Glossary

Cybersecurity and Compliance Terms in Plain Language

Use these definitions to understand common requirements, safeguards, evidence practices, and operating responsibilities.

Access review

A periodic check confirming that users and administrators still have appropriate access based on their current responsibilities.

Business continuity

The plans and capabilities used to keep essential operations functioning during disruption.

Control

A safeguard or process designed to reduce risk or satisfy a security requirement.

Control owner

The person accountable for ensuring a control is designed, implemented, reviewed, and maintained.

Cyber insurance

Insurance coverage addressing specified cyber-related losses, subject to policy terms, exclusions, and representations.

Data loss prevention

Policies and technology used to detect or restrict inappropriate handling and sharing of sensitive information.

EDR

Endpoint detection and response technology used to monitor devices, detect suspicious activity, and support investigation and containment.

Encryption

A method of transforming information so it cannot be read without the appropriate cryptographic key.

Evidence

A record showing that a control, review, decision, or activity occurred, including source, date, context, and approval where needed.

HIPAA Security Rule

Federal requirements for administrative, physical, and technical safeguards protecting electronic protected health information.

Incident response

The organized process for identifying, containing, investigating, communicating, recovering from, and documenting a security event.

Least privilege

Providing only the access required to perform an authorized responsibility.

MDR

Managed detection and response, a service combining security monitoring, investigation, and response support.

MFA

Multifactor authentication, which requires more than one type of verification before access is granted.

Recovery time objective

The target period for restoring a system or business function after disruption.

Residual risk

The risk remaining after safeguards and other treatments have been applied.

Risk assessment

A structured process for identifying threats, vulnerabilities, impact, likelihood, existing safeguards, and treatment priorities.

Security questionnaire

A set of questions used by customers, partners, insurers, or other parties to evaluate security practices and supporting evidence.

SOC 2

An independent CPA examination and report concerning controls relevant to selected Trust Services Criteria.

Vendor risk

Security, privacy, operational, and compliance risk introduced by service providers and other external dependencies.

WISP

A written information security plan describing how an organization protects covered information and maintains its security program.

Zero Trust

A security approach that continuously verifies identity, device, context, and authorization rather than relying on network location alone.

Need help applying a term to a real requirement?

Discuss the customer request, framework, insurer question, or security concern creating uncertainty.

Book a Compliance Clarity Call