Compliance & Frameworks terms
30 terms
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
NIST Cybersecurity Framework
A voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.
NIST SP 800-53
A NIST publication providing a comprehensive catalog of security and privacy controls for U.S. federal information systems and many private-sector adopters.
NIST SP 800-171
A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.
ISO/IEC 27001
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
ISO/IEC 27002
An international code of practice that provides detailed guidance and implementation advice for the information security controls listed in ISO/IEC 27001 Annex A.
CIS Controls
A prioritized set of best-practice cybersecurity safeguards maintained by the Center for Internet Security to defend against the most common cyberattacks.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
MITRE D3FEND
A MITRE knowledge graph of defensive cybersecurity countermeasures and the digital artifacts they observe or modify, complementing MITRE ATT&CK.
PCI DSS
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
CCPA
The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
HIPAA
The U.S. Health Insurance Portability and Accountability Act, which sets national standards for protecting individually identifiable health information.
Sarbanes-Oxley Act (SOX)
A 2002 U.S. federal law that imposes governance, internal-control, and reporting requirements on publicly traded companies to protect investors.
Gramm-Leach-Bliley Act (GLBA)
A U.S. federal law requiring financial institutions to protect the security and confidentiality of customer non-public personal information.
FERPA
FERPA — definition coming soon.
FISMA
FISMA — definition coming soon.
FedRAMP
FedRAMP — definition coming soon.
CMMC
CMMC — definition coming soon.
SOC 2
SOC 2 — definition coming soon.
COBIT
COBIT — definition coming soon.
ITIL
ITIL — definition coming soon.
OWASP Top 10
OWASP Top 10 — definition coming soon.
SANS Top 25
SANS Top 25 — definition coming soon.
CVE Numbering Authority (CNA)
CVE Numbering Authority (CNA) — definition coming soon.
Trike
Trike — definition coming soon.
DREAD Model
DREAD Model — definition coming soon.
STRIDE Model
STRIDE Model — definition coming soon.
NIST Risk Management Framework
NIST Risk Management Framework — definition coming soon.
Data Protection Impact Assessment
Data Protection Impact Assessment — definition coming soon.