IT Compliance Acronym Glossary
This article is a reference resource for IT compliance and security. It is not professional advice. Consult professionals for guidance specific to your situation.
Compliance and security operate in an alphabet soup of acronyms. Your auditor asks about your SIEM and EDR posture. A customer requires SOC 2 Type 2 within your SLA. Your board asks about CISO hiring and you're not sure if they mean CMMC. Your risk assessment turned up CVEs that exceed your RTO. If you're new to compliance or security, or if you're moving between specialties, these acronyms can be a barrier to understanding the conversation.
This glossary is organized not alphabetically but by category, because understanding which acronyms belong together helps you make sense of the field. You'll find framework names, control types, tool categories, severity measures, and roles. Each acronym gets its expansion, a brief explanation of what it means, and context for when you'll encounter it.
Framework and Regulatory Acronyms
When people talk about compliance frameworks, they're referring to formal standards or regulations that define what your organization must do. SOC 2, which stands for System and Organization Controls 2, is a market-driven audit standard managed by the American Institute of Certified Public Accountants (AICPA) that verifies whether service organizations control customer data appropriately. It's what customers ask for when they want proof you protect their information.
HIPAA—the Health Insurance Portability and Accountability Act—is a U.S. federal law governing healthcare data. If you handle protected health information (PHI), HIPAA applies. It requires specific controls around privacy, security, and breach notification. If you're in healthcare or work with healthcare data, HIPAA is not optional.
PCI DSS stands for Payment Card Industry Data Security Standard. If you accept, process, or store credit card data, PCI DSS applies. Card networks (Visa, Mastercard, etc.) impose it contractually on merchants and service providers. Like HIPAA, it's mandatory if you handle the data it covers.
CMMC—the Cybersecurity Maturity Model Certification—is a defense contracting standard. If you work with the U.S. Department of Defense or are a subcontractor in the defense industrial base, you will need CMMC certification. It's becoming table stakes for defense contracts.
NIST stands for the National Institute of Standards and Technology, a U.S. government agency. When people refer to NIST in compliance contexts, they usually mean the NIST Cybersecurity Framework (CSF), which is guidance (not mandatory) on how to manage cybersecurity risk. It organizes security activities into the functions identify, protect, detect, respond, and recover. The NIST Cybersecurity Framework is increasingly referenced in regulations and executive orders.
ISO 27001 is an international standard for information security management systems. It's a general-purpose framework that any organization can pursue to demonstrate comprehensive information security governance. Unlike SOC 2, which is focused on customer trust, ISO 27001 is about building a formal information security program.
GDPR stands for General Data Protection Regulation. It's the European Union's privacy law, and it applies to any organization handling personal data of EU residents, regardless of where your organization is located. GDPR is about individual rights and organizational accountability for data handling.
Control and Technical Acronyms
MFA—multi-factor authentication—requires more than one method to prove who you are. Instead of just a password, you also provide a second factor like a code from an authenticator app, a hardware key, or a biometric. MFA is a foundational control that significantly reduces compromise risk.
EDR stands for Endpoint Detection and Response. It's software running on servers and workstations that logs all activity—processes, network connections, file changes—and sends that data to a security console for analysis. EDR lets you detect suspicious behavior and respond by isolating machines or killing malicious processes.
PAM is Privileged Access Management. It controls how administrators and service accounts access critical systems. Rather than having an administrator password that everyone knows, PAM enforces that privileged access goes through a gateway that logs all actions, verifies identity, and can restrict what actions are allowed. PAM is essential for controlling administrative risk.
RBAC stands for Role-Based Access Control. Instead of assigning permissions individually to each user, RBAC groups permissions into roles (like "database administrator" or "report reader") and assigns users to roles. A user can access what their role allows. This makes access control manageable at scale.
DLP is Data Loss Prevention. DLP tools monitor data in motion (being sent via email or cloud uploads) and at rest (stored on devices or servers) and can block or alert when sensitive data is being exfiltrated or mishandled. DLP is essential in regulated industries where preventing data leakage is a control requirement.
PKI stands for Public Key Infrastructure. It's the system that issues, stores, and verifies digital certificates that enable encryption and authentication. When two systems need to trust each other, PKI certificates are often how they verify identity.
BYOD means Bring Your Own Device. It refers to a policy that allows employees to use personal devices for work. BYOD creates security challenges around visibility and control, which is why it appears in compliance discussions.
Tool and Platform Acronyms
SIEM stands for Security Information and Event Management. It's a platform that aggregates logs from across your environment—firewalls, servers, applications, identity systems—normalizes them, and analyzes them for security patterns. A SIEM is your window into what's happening across your infrastructure, but it requires expertise to tune properly.
XDR is Extended Detection and Response. It's the evolution of SIEM—it unifies detection signals from endpoints, networks, cloud services, and applications into a single platform that can correlate events and automate response. XDR is more modern than SIEM but also more complex.
GRC stands for Governance, Risk, and Compliance. A GRC platform is software that manages your compliance program—control assessments, risk registers, audit workflows, policy management, and evidence collection. It's not a security tool in the traditional sense but an operational tool for running compliance.
SOAR is Security Orchestration, Automation, and Response. It's a platform that automates security response workflows. When your SIEM detects a suspicious login, SOAR can automatically revoke the user's token, disable their account, and kick off an investigation. SOAR reduces manual work in incident response.
WAF stands for Web Application Firewall. It's a security tool that sits in front of web applications and filters inbound traffic, blocking attacks like SQL injection and cross-site scripting before they reach your application code.
VPN—Virtual Private Network—creates an encrypted tunnel so that traffic from your device can route through a secure gateway. VPNs are commonly used to allow remote workers secure access to internal systems.
CASB is Cloud Access Security Broker. It sits between users and cloud services (like Salesforce or Microsoft 365) and monitors and controls how data is accessed. A CASB can prevent employees from sharing files with external parties or alert on unusual access patterns.
Severity and Impact Acronyms
CVE stands for Common Vulnerabilities and Exposures. It's a numbered identifier for known security flaws. An identifier such as CVE-2023-1234 refers to one specific vulnerability that researchers have publicly documented. When you hear that your systems have CVEs, it means you have known security flaws that need patching.
CVSS is the Common Vulnerability Scoring System. It's a standard way to score the severity of a vulnerability on a scale from 0 (no impact) to 10 (critical). A vulnerability might have a CVSS of 7.5 (high) or 5.2 (medium). CVSS helps prioritize which vulnerabilities to patch first, though it doesn't account for context—whether the vulnerability applies to you or how exposed the vulnerable system is.
MTTR stands for Mean Time To Repair or Mean Time To Respond. It's the average time from when you detect an incident to when you've remediated it. MTTR is a key metric for security operations—the goal is to keep it as low as possible.
RTO is Recovery Time Objective. It's the maximum time your organization can tolerate a system being down. If your RTO for your payment system is four hours, you must restore it within four hours or you breach your commitments. RTO drives recovery priority in a disaster.
RPO is Recovery Point Objective. It's the maximum amount of data loss you can tolerate. If your RPO is one hour, you must restore from a backup no more than one hour old. If your data is lost and the most recent backup is three hours old, you failed your RPO.
Organizational and Role Acronyms
CISO stands for Chief Information Security Officer. The CISO is the executive responsible for the organization's security program and typically reports to the CEO or CIO. Every organization of substantial size should have a CISO, though not all do.
vCISO stands for virtual Chief Information Security Officer. It's a fractional or outsourced CISO role—typically a consultant or external firm providing CISO-level guidance and accountability without being a full-time employee. Small and mid-market organizations often use a vCISO to get executive-level security leadership without the cost of a full-time hire.
CISM stands for Certified Information Security Manager. It's a professional certification managed by ISACA that verifies expertise in security management. Someone with a CISM has demonstrated knowledge of security strategy, risk management, and incident response.
CISSP is Certified Information Systems Security Professional. It's an industry-standard security certification managed by ISC² that requires both knowledge and practical experience. A CISSP holder has demonstrated deep security expertise across domains like access control, cryptography, and governance.
SOC stands for Security Operations Center. It's the team (or virtual team) that monitors your environment 24/7 for security incidents. A SOC watches your SIEM, investigates alerts, and responds to incidents. Organizations can have an internal SOC, use a managed SOC from a third-party provider (MSOC), or use a managed detection and response (MDR) provider.
CIO stands for Chief Information Officer. The CIO is the executive responsible for the entire IT function, including infrastructure, applications, and security. The CISO reports to the CIO in many organizations.
Technical Abbreviations in Context
IDS is Intrusion Detection System. It's a network security tool that monitors traffic for signs of attacks. When it detects something suspicious, it alerts a security team. An IDS is "passive"—it detects but doesn't block.
IPS is Intrusion Prevention System. It's the active version of IDS—it not only detects attacks but also blocks them automatically. Many modern firewalls include IPS capabilities.
VPC stands for Virtual Private Cloud. It's a network boundary in cloud environments (like AWS or Azure) where you provision virtual machines and other resources. Understanding VPCs is important for cloud security because they define network isolation.
IAM stands for Identity and Access Management. It's the systems and processes that verify who you are (authentication) and what you're allowed to do (authorization). IAM is foundational to security—weak IAM is why most breaches happen.
SSO stands for Single Sign-On. It's an authentication system that allows you to log in once and then access multiple applications without re-authenticating. Okta and Ping are common SSO platforms.
Using This Glossary
This glossary is meant to be searchable when you encounter unfamiliar acronyms. When someone mentions CVSS scores or asks about CASB deployment, you can look up what the acronym means and understand the context. Most of these acronyms appear throughout compliance and security conversations, and knowing what they stand for and what problem they solve puts you on equal footing in technical discussions.
Fully Compliance provides educational content about IT compliance and security terminology. Standards and tools evolve—consult qualified professionals for current guidance on specific implementations.