Compliance Glossary

Common terms, acronyms, and definitions used across our compliance frameworks.

Each entry below gives the term, its category in parentheses, and its definition.

Acceptable Use Policy (AUP) (Governance)
An Acceptable Use Policy (AUP) is a documented set of rules that defines how people may (and may not) use an organization's systems, applications, networks, data, and digital services. Similar policies are commonly expected in information security management systems and cybersecurity programs (for example, ISO/IEC 27001-aligned ISMS programs and NIST-aligned security policies). It establishes clear expectations for employees, contractors, and other authorized users about secure, lawful, and ethical use of technology resources, covering topics like account use, device handling, internet and email activity, data access and sharing, software installation, and acceptable behavior on corporate platforms. In the context of ISO/IEC 42001 (an artificial intelligence management system standard), an AUP commonly extends to acceptable use of AI capabilities as well, including approved AI tools, permitted data types for prompts and uploads, restrictions on sensitive or regulated data, requirements to verify AI outputs before use, and safeguards against misuse such as generating harmful content, bypassing controls, or introducing data leakage. A strong AUP supports governance and risk management by reducing ambiguity, enabling consistent enforcement, and providing a basis for monitoring, training, incident response, and corrective action. It is often paired with user acknowledgement, role-based access controls, and exception handling so the organization can manage real-world needs without weakening security or compliance.

Access Control and Validation Procedures (Security)
Access control and validation procedures are the documented processes an organization uses to grant, modify, review, test, and remove access to systems, applications, data, networks, and physical environments. Access control defines who is allowed to do what, under which conditions, and with what level of privilege. Validation procedures confirm that those access rules are working as intended and remain aligned with business needs, job responsibilities, security policies, and applicable compliance obligations. In practice, this includes user provisioning, role assignments, least privilege reviews, privileged access controls, authentication requirements, periodic user access reviews, access removal during offboarding, and testing to confirm that unauthorized users cannot access restricted resources. These procedures help organizations reduce the risk of data exposure, fraud, operational disruption, insider misuse, and audit failure. They are relevant to startups building basic controls, scaleups formalizing governance, and enterprises managing complex identity, application, and infrastructure environments.

Access Control Policy (Security)
An Access Control Policy is a formal set of rules that defines who (people, services, devices) can access which information and systems, under what conditions, and how that access is granted, changed, and removed. It translates security objectives, such as least privilege and segregation of duties, into practical requirements for identity management, authentication, authorization, and ongoing oversight. A strong access control policy specifies access models (such as role-based or attribute-based access), how roles and permissions are designed and approved, and how privileged or administrative access is restricted and monitored. It also covers the full access lifecycle: onboarding and provisioning, access requests, approvals, periodic reviews, access changes due to job moves, and timely deprovisioning when access is no longer required. The policy typically includes rules for remote access, third-party access, service accounts, emergency or break-glass access, and access to sensitive environments (like production). It is a cornerstone governance document for demonstrating that access is controlled, auditable, and aligned to business need, reducing the risk of unauthorized access, data exposure, and operational disruption.

Access Control (Security)
Access control is a security technique used to regulate who or what can view or use resources in a computing environment. It ensures that only authorized individuals, devices, or systems can access specific information or systems. Access control is a fundamental component of information security, preventing unauthorized access and protecting sensitive data. It encompasses mechanisms such as user authentication, authorization, and policies that define user roles, privileges, and access levels. The term appears in global data protection and compliance standards, including ISO/IEC 27001:2022, where it is used to manage access rights and protect information security within organizations.

Accounting of Disclosures (Privacy)
Accounting of disclosures is a HIPAA privacy concept that refers to a record an organization maintains showing certain disclosures of protected health information outside the organization. Under the HIPAA Privacy Rule (45 CFR 164.528), an individual may request an accounting of disclosures of their protected health information made in the six years before the request; routine disclosures for treatment, payment, and healthcare operations, and disclosures to the individual, are among the categories excluded from the accounting. In practice, the record helps demonstrate when information was shared, with whom it was shared, what was shared, why it was disclosed, and whether the disclosure followed approved privacy and compliance procedures. The purpose is to create transparency and accountability around information sharing, especially when data leaves the normal treatment, payment, healthcare operations, or internal business context. An accounting of disclosures is not simply a technical system log; it is a compliance record that connects a disclosure event to the business purpose, recipient, date, and supporting documentation. Similar accountability concepts appear in other privacy, data protection, and security frameworks as records of processing, disclosure logs, data sharing registers, audit trails, or third-party sharing records. For healthcare organizations, digital health startups, service providers, and enterprise health technology teams, maintaining an accurate accounting of disclosures supports privacy governance, incident review, patient trust, and regulatory readiness.

Addressable Implementation Specification (Governance)
An addressable implementation specification is a security or compliance requirement that an organization must actively evaluate, but may implement in different ways depending on its risk profile, operating environment, resources, and business context. The term comes from the HIPAA Security Rule, which labels each implementation specification as either "required" or "addressable". Addressable does not mean the requirement can be ignored. Instead, the organization must determine whether the specified safeguard is reasonable and appropriate, implement it when suitable, or document why an equivalent alternative control provides comparable protection. This concept helps compliance programs balance prescriptive expectations with practical risk management. For example, a small startup, a regulated SaaS provider, and a large enterprise may all need to address the same control objective, but they may satisfy it through different technical, administrative, or procedural measures. A well-managed addressable implementation specification should be tied to a risk assessment, control rationale, implementation decision, ownership, review cadence, and supporting evidence. The goal is to show that the organization made a deliberate, defensible decision rather than treating flexibility as an exemption.

Addressable Specification (Governance)
An addressable specification is a security, privacy, or compliance requirement that an organization must actively evaluate rather than blindly implement in the same way for every environment. The term is often used to describe a control expectation that is flexible, risk-based, and context-dependent. It does not mean the requirement can be ignored. Instead, the organization must determine whether the specification is reasonable and appropriate based on factors such as business size, system architecture, data sensitivity, threat exposure, cost, operational complexity, and existing safeguards. If the organization implements the specification as written, it should maintain evidence showing how the control works. If it uses an alternative control, it should document why the substitute provides comparable protection. If it does not implement the specification, it should document the rationale and risk acceptance. Addressable specifications help compliance teams avoid checkbox implementation while still requiring disciplined analysis, approval, and evidence.

Administrative Safeguards (Governance)
Administrative safeguards are the governance, management, and people-focused measures an organization uses to reduce information security and compliance risk. They define how security responsibilities are assigned, how risks are assessed, how policies are approved, how personnel are trained, how access is reviewed, how incidents are escalated, and how compliance activities are monitored over time. Unlike technical safeguards, which rely on systems and tools, administrative safeguards focus on decisions, processes, accountability, and documented operating practices. They help organizations translate security expectations into repeatable work: assigning control owners, approving procedures, reviewing vendors, tracking exceptions, documenting risk treatment decisions, and ensuring employees understand their responsibilities. Effective administrative safeguards should be proportionate to the organization's size, industry, data sensitivity, and regulatory exposure. A startup may begin with clear policies, role assignments, and basic security training, while a larger enterprise may need formal committees, risk registers, audit programs, and recurring control reviews. In every case, administrative safeguards create the management structure that makes security controls consistent, measurable, and defensible.

Agent (Security)
An agent is a software component installed on an endpoint, server, cloud workload, or other managed system to collect data, enforce controls, report status, or perform approved security and operational tasks. In information security and GRC programs, agents are commonly used to support asset inventory, endpoint monitoring, vulnerability detection, configuration checks, log collection, policy enforcement, and compliance evidence collection. An agent typically runs with defined permissions and communicates with a central management platform or security service using authenticated and encrypted connections. Because agents often run with elevated privileges and have broad visibility into systems, they are themselves an attractive target and a supply-chain risk; organizations should manage them through secure deployment, version control, least privilege, tamper protection, signed and verified updates, and monitoring of the agent's own health and behavior. Agent-based approaches can provide detailed, near-real-time visibility, but they also introduce operational considerations such as performance impact, compatibility, privacy, and change management. A well-governed agent program helps security and compliance teams maintain reliable system data, demonstrate control operation, and respond more quickly to risk across startups, scaleups, and enterprises.

Appellate Tribunal (Enforcement)
An appellate tribunal is a specialized quasi-judicial body established to hear and adjudicate appeals against orders, directions, or penalties issued by a primary regulatory authority. It functions as an independent oversight mechanism that ensures administrative decisions are legally sound and procedurally fair. In the context of data privacy, an appellate tribunal (in India, for example, the tribunal designated under the data protection law, and similar bodies elsewhere) acts as the first level of judicial review above the data protection regulator. Such tribunals typically hold the powers of a civil court to summon witnesses, review evidence, and enforce attendance. Their authority to confirm, modify, or set aside regulatory orders ensures that strict enforcement actions are balanced with the right to a fair hearing and due process before matters escalate to the higher judiciary.