Security Glossary

C5

The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020.

C5 Attestation

A report issued by an independent third-party that acts as verification of an organization's compliance with C5 requirements.

CCPA

The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protections for residents of California, in the United States.

COPPA

The Children's Online Privacy Protection Act (COPPA) is a US law governing the collection of data from users under the age of 13, tied to the rules surrounding marketing to underage individuals.

CSA C-STAR Assessment

A robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards.

CSA GDPR Code of Conduct Certification

A certification based on a third-party evaluation of a cloud service provider's compliance with the GDPR.

CSA GDPR Code of Conduct Self-Assessment

A self-assessment that a cloud service provider can complete to evaluate its services' compliance with the GDPR.

CSA STAR

The Cloud Security Alliance's Security, Trust & Assurance Registry Certification is a rigorous third-party independent assessment of the security of a cloud service provider.

CSA STAR - Level 1

A free way for any CSP to provide their customers with the security assurances that a STAR certification offers.

CSA STAR - Level 1 Continuous

A continuously audited version of the CSA STAR - Level 1 certification.

CSA STAR - Level 2

Helps cloud service providers offer more transparency and assurance than Level 1.

CSA STAR - Level 2 Continuous

A continuously audited version of the CSA STAR - Level 2 certification.

CSA STAR - Level 3

Automating the process of validating security control effectiveness in real-time.

CSA STAR Attestation

Provides guidelines for CPAs to use to conduct SOC 2 engagements.

CSA STAR Certification

Based on a third-party audit of a cloud service provider's security.

CSA STAR Self-Assessment

Used to document the security controls provided by cloud computing offerings.

Consensus Assessment Initiative Questionnaire (CAIQ)

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.

EU-US Privacy Shield

A framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.

FDA 21 CFR Part 11

The FDA's regulations for electronic documentation and electronic signatures.

FISMA

The Federal Information Security Management Act (FISMA) of 2002 is a framework of security standards to protect government information that is handled by third-party vendors, contractors, and partners.

FISMA - Data Center

Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA framework.

FISMA - High

A compliance level reserved for third parties handling the highest-impact data, that is, data whose compromise would have severe or catastrophic implications.

FISMA - High - Data Center

Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - High certification.

FISMA - Low

A compliance level reserved for third parties handling information that, if compromised, would have minimally-impactful implications.

FISMA - Low - Data Center

Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - Low certification.

FISMA - Moderate

A compliance level reserved for third parties handling information that, if compromised, would have moderately severe implications.

FISMA - Moderate - Data Center

Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA - Moderate certification.

FedRAMP

A government-wide program that promotes the adoption of secure cloud services across the United States federal government.

FedRAMP - High

High (Impact) data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FedRAMP - Low

Low (Impact) is most appropriate for cloud security offerings where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.

FedRAMP - Moderate

Moderate (Impact) is most appropriate for cloud security offerings where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.

FedRAMP Authorization Report

A report comprising two parts: a full security assessment, which is an independent audit covering a number of parameters, followed by an agency authorization process.

FedRAMP Authorized

Indicates an organization is compliant with the FedRAMP set of security standards.

GDPR

A regulation in EU law on data protection and privacy in the European Union and the European Economic Area.

HIPAA

The Health Insurance Portability and Accountability Act, designed to protect patients' personally identifiable information and healthcare information from nonconsensual disclosure.

HITECH

The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was enacted to promote and expand the adoption of electronic health records.

ISO 22301

An international standard that provides a robust framework for developing effective incident response and recovery procedures to ensure your organization can recover quickly in the event of a disruption.

ISO 27001

An international standard on how to manage information security.

ISO 27001 Certificate

The certificate obtained from ISO 27001 compliance.

ISO 27017

A security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.

ISO 27017 Certificate

The certificate obtained from ISO 27017 compliance.

ISO 27018

The first international standard created specifically for data privacy in cloud computing.

ISO 27018 Certificate

The certificate obtained from ISO 27018 compliance.

ISO 27032

An international standard that provides guidance for improving the state of Cybersecurity.

ISO 27032 Certificate

The certificate obtained from ISO 27032 compliance.

ISO 27701

An international standard on how to manage information security.

ISO 27701 Certificate

The certificate obtained from ISO 27701 compliance.

PCI-DSS

The Payment Card Industry Data Security Standard.

PCI-DSS - Data Center

Signifies that the processor's data storage satisfies the Payment Card Industry Data Security Standard.

PCI-DSS - Level 1

The Payment Card Industry Data Security Standard.

PCI-DSS - Level 1 - Data Center

Signifies that the processor's data storage satisfies Level 1 of the Payment Card Industry Data Security Standard.

PCI-DSS - Level 2

The Payment Card Industry Data Security Standard.

PCI-DSS - Level 2 - Data Center

Signifies that the processor's data storage satisfies Level 2 of the Payment Card Industry Data Security Standard.

PCI-DSS - Level 3

The Payment Card Industry Data Security Standard.

PCI-DSS - Level 3 - Data Center

Signifies that the processor's data storage satisfies Level 3 of the Payment Card Industry Data Security Standard.

PCI-DSS - Level 4

The Payment Card Industry Data Security Standard.

PCI-DSS - Level 4 - Data Center

Signifies that the processor's data storage satisfies Level 4 of the Payment Card Industry Data Security Standard.

PECR

A UK law also known as the Privacy and Electronic Communications Regulations.

POPIA

A South African regulation also known as the Protection of Personal Information Act.

SOC 1

A set of compliance requirements that applies to companies' internal control over financial reporting.

SOC 1 - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 1 audit and obtained the corresponding report.

SOC 1 Type I

An audit and corresponding report focused on describing a service organization's control processes.

SOC 1 Type I - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 1 Type I audit and obtained the corresponding report.

SOC 1 Type I Report

A document detailing the SOC 1 Type I audit of a company by an independent entity.

SOC 1 Type II

A SOC 1 Type II audit and corresponding report.

SOC 1 Type II - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 1 Type II audit and obtained the corresponding report.

SOC 1 Type II Report

A document detailing the SOC 1 Type II audit of a company by an independent entity.

SOC 2

A set of compliance requirements that applies to companies' handling of cloud-based customer data.

SOC 2 - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 2 audit and obtained the corresponding report.

SOC 2 Type I

A certification describing a service organization’s control processes.

SOC 2 Type I - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 2 Type I audit and obtained the corresponding report.

SOC 2 Type I Report

A document detailing the SOC 2 Type I audit of a company by an independent entity.

SOC 2 Type II

A certification describing how a product safeguards customer data and how effective those measures are.

SOC 2 Type II - Data Center

Signifies that a processor's data storage has undergone and passed a SOC 2 Type II audit.

SOC 2 Type II Report

A document detailing the SOC 2 Type II audit of a company by an independent entity.

SOC 3

A standard outlining a service organization's internal controls for the AICPA's five Trust Principles.

SOC 3 - Data Center

Signifies that a processor's data storage solution has a SOC 3 report.

SOC 3 Report

A report intended for a general audience relating to SOC 2.

Swiss-US Privacy Shield

A framework for regulating transatlantic exchanges of personal data.

TRUSTe

An Enterprise Privacy & Data Governance Practices Assessment Criteria.

ePrivacy

An EU directive focused on protecting the confidentiality of electronic communication that occurs between parties.

ADFS SSO

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft....

Apple SSO

Give users the ability to sign into applications with their Apple ID.

Audit Logs

Describes an organization's ability to document activities that impact operations, procedures, or events that occur within its software.

Facebook SSO

A Single Sign-On (SSO) solution created by Facebook. It gives users the ability to sign into applications with their Facebook credentials.

GitHub SSO

A Single Sign-On (SSO) solution created by GitHub. It gives users the ability to sign into applications with their GitHub credentials.

Google SSO

A Single Sign-On (SSO) solution created by Google. It gives users the ability to sign into applications with their Google credentials.

IP-Based Access Control

A control that restricts access to applications or resources based on IP address.

LDAP SSO

A software protocol for authenticating users on an Active Directory (AD) network; it also enables anyone to locate resources on the Internet or on a corporate intranet.

LinkedIn SSO

A Single Sign-On (SSO) solution created by LinkedIn.

Microsoft SSO

A Single Sign-On (SSO) solution created by Microsoft.

Multi-Factor Authentication

An electronic authentication method requiring two or more pieces of evidence (factors) to be presented to an authentication mechanism, drawn from the categories knowledge, possession, and inherence.

Product Security Roadmap

A useful tool to exemplify the actions being taken to secure a product.

Role-Based Access Control (RBAC)

Ability to restrict access based on a person's position.

SAML SSO

Security Assertion Markup Language (SAML) single sign-on.

SCIM User Management

The System for Cross-domain Identity Management (SCIM), a standard used for user management.

SSO

An authentication system using a single credential.

Salesforce SSO

A single sign-on solution created by Salesforce.

Self-Serve User Management

Definition coming soon!

Twitter SSO

A single sign-on solution created by Twitter.

Data Backups

Indicates that an organization has automated and recurring backup procedures.

Data Breach Notification

Indicates that an organization has specific policies related to the notification of users following unauthorized access to data.

Data Encrypted At-Rest

Encryption and protection for stored data.

Data Encrypted In-Transit

Encryption and protection for data as it moves from one location to another.

Data Processing Addendum (DPA)

A contract between data controllers and data processors or data processors and subprocessors.

Data Protection Officer (DPO)

A designated role in an organization for ensuring compliance regarding privacy laws and regulations on personal data.

Data Protection Officer (DPO) Email

The email address to reach a Data Protection Officer.

Data Redundancy

Indicates that the same data is stored in two or more separate places.

Data Removal Requests

The right of individuals to have their personal data erased upon request.

Data Retention Policy

A policy concerning what data should be stored or archived, where that should happen, and for exactly how long.

Passwords Encrypted

The practice of translating login credentials into a secure format for storage.

Privacy Policy

Explains how a website or organization will collect, store, protect, and utilize PII.

Web Cookies

Small blocks of data, created by a web server and placed onto a user’s device.

Incident Response Plan (IRP)

A set of instructions to help employees detect, respond to, and recover from network security incidents in areas like: cybercrime, data loss, and service outages.

Auto Scaling

A cloud computing pattern/technique for dynamically allocating and deallocating computing resources.

Denial of Service (DoS) Protection

Measures taken to protect against Denial of Service attacks, wherein attackers flood the target host/network with incoming traffic until the target is unable to respond or crashes.

Infrastructure Redundancy

The process of adding additional instances of network devices and lines of communication to help ensure network availability and decrease the risk of failure along any critical data paths.

Quality Assurance Testing

Quality Assurance (QA) testing ensures that an organization delivers the best products or services possible.

Service Monitoring

A system or set of tools used to check on the health of servers in a network.

Business Continuity Plan

Outlines how a business will continue operating during an unplanned disruption in service.

Disaster Recovery Plan

A document that outlines a company's response to unplanned incidents such as natural disasters.

Environmental Safeguards

Indicates that a company utilizes environmental and physical controls that work together to protect physical and digital assets from theft and damage.

Environmental Safeguards - Data Center

Indicates a processor's data center implements environmental safeguards.

Bug Bounty

A policy surrounding the potential for individuals to receive recognition or compensation for discovering and reporting bugs.

Dynamic Application Security Testing (DAST)

A method of security testing that emphasizes attacking an application from the outside to find security vulnerabilities.

Penetration Testing

A simulated cyberattack on a system, performed for the purpose of testing the system's security.

Responsible Disclosure

A vulnerability disclosure model.

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) is a testing methodology that emphasizes analyzing source code to find security vulnerabilities.

Vulnerability Scanning

Assesses computers, servers, networks, or applications for known security weaknesses.

Confidentiality Agreements

Indicates that an organization has procedures and policies relating to NDAs and employee confidentiality agreements.

Employee Background Checks

Employers run background checks to avoid hiring someone who may pose a threat to the workplace or become a liability to the employer.

Employee Security Training

A strategy used by IT and security professionals to prevent and mitigate user risk.

Employee Workstations Automatically Locked

The policy of automatically locking employee devices after a period of inactivity and requiring a password to unlock them.

Employee Workstations Encrypted

The policy of encrypting employee hard drives to prevent unauthorized access to data stored on their devices.

Limited Employee Access (Principle of Least Privilege)

The idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function.

Personnel Screening

The practice of analyzing the background of job applicants to ensure their credibility and fit for a role.

Physical Access Control

A system to ensure only authorized individuals are granted access to a company's premises.

Physical Access Control - Data Center

A functioning Physical Access Control System for a processor’s data storage.

Secure Remote Network Access

Any security policy or technology that allows employees to connect to a company's internal network and prevents unauthorized access.

C5 - Data Center

Indicates that a processor’s data storage solution meets the minimum standards of the C5 framework.

Multi-Tenant Architecture

An architecture which allows a single instance of a software application to serve multiple customers.

Sarbanes-Oxley (SOX) - Data Center

Definition coming soon!

Single-Tenant Architecture

A single instance of the software and its supporting infrastructure serves a single customer.

Zero-Trust Architecture

A security framework requiring all users to be authenticated, authorized, and continuously validated.
