Laika Compliance Glossary

  • Compliance

    • Compliance

      Compliance refers to the effort of an organization to ensure it is abiding by industry regulations and government legislation.

    • SOC

      System and Organization Controls refers to reports generated by auditors as defined by the American Institute of Certified Public Accountants (AICPA). These reports are intended for businesses that offer systems as a service to other organizations. SOC is based on five Trust Service Principles: privacy, security, availability, processing integrity, and confidentiality.

    • SOC Type 1

      A Type 1 report describes a service organization’s system and the controls that meet the relevant trust principles.

    • SOC Type 2

      A Type 2 report examines the operating effectiveness of those controls over time, usually over a period of 6-12 months.

    • SOC 1

      Service Organization Control 1 evaluates the effect of a service organization’s controls on financial statements. For example, how effective are auditors in evaluating tax statements?

    • SOC 2

      Service Organization Control 2 is an audit procedure that examines service providers. The audit determines whether they securely manage third-party data to protect information and ensure privacy. SOC 2 compliance is usually a requirement when evaluating SaaS providers.

    • SOC 3

      Service Organization Control 3 is a public report on internal controls over security, availability, processing integrity, and confidentiality. Like all SOC reports, it was established by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and is based on its Trust Service Criteria (TSC).

    • ICFR

      Internal Control over Financial Reporting is a procedure that provides evidence of the reliability of financial reporting and statements.

    • SSAE 18

      Statement on Standards for Attestation Engagements 18 is another auditing standard published by the AICPA. SSAE 18 sets the rules for attesting to internal controls and issuing a SOC report.

    • ISO / IEC 27001

      The International Organization for Standardization and the International Electrotechnical Commission jointly established this standard of best practices for information security management systems. It was designed to apply to a wide variety of businesses and to assess and treat threats and vulnerabilities on a continuous basis.

    • GDPR

      The General Data Protection Regulation was passed by the European Union to govern the collection and processing of individuals’ personal data.

    • HIPAA Privacy Rule

      The Health Information Portability and Accountability Act mandated the creation of a Privacy Rule to protect personal health information. The rule governs the use and disclosure of individuals’ health information by covered entities, e.g. healthcare providers and clearinghouses, health plan entities, and business associates.

    • CCPA

      The California Consumer Privacy Act is a state law that gives consumers the right to know which personal information businesses have collected about them, to have that information deleted, and to opt out of the sale of their personal data. Although the law technically applies only to California residents, consumers move around, so many businesses have implemented best practices in compliance with CCPA.

    • HITECH

      The Health Information Technology for Economic and Clinical Health Act promotes the adoption and use of health information technology.

    • HITRUST

      HITRUST is a business that originally developed the Health Information Trust Common Security Framework (CSF), intended for businesses that create, access, store, or transfer data. It is largely used to comply with ISO 27001 and HIPAA.

    • PCI DSS

      The Payment Card Industry Data Security Standard requires businesses that process, store, or transmit credit card information to maintain and demonstrate a secure digital environment. PCI DSS compliance has four levels, determined by the number of credit card transactions and by the security infrastructure demanded by partners.

    • KYC

      Know Your Customer (or Know Your Client) refers to guidelines that require financial services firms to verify the identity, suitability, and risks involved in maintaining a business relationship with customers or clients. KYC is a specific control that contributes to an Anti-Money Laundering policy.

    • AML

      Anti-Money Laundering compliance focuses on practices that discourage and prevent fraud or crime through money laundering; it prevents criminals from disguising the origin of money in transactions.

    • BSA

      The Bank Secrecy Act was established in 1970 by the US government and requires banks to assist the government in detecting and catching money laundering. It is also known as Anti-Money Laundering.

  • Management and Data

    • ISMS

      An Information Security Management System is a systematic approach to securely managing people, technology, and processes in order to protect organizational information. It supports the implementation of various compliance frameworks, e.g. ISO 27001 and PCI DSS. The goal of an ISMS is to mitigate the risk of a breach while building plans for business continuity.

    • Vendor Management System

      A Vendor Management System is a web-based system that businesses use to select and manage suppliers, procure services, negotiate contracts, control costs, and reduce risk.

    • PHI

      Personal Health Information is protected by the HIPAA Privacy Rule; it refers to any identifiable information about your medical history, such as diagnoses, treatments, and prescriptions.

    • PII

      Personally Identifiable Information is protected by various privacy regulations; it refers to any data that can be used to identify an individual. Examples include name, social security number, birth date and location, and biometric information.

  • Audit

    • Audit

      An audit is an inspection of accounts by an independent organization.

    • AICPA

      The American Institute of Certified Public Accountants is the governing body that sets the regulations and standards for audits such as SOC / SSAE.

    • Controls

      A compliance control is an activity that a business must perform to satisfy the requirements of a compliance framework and mitigate risk.

    • Attestation

      Attestation is a legal acknowledgment of adherence to compliance regulations, most frequently heard in reference to PCI DSS.

    • Policies

      Internal, agreed-upon rules for all members of the organization.

    • Procedures

      A step-by-step guide for complying with a policy.

    • Gap Analysis

      A compliance gap analysis assesses existing policies and practices to determine the corrective actions needed to meet the regulations and requirements of various compliance programs.

    • Framework

      A compliance framework is a structured set of guidelines for aggregating information and implementing applicable requirements, e.g. SOC 2, ISO 27001, HIPAA, PCI, BSA/AML/KYC, Lending.

    • Risk Assessment

      Risk assessment is the process of identifying events that could negatively impact an organization, its assets, or its environment.

  • Tools and People

    • VPN

      Virtual Private Networks extend a secure connection to another network over the internet. They are commonly used to access region-restricted websites and to protect browsing activity.

    • SaaS

      Software as a Service refers to any type of software platform provided to customers as a service-based offering, e.g. management of customer and company data.

    • OAuth

      Open Authorization allows you to exchange information between systems without giving away your password, for example allowing Facebook to gather information from your Netflix account.

    • MFA

      Multi-factor authentication refers to any login process for a secure digital environment that requires two or more steps, e.g. requiring OAuth.

    • CCO

      Chief Compliance Officer; similar to a CISO, your chief of compliance should oversee your company’s information security and privacy policies, practices, and procedures.

    • CISO

      Chief Information Security Officer; this is the point person for all information security policies, procedures, and practices within your company. Don’t have a CISO? Laika’s got you covered.

    • Whistleblower

      Many information security regulations ask businesses to create a system through which employees can alert the appropriate committees to weaknesses or breaches in information security.

    • DDQ

      Distributing Due Diligence Questionnaires (also known as security questionnaires) is common practice when choosing vendors or partners. Though not completely standardized, the questionnaire determines whether a business has appropriate security in place to protect consumer and company data.
