151 compliance, cybersecurity, and governance terms defined by practitioners, not textbooks.
Agent-to-Agent protocol enabling AI systems to communicate and delegate tasks across organizational boundaries. A2A creates new governance requirements because automated agent interactions bypass traditional human approval workflows.
Security mechanism that restricts system access based on identity, role, or clearance level. SOC 2 maps access controls to CC6.1, where 68% of findings cite accounts active more than 30 days after employee departure.
HIPAA Security Rule category covering policies, procedures, and workforce management that protect ePHI. Administrative safeguards include risk analysis, workforce training, contingency planning, and security management processes.
Organizational framework of policies, oversight structures, and accountability mechanisms that govern AI system development and deployment. Effective AI governance addresses bias, transparency, data privacy, and regulatory compliance across the entire AI lifecycle.
Structured evaluation of threats and impacts associated with AI system deployment. The NIST AI RMF organizes AI risk assessment around four functions: Govern, Map, Measure, and Manage.
Systematic process of identifying, assessing, and mitigating risks from AI systems throughout their lifecycle. ISO 42001 and NIST AI RMF provide the two primary frameworks for structuring AI risk management programs.
Documented catalog of all AI models, algorithms, and automated decision systems deployed within an organization. The EU AI Act requires organizations to maintain inventories that classify each system by risk tier.
Requirement that AI systems disclose their capabilities, limitations, and decision-making processes to affected parties. The EU AI Act mandates transparency obligations for all AI systems interacting with humans.
American Institute of Certified Public Accountants, the professional organization that develops the Trust Services Criteria underpinning SOC 2 audits. AICPA sets the standards that CPA firms use to evaluate service organization controls.
Structured evaluation of how an AI system affects individuals and groups, examining bias, fairness, and civil liberties implications. Required under multiple regulatory frameworks including the EU AI Act for high-risk systems.
Application Programming Interface, a standardized connection point that allows software systems to exchange data. In GRC engineering, APIs connect compliance platforms with cloud providers, identity systems, and evidence repositories.
Approved Scanning Vendor, a company authorized by the PCI Security Standards Council to perform external vulnerability scans. PCI DSS requires ASV scans at least quarterly for organizations handling cardholder data.
State of preparedness where an organization can produce sufficient evidence to satisfy audit requirements on demand. Audit readiness transforms compliance from a periodic scramble into a continuous operating state.
Chronological record of system activities providing documentary evidence of operations, user actions, and data changes. SOC 2 auditors evaluate audit trails under CC7.2 to verify that anomalies are detected and investigated.
One of five SOC 2 Trust Services Criteria, requiring that systems operate and are accessible as committed in service-level agreements. Availability controls cover disaster recovery, capacity planning, and incident response.
Amazon Web Services, the cloud infrastructure platform used by a majority of SOC 2 audit candidates. AWS provides shared responsibility documentation and compliance artifacts through AWS Artifact for audit preparation.
Business Associate Agreement, a HIPAA-mandated contract between a covered entity and any vendor that handles PHI. Without a signed BAA, sharing PHI with a third party constitutes a HIPAA violation regardless of actual data handling practices.
Authentication methods using unique biological characteristics such as fingerprints, facial recognition, or iris patterns. The EU AI Act classifies real-time biometric identification in public spaces as a prohibited AI practice.
HIPAA requirement that covered entities notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals also require notification to HHS and prominent media outlets.
Any person or organization performing functions involving PHI on behalf of a HIPAA covered entity. Business associates carry direct HIPAA liability and face the same penalty structure as covered entities for violations.
Cloud Access Security Broker, a security enforcement point between users and cloud services that applies data loss prevention, access control, and threat protection policies. CASBs provide visibility into shadow IT and unsanctioned SaaS usage.
California Consumer Privacy Act, state legislation granting California residents rights over their personal information including access, deletion, and opt-out of data sales. CCPA applies to businesses exceeding $25 million in annual revenue or handling data of 100,000+ consumers.
Structured process for evaluating, approving, and deploying modifications to IT systems while maintaining compliance controls. SOC 2 maps change management to CC8.1, requiring documented approval workflows and post-deployment validation.
Continuous Integration and Continuous Deployment, the automated pipeline for building, testing, and releasing software changes. GRC engineering embeds compliance checks directly into CI/CD pipelines using policy-as-code tools like OPA.
Center for Internet Security, a nonprofit that publishes security benchmarks and hardening guidelines for operating systems, cloud platforms, and applications. CIS Benchmarks are the most widely adopted baseline for cloud security configurations.
Chief Information Security Officer, the executive responsible for an organization's information security strategy, risk management, and compliance posture. The CISO role has expanded to include AI governance and board-level reporting in most enterprises.
Cybersecurity Maturity Model Certification, a DoD framework requiring defense contractors to meet verified cybersecurity standards before receiving contract awards. CMMC 2.0 defines three maturity levels, with Level 2 aligning to NIST SP 800-171.
Cloud-Native Application Protection Platform, a unified security tool combining CSPM, CWPP, and runtime protection for cloud workloads. CNAPPs replace fragmented point solutions with a single view of cloud security posture.
Use of technology to automate evidence collection, control testing, and audit preparation across regulatory frameworks. Organizations using compliance automation reduce audit preparation time from weeks to days and cut manual effort by 60-80%.
An organization's current state of adherence to applicable regulatory requirements and internal control standards. Compliance posture is measured through continuous monitoring rather than periodic audits in mature GRC programs.
One of five SOC 2 Trust Services Criteria, requiring that information designated as confidential is protected as committed. Confidentiality controls cover encryption, access restrictions, and data handling procedures for sensitive information.
Process of demonstrating that an AI system meets applicable regulatory requirements such as the EU AI Act. Conformity assessment for high-risk AI systems requires third-party evaluation before market placement in the EU.
Automated, ongoing observation of systems and controls to detect security threats and compliance deviations in real time. Continuous monitoring replaces quarterly manual reviews with automated evidence collection and alerting.
A gap where a security control is missing, inadequately designed, or not operating effectively. Auditors classify control deficiencies by severity: a significant deficiency affects the audit opinion while an observation is informational.
Structured set of security and compliance controls that organizations implement to meet regulatory and business objectives. Common control frameworks include NIST CSF, ISO 27001, SOC 2 TSC, and CIS Controls.
Documented plan specifying how an organization will address identified compliance violations or security gaps within a defined timeline. HHS OCR requires corrective action plans in most HIPAA enforcement settlements.
Committee of Sponsoring Organizations of the Treadway Commission, the body that developed the internal controls framework used in financial and compliance auditing. COSO's framework underpins SOC 2 Trust Services Criteria.
Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Covered entities bear primary responsibility for HIPAA compliance and face penalties up to $2.13 million per violation category annually.
Certified in Risk and Information Systems Control, an ISACA certification for professionals managing enterprise IT risk. CRISC holders specialize in identifying, assessing, and responding to information system risks.
Cloud Security Alliance, the industry body that publishes the Cloud Controls Matrix (CCM) and administers the STAR certification program. CSA CCM maps controls across 17 domains for cloud service providers.
Cybersecurity Framework, most commonly referring to NIST CSF, a voluntary framework of standards and best practices for managing cybersecurity risk. NIST CSF 2.0 added a Govern function to the original five: Identify, Protect, Detect, Respond, Recover.
Cloud Security Posture Management, automated tooling that continuously scans cloud environments for misconfigurations, compliance violations, and security risks. CSPM tools typically cover AWS, Azure, and GCP with pre-built policy libraries.
Common Vulnerabilities and Exposures, the global identification system that assigns unique IDs to publicly disclosed security vulnerabilities. Security teams use CVE identifiers to track, prioritize, and verify that specific vulnerabilities are patched.
Common Vulnerability Scoring System, a standardized 0-10 scale for rating the severity of security vulnerabilities. CVSS scores above 9.0 are classified as Critical and typically require patching within 24-48 hours under most vulnerability management policies.
Cloud Workload Protection Platform, security tooling that protects server workloads running in cloud, hybrid, and multi-cloud environments. CWPPs provide runtime protection, vulnerability management, and compliance monitoring at the workload level.
Process of categorizing data by sensitivity level to apply appropriate security controls and access restrictions. Common tiers include Public, Internal, Confidential, and Restricted, each with defined handling requirements.
Data Loss Prevention, technology that monitors and controls data transfers to prevent unauthorized exfiltration of sensitive information. DLP systems scan email, cloud storage, USB devices, and network traffic for policy violations. DLP is required under HIPAA, PCI DSS, and SOC 2.
Data Processing Agreement, a contract required under GDPR between data controllers and processors that specifies how personal data will be handled. DPAs must define processing purposes, data categories, retention periods, and subprocessor arrangements.
Data Protection Impact Assessment, a GDPR-required evaluation of processing activities that pose high risk to individuals' privacy rights. DPIAs must be completed before processing begins and documented for supervisory authority review.
Data Protection Officer, the designated individual responsible for overseeing GDPR compliance within an organization. DPO appointment is mandatory for public authorities and organizations conducting large-scale systematic monitoring.
Endpoint Detection and Response, security technology that continuously monitors endpoint devices for threats and provides automated investigation and remediation. EDR captures process execution, file changes, and network connections for forensic analysis.
Protection of stored data by converting it to ciphertext using encryption algorithms. AES-256 is the standard for encryption at rest, required by HIPAA, PCI DSS, and SOC 2 for sensitive data storage.
Protection of data as it moves between systems using protocols like TLS 1.2 or higher to prevent interception. PCI DSS 4.0 requires TLS 1.2 as the minimum for all cardholder data transmissions.
Electronic Protected Health Information, any PHI created, stored, transmitted, or received in electronic form. The HIPAA Security Rule specifically governs ePHI through administrative, physical, and technical safeguard requirements.
The European Union's Artificial Intelligence Act, the world's first regulatory framework for AI systems. The EU AI Act classifies AI by risk tier: prohibited, high-risk, limited-risk, and minimal-risk, with obligations scaling accordingly. Penalties reach 7% of global annual turnover.
Factor Analysis of Information Risk, a quantitative risk analysis model that expresses cybersecurity risk in financial terms. FAIR replaces subjective risk matrices with probability distributions and dollar estimates.
Federal Risk and Authorization Management Program, the standardized security assessment framework for cloud services used by U.S. federal agencies. FedRAMP authorization requires 325+ controls at the Moderate baseline.
Federal Information Processing Standards, U.S. government standards for cryptographic modules and data security. HIPAA requires FIPS 140-2 validated encryption for protecting ePHI at rest and in transit.
Fundamental Rights Impact Assessment, an evaluation required by the EU AI Act for high-risk AI systems to assess potential effects on fundamental rights. FRIAs examine discrimination, privacy, freedom of expression, and due process impacts.
Assessment comparing current security posture against a target framework to identify control deficiencies. Gap analysis is the standard first step in compliance programs, typically completed 6-12 months before the target audit date.
Generally Accepted Privacy Principles, a framework developed by AICPA and CICA for managing personal information. GAPP defines 10 privacy principles that map to the Privacy criterion in SOC 2 engagements.
Google Cloud Platform, a cloud infrastructure provider offering compute, storage, and AI services with built-in compliance tooling. GCP's Assured Workloads service enforces data residency and regulatory compliance controls.
General Data Protection Regulation, the EU privacy law governing how organizations collect, process, and store personal data of EU residents. GDPR enforces fines up to 4% of global annual turnover or 20 million euros, whichever is higher.
Governance, Risk, and Compliance, the integrated discipline of aligning organizational objectives with risk management and regulatory adherence. GRC engineering automates these three functions through platforms, APIs, and policy-as-code.
Software that centralizes governance, risk management, and compliance operations into a unified system. GRC platforms like Vanta, Drata, and Anecdotes automate evidence collection, control monitoring, and audit preparation across multiple frameworks.
U.S. Department of Health and Human Services, the federal agency responsible for HIPAA enforcement through its Office for Civil Rights (OCR). HHS publishes breach reports, enforcement actions, and compliance guidance for healthcare organizations.
AI systems classified under the EU AI Act as posing significant risks to health, safety, or fundamental rights. High-risk categories include biometric identification, critical infrastructure, and employment decisions. These systems require conformity assessment before deployment.
Health Insurance Portability and Accountability Act, the federal law establishing standards for protecting patient health information. HIPAA comprises the Privacy Rule, Security Rule, and Breach Notification Rule, with penalties reaching $2.13 million per violation category annually.
HIPAA-specific requirement to evaluate threats to ePHI and determine the likelihood and impact of potential breaches. HHS OCR cites failure to conduct risk assessments as the most common finding in enforcement actions.
Health Information Trust Alliance, an organization that publishes the HITRUST CSF, a certifiable security framework incorporating requirements from HIPAA, NIST, ISO, and PCI DSS. HITRUST certification is increasingly required by healthcare payers and large covered entities.
Infrastructure as a Service, a cloud computing model providing virtualized computing resources over the internet. In IaaS environments, the customer is responsible for operating system, application, and data security under the shared responsibility model.
Identity and Access Management, the discipline of ensuring the right individuals access the right resources at the right time. IAM controls cover authentication, authorization, provisioning, and deprovisioning across all systems.
Intrusion Detection System, a monitoring tool that analyzes network traffic or system activity for signs of malicious behavior. An IDS generates alerts but does not block threats, which distinguishes it from an IPS, which takes automated preventive action.
Formal evaluation of how a proposed system, policy, or change affects stakeholders, operations, or compliance obligations. In AI governance, impact assessments evaluate algorithmic fairness, privacy implications, and potential harms to affected populations.
Organized approach to detecting, containing, and recovering from security incidents to minimize damage and restore operations. SOC 2 auditors evaluate incident response under CC7.3, CC7.4, and CC7.5 for detection, analysis, and remediation effectiveness.
Intrusion Prevention System, a network security tool that monitors traffic and automatically blocks detected threats. IPS extends IDS capabilities by taking real-time enforcement actions rather than only generating alerts.
Incident Response Plan, a documented procedure defining how an organization detects, responds to, and recovers from security incidents. SOC 2 requires a tested IRP with defined roles, communication protocols, and escalation procedures.
International standard for information security management systems (ISMS), requiring organizations to systematically manage security risks. ISO 27001:2022 certification involves 93 controls across organizational, people, physical, and technological domains.
International standard for AI management systems (AIMS), published in 2023 as the first certifiable framework for AI governance. ISO 42001 requires organizations to establish policies, risk assessments, and controls for responsible AI use.
Known Exploited Vulnerabilities catalog, maintained by CISA, listing vulnerabilities confirmed to be actively exploited in the wild. Federal agencies must remediate KEV entries within CISA-defined timelines, and private organizations use KEV as a patching priority signal.
Security principle granting users only the minimum access permissions required to perform their job functions. Least privilege reduces blast radius when accounts are compromised and is a foundational requirement across SOC 2, HIPAA, and PCI DSS.
Large Language Model, an AI system trained on massive text datasets to generate, analyze, and transform human language. LLMs introduce governance challenges including hallucination risk, data privacy exposure, and prompt injection vulnerabilities.
Written statement by service organization management that its system description is accurate and controls are suitably designed and operating effectively. The management assertion is a required component of every SOC 2 report.
Mobile Device Management, technology for securing and managing smartphones, tablets, and laptops that access organizational data. HIPAA compliance requires MDM to enforce encryption, remote wipe, and access controls on devices storing ePHI.
Managed Detection and Response, a security service combining technology and human expertise to monitor, detect, and respond to threats. MDR providers operate 24/7 SOCs and deliver faster response times than most in-house security teams.
Multi-Factor Authentication, a security method requiring two or more verification factors to access a system. MFA is mandatory under HIPAA Security Rule, PCI DSS 4.0, and SOC 2 for any system containing sensitive data.
HIPAA principle requiring covered entities to limit PHI access and disclosure to the minimum amount needed for the intended purpose. The standard applies to all uses and disclosures except treatment and payment when requested by the individual.
Documentation artifact describing an AI model's intended use, training data, performance metrics, limitations, and ethical considerations. Model cards are a best practice under both ISO 42001 and the NIST AI RMF for AI transparency.
Mean Time to Contain, the average duration from incident detection to successful containment of the threat. MTTC is a key security operations metric, with top-performing teams targeting containment within 1 hour of detection.
Mean Time to Detect, the average duration from when a security incident begins to when it is identified. Industry median MTTD is 204 days for data breaches according to IBM, making detection speed the highest-leverage security investment.
Mean Time to Remediate, the average duration from incident detection to full resolution. MTTR measures the effectiveness of incident response processes and is tracked as a key performance indicator in SOC operations.
National Institute of Standards and Technology, the U.S. agency that publishes cybersecurity frameworks, standards, and guidelines. NIST publications including the CSF, SP 800-53, and AI RMF form the foundation of most federal and private-sector security programs.
NIST Artificial Intelligence Risk Management Framework, a voluntary framework for managing AI risks across the development lifecycle. NIST AI RMF 1.0 organizes AI risk management into four core functions: Govern, Map, Measure, and Manage.
NIST Cybersecurity Framework, a voluntary framework providing a common language for managing cybersecurity risk. NIST CSF 2.0 includes six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
NIST Special Publication 800-53, the catalog of security and privacy controls for federal information systems. SP 800-53 Rev. 5 contains over 1,000 controls across 20 families and serves as the baseline for FedRAMP and FISMA compliance.
Office for Civil Rights, the HHS division responsible for HIPAA enforcement including complaint investigation, compliance audits, and penalty assessment. OCR publishes all breaches affecting 500+ individuals on the public Breach Portal.
Open Policy Agent, an open-source policy engine that enables policy-as-code enforcement across Kubernetes, APIs, and CI/CD pipelines. OPA evaluates compliance policies in real time, preventing non-compliant configurations from reaching production.
Open Security Controls Assessment Language, a NIST-developed machine-readable format for expressing security control catalogs, baselines, and assessment results. OSCAL enables automated compliance validation across frameworks including FedRAMP and NIST SP 800-53.
Offensive Security Certified Professional, a hands-on penetration testing certification requiring a 24-hour practical exam. OSCP validates the ability to identify vulnerabilities and execute exploits against live systems.
Offensive Security Web Expert, an advanced certification for web application penetration testing. OSWE validates expertise in identifying and exploiting web application vulnerabilities through source code analysis.
Open Worldwide Application Security Project, a nonprofit foundation producing freely available security tools, standards, and knowledge bases. The OWASP Top 10 is the most widely referenced list of critical web application security risks.
Privileged Access Management, controls that secure, monitor, and audit access for accounts with elevated system permissions. PAM solutions enforce just-in-time access, session recording, and credential vaulting for administrator accounts.
Process of testing and applying software updates to fix known vulnerabilities and maintain system security. Most compliance frameworks require critical patches within 14-30 days and CISA KEV patches within defined timelines.
Payment Card Industry Data Security Standard, the set of security requirements for organizations that store, process, or transmit cardholder data. PCI DSS compliance is enforced by payment brands (Visa, Mastercard) and validated through annual assessments.
The current version of the Payment Card Industry Data Security Standard, effective March 2024. PCI DSS 4.0 introduces customized validation approaches, targeted risk analyses, and enhanced authentication requirements including MFA for all access to cardholder data.
Authorized simulated cyberattack against systems to identify exploitable vulnerabilities before adversaries do. SOC 2 auditors evaluate penetration testing evidence under CC4.1, and PCI DSS requires annual penetration tests by qualified assessors.
Protected Health Information, any individually identifiable health information held by a HIPAA covered entity or business associate. PHI encompasses 18 specific identifiers including names, dates, Social Security numbers, and medical record numbers.
HIPAA Security Rule category covering physical measures that protect electronic information systems and facilities from unauthorized access. Physical safeguards include facility access controls, workstation security, and device disposal procedures.
Personally Identifiable Information, any data that can identify a specific individual either directly or in combination with other data. PII protection is required under CCPA, GDPR, and state privacy laws, with definitions varying by jurisdiction.
One of five SOC 2 Trust Services Criteria, addressing how personal information is collected, used, retained, disclosed, and disposed. Privacy controls map to GAPP principles and overlap with GDPR and CCPA requirements.
HIPAA regulation establishing national standards for protecting individuals' medical records and personal health information. The Privacy Rule governs who can access PHI, how it can be used, and when patient authorization is required.
AI applications banned under the EU AI Act as posing unacceptable risk to fundamental rights. Prohibited practices include social scoring, real-time biometric identification in public spaces, and AI systems that exploit vulnerabilities of specific groups.
Quality Management System, a formalized system documenting processes, procedures, and responsibilities for achieving quality objectives. ISO 42001 AI management systems borrow QMS principles from ISO 9001 for governing AI quality and performance.
An auditor's opinion that controls are effective except for specific identified exceptions. A qualified SOC 2 opinion signals to customers that material control deficiencies exist, often triggering vendor review processes.
Responsibility matrix defining who is Responsible, Accountable, Consulted, and Informed for each task or decision. RACI charts are essential in compliance programs to establish clear ownership of controls and audit evidence.
Retrieval-Augmented Generation, an AI architecture that grounds language model outputs in retrieved factual data from external sources. RAG reduces hallucination risk by providing the model with verified source material before generating responses.
Role-Based Access Control, an access management model where permissions are assigned to organizational roles rather than individual users. RBAC simplifies access provisioning and deprovisioning, which SOC 2 auditors evaluate under CC6.1 and CC6.3.
Process of addressing identified security vulnerabilities or compliance gaps through corrective actions. Remediation tracking with defined timelines, owners, and validation steps is a core audit expectation across all compliance frameworks.
Systematic identification and evaluation of risks to ePHI confidentiality, integrity, and availability. HIPAA's Security Rule requires documented risk analysis as the foundation of all subsequent security decisions and safeguard selections.
Structured process of identifying, analyzing, and evaluating organizational risks to inform control selection and resource allocation. Risk assessments combine threat identification, vulnerability analysis, and impact estimation to prioritize security investments.
Documented inventory of identified risks including likelihood, impact, risk owner, and treatment strategy. The risk register is a living document reviewed quarterly by most organizations and is a standard audit artifact for SOC 2 and ISO 27001.
Risk Management Framework, a structured approach for integrating security and risk management into system development lifecycles. NIST RMF (SP 800-37) defines seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
Software as a Service, a cloud delivery model where applications are hosted by a provider and accessed via the internet. SaaS vendors handling sensitive data are primary targets for SOC 2 audits because customers cannot inspect the underlying infrastructure.
Secure Access Service Edge, a cloud architecture combining network security functions (SWG, CASB, FWaaS) with WAN capabilities into a unified service. SASE replaces traditional VPN-based access for distributed workforces.
Securities and Exchange Commission, the U.S. regulator requiring public companies to disclose material cybersecurity incidents within four business days. SEC cybersecurity rules adopted in 2023 also require annual disclosure of cybersecurity governance and risk management processes.
Structured education programs that teach employees to recognize and respond to security threats like phishing, social engineering, and data handling violations. HIPAA, PCI DSS, and SOC 2 all require documented security awareness training at least annually.
HIPAA regulation establishing national standards for protecting ePHI through required administrative, physical, and technical safeguards. The Security Rule specifies both required and addressable implementation specifications.
Unauthorized use of AI tools by employees without organizational approval, creating unmonitored risk exposure. Shadow AI bypasses data governance controls and can expose sensitive data through prompts to external AI services.
Security Information and Event Management, a platform that aggregates and analyzes security log data from across an organization to detect threats. SIEM is a core detection control for SOC 2 (CC7.2) and provides the correlation engine for incident response.
Service Level Agreement, a contractual commitment defining performance standards, uptime guarantees, and remediation procedures between service providers and customers. SOC 2 Availability criteria directly reference SLA commitments.
Security Orchestration, Automation, and Response, a platform that automates incident response workflows by integrating security tools and executing predefined playbooks. SOAR reduces manual response effort and accelerates MTTC.
Centralized facility where security analysts monitor, detect, and respond to cybersecurity incidents in real time. SOCs operate 24/7 using SIEM, EDR, and threat intelligence feeds to maintain continuous security monitoring.
Service Organization Control 2, an audit framework developed by AICPA that evaluates a service organization's controls across five Trust Services Criteria. SOC 2 reports are the standard due diligence requirement for SaaS vendors handling customer data.
A SOC 2 audit that tests both the design and the operating effectiveness of controls over a period of typically six months or longer. Type II reports carry more weight than Type I because they demonstrate sustained compliance, not a single-day snapshot.
Single Sign-On, an authentication scheme allowing users to access multiple applications with one set of credentials. SSO reduces password fatigue and improves security by centralizing authentication, enabling consistent MFA enforcement.
Simulation-based discussion exercise where key stakeholders walk through an incident response scenario without executing actual technical procedures. Tabletop exercises test decision-making, communication protocols, and plan gaps in a low-risk environment.
Required documentation under the EU AI Act proving that high-risk AI systems meet regulatory requirements. Technical documentation must cover system architecture, training data, testing methodology, and performance metrics before market placement.
HIPAA Security Rule category covering technology-based protections for ePHI including access controls, encryption, audit controls, and transmission security. Technical safeguards require both implementation and documented procedures.
Transport Layer Security, a cryptographic protocol securing data in transit between systems over a network. TLS 1.2 is the minimum acceptable version for HIPAA, PCI DSS 4.0, and most compliance frameworks. TLS 1.3 is recommended.
The five AICPA-defined categories that form the basis of SOC 2 audits: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory criterion. Organizations select additional criteria based on their service commitments.
The two forms of SOC 2 audit reports. Type I evaluates control design at a single point in time. Type II evaluates both design and operating effectiveness over a minimum six-month observation period. Type II is the standard enterprise requirement.
Virtual Private Network, a technology creating encrypted tunnels for secure remote access to organizational networks. HIPAA-compliant VPNs require AES-256 encryption and MFA for all workforce members accessing ePHI remotely.
Vendor Risk Management, the process of assessing and monitoring third-party vendors for security, compliance, and operational risks. VRM programs evaluate vendors through security questionnaires, SOC 2 reports, and continuous monitoring.
Continuous process of identifying, classifying, prioritizing, and remediating software vulnerabilities across an organization's infrastructure. Mature vulnerability management programs combine automated scanning, risk-based prioritization, and defined SLAs for remediation timelines.
Web Application Firewall, a security tool that filters and monitors HTTP traffic between web applications and the internet. WAFs protect against OWASP Top 10 threats including SQL injection, cross-site scripting, and request forgery.
HIPAA requirement that all workforce members receive training on policies and procedures for protecting PHI. Training must occur at hiring, periodically thereafter, and whenever material changes to policies are implemented.
Extended Detection and Response, a security platform unifying threat data from endpoints, networks, cloud workloads, and email into a single detection and investigation interface. XDR correlates signals across vectors that SIEM and EDR handle separately.
Zero-Day Response, the security operations process for responding to vulnerabilities that are exploited before a vendor patch is available. Zero-day response requires compensating controls, network segmentation, and accelerated detection.
Security model requiring strict identity verification for every person and device attempting to access resources, regardless of network location. Zero trust operates on "never trust, always verify" and eliminates implicit trust based on network perimeters.
Zero Trust Network Access, a technology that provides secure remote access by verifying identity and context before granting application-level access. ZTNA replaces traditional VPN by connecting users to specific applications rather than entire networks.