD)
- The longest a function can be unavailable before the organization suffers unacceptable harm; it bounds the RTO.
- Recovery Time Objective (RTO)
- The target time to restore a system or function after a disruption; it must be shorter than the MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; it drives how often you back up.
- RTO vs. RPO
- RTO is about TIME to recover; RPO is about DATA you can afford to lose. A 4-hour RTO means restore within 4 hours; a 1-hour RPO means back up at least hourly.
- Work Recovery Time (WRT)
- The time needed after systems are restored to validate data and resume normal business operations; RTO + WRT must fit within the MTD.
- Mean Time Between Failures (MTBF)
- The average operational time between failures of a component; used in availability planning to predict reliability.
- Mean Time To Repair (MTTR)
- The average time to restore a failed component to service; lower MTTR supports tighter RTOs. The SOC metric "mean time to respond" shares the acronym, so a report should state which one it means.
- Hot site
- A fully equipped alternate site with current hardware, software, and near-current data that can take over within hours; the fastest conventional recovery option and, short of a mirror site, the most expensive.
- Warm site
- An alternate site with hardware and connectivity in place but data restored on demand — moderate cost and recovery speed.
- Cold site
- An alternate site with power, cooling, and space only — the cheapest option but the slowest to bring online.
- Mirror / redundant site
- A fully redundant copy of the production environment with real-time data replication for immediate failover; the costliest, fastest option.
- Reciprocal agreement
- A mutual-aid arrangement where two organizations agree to host each other's operations after a disaster; low cost but hard to enforce and capacity-limited.
- Full backup
- A backup of all selected data; fastest to restore from (one set) but slowest and largest to create.
- Incremental backup
- Backs up only data changed since the last backup of any type; fast to create but slow to restore (full plus every increment).
- Differential backup
- Backs up data changed since the last full backup; slower to create than incremental but faster to restore (full plus one differential).
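The trade-off in the three backup entries above (creation cost versus restore chain length, and what happens when one set is lost) is easier to see when computed. The Python below is an added illustration, not from the page or any backup product. The seven-day calendar, the 1,000 GB data set and the 5% daily change rate are constructed assumptions; the sizes are approximations that ignore compression and deduplication.

```python
"""Restore chains and write volume for full, incremental and differential schedules.

Added illustration, not from the page. The seven-day calendar, the 1,000 GB
data set and the 5% daily change rate are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: str        # "full", "incremental" or "differential"
    size_gb: float   # approximate amount written to create the set


def schedule(strategy: str, days: int, full_size_gb: float = 1000.0,
             daily_change: float = 0.05, full_every: int = 7) -> list:
    """One full every `full_every` days, and the chosen strategy on the others.
    An incremental holds one day of change; a differential holds everything
    changed since the last full, so it grows through the week."""
    sets = []
    for d in range(days):
        since_full = d % full_every
        if since_full == 0:
            sets.append(BackupSet(d, "full", full_size_gb))
        elif strategy == "incremental":
            sets.append(BackupSet(d, "incremental", full_size_gb * daily_change))
        elif strategy == "differential":
            sets.append(BackupSet(d, "differential",
                                  full_size_gb * min(1.0, daily_change * since_full)))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_set(sets: list, target_day: int, lost=frozenset()) -> list:
    """Sets needed to recover to the end of `target_day`. Raises if any set the
    chain depends on is in `lost` (corrupt, expired, or missing media)."""
    by_day = {s.day: s for s in sets if s.day <= target_day}
    last_full = max(d for d, s in by_day.items() if s.kind == "full")
    target = by_day[target_day]
    needed = [by_day[last_full]]
    if target.kind == "incremental":
        # every increment after the full, in order, up to and including the target
        needed += [by_day[d] for d in range(last_full + 1, target_day + 1)]
    elif target.kind == "differential":
        needed.append(target)  # only the newest differential is required
    for s in needed:
        if s.day in lost:
            raise RuntimeError(f"restore chain broken: day {s.day} {s.kind} set unavailable")
    return needed


def chain_intact(sets, target_day, lost=frozenset()) -> bool:
    """True if a restore to `target_day` is possible given the lost sets."""
    try:
        restore_set(sets, target_day, lost)
        return True
    except RuntimeError:
        return False


def total_written_gb(sets) -> float:
    """Approximate volume written to create every set in the schedule."""
    return sum(s.size_gb for s in sets)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = schedule(strategy, days=7)
        needed = restore_set(sets, target_day=6)
        print(f"{strategy:12s} written this week: {total_written_gb(sets):5.0f} GB; "
              f"restoring day 6 needs {len(needed)} sets; "
              f"survives losing day 3's set: {chain_intact(sets, 6, lost={3})}")
```

For the week modelled, incrementals write about 1,300 GB and need seven sets to restore Saturday, while differentials write about 2,050 GB and need two. Losing Wednesday's set breaks every later incremental restore but leaves the differential restore of Saturday untouched, which is the resilience argument for differentials (or for synthetic fulls) when media reliability or retention expiry is a concern.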
- 3-2-1 backup rule
- Keep three copies of data, on two different media types, with one copy offsite — a resilient backup strategy against most failure modes.
- Backup vs. archive
- A backup is a recoverable copy for restoration; an archive is long-term retention of data no longer in active use, often for compliance.
- Plan testing — checklist
- The least disruptive BCP test: reviewers verify the plan's contents and contacts on paper without activating anything.
- Plan testing — tabletop / structured walk-through
- Team members talk through their roles in a simulated scenario to find gaps without touching production systems.
- Plan testing — simulation
- A more realistic test that exercises response steps in a controlled scenario without affecting live operations.
- Plan testing — parallel
- Recovery systems are brought up and run alongside production to confirm they work, without taking production offline.
- Plan testing — full interruption
- Production is actually failed over to recovery systems — the most thorough and most risky test; requires management approval.
- ISC2 Code of Ethics
- Four canons every member must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
- Canon precedence (ISC2 ethics)
- When canons conflict, the earlier canon outranks the later — protecting society and the public good comes before all others.
- Regulatory compliance
- Conforming to laws and regulations (e.g., HIPAA, GDPR, SOX, PCI DSS) that apply to the organization's data and industry; non-compliance carries legal and financial penalties.
- GDPR
- The EU General Data Protection Regulation governing personal-data processing of EU residents; defines controller/processor duties, breach notice, and large fines.
- HIPAA
- The U.S. law protecting the privacy and security of protected health information (PHI), with administrative, physical, and technical safeguard requirements.
- PCI DSS
- The Payment Card Industry Data Security Standard — a contractual framework of controls for organizations handling cardholder data.
- Sarbanes-Oxley (SOX)
- U.S. law requiring internal controls over financial reporting for public companies, with IT general controls implications for security.
- Nondisclosure agreement (NDA)
- A contract binding an employee or partner to protect confidential information; a legal/administrative control supporting confidentiality.
- Acceptable Use Policy (AUP)
- A policy defining how employees may use organizational systems and data; sets expectations and the basis for disciplinary action.
- Conflict of interest
- A situation where a person's private interest could improperly influence their duties; managed through disclosure, separation of duties, and ethics policy.
- Compliance program
- An organized framework of policies, controls, monitoring, and reporting that demonstrates the organization meets its legal, regulatory, and contractual security obligations.
- Due diligence vs. due care (legal)
- Due diligence is investigating and planning to meet obligations; due care is the prudent action taken. Courts use both to judge whether an organization was negligent.
- Negligence (security)
- Failing to exercise the due care a reasonable organization would, which can create legal liability after a breach.
- Liability
- Legal responsibility for harm; security management limits liability by demonstrating due care and meeting the standard of a prudent person.
- Standard of care
- The level of caution a reasonable organization in the same industry would exercise; falling below it can establish negligence.
- Intellectual property — types
- Protections for creations: copyright (works), trademark (brand marks), patent (inventions), and trade secret (confidential business value).
- Trade secret
- Confidential business information that derives value from secrecy; protected by reasonable safeguards (NDAs, access control) rather than registration.
- Privacy vs. security
- Security protects data from unauthorized access; privacy governs the appropriate collection, use, and sharing of personal data. They overlap but are not the same.
- Personally Identifiable Information (PII)
- Data that can identify an individual; its handling is governed by privacy laws and requires protection commensurate with sensitivity.
- Data controller vs. data processor
- Under privacy law, the controller decides why and how personal data is processed; the processor acts only on the controller's documented instructions.
- CCPA
- The California Consumer Privacy Act granting California residents rights over their personal data, including access, deletion, and opt-out of sale.
- GLBA
- The Gramm-Leach-Bliley Act requiring U.S. financial institutions to protect customer financial information and explain their data-sharing practices.
- FISMA
- The U.S. Federal Information Security Modernization Act requiring federal agencies to implement risk-based security programs, often using the NIST RMF.
- SOC 2
- An AICPA audit report on a service organization's controls for security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria).
- ISO/IEC 27001
- The international standard specifying requirements for an Information Security Management System (ISMS) and the basis for ISMS certification.
- Regulatory vs. contractual compliance
- Regulatory compliance is mandated by law (HIPAA, GDPR); contractual compliance is required by agreements (PCI DSS, SLAs). Both must be managed.
- Legal hold
- A directive to preserve all potentially relevant data when litigation is anticipated, suspending normal deletion; violating it risks sanctions.
- eDiscovery
- The legal process of identifying, preserving, and producing electronically stored information for litigation or investigation.