Encyclopedia

Compliance & security, defined

The terms that come up in every audit and security programme — explained in plain English by CERT-In empanelled auditors.

A
Access Review (GRC)

A periodic check that every user still needs the access they hold — the evidence auditors ask for to prove least-privilege is real, not assumed.

Audit Trail (GRC)

An immutable, time-stamped record of who did what and when, so any action can be reconstructed and defended during an audit or investigation.
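The property that makes an audit trail defensible is that nobody, including the administrators who run the system, can quietly edit or delete an entry after the fact. One way to get that is a hash chain: each entry commits to the hash of the entry before it, so any change breaks every link after it. The block below is an added example written for this glossary, not code from the page or from any product it describes; the log-service key, the event fields and the three sample events are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumption for this example: the log service holds a secret key that the
# applications writing entries do not have, so someone who can edit stored
# entries cannot recompute valid hashes. The key below is a constructed placeholder.
LOG_KEY = b"demo-log-service-key"
GENESIS = "0" * 64


def entry_hash(prev_hash: str, body: dict) -> str:
    """HMAC-SHA256 over the previous hash plus a canonical JSON encoding of the entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append(trail: list, actor: str, action: str, target: str, ts: Optional[str] = None) -> dict:
    """Append an entry that commits to the hash of the entry before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    body["hash"] = entry_hash(prev, body)  # body is hashed before the hash field exists
    trail.append(body)
    return body


def verify(trail: list) -> Optional[int]:
    """Return the index of the first entry whose chain link is broken, or None if intact.

    Catches edited fields (hash mismatch), deleted entries (seq gap) and
    re-ordered entries (prev mismatch)."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev:
            return i
        if not hmac.compare_digest(entry_hash(prev, body), e["hash"]):
            return i
        prev = e["hash"]
    return None


def build_demo_trail() -> list:
    """Three constructed events with fixed timestamps so the demo is reproducible."""
    trail: list = []
    append(trail, "alice", "login", "vpn", "2024-05-01T09:00:00+00:00")
    append(trail, "alice", "grant_role", "bob:finance_admin", "2024-05-01T09:05:00+00:00")
    append(trail, "bob", "approve_payment", "INV-1042", "2024-05-01T09:07:00+00:00")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact, first bad index:", verify(trail))       # None
    trail[1]["actor"] = "mallory"                          # rewrite history
    print("after tampering, first bad index:", verify(trail))  # 1
```

In production the chain head (the latest hash) is what you anchor externally, for example by forwarding it to a separate WORM store or a different account, because a verifier that only sees the attacker's copy of the trail cannot tell a consistently rewritten chain from the real one.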

C
CERT-In (Regulation)

India’s national computer emergency response team. CERT-In empanelment authorises a firm to perform security audits recognised by Indian regulators.

Consent (Privacy)

Under the DPDP Act, permission to process personal data that must be free, specific, informed and withdrawable — with proof of every consent event.

Control (GRC)

A safeguard — technical, procedural or physical — put in place to reduce a specific risk. Compliance frameworks are essentially structured sets of controls.

CVSS (Testing)

The Common Vulnerability Scoring System — a 0–10 severity score that helps teams prioritise which vulnerabilities to fix first. The base score rates a flaw's intrinsic severity, not the risk it poses in your environment, so prioritisation should also weigh whether the flaw is being exploited and what the affected asset is worth.

D
DAST (Testing)

Dynamic Application Security Testing — probing a running application from the outside to find exploitable flaws in real conditions.

Data Principal (Privacy)

The individual whose personal data is being processed — the DPDP Act’s term for the person the data is about.

Data Processor (Privacy)

A party that processes personal data on behalf of another. A processor’s breach can still be your notification obligation.

DPDP Act (Regulation)

India’s Digital Personal Data Protection Act — the national law governing how organisations collect, use, store and protect personal data.

E
Encryption (Security)

Converting data into an unreadable form that can only be reversed by whoever holds the correct key — protecting information in transit and at rest. The protection is only as strong as the management of that key: who can access it, where it is stored and how it is rotated.

Evidence (GRC)

The proof that a control is actually operating — screenshots, configs, logs or records collected and mapped to the requirement it satisfies.

F
Firewall (Security)

A control that filters network traffic against a defined ruleset, allowing legitimate connections and blocking the rest.

G
GDPR (Regulation)

The EU’s General Data Protection Regulation — a strict, extraterritorial data-protection law with significant penalties for non-compliance.

GRC (GRC)

Governance, Risk and Compliance — the discipline of running policy, risk management and regulatory obligations as one coordinated programme.

H
HIPAA (Regulation)

The US health-sector law setting privacy and security standards for protected health information (PHI).

I
IAM (Security)

Identity and Access Management — the systems and policies that decide who can access what, and prove it.

Incident Response (Security)

The planned process for detecting, containing, investigating and recovering from a security incident — and learning from it.

ISO 27001 (Framework)

The international standard for an Information Security Management System (ISMS) — a risk-based programme for protecting information.

M
MFA (Security)

Multi-Factor Authentication — requiring more than one proof of identity, drawn from different categories (something you know, such as a password; something you have, such as a one-time code from a device; something you are, such as a fingerprint), before granting access.

N
NIST CSF (Framework)

The US National Institute of Standards and Technology Cybersecurity Framework — a widely used, risk-based control framework.

P
PCI DSS (Framework)

The Payment Card Industry Data Security Standard — mandatory controls for any organisation that stores, processes or transmits cardholder data.

Penetration Test (Testing)

An authorised, simulated attack by security experts to find and demonstrate real, exploitable weaknesses before an attacker does.

PII (Privacy)

Personally Identifiable Information — any data that can identify a specific individual, directly or in combination.

Q
QSA (Framework)

A Qualified Security Assessor — an individual or firm certified by the PCI Security Standards Council to assess PCI DSS compliance and produce the Report on Compliance (RoC) that acquirers and card brands accept.

R
RBAC (Security)

Role-Based Access Control — granting permissions by job role rather than per person, so access stays consistent and reviewable.

Risk Assessment (GRC)

A structured evaluation of what could go wrong, how likely it is and how much it would hurt — the basis for where to invest in security.

RoPA (Privacy)

Records of Processing Activities — the inventory of what personal data you hold, where it flows and why, that data-protection laws expect you to maintain.

S
SAST (Testing)

Static Application Security Testing — analysing source code for insecure patterns early in development, before the app is even run.

SIEM (Security)

Security Information and Event Management — a system that aggregates and analyses logs to detect and alert on threats.
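What a SIEM adds over a log store is correlation: a rule that fires on a pattern across many events rather than on any one line. The block below is an added example for this glossary, not code from the page or from any SIEM product, showing one such rule over constructed OpenSSH-style auth lines: five or more failed logins from one source address inside a sliding window, followed by a success from that address. The log lines, the threshold, the window and the assumed year (syslog timestamps carry none) are all illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional

# Constructed sample lines in OpenSSH syslog format; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
May  1 09:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
May  1 09:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
May  1 09:00:05 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
May  1 09:00:06 bastion sshd[1207]: Failed password for deploy from 203.0.113.7 port 51006 ssh2
May  1 09:00:08 bastion sshd[1209]: Failed password for deploy from 203.0.113.7 port 51008 ssh2
May  1 09:00:10 bastion sshd[1211]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
May  1 09:01:00 bastion sshd[1213]: Failed password for alice from 198.51.100.4 port 40000 ssh2
May  1 09:01:20 bastion sshd[1215]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(line: str, year: int = 2024) -> Optional[dict]:
    """Normalise one raw line into a structured event; return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())            # collapse the padded day in "May  1"
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(lines: List[str], threshold: int = 5, window_s: int = 120) -> List[dict]:
    """Sliding-window correlation: >= threshold failures from one IP within window_s seconds,
    then a success from the same IP, raises one alert and resets that IP's state."""
    failures = defaultdict(deque)                 # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()                      # expire failures older than the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "ip": ev["ip"],
                "user": ev["user"],
                "failures": len(recent),
                "ts": ev["ts"].isoformat(),
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The success-after-failures shape is deliberate: failures alone from the internet are background noise on any exposed SSH port, whereas a success from the same source is the event worth paging on. In a real SIEM the same logic is expressed in the product's query language and the parse step is the log source's normalisation schema.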

SoD (GRC)

Segregation of Duties — splitting sensitive tasks across people so no single individual can complete a high-risk action alone.
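The Access Review, RBAC and SoD entries above describe one workflow when put together: roles map to permissions, each job title has a baseline set of roles, and a review compares what people actually hold against that baseline and against the pairs of permissions no one person may combine. The block below is an added example written for this glossary, not code from the page or from any GRC product. The role model, the SoD rules, the HR roster and the identity-provider export are all constructed data standing in for what you would pull from your own systems.

```python
from typing import Dict, List, Set, Tuple

# Constructed role model: role -> permissions it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer":        {"code.read", "code.write", "code.merge"},
    "release_manager": {"code.read", "deploy.prod"},
    "ap_clerk":        {"vendor.create", "invoice.enter"},
    "finance_admin":   {"invoice.enter", "payment.approve"},
    "auditor":         {"code.read", "invoice.read"},
}

# SoD rules: permission pairs that must never sit with one person.
SOD_PAIRS: List[Tuple[str, str]] = [
    ("vendor.create", "payment.approve"),   # create a fake vendor and pay it
    ("code.merge", "deploy.prod"),          # ship your own unreviewed change
]

# Baseline: the roles a job title is expected to hold, per the RBAC design.
BASELINE_ROLES: Dict[str, Set[str]] = {
    "Software Engineer":  {"engineer"},
    "Release Manager":    {"release_manager"},
    "AP Clerk":           {"ap_clerk"},
    "Finance Controller": {"finance_admin"},
    "Internal Auditor":   {"auditor"},
}

# Constructed HR roster (user -> job title, employment status) and IdP export (user -> roles).
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("Software Engineer", "active"),
    "bob":   ("AP Clerk", "active"),
    "carol": ("Finance Controller", "active"),
    "dave":  ("Release Manager", "left"),
}
IDP_EXPORT: Dict[str, Set[str]] = {
    "alice":     {"engineer", "release_manager"},
    "bob":       {"ap_clerk", "finance_admin"},
    "carol":     {"finance_admin"},
    "dave":      {"release_manager"},
    "svc-build": {"engineer"},
}


def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of everything the assigned roles grant; unknown roles grant nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def sod_violations(perms: Set[str]) -> List[Tuple[str, str]]:
    """Which forbidden pairs are fully present in one person's effective permissions."""
    return [(a, b) for a, b in SOD_PAIRS if a in perms and b in perms]


def run_access_review(roster: Dict[str, Tuple[str, str]],
                      export: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, finding_type, detail) rows: the working list for reviewers to sign off."""
    findings: List[Tuple[str, str, str]] = []
    for user, roles in sorted(export.items()):
        if user not in roster:
            findings.append((user, "orphan_account", ", ".join(sorted(roles))))
            continue
        title, status = roster[user]
        if status != "active":
            findings.append((user, "leaver_with_access", ", ".join(sorted(roles))))
            continue
        excess = roles - BASELINE_ROLES.get(title, set())
        if excess:
            findings.append((user, "excess_roles", ", ".join(sorted(excess))))
        for a, b in sod_violations(effective_permissions(roles)):
            findings.append((user, "sod_conflict", f"{a} + {b}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in run_access_review(HR_ROSTER, IDP_EXPORT):
        print(f"{user:10} {kind:20} {detail}")
```

Two details matter for the evidence an auditor will ask for: SoD is evaluated on effective permissions, not role names, because a conflict can be assembled from two roles that each look harmless; and accounts absent from the HR roster (service accounts, contractors) are surfaced rather than skipped, since those are where stale access accumulates. The output of the run, together with each manager's recorded decision to keep or revoke, is the access review evidence.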

SOC 2 (Framework)

An independent auditor's attestation report on a service organisation's controls against the AICPA Trust Services Criteria: security is always in scope, with availability, confidentiality, processing integrity and privacy added as the organisation chooses. A Type I report describes the controls at a point in time; a Type II also tests that they operated effectively over a period.

T
Trust Center (GRC)

A shareable page where an organisation publishes its security and compliance posture so customers can self-serve due diligence.

V
VAPT (Testing)

Vulnerability Assessment and Penetration Testing — combining automated scanning with expert manual testing to find and prove security gaps.

Vendor Risk (GRC)

The risk introduced by third parties with access to your data or systems — assessed and monitored because their breach becomes your problem.

Vulnerability (Security)

A weakness in a system that could be exploited to compromise its security — the thing testing is designed to surface.

Z
Zero Trust (Security)

A security model that trusts nothing by default — every request is verified regardless of where it comes from, inside the network or out.