Reference

Security & compliance glossary

A plain-English reference for the acronyms and terms that show up on SOC 2, ISO 27001, NIST, HIPAA, and cyber insurance underwriting questionnaires. Written for founders, operations leads, and finance teams who need to understand what an auditor or underwriter is asking — without a security degree.

Identity & access

MFA — Multi-factor authentication. A second login step beyond your password. The second factor is usually a code from a text message, an authenticator app (Google Authenticator, Duo, Microsoft Authenticator), or a hardware security key. Required by nearly every modern auditor and underwriter.

SSO — Single sign-on. One login that grants access to many connected applications. Lets a company enforce MFA, password rules, and offboarding in one place instead of inside every individual app.

PAM — Privileged access management. Extra controls applied to administrator accounts: vaulted credentials, session recording, and just-in-time access. Reduces the damage a stolen admin password can do.

Least privilege. The principle that every user and system gets only the access they need to do their job — nothing more. The opposite of "everyone is admin."

RBAC — Role-based access control. Permissions assigned by job role (e.g., "Engineer," "Sales Rep") rather than per-person. Makes onboarding, offboarding, and access reviews far simpler.

Endpoint security

EDR — Endpoint detection and response. Modern security software on laptops and servers that watches for and responds to attacks in real time. Common products: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X. Considered the modern replacement for traditional antivirus.

XDR — Extended detection and response. EDR that also pulls in signals from email, cloud, identity, and network sources to correlate threats across the whole environment.

Endpoint hardening. Locking down a device so attackers cannot easily run malicious software. Includes disabling unused features, restricting USB drives, requiring disk encryption, and limiting which applications can run.

MDM — Mobile device management. Centralized control over phones, tablets, and laptops — enforce encryption, require passcodes, deploy software, and remotely wipe lost devices.

Email security

DMARC — Domain-based Message Authentication, Reporting, and Conformance. An email setting that tells receiving mail servers what to do with messages claiming to come from your domain but failing authentication. Properly configured DMARC stops attackers from spoofing your domain.

SPF — Sender Policy Framework. A DNS record listing the mail servers authorized to send email for your domain. One of the two pieces DMARC checks.

DKIM — DomainKeys Identified Mail. A cryptographic signature attached to outgoing email that proves the message actually came from your domain and was not modified in transit. The other piece DMARC checks.
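How the three entries above fit together, as an added example that is not part of the original glossary: a small Python evaluator that applies a DMARC record's alignment modes and policy to a message's SPF and DKIM results. The record, the domain names and the per-message results are constructed for illustration; real receivers also consult the Public Suffix List and the pct= tag.

```python
from dataclasses import dataclass

# Constructed sample DMARC TXT record, as it would be published at _dmarc.example.com
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, filling in DMARC's default alignment modes."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real checkers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResult:
    from_domain: str   # domain in the From: header that the recipient sees
    spf_pass: bool     # did SPF pass for the envelope sender?
    spf_domain: str    # envelope (MAIL FROM) domain that SPF was checked against
    dkim_pass: bool    # did the DKIM signature verify?
    dkim_domain: str   # d= tag of the DKIM-Signature header

def dmarc_verdict(msg: AuthResult, record: str, record_domain: str) -> str:
    """Return 'pass', or the action (none/quarantine/reject) the domain owner requested."""
    tags = parse_dmarc(record)
    # DMARC passes if SPF or DKIM passed AND that check's domain aligns with the From: domain
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Mail whose From: is a subdomain uses the sp= policy when present, otherwise p=
    if msg.from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

The spoofing case the DMARC entry describes is a message whose SPF passes for some unrelated sending domain while the From: header claims example.com: neither check aligns, so the receiver applies p=reject.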

Secure email gateway. A service that filters inbound and outbound email for phishing, malware, and data leaks. Examples: Proofpoint, Mimecast, Microsoft Defender for Office 365.

Phishing simulation. Periodic fake phishing emails sent to staff as ongoing training. Tracks who clicks, who reports, and improves awareness over time.

Network security

RDP — Remote Desktop Protocol. A Windows feature that lets you control a computer remotely as if you were sitting at it. Attackers actively scan the internet for exposed RDP. Insurers and auditors care a lot about whether you have RDP exposed.

VPN — Virtual private network. An encrypted tunnel that lets remote workers reach internal systems as if they were on the office network.

Network segmentation. Splitting a flat network into separate zones (user devices, production systems, sensitive data, etc.) so that compromising one zone does not automatically grant access to all the others.

Zero Trust. A security model that assumes no user, device, or network connection is automatically trustworthy — every access request is verified based on identity, device health, and context. Replaces the older "trusted internal network" assumption.

WAF — Web application firewall. A filter sitting in front of a web application that blocks common attacks (SQL injection, cross-site scripting, abusive traffic).

Backup & recovery

Immutable backups. Backups that cannot be modified or deleted, even by an administrator, for a defined retention period. Designed specifically to survive ransomware attacks that try to destroy backups before encrypting production data.

Air-gapped backups. Backups physically or logically disconnected from the production network. Achieves the same protection as immutability through isolation.

RTO — Recovery time objective. The maximum acceptable time a business function can be down before it causes serious harm. Drives how fast your restore process must be.

RPO — Recovery point objective. The maximum acceptable amount of data loss measured in time (e.g., "we cannot lose more than four hours of data"). Drives how frequently you back up.

Vulnerability management

Vulnerability scanning. Automated tools that scan systems for known security weaknesses based on published vulnerability databases. Catalogs what is missing patches, misconfigured, or exposed.

Patching cadence. How often you apply software updates that fix known security holes. Typical underwriter expectation: critical patches within 30 days, often faster for high-severity vulnerabilities.

Penetration test (pen test). An authorized human attacker tries to break into your systems to find weaknesses that automated scanners miss. Usually done annually or before major releases.

CVE — Common Vulnerabilities and Exposures. The public catalog of known security vulnerabilities. Each entry has a unique ID (e.g., CVE-2024-12345) and a severity score so teams can prioritize.

Incident response & monitoring

IR plan — Incident response plan. A written playbook describing exactly what to do during a security incident: who to call, what to investigate, how to contain damage, when to notify customers and regulators.

Tabletop exercise. A scripted walk-through of an incident scenario where the response team practices the IR plan without touching real systems. Surfaces gaps before a real incident does.

SIEM — Security information and event management. A central system that collects logs from across your environment (servers, cloud, email, endpoints) and alerts on suspicious patterns.

SOC (Security Operations Center). A team — internal or outsourced — that monitors security alerts around the clock. Note: this is a different "SOC" than SOC 2 (the audit standard). They are unrelated.

MDR — Managed detection and response. An outsourced service that combines EDR/SIEM tools with a human team that monitors, investigates, and responds to threats on your behalf.

Data protection

Encryption at rest. Data is encrypted while sitting on disk (databases, backups, file storage). If the storage media is stolen, the data is unreadable without the key.

Encryption in transit. Data is encrypted while moving between systems (web browsers, APIs, mail servers). HTTPS, TLS, and SSH are all examples.

PII — Personally identifiable information. Any information that can identify a specific person (name, email, address, government ID number). Triggers privacy obligations.

PHI — Protected health information. Health-related personal information regulated by HIPAA. Stricter handling requirements than ordinary PII.

PCI — Payment Card Industry. Refers to PCI DSS, the security standard for organizations that handle credit card data.

Data classification. The practice of labeling data by sensitivity (public, internal, confidential, restricted) so that controls can be applied appropriately to each tier.

Frameworks & standards

SOC 2. An audit standard from the AICPA that evaluates how a service organization protects customer data across security, availability, processing integrity, confidentiality, and privacy. Common first audit for SaaS companies. Not the same as SOC (the operations center).

ISO 27001. An international standard for an information security management system (ISMS). Often requested by global enterprise customers.

NIST CSF — NIST Cybersecurity Framework. A widely used U.S. government framework that organizes security work into six functions: govern, identify, protect, detect, respond, recover.

NIST SP 800-171. The control set required for protecting Controlled Unclassified Information (CUI) in non-federal systems. The technical foundation of CMMC Level 2.

CMMC — Cybersecurity Maturity Model Certification. The Department of Defense's certification program for contractors handling federal contract information or CUI.

CIS Controls. A prioritized set of safeguards from the Center for Internet Security designed to defend against the most common attacks.

HIPAA. U.S. healthcare privacy and security regulation governing PHI handling.

GDPR. European Union regulation governing the protection of personal data and the rights of data subjects.

Threats & attacker techniques

Ransomware. Malware that encrypts a victim's data and demands payment for the decryption key. Often combined with data theft and extortion ("pay or we publish").

BEC — Business email compromise. Fraud where an attacker uses a hijacked or spoofed executive or vendor email account to redirect payments or trick staff into sending money or sensitive data.

Phishing. Fraudulent messages (email, text, voice) designed to trick recipients into clicking malicious links, downloading malware, or giving up credentials.

Spear phishing. Phishing targeted at a specific person or company using personalized details, usually harder to detect than mass phishing.

Social engineering. Tricking people (rather than systems) into giving up access or moving money. Phishing, BEC, and pretexting calls are all forms of social engineering.

Insider threat. Security risk originating from current or former employees, contractors, or partners — whether malicious or accidental.

Governance roles

CISO — Chief Information Security Officer. Executive responsible for an organization's information security program and risk posture.

vCISO — Virtual / fractional CISO. An outsourced senior security leader who provides CISO-level guidance on a part-time or project basis, typically for companies not yet large enough to justify a full-time CISO.

DPO — Data Protection Officer. A role required under GDPR for certain organizations, responsible for monitoring compliance with data protection law.

GRC — Governance, risk, and compliance. The function that manages security policies, risk assessments, audits, and regulatory obligations.

Have a term we should add?

This glossary is updated as new questionnaire items, frameworks, and acronyms become common. If something an underwriter, auditor, or customer asked you about is not on this list, we would like to know.

Need help applying these in your environment?

We help SaaS and tech-forward companies design, implement, and document the controls behind these terms — for SOC 2, ISO 27001, cyber insurance, and federal compliance work.