A periodic check that every user still needs the access they hold — the evidence auditors ask for to prove least-privilege is real, not assumed.
An immutable, time-stamped record of who did what and when, so any action can be reconstructed and defended during an audit or investigation.
India’s national computer emergency response team. CERT-In empanelment authorises a firm to perform security audits recognised by Indian regulators.
Under the DPDP Act, permission to process personal data that must be free, specific, informed and withdrawable — with proof of every consent event.
A safeguard — technical, procedural or physical — put in place to reduce a specific risk. Compliance frameworks are essentially structured sets of controls.
The Common Vulnerability Scoring System — a 0–10 severity score that helps teams prioritise which vulnerabilities to fix first.
Dynamic Application Security Testing — probing a running application from the outside to find exploitable flaws in real conditions.
The individual whose personal data is being processed — the DPDP Act’s term for the person the data is about.
A party that processes personal data on behalf of another. A processor’s breach can still be your notification obligation.
India’s Digital Personal Data Protection Act — the national law governing how organisations collect, use, store and protect personal data.
Converting data into an unreadable form that only an authorised key can reverse — protecting information in transit and at rest.
The proof that a control is actually operating — screenshots, configs, logs or records collected and mapped to the requirement it satisfies.
A control that filters network traffic against a defined ruleset, allowing legitimate connections and blocking the rest.
The EU’s General Data Protection Regulation — a strict, extraterritorial data-protection law with significant penalties for non-compliance.
Governance, Risk and Compliance — the discipline of running policy, risk management and regulatory obligations as one coordinated programme.
The US health-sector law setting privacy and security standards for protected health information (PHI).
Identity and Access Management — the systems and policies that decide who can access what, and prove it.
The planned process for detecting, containing, investigating and recovering from a security incident — and learning from it.
The international standard for an Information Security Management System (ISMS) — a risk-based programme for protecting information.
Multi-Factor Authentication — requiring more than one proof of identity (e.g. password plus device) before granting access.
The US National Institute of Standards and Technology Cybersecurity Framework — a widely used, risk-based control framework.
The Payment Card Industry Data Security Standard — mandatory controls for any organisation that stores, processes or transmits cardholder data.
An authorised, simulated attack by security experts to find and demonstrate real, exploitable weaknesses before an attacker does.
Personally Identifiable Information — any data that can identify a specific individual, directly or in combination.
A Qualified Security Assessor — an individual or firm authorised by the PCI Security Standards Council (PCI SSC) to validate PCI DSS compliance.
Role-Based Access Control — granting permissions by job role rather than per person, so access stays consistent and reviewable.
A structured evaluation of what could go wrong, how likely it is and how much it would hurt — the basis for where to invest in security.
Records of Processing Activities — the inventory of what personal data you hold, where it flows and why, that data-protection laws expect you to maintain.
Static Application Security Testing — analysing source code for insecure patterns early in development, before the app is even run.
Security Information and Event Management — a system that aggregates and analyses logs to detect and alert on threats.
Segregation of Duties — splitting sensitive tasks across people so no single individual can complete a high-risk action alone.
An attestation report on how well a service organisation manages security, availability, confidentiality, processing integrity and privacy.
A shareable page where an organisation publishes its security and compliance posture so customers can self-serve due diligence.
Vulnerability Assessment and Penetration Testing — combining automated scanning with expert manual testing to find and prove security gaps.
The risk introduced by third parties with access to your data or systems — assessed and monitored because their breach becomes your problem.
A weakness in a system that could be exploited to compromise its security — the thing testing is designed to surface.
A security model that trusts nothing by default — every request is verified regardless of where it comes from, inside the network or out.
