Security & Compliance Glossary
The terms that show up on cyber insurance applications, audit checklists, and vendor security questionnaires, defined plainly and accurately. No jargon for its own sake.
Attestation
A formal report in which an independent party expresses an opinion on management's assertions about its controls. In a SOC 2 engagement, a licensed CPA firm performs the attestation and issues a report with their opinion. This is distinct from a certification, which results in a pass/fail certificate against a published standard (as with ISO 27001).
EDR (Endpoint Detection and Response)
Software that continuously monitors endpoints (laptops, desktops, and servers) to detect, investigate, and respond to threats. EDR goes beyond traditional signature-based antivirus by watching behavior and giving responders the data to contain an incident. "XDR" extends the same idea across email, network, and cloud signals.
Encryption at rest & in transit
At rest means stored data (on disks, in databases, in backups) is encrypted so it can't be read if the storage is stolen or copied. In transit means data is encrypted while moving across a network, typically using TLS, so it can't be intercepted in flight. Most security questionnaires ask about both.
Incident Response Plan (IRP)
Documented procedures for detecting, responding to, containing, and recovering from security incidents, including who is notified, on what timeline, and who has authority to act. Insurers and auditors expect this to be written down before an incident, not improvised during one.
Least privilege
The principle that users and systems should be granted only the minimum access needed to perform their function, and nothing more. Limiting standing administrative rights is one of the highest-impact ways to reduce the blast radius of a compromised account.
MFA (Multi-Factor Authentication)
Authentication that requires two or more verification factors from different categories: something you know (a password), something you have (a phone or hardware key), or something you are (a fingerprint or face). Two factors from the same category (for example, two passwords) do not count as MFA. It is one of the most effective controls against account takeover, which is why it appears on nearly every cyber insurance application.
PCI DSS (Payment Card Industry Data Security Standard)
A set of security requirements for organizations that store, process, or transmit branded credit card data, governed by the PCI Security Standards Council. The current version is v4.0.1; the previous v3.2.1 was retired, and v4.0's future-dated requirements became mandatory on March 31, 2025.
Penetration test
An authorized, simulated attack against your systems, applications, or network, performed by skilled testers who try to find and often exploit vulnerabilities the way a real attacker would. A pen test is deeper and more manual than a vulnerability scan and usually produces prioritized findings with proof of impact.
Phishing-resistant MFA
MFA that resists phishing and credential interception, such as FIDO2/WebAuthn passkeys and hardware security keys. By contrast, SMS codes and TOTP one-time codes are not considered phishing-resistant, because attackers can capture or relay them in real time. NIST and CISA guidance increasingly point organizations toward phishing-resistant methods for high-value accounts.
RPO / RTO (Recovery Point Objective / Recovery Time Objective)
RPO (Recovery Point Objective) is the maximum acceptable amount of data loss, measured as time (for example, "no more than one hour of data"). RTO (Recovery Time Objective) is the maximum acceptable downtime before operations are restored. Together they define your backup and disaster-recovery targets.
SIEM (Security Information and Event Management)
A system that aggregates and correlates log and event data from across your environment (servers, endpoints, network gear, cloud services) into one place for monitoring, alerting, and analysis. A SIEM is how teams spot patterns that no single log would reveal and reconstruct what happened during an incident.
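To show what "patterns no single log would reveal" means in practice, here is an added example (not part of the original glossary) that correlates two constructed log sources, a VPN gateway and an EDR agent. Neither source alone produces an alert; together they flag a brute-forced login followed by a new service on that user's endpoint. The log format and field names are assumptions made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data) from two separate sources.
VPN_LOG = """\
2024-05-01T02:10:05Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:10:41Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:11:12Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:12:03Z vpn auth=ok user=alice src=203.0.113.7
2024-05-01T09:00:00Z vpn auth=ok user=bob src=198.51.100.9
"""
EDR_LOG = """\
2024-05-01T02:20:30Z edr event=new_service host=WS-ALICE user=alice name=updsvc
2024-05-01T09:05:00Z edr event=process host=WS-BOB user=bob name=outlook.exe
"""

def parse(text):
    """Turn 'timestamp source key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, source, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        ev.update(kv.split("=", 1) for kv in fields)
        events.append(ev)
    return events

def correlate(events, fails=3, window=timedelta(minutes=15)):
    """Alert when a user has >= `fails` VPN failures then a success from the same IP,
    and a new service appears on an endpoint under that user within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)   # (user, src) -> failure timestamps
    suspicious_logins = []         # (user, success time, src)
    alerts = []
    for e in events:
        if e["source"] == "vpn":
            key = (e["user"], e["src"])
            if e["auth"] == "fail":
                failures[key].append(e["ts"])
            elif len([t for t in failures[key] if e["ts"] - t <= window]) >= fails:
                suspicious_logins.append((e["user"], e["ts"], e["src"]))
        elif e["source"] == "edr" and e["event"] == "new_service":
            for user, ts, src in suspicious_logins:
                if e["user"] == user and timedelta(0) <= e["ts"] - ts <= window:
                    alerts.append(f"{user}: brute-forced VPN login from {src} at {ts:%H:%M}Z, "
                                  f"then new service '{e['name']}' on {e['host']} at {e['ts']:%H:%M}Z")
    return alerts

def run():
    """Correlate both sources together; each source alone yields no alert."""
    return correlate(parse(VPN_LOG) + parse(EDR_LOG))
```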
SOC 2 Type I vs Type II
A Type I report assesses whether controls are suitably designed at a single point in time. A Type II report assesses both the design and the operating effectiveness of those controls over a period, commonly 3 to 12 months. Most buyers ask for Type II because it shows the controls actually worked over time.
SSO (Single Sign-On)
An authentication method that lets a user access multiple applications with a single authenticated session, typically through an identity provider. SSO reduces password sprawl and gives you one place to enforce MFA and de-provision access when someone leaves.
Vulnerability scan
An automated scan that checks systems against a database of known vulnerabilities and misconfigurations. It is broader but shallower than a penetration test: good for routine coverage, but it doesn't prove exploitability the way a skilled tester does.
WISP (Written Information Security Program)
A documented plan describing the administrative, technical, and physical safeguards an organization uses to protect sensitive and personal information. Several laws require one, including Massachusetts 201 CMR 17.00 and the FTC Safeguards Rule, and many insurers and contracts now ask for it. (Not to be confused with the telecom term Wireless Internet Service Provider.)
Zero Trust
A security model that assumes no implicit trust based on network location and continuously verifies every request, summarized as "never trust, always verify." Instead of a trusted internal network behind a perimeter, each access decision is evaluated on identity, device health, and context. NIST SP 800-207 is the reference architecture.
Know the terms? Now close the gaps.
These controls aren't just vocabulary; they're exactly what cyber insurers and auditors verify. Strondex checklists turn each one into a concrete, do-this-next step for your own environment.