We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Encyclopedia

Compliance & security, defined

The terms that come up in every audit and security programme — explained in plain English by CERT-In empanelled auditors.

3ABCDEFGHIKLMNPQRSTVWXZ
3
3-D SecureSecurity

An authentication protocol (e.g., the “Verified by Visa” experience) that adds a verification step to online card payments to reduce fraud.

A
Access ReviewGRC

A periodic check that every user still needs the access they hold — the evidence auditors ask for to prove least-privilege is real, not assumed.

Audit TrailGRC

An immutable, time-stamped record of who did what and when, so any action can be reconstructed and defended during an audit or investigation.

ADMFramework

The Architecture Development Method — the step-by-step core of TOGAF for developing and governing enterprise architecture.

ASVTesting

Approved Scanning Vendor — a PCI SSC-approved provider that performs the external vulnerability scans PCI DSS requires quarterly.

ASVSFramework

The OWASP Application Security Verification Standard — a detailed, testable set of application security requirements at three assurance levels.

Attack SurfaceSecurity

The total set of points where an attacker could try to enter or extract data — reducing it is a core defensive goal.

AttestationGRC

A formal statement, often independently examined, that controls or facts meet stated criteria — e.g., a SOC 2 report or a SWIFT KYC-SA attestation.

B
BCPGRC

Business Continuity Plan — documented procedures to keep critical activities running or recover them quickly after a disruption.

BIAGRC

Business Impact Analysis — identifies critical activities and the impact of their disruption over time, setting RTO and RPO targets.

BOLASecurity

Broken Object Level Authorization — the top API security risk, where a user can access objects they shouldn’t by manipulating identifiers.

Business AssociateRegulation

Under HIPAA, a vendor that handles protected health information for a covered entity — bound by a Business Associate Agreement (BAA).

C
CERT-InRegulation

India’s national computer emergency response team. CERT-In empanelment authorises a firm to perform security audits recognised by Indian regulators.

ConsentPrivacy

Under the DPDP Act, permission to process personal data that must be free, specific, informed and withdrawable — with proof of every consent event.

ControlGRC

A safeguard — technical, procedural or physical — put in place to reduce a specific risk. Compliance frameworks are essentially structured sets of controls.

CVSSTesting

The Common Vulnerability Scoring System — a 0–10 severity score that helps teams prioritise which vulnerabilities to fix first.

CAIQFramework

Consensus Assessments Initiative Questionnaire — the CSA self-assessment aligned to the Cloud Controls Matrix.

CCMPGRC

Cyber Crisis Management Plan — an organisation’s plan to detect, respond to, contain and recover from a major cyber incident, expected by RBI.

CDEFramework

Cardholder Data Environment — every system that stores, processes or transmits payment card data, plus connected systems; the core of PCI scope.

CIS BenchmarksFramework

Consensus secure-configuration baselines for operating systems, cloud and applications, published by the Center for Internet Security.

CISOGRC

Chief Information Security Officer — the executive accountable for an organisation’s information-security strategy and programme.

CMDBGRC

Configuration Management Database — a record of IT assets (configuration items) and their relationships, underpinning change and asset control.

CMMCFramework

Cybersecurity Maturity Model Certification — the US DoD programme verifying contractors protect FCI and CUI, built on NIST 800-171.

COBITFramework

ISACA’s framework for the governance and management of enterprise IT — 40 objectives across five domains.

Compensating ControlSecurity

An alternative control used when a required control is not feasible, providing a similar level of protection with documented justification.

CSPMSecurity

Cloud Security Posture Management — continuous checking of cloud configurations against best practice to catch misconfigurations.

CUIRegulation

Controlled Unclassified Information — US government information requiring safeguarding under NIST 800-171 and CMMC.

CVESecurity

Common Vulnerabilities and Exposures — a standard identifier for a specific, publicly known security vulnerability.

CWESecurity

Common Weakness Enumeration — a standard identifier for a type of software weakness (e.g., CWE-79 is cross-site scripting).

D
DASTTesting

Dynamic Application Security Testing — probing a running application from the outside to find exploitable flaws in real conditions.

Data PrincipalPrivacy

The individual whose personal data is being processed — the DPDP Act’s term for the person the data is about.

Data ProcessorPrivacy

A party that processes personal data on behalf of another. A processor’s breach can still be your notification obligation.

DPDP ActRegulation

India’s Digital Personal Data Protection Act — the national law governing how organisations collect, use, store and protect personal data.

Data FiduciaryPrivacy

Under the DPDP Act, the entity that determines the purpose and means of processing personal data — equivalent to a GDPR controller.

Data LocalisationRegulation

A legal requirement to store (and sometimes process) data within a country’s borders — e.g., RBI’s payment-data localisation directive.

DDoSSecurity

Distributed Denial of Service — flooding a system with traffic from many sources to make it unavailable.

DLPSecurity

Data Loss Prevention — controls that detect and stop sensitive data from leaving an organisation improperly.

DPIAPrivacy

Data Protection Impact Assessment — a structured assessment of privacy risks for high-risk processing, required by GDPR and for DPDP SDFs.

DPOPrivacy

Data Protection Officer — the role accountable for privacy compliance; mandatory for Significant Data Fiduciaries under the DPDP Act.

DRGRC

Disaster Recovery — the technology-focused process of restoring IT systems and data after a disruptive event.

E
EncryptionSecurity

Converting data into an unreadable form that only an authorised key can reverse — protecting information in transit and at rest.

EvidenceGRC

The proof that a control is actually operating — screenshots, configs, logs or records collected and mapped to the requirement it satisfies.

ECCFramework

Essential Cybersecurity Controls — Saudi Arabia’s mandatory baseline controls issued by the National Cybersecurity Authority (NCA).

Escrow AccountGRC

A bank account through which a payment aggregator must route funds without using them, per RBI PA-PG guidelines.

Essential EightFramework

The Australian Signals Directorate’s eight prioritised mitigation strategies against common cyber attacks.

F
FirewallSecurity

A control that filters network traffic against a defined ruleset, allowing legitimate connections and blocking the rest.

FCIRegulation

Federal Contract Information — US government contract information requiring basic safeguarding under CMMC Level 1.

FedRAMPFramework

The US programme for authorising cloud services for government use, built on NIST 800-53 baselines.

FIPRegulation

Financial Information Provider — in India’s Account Aggregator ecosystem, an institution that holds and shares customer financial data on consent.

FIURegulation

Financial Information User — in the Account Aggregator ecosystem, an institution that consumes shared financial data to provide services.

G
GDPRRegulation

The EU’s General Data Protection Regulation — a strict, extraterritorial data-protection law with significant penalties for non-compliance.

GRCGRC

Governance, Risk and Compliance — the discipline of running policy, risk management and regulatory obligations as one coordinated programme.

H
HIPAARegulation

The US health-sector law setting privacy and security standards for protected health information (PHI).

HardeningSecurity

Reducing a system’s attack surface by removing unnecessary services, changing defaults and applying secure configuration.

HITRUSTFramework

A certifiable security framework that harmonises HIPAA, ISO, NIST and PCI — common in US healthcare.

HSMSecurity

Hardware Security Module — a tamper-resistant device that securely generates, stores and uses cryptographic keys.

I
IAMSecurity

Identity and Access Management — the systems and policies that decide who can access what, and prove it.

Incident ResponseSecurity

The planned process for detecting, containing, investigating and recovering from a security incident — and learning from it.

ISO 27001Framework

The international standard for an Information Security Management System (ISMS) — a risk-based programme for protecting information.

ICSSecurity

Industrial Control Systems — the operational technology running physical processes in manufacturing, utilities and infrastructure (see IEC 62443).

IDORSecurity

Insecure Direct Object Reference — accessing data by manipulating an identifier because authorisation is not properly enforced.

IEC 62443Framework

The leading standard series for the cybersecurity of industrial automation and control systems (OT).

ISMSFramework

Information Security Management System — the risk-based system of policies, processes and controls certified by ISO 27001.

ITGCFramework

IT General Controls — foundational controls over access, change and operations that underpin reliable financial systems (key to SOX).

K
KRIGRC

Key Risk Indicator — a metric that signals rising risk exposure, used to monitor and escalate risks proactively.

L
Least PrivilegeSecurity

Granting users and systems only the minimum access needed to do their job — a core access-control principle.

M
MFASecurity

Multi-Factor Authentication — requiring more than one proof of identity (e.g. password plus device) before granting access.

MASVSFramework

The OWASP Mobile Application Security Verification Standard — testable security requirements for mobile apps.

Maturity ModelGRC

A scale (often 0–5) describing how well-defined, managed and optimised a process or control is, used to set targets and measure progress.

MITRE ATLASFramework

A knowledge base of adversarial threats to AI and machine-learning systems, extending ATT&CK into the AI domain.

MITRE ATT&CKFramework

A knowledge base of real-world adversary tactics and techniques, used for detection, threat hunting and red teaming.

MTTDSecurity

Mean Time to Detect — the average time to identify a security incident; a key metric for detection capability.

MTTRSecurity

Mean Time to Respond or Recover — the average time to contain or recover from an incident.

N
NIST CSFFramework

The US National Institute of Standards and Technology Cybersecurity Framework — a widely used, risk-based control framework.

NBFCRegulation

Non-Banking Financial Company — an RBI-regulated financial institution subject to graded IT governance and cyber expectations.

NESARegulation

The UAE Information Assurance standards (historically under NESA) for government and critical entities.

P
PCI DSSFramework

The Payment Card Industry Data Security Standard — mandatory controls for any organisation that stores, processes or transmits cardholder data.

Penetration TestTesting

An authorised, simulated attack by security experts to find and demonstrate real, exploitable weaknesses before an attacker does.

PIIPrivacy

Personally Identifiable Information — any data that can identify a specific individual, directly or in combination.

P2PEFramework

Point-to-Point Encryption — encrypting card data from the payment terminal to a secure decryption environment, reducing PCI scope.

PA-PGRegulation

RBI’s guidelines regulating Payment Aggregators and Payment Gateways, including authorisation and an annual System Audit.

PHIPrivacy

Protected Health Information — health data protected under HIPAA’s Privacy and Security Rules.

PIMSFramework

Privacy Information Management System — the privacy management system certified by ISO 27701, extending ISO 27001.

POA&MGRC

Plan of Action and Milestones — a tracked list of open security gaps with owners and remediation dates (used in NIST/FedRAMP/CMMC).

PPIRegulation

Prepaid Payment Instrument — wallets and prepaid cards regulated by RBI’s MD-PPI, subject to periodic system audit.

Purple TeamTesting

A collaborative exercise where offensive (red) and defensive (blue) teams work together to improve detection and response.

Q
QSAFramework

A Qualified Security Assessor — an individual or firm authorised by the PCI Council to validate PCI DSS compliance.

R
RBACSecurity

Role-Based Access Control — granting permissions by job role rather than per person, so access stays consistent and reviewable.

Risk AssessmentGRC

A structured evaluation of what could go wrong, how likely it is and how much it would hurt — the basis for where to invest in security.

RoPAPrivacy

Records of Processing Activities — the inventory of what personal data you hold, where it flows and why, that data-protection laws expect you to maintain.

Red TeamTesting

An objective-driven adversary-emulation exercise that tests people, process and technology the way a real attacker would.

RMFFramework

The NIST Risk Management Framework — a seven-step process to categorise, select, implement, assess, authorise and monitor system controls.

ROCGRC

Report on Compliance — the formal PCI DSS assessment report produced by a QSA for Level 1 merchants and service providers.

RPOGRC

Recovery Point Objective — the maximum acceptable amount of data loss, measured in time, after a disruption.

RTOGRC

Recovery Time Objective — the maximum acceptable time to restore a critical activity after a disruption.

S
SASTTesting

Static Application Security Testing — analysing source code for insecure patterns early in development, before the app is even run.

SIEMSecurity

Security Information and Event Management — a system that aggregates and analyses logs to detect and alert on threats.

SoDGRC

Segregation of Duties — splitting sensitive tasks across people so no single individual can complete a high-risk action alone.

SOC 2Framework

An attestation report on how well a service organisation manages security, availability, confidentiality, processing integrity and privacy.

SABSAFramework

A business-driven, risk-based methodology for developing enterprise security architecture, often used with TOGAF.

SADSecurity

Sensitive Authentication Data — full track data, card verification values and PINs that must never be stored after authorisation under PCI DSS.

SAQGRC

Self-Assessment Questionnaire — the PCI DSS self-validation form; the correct SAQ type depends on how you accept card payments.

SARGRC

System Audit Report — the annual audit a CERT-In empanelled auditor produces for RBI-authorised payment system operators.

SBOMSecurity

Software Bill of Materials — an inventory of the components and dependencies in a piece of software, aiding vulnerability management.

SDFRegulation

Significant Data Fiduciary — a DPDP Act designation carrying extra duties (DPO, DPIA, independent audit) based on volume and risk.

SegmentationSecurity

Isolating parts of a network so that a compromise in one zone cannot easily spread — a key way to reduce PCI scope and limit blast radius.

SLAGRC

Service Level Agreement — a documented commitment to service performance (e.g., uptime, response times) between provider and customer.

SoAGRC

Statement of Applicability — the central ISO 27001 document listing which Annex A controls apply, why, and their status.

SPRSRegulation

Supplier Performance Risk System — where US contractors submit their NIST 800-171 self-assessment score for CMMC.

SSRFSecurity

Server-Side Request Forgery — tricking a server into making unintended requests, potentially reaching internal systems.

STARFramework

The CSA Security, Trust, Assurance and Risk programme — a registry and certification/attestation for cloud providers’ security.

T
Trust CenterGRC

A shareable page where an organisation publishes its security and compliance posture so customers can self-serve due diligence.

Threat ModellingSecurity

A structured exercise to identify how a system could be attacked and which defences matter most — done early in design.

TISAXFramework

The automotive industry’s information-security assessment and exchange standard, based on the VDA ISA and aligned to ISO 27001.

TOGAFFramework

The Open Group Architecture Framework — the leading enterprise-architecture framework and method (the ADM).

TokenisationSecurity

Replacing sensitive data (like a card number) with a non-sensitive token, so systems handle tokens instead of real data and reduce scope.

TPAPRegulation

Third-Party Application Provider — a UPI app (e.g., a payment app) that must pass NPCI-mandated security audits.

TPRAGRC

Third-Party Risk Assessment — evaluating the security and compliance risk a vendor introduces before and during the relationship.

TSCFramework

Trust Services Criteria — the AICPA criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) behind a SOC 2 report.

V
VAPTTesting

Vulnerability Assessment and Penetration Testing — combining automated scanning with expert manual testing to find and prove security gaps.

Vendor RiskGRC

The risk introduced by third parties with access to your data or systems — assessed and monitored because their breach becomes your problem.

VulnerabilitySecurity

A weakness in a system that could be exploited to compromise its security — the thing testing is designed to surface.

W
WAFSecurity

Web Application Firewall — filters and monitors HTTP traffic to protect applications from common attacks like injection and XSS.

X
XSSSecurity

Cross-Site Scripting — injecting malicious scripts into web pages viewed by other users; a common and high-impact web flaw.

Z
Zero TrustSecurity

A security model that trusts nothing by default — every request is verified regardless of where it comes from, inside the network or out.