Cybersecurity and Compliance Terms and Acronyms
The cybersecurity and compliance industries are rife with terms and acronyms. This section defines some of the most common ones in plain language.
Two-Factor Authentication (2FA) is authentication that requires two different classes of evidence, called factors, before an identity is accepted: something the user knows (a password or PIN), something the user has (a phone, smart card, or hardware token), or something the user is (a biometric). Two items from the same class, such as a password plus a security question, are not two factors.
GRC stands for Governance, Risk, and Compliance. It is generally used to refer to the business practice of centrally managing these related topics.
NIST is the United States National Institute of Standards and Technology. As a non-regulatory agency of the US Department of Commerce, NIST leads the US government’s development of standards for industry – including cybersecurity standards.
The NIST Cybersecurity Framework (NIST CSF) is a voluntary set of standards, guidelines, and practices that organizations can adopt to manage cyber risk. It is organized around core functions (Identify, Protect, Detect, Respond, and Recover) that cover the full lifecycle of preventing, detecting, and responding to cyber attacks.
The Payment Card Industry (PCI) is a moniker for the organizations that comprise the electronic payment systems facilitated via payment cards such as credit cards, debit cards, and some gift cards.
The PCI Data Security Standard (PCI DSS) is the payment card industry’s set of requirements on how companies must protect payment card information in their possession.
All companies that store, process, or transmit cardholder data from credit cards, debit cards, and some gift cards must comply with this standard. While most jurisdictions have not made PCI DSS compliance a legal obligation, contracts with acquiring banks and the card brands impose it worldwide on merchants and their service providers.
Service Organization Control (SOC) 2, now titled System and Organization Controls by the AICPA, is an attestation report produced by AICPA and CICA member firms for companies that provide services to other organizations. The report describes the nature of a company's controls and the auditor's assessment of whether they are designed (Type 1) and operating (Type 2) effectively. Most companies seek SOC 2 reports to satisfy their clients' concerns about how the confidentiality and integrity of data shared with the service provider will be maintained. Complyify helps companies design and meet their SOC 2 controls so they continually receive satisfactory reports from their assessors.
SOC 3 reports are a general-use derivative of a SOC 2 report: they omit the detailed control descriptions and test results, so they can be published freely. They are issued only to organizations that receive a satisfactory SOC 2 report free of exceptions, meaning they have demonstrated the ability to consistently and effectively deliver on their promises to customers. Complyify helps customers meet their SOC 2 obligations without exception,
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the U.S. Department of Health and Human Services (HHS) to develop regulations, now known as the Privacy Rule and the Security Rule, to protect the privacy and security of certain types of health information.