[{"data":1,"prerenderedAt":14682},["ShallowReactive",2],{"glossary":3},[4,243,429,995,1186,1428,1674,1955,2183,2443,2641,2853,2975,3098,3255,3861,4067,4304,4423,4968,5095,5624,5756,5877,5998,6088,6225,6372,6500,6687,6944,7198,7406,7693,7844,8014,8160,8332,8566,8790,8999,9141,9741,9920,10055,10178,10366,10562,10765,10972,11185,11369,11495,11610,11841,12045,12654,12861,13059,13267,13483,13717,13938,14164,14310,14472],{"id":5,"title":6,"body":7,"description":211,"extension":224,"lastUpdated":225,"meta":226,"navigation":227,"path":228,"relatedFrameworks":229,"relatedTerms":232,"seo":237,"slug":240,"stem":241,"term":14,"__hash__":242},"glossary\u002F8.glossary\u002Fcontrol-objectives.md","Control Objectives",{"type":8,"value":9,"toc":210},"minimark",[10,15,19,24,27,56,60,63,78,81,85,88,120,124,127,147,151,154,187,190,194,197,201],[11,12,14],"h2",{"id":13},"what-are-control-objectives","What are Control Objectives?",[16,17,18],"p",{},"Control objectives are the specific goals or outcomes that a security control is designed to achieve. They define what a control should accomplish rather than how it should be implemented. Control objectives serve as the bridge between high-level security requirements and the specific controls an organization puts in place.",[20,21,23],"h3",{"id":22},"what-role-do-control-objectives-play-in-compliance-frameworks","What role do control objectives play in compliance frameworks?",[16,25,26],{},"Control objectives appear across multiple compliance frameworks:",[28,29,30,38,44,50],"ul",{},[31,32,33,37],"li",{},[34,35,36],"strong",{},"SOC 2"," — control objectives are aligned to Trust Services Criteria points. Each criterion defines an objective, and the organization implements controls to meet that objective.",[31,39,40,43],{},[34,41,42],{},"ISO 27001"," — Annex A contains control objectives organized into categories such as access control, cryptography, and operations security. 
Each objective has one or more associated controls.",[31,45,46,49],{},[34,47,48],{},"PCI DSS"," — requirements are organized around objectives like protecting cardholder data, maintaining secure systems, and implementing access controls.",[31,51,52,55],{},[34,53,54],{},"NIST CSF"," — functions (Identify, Protect, Detect, Respond, Recover) represent high-level objectives, with categories and subcategories providing more specific objectives.",[20,57,59],{"id":58},"what-is-the-difference-between-control-objectives-and-controls","What is the difference between control objectives and controls?",[16,61,62],{},"It is important to distinguish between control objectives and the controls themselves:",[28,64,65,72],{},[31,66,67,68,71],{},"A ",[34,69,70],{},"control objective"," states the desired outcome (e.g., \"ensure that access to systems is restricted to authorized users\")",[31,73,67,74,77],{},[34,75,76],{},"control"," is the specific mechanism that achieves the objective (e.g., \"multi-factor authentication is required for all user logins\")",[16,79,80],{},"Multiple controls may support a single objective, and a single control may contribute to multiple objectives. 
This many-to-many relationship is why control mapping is essential for compliance management.",[20,82,84],{"id":83},"how-do-you-write-effective-control-objectives","How do you write effective control objectives?",[16,86,87],{},"Well-written control objectives share several characteristics:",[28,89,90,96,102,108,114],{},[31,91,92,95],{},[34,93,94],{},"Specific"," — clearly state what should be achieved without ambiguity",[31,97,98,101],{},[34,99,100],{},"Measurable"," — define success in terms that can be tested or verified",[31,103,104,107],{},[34,105,106],{},"Aligned to risk"," — address identified risks and threats relevant to the organization",[31,109,110,113],{},[34,111,112],{},"Framework-referenced"," — map to applicable regulatory or framework requirements",[31,115,116,119],{},[34,117,118],{},"Outcome-focused"," — describe the desired state rather than prescribing implementation details",[20,121,123],{"id":122},"what-are-examples-of-control-objectives","What are examples of control objectives?",[16,125,126],{},"Common control objectives include:",[28,128,129,132,135,138,141,144],{},[31,130,131],{},"Access to production systems is restricted to authorized personnel based on job function",[31,133,134],{},"Changes to production systems follow an approved change management process",[31,136,137],{},"Security events are logged, monitored, and responded to in a timely manner",[31,139,140],{},"Sensitive data is encrypted in transit and at rest",[31,142,143],{},"Employees receive security awareness training upon hire and annually thereafter",[31,145,146],{},"Vendor security is assessed before engagement and periodically during the relationship",[20,148,150],{"id":149},"how-do-you-map-controls-to-objectives","How do you map controls to objectives?",[16,152,153],{},"The process of mapping controls to objectives involves:",[155,156,157,163,169,175,181],"ol",{},[31,158,159,162],{},[34,160,161],{},"Identify applicable objectives"," — determine which control objectives are 
relevant based on your framework scope and risk assessment",[31,164,165,168],{},[34,166,167],{},"Inventory existing controls"," — document current controls, processes, and tools",[31,170,171,174],{},[34,172,173],{},"Map controls to objectives"," — link each control to the objectives it supports",[31,176,177,180],{},[34,178,179],{},"Identify gaps"," — find objectives that lack sufficient supporting controls",[31,182,183,186],{},[34,184,185],{},"Implement new controls"," — design and deploy controls to close identified gaps",[16,188,189],{},"This mapping exercise is fundamental to audit preparation and demonstrates to auditors that your control environment is comprehensive and well-organized.",[20,191,193],{"id":192},"why-do-control-objectives-matter","Why do control objectives matter?",[16,195,196],{},"Control objectives provide structure and purpose to a compliance program. Without clear objectives, organizations risk implementing controls haphazardly — either missing critical areas or over-investing in low-risk areas. Well-defined objectives ensure that every control exists for a reason and contributes to the overall security posture.",[20,198,200],{"id":199},"how-does-episki-help-with-control-objectives","How does episki help with control objectives?",[16,202,203,204,209],{},"episki provides pre-defined control objectives mapped to SOC 2, ISO 27001, and other frameworks. The platform lets you link your controls to objectives, visualize coverage, and identify gaps. When auditors review your program, the objective-to-control mapping demonstrates a mature, structured approach. 
Learn more on our ",[205,206,208],"a",{"href":207},"\u002Fframeworks","compliance platform",".",{"title":211,"searchDepth":212,"depth":212,"links":213},"",2,[214],{"id":13,"depth":212,"text":14,"children":215},[216,218,219,220,221,222,223],{"id":22,"depth":217,"text":23},3,{"id":58,"depth":217,"text":59},{"id":83,"depth":217,"text":84},{"id":122,"depth":217,"text":123},{"id":149,"depth":217,"text":150},{"id":192,"depth":217,"text":193},{"id":199,"depth":217,"text":200},"md","2026-04-16",{},true,"\u002Fglossary\u002Fcontrol-objectives",[230,231],"soc2","iso27001",[233,234,235,236],"trust-services-criteria","control-framework","annex-a","statement-of-applicability",{"title":238,"description":239},"What are Control Objectives? Definition & Compliance Guide","Control objectives define the specific goals a security control is designed to achieve. Learn how they apply across SOC 2, ISO 27001, and other frameworks.","control-objectives","8.glossary\u002Fcontrol-objectives","SpnIlD6HDVFEkmxROjZuChf2JX-l2Yxt87Vg5QUxGAg",{"id":244,"title":245,"body":246,"description":211,"extension":224,"lastUpdated":225,"meta":418,"navigation":227,"path":419,"relatedFrameworks":420,"relatedTerms":421,"seo":423,"slug":426,"stem":427,"term":251,"__hash__":428},"glossary\u002F8.glossary\u002Fuser-entity-controls.md","User Entity Controls",{"type":8,"value":247,"toc":407},[248,252,255,259,262,265,269,272,310,314,317,320,324,327,353,357,360,386,390,393,396,400],[11,249,251],{"id":250},"what-are-user-entity-controls","What are User Entity Controls?",[16,253,254],{},"User entity controls (UECs) are controls that a service organization expects its customers (user entities) to implement in order for the service organization's own controls to function effectively. 
They represent the shared responsibility between a service provider and its customers within a SOC 2 or SOC 1 reporting framework.",[20,256,258],{"id":257},"why-do-user-entity-controls-exist","Why do user entity controls exist?",[16,260,261],{},"No service organization operates in complete isolation. The security of a system depends not only on the provider's controls but also on how customers use the service. For example, a SaaS platform may enforce role-based access control, but if the customer assigns administrator privileges to every employee, the control environment breaks down.",[16,263,264],{},"UECs acknowledge this shared responsibility by explicitly listing what the customer must do on their end.",[20,266,268],{"id":267},"what-are-common-examples-of-uecs","What are common examples of UECs?",[16,270,271],{},"User entity controls frequently address:",[28,273,274,280,286,292,298,304],{},[31,275,276,279],{},[34,277,278],{},"Access management"," — customers are responsible for managing their own user accounts, including timely deactivation when employees leave",[31,281,282,285],{},[34,283,284],{},"Password policies"," — customers should enforce strong password requirements for their users",[31,287,288,291],{},[34,289,290],{},"Data handling"," — customers must classify and protect sensitive data according to their own policies before sharing it with the service provider",[31,293,294,297],{},[34,295,296],{},"Configuration management"," — customers are responsible for properly configuring security settings within the platform",[31,299,300,303],{},[34,301,302],{},"Monitoring"," — customers should review audit logs and activity reports provided by the service organization",[31,305,306,309],{},[34,307,308],{},"Incident reporting"," — customers should promptly report suspected security incidents to the service provider",[20,311,313],{"id":312},"where-do-user-entity-controls-appear-in-soc-2-reports","Where do user entity controls appear in SOC 2 
reports?",[16,315,316],{},"UECs are documented in the service organization's SOC 2 report, typically in a section titled \"Complementary User Entity Controls\" or similar. The service auditor includes these to clarify the boundaries of the service organization's control environment.",[16,318,319],{},"When a customer reads a SOC 2 report, they should pay close attention to the UECs section. If the customer is not implementing these controls, the overall assurance provided by the SOC 2 report is diminished.",[20,321,323],{"id":322},"what-are-the-service-organization-responsibilities-for-uecs","What are the service organization responsibilities for UECs?",[16,325,326],{},"Service organizations should:",[28,328,329,335,341,347],{},[31,330,331,334],{},[34,332,333],{},"Clearly define UECs"," — be specific about what customers need to do, avoiding vague or overly broad statements",[31,336,337,340],{},[34,338,339],{},"Communicate UECs to customers"," — proactively share UEC expectations during onboarding and in security documentation",[31,342,343,346],{},[34,344,345],{},"Provide enablement"," — offer tools, configurations, and documentation that make it easy for customers to implement UECs",[31,348,349,352],{},[34,350,351],{},"Review regularly"," — update UECs as the platform evolves and new features or risks emerge",[20,354,356],{"id":355},"what-are-the-user-entity-responsibilities-for-uecs","What are the user entity responsibilities for UECs?",[16,358,359],{},"Customers who receive SOC 2 reports from their vendors should:",[28,361,362,368,374,380],{},[31,363,364,367],{},[34,365,366],{},"Review the UECs section"," — understand what controls they are expected to implement",[31,369,370,373],{},[34,371,372],{},"Assess their own compliance"," — verify that their internal processes satisfy the stated UECs",[31,375,376,379],{},[34,377,378],{},"Document their controls"," — if the customer is also subject to audits, demonstrate that vendor UECs are 
addressed",[31,381,382,385],{},[34,383,384],{},"Follow up on gaps"," — if a UEC cannot be met, discuss alternative mitigations with the service provider",[20,387,389],{"id":388},"how-do-uecs-relate-to-the-shared-responsibility-model","How do UECs relate to the shared responsibility model?",[16,391,392],{},"The concept of user entity controls aligns closely with the shared responsibility model popularized by cloud providers. Just as AWS or Azure define which security responsibilities belong to the provider and which belong to the customer, UECs in a SOC 2 report define the same boundary for any service organization.",[16,394,395],{},"Understanding and implementing UECs is critical for organizations that rely on third-party services and want to maintain a robust security posture.",[20,397,399],{"id":398},"how-does-episki-help-with-user-entity-controls","How does episki help with user entity controls?",[16,401,402,403,209],{},"episki helps service organizations define and document user entity controls as part of their compliance program. For customers evaluating vendors, episki tracks which UECs apply to each vendor relationship and monitors whether your internal controls satisfy those requirements. Learn more on our ",[205,404,406],{"href":405},"\u002Fframeworks\u002Fsoc2","SOC 2 compliance page",{"title":211,"searchDepth":212,"depth":212,"links":408},[409],{"id":250,"depth":212,"text":251,"children":410},[411,412,413,414,415,416,417],{"id":257,"depth":217,"text":258},{"id":267,"depth":217,"text":268},{"id":312,"depth":217,"text":313},{"id":322,"depth":217,"text":323},{"id":355,"depth":217,"text":356},{"id":388,"depth":217,"text":389},{"id":398,"depth":217,"text":399},{},"\u002Fglossary\u002Fuser-entity-controls",[230],[230,422,240,233],"soc2-type-2",{"title":424,"description":425},"What are User Entity Controls? 
Definition & Compliance Guide","User entity controls (UECs) are controls that a service organization's customers must implement for the overall control environment to be effective.","user-entity-controls","8.glossary\u002Fuser-entity-controls","32EB6hy0vFvSbHlg-xETyvmzqRW8AopUI9_EGmafvAU",{"id":430,"title":431,"body":432,"description":211,"extension":224,"lastUpdated":225,"meta":979,"navigation":227,"path":980,"relatedFrameworks":981,"relatedTerms":986,"seo":989,"slug":992,"stem":993,"term":437,"__hash__":994},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":433,"toc":965},[434,438,441,445,448,474,478,484,490,496,502,506,509,515,532,538,552,558,569,573,576,628,632,635,649,653,656,679,683,686,735,739,742,862,865,868,897,901,907,910,947,950,953,956,960],[11,435,437],{"id":436},"what-is-access-control","What is Access Control?",[16,439,440],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[20,442,444],{"id":443},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[16,446,447],{},"Access control is built on several foundational principles:",[28,449,450,456,462,468],{},[31,451,452,455],{},[34,453,454],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[31,457,458,461],{},[34,459,460],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[31,463,464,467],{},[34,465,466],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[31,469,470,473],{},[34,471,472],{},"Default deny"," — access is denied by default unless explicitly granted",[20,475,477],{"id":476},"what-are-the-types-of-access-control","What are the types of access control?",[16,479,480,483],{},[34,481,482],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,485,486,489],{},[34,487,488],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,491,492,495],{},[34,493,494],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[16,497,498,501],{},[34,499,500],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[20,503,505],{"id":504},"what-are-access-control-components","What are access control components?",[16,507,508],{},"A complete access control program addresses:",[16,510,511,514],{},[34,512,513],{},"Authentication"," — verifying the identity of users:",[28,516,517,520,523,526,529],{},[31,518,519],{},"Passwords and passphrases",[31,521,522],{},"Multi-factor authentication (MFA)",[31,524,525],{},"Single sign-on (SSO)",[31,527,528],{},"Biometric authentication",[31,530,531],{},"Certificate-based authentication",[16,533,534,537],{},[34,535,536],{},"Authorization"," — determining what authenticated users can do:",[28,539,540,543,546,549],{},[31,541,542],{},"Permission assignments",[31,544,545],{},"Role definitions",[31,547,548],{},"Access control lists",[31,550,551],{},"Policy enforcement points",[16,553,554,557],{},[34,555,556],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[28,559,560,563,566],{},[31,561,562],{},"Provisioning (granting access when hired or role changes)",[31,564,565],{},"Review (periodic access certification)",[31,567,568],{},"Deprovisioning (revoking access upon termination or role change)",[20,570,572],{"id":571},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[16,574,575],{},"Every major framework requires access control:",[28,577,578,585,598,612,620],{},[31,579,580,584],{},[34,581,582],{},[205,583,36],{"href":405}," — CC6.1 through CC6.8 cover logical and physical access controls",[31,586,587,592,593,597],{},[34,588,589],{},[205,590,42],{"href":591},"\u002Fframeworks\u002Fiso27001"," — ",[205,594,596],{"href":595},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[31,599,600,606,607,611],{},[34,601,602],{},[205,603,605],{"href":604},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the 
",[205,608,610],{"href":609},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[31,613,614,619],{},[34,615,616],{},[205,617,48],{"href":618},"\u002Fframeworks\u002Fpci"," — Requirements 7 and 8 address access restriction and user identification",[31,621,622,627],{},[34,623,624],{},[205,625,54],{"href":626},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[20,629,631],{"id":630},"what-are-access-reviews","What are access reviews?",[16,633,634],{},"Regular access reviews (also called access certifications) are a critical control:",[28,636,637,640,643,646],{},[31,638,639],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[31,641,642],{},"Verify that access aligns with current job responsibilities",[31,644,645],{},"Identify and remove excessive or unnecessary access",[31,647,648],{},"Document review results and remediation actions",[20,650,652],{"id":651},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[16,654,655],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[28,657,658,661,664,667,670,673,676],{},[31,659,660],{},"Excessive permissions that accumulate over time (privilege creep)",[31,662,663],{},"Shared or generic accounts that prevent individual accountability",[31,665,666],{},"Delayed deprovisioning when employees leave or change roles",[31,668,669],{},"Lack of MFA on critical systems and remote access paths",[31,671,672],{},"Inconsistent access review processes with no documented remediation",[31,674,675],{},"Service accounts with standing privileged access and no rotation schedule",[31,677,678],{},"Lack of visibility into SaaS application access outside the corporate IdP",[20,680,682],{"id":681},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[16,684,685],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[155,687,688,694,700,706,712,718,729],{},[31,689,690,693],{},[34,691,692],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[31,695,696,699],{},[34,697,698],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[31,701,702,705],{},[34,703,704],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[31,707,708,711],{},[34,709,710],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[31,713,714,717],{},[34,715,716],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[31,719,720,723,724,728],{},[34,721,722],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[205,725,727],{"href":726},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[31,730,731,734],{},[34,732,733],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[20,736,738],{"id":737},"what-are-the-access-control-requirements","What are the access control requirements?",[16,740,741],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[743,744,745,765],"table",{},[746,747,748],"thead",{},[749,750,751,755,757,759,761,763],"tr",{},[752,753,754],"th",{},"Requirement",[752,756,36],{},[752,758,42],{},[752,760,605],{},[752,762,48],{},[752,764,54],{},[766,767,768,789,808,828,845],"tbody",{},[749,769,770,774,777,780,783,786],{},[771,772,773],"td",{},"Unique user IDs",[771,775,776],{},"CC6.1",[771,778,779],{},"A.5.16",[771,781,782],{},"§164.312(a)(2)(i)",[771,784,785],{},"Req 8.2.1",[771,787,788],{},"PR.AC-1",[749,790,791,794,796,799,802,805],{},[771,792,793],{},"MFA",[771,795,776],{},[771,797,798],{},"A.8.5",[771,800,801],{},"Addressable",[771,803,804],{},"Req 8.4",[771,806,807],{},"PR.AC-7",[749,809,810,813,816,819,822,825],{},[771,811,812],{},"Access reviews",[771,814,815],{},"CC6.2",[771,817,818],{},"A.5.18",[771,820,821],{},"§164.312(a)(1)",[771,823,824],{},"Req 7.2",[771,826,827],{},"PR.AC-4",[749,829,830,832,835,838,840,843],{},[771,831,454],{},[771,833,834],{},"CC6.3",[771,836,837],{},"A.5.15",[771,839,821],{},[771,841,842],{},"Req 7.1",[771,844,827],{},[749,846,847,850,852,854,857,860],{},[771,848,849],{},"Deprovisioning",[771,851,815],{},[771,853,818],{},[771,855,856],{},"§164.312(a)(2)(ii)",[771,858,859],{},"Req 8.2.6",[771,861,788],{},[16,863,864],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,866,867],{},"A few notes on framework-specific nuances:",[28,869,870,875,883,890],{},[31,871,872,874],{},[34,873,605],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[31,876,877,882],{},[34,878,879,881],{},[205,880,48],{"href":618}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[31,884,885,889],{},[34,886,887],{},[205,888,36],{"href":405}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[31,891,892,896],{},[34,893,894],{},[205,895,54],{"href":626}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[20,898,900],{"id":899},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[16,902,903,904,209],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[34,905,906],{},"never trust, always verify",[16,908,909],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[28,911,912,918,924,935,941],{},[31,913,914,917],{},[34,915,916],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[31,919,920,923],{},[34,921,922],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[31,925,926,929,930,934],{},[34,927,928],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[205,931,933],{"href":932},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[31,936,937,940],{},[34,938,939],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[31,942,943,946],{},[34,944,945],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,948,949],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,951,952],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,954,955],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[20,957,959],{"id":958},"how-does-episki-help-with-access-control","How does episki help with access control?",[16,961,962,963,209],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[205,964,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":966},[967],{"id":436,"depth":212,"text":437,"children":968},[969,970,971,972,973,974,975,976,977,978],{"id":443,"depth":217,"text":444},{"id":476,"depth":217,"text":477},{"id":504,"depth":217,"text":505},{"id":571,"depth":217,"text":572},{"id":630,"depth":217,"text":631},{"id":651,"depth":217,"text":652},{"id":681,"depth":217,"text":682},{"id":737,"depth":217,"text":738},{"id":899,"depth":217,"text":900},{"id":958,"depth":217,"text":959},{},"\u002Fglossary\u002Faccess-control",[982,230,231,983,984,985],"cmmc","hipaa","pci","nistcsf",[987,988,933,426],"minimum-necessary-rule","audit-trail",{"title":990,"description":991},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":996,"title":997,"body":998,"description":211,"extension":224,"lastUpdated":225,"meta":1171,"navigation":227,"path":1172,"relatedFrameworks":1173,"relatedTerms":1174,"seo":1180,"slug":1183,"stem":1184,"term":1003,"__hash__":1185},"glossary\u002F8.glossary\u002Fbreach-notification.md","Breach Notification",{"type":8,"value":999,"toc":1161},[1000,1004,1007,1011,1014,1040,1044,1050,1061,1067,1075,1081,1087,1091,1094,1105,1109,1112,1144,1148,1151,1155],[11,1001,1003],{"id":1002},"what-is-breach-notification","What is Breach Notification?",[16,1005,1006],{},"Breach notification is the process of informing affected individuals, regulatory authorities, and in some cases the media when a breach of Protected Health Information (PHI) occurs. Under HIPAA, the Breach Notification Rule (established by the HITECH Act and finalized in the 2013 Omnibus Rule) sets specific requirements for when and how notifications must be made.",[20,1008,1010],{"id":1009},"what-constitutes-a-breach","What constitutes a breach?",[16,1012,1013],{},"Under HIPAA, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. 
There is a presumption that any impermissible use or disclosure is a breach unless the organization can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment:",[155,1015,1016,1022,1028,1034],{},[31,1017,1018,1021],{},[34,1019,1020],{},"Nature and extent of PHI"," — what types of identifiers and information were involved, and the likelihood of re-identification",[31,1023,1024,1027],{},[34,1025,1026],{},"Unauthorized person"," — who impermissibly used or received the PHI",[31,1029,1030,1033],{},[34,1031,1032],{},"Whether PHI was actually acquired or viewed"," — as opposed to merely being accessible",[31,1035,1036,1039],{},[34,1037,1038],{},"Extent of risk mitigation"," — what steps were taken to reduce the risk of harm",[20,1041,1043],{"id":1042},"what-are-the-notification-requirements","What are the notification requirements?",[16,1045,1046,1049],{},[34,1047,1048],{},"Individual notification"," — covered entities must notify each affected individual whose PHI was breached. Notification must be:",[28,1051,1052,1055,1058],{},[31,1053,1054],{},"In writing, sent by first-class mail (or email if the individual has agreed to electronic communication)",[31,1056,1057],{},"Provided without unreasonable delay and no later than 60 calendar days after discovery of the breach — a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the organization, so the clock does not wait for the investigation to conclude",[31,1059,1060],{},"Inclusive of a description of the breach, types of information involved, steps individuals should take, what the organization is doing in response, and contact information",[16,1062,1063,1066],{},[34,1064,1065],{},"HHS notification"," — covered entities must notify the Department of Health and Human Services:",[28,1068,1069,1072],{},[31,1070,1071],{},"For breaches affecting 500 or more individuals: notification must occur without unreasonable delay and no later than 60 days after discovery (concurrent with individual notice), and these breaches are posted on the HHS \"Wall of Shame\"",[31,1073,1074],{},"For breaches affecting fewer than 500 individuals: the breach must be logged and reported to HHS no later than 60 days after the end of the calendar year in which it was discovered",[16,1076,1077,1080],{},[34,1078,1079],{},"Media notification"," — for breaches affecting 500 
or more individuals in a single state or jurisdiction, the covered entity must notify prominent media outlets in that area within 60 days.",[16,1082,1083,1086],{},[34,1084,1085],{},"Business associate notification"," — business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery (business associate agreements frequently impose a shorter contractual deadline). The covered entity is then responsible for individual, HHS, and media notifications.",[20,1088,1090],{"id":1089},"what-are-the-exceptions-to-breach-notification","What are the exceptions to breach notification?",[16,1092,1093],{},"Three narrow exceptions exist where an impermissible disclosure does not require notification:",[28,1095,1096,1099,1102],{},[31,1097,1098],{},"Unintentional access by a workforce member acting in good faith within the scope of their authority, provided the PHI is not further used or disclosed impermissibly",[31,1100,1101],{},"Inadvertent disclosure between persons authorized to access PHI at the same covered entity or business associate, provided the PHI is not further used or disclosed impermissibly",[31,1103,1104],{},"The recipient would not reasonably be able to retain the information",[20,1106,1108],{"id":1107},"how-do-you-prepare-for-breach-notification","How do you prepare for breach notification?",[16,1110,1111],{},"Organizations should prepare before a breach occurs by:",[28,1113,1114,1120,1126,1132,1138],{},[31,1115,1116,1119],{},[34,1117,1118],{},"Developing a breach response plan"," — defining roles, responsibilities, and procedures for breach investigation and notification",[31,1121,1122,1125],{},[34,1123,1124],{},"Establishing an incident response team"," — identifying who will lead the response, including legal counsel, communications, IT, and compliance",[31,1127,1128,1131],{},[34,1129,1130],{},"Creating notification templates"," — pre-drafting notification letters that can be customized quickly",[31,1133,1134,1137],{},[34,1135,1136],{},"Training workforce members"," — ensuring employees know how to recognize and report potential breaches",[31,1139,1140,1143],{},[34,1141,1142],{},"Maintaining contact information"," — keeping current 
contact information for affected individuals",[20,1145,1147],{"id":1146},"what-are-the-penalties-for-failing-to-notify","What are the penalties for failing to notify?",[16,1149,1150],{},"Failure to provide timely breach notification can result in additional HIPAA penalties on top of penalties for the underlying breach. The tiered penalty structure applies, with willful neglect to notify carrying the highest fines.",[20,1152,1154],{"id":1153},"how-does-episki-help-with-breach-notification","How does episki help with breach notification?",[16,1156,1157,1158,209],{},"episki provides breach notification workflows that guide your team through the investigation, risk assessment, and notification process. The platform tracks timelines to ensure notifications are made within HIPAA-required deadlines and maintains documentation of all breach-related activities. Learn more on our ",[205,1159,1160],{"href":604},"HIPAA compliance page",{"title":211,"searchDepth":212,"depth":212,"links":1162},[1163],{"id":1002,"depth":212,"text":1003,"children":1164},[1165,1166,1167,1168,1169,1170],{"id":1009,"depth":217,"text":1010},{"id":1042,"depth":217,"text":1043},{"id":1089,"depth":217,"text":1090},{"id":1107,"depth":217,"text":1108},{"id":1146,"depth":217,"text":1147},{"id":1153,"depth":217,"text":1154},{},"\u002Fglossary\u002Fbreach-notification",[983],[983,1175,1176,1177,1178,1179],"phi","hitech","covered-entity","business-associate","incident-response",{"title":1181,"description":1182},"What is Breach Notification? Definition & Compliance Guide","Breach notification under HIPAA requires organizations to notify individuals, HHS, and sometimes media when unsecured PHI is compromised. 
Learn the requirements.","breach-notification","8.glossary\u002Fbreach-notification","qeNCf-qPOFSLtufu4BSsGwe8IoM3trMyih-AmXa0E2k",{"id":1187,"title":1188,"body":1189,"description":211,"extension":224,"lastUpdated":225,"meta":1415,"navigation":227,"path":1416,"relatedFrameworks":1417,"relatedTerms":1418,"seo":1422,"slug":1425,"stem":1426,"term":1194,"__hash__":1427},"glossary\u002F8.glossary\u002Fbusiness-continuity.md","Business Continuity",{"type":8,"value":1190,"toc":1405},[1191,1195,1198,1202,1205,1219,1222,1226,1232,1243,1249,1266,1272,1289,1295,1312,1316,1339,1343,1346,1372,1375,1379,1396,1400],[11,1192,1194],{"id":1193},"what-is-business-continuity","What is Business Continuity?",[16,1196,1197],{},"Business continuity is the capability of an organization to continue delivering products and services at acceptable predefined levels following a disruptive incident. A business continuity plan (BCP) documents the procedures and resources needed to maintain operations during and after events such as natural disasters, cyberattacks, pandemics, infrastructure failures, or supply chain disruptions.",[20,1199,1201],{"id":1200},"what-is-the-difference-between-business-continuity-and-disaster-recovery","What is the difference between business continuity and disaster recovery?",[16,1203,1204],{},"While often discussed together, business continuity and disaster recovery serve different purposes:",[28,1206,1207,1213],{},[31,1208,1209,1212],{},[34,1210,1211],{},"Business continuity"," focuses on maintaining overall business operations — it encompasses people, processes, facilities, and technology",[31,1214,1215,1218],{},[34,1216,1217],{},"Disaster recovery"," focuses specifically on restoring IT systems and data after a disruption",[16,1220,1221],{},"Disaster recovery is a subset of business continuity. 
A comprehensive business continuity program includes disaster recovery as one of its components.",[20,1223,1225],{"id":1224},"what-are-the-components-of-a-business-continuity-plan","What are the components of a business continuity plan?",[16,1227,1228,1231],{},[34,1229,1230],{},"Business Impact Analysis (BIA)"," — identifies critical business functions, the impact of disrupting them, and the maximum tolerable downtime:",[28,1233,1234,1237,1240],{},[31,1235,1236],{},"Recovery Time Objective (RTO) — the maximum acceptable time to restore a function",[31,1238,1239],{},"Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time",[31,1241,1242],{},"Maximum Tolerable Period of Disruption (MTPD) — the longest the business can survive without the function",[16,1244,1245,1248],{},[34,1246,1247],{},"Risk assessment"," — identifies threats that could disrupt operations and evaluates their likelihood and impact:",[28,1250,1251,1254,1257,1260,1263],{},[31,1252,1253],{},"Natural disasters (earthquakes, floods, severe weather)",[31,1255,1256],{},"Technology failures (hardware failure, software bugs, network outages)",[31,1258,1259],{},"Cyber incidents (ransomware, DDoS attacks, data breaches)",[31,1261,1262],{},"Human factors (key personnel loss, labor disputes)",[31,1264,1265],{},"Supply chain disruptions (vendor failures, logistics breakdowns)",[16,1267,1268,1271],{},[34,1269,1270],{},"Recovery strategies"," — defines how critical functions will be maintained or restored:",[28,1273,1274,1277,1280,1283,1286],{},[31,1275,1276],{},"Alternative work locations or remote work capabilities",[31,1278,1279],{},"Redundant systems and infrastructure",[31,1281,1282],{},"Manual workaround procedures",[31,1284,1285],{},"Third-party recovery services",[31,1287,1288],{},"Communication plans for employees, customers, and stakeholders",[16,1290,1291,1294],{},[34,1292,1293],{},"Plan documentation"," — the written BCP 
includes:",[28,1296,1297,1300,1303,1306,1309],{},[31,1298,1299],{},"Roles and responsibilities",[31,1301,1302],{},"Contact information for key personnel and vendors",[31,1304,1305],{},"Step-by-step recovery procedures for each critical function",[31,1307,1308],{},"Resource requirements",[31,1310,1311],{},"Communication templates",[20,1313,1315],{"id":1314},"how-do-compliance-frameworks-address-business-continuity","How do compliance frameworks address business continuity?",[28,1317,1318,1323,1328,1333],{},[31,1319,1320,1322],{},[34,1321,42],{}," — control A.5.29 addresses information security during disruption, and A.5.30 addresses ICT readiness for business continuity",[31,1324,1325,1327],{},[34,1326,54],{}," — the Recover function (RC) addresses recovery planning, improvements, and communications",[31,1329,1330,1332],{},[34,1331,36],{}," — the Availability criterion addresses system uptime and recovery capabilities",[31,1334,1335,1338],{},[34,1336,1337],{},"ISO 22301"," — the dedicated international standard for business continuity management systems",[20,1340,1342],{"id":1341},"how-do-you-test-a-business-continuity-plan","How do you test a business continuity plan?",[16,1344,1345],{},"A business continuity plan that has not been tested is unreliable. 
Testing approaches include:",[28,1347,1348,1354,1360,1366],{},[31,1349,1350,1353],{},[34,1351,1352],{},"Tabletop exercises"," — team discussions walking through scenarios",[31,1355,1356,1359],{},[34,1357,1358],{},"Structured walkthroughs"," — step-by-step review of procedures with assigned teams",[31,1361,1362,1365],{},[34,1363,1364],{},"Simulation tests"," — practicing response to a simulated disruption",[31,1367,1368,1371],{},[34,1369,1370],{},"Full interruption tests"," — actually activating recovery procedures (highest assurance but most disruptive)",[16,1373,1374],{},"Testing should occur at least annually and after significant changes to the business or infrastructure.",[20,1376,1378],{"id":1377},"what-are-common-pitfalls-with-business-continuity","What are common pitfalls with business continuity?",[28,1380,1381,1384,1387,1390,1393],{},[31,1382,1383],{},"BCP exists on paper but is never tested or updated",[31,1385,1386],{},"Critical dependencies on single points of failure are not identified",[31,1388,1389],{},"Communication plans do not account for the disruption itself (e.g., email is down)",[31,1391,1392],{},"Key personnel are not trained on their BCP responsibilities",[31,1394,1395],{},"The plan does not keep pace with business changes",[20,1397,1399],{"id":1398},"how-does-episki-help-with-business-continuity","How does episki help with business continuity?",[16,1401,1402,1403,209],{},"episki helps organizations document their business continuity plans, schedule and track testing exercises, and maintain evidence of BCP activities for auditors. The platform links BCP activities to ISO 27001 and NIST CSF requirements. 
Learn more on our ",[205,1404,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":1406},[1407],{"id":1193,"depth":212,"text":1194,"children":1408},[1409,1410,1411,1412,1413,1414],{"id":1200,"depth":217,"text":1201},{"id":1224,"depth":217,"text":1225},{"id":1314,"depth":217,"text":1315},{"id":1341,"depth":217,"text":1342},{"id":1377,"depth":217,"text":1378},{"id":1398,"depth":217,"text":1399},{},"\u002Fglossary\u002Fbusiness-continuity",[231,985],[1419,1179,1420,1421],"disaster-recovery","risk-register","risk-treatment-plan",{"title":1423,"description":1424},"What is Business Continuity? Definition & Compliance Guide","Business continuity planning ensures an organization can maintain essential operations during and after a disruptive event. Learn the key components and frameworks.","business-continuity","8.glossary\u002Fbusiness-continuity","dyPU67gMtqXpCCrubDS7MtzzpZM4MS8zudQDFFznv_U",{"id":1429,"title":1430,"body":1431,"description":211,"extension":224,"lastUpdated":225,"meta":1663,"navigation":227,"path":1664,"relatedFrameworks":1665,"relatedTerms":1666,"seo":1668,"slug":1671,"stem":1672,"term":1436,"__hash__":1673},"glossary\u002F8.glossary\u002Fchange-management.md","Change Management",{"type":8,"value":1432,"toc":1652},[1433,1437,1440,1444,1447,1464,1468,1471,1477,1496,1502,1516,1522,1533,1539,1550,1556,1567,1571,1588,1592,1612,1616,1619,1623,1626,1643,1647],[11,1434,1436],{"id":1435},"what-is-change-management","What is Change Management?",[16,1438,1439],{},"Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. 
The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.",[20,1441,1443],{"id":1442},"why-does-change-management-matter","Why does change management matter?",[16,1445,1446],{},"Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. Without a formal change management process:",[28,1448,1449,1452,1455,1458,1461],{},[31,1450,1451],{},"Untested changes can introduce bugs or vulnerabilities",[31,1453,1454],{},"Unauthorized modifications can compromise security controls",[31,1456,1457],{},"Conflicting changes can cause system instability",[31,1459,1460],{},"Auditors cannot verify that changes were properly authorized and tested",[31,1462,1463],{},"Troubleshooting becomes difficult without a record of what changed",[20,1465,1467],{"id":1466},"what-are-the-components-of-a-change-management-process","What are the components of a change management process?",[16,1469,1470],{},"An effective change management program includes:",[16,1472,1473,1476],{},[34,1474,1475],{},"Change request"," — a formal submission describing the proposed change, including:",[28,1478,1479,1482,1485,1487,1490,1493],{},[31,1480,1481],{},"Description of the change",[31,1483,1484],{},"Business justification",[31,1486,1247],{},[31,1488,1489],{},"Rollback plan",[31,1491,1492],{},"Testing plan",[31,1494,1495],{},"Implementation timeline",[16,1497,1498,1501],{},[34,1499,1500],{},"Review and approval"," — changes are reviewed by appropriate stakeholders:",[28,1503,1504,1507,1510,1513],{},[31,1505,1506],{},"Technical review for feasibility and impact",[31,1508,1509],{},"Security review for potential risks",[31,1511,1512],{},"Management approval based on risk and priority",[31,1514,1515],{},"Change Advisory Board (CAB) review for significant changes",[16,1517,1518,1521],{},[34,1519,1520],{},"Testing"," — changes are tested in a non-production environment 
before deployment:",[28,1523,1524,1527,1530],{},[31,1525,1526],{},"Functional testing to verify the change works as intended",[31,1528,1529],{},"Regression testing to confirm existing functionality is not broken",[31,1531,1532],{},"Security testing when the change affects security-relevant systems",[16,1534,1535,1538],{},[34,1536,1537],{},"Implementation"," — changes are deployed following the approved plan:",[28,1540,1541,1544,1547],{},[31,1542,1543],{},"During designated maintenance windows when appropriate",[31,1545,1546],{},"With monitoring for unexpected issues",[31,1548,1549],{},"With rollback procedures ready if problems occur",[16,1551,1552,1555],{},[34,1553,1554],{},"Post-implementation review"," — after deployment, verify:",[28,1557,1558,1561,1564],{},[31,1559,1560],{},"The change achieved its intended outcome",[31,1562,1563],{},"No unintended side effects occurred",[31,1565,1566],{},"Documentation is updated to reflect the change",[20,1568,1570],{"id":1569},"how-do-compliance-frameworks-address-change-management","How do compliance frameworks address change management?",[28,1572,1573,1578,1583],{},[31,1574,1575,1577],{},[34,1576,36],{}," — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented",[31,1579,1580,1582],{},[34,1581,42],{}," — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures",[31,1584,1585,1587],{},[34,1586,48],{}," — Requirement 6.5 requires change control processes for all system components in the cardholder data environment",[20,1589,1591],{"id":1590},"what-are-the-types-of-changes-in-change-management","What are the types of changes in change management?",[28,1593,1594,1600,1606],{},[31,1595,1596,1599],{},[34,1597,1598],{},"Standard changes"," — pre-approved, low-risk, routine changes that follow a documented 
procedure (e.g., updating a standard software package)",[31,1601,1602,1605],{},[34,1603,1604],{},"Normal changes"," — changes that require the full change management process including review and approval",[31,1607,1608,1611],{},[34,1609,1610],{},"Emergency changes"," — urgent changes needed to resolve incidents or critical issues, typically with streamlined approval followed by retrospective documentation",[20,1613,1615],{"id":1614},"how-does-separation-of-duties-apply-to-change-management","How does separation of duties apply to change management?",[16,1617,1618],{},"A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.",[20,1620,1622],{"id":1621},"what-change-management-evidence-do-auditors-look-for","What change management evidence do auditors look for?",[16,1624,1625],{},"Auditors reviewing change management look for:",[28,1627,1628,1631,1634,1637,1640],{},[31,1629,1630],{},"Change request records with documented approvals",[31,1632,1633],{},"Evidence of testing before production deployment",[31,1635,1636],{},"Separation of duties between development, approval, and deployment",[31,1638,1639],{},"Rollback plans for significant changes",[31,1641,1642],{},"Post-implementation reviews",[20,1644,1646],{"id":1645},"how-does-episki-help-with-change-management","How does episki help with change management?",[16,1648,1649,1650,209],{},"episki tracks change management activities, integrates with ticketing and CI\u002FCD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. 
Learn more on our ",[205,1651,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":1653},[1654],{"id":1435,"depth":212,"text":1436,"children":1655},[1656,1657,1658,1659,1660,1661,1662],{"id":1442,"depth":217,"text":1443},{"id":1466,"depth":217,"text":1467},{"id":1569,"depth":217,"text":1570},{"id":1590,"depth":217,"text":1591},{"id":1614,"depth":217,"text":1615},{"id":1621,"depth":217,"text":1622},{"id":1645,"depth":217,"text":1646},{},"\u002Fglossary\u002Fchange-management",[982,230,231,984],[988,992,1667,240],"evidence-collection",{"title":1669,"description":1670},"What is Change Management? Definition & Compliance Guide","Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.","change-management","8.glossary\u002Fchange-management","xeecemxPeYwPVCVxeZ0eZXpmSOlKMkCLQoUsX4dbaQA",{"id":1675,"title":1676,"body":1677,"description":211,"extension":224,"lastUpdated":225,"meta":1944,"navigation":227,"path":1945,"relatedFrameworks":1946,"relatedTerms":1947,"seo":1949,"slug":1952,"stem":1953,"term":1682,"__hash__":1954},"glossary\u002F8.glossary\u002Fcontinuous-monitoring.md","Continuous Monitoring",{"type":8,"value":1678,"toc":1933},[1679,1683,1686,1690,1693,1713,1717,1720,1725,1739,1744,1758,1763,1774,1779,1793,1797,1820,1824,1879,1883,1886,1900,1903,1907,1924,1928],[11,1680,1682],{"id":1681},"what-is-continuous-monitoring","What is Continuous Monitoring?",[16,1684,1685],{},"Continuous monitoring is the practice of maintaining ongoing awareness of an organization's security posture, vulnerabilities, and threats through automated and manual observation of systems, controls, and processes. 
Rather than assessing security at periodic intervals, continuous monitoring provides real-time or near-real-time visibility into the effectiveness of security controls and the current threat landscape.",[20,1687,1689],{"id":1688},"why-does-continuous-monitoring-matter","Why does continuous monitoring matter?",[16,1691,1692],{},"Traditional point-in-time assessments (such as annual audits or quarterly scans) provide snapshots of security posture but miss what happens between assessments. Continuous monitoring fills this gap by:",[28,1694,1695,1698,1701,1704,1707,1710],{},[31,1696,1697],{},"Detecting threats and vulnerabilities as they emerge, not months later",[31,1699,1700],{},"Verifying that controls remain effective on an ongoing basis",[31,1702,1703],{},"Identifying configuration drift and unauthorized changes",[31,1705,1706],{},"Providing evidence of sustained compliance for auditors",[31,1708,1709],{},"Enabling faster response to security incidents",[31,1711,1712],{},"Reducing the risk of surprises during audit cycles",[20,1714,1716],{"id":1715},"what-should-you-monitor-continuously","What should you monitor continuously?",[16,1718,1719],{},"Continuous monitoring spans multiple domains:",[16,1721,1722],{},[34,1723,1724],{},"Security controls:",[28,1726,1727,1730,1733,1736],{},[31,1728,1729],{},"Are access controls still properly configured?",[31,1731,1732],{},"Are encryption mechanisms active and using current standards?",[31,1734,1735],{},"Are security policies being followed?",[31,1737,1738],{},"Are patches being applied within defined timeframes?",[16,1740,1741],{},[34,1742,1743],{},"Systems and infrastructure:",[28,1745,1746,1749,1752,1755],{},[31,1747,1748],{},"Are systems operating normally?",[31,1750,1751],{},"Are there unauthorized configuration changes?",[31,1753,1754],{},"Are there new vulnerabilities affecting your environment?",[31,1756,1757],{},"Are all endpoints protected with current security agents?",[16,1759,1760],{},[34,1761,1762],{},"User 
activity:",[28,1764,1765,1768,1771],{},[31,1766,1767],{},"Are there unusual access patterns or privilege escalations?",[31,1769,1770],{},"Are terminated users' accounts being deactivated promptly?",[31,1772,1773],{},"Are there failed authentication attempts indicating brute-force attacks?",[16,1775,1776],{},[34,1777,1778],{},"Compliance status:",[28,1780,1781,1784,1787,1790],{},[31,1782,1783],{},"Are all required controls implemented and operating?",[31,1785,1786],{},"Is evidence being collected on schedule?",[31,1788,1789],{},"Are policy reviews and updates happening as planned?",[31,1791,1792],{},"Are vendor assessments current?",[20,1794,1796],{"id":1795},"how-do-compliance-frameworks-address-continuous-monitoring","How do compliance frameworks address continuous monitoring?",[28,1798,1799,1804,1809,1814],{},[31,1800,1801,1803],{},[34,1802,36],{}," — CC4.1 and CC4.2 require ongoing monitoring of the internal control system and evaluation of deficiencies",[31,1805,1806,1808],{},[34,1807,42],{}," — clause 9 (Performance evaluation) requires monitoring, measurement, analysis, and evaluation of the ISMS",[31,1810,1811,1813],{},[34,1812,54],{}," — DE.CM (Continuous Monitoring) specifically addresses monitoring information systems and assets for cybersecurity events",[31,1815,1816,1819],{},[34,1817,1818],{},"NIST SP 800-137"," provides detailed guidance on Information Security Continuous Monitoring (ISCM)",[20,1821,1823],{"id":1822},"how-do-you-implement-continuous-monitoring","How do you implement continuous monitoring?",[155,1825,1826,1832,1855,1861,1867,1873],{},[31,1827,1828,1831],{},[34,1829,1830],{},"Define monitoring objectives"," — determine what needs to be monitored based on risk assessment and compliance requirements",[31,1833,1834,1837,1838],{},[34,1835,1836],{},"Select monitoring tools"," — deploy appropriate technologies:\n",[28,1839,1840,1843,1846,1849,1852],{},[31,1841,1842],{},"SIEM (Security Information and Event Management) for log aggregation and 
correlation",[31,1844,1845],{},"EDR (Endpoint Detection and Response) for endpoint monitoring",[31,1847,1848],{},"Vulnerability scanners for continuous vulnerability assessment",[31,1850,1851],{},"Configuration management tools for drift detection",[31,1853,1854],{},"GRC platforms for compliance monitoring",[31,1856,1857,1860],{},[34,1858,1859],{},"Establish baselines"," — define normal operating parameters so deviations can be detected",[31,1862,1863,1866],{},[34,1864,1865],{},"Configure alerts"," — set meaningful alert thresholds to balance detection with alert fatigue",[31,1868,1869,1872],{},[34,1870,1871],{},"Define response procedures"," — establish processes for responding to monitoring alerts",[31,1874,1875,1878],{},[34,1876,1877],{},"Review and improve"," — regularly assess monitoring effectiveness and adjust as needed",[20,1880,1882],{"id":1881},"what-is-the-difference-between-continuous-monitoring-and-continuous-compliance","What is the difference between continuous monitoring and continuous compliance?",[16,1884,1885],{},"While related, these concepts differ:",[28,1887,1888,1894],{},[31,1889,1890,1893],{},[34,1891,1892],{},"Continuous monitoring"," focuses on security — detecting threats, vulnerabilities, and anomalies in real time",[31,1895,1896,1899],{},[34,1897,1898],{},"Continuous compliance"," focuses on maintaining compliance posture — ensuring controls remain effective and evidence stays current",[16,1901,1902],{},"An effective program addresses both. 
Security monitoring feeds compliance evidence, and compliance monitoring ensures security controls do not degrade.",[20,1904,1906],{"id":1905},"what-are-common-challenges-with-continuous-monitoring","What are common challenges with continuous monitoring?",[28,1908,1909,1912,1915,1918,1921],{},[31,1910,1911],{},"Alert fatigue from too many low-priority notifications",[31,1913,1914],{},"Gaps in monitoring coverage across all systems",[31,1916,1917],{},"Insufficient resources to investigate and respond to alerts",[31,1919,1920],{},"Monitoring tools that generate data but lack actionable insights",[31,1922,1923],{},"Difficulty correlating events across disparate systems",[20,1925,1927],{"id":1926},"how-does-episki-help-with-continuous-monitoring","How does episki help with continuous monitoring?",[16,1929,1930,1931,209],{},"episki provides continuous compliance monitoring by tracking control effectiveness, evidence collection status, and policy review schedules. The platform integrates with security tools to pull monitoring data into your compliance program and alerts you when controls need attention. Learn more on our ",[205,1932,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":1934},[1935],{"id":1681,"depth":212,"text":1682,"children":1936},[1937,1938,1939,1940,1941,1942,1943],{"id":1688,"depth":217,"text":1689},{"id":1715,"depth":217,"text":1716},{"id":1795,"depth":217,"text":1796},{"id":1822,"depth":217,"text":1823},{"id":1881,"depth":217,"text":1882},{"id":1905,"depth":217,"text":1906},{"id":1926,"depth":217,"text":1927},{},"\u002Fglossary\u002Fcontinuous-monitoring",[982,230,231,985],[1667,988,1179,1948,234],"remediation",{"title":1950,"description":1951},"Continuous Monitoring for Compliance: Tools & Best Practices","Continuous monitoring tracks security controls in real time to detect threats and verify compliance. 
Learn how to implement it for SOC 2, ISO 27001, and NIST CSF.","continuous-monitoring","8.glossary\u002Fcontinuous-monitoring","YFq0Sck1IHoKfMLlSRFboyiO1yOmbJP8o3dmYFvhgGk",{"id":1956,"title":1957,"body":1958,"description":211,"extension":224,"lastUpdated":225,"meta":2172,"navigation":227,"path":2173,"relatedFrameworks":2174,"relatedTerms":2175,"seo":2177,"slug":2180,"stem":2181,"term":1963,"__hash__":2182},"glossary\u002F8.glossary\u002Fdata-classification.md","Data Classification",{"type":8,"value":1959,"toc":2162},[1960,1964,1967,1971,1974,2006,2010,2013,2043,2046,2050,2072,2076,2132,2136,2153,2157],[11,1961,1963],{"id":1962},"what-is-data-classification","What is Data Classification?",[16,1965,1966],{},"Data classification is the process of organizing data into categories based on its sensitivity, value, and regulatory requirements so that appropriate security controls can be applied. Rather than applying the same level of protection to all data — which is either too costly or insufficient — classification enables organizations to allocate security resources proportionally to the risk associated with each data category.",[20,1968,1970],{"id":1969},"why-does-data-classification-matter","Why does data classification matter?",[16,1972,1973],{},"Data classification is foundational to an effective security program for several reasons:",[28,1975,1976,1982,1988,1994,2000],{},[31,1977,1978,1981],{},[34,1979,1980],{},"Proportional protection"," — sensitive data receives stronger controls while less sensitive data does not burden operations with unnecessary restrictions",[31,1983,1984,1987],{},[34,1985,1986],{},"Regulatory compliance"," — many regulations require specific handling of certain data types (PHI under HIPAA, PAN under PCI DSS, personal data under GDPR)",[31,1989,1990,1993],{},[34,1991,1992],{},"Access control"," — classification determines who should have access to what data",[31,1995,1996,1999],{},[34,1997,1998],{},"Incident response"," — knowing the 
classification of compromised data helps determine the severity of an incident and notification requirements",[31,2001,2002,2005],{},[34,2003,2004],{},"Data lifecycle management"," — classification informs retention, archival, and destruction decisions",[20,2007,2009],{"id":2008},"what-are-the-common-data-classification-levels","What are the common data classification levels?",[16,2011,2012],{},"Most organizations use three to five classification levels:",[28,2014,2015,2021,2027,2033],{},[31,2016,2017,2020],{},[34,2018,2019],{},"Public"," — information intended for public consumption with no restrictions (marketing materials, public website content)",[31,2022,2023,2026],{},[34,2024,2025],{},"Internal"," — information for internal use that is not sensitive but should not be shared externally without authorization (internal memos, non-sensitive policies)",[31,2028,2029,2032],{},[34,2030,2031],{},"Confidential"," — sensitive business information that could cause harm if disclosed (financial data, strategic plans, customer lists)",[31,2034,2035,2038,2039,2042],{},[34,2036,2037],{},"Restricted"," or ",[34,2040,2041],{},"Highly Confidential"," — the most sensitive data requiring the strongest protections (PHI, PAN, trade secrets, credentials, encryption keys)",[16,2044,2045],{},"Some organizations add additional levels or use different labels, but the principle remains: categorize data by the impact of unauthorized disclosure.",[20,2047,2049],{"id":2048},"how-do-compliance-frameworks-address-classification","How do compliance frameworks address classification?",[28,2051,2052,2057,2062,2067],{},[31,2053,2054,2056],{},[34,2055,42],{}," — control A.5.12 requires classification of information, and A.5.13 requires labeling. 
The risk assessment process should consider data sensitivity when evaluating risks.",[31,2058,2059,2061],{},[34,2060,54],{}," — the Identify function (ID.AM-5) addresses classification of resources based on criticality and business value",[31,2063,2064,2066],{},[34,2065,605],{}," — while HIPAA does not prescribe a classification scheme, PHI is inherently a \"restricted\" classification that requires specific safeguards",[31,2068,2069,2071],{},[34,2070,48],{}," — cardholder data (particularly PAN) must be identified and protected with specific controls",[20,2073,2075],{"id":2074},"how-do-you-implement-data-classification","How do you implement data classification?",[155,2077,2078,2084,2090,2096,2102,2108,2114,2120,2126],{},[31,2079,2080,2083],{},[34,2081,2082],{},"Define classification levels"," — establish clear, understandable categories with examples",[31,2085,2086,2089],{},[34,2087,2088],{},"Create a classification policy"," — document the scheme, responsibilities, and handling requirements for each level",[31,2091,2092,2095],{},[34,2093,2094],{},"Inventory data"," — identify what data the organization holds and where it resides",[31,2097,2098,2101],{},[34,2099,2100],{},"Classify data"," — assign classification levels to data based on sensitivity criteria",[31,2103,2104,2107],{},[34,2105,2106],{},"Label data"," — apply labels (metadata, headers, visual markings) to classified data",[31,2109,2110,2113],{},[34,2111,2112],{},"Define handling rules"," — specify how each classification level should be stored, transmitted, shared, and destroyed",[31,2115,2116,2119],{},[34,2117,2118],{},"Train employees"," — ensure all staff understand the classification scheme and their responsibilities",[31,2121,2122,2125],{},[34,2123,2124],{},"Enforce through controls"," — implement technical controls (DLP, access controls, encryption) aligned with classification levels",[31,2127,2128,2131],{},[34,2129,2130],{},"Review periodically"," — reassess classifications as data, regulations, 
and business needs change",[20,2133,2135],{"id":2134},"what-are-common-challenges-with-data-classification","What are common challenges with data classification?",[28,2137,2138,2141,2144,2147,2150],{},[31,2139,2140],{},"Data is distributed across many systems and formats, making classification difficult",[31,2142,2143],{},"Employees may not consistently apply classification labels",[31,2145,2146],{},"Automated classification tools have limitations, especially with unstructured data",[31,2148,2149],{},"Over-classification can reduce productivity while under-classification creates risk",[31,2151,2152],{},"Classification needs to be maintained as data evolves",[20,2154,2156],{"id":2155},"how-does-episki-help-with-data-classification","How does episki help with data classification?",[16,2158,2159,2160,209],{},"episki helps organizations define data classification policies, map classification levels to security controls, and track compliance with handling requirements. The platform links classification to framework requirements across ISO 27001, NIST CSF, and other standards. Learn more on our ",[205,2161,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":2163},[2164],{"id":1962,"depth":212,"text":1963,"children":2165},[2166,2167,2168,2169,2170,2171],{"id":1969,"depth":217,"text":1970},{"id":2008,"depth":217,"text":2009},{"id":2048,"depth":217,"text":2049},{"id":2074,"depth":217,"text":2075},{"id":2134,"depth":217,"text":2135},{"id":2155,"depth":217,"text":2156},{},"\u002Fglossary\u002Fdata-classification",[982,231,985],[933,992,1175,2176,1420],"pan",{"title":2178,"description":2179},"What is Data Classification? Definition & Compliance Guide","Data classification is the process of categorizing data by sensitivity level to apply appropriate security controls. 
Learn how to build a classification scheme.","data-classification","8.glossary\u002Fdata-classification","i7_WFqWjV-QN-2udK8JC1fF_Blw81yHdx6_cQyOh7lA",{"id":2184,"title":2185,"body":2186,"description":211,"extension":224,"lastUpdated":225,"meta":2434,"navigation":227,"path":2435,"relatedFrameworks":2436,"relatedTerms":2437,"seo":2438,"slug":1419,"stem":2441,"term":2191,"__hash__":2442},"glossary\u002F8.glossary\u002Fdisaster-recovery.md","Disaster Recovery",{"type":8,"value":2187,"toc":2423},[2188,2192,2195,2199,2205,2211,2217,2221,2224,2250,2253,2257,2260,2309,2313,2316,2353,2357,2379,2383,2386,2411,2414,2418],[11,2189,2191],{"id":2190},"what-is-disaster-recovery","What is Disaster Recovery?",[16,2193,2194],{},"Disaster recovery (DR) is the set of policies, tools, and procedures designed to restore IT infrastructure, systems, and data following a disruptive event. While business continuity addresses the broad ability to maintain operations, disaster recovery focuses specifically on the technology layer — getting systems back online and data restored after an incident.",[20,2196,2198],{"id":2197},"what-are-the-key-disaster-recovery-concepts","What are the key disaster recovery concepts?",[16,2200,2201,2204],{},[34,2202,2203],{},"Recovery Time Objective (RTO)"," — the maximum acceptable amount of time that a system or application can be down after a disaster before the business impact becomes unacceptable. An RTO of 4 hours means the system must be restored within 4 hours.",[16,2206,2207,2210],{},[34,2208,2209],{},"Recovery Point Objective (RPO)"," — the maximum acceptable amount of data loss measured in time. An RPO of 1 hour means the organization can tolerate losing up to 1 hour of data, so backups must occur at least every hour.",[16,2212,2213,2216],{},[34,2214,2215],{},"Recovery Level Objective (RLO)"," — the minimum level of service or functionality that must be restored. 
Not all features of a system may need to be available immediately.",[20,2218,2220],{"id":2219},"what-are-common-disaster-recovery-strategies","What are common disaster recovery strategies?",[16,2222,2223],{},"DR strategies vary in cost, complexity, and recovery speed:",[28,2225,2226,2232,2238,2244],{},[31,2227,2228,2231],{},[34,2229,2230],{},"Backup and restore"," — the simplest approach: maintain regular backups and restore them to new or repaired infrastructure when needed. Lowest cost but highest RTO.",[31,2233,2234,2237],{},[34,2235,2236],{},"Pilot light"," — maintain a minimal version of the production environment in a secondary location that can be scaled up quickly during a disaster.",[31,2239,2240,2243],{},[34,2241,2242],{},"Warm standby"," — run a scaled-down but fully functional copy of the production environment that can be scaled to full capacity during failover.",[31,2245,2246,2249],{},[34,2247,2248],{},"Hot standby \u002F active-active"," — run full production environments in multiple locations simultaneously. 
Provides near-zero RTO but at the highest cost.",[16,2251,2252],{},"The right strategy depends on the business's RTO and RPO requirements and budget.",[20,2254,2256],{"id":2255},"what-are-the-components-of-a-disaster-recovery-plan","What are the components of a disaster recovery plan?",[16,2258,2259],{},"A comprehensive DR plan includes:",[28,2261,2262,2268,2274,2279,2285,2291,2297,2303],{},[31,2263,2264,2267],{},[34,2265,2266],{},"Scope"," — which systems and applications are covered",[31,2269,2270,2273],{},[34,2271,2272],{},"RTO and RPO targets"," — recovery objectives for each system",[31,2275,2276,2278],{},[34,2277,1299],{}," — who is responsible for each aspect of recovery",[31,2280,2281,2284],{},[34,2282,2283],{},"Recovery procedures"," — step-by-step instructions for restoring each system",[31,2286,2287,2290],{},[34,2288,2289],{},"Communication plan"," — how to notify stakeholders during a disaster",[31,2292,2293,2296],{},[34,2294,2295],{},"Vendor contacts"," — contact information for infrastructure and service providers",[31,2298,2299,2302],{},[34,2300,2301],{},"Dependencies"," — system interdependencies that affect recovery sequence",[31,2304,2305,2308],{},[34,2306,2307],{},"Testing schedule"," — how and when the plan will be tested",[20,2310,2312],{"id":2311},"how-do-you-manage-backups-for-disaster-recovery","How do you manage backups for disaster recovery?",[16,2314,2315],{},"Backups are the foundation of disaster recovery. 
Best practices include:",[28,2317,2318,2324,2330,2336,2342,2347],{},[31,2319,2320,2323],{},[34,2321,2322],{},"3-2-1 rule"," — maintain 3 copies of data, on 2 different types of media, with 1 copy offsite",[31,2325,2326,2329],{},[34,2327,2328],{},"Automated backups"," — schedule backups to run automatically at intervals aligned with RPO",[31,2331,2332,2335],{},[34,2333,2334],{},"Encryption"," — encrypt backups to protect data at rest",[31,2337,2338,2341],{},[34,2339,2340],{},"Regular testing"," — periodically restore from backups to verify they work",[31,2343,2344,2346],{},[34,2345,302],{}," — monitor backup jobs for failures and address issues immediately",[31,2348,2349,2352],{},[34,2350,2351],{},"Immutable backups"," — protect backups from ransomware by using immutable storage",[20,2354,2356],{"id":2355},"how-do-compliance-frameworks-address-disaster-recovery","How do compliance frameworks address disaster recovery?",[28,2358,2359,2364,2369,2374],{},[31,2360,2361,2363],{},[34,2362,42],{}," — control A.5.30 addresses ICT readiness for business continuity, including DR planning and testing",[31,2365,2366,2368],{},[34,2367,54],{}," — RC.RP (Recovery Planning) addresses establishing and testing recovery processes",[31,2370,2371,2373],{},[34,2372,36],{}," — the Availability criterion covers system recovery capabilities",[31,2375,2376,2378],{},[34,2377,48],{}," — while not explicitly requiring a DR plan, requirements around data protection and system availability support DR practices",[20,2380,2382],{"id":2381},"how-do-you-test-a-disaster-recovery-plan","How do you test a disaster recovery plan?",[16,2384,2385],{},"DR testing is essential and should include:",[28,2387,2388,2394,2400,2406],{},[31,2389,2390,2393],{},[34,2391,2392],{},"Backup restoration tests"," — regularly restore data from backups to verify integrity",[31,2395,2396,2399],{},[34,2397,2398],{},"Failover tests"," — practice switching to secondary systems",[31,2401,2402,2405],{},[34,2403,2404],{},"Full DR 
tests"," — simulate a complete disaster and execute the full recovery plan",[31,2407,2408,2410],{},[34,2409,1352],{}," — walk through DR scenarios with the team",[16,2412,2413],{},"Testing should occur at least annually, with backup restoration tests performed more frequently.",[20,2415,2417],{"id":2416},"how-does-episki-help-with-disaster-recovery","How does episki help with disaster recovery?",[16,2419,2420,2421,209],{},"episki tracks disaster recovery plans, backup schedules, test results, and recovery objectives. The platform sends reminders for DR testing, documents test outcomes, and maintains evidence for compliance auditors. Learn more on our ",[205,2422,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":2424},[2425],{"id":2190,"depth":212,"text":2191,"children":2426},[2427,2428,2429,2430,2431,2432,2433],{"id":2197,"depth":217,"text":2198},{"id":2219,"depth":217,"text":2220},{"id":2255,"depth":217,"text":2256},{"id":2311,"depth":217,"text":2312},{"id":2355,"depth":217,"text":2356},{"id":2381,"depth":217,"text":2382},{"id":2416,"depth":217,"text":2417},{},"\u002Fglossary\u002Fdisaster-recovery",[982,231,985],[1425,1179,1420,933],{"title":2439,"description":2440},"What is Disaster Recovery? Definition & Compliance Guide","Disaster recovery is the process of restoring IT systems and data after a disruption. 
Learn about DR planning, RTO, RPO, and compliance requirements.","8.glossary\u002Fdisaster-recovery","asnxcfYjct8iYic-NvOoNvliB3CqOtNwVc19GAVgxkw",{"id":2444,"title":2334,"body":2445,"description":211,"extension":224,"lastUpdated":225,"meta":2632,"navigation":227,"path":932,"relatedFrameworks":2633,"relatedTerms":2634,"seo":2636,"slug":933,"stem":2639,"term":2450,"__hash__":2640},"glossary\u002F8.glossary\u002Fencryption.md",{"type":8,"value":2446,"toc":2621},[2447,2451,2454,2458,2464,2470,2476,2480,2483,2486,2500,2504,2507,2509,2526,2530,2533,2565,2569,2591,2595,2612,2616],[11,2448,2450],{"id":2449},"what-is-encryption","What is Encryption?",[16,2452,2453],{},"Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only authorized parties with the correct decryption key can convert the ciphertext back to plaintext. Encryption is one of the most important technical controls for protecting the confidentiality of sensitive data and is required by virtually every compliance framework.",[20,2455,2457],{"id":2456},"what-are-the-types-of-encryption","What are the types of encryption?",[16,2459,2460,2463],{},[34,2461,2462],{},"Symmetric encryption"," — uses the same key for both encryption and decryption. It is fast and efficient for large volumes of data. Common algorithms include AES-256 (the current standard) and AES-128.",[16,2465,2466,2469],{},[34,2467,2468],{},"Asymmetric encryption"," — uses a pair of keys: a public key for encryption and a private key for decryption. It is used for key exchange, digital signatures, and scenarios where parties cannot share a secret key in advance. Common algorithms include RSA and elliptic curve cryptography (ECC).",[16,2471,2472,2475],{},[34,2473,2474],{},"Hashing"," — technically not encryption (it is one-way and cannot be reversed), but often discussed alongside encryption. 
Hashing produces a fixed-length output from any input, used for password storage and data integrity verification. Common algorithms include SHA-256 for integrity verification and bcrypt for password storage; fast general-purpose hashes such as SHA-256 should not be used on their own for storing passwords.",[20,2477,2479],{"id":2478},"what-is-encryption-at-rest","What is encryption at rest?",[16,2481,2482],{},"Encryption at rest protects data stored in databases, file systems, backups, and storage media. If a storage device is stolen or improperly decommissioned, encryption prevents unauthorized access to the data. It does not, however, protect data read through a running system or an account that is already authorized to decrypt it.",[16,2484,2485],{},"Common implementations include:",[28,2487,2488,2491,2494,2497],{},[31,2489,2490],{},"Full disk encryption (BitLocker, FileVault, LUKS)",[31,2492,2493],{},"Database encryption (Transparent Data Encryption)",[31,2495,2496],{},"File-level encryption",[31,2498,2499],{},"Cloud storage encryption (most cloud providers offer encryption at rest by default)",[20,2501,2503],{"id":2502},"what-is-encryption-in-transit","What is encryption in transit?",[16,2505,2506],{},"Encryption in transit protects data as it moves between systems over networks. When certificates are properly validated, it prevents eavesdropping, man-in-the-middle attacks, and data interception.",[16,2508,2485],{},[28,2510,2511,2514,2517,2520,2523],{},[31,2512,2513],{},"TLS 1.2 or 1.3 for web traffic (HTTPS)",[31,2515,2516],{},"TLS for email (SMTP with STARTTLS)",[31,2518,2519],{},"VPN tunnels for site-to-site or remote access connections",[31,2521,2522],{},"SSH for administrative access",[31,2524,2525],{},"IPsec for network-level encryption",[20,2527,2529],{"id":2528},"how-does-key-management-support-encryption","How does key management support encryption?",[16,2531,2532],{},"Encryption is only as strong as its key management. Poor key management undermines the protection encryption provides. 
Key management best practices include:",[28,2534,2535,2541,2547,2553,2559],{},[31,2536,2537,2540],{},[34,2538,2539],{},"Key generation"," — use cryptographically secure random number generators",[31,2542,2543,2546],{},[34,2544,2545],{},"Key storage"," — store keys separately from the data they protect, using hardware security modules (HSMs) or key management services",[31,2548,2549,2552],{},[34,2550,2551],{},"Key rotation"," — rotate keys periodically to limit exposure if a key is compromised",[31,2554,2555,2558],{},[34,2556,2557],{},"Key access control"," — restrict key access to authorized personnel and systems",[31,2560,2561,2564],{},[34,2562,2563],{},"Key destruction"," — securely destroy keys when no longer needed",[20,2566,2568],{"id":2567},"what-are-the-encryption-requirements","What are the encryption requirements?",[28,2570,2571,2576,2581,2586],{},[31,2572,2573,2575],{},[34,2574,36],{}," — CC6.1 and CC6.7 address protection of data through encryption and other mechanisms",[31,2577,2578,2580],{},[34,2579,42],{}," — control A.8.24 addresses use of cryptography",[31,2582,2583,2585],{},[34,2584,605],{}," — encryption is an addressable implementation specification for ePHI at rest (45 CFR 164.312(a)(2)(iv)) and a requirement for ePHI in transit (45 CFR 164.312(e)(1))",[31,2587,2588,2590],{},[34,2589,48],{}," — Requirement 3 requires encryption of stored PAN, and Requirement 4 requires encryption of PAN in transit over open networks",[20,2592,2594],{"id":2593},"what-are-common-mistakes-with-encryption","What are common mistakes with encryption?",[28,2596,2597,2600,2603,2606,2609],{},[31,2598,2599],{},"Using outdated algorithms and protocols (DES, 3DES, RC4, SSL, TLS 1.0\u002F1.1)",[31,2601,2602],{},"Storing encryption keys alongside encrypted data",[31,2604,2605],{},"Failing to encrypt backups",[31,2607,2608],{},"Not encrypting data in transit within internal networks",[31,2610,2611],{},"Hardcoding keys in application source 
code",[20,2613,2615],{"id":2614},"how-does-episki-help-with-encryption","How does episki help with encryption?",[16,2617,2618,2619,209],{},"episki tracks your encryption implementations across systems, monitors certificate expirations, and documents encryption policies and key management practices for audit evidence. Learn more on our ",[205,2620,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":2622},[2623],{"id":2449,"depth":212,"text":2450,"children":2624},[2625,2626,2627,2628,2629,2630,2631],{"id":2456,"depth":217,"text":2457},{"id":2478,"depth":217,"text":2479},{"id":2502,"depth":217,"text":2503},{"id":2528,"depth":217,"text":2529},{"id":2567,"depth":217,"text":2568},{"id":2593,"depth":217,"text":2594},{"id":2614,"depth":217,"text":2615},{},[982,230,231,983,984],[2176,1175,2635,992,2180],"tokenization",{"title":2637,"description":2638},"What is Encryption? Definition & Compliance Guide","Encryption transforms data into unreadable ciphertext to protect confidentiality. Learn about encryption at rest, in transit, and compliance requirements.","8.glossary\u002Fencryption","8HTAhzLPBjGJKnlguz6mBT1ob6J8h2KVZGzAJtWJEHM",{"id":2642,"title":2643,"body":2644,"description":211,"extension":224,"lastUpdated":225,"meta":2844,"navigation":227,"path":2845,"relatedFrameworks":2846,"relatedTerms":2847,"seo":2848,"slug":1667,"stem":2851,"term":2649,"__hash__":2852},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":8,"value":2645,"toc":2834},[2646,2650,2653,2657,2660,2674,2678,2681,2731,2735,2738,2744,2750,2756,2760,2804,2808,2825,2829],[11,2647,2649],{"id":2648},"what-is-evidence-collection","What is Evidence Collection?",[16,2651,2652],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. 
It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[20,2654,2656],{"id":2655},"why-does-evidence-collection-matter","Why does evidence collection matter?",[16,2658,2659],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[28,2661,2662,2665,2668,2671],{},[31,2663,2664],{},"Audits take longer and cost more due to scrambling for documentation",[31,2666,2667],{},"Control gaps go undetected until audit time",[31,2669,2670],{},"Audit opinions may be qualified due to insufficient evidence",[31,2672,2673],{},"Customer trust erodes when security claims cannot be substantiated",[20,2675,2677],{"id":2676},"what-are-the-types-of-evidence-in-compliance-audits","What are the types of evidence in compliance audits?",[16,2679,2680],{},"Evidence takes many forms depending on the control being demonstrated:",[28,2682,2683,2689,2695,2701,2707,2713,2719,2725],{},[31,2684,2685,2688],{},[34,2686,2687],{},"Screenshots"," — system configurations, access control settings, dashboard views",[31,2690,2691,2694],{},[34,2692,2693],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[31,2696,2697,2700],{},[34,2698,2699],{},"Documents"," — policies, procedures, meeting minutes, training records",[31,2702,2703,2706],{},[34,2704,2705],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[31,2708,2709,2712],{},[34,2710,2711],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[31,2714,2715,2718],{},[34,2716,2717],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance 
attestations",[31,2720,2721,2724],{},[34,2722,2723],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[31,2726,2727,2730],{},[34,2728,2729],{},"Interviews"," — auditor interviews with control owners (for live audits)",[20,2732,2734],{"id":2733},"what-are-common-evidence-collection-approaches","What are common evidence collection approaches?",[16,2736,2737],{},"Organizations typically use one of three approaches:",[16,2739,2740,2743],{},[34,2741,2742],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[16,2745,2746,2749],{},[34,2747,2748],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[16,2751,2752,2755],{},[34,2753,2754],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[20,2757,2759],{"id":2758},"what-are-best-practices-for-evidence-collection","What are best practices for evidence collection?",[28,2761,2762,2768,2774,2780,2786,2792,2798],{},[31,2763,2764,2767],{},[34,2765,2766],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[31,2769,2770,2773],{},[34,2771,2772],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[31,2775,2776,2779],{},[34,2777,2778],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[31,2781,2782,2785],{},[34,2783,2784],{},"Organize by control"," — structure evidence so it 
maps directly to controls and framework requirements",[31,2787,2788,2791],{},[34,2789,2790],{},"Maintain chain of custody"," — ensure evidence cannot be tampered with after collection",[31,2793,2794,2797],{},[34,2795,2796],{},"Review evidence quality"," — periodically verify that collected evidence actually demonstrates the control is working",[31,2799,2800,2803],{},[34,2801,2802],{},"Retain evidence appropriately"," — keep evidence for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[20,2805,2807],{"id":2806},"what-are-common-challenges-with-evidence-collection","What are common challenges with evidence collection?",[28,2809,2810,2813,2816,2819,2822],{},[31,2811,2812],{},"Evidence collection is distributed across many teams and systems",[31,2814,2815],{},"Control owners forget to collect on schedule",[31,2817,2818],{},"Evidence quality varies — screenshots may be unclear or incomplete",[31,2820,2821],{},"Evidence becomes stale if not collected at the right frequency",[31,2823,2824],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[20,2826,2828],{"id":2827},"how-does-episki-help-with-evidence-collection","How does episki help with evidence collection?",[16,2830,2831,2832,209],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. 
Learn more on our ",[205,2833,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":2835},[2836],{"id":2648,"depth":212,"text":2649,"children":2837},[2838,2839,2840,2841,2842,2843],{"id":2655,"depth":217,"text":2656},{"id":2676,"depth":217,"text":2677},{"id":2733,"depth":217,"text":2734},{"id":2758,"depth":217,"text":2759},{"id":2806,"depth":217,"text":2807},{"id":2827,"depth":217,"text":2828},{},"\u002Fglossary\u002Fevidence-collection",[230,231,983,984],[988,422,1952,240],{"title":2849,"description":2850},"What is Evidence Collection? Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","-4Die8_TxT3p7plrS5QfBm3mjx6_FZQa79Sl58zqSnw",{"id":2854,"title":2855,"body":2856,"description":211,"extension":224,"lastUpdated":225,"meta":2965,"navigation":227,"path":2966,"relatedFrameworks":2967,"relatedTerms":2968,"seo":2969,"slug":2972,"stem":2973,"term":2861,"__hash__":2974},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":8,"value":2857,"toc":2956},[2858,2862,2869,2873,2876,2890,2894,2897,2911,2915,2928,2932,2935,2949,2953],[11,2859,2861],{"id":2860},"what-is-grc","What is GRC?",[16,2863,2864,2865,2868],{},"GRC stands for ",[34,2866,2867],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[20,2870,2872],{"id":2871},"what-is-governance-in-grc","What is governance in GRC?",[16,2874,2875],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. 
In a security context, governance includes:",[28,2877,2878,2881,2884,2887],{},[31,2879,2880],{},"Establishing security policies and standards",[31,2882,2883],{},"Assigning ownership for controls and programs",[31,2885,2886],{},"Setting risk appetite and tolerance levels",[31,2888,2889],{},"Board-level oversight of security posture",[20,2891,2893],{"id":2892},"what-is-risk-management-in-grc","What is risk management in GRC?",[16,2895,2896],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. Common activities include:",[28,2898,2899,2902,2905,2908],{},[31,2900,2901],{},"Maintaining a risk register with likelihood and impact scores",[31,2903,2904],{},"Prioritizing remediation based on business impact",[31,2906,2907],{},"Tracking treatment plans with owners and deadlines",[31,2909,2910],{},"Reviewing risk posture on a recurring schedule",[20,2912,2914],{"id":2913},"what-is-compliance-in-grc","What is compliance in GRC?",[16,2916,2917,2918,2920,2921,2920,2923,2925,2926,209],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[205,2919,36],{"href":405},", ",[205,2922,42],{"href":591},[205,2924,605],{"href":604},", and ",[205,2927,48],{"href":618},[20,2929,2931],{"id":2930},"why-does-grc-matter","Why does GRC matter?",[16,2933,2934],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. 
A GRC program brings these disciplines together so that:",[28,2936,2937,2940,2943,2946],{},[31,2938,2939],{},"Controls are mapped once and reused across frameworks",[31,2941,2942],{},"Risk decisions inform which controls get priority",[31,2944,2945],{},"Evidence is collected continuously rather than scrambled before audits",[31,2947,2948],{},"Leadership has visibility into security posture and compliance status",[20,2950,2952],{"id":2951},"what-is-grc-software","What is GRC software?",[16,2954,2955],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":211,"searchDepth":212,"depth":212,"links":2957},[2958],{"id":2860,"depth":212,"text":2861,"children":2959},[2960,2961,2962,2963,2964],{"id":2871,"depth":217,"text":2872},{"id":2892,"depth":217,"text":2893},{"id":2913,"depth":217,"text":2914},{"id":2930,"depth":217,"text":2931},{"id":2951,"depth":217,"text":2952},{},"\u002Fglossary\u002Fgrc",[230,231,983,984,985],[1420,234,988,1667],{"title":2970,"description":2971},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. 
Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","grc","8.glossary\u002Fgrc","6r8Pzm3RtrpbRSlELLbyQ2mEbI0Rv-73CiQlZaZiv9g",{"id":2976,"title":2977,"body":2978,"description":211,"extension":224,"lastUpdated":225,"meta":3088,"navigation":227,"path":3089,"relatedFrameworks":3090,"relatedTerms":3091,"seo":3093,"slug":983,"stem":3096,"term":2983,"__hash__":3097},"glossary\u002F8.glossary\u002Fhipaa.md","Hipaa",{"type":8,"value":2979,"toc":3078},[2980,2984,2987,2991,3016,3020,3023,3034,3038,3041,3055,3059,3062,3066,3069,3073],[11,2981,2983],{"id":2982},"what-is-hipaa","What is HIPAA?",[16,2985,2986],{},"HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.",[20,2988,2990],{"id":2989},"what-are-the-key-hipaa-rules","What are the key HIPAA rules?",[28,2992,2993,2999,3004,3010],{},[31,2994,2995,2998],{},[34,2996,2997],{},"Privacy Rule"," — governs the use and disclosure of protected health information (PHI)",[31,3000,3001,3003],{},[34,3002,610],{}," — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)",[31,3005,3006,3009],{},[34,3007,3008],{},"Breach Notification Rule"," — mandates notification of affected individuals and HHS after a data breach",[31,3011,3012,3015],{},[34,3013,3014],{},"Enforcement Rule"," — establishes investigation and penalty procedures",[20,3017,3019],{"id":3018},"what-is-protected-health-information-phi","What is Protected Health Information (PHI)?",[16,3021,3022],{},"PHI includes any individually identifiable health information, such as:",[28,3024,3025,3028,3031],{},[31,3026,3027],{},"Medical records and diagnoses",[31,3029,3030],{},"Treatment and payment information",[31,3032,3033],{},"Names, addresses, 
dates of birth, and Social Security numbers when linked to health data",[20,3035,3037],{"id":3036},"what-is-a-business-associate-agreement-baa","What is a Business Associate Agreement (BAA)?",[16,3039,3040],{},"Any vendor that handles PHI on behalf of a covered entity must sign a BAA. This contract:",[28,3042,3043,3046,3049,3052],{},[31,3044,3045],{},"Defines how the vendor can use and disclose PHI",[31,3047,3048],{},"Requires the vendor to implement appropriate safeguards",[31,3050,3051],{},"Establishes breach notification obligations",[31,3053,3054],{},"Makes the vendor directly liable for HIPAA violations",[20,3056,3058],{"id":3057},"what-are-hipaa-penalties","What are HIPAA penalties?",[16,3060,3061],{},"Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with an annual cap of $2,134,831 per identical violation category. Criminal penalties can include fines up to $250,000 and imprisonment.",[20,3063,3065],{"id":3064},"how-does-hipaa-apply-to-saas-companies","How does HIPAA apply to SaaS companies?",[16,3067,3068],{},"SaaS companies that store, process, or transmit PHI are considered business associates and must comply with HIPAA. Common requirements include encryption at rest and in transit, access controls, audit logging, and incident response procedures.",[20,3070,3072],{"id":3071},"how-does-episki-help-with-hipaa","How does episki help with HIPAA?",[16,3074,3075,3076,209],{},"episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. 
Learn more on our ",[205,3077,1160],{"href":604},{"title":211,"searchDepth":212,"depth":212,"links":3079},[3080],{"id":2982,"depth":212,"text":2983,"children":3081},[3082,3083,3084,3085,3086,3087],{"id":2989,"depth":217,"text":2990},{"id":3018,"depth":217,"text":3019},{"id":3036,"depth":217,"text":3037},{"id":3057,"depth":217,"text":3058},{"id":3064,"depth":217,"text":3065},{"id":3071,"depth":217,"text":3072},{},"\u002Fglossary\u002Fhipaa",[983],[1175,3092,1177,1183],"baa",{"title":3094,"description":3095},"What is HIPAA? Healthcare Compliance Requirements Explained","HIPAA is the US federal law protecting health information. Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.","8.glossary\u002Fhipaa","JPFQoMGf21YW7HHj69Pg6GuGjOetXJglTxRpWdM7D-U",{"id":3099,"title":596,"body":3100,"description":211,"extension":224,"lastUpdated":225,"meta":3245,"navigation":227,"path":595,"relatedFrameworks":3246,"relatedTerms":3247,"seo":3250,"slug":235,"stem":3253,"term":3105,"__hash__":3254},"glossary\u002F8.glossary\u002Fannex-a.md",{"type":8,"value":3101,"toc":3235},[3102,3106,3117,3121,3124,3150,3154,3157,3174,3177,3181,3184,3188,3191,3205,3208,3212,3225,3229],[11,3103,3105],{"id":3104},"what-is-iso-27001-annex-a","What is ISO 27001 Annex A?",[16,3107,3108,3109,3111,3112,3116],{},"ISO 27001 Annex A is the normative annex to the ",[205,3110,42],{"href":591}," standard that provides a reference list of information security controls. Organizations use Annex A as a checklist to ensure their ",[205,3113,3115],{"href":3114},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","Information Security Management System (ISMS)"," addresses a comprehensive range of security topics. 
As of the 2022 revision, Annex A contains 93 controls organized into four themes.",[20,3118,3120],{"id":3119},"what-are-the-four-themes","What are the four themes?",[16,3122,3123],{},"The 2022 revision reorganized controls from the previous 14 categories into four themes:",[28,3125,3126,3132,3138,3144],{},[31,3127,3128,3131],{},[34,3129,3130],{},"Organizational controls (37 controls)"," — policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, and more",[31,3133,3134,3137],{},[34,3135,3136],{},"People controls (8 controls)"," — screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination",[31,3139,3140,3143],{},[34,3141,3142],{},"Physical controls (14 controls)"," — physical security perimeters, entry controls, securing offices and facilities, equipment protection, and clear desk policies",[31,3145,3146,3149],{},[34,3147,3148],{},"Technological controls (34 controls)"," — user endpoint devices, privileged access management, access restrictions, secure authentication, malware protection, logging, encryption, and secure development",[20,3151,3153],{"id":3152},"how-does-annex-a-fit-into-iso-27001","How does Annex A fit into ISO 27001?",[16,3155,3156],{},"Annex A is not a standalone list of mandatory controls. 
Instead, it works in conjunction with the risk assessment process defined in clauses 6 and 8 of ISO 27001:",[155,3158,3159,3162,3165,3168,3171],{},[31,3160,3161],{},"The organization performs a risk assessment to identify information security risks",[31,3163,3164],{},"The organization determines how to treat each risk (mitigate, accept, transfer, or avoid)",[31,3166,3167],{},"For risks being mitigated, the organization selects appropriate controls",[31,3169,3170],{},"The organization compares selected controls against Annex A to ensure nothing has been overlooked",[31,3172,3173],{},"The results are documented in the Statement of Applicability",[16,3175,3176],{},"This approach ensures that control selection is risk-driven rather than checkbox-driven. An organization may determine that certain Annex A controls are not applicable based on their specific risk profile, and this is acceptable as long as the justification is documented.",[20,3178,3180],{"id":3179},"how-does-annex-a-relate-to-iso-27002","How does Annex A relate to ISO 27002?",[16,3182,3183],{},"ISO 27002 provides detailed implementation guidance for each Annex A control. While Annex A lists the controls with brief descriptions, ISO 27002 explains the purpose, guidance, and other information for each control. 
Think of Annex A as the \"what\" and ISO 27002 as the \"how.\"",[20,3185,3187],{"id":3186},"what-changed-in-the-2022-revision-of-annex-a","What changed in the 2022 revision of Annex A?",[16,3189,3190],{},"The 2022 update introduced several changes from the 2013 version:",[28,3192,3193,3196,3199,3202],{},[31,3194,3195],{},"Controls were consolidated from 114 to 93",[31,3197,3198],{},"The 14 categories were replaced with 4 themes",[31,3200,3201],{},"11 new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking",[31,3203,3204],{},"Each control now includes attributes (control type, cybersecurity concept, operational capability, and security domain) to aid in filtering and mapping",[16,3206,3207],{},"Organizations certified under the 2013 version had a transition period to update their ISMS to align with the 2022 revision.",[20,3209,3211],{"id":3210},"what-is-the-statement-of-applicability","What is the Statement of Applicability?",[16,3213,3214,3215,3219,3220,3224],{},"The ",[205,3216,3218],{"href":3217},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","Statement of Applicability (SoA)"," is the document where an organization records which Annex A controls are applicable, which are not, and the justification for each decision. The SoA is a mandatory document for ",[205,3221,3223],{"href":3222},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification"," and is a key artifact reviewed during certification audits.",[20,3226,3228],{"id":3227},"how-does-episki-help-with-annex-a","How does episki help with Annex A?",[16,3230,3231,3232,209],{},"episki includes all 93 Annex A controls with mappings to your risk treatment plan and Statement of Applicability. The platform helps you track implementation status, assign ownership, and collect evidence for each applicable control. 
Learn more on our ",[205,3233,3234],{"href":591},"ISO 27001 compliance page",{"title":211,"searchDepth":212,"depth":212,"links":3236},[3237],{"id":3104,"depth":212,"text":3105,"children":3238},[3239,3240,3241,3242,3243,3244],{"id":3119,"depth":217,"text":3120},{"id":3152,"depth":217,"text":3153},{"id":3179,"depth":217,"text":3180},{"id":3186,"depth":217,"text":3187},{"id":3210,"depth":217,"text":3211},{"id":3227,"depth":217,"text":3228},{},[231],[231,236,3248,240,3249],"iso-27002","isms",{"title":3251,"description":3252},"ISO 27001 Annex A: All 93 Controls Explained (2022)","ISO 27001 Annex A lists 93 security controls in 4 themes. Learn each control category, how they map to your Statement of Applicability, and implementation tips.","8.glossary\u002Fannex-a","7UuJknizYAej4wh0vgz3iQYe-_A9-r5bjizs222-Avw",{"id":3256,"title":3257,"body":3258,"description":211,"extension":224,"lastUpdated":225,"meta":3850,"navigation":227,"path":3851,"relatedFrameworks":3852,"relatedTerms":3853,"seo":3856,"slug":231,"stem":3859,"term":3263,"__hash__":3860},"glossary\u002F8.glossary\u002Fiso27001.md","Iso27001",{"type":8,"value":3259,"toc":3838},[3260,3264,3272,3280,3284,3307,3311,3314,3358,3362,3365,3391,3394,3397,3417,3421,3424,3478,3481,3485,3488,3493,3498,3503,3508,3516,3519,3523,3526,3610,3613,3616,3648,3651,3656,3670,3674,3677,3789,3792,3795,3798,3822,3829,3833],[11,3261,3263],{"id":3262},"what-is-iso-27001","What is ISO 27001?",[16,3265,3266,3267,3271],{},"ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (",[205,3268,3270],{"href":3269},"\u002Fglossary\u002Fisms","ISMS",").",[16,3273,3274,3275,3279],{},"First published in 2005 and most recently revised in 2022, ISO 27001 is the world's most widely adopted information security framework. 
It takes a risk-based approach: rather than prescribing a fixed checklist, it requires organizations to identify their own security risks and select controls appropriate to their context. Certification is granted by accredited third-party ",[205,3276,3278],{"href":3277},"\u002Fglossary\u002Fcertification-body","certification bodies"," after a formal audit process.",[20,3281,3283],{"id":3282},"what-are-the-key-components-of-iso-27001","What are the key components of ISO 27001?",[28,3285,3286,3291,3297,3302],{},[31,3287,3288,3290],{},[34,3289,3270],{}," — a systematic approach to managing sensitive information through people, processes, and technology",[31,3292,3293,3296],{},[34,3294,3295],{},"Annex A controls"," — a reference set of 93 controls (in the 2022 revision) organized into four themes: organizational, people, physical, and technological",[31,3298,3299,3301],{},[34,3300,3218],{}," — a document listing which Annex A controls apply and justifying any exclusions",[31,3303,3304,3306],{},[34,3305,1247],{}," — a formal process for identifying and treating information security risks",[20,3308,3310],{"id":3309},"what-is-the-iso-27001-certification-process","What is the ISO 27001 certification process?",[16,3312,3313],{},"ISO 27001 certification involves:",[155,3315,3316,3322,3328,3334,3340,3346,3352],{},[31,3317,3318,3321],{},[34,3319,3320],{},"Gap analysis"," — compare current practices against the standard",[31,3323,3324,3327],{},[34,3325,3326],{},"ISMS implementation"," — build policies, controls, and processes",[31,3329,3330,3333],{},[34,3331,3332],{},"Internal audit"," — verify the ISMS works as intended",[31,3335,3336,3339],{},[34,3337,3338],{},"Stage 1 audit"," — external auditor reviews documentation",[31,3341,3342,3345],{},[34,3343,3344],{},"Stage 2 audit"," — external auditor tests operational effectiveness",[31,3347,3348,3351],{},[34,3349,3350],{},"Surveillance audits"," — annual reviews to maintain 
certification",[31,3353,3354,3357],{},[34,3355,3356],{},"Recertification"," — full audit every three years",[20,3359,3361],{"id":3360},"who-needs-iso-27001","Who needs ISO 27001?",[16,3363,3364],{},"ISO 27001 certification is voluntary — no law mandates it — but it is increasingly expected by enterprise buyers and procurement teams. Organizations that benefit most include:",[28,3366,3367,3373,3379,3385],{},[31,3368,3369,3372],{},[34,3370,3371],{},"Companies targeting international customers"," — ISO 27001 is the de facto security standard in Europe, APAC, and the Middle East. Without it, you may not make it past vendor questionnaires.",[31,3374,3375,3378],{},[34,3376,3377],{},"Regulated industries"," — Financial services, healthcare, and government contractors often require suppliers to hold ISO 27001 certification as a baseline.",[31,3380,3381,3384],{},[34,3382,3383],{},"SaaS and cloud providers"," — Enterprise buyers routinely ask for ISO 27001 during procurement. It signals that your security program is structured and externally validated.",[31,3386,3387,3390],{},[34,3388,3389],{},"Organizations scaling into new markets"," — If you already serve the US with a SOC 2, adding ISO 27001 opens doors globally without rebuilding your program from scratch.",[16,3392,3393],{},"Even when not contractually required, holding the certification reduces the time spent answering security questionnaires and builds trust with prospects before the first sales call.",[16,3395,3396],{},"ISO 27001 is especially valued in:",[28,3398,3399,3405,3411],{},[31,3400,3401,3404],{},[34,3402,3403],{},"Europe"," — GDPR-conscious buyers view it as evidence of mature data protection practices.",[31,3406,3407,3410],{},[34,3408,3409],{},"APAC"," — Markets like Japan, Australia, and Singapore treat it as a baseline requirement for technology vendors.",[31,3412,3413,3416],{},[34,3414,3415],{},"Global enterprises"," — Companies like Google, Microsoft, and Salesforce require ISO 27001 from critical 
suppliers in their vendor risk management programs.",[20,3418,3420],{"id":3419},"what-changed-in-iso-270012022","What changed in ISO 27001:2022?",[16,3422,3423],{},"The 2022 revision of ISO 27001 (formally ISO\u002FIEC 27001:2022) brought the most significant structural changes since the standard's 2013 edition. The core ISMS requirements in clauses 4–10 received minor wording updates, but Annex A was overhauled:",[28,3425,3426,3432,3438],{},[31,3427,3428,3431],{},[34,3429,3430],{},"Restructured from 14 categories to 4 themes"," — The previous 14-domain layout was replaced with four broad themes: organizational, people, physical, and technological.",[31,3433,3434,3437],{},[34,3435,3436],{},"Consolidated from 114 controls to 93"," — Controls were merged and reorganized, not removed. The reduction reflects overlapping controls being combined into more coherent groupings.",[31,3439,3440,3443,3444],{},[34,3441,3442],{},"11 new controls added"," — The 2022 revision introduced controls that reflect the modern threat landscape, including:\n",[28,3445,3446,3449,3452,3455,3458,3460,3463,3466,3469,3472,3475],{},[31,3447,3448],{},"Threat intelligence",[31,3450,3451],{},"Information security for cloud services",[31,3453,3454],{},"ICT readiness for business continuity",[31,3456,3457],{},"Physical security monitoring",[31,3459,296],{},[31,3461,3462],{},"Information deletion",[31,3464,3465],{},"Data masking",[31,3467,3468],{},"Data leakage prevention",[31,3470,3471],{},"Monitoring activities",[31,3473,3474],{},"Web filtering",[31,3476,3477],{},"Secure coding",[16,3479,3480],{},"Organizations certified under the 2013 edition were required to transition to the 2022 revision by October 31, 2025. 
New certifications are issued exclusively against the 2022 standard.",[20,3482,3484],{"id":3483},"what-are-the-annex-a-control-themes","What are the Annex A control themes?",[16,3486,3487],{},"The four themes in Annex A group controls by domain rather than by the asset or process they protect. This makes it easier to assign ownership and track implementation progress.",[16,3489,3490,3492],{},[34,3491,3130],{},"\nThese cover governance, policies, and management-level activities. Examples include information security policies, defined roles and responsibilities, threat intelligence, asset management, access control policies, supplier security, and incident management.",[16,3494,3495,3497],{},[34,3496,3136],{},"\nFocused on the human side of security. Examples include pre-employment screening, information security awareness and training, disciplinary processes, responsibilities after termination, remote working arrangements, and confidentiality agreements.",[16,3499,3500,3502],{},[34,3501,3142],{},"\nAddress the protection of physical spaces and equipment. Examples include physical security perimeters, physical entry controls, securing offices and facilities, equipment maintenance, storage media handling, and supporting utility security.",[16,3504,3505,3507],{},[34,3506,3148],{},"\nCover technical safeguards applied to IT systems. Examples include user endpoint devices, privileged access rights, access restriction to information, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, logging, network security, encryption, secure development lifecycle, and data masking.",[16,3509,3510,3511,3515],{},"Together, the 93 controls form the reference set from which you build your ",[205,3512,3514],{"href":3513},"\u002Fglossary\u002Fstatement-of-applicability","Statement of Applicability",". 
Not every control will apply — the SoA documents which you selected and why you excluded the rest.",[16,3517,3518],{},"A common approach is to assign theme ownership: IT leads technological controls, HR owns people controls, facilities manages physical controls, and a GRC or security team coordinates organizational controls. This clear division of responsibility is one reason the 2022 restructuring was widely welcomed by practitioners.",[20,3520,3522],{"id":3521},"what-is-the-cost-and-timeline-of-iso-27001-certification","What is the cost and timeline of ISO 27001 certification?",[16,3524,3525],{},"ISO 27001 certification is a significant investment in both money and internal effort. Typical ranges depend on organization size, complexity, and existing maturity:",[743,3527,3528,3544],{},[746,3529,3530],{},[749,3531,3532,3535,3538,3541],{},[752,3533,3534],{},"Factor",[752,3536,3537],{},"Small org (\u003C 50 employees)",[752,3539,3540],{},"Mid-size org (50–500)",[752,3542,3543],{},"Enterprise (500+)",[766,3545,3546,3562,3578,3594],{},[749,3547,3548,3553,3556,3559],{},[771,3549,3550],{},[34,3551,3552],{},"Implementation cost",[771,3554,3555],{},"$30K–$50K",[771,3557,3558],{},"$50K–$100K",[771,3560,3561],{},"$100K+",[749,3563,3564,3569,3572,3575],{},[771,3565,3566],{},[34,3567,3568],{},"Timeline to certification",[771,3570,3571],{},"6–9 months",[771,3573,3574],{},"9–12 months",[771,3576,3577],{},"12–18 months",[749,3579,3580,3585,3588,3591],{},[771,3581,3582],{},[34,3583,3584],{},"Certification audit fees",[771,3586,3587],{},"$10K–$20K",[771,3589,3590],{},"$20K–$40K",[771,3592,3593],{},"$40K–$80K",[749,3595,3596,3601,3604,3607],{},[771,3597,3598],{},[34,3599,3600],{},"Annual surveillance audits",[771,3602,3603],{},"$5K–$15K",[771,3605,3606],{},"$15K–$25K",[771,3608,3609],{},"$25K–$50K",[16,3611,3612],{},"These figures include consulting, tooling, auditor fees, and remediation. 
They do not include the internal time your team spends building policies, gathering evidence, and running internal audits — which is often the largest hidden cost.",[16,3614,3615],{},"The implementation timeline typically breaks down as:",[155,3617,3618,3624,3630,3636,3642],{},[31,3619,3620,3623],{},[34,3621,3622],{},"Months 1–2"," — Scoping, gap analysis, and risk assessment",[31,3625,3626,3629],{},[34,3627,3628],{},"Months 3–6"," — Policy development, control implementation, and staff training",[31,3631,3632,3635],{},[34,3633,3634],{},"Months 7–8"," — Internal audit and management review",[31,3637,3638,3641],{},[34,3639,3640],{},"Months 9–10"," — Stage 1 audit (documentation review)",[31,3643,3644,3647],{},[34,3645,3646],{},"Months 10–12"," — Remediation and Stage 2 audit (operational effectiveness)",[16,3649,3650],{},"After certification, expect ongoing costs for surveillance audits (annually) and a full recertification audit every three years.",[16,3652,3653],{},[34,3654,3655],{},"Tips for reducing cost and timeline:",[28,3657,3658,3661,3664,3667],{},[31,3659,3660],{},"Start with a gap analysis to avoid over-investing in areas you already cover.",[31,3662,3663],{},"Reuse existing policies and evidence from SOC 2 or NIST CSF if you have them.",[31,3665,3666],{},"Use a GRC platform to centralize evidence collection and automate control tracking.",[31,3668,3669],{},"Engage your certification body early for a pre-assessment to surface surprises before the formal audit.",[20,3671,3673],{"id":3672},"how-does-iso-27001-map-to-other-frameworks","How does ISO 27001 map to other frameworks?",[16,3675,3676],{},"If your organization already operates under another framework, ISO 27001 will share significant control overlap. 
Mapping controls across frameworks reduces duplicate work and accelerates certification timelines.",[743,3678,3679,3693],{},[746,3680,3681],{},[749,3682,3683,3685,3687,3689,3691],{},[752,3684],{},[752,3686,42],{},[752,3688,36],{},[752,3690,54],{},[752,3692,48],{},[766,3694,3695,3714,3732,3751,3770],{},[749,3696,3697,3702,3705,3708,3711],{},[771,3698,3699],{},[34,3700,3701],{},"Type",[771,3703,3704],{},"Certifiable standard",[771,3706,3707],{},"Attestation report",[771,3709,3710],{},"Voluntary framework",[771,3712,3713],{},"Mandatory standard",[749,3715,3716,3720,3723,3726,3729],{},[771,3717,3718],{},[34,3719,2266],{},[771,3721,3722],{},"Global",[771,3724,3725],{},"Primarily North America",[771,3727,3728],{},"US-originated, global adoption",[771,3730,3731],{},"Any org handling cardholder data",[749,3733,3734,3739,3742,3745,3748],{},[771,3735,3736],{},[34,3737,3738],{},"Structure",[771,3740,3741],{},"ISMS + Annex A controls",[771,3743,3744],{},"Trust Services Criteria",[771,3746,3747],{},"6 functions, 22 categories",[771,3749,3750],{},"12 requirements, 300+ sub-requirements",[749,3752,3753,3758,3761,3764,3767],{},[771,3754,3755],{},[34,3756,3757],{},"Validity",[771,3759,3760],{},"3 years with surveillance",[771,3762,3763],{},"Report covers observation period",[771,3765,3766],{},"Self-assessed (no certification)",[771,3768,3769],{},"Annual assessment",[749,3771,3772,3777,3780,3783,3786],{},[771,3773,3774],{},[34,3775,3776],{},"Control count",[771,3778,3779],{},"93 (Annex A)",[771,3781,3782],{},"~60 points of focus",[771,3784,3785],{},"~100 subcategories",[771,3787,3788],{},"300+",[16,3790,3791],{},"The overlap between ISO 27001 and SOC 2 is roughly 70–80% at the control level. NIST CSF aligns even more closely with ISO 27001 since both follow a risk-based approach. 
PCI DSS is more prescriptive but shares foundational controls around access management, logging, encryption, and incident response.",[16,3793,3794],{},"Organizations that already have one framework in place can typically achieve ISO 27001 certification 30–40% faster by reusing existing policies, evidence, and control implementations.",[16,3796,3797],{},"Key areas of overlap include:",[28,3799,3800,3805,3810,3816],{},[31,3801,3802,3804],{},[34,3803,1992],{}," — covered by all four frameworks, though PCI DSS is the most prescriptive about password complexity and multi-factor authentication.",[31,3806,3807,3809],{},[34,3808,1998],{}," — ISO 27001, NIST CSF, and PCI DSS all require documented incident response plans and regular testing.",[31,3811,3812,3815],{},[34,3813,3814],{},"Risk management"," — ISO 27001 and NIST CSF both center on risk-based decision-making; SOC 2 addresses it through the Common Criteria.",[31,3817,3818,3821],{},[34,3819,3820],{},"Logging and monitoring"," — a universal requirement, with PCI DSS specifying exact log retention periods and ISO 27001 leaving implementation details to the organization.",[16,3823,3824,3825,209],{},"For a detailed breakdown of how controls map across frameworks, see our ",[205,3826,3828],{"href":3827},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","framework mapping guide",[20,3830,3832],{"id":3831},"how-does-episki-help-with-iso-27001","How does episki help with ISO 27001?",[16,3834,3835,3836,209],{},"episki maps controls to Annex A, tracks your Statement of Applicability, and connects evidence across ISO 27001 and other frameworks. 
Learn more on our ",[205,3837,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":3839},[3840],{"id":3262,"depth":212,"text":3263,"children":3841},[3842,3843,3844,3845,3846,3847,3848,3849],{"id":3282,"depth":217,"text":3283},{"id":3309,"depth":217,"text":3310},{"id":3360,"depth":217,"text":3361},{"id":3419,"depth":217,"text":3420},{"id":3483,"depth":217,"text":3484},{"id":3521,"depth":217,"text":3522},{"id":3672,"depth":217,"text":3673},{"id":3831,"depth":217,"text":3832},{},"\u002Fglossary\u002Fiso27001",[231],[3249,235,3854,3855],"certification-body","surveillance-audit",{"title":3857,"description":3858},"What is ISO 27001? ISMS Certification Explained","ISO 27001 is the international standard for information security management systems (ISMS). Learn about certification requirements, Annex A controls, and how to prepare.","8.glossary\u002Fiso27001","9KWMfDsDTD7_JZ5rywuy0uGOWxwpgPDmm0DBaiUUC2U",{"id":3862,"title":3863,"body":3864,"description":211,"extension":224,"lastUpdated":225,"meta":4058,"navigation":227,"path":4059,"relatedFrameworks":4060,"relatedTerms":4061,"seo":4062,"slug":3248,"stem":4065,"term":3869,"__hash__":4066},"glossary\u002F8.glossary\u002Fiso-27002.md","Iso 27002",{"type":8,"value":3865,"toc":4048},[3866,3870,3873,3877,3880,3893,3896,3900,3903,3929,3933,3936,3962,3965,3969,3972,4004,4007,4011,4014,4039,4043],[11,3867,3869],{"id":3868},"what-is-iso-27002","What is ISO 27002?",[16,3871,3872],{},"ISO 27002 is an international standard that provides implementation guidance for the information security controls referenced in ISO 27001 Annex A. While ISO 27001 specifies the requirements for an ISMS and lists controls in Annex A, ISO 27002 explains how to implement each control in practice. 
It is a guidance document, not a certification standard — organizations are certified against ISO 27001, not ISO 27002.",[20,3874,3876],{"id":3875},"how-does-iso-27002-relate-to-iso-27001","How does ISO 27002 relate to ISO 27001?",[16,3878,3879],{},"ISO 27001 and ISO 27002 work together as a pair:",[28,3881,3882,3887],{},[31,3883,3884,3886],{},[34,3885,42],{}," defines the management system requirements and lists controls in Annex A with brief descriptions",[31,3888,3889,3892],{},[34,3890,3891],{},"ISO 27002"," expands on each Annex A control with detailed guidance, purpose statements, and implementation considerations",[16,3894,3895],{},"Think of ISO 27001 Annex A as the \"what\" (which controls to consider) and ISO 27002 as the \"how\" (practical guidance for implementation). When an organization is deciding how to implement a particular Annex A control, ISO 27002 is the primary reference.",[20,3897,3899],{"id":3898},"how-is-iso-270022022-structured","How is ISO 27002:2022 structured?",[16,3901,3902],{},"The 2022 revision of ISO 27002 reorganized its structure to match the updated Annex A in ISO 27001:2022:",[28,3904,3905,3911,3917,3923],{},[31,3906,3907,3910],{},[34,3908,3909],{},"Clause 5: Organizational controls"," (37 controls) — covering policies, asset management, access control, supplier relationships, and more",[31,3912,3913,3916],{},[34,3914,3915],{},"Clause 6: People controls"," (8 controls) — covering hiring, training, awareness, and termination",[31,3918,3919,3922],{},[34,3920,3921],{},"Clause 7: Physical controls"," (14 controls) — covering physical security, equipment, and environmental protection",[31,3924,3925,3928],{},[34,3926,3927],{},"Clause 8: Technological controls"," (34 controls) — covering endpoint security, access management, cryptography, network security, and secure development",[20,3930,3932],{"id":3931},"what-does-each-iso-27002-control-entry-include","What does each ISO 27002 control entry include?",[16,3934,3935],{},"For each of the 
93 controls, ISO 27002 provides:",[28,3937,3938,3944,3950,3956],{},[31,3939,3940,3943],{},[34,3941,3942],{},"Control statement"," — what the control requires",[31,3945,3946,3949],{},[34,3947,3948],{},"Purpose"," — why the control exists and what risk it addresses",[31,3951,3952,3955],{},[34,3953,3954],{},"Guidance"," — detailed recommendations for implementation",[31,3957,3958,3961],{},[34,3959,3960],{},"Other information"," — additional context, references, or considerations",[16,3963,3964],{},"This structure makes ISO 27002 a practical handbook for security teams tasked with designing and implementing controls.",[20,3966,3968],{"id":3967},"what-are-iso-27002-control-attributes","What are ISO 27002 control attributes?",[16,3970,3971],{},"ISO 27002:2022 introduced a new concept of control attributes, which allow organizations to filter and view controls from different perspectives:",[28,3973,3974,3980,3986,3992,3998],{},[31,3975,3976,3979],{},[34,3977,3978],{},"Control type"," — preventive, detective, or corrective",[31,3981,3982,3985],{},[34,3983,3984],{},"Information security properties"," — confidentiality, integrity, or availability",[31,3987,3988,3991],{},[34,3989,3990],{},"Cybersecurity concepts"," — mapped to identify, protect, detect, respond, or recover (aligned with NIST CSF)",[31,3993,3994,3997],{},[34,3995,3996],{},"Operational capabilities"," — such as governance, asset management, identity management, or threat management",[31,3999,4000,4003],{},[34,4001,4002],{},"Security domains"," — governance and ecosystem, protection, defense, or resilience",[16,4005,4006],{},"These attributes help organizations map ISO 27002 controls to other frameworks and organize their control environment by operational function.",[20,4008,4010],{"id":4009},"when-should-you-use-iso-27002","When should you use ISO 27002?",[16,4012,4013],{},"ISO 27002 is valuable in several scenarios:",[28,4015,4016,4022,4028,4033],{},[31,4017,4018,4021],{},[34,4019,4020],{},"Implementing ISO 
27001"," — as the primary reference for how to implement Annex A controls",[31,4023,4024,4027],{},[34,4025,4026],{},"Designing a security program"," — even without pursuing certification, ISO 27002 provides a comprehensive set of best practices",[31,4029,4030,4032],{},[34,4031,3320],{}," — comparing current controls against ISO 27002 guidance to identify areas for improvement",[31,4034,4035,4038],{},[34,4036,4037],{},"Cross-framework mapping"," — the control attributes facilitate mapping to SOC 2, NIST CSF, and other frameworks",[20,4040,4042],{"id":4041},"how-does-episki-help-with-iso-27002","How does episki help with ISO 27002?",[16,4044,4045,4046,209],{},"episki incorporates ISO 27002 guidance directly into its control library, providing implementation recommendations alongside each Annex A control. This helps your team understand not just what controls are needed but how to implement them effectively. Learn more on our ",[205,4047,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":4049},[4050],{"id":3868,"depth":212,"text":3869,"children":4051},[4052,4053,4054,4055,4056,4057],{"id":3875,"depth":217,"text":3876},{"id":3898,"depth":217,"text":3899},{"id":3931,"depth":217,"text":3932},{"id":3967,"depth":217,"text":3968},{"id":4009,"depth":217,"text":4010},{"id":4041,"depth":217,"text":4042},{},"\u002Fglossary\u002Fiso-27002",[231],[231,235,236,240,3249],{"title":4063,"description":4064},"What is ISO 27002? Definition & Compliance Guide","ISO 27002 provides detailed implementation guidance for the security controls listed in ISO 27001 Annex A. 
Learn how it complements your ISMS implementation.","8.glossary\u002Fiso-27002","ChRj7pOjrs_nqVHVnVVqR-k2uwPYJq5pHfejLLKm3AY",{"id":4068,"title":4069,"body":4070,"description":211,"extension":224,"lastUpdated":225,"meta":4295,"navigation":227,"path":4296,"relatedFrameworks":4297,"relatedTerms":4298,"seo":4299,"slug":1179,"stem":4302,"term":4075,"__hash__":4303},"glossary\u002F8.glossary\u002Fincident-response.md","Incident Response",{"type":8,"value":4071,"toc":4285},[4072,4076,4079,4083,4086,4091,4111,4116,4133,4138,4155,4160,4177,4181,4184,4222,4226,4248,4252,4255,4259,4276,4280],[11,4073,4075],{"id":4074},"what-is-incident-response","What is Incident Response?",[16,4077,4078],{},"Incident response (IR) is the organized approach to detecting, managing, and recovering from security incidents such as data breaches, malware infections, unauthorized access, and denial-of-service attacks. An effective incident response program minimizes damage, reduces recovery time, and preserves evidence for investigation and compliance purposes.",[20,4080,4082],{"id":4081},"what-is-the-incident-response-lifecycle","What is the incident response lifecycle?",[16,4084,4085],{},"Most incident response programs follow the NIST SP 800-61 framework, which defines four phases:",[16,4087,4088],{},[34,4089,4090],{},"1. Preparation",[28,4092,4093,4096,4099,4102,4105,4108],{},[31,4094,4095],{},"Develop and document the incident response plan",[31,4097,4098],{},"Establish the incident response team and define roles",[31,4100,4101],{},"Deploy detection and monitoring tools",[31,4103,4104],{},"Conduct training and tabletop exercises",[31,4106,4107],{},"Establish communication channels and escalation procedures",[31,4109,4110],{},"Prepare forensic tools and evidence collection procedures",[16,4112,4113],{},[34,4114,4115],{},"2. 
Detection and analysis",[28,4117,4118,4121,4124,4127,4130],{},[31,4119,4120],{},"Monitor systems for indicators of compromise (IOCs)",[31,4122,4123],{},"Triage alerts to distinguish real incidents from false positives",[31,4125,4126],{},"Determine the scope, severity, and impact of the incident",[31,4128,4129],{},"Classify the incident (data breach, malware, unauthorized access, etc.)",[31,4131,4132],{},"Document findings and initial assessment",[16,4134,4135],{},[34,4136,4137],{},"3. Containment, eradication, and recovery",[28,4139,4140,4143,4146,4149,4152],{},[31,4141,4142],{},"Contain the incident to prevent further damage (short-term and long-term containment)",[31,4144,4145],{},"Eradicate the root cause (remove malware, close vulnerabilities, revoke compromised credentials)",[31,4147,4148],{},"Recover affected systems to normal operations",[31,4150,4151],{},"Verify that systems are clean and functioning properly",[31,4153,4154],{},"Monitor for signs of recurring activity",[16,4156,4157],{},[34,4158,4159],{},"4. 
Post-incident activity",[28,4161,4162,4165,4168,4171,4174],{},[31,4163,4164],{},"Conduct a lessons-learned review",[31,4166,4167],{},"Document the incident timeline, actions taken, and outcomes",[31,4169,4170],{},"Identify improvements to prevent similar incidents",[31,4172,4173],{},"Update the incident response plan based on lessons learned",[31,4175,4176],{},"Fulfill any regulatory notification requirements",[20,4178,4180],{"id":4179},"who-should-be-on-the-incident-response-team","Who should be on the incident response team?",[16,4182,4183],{},"An incident response team typically includes:",[28,4185,4186,4192,4198,4204,4210,4216],{},[31,4187,4188,4191],{},[34,4189,4190],{},"Incident commander"," — leads the response effort and makes key decisions",[31,4193,4194,4197],{},[34,4195,4196],{},"Security analysts"," — perform technical investigation and containment",[31,4199,4200,4203],{},[34,4201,4202],{},"IT operations"," — support system recovery and infrastructure changes",[31,4205,4206,4209],{},[34,4207,4208],{},"Legal counsel"," — advise on regulatory obligations and liability",[31,4211,4212,4215],{},[34,4213,4214],{},"Communications"," — manage internal and external communications",[31,4217,4218,4221],{},[34,4219,4220],{},"Executive sponsor"," — provides management authority and resources",[20,4223,4225],{"id":4224},"how-do-compliance-frameworks-address-incident-response","How do compliance frameworks address incident response?",[28,4227,4228,4233,4238,4243],{},[31,4229,4230,4232],{},[34,4231,36],{}," — CC7.3 and CC7.4 require procedures for responding to identified security events and recovering from incidents",[31,4234,4235,4237],{},[34,4236,42],{}," — controls A.5.24 through A.5.28 address incident management planning, assessment, response, and learning",[31,4239,4240,4242],{},[34,4241,605],{}," — the Security Rule requires security incident procedures (45 CFR 164.308(a)(6)), and the Breach Notification Rule mandates notification following PHI 
breaches",[31,4244,4245,4247],{},[34,4246,54],{}," — the Respond function (RS) addresses response planning, communications, analysis, mitigation, and improvements",[20,4249,4251],{"id":4250},"what-is-an-incident-response-tabletop-exercise","What is an incident response tabletop exercise?",[16,4253,4254],{},"Regular tabletop exercises test the incident response plan in a low-pressure setting. The team walks through a hypothetical scenario, discussing decisions and actions at each stage. Tabletop exercises help identify gaps in the plan, clarify roles, and build team readiness without the stress of a real incident.",[20,4256,4258],{"id":4257},"what-are-common-pitfalls-with-incident-response","What are common pitfalls with incident response?",[28,4260,4261,4264,4267,4270,4273],{},[31,4262,4263],{},"No documented incident response plan",[31,4265,4266],{},"Team members unsure of their roles during an incident",[31,4268,4269],{},"Failure to preserve evidence for investigation",[31,4271,4272],{},"Delayed or incomplete regulatory notification",[31,4274,4275],{},"Not conducting post-incident reviews",[20,4277,4279],{"id":4278},"how-does-episki-help-with-incident-response","How does episki help with incident response?",[16,4281,4282,4283,209],{},"episki provides incident response plan templates, tracks tabletop exercises, and maintains documentation for compliance evidence. The platform includes breach notification workflows with timeline tracking to ensure regulatory deadlines are met. 
Learn more on our ",[205,4284,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":4286},[4287],{"id":4074,"depth":212,"text":4075,"children":4288},[4289,4290,4291,4292,4293,4294],{"id":4081,"depth":217,"text":4082},{"id":4179,"depth":217,"text":4180},{"id":4224,"depth":217,"text":4225},{"id":4250,"depth":217,"text":4251},{"id":4257,"depth":217,"text":4258},{"id":4278,"depth":217,"text":4279},{},"\u002Fglossary\u002Fincident-response",[982,230,231,983,985],[1183,988,1948,1425,1419],{"title":4300,"description":4301},"What is Incident Response? Definition & Compliance Guide","Incident response is the organized process of detecting, containing, and recovering from security incidents. Learn the phases, team roles, and compliance needs.","8.glossary\u002Fincident-response","3d1Zo1hC_y8Yl5qVJHyBrOH6lbXC5sqShRom8maKwxc",{"id":4305,"title":4306,"body":4307,"description":211,"extension":224,"lastUpdated":225,"meta":4413,"navigation":227,"path":4414,"relatedFrameworks":4415,"relatedTerms":4416,"seo":4417,"slug":4420,"stem":4421,"term":4312,"__hash__":4422},"glossary\u002F8.glossary\u002Fjob-separation.md","Job Separation",{"type":8,"value":4308,"toc":4404},[4309,4313,4316,4320,4323,4327,4353,4357,4374,4378,4381,4395,4399],[11,4310,4312],{"id":4311},"what-is-job-separation","What is Job Separation?",[16,4314,4315],{},"Job separation, also known as segregation of duties (SoD), is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud, error, or abuse of privilege. The principle ensures that no single individual has end-to-end control over a sensitive process.",[20,4317,4319],{"id":4318},"why-does-job-separation-matter","Why does job separation matter?",[16,4321,4322],{},"When one person controls an entire workflow — such as approving and executing financial transactions, or deploying code and managing production access — the risk of undetected mistakes or intentional misuse increases significantly. 
Segregation of duties creates natural checkpoints where different individuals must independently verify or authorize actions.",[20,4324,4326],{"id":4325},"what-are-common-examples-of-job-separation","What are common examples of job separation?",[28,4328,4329,4335,4341,4347],{},[31,4330,4331,4334],{},[34,4332,4333],{},"Financial controls"," — the person who requests a purchase should not be the same person who approves payment",[31,4336,4337,4340],{},[34,4338,4339],{},"Change management"," — developers who write code should not be the same people who approve and deploy it to production",[31,4342,4343,4346],{},[34,4344,4345],{},"User access management"," — the person who requests access should not be the one who grants it",[31,4348,4349,4352],{},[34,4350,4351],{},"Audit and review"," — internal auditors should be independent of the processes they audit",[20,4354,4356],{"id":4355},"how-do-compliance-frameworks-address-job-separation","How do compliance frameworks address job separation?",[28,4358,4359,4364,4369],{},[31,4360,4361,4363],{},[34,4362,36],{}," — CC5.2 and CC6.1 address segregation of duties as part of control activities and access controls",[31,4365,4366,4368],{},[34,4367,42],{}," — A.5.3 requires segregation of duties to reduce opportunities for unauthorized modification or misuse",[31,4370,4371,4373],{},[34,4372,48],{}," — Requirement 6.5.6 addresses separation of development, testing, and production environments",[20,4375,4377],{"id":4376},"what-compensating-controls-apply-when-job-separation-is-not-possible","What compensating controls apply when job separation is not possible?",[16,4379,4380],{},"In smaller organizations where strict separation is not always feasible, compensating controls can help:",[28,4382,4383,4386,4389,4392],{},[31,4384,4385],{},"Detailed audit logging of all actions",[31,4387,4388],{},"Regular management review of activity logs",[31,4390,4391],{},"Automated alerts for high-risk activities",[31,4393,4394],{},"Periodic access 
reviews to verify role appropriateness",[20,4396,4398],{"id":4397},"how-does-episki-help-with-job-separation","How does episki help with job separation?",[16,4400,4401,4402,209],{},"episki maps segregation of duties requirements across frameworks, tracks who has access to what, and provides evidence trails for auditors. Learn more on our ",[205,4403,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":4405},[4406],{"id":4311,"depth":212,"text":4312,"children":4407},[4408,4409,4410,4411,4412],{"id":4318,"depth":217,"text":4319},{"id":4325,"depth":217,"text":4326},{"id":4355,"depth":217,"text":4356},{"id":4376,"depth":217,"text":4377},{"id":4397,"depth":217,"text":4398},{},"\u002Fglossary\u002Fjob-separation",[230,231,984],[992,1420,240],{"title":4418,"description":4419},"What is Job Separation? Definition & Compliance Guide","Job separation (segregation of duties) is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud or error.","job-separation","8.glossary\u002Fjob-separation","NGlRTvMi7wGdE1a4aqRDvGWJqatS66pV0ZpUqXQPEGI",{"id":4424,"title":4425,"body":4426,"description":211,"extension":224,"lastUpdated":225,"meta":4958,"navigation":227,"path":4959,"relatedFrameworks":4960,"relatedTerms":4961,"seo":4962,"slug":4965,"stem":4966,"term":4431,"__hash__":4967},"glossary\u002F8.glossary\u002Fkey-management.md","Key Management",{"type":8,"value":4427,"toc":4946},[4428,4432,4435,4439,4477,4481,4484,4487,4513,4516,4520,4523,4528,4531,4557,4565,4568,4572,4575,4601,4604,4623,4626,4630,4633,4647,4650,4661,4668,4679,4683,4686,4781,4786,4813,4817,4820,4870,4874,4916,4920,4937,4941],[11,4429,4431],{"id":4430},"what-is-key-management","What is Key Management?",[16,4433,4434],{},"Key management is the process of creating, storing, distributing, rotating, and retiring cryptographic keys used to protect encrypted data. 
Effective key management ensures that encryption actually delivers the confidentiality and integrity it promises — poorly managed keys can render even strong encryption useless.",[20,4436,4438],{"id":4437},"what-are-the-stages-of-the-key-lifecycle","What are the stages of the key lifecycle?",[28,4440,4441,4447,4453,4459,4465,4471],{},[31,4442,4443,4446],{},[34,4444,4445],{},"Generation"," — creating keys using cryptographically secure methods with appropriate key lengths",[31,4448,4449,4452],{},[34,4450,4451],{},"Distribution"," — securely delivering keys to authorized systems or users",[31,4454,4455,4458],{},[34,4456,4457],{},"Storage"," — protecting keys at rest using hardware security modules (HSMs), key vaults, or other secure storage",[31,4460,4461,4464],{},[34,4462,4463],{},"Rotation"," — periodically replacing keys to limit the impact of a potential compromise",[31,4466,4467,4470],{},[34,4468,4469],{},"Revocation"," — disabling keys that are no longer trusted or have been compromised",[31,4472,4473,4476],{},[34,4474,4475],{},"Destruction"," — securely deleting keys that are no longer needed, ensuring they cannot be recovered",[20,4478,4480],{"id":4479},"why-does-key-management-matter-for-security","Why does key management matter for security?",[16,4482,4483],{},"Encryption is only as strong as the key management behind it. A 256-bit AES key offers no protection if it's stored in the same database as the data it encrypts — an attacker who compromises the database gets both the ciphertext and the key to decrypt it. 
This is not a theoretical concern; it's one of the most common encryption failures found in penetration tests and compliance assessments.",[16,4485,4486],{},"Key management failures create several categories of risk:",[28,4488,4489,4495,4501,4507],{},[31,4490,4491,4494],{},[34,4492,4493],{},"Exposure of historical data"," — Without regular key rotation, a single key compromise exposes every record encrypted with that key, potentially spanning years of sensitive data. Rotating keys limits the blast radius of any individual compromise.",[31,4496,4497,4500],{},[34,4498,4499],{},"Insider threats"," — If one administrator holds all key material with no split knowledge or dual control, that person can access every encrypted record in the organization. Proper key management distributes trust across multiple individuals.",[31,4502,4503,4506],{},[34,4504,4505],{},"Compliance failures"," — Auditors don't just check that encryption is enabled. They verify that keys are managed according to documented procedures, rotated on schedule, and protected with controls proportional to the sensitivity of the data they protect.",[31,4508,4509,4512],{},[34,4510,4511],{},"Incident response gaps"," — Organizations that lack documented key management procedures often cannot determine which data was exposed during a breach, which keys need emergency rotation, or how to restore encrypted backups after a key custodian leaves the company.",[16,4514,4515],{},"The bottom line: encryption without proper key management is security theater. It checks a box on a checklist without actually reducing risk. 
Organizations that invest in strong encryption algorithms but neglect key management are protecting data with a lock and then leaving the key under the doormat.",[20,4517,4519],{"id":4518},"what-are-common-key-management-architectures","What are common key management architectures?",[16,4521,4522],{},"There are three primary approaches to key management, each suited to different risk profiles, compliance requirements, and operational maturity levels. The right choice depends on what data you're protecting, which frameworks you're subject to, and how much operational complexity you can absorb.",[4524,4525,4527],"h4",{"id":4526},"cloud-kms","Cloud KMS",[16,4529,4530],{},"Cloud key management services — including AWS KMS, Azure Key Vault, and GCP Cloud KMS — are the most common starting point for organizations running workloads in the cloud. These services provide:",[28,4532,4533,4539,4545,4551],{},[31,4534,4535,4538],{},[34,4536,4537],{},"Envelope encryption"," — Data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) managed by the cloud provider. This limits the number of calls to the KMS while keeping the master key material protected.",[31,4540,4541,4544],{},[34,4542,4543],{},"Customer-managed keys (CMK)"," — You control key rotation schedules, access policies, and deletion. The cloud provider manages the underlying infrastructure but cannot use the key without your authorization.",[31,4546,4547,4550],{},[34,4548,4549],{},"Provider-managed keys"," — The cloud provider handles all key management automatically. Simpler to operate, but offers less control and may not satisfy compliance requirements that mandate customer-controlled keys.",[31,4552,4553,4556],{},[34,4554,4555],{},"Bring Your Own Key (BYOK)"," — You generate keys in your own environment (often an on-premises HSM) and import them into the cloud KMS. 
This satisfies requirements for key generation in a controlled environment while still leveraging cloud-native encryption integration.",[16,4558,4559,4560,2038,4562,4564],{},"Cloud KMS is appropriate for most SaaS applications, internal systems, and workloads where the cloud provider is already part of the trust boundary. For organizations subject to ",[205,4561,48],{"href":618},[205,4563,36],{"href":405},", cloud KMS with customer-managed keys typically satisfies key management requirements when combined with proper access policies and rotation schedules.",[16,4566,4567],{},"Most cloud KMS services also provide detailed audit logs of every key operation, which simplifies compliance evidence collection during assessments.",[4524,4569,4571],{"id":4570},"hardware-security-modules-hsms","Hardware Security Modules (HSMs)",[16,4573,4574],{},"HSMs are dedicated hardware devices designed to generate, store, and manage cryptographic keys in a tamper-resistant environment. They are validated against FIPS 140-2 or FIPS 140-3 standards at various levels:",[28,4576,4577,4583,4589,4595],{},[31,4578,4579,4582],{},[34,4580,4581],{},"Level 1"," — Basic security requirements, no physical tamper resistance",[31,4584,4585,4588],{},[34,4586,4587],{},"Level 2"," — Tamper-evident coatings or seals, role-based authentication",[31,4590,4591,4594],{},[34,4592,4593],{},"Level 3"," — Tamper-resistant with active response mechanisms (e.g., zeroization of keys upon detection of physical intrusion)",[31,4596,4597,4600],{},[34,4598,4599],{},"Level 4"," — Full physical security envelope with environmental failure protection",[16,4602,4603],{},"HSMs are required or strongly recommended in several contexts:",[28,4605,4606,4611,4617],{},[31,4607,4608,4610],{},[34,4609,48],{}," — Strongly recommended for protecting cardholder data encryption keys, and effectively required for PIN-based transaction processing",[31,4612,4613,4616],{},[34,4614,4615],{},"Government and defense"," — CMMC, FedRAMP, and 
similar frameworks often require FIPS 140-2 Level 3 or higher for cryptographic key storage",[31,4618,4619,4622],{},[34,4620,4621],{},"Certificate authorities"," — Root and intermediate CA private keys must be stored in HSMs per industry standards",[16,4624,4625],{},"Cloud-based HSM options (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM) provide FIPS 140-2 Level 3 validated hardware in cloud data centers, bridging the gap between on-premises HSM security and cloud operational convenience.",[4524,4627,4629],{"id":4628},"software-based-key-stores","Software-based key stores",[16,4631,4632],{},"Software-based solutions like HashiCorp Vault, CyberArk Conjur, or application-level key management provide flexibility without dedicated hardware. These tools offer:",[28,4634,4635,4638,4641,4644],{},[31,4636,4637],{},"Centralized secret and key management across multiple applications and environments",[31,4639,4640],{},"Dynamic secrets that are generated on demand and automatically revoked after use",[31,4642,4643],{},"Audit logging of all key access and operations",[31,4645,4646],{},"Integration with identity providers for policy-based access control",[16,4648,4649],{},"Software key stores are appropriate when:",[28,4651,4652,4655,4658],{},[31,4653,4654],{},"Compliance requirements do not mandate HSMs",[31,4656,4657],{},"You need to manage secrets and keys across hybrid or multi-cloud environments",[31,4659,4660],{},"Your threat model does not include sophisticated physical or hardware-level attacks",[16,4662,4663,4664,4667],{},"They are ",[34,4665,4666],{},"not"," appropriate when:",[28,4669,4670,4673,4676],{},[31,4671,4672],{},"Regulations explicitly require hardware-based key protection (e.g., PCI PIN security, certain government classifications)",[31,4674,4675],{},"Your risk assessment identifies nation-state or advanced persistent threats targeting cryptographic material",[31,4677,4678],{},"You need to provide cryptographic proof that keys have never been exposed to 
software",[20,4680,4682],{"id":4681},"what-are-the-key-management-requirements","What are the key management requirements?",[16,4684,4685],{},"Different compliance frameworks impose different key management requirements. Understanding these differences is critical when an organization is subject to multiple frameworks simultaneously — which is increasingly common. The following table provides a practical comparison across five major frameworks:",[743,4687,4688,4705],{},[746,4689,4690],{},[749,4691,4692,4694,4696,4698,4700,4702],{},[752,4693,754],{},[752,4695,48],{},[752,4697,42],{},[752,4699,605],{},[752,4701,36],{},[752,4703,4704],{},"CMMC",[766,4706,4707,4725,4744,4763],{},[749,4708,4709,4712,4715,4718,4720,4722],{},[771,4710,4711],{},"Documented key management procedures",[771,4713,4714],{},"Req 3.6",[771,4716,4717],{},"A.8.24",[771,4719,801],{},[771,4721,776],{},[771,4723,4724],{},"SC.L2-3.13.10",[749,4726,4727,4730,4733,4736,4739,4741],{},[771,4728,4729],{},"Key rotation schedule",[771,4731,4732],{},"Annual minimum",[771,4734,4735],{},"Risk-based",[771,4737,4738],{},"Not specified",[771,4740,4735],{},[771,4742,4743],{},"Per NIST 800-171",[749,4745,4746,4749,4752,4755,4757,4760],{},[771,4747,4748],{},"Split knowledge \u002F dual control",[771,4750,4751],{},"Required for manual keys",[771,4753,4754],{},"Recommended",[771,4756,4738],{},[771,4758,4759],{},"Expected",[771,4761,4762],{},"Required",[749,4764,4765,4768,4771,4773,4776,4778],{},[771,4766,4767],{},"HSM or equivalent",[771,4769,4770],{},"Strongly recommended",[771,4772,4735],{},[771,4774,4775],{},"Not required",[771,4777,4735],{},[771,4779,4780],{},"Varies by level",[16,4782,4783],{},[34,4784,4785],{},"Reading this table:",[28,4787,4788,4793,4798,4803,4808],{},[31,4789,4790,4792],{},[34,4791,48],{}," is the most prescriptive. Requirement 3.6 specifies exactly what key management procedures must include, from key generation through destruction. 
Annual key rotation is a minimum baseline, and split knowledge\u002Fdual control is mandatory whenever keys are managed manually.",[31,4794,4795,4797],{},[34,4796,42],{}," takes a risk-based approach. Annex A control A.8.24 requires a policy on the use of cryptographic controls including key management, but the specific controls depend on your risk assessment and Statement of Applicability.",[31,4799,4800,4802],{},[34,4801,605],{}," is the least prescriptive on key management specifically. Encryption of ePHI is an \"addressable\" implementation specification, meaning organizations must implement it or document why an equivalent alternative is appropriate. Key management requirements follow from the encryption decision.",[31,4804,4805,4807],{},[34,4806,36],{}," addresses key management through the Common Criteria, particularly CC6.1 (logical access) and CC6.7 (data transmission). The specific expectations depend on the trust services criteria in scope and the auditor's interpretation.",[31,4809,4810,4812],{},[34,4811,4704],{}," references NIST SP 800-171 for key management requirements. At Level 2, control SC.L2-3.13.10 requires establishing and managing cryptographic keys when cryptography is employed. Higher levels add additional requirements.",[20,4814,4816],{"id":4815},"what-are-common-key-management-mistakes","What are common key management mistakes?",[16,4818,4819],{},"Even organizations with mature security programs make key management errors. These mistakes are found repeatedly in audit findings, penetration test reports, and breach post-mortems. The most frequent include:",[28,4821,4822,4828,4834,4840,4846,4852,4858,4864],{},[31,4823,4824,4827],{},[34,4825,4826],{},"Storing keys alongside encrypted data"," — Placing encryption keys in the same database, file system, or backup as the data they protect. If an attacker gains access to the data store, they get the keys too. 
Keys must be stored in a separate system with independent access controls.",[31,4829,4830,4833],{},[34,4831,4832],{},"Hardcoding keys in source code"," — Embedding encryption keys, API keys, or other secrets directly in application code. These keys end up in version control history, CI\u002FCD logs, and developer laptops. Use a secrets manager or environment variable injection instead.",[31,4835,4836,4839],{},[34,4837,4838],{},"No key rotation policy"," — Using the same encryption keys indefinitely. Without rotation, a single compromise exposes all data ever encrypted with that key. Define rotation schedules based on data sensitivity and framework requirements.",[31,4841,4842,4845],{},[34,4843,4844],{},"Single person with all key access"," — Concentrating key custody in one individual with no split knowledge or dual control. This creates both a security risk (insider threat) and an operational risk (key unavailability if that person is unreachable).",[31,4847,4848,4851],{},[34,4849,4850],{},"No documented recovery procedures"," — Failing to plan for key loss, corruption, or custodian departure. Organizations discover this gap during an incident, when they cannot decrypt backups or rotate compromised keys because the procedure was never written down or tested.",[31,4853,4854,4857],{},[34,4855,4856],{},"Using weak or predictable key generation"," — Generating keys with insufficient entropy, predictable seeds, or non-cryptographic random number generators. Always use cryptographically secure random number generators (CSPRNGs) and key lengths appropriate for the algorithm and data sensitivity.",[31,4859,4860,4863],{},[34,4861,4862],{},"Ignoring key state tracking"," — Not maintaining an inventory of which keys are active, retired, or compromised. 
Without a key inventory, organizations cannot answer basic questions during an audit or incident: how many keys exist, who has access, and when they were last rotated.",[31,4865,4866,4869],{},[34,4867,4868],{},"Failing to test key recovery"," — Having a documented recovery procedure that has never been exercised. Recovery procedures degrade over time as infrastructure changes, personnel rotate, and backup systems are modified. Regular testing is the only way to ensure recovery will work when it matters.",[20,4871,4873],{"id":4872},"how-do-compliance-frameworks-address-key-management","How do compliance frameworks address key management?",[28,4875,4876,4887,4896,4906],{},[31,4877,4878,4882,4883],{},[34,4879,4880],{},[205,4881,48],{"href":618}," — Requirements 3.5 and 3.6 detail specific key management procedures for protecting ",[205,4884,4886],{"href":4885},"\u002Fglossary\u002Fpan","cardholder data (PAN)",[31,4888,4889,592,4893,4895],{},[34,4890,4891],{},[205,4892,42],{"href":591},[205,4894,596],{"href":595}," control A.8.24 covers the use of cryptography including key management policies",[31,4897,4898,4902,4903,4905],{},[34,4899,4900],{},[205,4901,605],{"href":604}," — the Security Rule requires ",[205,4904,933],{"href":932}," of ePHI, which implies proper key management",[31,4907,4908,4912,4913],{},[34,4909,4910],{},[205,4911,36],{"href":405}," — CC6.1 and CC6.7 address encryption and key management as part of logical ",[205,4914,4915],{"href":980},"access controls",[20,4917,4919],{"id":4918},"what-are-best-practices-for-key-management","What are best practices for key management?",[28,4921,4922,4925,4928,4931,4934],{},[31,4923,4924],{},"Use hardware security modules (HSMs) or cloud key management services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than storing keys in application code or configuration files",[31,4926,4927],{},"Enforce separation of duties so that key custodians cannot access the data those keys protect",[31,4929,4930],{},"Document key 
rotation schedules and automate rotation where possible",[31,4932,4933],{},"Maintain an inventory of all cryptographic keys, their owners, and their expiration dates",[31,4935,4936],{},"Test key recovery procedures regularly",[20,4938,4940],{"id":4939},"how-does-episki-help-with-key-management","How does episki help with key management?",[16,4942,4943,4944,209],{},"episki tracks key management policies, links them to encryption controls, and monitors rotation schedules to ensure cryptographic practices stay compliant. Learn more on our ",[205,4945,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":4947},[4948],{"id":4430,"depth":212,"text":4431,"children":4949},[4950,4951,4952,4953,4954,4955,4956,4957],{"id":4437,"depth":217,"text":4438},{"id":4479,"depth":217,"text":4480},{"id":4518,"depth":217,"text":4519},{"id":4681,"depth":217,"text":4682},{"id":4815,"depth":217,"text":4816},{"id":4872,"depth":217,"text":4873},{"id":4918,"depth":217,"text":4919},{"id":4939,"depth":217,"text":4940},{},"\u002Fglossary\u002Fkey-management",[982,230,231,984,983],[933,2180,992],{"title":4963,"description":4964},"Key Management: What It Is & Why Compliance Requires It","Key management covers creating, storing, rotating, and retiring cryptographic keys. 
Learn requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","key-management","8.glossary\u002Fkey-management","1dvRJIXp6Ctc7SOVhg5O-XyVT22CTyhIb0o8RWTqqng",{"id":4969,"title":4970,"body":4971,"description":211,"extension":224,"lastUpdated":225,"meta":5085,"navigation":227,"path":5086,"relatedFrameworks":5087,"relatedTerms":5088,"seo":5089,"slug":5092,"stem":5093,"term":4976,"__hash__":5094},"glossary\u002F8.glossary\u002Fleast-privilege.md","Least Privilege",{"type":8,"value":4972,"toc":5077},[4973,4977,4980,4984,4987,5001,5005,5037,5041,5068,5072],[11,4974,4976],{"id":4975},"what-is-least-privilege","What is Least Privilege?",[16,4978,4979],{},"Least privilege is a security principle that limits user, application, and system access to only the resources and permissions necessary to perform a specific function — nothing more. By minimizing the access footprint, organizations reduce the potential damage from compromised accounts, insider threats, and accidental misuse.",[20,4981,4983],{"id":4982},"why-does-least-privilege-matter","Why does least privilege matter?",[16,4985,4986],{},"Excessive permissions are one of the most common security weaknesses. 
When users have more access than they need:",[28,4988,4989,4992,4995,4998],{},[31,4990,4991],{},"A compromised account gives attackers a wider attack surface",[31,4993,4994],{},"Accidental changes to sensitive systems become more likely",[31,4996,4997],{},"Insider threats are harder to detect and contain",[31,4999,5000],{},"Audit findings for excessive access are common compliance gaps",[20,5002,5004],{"id":5003},"how-do-you-implement-least-privilege","How do you implement least privilege?",[28,5006,5007,5013,5019,5025,5031],{},[31,5008,5009,5012],{},[34,5010,5011],{},"Start with zero access"," — new accounts should have no permissions by default, with access granted based on documented role requirements",[31,5014,5015,5018],{},[34,5016,5017],{},"Use role-based access control (RBAC)"," — define roles with specific permission sets rather than assigning permissions individually",[31,5020,5021,5024],{},[34,5022,5023],{},"Conduct regular access reviews"," — quarterly reviews of user permissions help identify and remove access that is no longer needed",[31,5026,5027,5030],{},[34,5028,5029],{},"Remove access promptly"," — revoke permissions immediately when employees change roles or leave the organization",[31,5032,5033,5036],{},[34,5034,5035],{},"Apply to systems and applications too"," — service accounts, APIs, and automated processes should also follow least privilege",[20,5038,5040],{"id":5039},"how-do-compliance-frameworks-address-least-privilege","How do compliance frameworks address least privilege?",[28,5042,5043,5048,5053,5058,5063],{},[31,5044,5045,5047],{},[34,5046,36],{}," — CC6.1 through CC6.3 require logical access controls based on least privilege",[31,5049,5050,5052],{},[34,5051,42],{}," — A.5.15 (access control) and A.8.2 (privileged access rights) explicitly reference least privilege",[31,5054,5055,5057],{},[34,5056,605],{}," — the minimum necessary standard (45 CFR 164.502(b)) is the healthcare equivalent of least 
privilege",[31,5059,5060,5062],{},[34,5061,48],{}," — Requirement 7 restricts access to cardholder data on a need-to-know basis",[31,5064,5065,5067],{},[34,5066,54],{}," — PR.AC-4 addresses access permissions based on least privilege",[20,5069,5071],{"id":5070},"how-does-episki-help-with-least-privilege","How does episki help with least privilege?",[16,5073,5074,5075,209],{},"episki tracks access control policies, schedules periodic access reviews, and documents evidence of least privilege enforcement for auditors. Learn more on our ",[205,5076,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":5078},[5079],{"id":4975,"depth":212,"text":4976,"children":5080},[5081,5082,5083,5084],{"id":4982,"depth":217,"text":4983},{"id":5003,"depth":217,"text":5004},{"id":5039,"depth":217,"text":5040},{"id":5070,"depth":217,"text":5071},{},"\u002Fglossary\u002Fleast-privilege",[982,230,231,983,984,985],[992,4420,426],{"title":5090,"description":5091},"What is Least Privilege? Definition & Compliance Guide","Least privilege is a security principle that limits user access to only what they need to perform their job — nothing more.","least-privilege","8.glossary\u002Fleast-privilege","BuEghGm4HKbs1Es9DQ4mpHlellA4mL_s5KedD9Qs9_s",{"id":5096,"title":5097,"body":5098,"description":211,"extension":224,"lastUpdated":225,"meta":5614,"navigation":227,"path":5615,"relatedFrameworks":5616,"relatedTerms":5617,"seo":5618,"slug":5621,"stem":5622,"term":5103,"__hash__":5623},"glossary\u002F8.glossary\u002Flog-management.md","Log Management",{"type":8,"value":5099,"toc":5602},[5100,5104,5107,5111,5114,5152,5156,5159,5163,5166,5204,5208,5211,5243,5247,5250,5276,5280,5283,5309,5313,5316,5382,5385,5389,5392,5396,5410,5414,5428,5432,5446,5450,5464,5468,5490,5494,5497,5541,5545,5572,5576,5593,5597],[11,5101,5103],{"id":5102},"what-is-log-management","What is Log Management?",[16,5105,5106],{},"Log management is the process of collecting, storing, analyzing, and retaining system 
activity records to detect security incidents, troubleshoot issues, and support compliance audits. Logs provide a chronological record of events across servers, applications, network devices, and security tools.",[20,5108,5110],{"id":5109},"what-gets-logged-in-a-log-management-program","What gets logged in a log management program?",[16,5112,5113],{},"Effective log management covers:",[28,5115,5116,5122,5128,5134,5140,5146],{},[31,5117,5118,5121],{},[34,5119,5120],{},"Authentication events"," — successful and failed login attempts, password changes, MFA challenges",[31,5123,5124,5127],{},[34,5125,5126],{},"Authorization events"," — access grants, denials, privilege escalations",[31,5129,5130,5133],{},[34,5131,5132],{},"System events"," — configuration changes, service starts and stops, errors",[31,5135,5136,5139],{},[34,5137,5138],{},"Network events"," — firewall decisions, DNS queries, connection attempts",[31,5141,5142,5145],{},[34,5143,5144],{},"Application events"," — user actions, API calls, data access patterns",[31,5147,5148,5151],{},[34,5149,5150],{},"Security events"," — malware detections, vulnerability scan results, intrusion alerts",[20,5153,5155],{"id":5154},"what-is-log-management-architecture","What is log management architecture?",[16,5157,5158],{},"A mature log management program combines multiple components into a pipeline that moves raw event data from source to searchable, retained storage.",[4524,5160,5162],{"id":5161},"log-sources","Log sources",[16,5164,5165],{},"Logs originate from every layer of the technology stack:",[28,5167,5168,5174,5180,5186,5192,5198],{},[31,5169,5170,5173],{},[34,5171,5172],{},"Servers and operating systems"," — Linux auth logs, Windows Event Log, macOS Unified Log",[31,5175,5176,5179],{},[34,5177,5178],{},"Cloud platforms"," — AWS CloudTrail, Azure Activity Log, GCP Admin Activity audit logs",[31,5181,5182,5185],{},[34,5183,5184],{},"SaaS applications"," — Microsoft 365 Unified Audit Log, Google Workspace audit 
logs, Salesforce event monitoring",[31,5187,5188,5191],{},[34,5189,5190],{},"Endpoints"," — EDR telemetry, local application logs, mobile device management events",[31,5193,5194,5197],{},[34,5195,5196],{},"Network devices"," — firewalls, routers, switches, load balancers, VPN concentrators",[31,5199,5200,5203],{},[34,5201,5202],{},"Security tools"," — IDS\u002FIPS alerts, vulnerability scanners, DLP engines, email gateways",[4524,5205,5207],{"id":5206},"collection-methods","Collection methods",[16,5209,5210],{},"Getting logs from source to a central platform requires reliable collection mechanisms:",[28,5212,5213,5219,5225,5231,5237],{},[31,5214,5215,5218],{},[34,5216,5217],{},"Agents"," — lightweight forwarders installed on hosts (Fluentd, Filebeat, NXLog, Splunk Universal Forwarder) that ship logs in near real time",[31,5220,5221,5224],{},[34,5222,5223],{},"Syslog"," — the legacy standard (RFC 5424) still widely used by network devices; syslog-ng and rsyslog add filtering and reliable delivery",[31,5226,5227,5230],{},[34,5228,5229],{},"API polling"," — scheduled calls to SaaS and cloud provider APIs to pull audit logs (e.g., Microsoft Graph API, AWS CloudTrail Lake queries)",[31,5232,5233,5236],{},[34,5234,5235],{},"Cloud-native streams"," — managed pipelines like AWS Kinesis Data Firehose, Azure Event Hubs, or GCP Pub\u002FSub that deliver logs without managing agents",[31,5238,5239,5242],{},[34,5240,5241],{},"Webhooks"," — event-driven push from SaaS applications that support real-time notification (Slack audit API, GitHub audit log streaming)",[4524,5244,5246],{"id":5245},"centralization","Centralization",[16,5248,5249],{},"Logs are only useful when they are searchable in one place:",[28,5251,5252,5258,5264,5270],{},[31,5253,5254,5257],{},[34,5255,5256],{},"Commercial SIEM"," — Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar provide correlation, detection rules, and case management",[31,5259,5260,5263],{},[34,5261,5262],{},"Cloud-native logging"," — 
AWS CloudWatch Logs, Azure Monitor, Google Cloud Logging offer tight integration with their respective platforms",[31,5265,5266,5269],{},[34,5267,5268],{},"Open-source stacks"," — the Elastic Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, and OpenSearch provide cost-effective alternatives with community-driven detection content",[31,5271,5272,5275],{},[34,5273,5274],{},"Security data lakes"," — Snowflake, Amazon Security Lake, and similar platforms store massive volumes at low cost using the Open Cybersecurity Schema Framework (OCSF) for normalization",[4524,5277,5279],{"id":5278},"storage-tiers","Storage tiers",[16,5281,5282],{},"Log storage strategies balance search speed against cost and compliance retention:",[28,5284,5285,5291,5297,5303],{},[31,5286,5287,5290],{},[34,5288,5289],{},"Hot storage"," — fully indexed, real-time searchable data for active investigations and alerting (typically 30–90 days)",[31,5292,5293,5296],{},[34,5294,5295],{},"Warm storage"," — recent history available for on-demand search with slightly slower query times (typically 90 days to 12 months)",[31,5298,5299,5302],{},[34,5300,5301],{},"Cold storage"," — compressed, archived logs in object storage (S3, Azure Blob, GCS) retained for compliance and forensic purposes (1–7 years depending on framework requirements)",[31,5304,5305,5308],{},[34,5306,5307],{},"Immutable storage"," — write-once, read-many storage that prevents tampering, critical for audit trail integrity and legal hold requirements",[20,5310,5312],{"id":5311},"what-are-the-log-retention-requirements","What are the log retention requirements?",[16,5314,5315],{},"Different compliance frameworks set varying expectations for how long logs must be kept. 
The table below summarizes key requirements:",[743,5317,5318,5331],{},[746,5319,5320],{},[749,5321,5322,5325,5328],{},[752,5323,5324],{},"Framework",[752,5326,5327],{},"Minimum retention",[752,5329,5330],{},"Key requirements",[766,5332,5333,5343,5353,5362,5372],{},[749,5334,5335,5337,5340],{},[771,5336,48],{},[771,5338,5339],{},"12 months (3 months immediately available)",[771,5341,5342],{},"Req 10.7 — retain audit trail history",[749,5344,5345,5347,5350],{},[771,5346,36],{},[771,5348,5349],{},"Based on risk assessment",[771,5351,5352],{},"CC7.2 — monitor system components",[749,5354,5355,5357,5359],{},[771,5356,42],{},[771,5358,5349],{},[771,5360,5361],{},"A.8.15 — log retention policy required",[749,5363,5364,5366,5369],{},[771,5365,605],{},[771,5367,5368],{},"6 years for policies; log retention not specified but implied",[771,5370,5371],{},"Audit controls for ePHI access",[749,5373,5374,5376,5379],{},[771,5375,54],{},[771,5377,5378],{},"Based on organizational needs",[771,5380,5381],{},"DE.CM — continuous monitoring",[16,5383,5384],{},"Organizations subject to multiple frameworks should align retention to the most stringent requirement. For most companies handling payment card data alongside health information, a 12-month hot\u002Fwarm retention period with 6-year cold archival provides adequate coverage.",[20,5386,5388],{"id":5387},"what-should-you-alert-on-in-log-management","What should you alert on in log management?",[16,5390,5391],{},"Collecting logs without monitoring them defeats the purpose. 
Effective alerting focuses on high-fidelity signals across several categories:",[4524,5393,5395],{"id":5394},"authentication-anomalies","Authentication anomalies",[28,5397,5398,5401,5404,5407],{},[31,5399,5400],{},"Brute-force attempts — multiple failed logins against the same account within a short window",[31,5402,5403],{},"Impossible travel — successful logins from geographically distant locations within an implausible time frame",[31,5405,5406],{},"New device or location — first-time access from an unrecognized device, IP range, or country",[31,5408,5409],{},"Credential stuffing patterns — failed logins across many accounts from a small set of source IPs",[4524,5411,5413],{"id":5412},"privilege-escalation","Privilege escalation",[28,5415,5416,5419,5422,5425],{},[31,5417,5418],{},"Sudo or run-as usage outside of expected maintenance windows",[31,5420,5421],{},"Admin role assignments or membership changes in identity providers (Azure AD, Okta, Google Workspace)",[31,5423,5424],{},"Permission changes on sensitive resources — S3 bucket policies, database grants, file share ACLs",[31,5426,5427],{},"Service account creation or key generation",[4524,5429,5431],{"id":5430},"data-exfiltration-signals","Data exfiltration signals",[28,5433,5434,5437,5440,5443],{},[31,5435,5436],{},"Unusual download volumes — user downloading significantly more data than their baseline",[31,5438,5439],{},"Access outside business hours — especially to sensitive repositories, databases, or file shares",[31,5441,5442],{},"Mass file access — sequential reads across large numbers of records in short succession",[31,5444,5445],{},"Outbound data transfers to uncommon destinations — cloud storage services, personal email, file-sharing sites",[4524,5447,5449],{"id":5448},"configuration-changes","Configuration changes",[28,5451,5452,5455,5458,5461],{},[31,5453,5454],{},"Firewall rule modifications — new allow rules, disabled security groups, removed deny entries",[31,5456,5457],{},"Security group 
changes in cloud environments — opening ports, widening IP ranges",[31,5459,5460],{},"IAM policy changes — new inline policies, permission boundary modifications, role trust policy updates",[31,5462,5463],{},"DNS changes — new records, zone transfers, nameserver modifications",[4524,5465,5467],{"id":5466},"compliance-specific-events","Compliance-specific events",[28,5469,5470,5478,5484,5487],{},[31,5471,5472,5473,5477],{},"Access to ",[205,5474,5476],{"href":5475},"\u002Fglossary\u002Fpci-dss","cardholder data"," environments — any read, write, or copy operation",[31,5479,5480,5481,5483],{},"PHI access in ",[205,5482,605],{"href":3089},"-regulated systems — views, exports, or modifications of protected health information",[31,5485,5486],{},"Encryption key operations — key creation, rotation, deletion, or export",[31,5488,5489],{},"Audit log access or modification attempts — anyone trying to read, delete, or alter the logs themselves",[20,5491,5493],{"id":5492},"what-are-common-log-management-mistakes","What are common log management mistakes?",[16,5495,5496],{},"Even organizations that invest in logging often fall into patterns that undermine the value of their program:",[155,5498,5499,5505,5511,5517,5523,5529,5535],{},[31,5500,5501,5504],{},[34,5502,5503],{},"Logging too much"," — capturing every debug-level event creates massive storage costs and drowns analysts in noise. Focus on security-relevant events and tune verbosity by source.",[31,5506,5507,5510],{},[34,5508,5509],{},"Logging too little"," — the opposite problem is equally dangerous. Missing authentication events, not capturing cloud control plane activity, or skipping DNS logs leaves blind spots that attackers exploit.",[31,5512,5513,5516],{},[34,5514,5515],{},"Not protecting log integrity"," — if an attacker can delete or modify logs, they can cover their tracks. 
Logs should be forwarded to a separate system with immutable storage, and access to log management platforms should be tightly controlled.",[31,5518,5519,5522],{},[34,5520,5521],{},"No correlation across sources"," — reviewing logs from individual systems in isolation misses the bigger picture. A failed VPN login followed by a successful cloud console login from the same IP tells a story that neither log tells alone.",[31,5524,5525,5528],{},[34,5526,5527],{},"Alert fatigue from untuned rules"," — deploying default SIEM detection rules without tuning them to the environment generates hundreds of false positives per day. Analysts stop investigating, and real incidents get buried.",[31,5530,5531,5534],{},[34,5532,5533],{},"Not testing log pipeline reliability"," — log collection silently fails more often than most teams realize. Agents crash, API tokens expire, syslog forwarding breaks after a network change. Regularly validate that expected log sources are still delivering data.",[31,5536,5537,5540],{},[34,5538,5539],{},"Ignoring time synchronization"," — logs from systems with drifting clocks are nearly impossible to correlate during incident response. 
Enforce NTP across all log sources and normalize timestamps to UTC.",[20,5542,5544],{"id":5543},"how-do-compliance-frameworks-address-log-management","How do compliance frameworks address log management?",[28,5546,5547,5552,5557,5562,5567],{},[31,5548,5549,5551],{},[34,5550,36],{}," — CC7.1 through CC7.4 require monitoring, detection, and response capabilities that depend on logging",[31,5553,5554,5556],{},[34,5555,42],{}," — A.8.15 (logging) and A.8.16 (monitoring activities) address log collection and analysis",[31,5558,5559,5561],{},[34,5560,605],{}," — the Security Rule requires audit controls to record and examine activity in systems containing ePHI",[31,5563,5564,5566],{},[34,5565,48],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[31,5568,5569,5571],{},[34,5570,54],{}," — DE.CM (continuous monitoring) and DE.AE (anomaly detection) rely on log data",[20,5573,5575],{"id":5574},"what-are-best-practices-for-log-management","What are best practices for log management?",[28,5577,5578,5581,5584,5587,5590],{},[31,5579,5580],{},"Centralize logs in a SIEM or log aggregation platform for correlation and analysis",[31,5582,5583],{},"Set retention periods that meet both compliance requirements and operational needs (typically 90 days to one year)",[31,5585,5586],{},"Protect log integrity with immutable storage or tamper-evident mechanisms",[31,5588,5589],{},"Establish alerting rules for high-risk events like failed authentication spikes or unauthorized access attempts",[31,5591,5592],{},"Regularly review and tune logging to ensure coverage without excessive noise",[20,5594,5596],{"id":5595},"how-does-episki-help-with-log-management","How does episki help with log management?",[16,5598,5599,5600,209],{},"episki documents log management policies, tracks retention schedules, and links logging controls to evidence for audit readiness. 
Learn more on our ",[205,5601,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":5603},[5604],{"id":5102,"depth":212,"text":5103,"children":5605},[5606,5607,5608,5609,5610,5611,5612,5613],{"id":5109,"depth":217,"text":5110},{"id":5154,"depth":217,"text":5155},{"id":5311,"depth":217,"text":5312},{"id":5387,"depth":217,"text":5388},{"id":5492,"depth":217,"text":5493},{"id":5543,"depth":217,"text":5544},{"id":5574,"depth":217,"text":5575},{"id":5595,"depth":217,"text":5596},{},"\u002Fglossary\u002Flog-management",[982,230,231,983,984,985],[988,1952,1179],{"title":5619,"description":5620},"What is Log Management? Definition & Compliance Guide","Log management is the process of collecting, storing, and analyzing system activity records to detect security incidents and support compliance audits.","log-management","8.glossary\u002Flog-management","B9IH1ixHXCqDKqAdQBwGDpwLFnfLwuxW5KyltQCbFmk",{"id":5625,"title":5626,"body":5627,"description":211,"extension":224,"lastUpdated":225,"meta":5745,"navigation":227,"path":5746,"relatedFrameworks":5747,"relatedTerms":5748,"seo":5750,"slug":5753,"stem":5754,"term":5632,"__hash__":5755},"glossary\u002F8.glossary\u002Fmalware.md","Malware",{"type":8,"value":5628,"toc":5737},[5629,5633,5636,5640,5678,5682,5704,5708,5728,5732],[11,5630,5632],{"id":5631},"what-is-malware","What is Malware?",[16,5634,5635],{},"Malware (malicious software) is any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or data. 
Malware is one of the most persistent threats organizations face and a primary driver behind many compliance requirements for endpoint protection and monitoring.",[20,5637,5639],{"id":5638},"what-are-the-types-of-malware","What are the types of malware?",[28,5641,5642,5648,5654,5660,5666,5672],{},[31,5643,5644,5647],{},[34,5645,5646],{},"Viruses"," — attach to legitimate programs and spread when the infected program runs",[31,5649,5650,5653],{},[34,5651,5652],{},"Ransomware"," — encrypts data and demands payment for the decryption key",[31,5655,5656,5659],{},[34,5657,5658],{},"Trojans"," — disguise themselves as legitimate software to trick users into installation",[31,5661,5662,5665],{},[34,5663,5664],{},"Spyware"," — silently collects information about user activity and sends it to an attacker",[31,5667,5668,5671],{},[34,5669,5670],{},"Worms"," — self-replicate across networks without requiring user interaction",[31,5673,5674,5677],{},[34,5675,5676],{},"Rootkits"," — hide deep within the operating system to maintain persistent, undetected access",[20,5679,5681],{"id":5680},"how-do-compliance-frameworks-address-malware-protection","How do compliance frameworks address malware protection?",[28,5683,5684,5689,5694,5699],{},[31,5685,5686,5688],{},[34,5687,36],{}," — CC6.8 requires controls to prevent and detect malicious software",[31,5690,5691,5693],{},[34,5692,42],{}," — A.8.7 addresses protection against malware",[31,5695,5696,5698],{},[34,5697,48],{}," — Requirement 5 mandates deploying anti-malware solutions on all commonly affected systems",[31,5700,5701,5703],{},[34,5702,54],{}," — DE.CM-4 specifically addresses malicious code detection",[20,5705,5707],{"id":5706},"what-are-common-malware-defense-strategies","What are common malware defense strategies?",[28,5709,5710,5713,5716,5719,5722,5725],{},[31,5711,5712],{},"Deploy endpoint detection and response (EDR) tools across all endpoints",[31,5714,5715],{},"Keep operating systems and applications patched and up 
to date",[31,5717,5718],{},"Implement email filtering to block phishing and malicious attachments",[31,5720,5721],{},"Restrict administrative privileges to reduce malware installation risk",[31,5723,5724],{},"Train employees to recognize social engineering and phishing attempts",[31,5726,5727],{},"Maintain tested backup and recovery procedures to mitigate ransomware impact",[20,5729,5731],{"id":5730},"how-does-episki-help-with-malware","How does episki help with malware?",[16,5733,5734,5735,209],{},"episki tracks anti-malware controls, monitors policy compliance, and documents endpoint protection evidence for auditors. Learn more on our ",[205,5736,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":5738},[5739],{"id":5631,"depth":212,"text":5632,"children":5740},[5741,5742,5743,5744],{"id":5638,"depth":217,"text":5639},{"id":5680,"depth":217,"text":5681},{"id":5706,"depth":217,"text":5707},{"id":5730,"depth":217,"text":5731},{},"\u002Fglossary\u002Fmalware",[982,230,231,984,985],[1179,5749,1952],"penetration-testing",{"title":5751,"description":5752},"What is Malware? Definition & Compliance Guide","Malware is malicious software designed to damage, disrupt, or gain unauthorized access to systems. It includes viruses, ransomware, spyware, and trojans.","malware","8.glossary\u002Fmalware","YC-GrrHk9-an6NjJOaLQttw4tAbXovhasUaJzWZ9d-4",{"id":5757,"title":302,"body":5758,"description":211,"extension":224,"lastUpdated":225,"meta":5867,"navigation":227,"path":5868,"relatedFrameworks":5869,"relatedTerms":5870,"seo":5871,"slug":5874,"stem":5875,"term":5763,"__hash__":5876},"glossary\u002F8.glossary\u002Fmonitoring.md",{"type":8,"value":5759,"toc":5859},[5760,5764,5767,5771,5803,5807,5829,5833,5850,5854],[11,5761,5763],{"id":5762},"what-is-monitoring","What is Monitoring?",[16,5765,5766],{},"Monitoring is the continuous observation of systems, networks, and controls to detect threats, unusual activity, or compliance gaps in real time. 
In a security and compliance context, monitoring goes beyond uptime checks — it encompasses the processes and tools that ensure an organization's security posture remains effective over time.",[20,5768,5770],{"id":5769},"what-are-the-types-of-monitoring","What are the types of monitoring?",[28,5772,5773,5779,5785,5791,5797],{},[31,5774,5775,5778],{},[34,5776,5777],{},"Security monitoring"," — detecting threats, intrusions, and malicious activity through SIEM tools, IDS\u002FIPS, and endpoint detection",[31,5780,5781,5784],{},[34,5782,5783],{},"Compliance monitoring"," — tracking whether controls are operating effectively and whether the organization remains aligned with framework requirements",[31,5786,5787,5790],{},[34,5788,5789],{},"Infrastructure monitoring"," — observing system health, performance, and availability across servers, networks, and cloud services",[31,5792,5793,5796],{},[34,5794,5795],{},"User activity monitoring"," — tracking user behavior to detect insider threats, policy violations, or compromised accounts",[31,5798,5799,5802],{},[34,5800,5801],{},"Vulnerability monitoring"," — continuously scanning for known vulnerabilities across the technology stack",[20,5804,5806],{"id":5805},"how-do-compliance-frameworks-address-monitoring","How do compliance frameworks address monitoring?",[28,5808,5809,5814,5819,5824],{},[31,5810,5811,5813],{},[34,5812,36],{}," — CC7.1 requires the use of detection and monitoring activities to identify anomalies",[31,5815,5816,5818],{},[34,5817,42],{}," — A.8.16 covers monitoring activities across networks and systems",[31,5820,5821,5823],{},[34,5822,48],{}," — Requirements 10 and 11 address logging, monitoring, and regular security testing",[31,5825,5826,5828],{},[34,5827,54],{}," — the Detect function (DE.CM, DE.AE) is entirely focused on continuous monitoring and anomaly detection",[20,5830,5832],{"id":5831},"what-are-best-practices-for-monitoring","What are best practices for 
monitoring?",[28,5834,5835,5838,5841,5844,5847],{},[31,5836,5837],{},"Define clear thresholds and alerting rules to minimize alert fatigue",[31,5839,5840],{},"Centralize monitoring data for correlation across systems",[31,5842,5843],{},"Establish escalation procedures so alerts lead to timely investigation",[31,5845,5846],{},"Review and tune monitoring rules regularly as the environment changes",[31,5848,5849],{},"Document monitoring coverage and gaps as part of risk assessments",[20,5851,5853],{"id":5852},"how-does-episki-help-with-monitoring","How does episki help with monitoring?",[16,5855,5856,5857,209],{},"episki tracks monitoring controls, documents coverage, and links monitoring evidence to framework requirements for continuous audit readiness. Learn more on our ",[205,5858,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":5860},[5861],{"id":5762,"depth":212,"text":5763,"children":5862},[5863,5864,5865,5866],{"id":5769,"depth":217,"text":5770},{"id":5805,"depth":217,"text":5806},{"id":5831,"depth":217,"text":5832},{"id":5852,"depth":217,"text":5853},{},"\u002Fglossary\u002Fmonitoring",[982,230,231,984,985],[1952,5621,1179],{"title":5872,"description":5873},"What is Monitoring? 
Definition & Compliance Guide","Monitoring is the continuous observation of systems and controls to detect threats, unusual activity, or compliance gaps in real time.","monitoring","8.glossary\u002Fmonitoring","QXZ4W_vuU7Y88VE8xwlReLlBVCa0cNFk0XPiqgd_4bc",{"id":5878,"title":5879,"body":5880,"description":211,"extension":224,"lastUpdated":225,"meta":5988,"navigation":227,"path":5989,"relatedFrameworks":5990,"relatedTerms":5991,"seo":5992,"slug":5995,"stem":5996,"term":5885,"__hash__":5997},"glossary\u002F8.glossary\u002Fmulti-factor-authentication.md","Multi Factor Authentication",{"type":8,"value":5881,"toc":5980},[5882,5886,5889,5893,5896,5916,5920,5923,5950,5954,5971,5975],[11,5883,5885],{"id":5884},"what-is-multi-factor-authentication","What is Multi-Factor Authentication?",[16,5887,5888],{},"Multi-Factor Authentication (MFA) is a security mechanism that requires users to verify their identity using two or more independent factors before gaining access to a system or application. By combining multiple factors, MFA significantly reduces the risk of unauthorized access even if one factor (such as a password) is compromised.",[20,5890,5892],{"id":5891},"what-are-the-authentication-factors-used-in-mfa","What are the authentication factors used in MFA?",[16,5894,5895],{},"MFA combines factors from different categories:",[28,5897,5898,5904,5910],{},[31,5899,5900,5903],{},[34,5901,5902],{},"Something you know"," — passwords, PINs, security questions",[31,5905,5906,5909],{},[34,5907,5908],{},"Something you have"," — mobile phones (SMS or authenticator apps), hardware tokens, smart cards",[31,5911,5912,5915],{},[34,5913,5914],{},"Something you are"," — biometrics such as fingerprints, facial recognition, or iris scans",[20,5917,5919],{"id":5918},"how-do-compliance-frameworks-address-mfa","How do compliance frameworks address MFA?",[16,5921,5922],{},"MFA is required or strongly recommended across all major 
frameworks:",[28,5924,5925,5930,5935,5940,5945],{},[31,5926,5927,5929],{},[34,5928,36],{}," — CC6.1 requires multi-factor authentication for access to sensitive systems",[31,5931,5932,5934],{},[34,5933,42],{}," — A.8.5 addresses secure authentication including multi-factor methods",[31,5936,5937,5939],{},[34,5938,605],{}," — while not explicitly mandating MFA, the Security Rule requires access controls that effectively necessitate it for ePHI systems",[31,5941,5942,5944],{},[34,5943,48],{}," — Requirement 8.3 mandates MFA for all remote access to the cardholder data environment",[31,5946,5947,5949],{},[34,5948,54],{}," — PR.AC-7 recommends multi-factor authentication as part of identity management",[20,5951,5953],{"id":5952},"what-are-implementation-best-practices","What are implementation best practices?",[28,5955,5956,5959,5962,5965,5968],{},[31,5957,5958],{},"Require MFA for all user accounts, not just administrators",[31,5960,5961],{},"Prefer authenticator apps or hardware tokens over SMS-based codes (which are vulnerable to SIM swapping)",[31,5963,5964],{},"Implement MFA on VPN, cloud console, email, and any system containing sensitive data",[31,5966,5967],{},"Provide backup recovery methods (recovery codes, backup devices) to prevent lockouts",[31,5969,5970],{},"Monitor and alert on MFA bypass attempts or disabled MFA",[20,5972,5974],{"id":5973},"how-does-episki-help-with-mfa","How does episki help with MFA?",[16,5976,5977,5978,209],{},"episki tracks MFA policies, monitors enforcement across systems, and documents MFA evidence for compliance audits. 
Learn more on our ",[205,5979,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":5981},[5982],{"id":5884,"depth":212,"text":5885,"children":5983},[5984,5985,5986,5987],{"id":5891,"depth":217,"text":5892},{"id":5918,"depth":217,"text":5919},{"id":5952,"depth":217,"text":5953},{"id":5973,"depth":217,"text":5974},{},"\u002Fglossary\u002Fmulti-factor-authentication",[982,230,231,983,984,985],[992,5092,933],{"title":5993,"description":5994},"What is Multi-Factor Authentication (MFA)? Definition & Compliance Guide","Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.","multi-factor-authentication","8.glossary\u002Fmulti-factor-authentication","UJQZ8l9dqE7trtvjUWb1iVTulmNQa1j2-kVTUOaUB34",{"id":5999,"title":6000,"body":6001,"description":211,"extension":224,"lastUpdated":225,"meta":6077,"navigation":227,"path":6078,"relatedFrameworks":6079,"relatedTerms":6080,"seo":6082,"slug":6085,"stem":6086,"term":6006,"__hash__":6087},"glossary\u002F8.glossary\u002Fnist.md","Nist",{"type":8,"value":6002,"toc":6070},[6003,6007,6010,6014,6040,6044,6047,6061,6065],[11,6004,6006],{"id":6005},"what-is-nist","What is NIST?",[16,6008,6009],{},"NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce that develops and publishes standards, guidelines, and best practices for technology and cybersecurity. 
NIST's publications are among the most widely referenced resources in information security worldwide, influencing both government and private sector organizations.",[20,6011,6013],{"id":6012},"what-are-the-key-nist-publications","What are the key NIST publications?",[28,6015,6016,6022,6028,6034],{},[31,6017,6018,6021],{},[34,6019,6020],{},"NIST Cybersecurity Framework (CSF)"," — a voluntary framework organized around five core functions (Identify, Protect, Detect, Respond, Recover) that provides a common language for managing cybersecurity risk. Widely adopted by organizations of all sizes.",[31,6023,6024,6027],{},[34,6025,6026],{},"NIST SP 800-53"," — a comprehensive catalog of security and privacy controls for federal information systems. Often used as a reference by private organizations building security programs.",[31,6029,6030,6033],{},[34,6031,6032],{},"NIST SP 800-171"," — security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, required for defense contractors.",[31,6035,6036,6039],{},[34,6037,6038],{},"NIST SP 800-37"," — the Risk Management Framework (RMF) that guides organizations through a structured process for managing security risk.",[20,6041,6043],{"id":6042},"why-does-nist-matter-for-compliance","Why does NIST matter for compliance?",[16,6045,6046],{},"While NIST frameworks are voluntary for most private organizations, they serve as the foundation or reference point for many compliance requirements:",[28,6048,6049,6052,6055,6058],{},[31,6050,6051],{},"Federal agencies are required to follow NIST guidelines",[31,6053,6054],{},"Defense contractors must comply with NIST SP 800-171 (enforced through CMMC)",[31,6056,6057],{},"Many ISO 27001 and SOC 2 control mappings reference NIST publications",[31,6059,6060],{},"Cyber insurance providers increasingly reference NIST CSF alignment",[20,6062,6064],{"id":6063},"how-does-episki-help-with-nist","How does episki help with 
NIST?",[16,6066,6067,6068,209],{},"episki supports NIST CSF as a framework and provides control mappings between NIST and other standards like ISO 27001 and SOC 2. Learn more on our ",[205,6069,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":6071},[6072],{"id":6005,"depth":212,"text":6006,"children":6073},[6074,6075,6076],{"id":6012,"depth":217,"text":6013},{"id":6042,"depth":217,"text":6043},{"id":6063,"depth":217,"text":6064},{},"\u002Fglossary\u002Fnist",[985,231],[6081,234,1420],"framework",{"title":6083,"description":6084},"What is NIST? Definition & Compliance Guide","NIST (National Institute of Standards and Technology) is a US government agency that publishes widely used cybersecurity frameworks and guidelines, including the NIST Cybersecurity Framework (CSF).","nist","8.glossary\u002Fnist","2ae4F06Rs2No0I7mHDHgivjpmqOCtVisAqiVyvGLz0Q",{"id":6089,"title":6090,"body":6091,"description":211,"extension":224,"lastUpdated":225,"meta":6214,"navigation":227,"path":6215,"relatedFrameworks":6216,"relatedTerms":6217,"seo":6219,"slug":6222,"stem":6223,"term":6096,"__hash__":6224},"glossary\u002F8.glossary\u002Fnetwork-security.md","Network Security",{"type":8,"value":6092,"toc":6206},[6093,6097,6100,6104,6142,6146,6168,6172,6197,6201],[11,6094,6096],{"id":6095},"what-is-network-security","What is Network Security?",[16,6098,6099],{},"Network security refers to the tools, policies, and practices used to protect the integrity, confidentiality, and availability of a computer network and its data. 
It encompasses both hardware and software technologies as well as the processes organizations use to prevent unauthorized access, misuse, and disruption of network resources.",[20,6101,6103],{"id":6102},"what-are-the-core-components-of-network-security","What are the core components of network security?",[28,6105,6106,6112,6118,6124,6130,6136],{},[31,6107,6108,6111],{},[34,6109,6110],{},"Firewalls"," — filter traffic between trusted and untrusted networks based on security rules",[31,6113,6114,6117],{},[34,6115,6116],{},"Intrusion detection and prevention systems (IDS\u002FIPS)"," — monitor network traffic for suspicious activity and can automatically block threats",[31,6119,6120,6123],{},[34,6121,6122],{},"Network segmentation"," — divides the network into isolated zones to contain breaches and limit lateral movement",[31,6125,6126,6129],{},[34,6127,6128],{},"Virtual private networks (VPN)"," — encrypt traffic between remote users and the corporate network",[31,6131,6132,6135],{},[34,6133,6134],{},"Network access control (NAC)"," — enforces policies about which devices and users can connect to the network",[31,6137,6138,6141],{},[34,6139,6140],{},"DNS security"," — protects against DNS-based attacks like spoofing and cache poisoning",[20,6143,6145],{"id":6144},"how-do-compliance-frameworks-address-network-security","How do compliance frameworks address network security?",[28,6147,6148,6153,6158,6163],{},[31,6149,6150,6152],{},[34,6151,48],{}," — Requirements 1 and 2 address firewall configuration and secure network architecture",[31,6154,6155,6157],{},[34,6156,42],{}," — A.8.20 (network security), A.8.21 (security of network services), and A.8.22 (segregation of networks)",[31,6159,6160,6162],{},[34,6161,36],{}," — CC6.6 requires security controls for network boundaries",[31,6164,6165,6167],{},[34,6166,54],{}," — PR.AC and PR.PT cover network access control and protective technology",[20,6169,6171],{"id":6170},"what-are-best-practices-for-network-security","What 
are best practices for network security?",[28,6173,6174,6177,6180,6183,6186,6189],{},[31,6175,6176],{},"Implement defense in depth with multiple layers of network controls",[31,6178,6179],{},"Regularly scan for open ports and unnecessary services, and close or decommission anything that is not required",[31,6181,6182],{},"Encrypt data in transit using current TLS versions (SSL and early TLS versions are deprecated and should be disabled)",[31,6184,6185],{},"Monitor network traffic for anomalies and potential intrusions",[31,6187,6188],{},"Document network architecture and maintain up-to-date network diagrams",[31,6190,6191,6192,6196],{},"Conduct regular ",[205,6193,6195],{"href":6194},"\u002Fglossary\u002Fpenetration-testing","penetration testing"," to identify network vulnerabilities",[20,6198,6200],{"id":6199},"how-does-episki-help-with-network-security","How does episki help with network security?",[16,6202,6203,6204,209],{},"episki tracks network security controls, links them to framework requirements, and documents evidence like network diagrams and firewall reviews for auditors. Learn more on our ",[205,6205,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":6207},[6208],{"id":6095,"depth":212,"text":6096,"children":6209},[6210,6211,6212,6213],{"id":6102,"depth":217,"text":6103},{"id":6144,"depth":217,"text":6145},{"id":6170,"depth":217,"text":6171},{"id":6199,"depth":217,"text":6200},{},"\u002Fglossary\u002Fnetwork-security",[982,230,231,984,985],[6218,992,933,5749],"firewall",{"title":6220,"description":6221},"What is Network Security? 
Definition & Compliance Guide","Network security refers to the tools, policies, and practices used to protect the integrity and confidentiality of a computer network and its data.","network-security","8.glossary\u002Fnetwork-security","X-GwLwvpQPWv1-bV4i1pW3X_eNNKctzmhG2CWCYFOe8",{"id":6226,"title":6227,"body":6228,"description":211,"extension":224,"lastUpdated":225,"meta":6362,"navigation":227,"path":6363,"relatedFrameworks":6364,"relatedTerms":6365,"seo":6366,"slug":6369,"stem":6370,"term":6233,"__hash__":6371},"glossary\u002F8.glossary\u002Foffboarding.md","Offboarding",{"type":8,"value":6229,"toc":6353},[6230,6234,6237,6241,6244,6258,6262,6300,6304,6326,6330,6344,6348],[11,6231,6233],{"id":6232},"what-is-offboarding","What is Offboarding?",[16,6235,6236],{},"Offboarding is the formal process of revoking an employee's or contractor's access to systems, applications, and data when they leave an organization or change roles. A well-executed offboarding process is critical for preventing unauthorized access after separation and is a key control auditors review during compliance assessments.",[20,6238,6240],{"id":6239},"why-does-offboarding-matter","Why does offboarding matter?",[16,6242,6243],{},"Delayed or incomplete offboarding creates significant security risks:",[28,6245,6246,6249,6252,6255],{},[31,6247,6248],{},"Former employees retaining access to sensitive systems and data",[31,6250,6251],{},"Orphaned accounts that attackers can discover and exploit",[31,6253,6254],{},"Shared credentials that remain active after a team member departs",[31,6256,6257],{},"Compliance findings for inadequate access termination procedures",[20,6259,6261],{"id":6260},"what-are-the-key-offboarding-activities","What are the key offboarding activities?",[28,6263,6264,6270,6276,6282,6288,6294],{},[31,6265,6266,6269],{},[34,6267,6268],{},"Disable user accounts"," — immediately deactivate accounts in identity providers (SSO, Active Directory) to cascade access 
revocation",[31,6271,6272,6275],{},[34,6273,6274],{},"Revoke application access"," — remove access to SaaS applications, cloud consoles, code repositories, and internal tools, including any accounts not federated through SSO; disabling the identity provider account does not by itself end existing sessions, so also terminate active sessions and revoke or rotate API keys, SSH keys, personal access tokens, and any shared credentials the individual knew",[31,6277,6278,6281],{},[34,6279,6280],{},"Recover assets"," — collect laptops, mobile devices, badges, hardware tokens, and other company property",[31,6283,6284,6287],{},[34,6285,6286],{},"Transfer ownership"," — reassign shared resources, documents, and project ownership",[31,6289,6290,6293],{},[34,6291,6292],{},"Remove from communication channels"," — remove from email distribution lists, Slack channels, and shared drives",[31,6295,6296,6299],{},[34,6297,6298],{},"Review privileged access"," — ensure any administrative or elevated access, including cloud IAM roles and service-account credentials the person controlled, is fully revoked",[20,6301,6303],{"id":6302},"how-do-compliance-frameworks-address-offboarding","How do compliance frameworks address offboarding?",[28,6305,6306,6311,6316,6321],{},[31,6307,6308,6310],{},[34,6309,36],{}," — CC6.2 requires timely revocation of access when personnel leave",[31,6312,6313,6315],{},[34,6314,42],{}," — A.6.5 covers responsibilities after termination or change of employment",[31,6317,6318,6320],{},[34,6319,605],{}," — the Security Rule requires procedures for terminating access to ePHI when employment ends",[31,6322,6323,6325],{},[34,6324,48],{}," — Requirement 8.1.3 (renumbered 8.2.5 in PCI DSS v4.0) mandates immediate revocation of access for terminated users",[20,6327,6329],{"id":6328},"what-are-best-practices-for-offboarding","What are best practices for offboarding?",[28,6331,6332,6335,6338,6341],{},[31,6333,6334],{},"Automate offboarding checklists triggered by HR termination events",[31,6336,6337],{},"Set a target of same-day access revocation for all departures",[31,6339,6340],{},"Conduct post-offboarding audits to verify no residual access remains, including a review of authentication logs for any activity after the termination date",[31,6342,6343],{},"Document the offboarding process and retain evidence for audit review",[20,6345,6347],{"id":6346},"how-does-episki-help-with-offboarding","How does episki help with 
offboarding?",[16,6349,6350,6351,209],{},"episki tracks offboarding policies, links them to access control evidence, and provides checklists to ensure complete access revocation. Learn more on our ",[205,6352,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":6354},[6355],{"id":6232,"depth":212,"text":6233,"children":6356},[6357,6358,6359,6360,6361],{"id":6239,"depth":217,"text":6240},{"id":6260,"depth":217,"text":6261},{"id":6302,"depth":217,"text":6303},{"id":6328,"depth":217,"text":6329},{"id":6346,"depth":217,"text":6347},{},"\u002Fglossary\u002Foffboarding",[230,231,983,984],[992,5092,4420],{"title":6367,"description":6368},"What is Offboarding? Definition & Compliance Guide","Offboarding is the formal process of revoking an employee's or contractor's access to systems and data when they leave an organization.","offboarding","8.glossary\u002Foffboarding","Rz5QFRP5_SeeZAbasnNVFWLvYnrzwxu8rDWO1Kpf4lI",{"id":6373,"title":6374,"body":6375,"description":211,"extension":224,"lastUpdated":225,"meta":6490,"navigation":227,"path":6491,"relatedFrameworks":6492,"relatedTerms":6493,"seo":6494,"slug":6497,"stem":6498,"term":6380,"__hash__":6499},"glossary\u002F8.glossary\u002Foperational-risk.md","Operational Risk",{"type":8,"value":6376,"toc":6482},[6377,6381,6384,6388,6414,6418,6435,6439,6473,6477],[11,6378,6380],{"id":6379},"what-is-operational-risk","What is Operational Risk?",[16,6382,6383],{},"Operational risk is the potential for loss, disruption, or harm caused by failures in internal processes, people, systems, or external events. 
Unlike market or credit risk, operational risk arises from the day-to-day functioning of an organization and includes everything from human errors and system outages to fraud and natural disasters.",[20,6385,6387],{"id":6386},"what-are-the-sources-of-operational-risk","What are the sources of operational risk?",[28,6389,6390,6396,6402,6408],{},[31,6391,6392,6395],{},[34,6393,6394],{},"People"," — human error, insufficient training, insider threats, key person dependencies",[31,6397,6398,6401],{},[34,6399,6400],{},"Processes"," — poorly designed workflows, lack of documentation, inadequate controls",[31,6403,6404,6407],{},[34,6405,6406],{},"Systems"," — hardware failures, software bugs, cybersecurity incidents, integration breakdowns",[31,6409,6410,6413],{},[34,6411,6412],{},"External events"," — natural disasters, supply chain disruptions, regulatory changes, third-party failures",[20,6415,6417],{"id":6416},"how-do-compliance-frameworks-address-operational-risk","How do compliance frameworks address operational risk?",[28,6419,6420,6425,6430],{},[31,6421,6422,6424],{},[34,6423,36],{}," — CC3.1 through CC3.4 address risk assessment and management, including operational risks",[31,6426,6427,6429],{},[34,6428,42],{}," — clauses 6.1 and 8.2 require organizations to identify and treat information security risks, many of which are operational",[31,6431,6432,6434],{},[34,6433,54],{}," — the Identify function (ID.RA) covers risk assessment including operational risk factors",[20,6436,6438],{"id":6437},"how-do-you-manage-operational-risk","How do you manage operational risk?",[28,6440,6441,6449,6456,6467,6470],{},[31,6442,6443,6444,6448],{},"Maintain a ",[205,6445,6447],{"href":6446},"\u002Fglossary\u002Frisk-register","risk register"," that captures identified operational risks with likelihood and impact ratings",[31,6450,6451,6452],{},"Implement controls proportional to the risk level and document them in a 
",[205,6453,6455],{"href":6454},"\u002Fglossary\u002Frisk-treatment-plan","risk treatment plan",[31,6457,6458,6459,6462,6463,6466],{},"Establish ",[205,6460,6461],{"href":1416},"business continuity"," and ",[205,6464,6465],{"href":2435},"disaster recovery"," plans for high-impact scenarios",[31,6468,6469],{},"Conduct regular risk assessments to identify new or changing risks",[31,6471,6472],{},"Monitor key risk indicators (KRIs) to detect emerging operational issues",[20,6474,6476],{"id":6475},"how-does-episki-help-with-operational-risk","How does episki help with operational risk?",[16,6478,6479,6480,209],{},"episki provides risk registers, links risks to controls, and tracks risk treatment plans to help organizations manage operational risk systematically. Learn more on our ",[205,6481,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":6483},[6484],{"id":6379,"depth":212,"text":6380,"children":6485},[6486,6487,6488,6489],{"id":6386,"depth":217,"text":6387},{"id":6416,"depth":217,"text":6417},{"id":6437,"depth":217,"text":6438},{"id":6475,"depth":217,"text":6476},{},"\u002Fglossary\u002Foperational-risk",[230,231,985],[1420,1421,1425,1419],{"title":6495,"description":6496},"What is Operational Risk? 
Definition & Compliance Guide","Operational risk is the potential for loss or disruption caused by failed internal processes, human errors, system failures, or external events.","operational-risk","8.glossary\u002Foperational-risk","FHa7St6ZxdXS6nN4A99Zbld2Kt8WzJLlE0DHI0np8_o",{"id":6501,"title":6502,"body":6503,"description":211,"extension":224,"lastUpdated":225,"meta":6674,"navigation":227,"path":5475,"relatedFrameworks":6675,"relatedTerms":6676,"seo":6681,"slug":6684,"stem":6685,"term":6508,"__hash__":6686},"glossary\u002F8.glossary\u002Fpci-dss.md","Pci Dss",{"type":8,"value":6504,"toc":6666},[6505,6509,6512,6516,6519,6557,6561,6564,6623,6627,6630,6656,6660],[11,6506,6508],{"id":6507},"what-is-pci-dss","What is PCI DSS?",[16,6510,6511],{},"PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that all organizations that accept, process, store, or transmit credit card information maintain a secure environment. It is managed by the PCI Security Standards Council (PCI SSC).",[20,6513,6515],{"id":6514},"what-are-the-12-pci-dss-requirements","What are the 12 PCI DSS requirements?",[16,6517,6518],{},"PCI DSS organizes controls into 12 high-level requirements:",[155,6520,6521,6524,6527,6530,6533,6536,6539,6542,6545,6548,6551,6554],{},[31,6522,6523],{},"Install and maintain network security controls",[31,6525,6526],{},"Apply secure configurations to all system components",[31,6528,6529],{},"Protect stored account data",[31,6531,6532],{},"Protect cardholder data with strong cryptography during transmission",[31,6534,6535],{},"Protect all systems and networks from malicious software",[31,6537,6538],{},"Develop and maintain secure systems and software",[31,6540,6541],{},"Restrict access to system components and cardholder data by business need to know",[31,6543,6544],{},"Identify users and authenticate access to system components",[31,6546,6547],{},"Restrict physical access to cardholder data",[31,6549,6550],{},"Log 
and monitor all access to system components and cardholder data",[31,6552,6553],{},"Test security of systems and networks regularly",[31,6555,6556],{},"Support information security with organizational policies and programs",[20,6558,6560],{"id":6559},"what-are-the-pci-dss-compliance-levels","What are the PCI DSS compliance levels?",[16,6562,6563],{},"PCI DSS defines four merchant levels based on annual transaction volume:",[743,6565,6566,6579],{},[746,6567,6568],{},[749,6569,6570,6573,6576],{},[752,6571,6572],{},"Level",[752,6574,6575],{},"Transactions per year",[752,6577,6578],{},"Validation",[766,6580,6581,6592,6603,6613],{},[749,6582,6583,6586,6589],{},[771,6584,6585],{},"1",[771,6587,6588],{},"Over 6 million",[771,6590,6591],{},"Annual on-site audit by QSA",[749,6593,6594,6597,6600],{},[771,6595,6596],{},"2",[771,6598,6599],{},"1-6 million",[771,6601,6602],{},"Annual SAQ + quarterly network scan",[749,6604,6605,6608,6611],{},[771,6606,6607],{},"3",[771,6609,6610],{},"20,000-1 million (e-commerce)",[771,6612,6602],{},[749,6614,6615,6618,6621],{},[771,6616,6617],{},"4",[771,6619,6620],{},"Under 20,000 (e-commerce) or up to 1 million (other)",[771,6622,6602],{},[20,6624,6626],{"id":6625},"what-is-new-in-pci-dss-40","What is new in PCI DSS 4.0?",[16,6628,6629],{},"Version 4.0, released in March 2022, introduced significant changes:",[28,6631,6632,6638,6644,6650],{},[31,6633,6634,6637],{},[34,6635,6636],{},"Customized approach"," — organizations can meet objectives with alternative controls if they can demonstrate equivalent security",[31,6639,6640,6643],{},[34,6641,6642],{},"Targeted risk analysis"," — more flexibility in defining control frequencies based on risk",[31,6645,6646,6649],{},[34,6647,6648],{},"Enhanced authentication"," — multi-factor authentication required for all access to the cardholder data environment",[31,6651,6652,6655],{},[34,6653,6654],{},"Expanded scope"," — additional requirements for e-commerce, phishing protections, and automated log 
reviews",[20,6657,6659],{"id":6658},"how-does-episki-help-with-pci-dss","How does episki help with PCI DSS?",[16,6661,6662,6663,209],{},"episki maps controls to PCI DSS requirements, tracks evidence for QSA reviews, and connects cardholder data environment documentation to relevant controls. Learn more on our ",[205,6664,6665],{"href":618},"PCI DSS compliance page",{"title":211,"searchDepth":212,"depth":212,"links":6667},[6668],{"id":6507,"depth":212,"text":6508,"children":6669},[6670,6671,6672,6673],{"id":6514,"depth":217,"text":6515},{"id":6559,"depth":217,"text":6560},{"id":6625,"depth":217,"text":6626},{"id":6658,"depth":217,"text":6659},{},[984],[6677,6678,6679,6680,2635],"saq","qsa","asv","cardholder-data-environment",{"title":6682,"description":6683},"What is PCI DSS? Payment Card Compliance Explained","PCI DSS is the security standard for organizations that handle credit card data. Learn about compliance levels, requirements, and what changed in PCI DSS 4.0.","pci-dss","8.glossary\u002Fpci-dss","04BQ4jnTGUK4b8xsKhVX0TesFlkRePr82-ayCBuUDgI",{"id":6688,"title":6689,"body":6690,"description":211,"extension":224,"lastUpdated":225,"meta":6934,"navigation":227,"path":6935,"relatedFrameworks":6936,"relatedTerms":6937,"seo":6938,"slug":6941,"stem":6942,"term":6695,"__hash__":6943},"glossary\u002F8.glossary\u002Fpci-scope.md","Pci Scope",{"type":8,"value":6691,"toc":6924},[6692,6696,6699,6703,6706,6712,6726,6732,6746,6752,6766,6770,6773,6817,6821,6824,6855,6859,6862,6894,6898,6901,6915,6919],[11,6693,6695],{"id":6694},"what-is-pci-scope","What is PCI Scope?",[16,6697,6698],{},"PCI scope refers to the collection of systems, people, processes, and technologies that are subject to PCI DSS requirements for a given assessment. 
Accurately defining scope is one of the most consequential decisions in PCI DSS compliance — it determines the extent of controls required, the volume of evidence to collect, and the cost of the assessment.",[20,6700,6702],{"id":6701},"what-falls-in-pci-dss-scope","What falls in PCI DSS scope?",[16,6704,6705],{},"PCI DSS scope includes three categories of systems:",[16,6707,6708,6711],{},[34,6709,6710],{},"CDE systems"," — systems that directly store, process, or transmit cardholder data:",[28,6713,6714,6717,6720,6723],{},[31,6715,6716],{},"Payment processing servers",[31,6718,6719],{},"Databases containing PAN",[31,6721,6722],{},"Point-of-sale terminals",[31,6724,6725],{},"Payment applications",[16,6727,6728,6731],{},[34,6729,6730],{},"Connected-to systems"," — systems that connect to or could affect the security of the CDE:",[28,6733,6734,6737,6740,6743],{},[31,6735,6736],{},"Firewalls and routers protecting the CDE",[31,6738,6739],{},"Authentication and directory servers used by CDE systems",[31,6741,6742],{},"Security monitoring systems (SIEM, IDS\u002FIPS)",[31,6744,6745],{},"Administrative workstations used to manage CDE systems",[16,6747,6748,6751],{},[34,6749,6750],{},"Security-impacting systems"," — systems that could impact the security of the CDE even without direct connectivity:",[28,6753,6754,6757,6760,6763],{},[31,6755,6756],{},"DNS servers",[31,6758,6759],{},"NTP servers",[31,6761,6762],{},"Patch management systems",[31,6764,6765],{},"Configuration management tools",[20,6767,6769],{"id":6768},"what-is-the-pci-scoping-methodology","What is the PCI scoping methodology?",[16,6771,6772],{},"Defining PCI scope follows a structured approach:",[155,6774,6775,6781,6787,6793,6799,6805,6811],{},[31,6776,6777,6780],{},[34,6778,6779],{},"Identify all cardholder data flows"," — trace every path that cardholder data takes through your environment",[31,6782,6783,6786],{},[34,6784,6785],{},"Identify all data storage"," — locate every place where cardholder data is 
stored, including backups and logs",[31,6788,6789,6792],{},[34,6790,6791],{},"Identify all processing systems"," — document every system that processes cardholder data",[31,6794,6795,6798],{},[34,6796,6797],{},"Map network connectivity"," — determine which systems have network access to the CDE",[31,6800,6801,6804],{},[34,6802,6803],{},"Identify supporting systems"," — find systems that provide security services or administration to the CDE",[31,6806,6807,6810],{},[34,6808,6809],{},"Document scope boundaries"," — clearly define what is in scope and what is out of scope",[31,6812,6813,6816],{},[34,6814,6815],{},"Validate with data discovery"," — use tools to verify that cardholder data does not exist outside the defined scope",[20,6818,6820],{"id":6819},"how-do-you-reduce-scope","How do you reduce scope?",[16,6822,6823],{},"Scope reduction is a primary strategy for managing PCI DSS compliance costs and complexity:",[28,6825,6826,6831,6837,6843,6849],{},[31,6827,6828,6830],{},[34,6829,6122],{}," — isolate the CDE on dedicated network segments, preventing other systems from being in scope; segmentation only takes systems out of scope if the isolation is verified, and PCI DSS requires segmentation controls to be penetration tested at least annually (at least every six months for service providers)",[31,6832,6833,6836],{},[34,6834,6835],{},"Tokenization"," — replace PAN with tokens so downstream systems never handle actual cardholder data; the tokenization system itself and anything able to de-tokenize remain in scope",[31,6838,6839,6842],{},[34,6840,6841],{},"Point-to-point encryption"," — encrypt cardholder data from the point of interaction, reducing the number of systems that handle unencrypted data",[31,6844,6845,6848],{},[34,6846,6847],{},"Outsourcing"," — shift payment processing to PCI-compliant third-party providers; this reduces but does not eliminate responsibility — the organization still validates its own reduced scope (often via a shorter SAQ such as SAQ A) and must manage the provider as a third-party service provider with a current attestation of compliance",[31,6850,6851,6854],{},[34,6852,6853],{},"Eliminating unnecessary storage"," — stop storing cardholder data that is not required for business purposes",[20,6856,6858],{"id":6857},"what-are-common-scoping-mistakes","What are common scoping mistakes?",[16,6860,6861],{},"Organizations frequently make errors that expand scope unnecessarily:",[28,6863,6864,6870,6876,6882,6888],{},[31,6865,6866,6869],{},[34,6867,6868],{},"Flat networks"," — 
without proper segmentation, the entire network may be in scope",[31,6871,6872,6875],{},[34,6873,6874],{},"Unnecessary data retention"," — storing PAN when it is no longer needed",[31,6877,6878,6881],{},[34,6879,6880],{},"Shared infrastructure"," — running CDE systems on shared infrastructure with non-CDE systems",[31,6883,6884,6887],{},[34,6885,6886],{},"Overlooked data locations"," — PAN in log files, test environments, or email",[31,6889,6890,6893],{},[34,6891,6892],{},"Incomplete flow diagrams"," — missing data flows that bring additional systems into scope",[20,6895,6897],{"id":6896},"how-do-you-validate-pci-scope","How do you validate PCI scope?",[16,6899,6900],{},"PCI DSS requires organizations to confirm their scope at least annually and after any significant changes. A QSA or ISA should review and validate scope as part of each assessment. Scope validation includes:",[28,6902,6903,6906,6909,6912],{},[31,6904,6905],{},"Reviewing data flow diagrams for accuracy",[31,6907,6908],{},"Confirming network segmentation controls",[31,6910,6911],{},"Performing data discovery scans",[31,6913,6914],{},"Verifying that scope documentation reflects the current environment",[20,6916,6918],{"id":6917},"how-does-episki-help-with-pci-scope","How does episki help with PCI scope?",[16,6920,6921,6922,209],{},"episki maintains your PCI scope documentation including data flow diagrams, system inventories, and segmentation records. The platform flags changes that could affect scope and prompts validation reviews. 
Learn more on our ",[205,6923,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":6925},[6926],{"id":6694,"depth":212,"text":6695,"children":6927},[6928,6929,6930,6931,6932,6933],{"id":6701,"depth":217,"text":6702},{"id":6768,"depth":217,"text":6769},{"id":6819,"depth":217,"text":6820},{"id":6857,"depth":217,"text":6858},{"id":6896,"depth":217,"text":6897},{"id":6917,"depth":217,"text":6918},{},"\u002Fglossary\u002Fpci-scope",[984],[6684,6680,2176,2635,6678],{"title":6939,"description":6940},"What is PCI Scope? Definition & Compliance Guide","PCI scope defines which systems, people, and processes are subject to PCI DSS requirements. Learn how to accurately determine and reduce your PCI scope.","pci-scope","8.glossary\u002Fpci-scope","bLRhCfwv8W5lhV_xP4BB1TxwiPzNpYGtxUFAbmM-HHo",{"id":6945,"title":6946,"body":6947,"description":211,"extension":224,"lastUpdated":225,"meta":7190,"navigation":227,"path":6194,"relatedFrameworks":7191,"relatedTerms":7192,"seo":7193,"slug":5749,"stem":7196,"term":6952,"__hash__":7197},"glossary\u002F8.glossary\u002Fpenetration-testing.md","Penetration Testing",{"type":8,"value":6948,"toc":7180},[6949,6953,6956,6960,6963,6968,7012,7017,7037,7041,7044,7094,7098,7101,7123,7127,7147,7151,7154,7171,7175],[11,6950,6952],{"id":6951},"what-is-penetration-testing","What is Penetration Testing?",[16,6954,6955],{},"Penetration testing (pen testing) is a controlled, simulated cyberattack conducted by security professionals to identify vulnerabilities and weaknesses in an organization's systems, networks, and applications before malicious actors can exploit them. 
Unlike automated vulnerability scanning, penetration testing involves manual techniques, creative thinking, and the ability to chain multiple findings together to demonstrate real-world attack scenarios.",[20,6957,6959],{"id":6958},"what-are-the-types-of-penetration-testing","What are the types of penetration testing?",[16,6961,6962],{},"Penetration tests are categorized by scope and approach:",[16,6964,6965],{},[34,6966,6967],{},"By target:",[28,6969,6970,6976,6982,6988,6994,7000,7006],{},[31,6971,6972,6975],{},[34,6973,6974],{},"External testing"," — targets internet-facing assets such as web applications, APIs, email servers, and firewalls",[31,6977,6978,6981],{},[34,6979,6980],{},"Internal testing"," — simulates an attacker who has gained access to the internal network",[31,6983,6984,6987],{},[34,6985,6986],{},"Web application testing"," — focuses specifically on web application vulnerabilities (injection, authentication flaws, etc.)",[31,6989,6990,6993],{},[34,6991,6992],{},"API testing"," — evaluates the security of application programming interfaces",[31,6995,6996,6999],{},[34,6997,6998],{},"Mobile application testing"," — assesses mobile apps for security weaknesses",[31,7001,7002,7005],{},[34,7003,7004],{},"Wireless testing"," — tests wireless network security",[31,7007,7008,7011],{},[34,7009,7010],{},"Social engineering"," — tests human vulnerabilities through phishing, pretexting, or physical access attempts",[16,7013,7014],{},[34,7015,7016],{},"By knowledge level:",[28,7018,7019,7025,7031],{},[31,7020,7021,7024],{},[34,7022,7023],{},"Black box"," — the tester has no prior knowledge of the target environment, simulating an external attacker",[31,7026,7027,7030],{},[34,7028,7029],{},"White box"," — the tester has full access to source code, architecture documentation, and credentials",[31,7032,7033,7036],{},[34,7034,7035],{},"Gray box"," — the tester has partial knowledge, such as user-level credentials or limited 
documentation",[20,7038,7040],{"id":7039},"what-is-the-penetration-testing-process","What is the penetration testing process?",[16,7042,7043],{},"A professional penetration test follows a structured methodology:",[155,7045,7046,7052,7058,7064,7070,7076,7082,7088],{},[31,7047,7048,7051],{},[34,7049,7050],{},"Scoping"," — define the targets, objectives, rules of engagement, and testing window",[31,7053,7054,7057],{},[34,7055,7056],{},"Reconnaissance"," — gather information about the target through passive and active techniques",[31,7059,7060,7063],{},[34,7061,7062],{},"Vulnerability identification"," — discover potential weaknesses using automated tools and manual analysis",[31,7065,7066,7069],{},[34,7067,7068],{},"Exploitation"," — attempt to exploit identified vulnerabilities to demonstrate real-world impact",[31,7071,7072,7075],{},[34,7073,7074],{},"Post-exploitation"," — if access is gained, assess how far an attacker could go (lateral movement, data access, privilege escalation)",[31,7077,7078,7081],{},[34,7079,7080],{},"Reporting"," — document all findings with severity ratings, evidence, and remediation recommendations",[31,7083,7084,7087],{},[34,7085,7086],{},"Remediation support"," — assist the organization in understanding and addressing findings",[31,7089,7090,7093],{},[34,7091,7092],{},"Retest"," — verify that remediation efforts have effectively addressed the vulnerabilities",[20,7095,7097],{"id":7096},"how-do-compliance-frameworks-address-penetration-testing","How do compliance frameworks address penetration testing?",[16,7099,7100],{},"Multiple frameworks require or recommend penetration testing:",[28,7102,7103,7108,7113,7118],{},[31,7104,7105,7107],{},[34,7106,36],{}," — while not explicitly mandated, penetration testing supports CC7.1 (detection of vulnerabilities) and CC4.1 (monitoring)",[31,7109,7110,7112],{},[34,7111,48],{}," — Requirement 11.4 requires annual penetration testing of the CDE, plus testing after significant 
changes",[31,7114,7115,7117],{},[34,7116,54],{}," — DE.CM (continuous monitoring) and ID.RA (risk assessment) are supported by penetration testing",[31,7119,7120,7122],{},[34,7121,42],{}," — control A.8.8 addresses management of technical vulnerabilities, which penetration testing supports",[20,7124,7126],{"id":7125},"how-often-should-penetration-tests-be-performed","How often should penetration tests be performed?",[28,7128,7129,7135,7141],{},[31,7130,7131,7134],{},[34,7132,7133],{},"Annual testing"," is the minimum standard for most compliance frameworks",[31,7136,7137,7140],{},[34,7138,7139],{},"After significant changes"," — major infrastructure changes, application releases, or acquisitions should trigger additional testing",[31,7142,7143,7146],{},[34,7144,7145],{},"Continuous testing programs"," — some organizations implement bug bounty programs or periodic testing throughout the year",[20,7148,7150],{"id":7149},"how-do-you-select-a-penetration-testing-firm","How do you select a penetration testing firm?",[16,7152,7153],{},"When choosing a penetration testing provider:",[28,7155,7156,7159,7162,7165,7168],{},[31,7157,7158],{},"Look for relevant certifications (OSCP, OSCE, CREST, GPEN)",[31,7160,7161],{},"Request sample reports to evaluate reporting quality",[31,7163,7164],{},"Verify the firm carries appropriate insurance",[31,7166,7167],{},"Confirm experience with your technology stack and industry",[31,7169,7170],{},"Ensure clear rules of engagement and communication protocols",[20,7172,7174],{"id":7173},"how-does-episki-help-with-penetration-testing","How does episki help with penetration testing?",[16,7176,7177,7178,209],{},"episki tracks penetration testing schedules, stores reports, and manages remediation of identified findings. The platform links pen test results to compliance framework requirements and monitors remediation progress. 
Learn more on our ",[205,7179,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":7181},[7182],{"id":6951,"depth":212,"text":6952,"children":7183},[7184,7185,7186,7187,7188,7189],{"id":6958,"depth":217,"text":6959},{"id":7039,"depth":217,"text":7040},{"id":7096,"depth":217,"text":7097},{"id":7125,"depth":217,"text":7126},{"id":7149,"depth":217,"text":7150},{"id":7173,"depth":217,"text":7174},{},[982,230,984,985],[6679,1948,1952,992],{"title":7194,"description":7195},"What is Penetration Testing? Definition & Compliance Guide","Penetration testing is a simulated cyberattack that identifies vulnerabilities in your systems before real attackers can exploit them. Learn the types and process.","8.glossary\u002Fpenetration-testing","-DYPrBzNiyBknfyn7jeCgBrDE39XjynFvEKprLlba4U",{"id":7199,"title":7200,"body":7201,"description":211,"extension":224,"lastUpdated":225,"meta":7397,"navigation":227,"path":7398,"relatedFrameworks":7399,"relatedTerms":7400,"seo":7401,"slug":1175,"stem":7404,"term":3019,"__hash__":7405},"glossary\u002F8.glossary\u002Fphi.md","Phi",{"type":8,"value":7202,"toc":7386},[7203,7205,7208,7212,7215,7229,7233,7236,7292,7295,7299,7302,7305,7309,7312,7326,7329,7333,7336,7356,7359,7363,7366,7377,7381],[11,7204,3019],{"id":3018},[16,7206,7207],{},"Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associates. 
PHI is the central concept in HIPAA regulations — the entire framework exists to protect this category of information.",[20,7209,7211],{"id":7210},"what-qualifies-as-phi","What qualifies as PHI?",[16,7213,7214],{},"For information to be classified as PHI, it must meet two criteria:",[155,7216,7217,7223],{},[31,7218,7219,7222],{},[34,7220,7221],{},"It relates to health"," — the information concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare",[31,7224,7225,7228],{},[34,7226,7227],{},"It is individually identifiable"," — the information can be linked to a specific individual through one or more of 18 identifiers defined by HIPAA",[20,7230,7232],{"id":7231},"what-are-the-18-hipaa-identifiers","What are the 18 HIPAA identifiers?",[16,7234,7235],{},"HIPAA defines 18 types of identifiers that, when combined with health information, create PHI:",[28,7237,7238,7241,7244,7247,7250,7253,7256,7259,7262,7265,7268,7271,7274,7277,7280,7283,7286,7289],{},[31,7239,7240],{},"Names",[31,7242,7243],{},"Geographic data smaller than a state",[31,7245,7246],{},"Dates (except year) related to an individual",[31,7248,7249],{},"Phone numbers",[31,7251,7252],{},"Fax numbers",[31,7254,7255],{},"Email addresses",[31,7257,7258],{},"Social Security numbers",[31,7260,7261],{},"Medical record numbers",[31,7263,7264],{},"Health plan beneficiary numbers",[31,7266,7267],{},"Account numbers",[31,7269,7270],{},"Certificate\u002Flicense numbers",[31,7272,7273],{},"Vehicle identifiers and serial numbers",[31,7275,7276],{},"Device identifiers and serial numbers",[31,7278,7279],{},"Web URLs",[31,7281,7282],{},"IP addresses",[31,7284,7285],{},"Biometric identifiers",[31,7287,7288],{},"Full-face photographs",[31,7290,7291],{},"Any other unique identifying number or code",[16,7293,7294],{},"If health information is stripped of all 18 identifiers following the HIPAA Safe Harbor method, it becomes de-identified data and is 
no longer subject to HIPAA protections.",[20,7296,7298],{"id":7297},"what-is-electronic-phi-ephi","What is electronic PHI (ePHI)?",[16,7300,7301],{},"Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic form. The HIPAA Security Rule specifically addresses safeguards for ePHI, requiring administrative, physical, and technical controls to protect its confidentiality, integrity, and availability.",[16,7303,7304],{},"ePHI includes data in electronic health records, emails containing patient information, digital images, and any other electronic format.",[20,7306,7308],{"id":7307},"what-is-the-difference-between-phi-and-pii","What is the difference between PHI and PII?",[16,7310,7311],{},"PHI and personally identifiable information (PII) overlap but are not identical:",[28,7313,7314,7320],{},[31,7315,7316,7319],{},[34,7317,7318],{},"PII"," is any information that can identify an individual, regulated by various federal and state laws",[31,7321,7322,7325],{},[34,7323,7324],{},"PHI"," is specifically health-related PII regulated under HIPAA",[16,7327,7328],{},"A person's name alone is PII but not PHI. 
A person's name combined with a diagnosis or treatment record is PHI.",[20,7330,7332],{"id":7331},"how-do-you-protect-phi","How do you protect PHI?",[16,7334,7335],{},"HIPAA requires covered entities and business associates to implement safeguards to protect PHI:",[28,7337,7338,7344,7350],{},[31,7339,7340,7343],{},[34,7341,7342],{},"Administrative safeguards"," — risk assessments, workforce training, access management policies, incident response procedures",[31,7345,7346,7349],{},[34,7347,7348],{},"Physical safeguards"," — facility access controls, workstation security, device and media controls",[31,7351,7352,7355],{},[34,7353,7354],{},"Technical safeguards"," — access controls, audit controls, integrity controls, transmission security (encryption)",[16,7357,7358],{},"The Minimum Necessary Rule further requires that access to PHI be limited to the minimum amount needed for a specific purpose.",[20,7360,7362],{"id":7361},"what-are-the-penalties-for-phi-violations","What are the penalties for PHI violations?",[16,7364,7365],{},"HIPAA violations involving PHI can result in significant penalties:",[28,7367,7368,7371,7374],{},[31,7369,7370],{},"Fines ranging from $100 to $50,000 per violation, up to $1.5 million per year per violation category",[31,7372,7373],{},"Criminal penalties including imprisonment for knowing violations",[31,7375,7376],{},"Mandatory breach notification to affected individuals, HHS, and potentially media outlets",[20,7378,7380],{"id":7379},"how-does-episki-help-with-phi","How does episki help with PHI?",[16,7382,7383,7384,209],{},"episki helps organizations identify where PHI exists in their systems, implement required safeguards, and maintain documentation demonstrating HIPAA compliance. The platform tracks access controls, risk assessments, and business associate agreements to ensure comprehensive PHI protection. 
Learn more on our ",[205,7385,1160],{"href":604},{"title":211,"searchDepth":212,"depth":212,"links":7387},[7388],{"id":3018,"depth":212,"text":3019,"children":7389},[7390,7391,7392,7393,7394,7395,7396],{"id":7210,"depth":217,"text":7211},{"id":7231,"depth":217,"text":7232},{"id":7297,"depth":217,"text":7298},{"id":7307,"depth":217,"text":7308},{"id":7331,"depth":217,"text":7332},{"id":7361,"depth":217,"text":7362},{"id":7379,"depth":217,"text":7380},{},"\u002Fglossary\u002Fphi",[983],[983,3092,1177,1178,1183,987,933],{"title":7402,"description":7403},"What is Protected Health Information (PHI)? Definition & Compliance Guide","Protected Health Information (PHI) is any individually identifiable health data covered by HIPAA. Learn what qualifies as PHI and how to protect it.","8.glossary\u002Fphi","S359PhBIZednkFETpVh7HeInrjEkO1Dd9FRUTXZCB2Y",{"id":7407,"title":7408,"body":7409,"description":211,"extension":224,"lastUpdated":225,"meta":7684,"navigation":227,"path":7685,"relatedFrameworks":7686,"relatedTerms":7687,"seo":7688,"slug":1948,"stem":7691,"term":7414,"__hash__":7692},"glossary\u002F8.glossary\u002Fremediation.md","Remediation",{"type":8,"value":7410,"toc":7673},[7411,7415,7418,7422,7425,7489,7493,7496,7545,7549,7552,7589,7593,7596,7616,7620,7623,7640,7643,7647,7664,7668],[11,7412,7414],{"id":7413},"what-is-remediation","What is Remediation?",[16,7416,7417],{},"Remediation is the process of identifying, prioritizing, and resolving security weaknesses, compliance gaps, audit findings, or vulnerabilities in an organization's systems and processes. 
It is a fundamental component of any security program — identifying risks and gaps is only valuable if the organization takes action to address them.",[20,7419,7421],{"id":7420},"where-do-remediation-items-come-from","Where do remediation items come from?",[16,7423,7424],{},"Remediation needs arise from multiple sources:",[28,7426,7427,7441,7451,7457,7465,7471,7477,7483],{},[31,7428,7429,7432,7433,2920,7435,7437,7438,7440],{},[34,7430,7431],{},"Audit findings"," — gaps identified during ",[205,7434,36],{"href":405},[205,7436,42],{"href":591},", or ",[205,7439,48],{"href":618}," audits",[31,7442,7443,7446,7447],{},[34,7444,7445],{},"Vulnerability scans"," — technical vulnerabilities discovered by automated scanning tools or ",[205,7448,7450],{"href":7449},"\u002Fglossary\u002Fasv","approved scanning vendors (ASVs)",[31,7452,7453,7456],{},[34,7454,7455],{},"Penetration tests"," — weaknesses identified through manual security testing",[31,7458,7459,7464],{},[34,7460,7461],{},[205,7462,7463],{"href":6446},"Risk assessments"," — risks that require new or improved controls",[31,7466,7467,7470],{},[34,7468,7469],{},"Incident investigations"," — root cause analysis revealing underlying security weaknesses",[31,7472,7473,7476],{},[34,7474,7475],{},"Compliance gap assessments"," — differences between current controls and framework requirements",[31,7478,7479,7482],{},[34,7480,7481],{},"Customer security questionnaires"," — gaps exposed through vendor assessment processes",[31,7484,7485,7488],{},[34,7486,7487],{},"Regulatory changes"," — new requirements that existing controls do not address",[20,7490,7492],{"id":7491},"what-is-the-remediation-process","What is the remediation process?",[16,7494,7495],{},"An effective remediation process follows a structured approach:",[155,7497,7498,7504,7510,7516,7522,7528,7533,7539],{},[31,7499,7500,7503],{},[34,7501,7502],{},"Identification"," — document the gap, vulnerability, or finding with sufficient detail to understand the 
issue",[31,7505,7506,7509],{},[34,7507,7508],{},"Assessment"," — evaluate the severity, risk, and potential impact of the issue",[31,7511,7512,7515],{},[34,7513,7514],{},"Prioritization"," — rank remediation items based on risk severity, exploitability, and business impact",[31,7517,7518,7521],{},[34,7519,7520],{},"Assignment"," — designate a responsible owner for each remediation item",[31,7523,7524,7527],{},[34,7525,7526],{},"Planning"," — define the specific actions needed, required resources, and target completion date",[31,7529,7530,7532],{},[34,7531,1537],{}," — execute the remediation plan",[31,7534,7535,7538],{},[34,7536,7537],{},"Verification"," — confirm that the remediation effectively addresses the issue (through retesting, review, or evidence collection)",[31,7540,7541,7544],{},[34,7542,7543],{},"Documentation"," — record the remediation actions taken and their results",[20,7546,7548],{"id":7547},"how-do-you-prioritize-remediation-items","How do you prioritize remediation items?",[16,7550,7551],{},"Not all remediation items carry equal urgency. 
Common prioritization factors include:",[28,7553,7554,7560,7566,7572,7578,7584],{},[31,7555,7556,7559],{},[34,7557,7558],{},"Severity"," — how significant is the risk or vulnerability (e.g., CVSS score for technical vulnerabilities)",[31,7561,7562,7565],{},[34,7563,7564],{},"Exploitability"," — how easily could the weakness be exploited",[31,7567,7568,7571],{},[34,7569,7570],{},"Business impact"," — what would happen if the weakness were exploited",[31,7573,7574,7577],{},[34,7575,7576],{},"Compliance deadline"," — are there regulatory or contractual deadlines driving urgency",[31,7579,7580,7583],{},[34,7581,7582],{},"Effort required"," — how much work is needed to remediate",[31,7585,7586,7588],{},[34,7587,2301],{}," — does remediation depend on other work being completed first",[20,7590,7592],{"id":7591},"how-do-you-track-remediation","How do you track remediation?",[16,7594,7595],{},"Effective tracking ensures accountability and progress:",[28,7597,7598,7604,7607,7610,7613],{},[31,7599,7600,7601,7603],{},"Maintain a centralized remediation tracker (often integrated with the ",[205,7602,6447],{"href":6446}," or GRC platform)",[31,7605,7606],{},"Set clear deadlines and milestone dates",[31,7608,7609],{},"Send regular reminders to owners",[31,7611,7612],{},"Escalate overdue items to management",[31,7614,7615],{},"Report on remediation metrics (open items, aging, completion rates)",[20,7617,7619],{"id":7618},"how-does-remediation-work-in-audit-contexts","How does remediation work in audit contexts?",[16,7621,7622],{},"During compliance audits, auditors expect to see:",[28,7624,7625,7628,7631,7634,7637],{},[31,7626,7627],{},"A defined process for managing remediation items",[31,7629,7630],{},"Evidence of timely resolution",[31,7632,7633],{},"Follow-up verification that fixes are effective",[31,7635,7636],{},"Escalation procedures for items that miss deadlines",[31,7638,7639],{},"Management oversight of the remediation program",[16,7641,7642],{},"Auditors view an 
organization's ability to remediate findings as an indicator of program maturity. A long list of aging, unresolved findings suggests the compliance program is not being actively managed.",[20,7644,7646],{"id":7645},"what-are-common-challenges-with-remediation","What are common challenges with remediation?",[28,7648,7649,7652,7655,7658,7661],{},[31,7650,7651],{},"Competing priorities between security remediation and business initiatives",[31,7653,7654],{},"Insufficient resources to address all findings in a timely manner",[31,7656,7657],{},"Lack of clear ownership for remediation items",[31,7659,7660],{},"Remediation that addresses symptoms rather than root causes",[31,7662,7663],{},"No verification step to confirm effectiveness",[20,7665,7667],{"id":7666},"how-does-episki-help-with-remediation","How does episki help with remediation?",[16,7669,7670,7671,209],{},"episki provides remediation workflows that track findings from identification through verification. The platform assigns owners, sets deadlines, sends reminders, and reports on progress. Auditors can see the full remediation history for any finding. Learn more on our ",[205,7672,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":7674},[7675],{"id":7413,"depth":212,"text":7414,"children":7676},[7677,7678,7679,7680,7681,7682,7683],{"id":7420,"depth":217,"text":7421},{"id":7491,"depth":217,"text":7492},{"id":7547,"depth":217,"text":7548},{"id":7591,"depth":217,"text":7592},{"id":7618,"depth":217,"text":7619},{"id":7645,"depth":217,"text":7646},{"id":7666,"depth":217,"text":7667},{},"\u002Fglossary\u002Fremediation",[230,231,984],[1420,1421,1667,1952,5749],{"title":7689,"description":7690},"Remediation in Compliance: Definition, Process & Best Practices","Compliance remediation is the process of fixing security gaps and audit findings. 
Learn how to prioritize, track, and close remediation items efficiently.","8.glossary\u002Fremediation","gUhGasusB5qoXZyMJcWGEC3m1KU4Hcwyqjc-ZpOaaho",{"id":7694,"title":7695,"body":7696,"description":211,"extension":224,"lastUpdated":225,"meta":7833,"navigation":227,"path":7834,"relatedFrameworks":7835,"relatedTerms":7836,"seo":7838,"slug":7841,"stem":7842,"term":7701,"__hash__":7843},"glossary\u002F8.glossary\u002Fsoc2-type-1.md","Soc2 Type 1",{"type":8,"value":7697,"toc":7822},[7698,7702,7705,7709,7712,7715,7741,7745,7748,7762,7765,7769,7772,7792,7796,7799,7803,7806,7810,7813,7817],[11,7699,7701],{"id":7700},"what-is-soc-2-type-i","What is SOC 2 Type I?",[16,7703,7704],{},"A SOC 2 Type I report is an independent auditor's assessment of whether an organization's controls are suitably designed to meet one or more Trust Services Criteria at a specific point in time. Unlike a Type II report, which tests controls over a period, a Type I report provides a snapshot of control design on a single date.",[20,7706,7708],{"id":7707},"how-does-a-soc-2-type-i-audit-work","How does a SOC 2 Type I audit work?",[16,7710,7711],{},"During a Type I engagement, the service auditor examines the organization's system description and the controls management has put in place. 
The auditor evaluates whether those controls, if operating as described, would reasonably achieve the relevant Trust Services Criteria objectives.",[16,7713,7714],{},"The process typically involves:",[155,7716,7717,7723,7729,7735],{},[31,7718,7719,7722],{},[34,7720,7721],{},"System description review"," — the auditor reviews a written description of the organization's system, including infrastructure, software, people, procedures, and data",[31,7724,7725,7728],{},[34,7726,7727],{},"Control identification"," — the auditor identifies the controls relevant to the selected Trust Services Criteria",[31,7730,7731,7734],{},[34,7732,7733],{},"Design assessment"," — the auditor evaluates whether each control is suitably designed to meet its objective",[31,7736,7737,7740],{},[34,7738,7739],{},"Report issuance"," — the auditor produces a report with an opinion on the design of controls as of the specified date",[20,7742,7744],{"id":7743},"what-is-the-difference-between-soc-2-type-i-and-type-ii","What is the difference between SOC 2 Type I and Type II?",[16,7746,7747],{},"The key differences between Type I and Type II reports:",[28,7749,7750,7756],{},[31,7751,7752,7755],{},[34,7753,7754],{},"Type I"," assesses control design at a point in time. It answers: \"Are the controls properly designed?\"",[31,7757,7758,7761],{},[34,7759,7760],{},"Type II"," assesses control design and operating effectiveness over a period (typically 3-12 months). It answers: \"Are the controls working as intended over time?\"",[16,7763,7764],{},"Type I reports are faster and less expensive to obtain, but they carry less weight with enterprise buyers. 
Many organizations use a Type I report as a stepping stone while building toward a Type II.",[20,7766,7768],{"id":7767},"when-should-you-pursue-a-soc-2-type-i-report","When should you pursue a SOC 2 Type I report?",[16,7770,7771],{},"A Type I report makes sense in several scenarios:",[28,7773,7774,7780,7786],{},[31,7775,7776,7779],{},[34,7777,7778],{},"First-time SOC 2"," — organizations new to SOC 2 often start with Type I to validate their control design before committing to an observation period",[31,7781,7782,7785],{},[34,7783,7784],{},"Urgent customer requests"," — when a prospect or customer needs a SOC 2 report quickly and cannot wait for a full Type II observation period",[31,7787,7788,7791],{},[34,7789,7790],{},"Significant system changes"," — after a major infrastructure migration or reorganization, a Type I can confirm the redesigned controls are appropriate",[20,7793,7795],{"id":7794},"what-is-the-timeline-and-cost-of-a-soc-2-type-i","What is the timeline and cost of a SOC 2 Type I?",[16,7797,7798],{},"A Type I audit typically takes 2-4 weeks once the organization is audit-ready. The total timeline including preparation can range from 6-12 weeks. Costs vary based on scope and auditor, but Type I engagements generally cost 30-50% less than Type II engagements.",[20,7800,7802],{"id":7801},"what-are-the-limitations-of-soc-2-type-i","What are the limitations of SOC 2 Type I?",[16,7804,7805],{},"Because a Type I report only evaluates design at a single point in time, it does not demonstrate that controls actually operated effectively. An organization could have well-designed controls that are not consistently followed. This is why sophisticated buyers and security teams prefer Type II reports for ongoing vendor assessment.",[20,7807,7809],{"id":7808},"how-do-you-move-from-soc-2-type-i-to-type-ii","How do you move from SOC 2 Type I to Type II?",[16,7811,7812],{},"Most organizations treat Type I as a milestone, not a destination. 
After obtaining a Type I report, the next step is to enter an observation period (typically 3-6 months for the first Type II) during which the auditor can test operating effectiveness. This transition requires maintaining consistent control execution and evidence collection throughout the observation window.",[20,7814,7816],{"id":7815},"how-does-episki-help-with-soc-2-type-i","How does episki help with SOC 2 Type I?",[16,7818,7819,7820,209],{},"episki streamlines Type I readiness by mapping your existing controls to Trust Services Criteria, identifying design gaps, and organizing evidence for your auditor. When you are ready to progress to Type II, episki's continuous evidence collection ensures you are building a track record from day one. Learn more on our ",[205,7821,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":7823},[7824],{"id":7700,"depth":212,"text":7701,"children":7825},[7826,7827,7828,7829,7830,7831,7832],{"id":7707,"depth":217,"text":7708},{"id":7743,"depth":217,"text":7744},{"id":7767,"depth":217,"text":7768},{"id":7794,"depth":217,"text":7795},{"id":7801,"depth":217,"text":7802},{"id":7808,"depth":217,"text":7809},{"id":7815,"depth":217,"text":7816},{},"\u002Fglossary\u002Fsoc2-type-1",[230],[230,422,233,7837],"service-auditor",{"title":7839,"description":7840},"What is SOC 2 Type I? Definition & Compliance Guide","A SOC 2 Type I report evaluates whether an organization's controls are properly designed at a specific point in time. 
Learn how it differs from Type II.","soc2-type-1","8.glossary\u002Fsoc2-type-1","EHxT6-1DQjMWGjjg7PrkF69NI3OUmcc7dNHXFjmXXSk",{"id":7845,"title":7846,"body":7847,"description":211,"extension":224,"lastUpdated":225,"meta":8005,"navigation":227,"path":8006,"relatedFrameworks":8007,"relatedTerms":8008,"seo":8009,"slug":422,"stem":8012,"term":7852,"__hash__":8013},"glossary\u002F8.glossary\u002Fsoc2-type-2.md","Soc2 Type 2",{"type":8,"value":7848,"toc":7994},[7849,7853,7856,7860,7863,7895,7899,7902,7905,7909,7912,7938,7942,7945,7968,7971,7975,7978,7982,7985,7989],[11,7850,7852],{"id":7851},"what-is-soc-2-type-ii","What is SOC 2 Type II?",[16,7854,7855],{},"A SOC 2 Type II report is an independent auditor's assessment of whether an organization's controls are suitably designed and operating effectively over a defined period of time, typically ranging from 3 to 12 months. It is considered the gold standard for demonstrating security posture to customers and partners.",[20,7857,7859],{"id":7858},"how-does-a-soc-2-type-ii-audit-work","How does a SOC 2 Type II audit work?",[16,7861,7862],{},"A Type II engagement goes beyond evaluating control design. The auditor tests whether controls actually operated as intended throughout the observation period. 
This involves:",[155,7864,7865,7871,7877,7883,7889],{},[31,7866,7867,7870],{},[34,7868,7869],{},"Observation period"," — the organization operates its controls for a defined window (commonly 6 or 12 months for mature programs, sometimes 3 months for a first Type II)",[31,7872,7873,7876],{},[34,7874,7875],{},"Evidence sampling"," — the auditor selects samples of evidence from across the observation period to verify controls were consistently executed",[31,7878,7879,7882],{},[34,7880,7881],{},"Testing procedures"," — the auditor performs inquiry, observation, inspection, and re-performance to test each control",[31,7884,7885,7888],{},[34,7886,7887],{},"Exception identification"," — any instances where controls did not operate as designed are documented as exceptions",[31,7890,7891,7894],{},[34,7892,7893],{},"Opinion issuance"," — the auditor issues a report with an opinion on both design suitability and operating effectiveness",[20,7896,7898],{"id":7897},"why-does-soc-2-type-ii-matter","Why does SOC 2 Type II matter?",[16,7900,7901],{},"Enterprise buyers, procurement teams, and security reviewers strongly prefer Type II reports because they demonstrate sustained compliance rather than a point-in-time snapshot. A Type II report provides assurance that security controls are not just designed on paper but are consistently followed in practice.",[16,7903,7904],{},"Many enterprise vendor assessment processes require a current Type II report. 
Without one, sales cycles can stall or deals can be lost to competitors who have the report.",[20,7906,7908],{"id":7907},"what-are-observation-period-considerations-for-soc-2-type-ii","What are observation period considerations for SOC 2 Type II?",[16,7910,7911],{},"The observation period is a critical element of a Type II audit:",[28,7913,7914,7920,7926,7932],{},[31,7915,7916,7919],{},[34,7917,7918],{},"First Type II"," — a 3-month observation period is common for organizations transitioning from Type I",[31,7921,7922,7925],{},[34,7923,7924],{},"Subsequent reports"," — most organizations move to a 12-month observation period to align with annual renewal cycles",[31,7927,7928,7931],{},[34,7929,7930],{},"Gap periods"," — if there is a gap between the end of one report period and the start of the next, customers may flag this as a concern",[31,7933,7934,7937],{},[34,7935,7936],{},"Bridge letters"," — some organizations provide bridge letters to cover gaps between report periods",[20,7939,7941],{"id":7940},"what-do-soc-2-type-ii-auditors-test","What do SOC 2 Type II auditors test?",[16,7943,7944],{},"During a Type II audit, auditors examine evidence such as:",[28,7946,7947,7950,7953,7956,7959,7962,7965],{},[31,7948,7949],{},"Access review documentation and approvals",[31,7951,7952],{},"Change management tickets and approval workflows",[31,7954,7955],{},"Security monitoring alerts and response records",[31,7957,7958],{},"Employee onboarding and offboarding checklists",[31,7960,7961],{},"Vendor assessment records",[31,7963,7964],{},"Incident response logs",[31,7966,7967],{},"Backup and recovery test results",[16,7969,7970],{},"The auditor selects samples across the full observation period to confirm controls operated consistently, not just at the beginning or end.",[20,7972,7974],{"id":7973},"what-are-exceptions-and-qualified-opinions-in-soc-2","What are exceptions and qualified opinions in SOC 2?",[16,7976,7977],{},"If a control did not operate effectively for some 
portion of the period, the auditor documents an exception. A small number of exceptions does not necessarily result in a qualified opinion, but significant or pervasive exceptions can. Organizations should address exceptions promptly and implement corrective actions.",[20,7979,7981],{"id":7980},"how-do-you-maintain-continuous-compliance-after-soc-2-type-ii","How do you maintain continuous compliance after SOC 2 Type II?",[16,7983,7984],{},"The biggest challenge with Type II is not passing the first audit — it is maintaining compliance year after year. Controls must be executed consistently, evidence must be collected on schedule, and new risks must be addressed as they emerge.",[20,7986,7988],{"id":7987},"how-does-episki-help-with-soc-2-type-ii","How does episki help with SOC 2 Type II?",[16,7990,7991,7992,209],{},"episki automates evidence collection on recurring schedules, sends reminders to control owners, and maintains a complete audit trail throughout your observation period. When your auditor arrives, evidence is organized and ready for review. Learn more on our ",[205,7993,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":7995},[7996],{"id":7851,"depth":212,"text":7852,"children":7997},[7998,7999,8000,8001,8002,8003,8004],{"id":7858,"depth":217,"text":7859},{"id":7897,"depth":217,"text":7898},{"id":7907,"depth":217,"text":7908},{"id":7940,"depth":217,"text":7941},{"id":7973,"depth":217,"text":7974},{"id":7980,"depth":217,"text":7981},{"id":7987,"depth":217,"text":7988},{},"\u002Fglossary\u002Fsoc2-type-2",[230],[230,7841,233,7837,1667],{"title":8010,"description":8011},"What is SOC 2 Type II? Definition & Compliance Guide","A SOC 2 Type II report evaluates whether controls operated effectively over a period of time. 
Learn about observation periods, audit processes, and requirements.","8.glossary\u002Fsoc2-type-2","Lt5yNICwvtnPL68-78__bdkfP_05abKmQbB56jmwocg",{"id":8015,"title":8016,"body":8017,"description":211,"extension":224,"lastUpdated":225,"meta":8150,"navigation":227,"path":8151,"relatedFrameworks":8152,"relatedTerms":8153,"seo":8155,"slug":230,"stem":8158,"term":8022,"__hash__":8159},"glossary\u002F8.glossary\u002Fsoc2.md","Soc2",{"type":8,"value":8018,"toc":8141},[8019,8023,8026,8030,8033,8065,8068,8070,8084,8087,8091,8094,8098,8101,8132,8136],[11,8020,8022],{"id":8021},"what-is-soc-2","What is SOC 2?",[16,8024,8025],{},"SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations protect customer data. It is one of the most requested security attestation reports for SaaS companies and technology vendors.",[20,8027,8029],{"id":8028},"what-are-the-soc-2-trust-services-criteria","What are the SOC 2 Trust Services Criteria?",[16,8031,8032],{},"SOC 2 is built around five Trust Services Criteria (TSC):",[28,8034,8035,8041,8047,8053,8059],{},[31,8036,8037,8040],{},[34,8038,8039],{},"Security"," (required) — protection against unauthorized access",[31,8042,8043,8046],{},[34,8044,8045],{},"Availability"," — system uptime and operational reliability",[31,8048,8049,8052],{},[34,8050,8051],{},"Processing integrity"," — accurate and complete data processing",[31,8054,8055,8058],{},[34,8056,8057],{},"Confidentiality"," — protection of confidential information",[31,8060,8061,8064],{},[34,8062,8063],{},"Privacy"," — handling of personal information per commitments",[16,8066,8067],{},"Most organizations start with Security and add additional criteria based on customer requirements.",[20,8069,7744],{"id":7743},[28,8071,8072,8078],{},[31,8073,8074,8077],{},[34,8075,8076],{},"SOC 2 Type I"," evaluates whether controls are designed appropriately at a specific point in time",[31,8079,8080,8083],{},[34,8081,8082],{},"SOC 2 
Type II"," evaluates whether controls operated effectively over a period (typically 3-12 months)",[16,8085,8086],{},"Type II reports carry more weight with enterprise buyers because they demonstrate sustained compliance rather than a single snapshot.",[20,8088,8090],{"id":8089},"who-needs-soc-2","Who needs SOC 2?",[16,8092,8093],{},"SOC 2 is not legally required, but it is effectively mandatory for SaaS companies selling to enterprises. Buyers, procurement teams, and security reviewers routinely request SOC 2 reports as part of vendor diligence.",[20,8095,8097],{"id":8096},"how-long-does-a-soc-2-audit-take","How long does a SOC 2 audit take?",[16,8099,8100],{},"A typical timeline:",[28,8102,8103,8109,8115,8120,8126],{},[31,8104,8105,8108],{},[34,8106,8107],{},"Readiness assessment:"," 2-4 weeks",[31,8110,8111,8114],{},[34,8112,8113],{},"Remediation:"," 4-12 weeks depending on gaps",[31,8116,8117,8108],{},[34,8118,8119],{},"Type I audit:",[31,8121,8122,8125],{},[34,8123,8124],{},"Observation period for Type II:"," 3-12 months",[31,8127,8128,8131],{},[34,8129,8130],{},"Type II audit:"," 4-6 weeks",[20,8133,8135],{"id":8134},"how-does-episki-help-with-soc-2","How does episki help with SOC 2?",[16,8137,8138,8139,209],{},"episki maps controls to Trust Services Criteria, tracks evidence with ownership and review cadences, and provides auditor portals for streamlined collaboration. Learn more on our ",[205,8140,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":8142},[8143],{"id":8021,"depth":212,"text":8022,"children":8144},[8145,8146,8147,8148,8149],{"id":8028,"depth":217,"text":8029},{"id":7743,"depth":217,"text":7744},{"id":8089,"depth":217,"text":8090},{"id":8096,"depth":217,"text":8097},{"id":8134,"depth":217,"text":8135},{},"\u002Fglossary\u002Fsoc2",[230],[233,7841,422,7837,8154],"ssae-18",{"title":8156,"description":8157},"What is SOC 2? 
Compliance Requirements Explained","SOC 2 is an auditing framework for service organizations based on five Trust Services Criteria. Learn about SOC 2 Type I vs Type II, audit timelines, and what it takes to get compliant.","8.glossary\u002Fsoc2","o9uC6hQlC9MVugjDvZBvvKcA5FJzrAzuVbqCBjKgWaQ",{"id":8161,"title":8162,"body":8163,"description":211,"extension":224,"lastUpdated":225,"meta":8323,"navigation":227,"path":8324,"relatedFrameworks":8325,"relatedTerms":8326,"seo":8327,"slug":8154,"stem":8330,"term":8168,"__hash__":8331},"glossary\u002F8.glossary\u002Fssae-18.md","Ssae 18",{"type":8,"value":8164,"toc":8313},[8165,8169,8172,8176,8179,8205,8208,8212,8215,8234,8237,8241,8244,8270,8274,8277,8291,8294,8298,8301,8304,8308],[11,8166,8168],{"id":8167},"what-is-ssae-18","What is SSAE 18?",[16,8170,8171],{},"SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the professional standard issued by the AICPA that governs how attestation engagements, including SOC 1, SOC 2, and SOC 3 examinations, are performed in the United States. It provides the authoritative guidance that service auditors must follow when conducting these engagements.",[20,8173,8175],{"id":8174},"what-is-the-background-and-history-of-ssae-18","What is the background and history of SSAE 18?",[16,8177,8178],{},"SSAE 18 replaced SSAE 16 in May 2017. 
The update introduced several important changes:",[28,8180,8181,8187,8193,8199],{},[31,8182,8183,8186],{},[34,8184,8185],{},"Risk assessment requirements"," — auditors must perform a formal risk assessment as part of planning the engagement",[31,8188,8189,8192],{},[34,8190,8191],{},"Monitoring of subservice organizations"," — organizations that use subservice providers (such as cloud hosting providers) must demonstrate monitoring of those providers' controls",[31,8194,8195,8198],{},[34,8196,8197],{},"Written assertion"," — management must provide a written assertion about the effectiveness of their controls",[31,8200,8201,8204],{},[34,8202,8203],{},"Clarified engagement standards"," — the standard consolidated and clarified previous attestation guidance",[16,8206,8207],{},"These changes strengthened the rigor of SOC engagements and aligned US attestation standards more closely with international practices.",[20,8209,8211],{"id":8210},"how-does-ssae-18-relate-to-soc-reports","How does SSAE 18 relate to SOC reports?",[16,8213,8214],{},"SSAE 18 is the umbrella standard under which SOC reports are issued:",[28,8216,8217,8223,8228],{},[31,8218,8219,8222],{},[34,8220,8221],{},"SOC 1"," — examines controls relevant to user entities' financial reporting (performed under AT-C Section 320)",[31,8224,8225,8227],{},[34,8226,36],{}," — examines controls related to security, availability, processing integrity, confidentiality, and privacy (performed under AT-C Section 205)",[31,8229,8230,8233],{},[34,8231,8232],{},"SOC 3"," — a general-use version of SOC 2 with a shortened report format",[16,8235,8236],{},"The standard defines the auditor's responsibilities, the required elements of the report, and the criteria for issuing opinions.",[20,8238,8240],{"id":8239},"what-are-the-key-requirements-under-ssae-18","What are the key requirements under SSAE 18?",[16,8242,8243],{},"Organizations undergoing SOC engagements should understand several key 
requirements:",[28,8245,8246,8252,8258,8264],{},[31,8247,8248,8251],{},[34,8249,8250],{},"Management's assertion"," — the organization's management must formally assert that their system description is accurate and that controls are suitably designed (and operating effectively for Type II)",[31,8253,8254,8257],{},[34,8255,8256],{},"Subservice organization oversight"," — if the organization relies on third-party providers (such as AWS, Azure, or a data center), it must demonstrate how it monitors those providers' controls",[31,8259,8260,8263],{},[34,8261,8262],{},"System description"," — the organization must prepare a detailed description of its system, including infrastructure, software, people, procedures, and data",[31,8265,8266,8269],{},[34,8267,8268],{},"Control environment"," — the organization must maintain a defined control environment with clear ownership and accountability",[20,8271,8273],{"id":8272},"how-does-ssae-18-treat-subservice-organizations","How does SSAE 18 treat subservice organizations?",[16,8275,8276],{},"One of the most significant aspects of SSAE 18 is the treatment of subservice organizations. Companies can present subservice organizations in their SOC report using one of two methods:",[28,8278,8279,8285],{},[31,8280,8281,8284],{},[34,8282,8283],{},"Inclusive method"," — the subservice organization's controls are included within the scope of the report",[31,8286,8287,8290],{},[34,8288,8289],{},"Carve-out method"," — the subservice organization's controls are excluded from scope, and the report notes that certain controls are the responsibility of the subservice organization",[16,8292,8293],{},"Most organizations use the carve-out method, referencing their cloud provider's own SOC 2 report as complementary evidence.",[20,8295,8297],{"id":8296},"why-does-ssae-18-matter","Why does SSAE 18 matter?",[16,8299,8300],{},"Understanding SSAE 18 helps organizations prepare more effectively for SOC engagements. 
It sets expectations for what auditors will require and what management must provide. Organizations that are unfamiliar with these requirements often face delays and additional costs during the audit process.",[16,8302,8303],{},"For buyers reviewing SOC 2 reports, understanding that the report was issued under SSAE 18 provides confidence that it meets a rigorous professional standard.",[20,8305,8307],{"id":8306},"how-does-episki-help-with-ssae-18","How does episki help with SSAE 18?",[16,8309,8310,8311,209],{},"episki structures your compliance program to align with SSAE 18 requirements, including system description preparation, subservice organization tracking, and management assertion documentation. This ensures your organization is audit-ready when the service auditor begins their engagement. Learn more on our ",[205,8312,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":8314},[8315],{"id":8167,"depth":212,"text":8168,"children":8316},[8317,8318,8319,8320,8321,8322],{"id":8174,"depth":217,"text":8175},{"id":8210,"depth":217,"text":8211},{"id":8239,"depth":217,"text":8240},{"id":8272,"depth":217,"text":8273},{"id":8296,"depth":217,"text":8297},{"id":8306,"depth":217,"text":8307},{},"\u002Fglossary\u002Fssae-18",[230],[230,7837,7841,422],{"title":8328,"description":8329},"What is SSAE 18? Definition & Compliance Guide","SSAE 18 is the attestation standard governing SOC 1, SOC 2, and SOC 3 audits in the United States. 
Learn how it shapes audit requirements and reporting.","8.glossary\u002Fssae-18","NaTe99emRS8D5qz9QNNVptILFWyKwKCnH1XjCtiNv6s",{"id":8333,"title":8334,"body":8335,"description":211,"extension":224,"lastUpdated":225,"meta":8556,"navigation":227,"path":8557,"relatedFrameworks":8558,"relatedTerms":8559,"seo":8560,"slug":8563,"stem":8564,"term":8340,"__hash__":8565},"glossary\u002F8.glossary\u002Fsecurity-awareness-training.md","Security Awareness Training",{"type":8,"value":8336,"toc":8545},[8337,8341,8344,8348,8351,8368,8372,8375,8423,8427,8449,8453,8456,8488,8492,8495,8512,8516,8519,8536,8540],[11,8338,8340],{"id":8339},"what-is-security-awareness-training","What is Security Awareness Training?",[16,8342,8343],{},"Security awareness training is an educational program designed to teach employees about cybersecurity threats, security best practices, and their responsibilities for protecting organizational data and systems. Human error remains one of the leading causes of security incidents, making awareness training a critical control for reducing risk. Every major compliance framework requires or strongly recommends security awareness training.",[20,8345,8347],{"id":8346},"why-does-security-awareness-training-matter","Why does security awareness training matter?",[16,8349,8350],{},"Technology controls alone cannot prevent all security incidents. Employees interact with sensitive data, click links, open attachments, and make decisions that affect security every day. 
Effective training:",[28,8352,8353,8356,8359,8362,8365],{},[31,8354,8355],{},"Reduces the likelihood of successful phishing and social engineering attacks",[31,8357,8358],{},"Helps employees recognize and report suspicious activity",[31,8360,8361],{},"Builds a security-conscious culture throughout the organization",[31,8363,8364],{},"Meets compliance requirements across multiple frameworks",[31,8366,8367],{},"Reduces the frequency and impact of human-caused security incidents",[20,8369,8371],{"id":8370},"what-are-the-core-security-awareness-training-topics","What are the core security awareness training topics?",[16,8373,8374],{},"A comprehensive security awareness program typically covers:",[28,8376,8377,8383,8389,8394,8400,8406,8411,8417],{},[31,8378,8379,8382],{},[34,8380,8381],{},"Phishing and social engineering"," — how to identify and respond to phishing emails, phone-based pretexting, and other manipulation techniques",[31,8384,8385,8388],{},[34,8386,8387],{},"Password security"," — creating strong passwords, using password managers, and understanding multi-factor authentication",[31,8390,8391,8393],{},[34,8392,290],{}," — proper classification, storage, transmission, and disposal of sensitive data",[31,8395,8396,8399],{},[34,8397,8398],{},"Physical security"," — securing workstations, preventing tailgating, and protecting physical access badges",[31,8401,8402,8405],{},[34,8403,8404],{},"Remote work security"," — securing home networks, using VPNs, and protecting devices outside the office",[31,8407,8408,8410],{},[34,8409,308],{}," — how and when to report suspected security incidents",[31,8412,8413,8416],{},[34,8414,8415],{},"Acceptable use"," — organizational policies on technology use, internet access, and personal devices",[31,8418,8419,8422],{},[34,8420,8421],{},"Regulatory requirements"," — specific requirements based on the organization's compliance obligations (HIPAA for healthcare, PCI DSS for payment card 
handling)",[20,8424,8426],{"id":8425},"what-training-requirements-apply-by-framework","What training requirements apply by framework?",[28,8428,8429,8434,8439,8444],{},[31,8430,8431,8433],{},[34,8432,36],{}," — CC1.4 requires that the organization demonstrates a commitment to attract, develop, and retain competent individuals, including security training",[31,8435,8436,8438],{},[34,8437,42],{}," — control A.6.3 requires information security awareness, education, and training",[31,8440,8441,8443],{},[34,8442,605],{}," — the Security Rule requires security awareness and training for all workforce members (45 CFR 164.308(a)(5))",[31,8445,8446,8448],{},[34,8447,48],{}," — Requirement 12.6 requires security awareness training for all personnel upon hire and at least annually",[20,8450,8452],{"id":8451},"how-often-should-training-be-delivered-and-how","How often should training be delivered, and how?",[16,8454,8455],{},"Best practices for training delivery include:",[28,8457,8458,8464,8470,8476,8482],{},[31,8459,8460,8463],{},[34,8461,8462],{},"Upon hire"," — all new employees should complete security awareness training during onboarding",[31,8465,8466,8469],{},[34,8467,8468],{},"Annual refresher"," — all employees should complete refresher training at least annually",[31,8471,8472,8475],{},[34,8473,8474],{},"Role-specific training"," — employees in high-risk roles (developers, administrators, finance) should receive additional targeted training",[31,8477,8478,8481],{},[34,8479,8480],{},"Continuous reinforcement"," — supplement formal training with simulated phishing campaigns, security tips, and brief micro-learning modules throughout the year",[31,8483,8484,8487],{},[34,8485,8486],{},"Triggered training"," — require additional training when an employee fails a phishing simulation or is involved in a security incident",[20,8489,8491],{"id":8490},"how-do-you-measure-training-effectiveness","How do you measure training effectiveness?",[16,8493,8494],{},"Training 
effectiveness should be measured through:",[28,8496,8497,8500,8503,8506,8509],{},[31,8498,8499],{},"Phishing simulation click rates (tracked over time to show improvement)",[31,8501,8502],{},"Training completion rates",[31,8504,8505],{},"Security incident trends related to human factors",[31,8507,8508],{},"Employee knowledge assessments (quizzes or surveys)",[31,8510,8511],{},"Time to report suspicious activity",[20,8513,8515],{"id":8514},"what-training-evidence-do-auditors-look-for","What training evidence do auditors look for?",[16,8517,8518],{},"Auditors expect to see:",[28,8520,8521,8524,8527,8530,8533],{},[31,8522,8523],{},"Training policy documenting requirements and frequency",[31,8525,8526],{},"Records of training completion for all employees",[31,8528,8529],{},"Training content covering relevant topics",[31,8531,8532],{},"Phishing simulation results and trends",[31,8534,8535],{},"Evidence of new hire training",[20,8537,8539],{"id":8538},"how-does-episki-help-with-security-awareness-training","How does episki help with security awareness training?",[16,8541,8542,8543,209],{},"episki tracks security awareness training completion, sends reminders to employees and managers, and maintains training records as compliance evidence. The platform integrates with popular training providers and maps training requirements to framework controls. Learn more on our ",[205,8544,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":8546},[8547],{"id":8339,"depth":212,"text":8340,"children":8548},[8549,8550,8551,8552,8553,8554,8555],{"id":8346,"depth":217,"text":8347},{"id":8370,"depth":217,"text":8371},{"id":8425,"depth":217,"text":8426},{"id":8451,"depth":217,"text":8452},{"id":8490,"depth":217,"text":8491},{"id":8514,"depth":217,"text":8515},{"id":8538,"depth":217,"text":8539},{},"\u002Fglossary\u002Fsecurity-awareness-training",[982,230,231,983,984],[992,1179,1667,1175],{"title":8561,"description":8562},"What is Security Awareness Training? 
Definition & Compliance Guide","Security awareness training educates employees about cybersecurity threats and best practices. Learn what to include and how it satisfies compliance requirements.","security-awareness-training","8.glossary\u002Fsecurity-awareness-training","xgD6bzRoOy6RZm_k9NAZRMfP5cKo0j-xLN3LeofSjwI",{"id":8567,"title":8568,"body":8569,"description":211,"extension":224,"lastUpdated":225,"meta":8779,"navigation":227,"path":8780,"relatedFrameworks":8781,"relatedTerms":8782,"seo":8784,"slug":8787,"stem":8788,"term":8574,"__hash__":8789},"glossary\u002F8.glossary\u002Fthird-party-risk.md","Third Party Risk",{"type":8,"value":8570,"toc":8769},[8571,8575,8578,8582,8585,8629,8633,8636,8668,8672,8675,8702,8706,8709,8753,8757,8760,8764],[11,8572,8574],{"id":8573},"what-is-third-party-risk","What is Third-Party Risk?",[16,8576,8577],{},"Third-party risk is the potential for negative outcomes — including data breaches, operational disruptions, compliance violations, and reputational damage — arising from an organization's relationships with external vendors, partners, and service providers. 
As modern organizations depend on extensive networks of third parties, managing this risk has become a critical discipline within information security and compliance programs.",[20,8579,8581],{"id":8580},"what-are-the-types-of-third-party-risk","What are the types of third-party risk?",[16,8583,8584],{},"Third-party risk encompasses several categories:",[28,8586,8587,8593,8599,8605,8611,8617,8623],{},[31,8588,8589,8592],{},[34,8590,8591],{},"Security risk"," — the vendor's security weaknesses could lead to unauthorized access to your data or systems",[31,8594,8595,8598],{},[34,8596,8597],{},"Compliance risk"," — the vendor's practices may not meet regulatory requirements, creating liability for your organization",[31,8600,8601,8604],{},[34,8602,8603],{},"Operational risk"," — vendor outages, service failures, or business disruptions could impact your operations",[31,8606,8607,8610],{},[34,8608,8609],{},"Financial risk"," — vendor financial instability could threaten service continuity",[31,8612,8613,8616],{},[34,8614,8615],{},"Reputational risk"," — a vendor's public security incident or ethical violation could damage your brand",[31,8618,8619,8622],{},[34,8620,8621],{},"Strategic risk"," — over-reliance on a single vendor creates concentration risk",[31,8624,8625,8628],{},[34,8626,8627],{},"Data risk"," — the vendor may mishandle, lose, or improperly disclose your data",[20,8630,8632],{"id":8631},"why-is-third-party-risk-growing","Why is third-party risk growing?",[16,8634,8635],{},"Several trends are increasing third-party risk exposure:",[28,8637,8638,8644,8650,8656,8662],{},[31,8639,8640,8643],{},[34,8641,8642],{},"Cloud adoption"," — organizations store sensitive data with cloud providers and SaaS applications",[31,8645,8646,8649],{},[34,8647,8648],{},"Supply chain complexity"," — vendors use their own vendors (fourth parties), creating layers of risk",[31,8651,8652,8655],{},[34,8653,8654],{},"Data sharing"," — business processes increasingly require sharing 
data with external parties",[31,8657,8658,8661],{},[34,8659,8660],{},"Remote work"," — distributed workforces rely on more external tools and services",[31,8663,8664,8667],{},[34,8665,8666],{},"Regulatory expansion"," — regulators increasingly hold organizations accountable for their vendors' practices",[20,8669,8671],{"id":8670},"how-do-compliance-frameworks-address-third-party-risk","How do compliance frameworks address third-party risk?",[16,8673,8674],{},"Compliance frameworks address third-party risk explicitly:",[28,8676,8677,8682,8687,8692,8697],{},[31,8678,8679,8681],{},[34,8680,36],{}," — CC9.2 requires assessing risks from vendor relationships. The SSAE 18 standard also requires monitoring subservice organizations.",[31,8683,8684,8686],{},[34,8685,42],{}," — Annex A controls A.5.19 through A.5.23 address supplier relationship security, including policies, assessment, and monitoring",[31,8688,8689,8691],{},[34,8690,54],{}," — the Govern function includes supply chain risk management expectations",[31,8693,8694,8696],{},[34,8695,605],{}," — requires BAAs with business associates and oversight of how they handle PHI",[31,8698,8699,8701],{},[34,8700,48],{}," — Requirement 12.8 requires maintaining and monitoring service provider relationships",[20,8703,8705],{"id":8704},"how-do-you-manage-third-party-risk","How do you manage third-party risk?",[16,8707,8708],{},"Effective third-party risk management involves:",[155,8710,8711,8717,8723,8729,8735,8741,8747],{},[31,8712,8713,8716],{},[34,8714,8715],{},"Inventory"," — know all your third parties and what data or systems they can access",[31,8718,8719,8722],{},[34,8720,8721],{},"Assess"," — evaluate each third party's security posture before and during the relationship",[31,8724,8725,8728],{},[34,8726,8727],{},"Tier"," — classify third parties by risk level to allocate assessment effort appropriately",[31,8730,8731,8734],{},[34,8732,8733],{},"Contract"," — include security requirements, breach notification clauses, and 
audit rights",[31,8736,8737,8740],{},[34,8738,8739],{},"Monitor"," — continuously track vendor security posture, not just at onboarding",[31,8742,8743,8746],{},[34,8744,8745],{},"Respond"," — have plans for responding to vendor incidents, including data breaches and service outages",[31,8748,8749,8752],{},[34,8750,8751],{},"Exit"," — plan for vendor transitions, ensuring data is returned or destroyed and access is revoked",[20,8754,8756],{"id":8755},"what-is-fourth-party-risk","What is fourth-party risk?",[16,8758,8759],{},"An often-overlooked dimension is fourth-party risk — the risk from your vendors' vendors. If your SaaS provider stores data on a cloud platform that is breached, you are affected even though you have no direct relationship with the cloud provider. Understanding and addressing fourth-party risk requires knowing your vendors' critical subservice organizations.",[20,8761,8763],{"id":8762},"how-does-episki-help-with-third-party-risk","How does episki help with third-party risk?",[16,8765,8766,8767,209],{},"episki provides a centralized platform for managing third-party risk, including vendor inventories, risk assessments, contract tracking, and continuous monitoring. The platform maps vendor relationships to compliance framework requirements and flags vendors that require reassessment. Learn more on our ",[205,8768,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":8770},[8771],{"id":8573,"depth":212,"text":8574,"children":8772},[8773,8774,8775,8776,8777,8778],{"id":8580,"depth":217,"text":8581},{"id":8631,"depth":217,"text":8632},{"id":8670,"depth":217,"text":8671},{"id":8704,"depth":217,"text":8705},{"id":8755,"depth":217,"text":8756},{"id":8762,"depth":217,"text":8763},{},"\u002Fglossary\u002Fthird-party-risk",[230,231,985],[8783,1420,1421,1178],"vendor-risk-management",{"title":8785,"description":8786},"What is Third-Party Risk? 
Definition & Compliance Guide","Third-party risk is the potential for security incidents, data breaches, or operational disruption originating from your vendors and service providers.","third-party-risk","8.glossary\u002Fthird-party-risk","Dxu5bTWIkyoD6ZHRPLQgh07uV8r8_KtcEKritXx39Ao",{"id":8791,"title":6835,"body":8792,"description":211,"extension":224,"lastUpdated":225,"meta":8990,"navigation":227,"path":8991,"relatedFrameworks":8992,"relatedTerms":8993,"seo":8994,"slug":2635,"stem":8997,"term":8797,"__hash__":8998},"glossary\u002F8.glossary\u002Ftokenization.md",{"type":8,"value":8793,"toc":8979},[8794,8798,8801,8805,8808,8840,8844,8847,8859,8862,8866,8869,8880,8883,8887,8913,8917,8920,8946,8950,8953,8970,8974],[11,8795,8797],{"id":8796},"what-is-tokenization","What is Tokenization?",[16,8799,8800],{},"Tokenization is a data protection technique that replaces sensitive data elements — most commonly the Primary Account Number (PAN) — with non-sensitive substitutes called tokens. The tokens retain the format and certain properties of the original data but have no exploitable value if compromised. 
The actual sensitive data is stored securely in a token vault maintained by the tokenization provider.",[20,8802,8804],{"id":8803},"how-does-tokenization-work","How does tokenization work?",[16,8806,8807],{},"The tokenization process follows a straightforward flow:",[155,8809,8810,8816,8822,8828,8834],{},[31,8811,8812,8815],{},[34,8813,8814],{},"Data capture"," — the original sensitive data (such as a PAN) is captured at the point of entry",[31,8817,8818,8821],{},[34,8819,8820],{},"Token generation"," — the tokenization system generates a unique token to represent the data",[31,8823,8824,8827],{},[34,8825,8826],{},"Secure storage"," — the original data is stored in a secure token vault with strict access controls",[31,8829,8830,8833],{},[34,8831,8832],{},"Token distribution"," — the token is returned to the requesting system and used in place of the original data for all downstream processing",[31,8835,8836,8839],{},[34,8837,8838],{},"Detokenization"," — when the original data is needed (such as for settlement), authorized systems request detokenization from the vault",[20,8841,8843],{"id":8842},"what-is-the-difference-between-tokenization-and-encryption","What is the difference between tokenization and encryption?",[16,8845,8846],{},"While both tokenization and encryption protect sensitive data, they work differently:",[28,8848,8849,8854],{},[31,8850,8851,8853],{},[34,8852,2334],{}," transforms data using a mathematical algorithm and a key. The encrypted data (ciphertext) can be reversed to the original data using the correct key. If the key is compromised, all encrypted data is at risk.",[31,8855,8856,8858],{},[34,8857,6835],{}," replaces data with an unrelated token. There is no mathematical relationship between the token and the original data. 
Compromising a token provides no path to the original data.",[16,8860,8861],{},"Both approaches are recognized by PCI DSS for rendering PAN unreadable, but tokenization offers a unique advantage: systems that only handle tokens are not processing actual cardholder data and may be removed from PCI DSS scope.",[20,8863,8865],{"id":8864},"what-are-scope-reduction-benefits","What are scope reduction benefits?",[16,8867,8868],{},"The primary driver for tokenization in PCI DSS environments is scope reduction:",[28,8870,8871,8874,8877],{},[31,8872,8873],{},"Systems that receive and process tokens instead of PAN are not part of the cardholder data environment",[31,8875,8876],{},"Fewer systems in scope means fewer controls to implement and less evidence to collect",[31,8878,8879],{},"Reduced scope translates directly to lower compliance costs and shorter assessment timelines",[16,8881,8882],{},"For example, if a merchant's e-commerce platform receives a token from a payment gateway and passes that token to its order management and fulfillment systems, those downstream systems may be out of PCI DSS scope because they never handle actual PAN.",[20,8884,8886],{"id":8885},"what-are-the-types-of-tokenization","What are the types of tokenization?",[28,8888,8889,8895,8901,8907],{},[31,8890,8891,8894],{},[34,8892,8893],{},"Payment tokenization"," — specifically designed for payment card data, often provided by payment processors or gateways",[31,8896,8897,8900],{},[34,8898,8899],{},"Network tokenization"," — issued by payment networks (Visa, Mastercard) to replace PAN for specific merchant-consumer relationships",[31,8902,8903,8906],{},[34,8904,8905],{},"Vault-based tokenization"," — uses a central token vault to store the mapping between tokens and original data",[31,8908,8909,8912],{},[34,8910,8911],{},"Vaultless tokenization"," — generates tokens algorithmically without a central mapping database, using format-preserving 
techniques",[20,8914,8916],{"id":8915},"how-is-tokenization-used-in-practice","How is tokenization used in practice?",[16,8918,8919],{},"Common tokenization implementations include:",[28,8921,8922,8928,8934,8940],{},[31,8923,8924,8927],{},[34,8925,8926],{},"Payment gateways"," — Stripe, Braintree, and similar providers tokenize card data so merchants never handle raw PAN",[31,8929,8930,8933],{},[34,8931,8932],{},"Mobile wallets"," — Apple Pay and Google Pay use network tokenization to protect card data during mobile payments",[31,8935,8936,8939],{},[34,8937,8938],{},"Recurring billing"," — merchants store tokens to enable subscription billing without retaining PAN",[31,8941,8942,8945],{},[34,8943,8944],{},"Data warehousing"," — tokenize PAN in analytics and reporting systems to remove them from scope",[20,8947,8949],{"id":8948},"how-do-you-choose-a-tokenization-solution","How do you choose a tokenization solution?",[16,8951,8952],{},"When evaluating tokenization solutions, consider:",[28,8954,8955,8958,8961,8964,8967],{},[31,8956,8957],{},"Whether the solution is PCI DSS validated",[31,8959,8960],{},"Token vault security and access controls",[31,8962,8963],{},"Integration capabilities with your existing systems",[31,8965,8966],{},"Support for detokenization when needed",[31,8968,8969],{},"Format-preserving options if downstream systems require specific data formats",[20,8971,8973],{"id":8972},"how-does-episki-help-with-tokenization","How does episki help with tokenization?",[16,8975,8976,8977,209],{},"episki helps you document your tokenization implementation, track which systems handle tokens versus PAN, and maintain your scope reduction documentation for PCI DSS assessments. 
Learn more on our ",[205,8978,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":8980},[8981],{"id":8796,"depth":212,"text":8797,"children":8982},[8983,8984,8985,8986,8987,8988,8989],{"id":8803,"depth":217,"text":8804},{"id":8842,"depth":217,"text":8843},{"id":8864,"depth":217,"text":8865},{"id":8885,"depth":217,"text":8886},{"id":8915,"depth":217,"text":8916},{"id":8948,"depth":217,"text":8949},{"id":8972,"depth":217,"text":8973},{},"\u002Fglossary\u002Ftokenization",[984],[6684,2176,6680,6941,933],{"title":8995,"description":8996},"What is Tokenization? Definition & Compliance Guide","Tokenization replaces sensitive data like credit card numbers with non-sensitive tokens to reduce PCI DSS scope and protect cardholder data.","8.glossary\u002Ftokenization","yVKUeTM8Vxw66Ob6GPnS9Wye4I-5bNqg_bNV_V5C2xo",{"id":9000,"title":3744,"body":9001,"description":211,"extension":224,"lastUpdated":225,"meta":9132,"navigation":227,"path":9133,"relatedFrameworks":9134,"relatedTerms":9135,"seo":9136,"slug":233,"stem":9139,"term":9006,"__hash__":9140},"glossary\u002F8.glossary\u002Ftrust-services-criteria.md",{"type":8,"value":9002,"toc":9122},[9003,9007,9010,9014,9017,9044,9048,9051,9054,9058,9061,9090,9093,9097,9100,9103,9107,9110,9113,9117],[11,9004,9006],{"id":9005},"what-is-trust-services-criteria","What is Trust Services Criteria?",[16,9008,9009],{},"Trust Services Criteria (TSC) are the foundational categories defined by the American Institute of Certified Public Accountants (AICPA) that form the basis of SOC 2 audits. They provide a structured set of principles against which a service organization's controls are evaluated. 
Understanding TSC is essential for any company pursuing SOC 2 compliance.",[20,9011,9013],{"id":9012},"what-are-the-five-trust-services-criteria-categories","What are the five Trust Services Criteria categories?",[16,9015,9016],{},"The Trust Services Criteria are organized into five categories:",[28,9018,9019,9024,9029,9034,9039],{},[31,9020,9021,9023],{},[34,9022,8039],{}," — the only required category in every SOC 2 engagement, covering protection of systems and data against unauthorized access, both physical and logical",[31,9025,9026,9028],{},[34,9027,8045],{}," — addresses whether systems are operational and accessible as committed in service-level agreements or contracts",[31,9030,9031,9033],{},[34,9032,8051],{}," — evaluates whether system processing is complete, valid, accurate, timely, and authorized",[31,9035,9036,9038],{},[34,9037,8057],{}," — focuses on protecting information designated as confidential, such as trade secrets, intellectual property, or business plans",[31,9040,9041,9043],{},[34,9042,8063],{}," — concerns the collection, use, retention, disclosure, and disposal of personal information in accordance with an organization's privacy notice",[20,9045,9047],{"id":9046},"how-does-the-trust-services-criteria-relate-to-soc-2","How does the Trust Services Criteria relate to SOC 2?",[16,9049,9050],{},"Every SOC 2 audit is built around one or more Trust Services Criteria. The Security category (also known as the Common Criteria) is mandatory. Organizations then select additional categories based on the nature of their services and what their customers or prospects require.",[16,9052,9053],{},"For example, a cloud infrastructure provider may include Availability because uptime guarantees are central to its business. A data analytics company might include Processing Integrity to demonstrate accuracy of its outputs. 
A healthcare SaaS product may include Privacy to address handling of personal information.",[20,9055,9057],{"id":9056},"what-are-the-common-criteria-cc-series","What are the Common Criteria (CC series)?",[16,9059,9060],{},"The Security category is broken into a series of Common Criteria points (CC1 through CC9) that address topics like:",[28,9062,9063,9066,9069,9072,9075,9078,9081,9084,9087],{},[31,9064,9065],{},"CC1: Control environment",[31,9067,9068],{},"CC2: Communication and information",[31,9070,9071],{},"CC3: Risk assessment",[31,9073,9074],{},"CC4: Monitoring activities",[31,9076,9077],{},"CC5: Control activities",[31,9079,9080],{},"CC6: Logical and physical access controls",[31,9082,9083],{},"CC7: System operations",[31,9085,9086],{},"CC8: Change management",[31,9088,9089],{},"CC9: Risk mitigation",[16,9091,9092],{},"These Common Criteria points also serve as a foundation for the other four categories. Additional criteria specific to Availability, Processing Integrity, Confidentiality, and Privacy supplement the common set.",[20,9094,9096],{"id":9095},"why-does-tsc-matter-for-your-organization","Why does TSC matter for your organization?",[16,9098,9099],{},"Selecting the right Trust Services Criteria directly impacts the scope, cost, and duration of your SOC 2 audit. Choosing too few categories might not satisfy customer requirements. Choosing too many can increase the number of controls you need to implement and the evidence you need to collect, driving up both effort and audit fees.",[16,9101,9102],{},"A strategic approach is to start with Security (required) and one or two additional categories that align with customer demand, then expand over time as your compliance program matures.",[20,9104,9106],{"id":9105},"how-do-you-map-controls-to-the-trust-services-criteria","How do you map controls to the Trust Services Criteria?",[16,9108,9109],{},"Each Trust Services Criteria category includes specific points of focus that guide what controls should exist. 
Organizations must map their internal controls to these points and collect evidence showing the controls are designed and operating effectively.",[16,9111,9112],{},"This mapping exercise is a core part of SOC 2 readiness. It identifies gaps where new controls are needed and highlights areas where existing processes already satisfy the criteria.",[20,9114,9116],{"id":9115},"how-does-episki-help-with-the-trust-services-criteria","How does episki help with the Trust Services Criteria?",[16,9118,9119,9120,209],{},"episki provides pre-built control mappings to all five Trust Services Criteria categories, making it straightforward to see which controls satisfy which criteria points. The platform tracks evidence collection tied to each control and flags gaps before your auditor arrives. Learn more on our ",[205,9121,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":9123},[9124],{"id":9005,"depth":212,"text":9006,"children":9125},[9126,9127,9128,9129,9130,9131],{"id":9012,"depth":217,"text":9013},{"id":9046,"depth":217,"text":9047},{"id":9056,"depth":217,"text":9057},{"id":9095,"depth":217,"text":9096},{"id":9105,"depth":217,"text":9106},{"id":9115,"depth":217,"text":9116},{},"\u002Fglossary\u002Ftrust-services-criteria",[230],[230,7841,422,240],{"title":9137,"description":9138},"What is Trust Services Criteria? 
Definition & Compliance Guide","Trust Services Criteria (TSC) are the five categories used in SOC 2 audits to evaluate security, availability, processing integrity, confidentiality, and privacy.","8.glossary\u002Ftrust-services-criteria","nEmxG65hj-8eFizc3Ll2FuMeEAy41rX5qokFQSqeh34",{"id":9142,"title":9143,"body":9144,"description":211,"extension":224,"lastUpdated":225,"meta":9732,"navigation":227,"path":9733,"relatedFrameworks":9734,"relatedTerms":9735,"seo":9736,"slug":8783,"stem":9739,"term":9149,"__hash__":9740},"glossary\u002F8.glossary\u002Fvendor-risk-management.md","Vendor Risk Management",{"type":8,"value":9145,"toc":9719},[9146,9150,9153,9157,9160,9187,9191,9194,9200,9214,9219,9233,9239,9253,9259,9276,9282,9296,9300,9303,9352,9356,9373,9377,9380,9446,9451,9456,9470,9475,9484,9488,9491,9497,9514,9520,9537,9543,9557,9563,9574,9580,9584,9587,9593,9599,9605,9611,9623,9627,9630,9636,9671,9677,9707,9710,9714],[11,9147,9149],{"id":9148},"what-is-vendor-risk-management","What is Vendor Risk Management?",[16,9151,9152],{},"Vendor risk management (VRM) is the process of identifying, assessing, monitoring, and mitigating risks associated with third-party vendors and service providers. As organizations increasingly rely on external partners for critical services — from cloud infrastructure to payroll processing — the security of those vendors directly impacts the organization's own risk posture.",[20,9154,9156],{"id":9155},"why-does-vendor-risk-management-matter","Why does vendor risk management matter?",[16,9158,9159],{},"Third-party vendors are a leading source of data breaches and security incidents. When a vendor that handles your data is compromised, you are compromised. 
Compliance frameworks recognize this reality:",[28,9161,9162,9167,9172,9177,9182],{},[31,9163,9164,9166],{},[34,9165,36],{}," — CC9.2 requires organizations to assess and manage risks associated with vendors and business partners",[31,9168,9169,9171],{},[34,9170,42],{}," — controls A.5.19 through A.5.23 address information security in supplier relationships",[31,9173,9174,9176],{},[34,9175,54],{}," — the Identify function includes supply chain risk management",[31,9178,9179,9181],{},[34,9180,605],{}," — requires Business Associate Agreements with vendors handling PHI",[31,9183,9184,9186],{},[34,9185,48],{}," — requires monitoring of service provider PCI DSS compliance",[20,9188,9190],{"id":9189},"what-are-the-components-of-a-vrm-program","What are the components of a VRM program?",[16,9192,9193],{},"An effective vendor risk management program includes:",[16,9195,9196,9199],{},[34,9197,9198],{},"Vendor inventory"," — maintain a complete list of all third-party vendors, including:",[28,9201,9202,9205,9208,9211],{},[31,9203,9204],{},"What services they provide",[31,9206,9207],{},"What data they can access",[31,9209,9210],{},"Their criticality to business operations",[31,9212,9213],{},"Contract terms and renewal dates",[16,9215,9216,9218],{},[34,9217,1247],{}," — evaluate each vendor's security posture through:",[28,9220,9221,9224,9227,9230],{},[31,9222,9223],{},"Security questionnaires (SIG, CAIQ, or custom)",[31,9225,9226],{},"Review of compliance reports (SOC 2, ISO 27001 certificates)",[31,9228,9229],{},"Technical assessments when appropriate",[31,9231,9232],{},"Review of publicly available security information",[16,9234,9235,9238],{},[34,9236,9237],{},"Risk tiering"," — classify vendors by risk level based on:",[28,9240,9241,9244,9247,9250],{},[31,9242,9243],{},"Sensitivity of data they access",[31,9245,9246],{},"Criticality of the service they provide",[31,9248,9249],{},"Volume of data handled",[31,9251,9252],{},"Regulatory requirements (e.g., HIPAA business 
associates)",[16,9254,9255,9258],{},[34,9256,9257],{},"Contractual protections"," — ensure vendor contracts include:",[28,9260,9261,9264,9267,9270,9273],{},[31,9262,9263],{},"Security requirements and responsibilities",[31,9265,9266],{},"Data protection obligations",[31,9268,9269],{},"Breach notification requirements",[31,9271,9272],{},"Right to audit",[31,9274,9275],{},"Compliance certifications",[16,9277,9278,9281],{},[34,9279,9280],{},"Ongoing monitoring"," — continuously monitor vendors through:",[28,9283,9284,9287,9290,9293],{},[31,9285,9286],{},"Annual or periodic reassessments",[31,9288,9289],{},"Review of updated compliance reports",[31,9291,9292],{},"Monitoring for security incidents or breaches",[31,9294,9295],{},"Tracking changes in the vendor's services or risk profile",[20,9297,9299],{"id":9298},"what-is-the-vendor-assessment-process","What is the vendor assessment process?",[16,9301,9302],{},"A typical vendor assessment follows these steps:",[155,9304,9305,9311,9317,9323,9329,9334,9340,9346],{},[31,9306,9307,9310],{},[34,9308,9309],{},"Categorize the vendor"," — determine risk tier based on data access and service criticality",[31,9312,9313,9316],{},[34,9314,9315],{},"Send questionnaire"," — distribute a security questionnaire appropriate to the risk tier",[31,9318,9319,9322],{},[34,9320,9321],{},"Review responses"," — evaluate the vendor's security practices against your requirements",[31,9324,9325,9328],{},[34,9326,9327],{},"Request evidence"," — ask for supporting documentation (SOC 2 report, policies, certifications)",[31,9330,9331,9333],{},[34,9332,179],{}," — document areas where the vendor does not meet your standards",[31,9335,9336,9339],{},[34,9337,9338],{},"Make decision"," — approve, approve with conditions, or reject the vendor",[31,9341,9342,9345],{},[34,9343,9344],{},"Document results"," — record the assessment findings and decision",[31,9347,9348,9351],{},[34,9349,9350],{},"Schedule reassessment"," — set a date for the next review based 
on risk tier",[20,9353,9355],{"id":9354},"what-are-common-challenges-with-vendor-risk-management","What are common challenges with vendor risk management?",[28,9357,9358,9361,9364,9367,9370],{},[31,9359,9360],{},"Managing assessments across dozens or hundreds of vendors",[31,9362,9363],{},"Getting timely responses to security questionnaires",[31,9365,9366],{},"Assessing vendors that lack formal compliance certifications",[31,9368,9369],{},"Monitoring vendor risk between assessment cycles",[31,9371,9372],{},"Balancing thoroughness with business velocity",[20,9374,9376],{"id":9375},"what-is-vrm-requirements-by-compliance-framework","What are VRM requirements by compliance framework?",[16,9378,9379],{},"Different compliance frameworks address vendor risk management with varying depth and specificity. Understanding where each framework sets expectations helps you design a VRM program that satisfies multiple standards simultaneously.",[743,9381,9382,9393],{},[746,9383,9384],{},[749,9385,9386,9388,9390],{},[752,9387,5324],{},[752,9389,5330],{},[752,9391,9392],{},"Specific controls",[766,9394,9395,9405,9415,9425,9435],{},[749,9396,9397,9399,9402],{},[771,9398,36],{},[771,9400,9401],{},"Vendor risk assessment, monitoring",[771,9403,9404],{},"CC9.2, CC3.2",[749,9406,9407,9409,9412],{},[771,9408,42],{},[771,9410,9411],{},"Supplier security policies, monitoring, change management",[771,9413,9414],{},"A.5.19–A.5.23",[749,9416,9417,9419,9422],{},[771,9418,605],{},[771,9420,9421],{},"BAAs required for PHI-handling vendors",[771,9423,9424],{},"§164.308(b), §164.314",[749,9426,9427,9429,9432],{},[771,9428,48],{},[771,9430,9431],{},"Service provider compliance validation",[771,9433,9434],{},"Req 12.8, Req 12.9",[749,9436,9437,9440,9443],{},[771,9438,9439],{},"NIST CSF 2.0",[771,9441,9442],{},"Dedicated supply chain governance",[771,9444,9445],{},"GV.SC (expanded in 2.0)",[16,9447,9448,9450],{},[34,9449,36],{}," treats vendor risk as part of the broader risk management criteria. 
CC9.2 requires organizations to assess risks arising from vendor and business partner relationships, while CC3.2 covers risk identification across the entity — including third-party risks. Auditors expect documented vendor inventories, risk assessments, and evidence of ongoing monitoring.",[16,9452,9453,9455],{},[34,9454,42],{}," provides the most prescriptive set of supplier controls. Controls A.5.19 through A.5.23 cover information security in supplier relationships, including establishing policies, addressing security within agreements, managing the ICT supply chain, monitoring and reviewing supplier services, and managing changes to supplier services.",[16,9457,9458,9460,9461,9464,9465,9469],{},[34,9459,605],{}," takes a narrower but legally binding approach. Any vendor that creates, receives, maintains, or transmits ",[205,9462,9463],{"href":7398},"protected health information (PHI)"," on behalf of a covered entity must sign a ",[205,9466,9468],{"href":9467},"\u002Fglossary\u002Fbaa","Business Associate Agreement",". The BAA must specify permitted uses of PHI, breach notification obligations, and data return or destruction requirements.",[16,9471,9472,9474],{},[34,9473,48],{}," Requirement 12.8 requires organizations to maintain a list of service providers, ensure a written agreement acknowledging the provider's security responsibilities, establish a process for engaging providers, and monitor their PCI DSS compliance status at least annually. Requirement 12.9 adds that service providers must themselves acknowledge their responsibilities in writing.",[16,9476,9477,9479,9480,209],{},[34,9478,9439],{}," significantly expanded its supply chain risk management guidance, moving it from a sub-category into its own top-level function category — GV.SC — under the Govern function. This reflects the growing recognition that supply chain risk requires dedicated governance structures, not just ad hoc assessments. 
For a deeper look at these changes, see our guide to ",[205,9481,9483],{"href":9482},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes","NIST CSF v2.0 changes",[20,9485,9487],{"id":9486},"how-do-you-build-a-vendor-risk-tiering-model","How do you build a vendor risk tiering model?",[16,9489,9490],{},"Not every vendor requires the same level of scrutiny. A risk tiering model lets you allocate assessment effort proportionally to the risk each vendor introduces. Most organizations use a four-tier model based on data sensitivity, service criticality, and replaceability.",[16,9492,9493,9496],{},[34,9494,9495],{},"Critical (Tier 1)"," — The vendor handles sensitive data (PII, PHI, cardholder data), provides a business-critical service, or would be difficult and costly to replace. Examples include your primary cloud infrastructure provider, EHR system, or payment processor.",[28,9498,9499,9502,9505,9508,9511],{},[31,9500,9501],{},"Full security assessment with detailed questionnaire (SIG or equivalent)",[31,9503,9504],{},"Review of SOC 2 Type II report and\u002For ISO 27001 certificate",[31,9506,9507],{},"Annual reassessment at minimum, with continuous monitoring where feasible",[31,9509,9510],{},"Comprehensive contractual security requirements, including breach notification, audit rights, and data handling obligations",[31,9512,9513],{},"Executive-level relationship management and regular security review meetings",[16,9515,9516,9519],{},[34,9517,9518],{},"High (Tier 2)"," — The vendor accesses internal systems or handles moderate-sensitivity data, but the service is not irreplaceable. 
Examples include HR\u002Fpayroll platforms, CRM systems, or development tools with access to production data.",[28,9521,9522,9525,9528,9531,9534],{},[31,9523,9524],{},"Standard security questionnaire",[31,9526,9527],{},"Review of available compliance certifications",[31,9529,9530],{},"Annual reassessment",[31,9532,9533],{},"Basic contractual protections including breach notification and data protection clauses",[31,9535,9536],{},"Periodic check-ins with vendor security contacts",[16,9538,9539,9542],{},[34,9540,9541],{},"Medium (Tier 3)"," — The vendor has limited data access, provides a replaceable service, and does not interact with regulated data. Examples include project management tools, marketing analytics platforms, or office productivity suites.",[28,9544,9545,9548,9551,9554],{},[31,9546,9547],{},"Abbreviated assessment or targeted questionnaire",[31,9549,9550],{},"Biennial reassessment (every two years)",[31,9552,9553],{},"Standard contract terms with security addendum",[31,9555,9556],{},"Reassess earlier if the vendor's scope of access changes",[16,9558,9559,9562],{},[34,9560,9561],{},"Low (Tier 4)"," — The vendor has no access to organizational data and provides a commodity service. Examples include office supply vendors, cleaning services, or publicly available information tools.",[28,9564,9565,9568,9571],{},[31,9566,9567],{},"Self-attestation or security waiver",[31,9569,9570],{},"Reassess on contract renewal",[31,9572,9573],{},"Standard procurement terms, no additional security clauses required",[16,9575,9576,9577,9579],{},"The tiering decision should be documented in your ",[205,9578,6447],{"href":6446}," and revisited whenever the vendor's scope of service changes. 
A vendor that starts at Tier 3 may move to Tier 1 if you later grant it access to sensitive data.",[20,9581,9583],{"id":9582},"what-vendor-assessment-tools-and-questionnaires-are-available","What vendor assessment tools and questionnaires are available?",[16,9585,9586],{},"Choosing the right assessment tool depends on the vendor's risk tier, your industry, and the depth of information you need.",[16,9588,9589,9592],{},[34,9590,9591],{},"SIG (Standardized Information Gathering) questionnaire"," — maintained by Shared Assessments, the SIG is the most widely used vendor assessment questionnaire. SIG Full covers 18 risk domains and is appropriate for Tier 1 and Tier 2 vendors. SIG Lite provides a condensed version for lower-risk vendors. The SIG maps to multiple compliance frameworks, making it efficient for organizations with overlapping regulatory requirements.",[16,9594,9595,9598],{},[34,9596,9597],{},"CAIQ (Consensus Assessment Initiative Questionnaire)"," — developed by the Cloud Security Alliance, the CAIQ is purpose-built for evaluating cloud service providers. It maps to the CSA Cloud Controls Matrix and covers cloud-specific risks such as multi-tenancy, data residency, and virtualization security. Use it alongside or in place of the SIG for cloud-heavy vendor portfolios.",[16,9600,9601,9604],{},[34,9602,9603],{},"Custom questionnaires"," — many organizations supplement standardized questionnaires with custom questions tailored to their specific regulatory environment or risk appetite. 
Custom questions are particularly useful for addressing industry-specific risks, such as PCI DSS requirements for payment processors or HIPAA requirements for healthcare vendors.",[16,9606,9607,9610],{},[34,9608,9609],{},"Automated risk rating platforms"," — tools like SecurityScorecard and BitSight provide continuous, outside-in assessments of a vendor's security posture by analyzing publicly observable signals such as DNS configuration, patching cadence, exposed services, and breach history. These platforms are useful for continuous monitoring between formal assessment cycles and for initial screening of prospective vendors.",[16,9612,9613,9616,9617,9619,9620,9622],{},[34,9614,9615],{},"Direct review of compliance reports"," — reviewing a vendor's ",[205,9618,8082],{"href":8006}," report is often more valuable than a questionnaire response. A SOC 2 report is independently audited and covers the vendor's actual controls over a defined period, including any exceptions or control gaps identified by the auditor. Similarly, an ",[205,9621,42],{"href":3851}," certificate confirms that the vendor's information security management system has been independently assessed. 
When a vendor can provide these reports, they should be your primary source of assurance — supplemented by questionnaires only for areas not covered by the audit scope.",[20,9624,9626],{"id":9625},"how-do-you-handle-vendor-offboarding-and-incident-response","How do you handle vendor offboarding and incident response?",[16,9628,9629],{},"Vendor risk management does not end when the contract is signed — it also requires structured processes for when the relationship ends or when something goes wrong.",[16,9631,9632,9635],{},[34,9633,9634],{},"Vendor offboarding"," — terminating a vendor relationship requires deliberate steps to protect your data and systems:",[28,9637,9638,9644,9650,9656,9665],{},[31,9639,9640,9643],{},[34,9641,9642],{},"Data return or destruction"," — require the vendor to return all organizational data in a usable format and certify destruction of any remaining copies. The contract should specify timelines and acceptable destruction methods (e.g., cryptographic erasure, physical destruction).",[31,9645,9646,9649],{},[34,9647,9648],{},"Access revocation"," — immediately revoke the vendor's access to all systems, networks, VPNs, and APIs. Disable any service accounts, API keys, or shared credentials associated with the vendor.",[31,9651,9652,9655],{},[34,9653,9654],{},"Certificate and key rotation"," — if the vendor had access to encryption keys, certificates, or shared secrets, rotate them promptly. 
This includes API tokens, SSH keys, and any credentials the vendor may have stored.",[31,9657,9658,9661,9662,9664],{},[34,9659,9660],{},"Risk register update"," — update your ",[205,9663,6447],{"href":6446}," to reflect the terminated relationship and document any residual risks, such as data that was processed during the engagement.",[31,9666,9667,9670],{},[34,9668,9669],{},"Knowledge transfer"," — if the vendor provided a critical service, ensure operational knowledge has been transferred to the replacement vendor or internal team before the relationship ends.",[16,9672,9673,9676],{},[34,9674,9675],{},"Vendor-side breach response"," — your contracts and BAAs should establish clear expectations for what happens when a vendor experiences a security incident:",[28,9678,9679,9685,9695,9701],{},[31,9680,9681,9684],{},[34,9682,9683],{},"Notification timelines"," — specify how quickly the vendor must notify you of a confirmed or suspected breach. Industry standards range from 24 to 72 hours, but for critical vendors handling regulated data, shorter timelines may be appropriate. HIPAA requires notification without unreasonable delay and no later than 60 days.",[31,9686,9687,9690,9691,9694],{},[34,9688,9689],{},"Cooperation requirements"," — the vendor should be contractually obligated to cooperate with your ",[205,9692,9693],{"href":4296},"incident response"," investigation, including providing forensic evidence, access logs, and impact assessments.",[31,9696,9697,9700],{},[34,9698,9699],{},"Remediation obligations"," — define who bears responsibility for remediation costs, including notification to affected individuals, credit monitoring, legal fees, and regulatory fines. 
The contract should also specify timelines for implementing corrective actions.",[31,9702,9703,9706],{},[34,9704,9705],{},"Communication coordination"," — establish protocols for how breach-related communications will be coordinated between your organization and the vendor to ensure consistent messaging to regulators, customers, and the public.",[16,9708,9709],{},"A well-defined vendor offboarding and incident response process reduces the risk of lingering access, orphaned data, and confused responsibilities when the unexpected happens.",[20,9711,9713],{"id":9712},"how-does-episki-help-with-vendor-risk-management","How does episki help with vendor risk management?",[16,9715,9716,9717,209],{},"episki centralizes vendor risk management with vendor inventories, automated questionnaire distribution, risk scoring, and reassessment scheduling. The platform tracks vendor compliance status and flags vendors that require attention. Learn more on our ",[205,9718,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":9720},[9721],{"id":9148,"depth":212,"text":9149,"children":9722},[9723,9724,9725,9726,9727,9728,9729,9730,9731],{"id":9155,"depth":217,"text":9156},{"id":9189,"depth":217,"text":9190},{"id":9298,"depth":217,"text":9299},{"id":9354,"depth":217,"text":9355},{"id":9375,"depth":217,"text":9376},{"id":9486,"depth":217,"text":9487},{"id":9582,"depth":217,"text":9583},{"id":9625,"depth":217,"text":9626},{"id":9712,"depth":217,"text":9713},{},"\u002Fglossary\u002Fvendor-risk-management",[230,231,985],[8787,1420,3092,1667],{"title":9737,"description":9738},"What is Vendor Risk Management? Definition & Compliance Guide","Vendor risk management (VRM) is the process of assessing and monitoring security risks from third-party vendors. 
Learn how to build an effective VRM program.","8.glossary\u002Fvendor-risk-management","zYUPNHD7rd1SYb6jxTVuGceKFAFQoewNnryA575dKLg",{"id":9742,"title":9743,"body":9744,"description":211,"extension":224,"lastUpdated":225,"meta":9909,"navigation":227,"path":9910,"relatedFrameworks":9911,"relatedTerms":9912,"seo":9914,"slug":9917,"stem":9918,"term":9749,"__hash__":9919},"glossary\u002F8.glossary\u002Fvulnerability-management.md","Vulnerability Management",{"type":8,"value":9745,"toc":9900},[9746,9750,9753,9757,9760,9794,9798,9801,9828,9832,9858,9862,9865,9891,9895],[11,9747,9749],{"id":9748},"what-is-vulnerability-management","What is Vulnerability Management?",[16,9751,9752],{},"Vulnerability management is the continuous process of identifying, classifying, prioritizing, and remediating security vulnerabilities in an organization's systems, software, and infrastructure. Unlike one-time assessments, vulnerability management is an ongoing program that adapts as new threats emerge and your environment changes.",[20,9754,9756],{"id":9755},"what-is-the-vulnerability-management-lifecycle","What is the vulnerability management lifecycle?",[16,9758,9759],{},"An effective program follows a repeating cycle:",[155,9761,9762,9768,9774,9779,9784,9789],{},[31,9763,9764,9767],{},[34,9765,9766],{},"Asset discovery"," — maintain an accurate inventory of all hardware, software, and cloud resources in scope",[31,9769,9770,9773],{},[34,9771,9772],{},"Vulnerability scanning"," — use automated tools to detect known vulnerabilities across your environment on a regular schedule",[31,9775,9776,9778],{},[34,9777,7514],{}," — rank findings by severity (CVSS score), exploitability, asset criticality, and business context — not every \"critical\" CVE is critical to your organization",[31,9780,9781,9783],{},[34,9782,7408],{}," — apply patches, configuration changes, or compensating controls to address vulnerabilities within defined SLAs",[31,9785,9786,9788],{},[34,9787,7537],{}," — rescan to 
confirm that remediation was effective and didn't introduce new issues",[31,9790,9791,9793],{},[34,9792,7080],{}," — track metrics like mean time to remediate (MTTR), vulnerability aging, and coverage rates",[20,9795,9797],{"id":9796},"how-do-compliance-frameworks-address-vulnerability-management","How do compliance frameworks address vulnerability management?",[16,9799,9800],{},"Most security frameworks require a formal vulnerability management program:",[28,9802,9803,9808,9813,9818,9823],{},[31,9804,9805,9807],{},[34,9806,48],{}," — Requirement 6.3 requires patching critical vulnerabilities within defined timeframes; Requirement 11.3 requires internal and external vulnerability scanning",[31,9809,9810,9812],{},[34,9811,36],{}," — CC7.1 covers detection of vulnerabilities and CC8.1 addresses change management for remediation",[31,9814,9815,9817],{},[34,9816,42],{}," — A.8.8 (management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities",[31,9819,9820,9822],{},[34,9821,54],{}," — ID.RA (risk assessment) and PR.IP (information protection) directly relate to vulnerability identification and remediation",[31,9824,9825,9827],{},[34,9826,4704],{}," — RA.L2-3.11.2 requires remediation of vulnerabilities in accordance with risk assessments",[20,9829,9831],{"id":9830},"what-are-common-vulnerability-scanning-tools","What are common vulnerability scanning tools?",[28,9833,9834,9840,9846,9852],{},[31,9835,9836,9839],{},[34,9837,9838],{},"Infrastructure scanners"," — Nessus, Qualys, Rapid7 InsightVM for network and host-level vulnerabilities",[31,9841,9842,9845],{},[34,9843,9844],{},"Application scanners"," — OWASP ZAP, Burp Suite for web application vulnerabilities",[31,9847,9848,9851],{},[34,9849,9850],{},"Dependency scanners"," — Snyk, Dependabot, Trivy for software composition analysis (SCA)",[31,9853,9854,9857],{},[34,9855,9856],{},"Cloud security posture"," — AWS Inspector, Azure Defender, GCP Security Command Center for cloud 
misconfigurations",[20,9859,9861],{"id":9860},"what-are-sla-best-practices-for-vulnerability-management","What are SLA best practices for vulnerability management?",[16,9863,9864],{},"Define remediation timelines based on severity:",[28,9866,9867,9873,9879,9885],{},[31,9868,9869,9872],{},[34,9870,9871],{},"Critical"," — remediate within 24–72 hours",[31,9874,9875,9878],{},[34,9876,9877],{},"High"," — remediate within 7–14 days",[31,9880,9881,9884],{},[34,9882,9883],{},"Medium"," — remediate within 30 days",[31,9886,9887,9890],{},[34,9888,9889],{},"Low"," — remediate within 90 days or accept risk with documented justification",[20,9892,9894],{"id":9893},"how-does-episki-help-with-vulnerability-management","How does episki help with vulnerability management?",[16,9896,9897,9898,209],{},"episki tracks vulnerability findings, manages remediation workflows with due dates and ownership, and maps vulnerabilities to compliance framework requirements. The platform provides dashboards showing remediation progress and aging metrics for auditors. Learn more on our ",[205,9899,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":9901},[9902],{"id":9748,"depth":212,"text":9749,"children":9903},[9904,9905,9906,9907,9908],{"id":9755,"depth":217,"text":9756},{"id":9796,"depth":217,"text":9797},{"id":9830,"depth":217,"text":9831},{"id":9860,"depth":217,"text":9861},{"id":9893,"depth":217,"text":9894},{},"\u002Fglossary\u002Fvulnerability-management",[230,231,984,985,982],[5749,1948,1952,9913],"web-application-security",{"title":9915,"description":9916},"What is Vulnerability Management? 
Definition & Compliance Guide","Vulnerability management is the ongoing process of identifying, classifying, prioritizing, and remediating security vulnerabilities across your systems and applications.","vulnerability-management","8.glossary\u002Fvulnerability-management","uzdMPlyqCfawsSDUCyB5DBUfYbPo1BYxc5FJB7wJDgM",{"id":9921,"title":9922,"body":9923,"description":211,"extension":224,"lastUpdated":225,"meta":10046,"navigation":227,"path":10047,"relatedFrameworks":10048,"relatedTerms":10049,"seo":10050,"slug":9913,"stem":10053,"term":9928,"__hash__":10054},"glossary\u002F8.glossary\u002Fweb-application-security.md","Web Application Security",{"type":8,"value":9924,"toc":10038},[9925,9929,9932,9936,9939,9977,9981,10003,10007,10029,10033],[11,9926,9928],{"id":9927},"what-is-web-application-security","What is Web Application Security?",[16,9930,9931],{},"Web application security is the practice of protecting websites and web applications from attacks that exploit vulnerabilities in application code, configuration, or infrastructure. 
As organizations increasingly deliver services through web applications, securing these applications has become a critical component of any compliance program.",[20,9933,9935],{"id":9934},"what-are-common-web-application-threats","What are common web application threats?",[16,9937,9938],{},"The OWASP Top 10 provides a widely recognized list of the most critical web application security risks:",[28,9940,9941,9947,9953,9959,9965,9971],{},[31,9942,9943,9946],{},[34,9944,9945],{},"Injection attacks"," — including SQL injection, where attackers insert malicious code through input fields to manipulate databases",[31,9948,9949,9952],{},[34,9950,9951],{},"Cross-site scripting (XSS)"," — injecting malicious scripts into web pages viewed by other users",[31,9954,9955,9958],{},[34,9956,9957],{},"Broken authentication"," — weaknesses in authentication mechanisms that allow unauthorized access",[31,9960,9961,9964],{},[34,9962,9963],{},"Insecure direct object references"," — exposing internal implementation objects through URLs or parameters",[31,9966,9967,9970],{},[34,9968,9969],{},"Security misconfiguration"," — default credentials, unnecessary features enabled, or missing security headers",[31,9972,9973,9976],{},[34,9974,9975],{},"Cross-site request forgery (CSRF)"," — tricking authenticated users into performing unintended actions",[20,9978,9980],{"id":9979},"how-do-compliance-frameworks-address-web-application-security","How do compliance frameworks address web application security?",[28,9982,9983,9988,9993,9998],{},[31,9984,9985,9987],{},[34,9986,48],{}," — Requirement 6 addresses secure development practices and web application firewalls for applications handling cardholder data",[31,9989,9990,9992],{},[34,9991,36],{}," — CC7.1 and CC8.1 cover vulnerability management and change management for applications",[31,9994,9995,9997],{},[34,9996,42],{}," — A.8.25 through A.8.28 address secure development lifecycle, testing, and application 
security",[31,9999,10000,10002],{},[34,10001,54],{}," — PR.IP covers security in development and information protection processes",[20,10004,10006],{"id":10005},"what-are-web-application-defense-strategies","What are web application defense strategies?",[28,10008,10009,10012,10015,10018,10023,10026],{},[31,10010,10011],{},"Implement a secure development lifecycle (SDLC) with security reviews at each stage",[31,10013,10014],{},"Use static application security testing (SAST) and dynamic application security testing (DAST) in CI\u002FCD pipelines",[31,10016,10017],{},"Deploy a web application firewall (WAF) to filter malicious traffic",[31,10019,6191,10020,10022],{},[205,10021,6195],{"href":6194}," focused on application-layer vulnerabilities",[31,10024,10025],{},"Keep application frameworks and dependencies patched and up to date",[31,10027,10028],{},"Validate and sanitize all user input on the server side",[20,10030,10032],{"id":10031},"how-does-episki-help-with-web-application-security","How does episki help with web application security?",[16,10034,10035,10036,209],{},"episki tracks web application security controls, manages vulnerability remediation workflows, and documents security testing evidence for auditors. Learn more on our ",[205,10037,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":10039},[10040],{"id":9927,"depth":212,"text":9928,"children":10041},[10042,10043,10044,10045],{"id":9934,"depth":217,"text":9935},{"id":9979,"depth":217,"text":9980},{"id":10005,"depth":217,"text":10006},{"id":10031,"depth":217,"text":10032},{},"\u002Fglossary\u002Fweb-application-security",[230,231,984,985],[5749,6218,933,9917],{"title":10051,"description":10052},"What is Web Application Security? 
Definition & Compliance Guide","Web application security is the practice of protecting websites and web apps from attacks such as SQL injection, cross-site scripting (XSS), and unauthorized access.","8.glossary\u002Fweb-application-security","qOQ02_z-vhAF1v25Yq_MRSjVS7VEGJjSiQUC3OPdzkc",{"id":10056,"title":10057,"body":10058,"description":211,"extension":224,"lastUpdated":225,"meta":10168,"navigation":227,"path":10169,"relatedFrameworks":10170,"relatedTerms":10171,"seo":10172,"slug":10175,"stem":10176,"term":10063,"__hash__":10177},"glossary\u002F8.glossary\u002Fworkforce-security.md","Workforce Security",{"type":8,"value":10059,"toc":10160},[10060,10064,10067,10071,10102,10106,10123,10127,10151,10155],[11,10061,10063],{"id":10062},"what-is-workforce-security","What is Workforce Security?",[16,10065,10066],{},"Workforce security refers to the policies, procedures, and controls that ensure employees, contractors, and other workforce members handle sensitive information responsibly and securely. 
It encompasses the full employment lifecycle — from hiring and onboarding through ongoing access management to termination and offboarding.",[20,10068,10070],{"id":10069},"what-are-the-key-components-of-workforce-security","What are the key components of workforce security?",[28,10072,10073,10079,10085,10090,10096],{},[31,10074,10075,10078],{},[34,10076,10077],{},"Background checks"," — verifying the identity, qualifications, and history of new hires before granting access to sensitive systems",[31,10080,10081,10084],{},[34,10082,10083],{},"Security awareness training"," — educating the workforce on security policies, threats, and their responsibilities",[31,10086,10087,10089],{},[34,10088,278],{}," — assigning appropriate access based on role and revoking it when no longer needed",[31,10091,10092,10095],{},[34,10093,10094],{},"Acceptable use policies"," — defining what constitutes proper use of organizational systems and data",[31,10097,10098,10101],{},[34,10099,10100],{},"Termination procedures"," — ensuring timely and complete access revocation when workforce members depart",[20,10103,10105],{"id":10104},"how-do-compliance-frameworks-address-workforce-security","How do compliance frameworks address workforce security?",[28,10107,10108,10113,10118],{},[31,10109,10110,10112],{},[34,10111,605],{}," — the Security Rule (45 CFR 164.308(a)(3)) explicitly requires workforce security controls including authorization and supervision, clearance procedures, and termination procedures",[31,10114,10115,10117],{},[34,10116,36],{}," — CC1.4 and CC6.2 address human resource security including hiring, training, and termination",[31,10119,10120,10122],{},[34,10121,42],{}," — A.6.1 through A.6.5 cover screening, terms of employment, awareness training, disciplinary processes, and post-employment responsibilities",[20,10124,10126],{"id":10125},"what-are-best-practices-for-workforce-security","What are best practices for workforce 
security?",[28,10128,10129,10132,10135,10142,10148],{},[31,10130,10131],{},"Conduct background checks proportional to the sensitivity of the role",[31,10133,10134],{},"Require security awareness training at hire and annually thereafter",[31,10136,10137,10138,10141],{},"Implement role-based access that follows the ",[205,10139,10140],{"href":5086},"least privilege"," principle",[31,10143,10144,10145,10147],{},"Document and enforce termination and ",[205,10146,6369],{"href":6363}," checklists",[31,10149,10150],{},"Review workforce security policies annually and after significant organizational changes",[20,10152,10154],{"id":10153},"how-does-episki-help-with-workforce-security","How does episki help with workforce security?",[16,10156,10157,10158,209],{},"episki tracks workforce security controls, manages training completion records, and documents evidence of hiring and termination procedures for compliance audits. Learn more on our ",[205,10159,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":10161},[10162],{"id":10062,"depth":212,"text":10063,"children":10163},[10164,10165,10166,10167],{"id":10069,"depth":217,"text":10070},{"id":10104,"depth":217,"text":10105},{"id":10125,"depth":217,"text":10126},{"id":10153,"depth":217,"text":10154},{},"\u002Fglossary\u002Fworkforce-security",[983,230,231],[992,8563,6369],{"title":10173,"description":10174},"What is Workforce Security? 
Definition & Compliance Guide","Workforce security refers to the policies and controls that ensure employees and contractors handle sensitive information responsibly and securely.","workforce-security","8.glossary\u002Fworkforce-security","na2bHZsChgoatdZZY7JsQpjSx5s4F6y3rTrEiRhd0js",{"id":10179,"title":10180,"body":10181,"description":211,"extension":224,"lastUpdated":225,"meta":10358,"navigation":227,"path":9467,"relatedFrameworks":10359,"relatedTerms":10360,"seo":10361,"slug":3092,"stem":10364,"term":3037,"__hash__":10365},"glossary\u002F8.glossary\u002Fbaa.md","Baa",{"type":8,"value":10182,"toc":10348},[10183,10185,10188,10192,10195,10212,10215,10219,10222,10266,10270,10273,10293,10297,10300,10332,10336,10339,10343],[11,10184,3037],{"id":3036},[16,10186,10187],{},"A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity and a business associate, or between two business associates. The BAA establishes the permitted uses and disclosures of Protected Health Information (PHI) and requires the business associate to implement appropriate safeguards to protect that information.",[20,10189,10191],{"id":10190},"why-are-baas-required","Why are BAAs required?",[16,10193,10194],{},"Under HIPAA, covered entities cannot simply hand over PHI to vendors and service providers without contractual protections. 
The BAA creates a legal obligation for the business associate to:",[28,10196,10197,10200,10203,10206,10209],{},[31,10198,10199],{},"Protect PHI with appropriate administrative, physical, and technical safeguards",[31,10201,10202],{},"Report security incidents and breaches to the covered entity",[31,10204,10205],{},"Limit the use and disclosure of PHI to the purposes specified in the agreement",[31,10207,10208],{},"Return or destroy PHI when the contract ends",[31,10210,10211],{},"Make PHI available for individual access requests when required",[16,10213,10214],{},"Without a BAA in place, sharing PHI with a business associate is itself a HIPAA violation, regardless of whether a breach actually occurs.",[20,10216,10218],{"id":10217},"what-are-the-required-elements-of-a-baa","What are the required elements of a BAA?",[16,10220,10221],{},"HIPAA regulations (45 CFR 164.504(e)) specify that a BAA must include:",[28,10223,10224,10230,10236,10242,10248,10254,10260],{},[31,10225,10226,10229],{},[34,10227,10228],{},"Permitted uses and disclosures"," — a description of what the business associate may and may not do with PHI",[31,10231,10232,10235],{},[34,10233,10234],{},"Safeguard requirements"," — an obligation to use appropriate safeguards to prevent unauthorized use or disclosure",[31,10237,10238,10241],{},[34,10239,10240],{},"Reporting obligations"," — requirements to report breaches, security incidents, and unauthorized disclosures",[31,10243,10244,10247],{},[34,10245,10246],{},"Subcontractor obligations"," — if the business associate engages subcontractors who will access PHI, the BAA must require those subcontractors to agree to the same restrictions",[31,10249,10250,10253],{},[34,10251,10252],{},"Individual rights"," — provisions supporting the covered entity's obligations regarding individual access to PHI",[31,10255,10256,10259],{},[34,10257,10258],{},"HHS access"," — agreement to make practices, books, and records available to HHS for compliance 
determination",[31,10261,10262,10265],{},[34,10263,10264],{},"Termination provisions"," — conditions under which the agreement terminates and obligations for return or destruction of PHI",[20,10267,10269],{"id":10268},"when-is-a-baa-needed","When is a BAA needed?",[16,10271,10272],{},"A BAA is required whenever a covered entity engages a business associate that will create, receive, maintain, or transmit PHI on its behalf. Common scenarios include:",[28,10274,10275,10278,10281,10284,10287,10290],{},[31,10276,10277],{},"Cloud hosting providers storing ePHI",[31,10279,10280],{},"IT service providers with access to systems containing PHI",[31,10282,10283],{},"Billing and claims processing companies",[31,10285,10286],{},"Legal, accounting, or consulting firms reviewing PHI",[31,10288,10289],{},"SaaS applications processing health data",[31,10291,10292],{},"Shredding and data destruction companies",[20,10294,10296],{"id":10295},"what-are-common-mistakes-with-baas","What are common mistakes with BAAs?",[16,10298,10299],{},"Organizations frequently make errors with BAAs:",[28,10301,10302,10308,10314,10320,10326],{},[31,10303,10304,10307],{},[34,10305,10306],{},"Missing BAAs"," — using vendors that handle PHI without a signed BAA in place",[31,10309,10310,10313],{},[34,10311,10312],{},"Template overreliance"," — using generic templates without tailoring to the specific vendor relationship",[31,10315,10316,10319],{},[34,10317,10318],{},"No tracking"," — failing to maintain an inventory of all BAAs and their renewal dates",[31,10321,10322,10325],{},[34,10323,10324],{},"Stale agreements"," — not updating BAAs when the scope of services or PHI usage changes",[31,10327,10328,10331],{},[34,10329,10330],{},"Ignoring subcontractors"," — not requiring downstream BAAs when business associates engage their own subcontractors",[20,10333,10335],{"id":10334},"what-is-the-difference-between-a-baa-and-an-nda","What is the difference between a BAA and an NDA?",[16,10337,10338],{},"A BAA is 
not the same as a non-disclosure agreement (NDA). While an NDA protects confidential business information in general, a BAA addresses the specific HIPAA requirements for handling PHI. An NDA alone does not satisfy the HIPAA requirement for a BAA.",[20,10340,10342],{"id":10341},"how-does-episki-help-with-baas","How does episki help with BAAs?",[16,10344,10345,10346,209],{},"episki tracks all your business associate relationships and BAA status in one place. The platform sends renewal reminders, maintains a complete inventory of agreements, and flags vendors that handle PHI but lack a signed BAA. Learn more on our ",[205,10347,1160],{"href":604},{"title":211,"searchDepth":212,"depth":212,"links":10349},[10350],{"id":3036,"depth":212,"text":3037,"children":10351},[10352,10353,10354,10355,10356,10357],{"id":10190,"depth":217,"text":10191},{"id":10217,"depth":217,"text":10218},{"id":10268,"depth":217,"text":10269},{"id":10295,"depth":217,"text":10296},{"id":10334,"depth":217,"text":10335},{"id":10341,"depth":217,"text":10342},{},[983],[983,1175,1178,1177,1183],{"title":10362,"description":10363},"What is a Business Associate Agreement (BAA)? Definition & Compliance Guide","A Business Associate Agreement (BAA) is a HIPAA-required contract between covered entities and vendors who handle PHI. 
Learn what a BAA must include.","8.glossary\u002Fbaa","ayjPGXWGSuWKW0Y9ePgMv29PgZPw9CIRBQlvd9lLBrU",{"id":10367,"title":10368,"body":10369,"description":211,"extension":224,"lastUpdated":225,"meta":10553,"navigation":227,"path":10554,"relatedFrameworks":10555,"relatedTerms":10556,"seo":10557,"slug":1178,"stem":10560,"term":10374,"__hash__":10561},"glossary\u002F8.glossary\u002Fbusiness-associate.md","Business Associate",{"type":8,"value":10370,"toc":10543},[10371,10375,10378,10382,10385,10429,10433,10436,10468,10472,10475,10486,10489,10493,10496,10510,10513,10517,10520,10531,10534,10538],[11,10372,10374],{"id":10373},"what-is-a-business-associate","What is a Business Associate?",[16,10376,10377],{},"A business associate (BA) under HIPAA is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, or provides services to a covered entity that involve access to PHI. Business associates are directly subject to certain HIPAA requirements and must sign a Business Associate Agreement (BAA) with each covered entity they serve.",[20,10379,10381],{"id":10380},"what-are-common-examples-of-business-associates","What are common examples of business associates?",[16,10383,10384],{},"Many types of organizations qualify as business associates:",[28,10386,10387,10393,10399,10405,10411,10417,10423],{},[31,10388,10389,10392],{},[34,10390,10391],{},"Cloud service providers"," — hosting companies that store ePHI (such as AWS, Azure, or Google Cloud when used for health data)",[31,10394,10395,10398],{},[34,10396,10397],{},"IT service providers"," — managed service providers, consultants, or contractors with access to systems containing PHI",[31,10400,10401,10404],{},[34,10402,10403],{},"SaaS vendors"," — software platforms that process, store, or transmit PHI (EHR systems, telehealth platforms, billing software)",[31,10406,10407,10410],{},[34,10408,10409],{},"Billing and coding companies"," — 
organizations that process claims or handle billing data containing PHI",[31,10412,10413,10416],{},[34,10414,10415],{},"Legal and accounting firms"," — when their work involves reviewing or handling PHI",[31,10418,10419,10422],{},[34,10420,10421],{},"Data analytics firms"," — companies that analyze health data on behalf of covered entities",[31,10424,10425,10428],{},[34,10426,10427],{},"Shredding and destruction companies"," — vendors that dispose of physical or electronic media containing PHI",[20,10430,10432],{"id":10431},"what-are-business-associate-obligations","What are business associate obligations?",[16,10434,10435],{},"The HITECH Act extended direct liability to business associates for certain HIPAA requirements. Business associates must:",[28,10437,10438,10444,10450,10456,10462],{},[31,10439,10440,10443],{},[34,10441,10442],{},"Implement safeguards"," — maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the PHI they handle",[31,10445,10446,10449],{},[34,10447,10448],{},"Report breaches"," — notify the covered entity of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery",[31,10451,10452,10455],{},[34,10453,10454],{},"Comply with the Security Rule"," — business associates are directly subject to HIPAA Security Rule requirements",[31,10457,10458,10461],{},[34,10459,10460],{},"Limit PHI use"," — use and disclose PHI only as permitted by the BAA or as required by law",[31,10463,10464,10467],{},[34,10465,10466],{},"Manage subcontractors"," — ensure that any subcontractors with access to PHI also sign BAAs and comply with HIPAA requirements",[20,10469,10471],{"id":10470},"what-is-a-subcontractor-business-associate","What is a subcontractor business associate?",[16,10473,10474],{},"A business associate that engages its own subcontractors who will handle PHI must enter into BAAs with those subcontractors. 
This creates a chain of accountability:",[28,10476,10477,10480,10483],{},[31,10478,10479],{},"The covered entity signs a BAA with the business associate",[31,10481,10482],{},"The business associate signs a BAA with its subcontractor",[31,10484,10485],{},"The subcontractor has the same obligations as the business associate regarding PHI protection",[16,10487,10488],{},"This chain ensures that PHI is protected at every level, regardless of how many vendors are involved.",[20,10490,10492],{"id":10491},"what-are-the-penalties-for-noncompliance","What are the penalties for noncompliance?",[16,10494,10495],{},"Business associates face the same penalties as covered entities for HIPAA violations:",[28,10497,10498,10501,10504,10507],{},[31,10499,10500],{},"Civil penalties ranging from $100 to $50,000 per violation",[31,10502,10503],{},"Annual caps of $1.5 million per violation category",[31,10505,10506],{},"Criminal penalties for knowing violations, including fines up to $250,000 and imprisonment",[31,10508,10509],{},"OCR enforcement actions, corrective action plans, and resolution agreements",[16,10511,10512],{},"Several high-profile enforcement actions have targeted business associates directly, demonstrating that HHS holds business associates accountable independent of the covered entities they serve.",[20,10514,10516],{"id":10515},"how-do-you-determine-if-you-are-a-business-associate","How do you determine if you are a business associate?",[16,10518,10519],{},"Ask these questions:",[155,10521,10522,10525,10528],{},[31,10523,10524],{},"Does your organization handle PHI on behalf of a covered entity or another business associate?",[31,10526,10527],{},"Do your services involve creating, receiving, maintaining, or transmitting PHI?",[31,10529,10530],{},"Do you have access to systems or data that contain PHI?",[16,10532,10533],{},"If any answer is yes, your organization is likely a business associate and must comply with HIPAA requirements and maintain appropriate 
BAAs.",[20,10535,10537],{"id":10536},"how-does-episki-help-with-business-associates","How does episki help with business associates?",[16,10539,10540,10541,209],{},"episki helps business associates build and maintain their HIPAA compliance programs by providing pre-built control frameworks, evidence collection workflows, and BAA management. The platform demonstrates compliance to covered entity customers and streamlines security questionnaire responses. Learn more on our ",[205,10542,1160],{"href":604},{"title":211,"searchDepth":212,"depth":212,"links":10544},[10545],{"id":10373,"depth":212,"text":10374,"children":10546},[10547,10548,10549,10550,10551,10552],{"id":10380,"depth":217,"text":10381},{"id":10431,"depth":217,"text":10432},{"id":10470,"depth":217,"text":10471},{"id":10491,"depth":217,"text":10492},{"id":10515,"depth":217,"text":10516},{"id":10536,"depth":217,"text":10537},{},"\u002Fglossary\u002Fbusiness-associate",[983],[983,1175,3092,1177,1176,1183],{"title":10558,"description":10559},"What is a Business Associate? Definition & Compliance Guide","A HIPAA business associate is any vendor or partner that creates, receives, or transmits PHI on behalf of a covered entity. 
Learn your obligations.","8.glossary\u002Fbusiness-associate","qRN1k9TCSPPGonMPFkOgg08MBVnoxS-aJhCoHp0FnUA",{"id":10563,"title":10564,"body":10565,"description":211,"extension":224,"lastUpdated":225,"meta":10756,"navigation":227,"path":10757,"relatedFrameworks":10758,"relatedTerms":10759,"seo":10760,"slug":6680,"stem":10763,"term":10570,"__hash__":10764},"glossary\u002F8.glossary\u002Fcardholder-data-environment.md","Cardholder Data Environment",{"type":8,"value":10566,"toc":10746},[10567,10571,10574,10578,10581,10605,10609,10612,10626,10629,10633,10636,10674,10678,10681,10704,10708,10711,10737,10741],[11,10568,10570],{"id":10569},"what-is-a-cardholder-data-environment","What is a Cardholder Data Environment?",[16,10572,10573],{},"The Cardholder Data Environment (CDE) is the collection of people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Defining the CDE is one of the most critical steps in PCI DSS compliance because it determines the scope of your assessment — everything inside the CDE must meet PCI DSS requirements.",[20,10575,10577],{"id":10576},"what-are-the-components-of-the-cde","What are the components of the CDE?",[16,10579,10580],{},"The CDE includes:",[28,10582,10583,10589,10595,10600],{},[31,10584,10585,10588],{},[34,10586,10587],{},"System components"," — servers, databases, applications, network devices, and any other technology that stores, processes, or transmits cardholder data",[31,10590,10591,10594],{},[34,10592,10593],{},"Network segments"," — the network segments where cardholder data flows or resides",[31,10596,10597,10599],{},[34,10598,6394],{}," — employees, contractors, and third parties who have access to cardholder data or the systems that handle it",[31,10601,10602,10604],{},[34,10603,6400],{}," — business processes that involve cardholder data, such as payment processing, refunds, chargebacks, and 
reporting",[20,10606,10608],{"id":10607},"what-counts-as-a-connected-system-in-the-cde","What counts as a connected system in the CDE?",[16,10610,10611],{},"Beyond the systems that directly handle cardholder data, PCI DSS also brings into scope any systems that are connected to or could affect the security of the CDE. These include:",[28,10613,10614,10617,10620,10623],{},[31,10615,10616],{},"Systems that provide security services to the CDE (firewalls, IDS\u002FIPS, authentication servers)",[31,10618,10619],{},"Systems on the same network segment as CDE components",[31,10621,10622],{},"Systems that can initiate connections into the CDE",[31,10624,10625],{},"Administrative systems used to manage CDE components",[16,10627,10628],{},"This expanded scope is why network segmentation is so important — it limits the number of connected systems and reduces the overall compliance burden.",[20,10630,10632],{"id":10631},"how-do-you-define-your-cde","How do you define your CDE?",[16,10634,10635],{},"To accurately define your CDE:",[155,10637,10638,10644,10650,10656,10662,10668],{},[31,10639,10640,10643],{},[34,10641,10642],{},"Map cardholder data flows"," — trace how cardholder data enters, moves through, and exits your environment",[31,10645,10646,10649],{},[34,10647,10648],{},"Identify all storage locations"," — find every database, file, log, and backup where cardholder data is stored",[31,10651,10652,10655],{},[34,10653,10654],{},"Document processing systems"," — identify every application and system that processes cardholder data",[31,10657,10658,10661],{},[34,10659,10660],{},"Map network paths"," — document the network segments and connections involved in cardholder data transmission",[31,10663,10664,10667],{},[34,10665,10666],{},"Identify connected systems"," — determine which systems connect to or could affect CDE components",[31,10669,10670,10673],{},[34,10671,10672],{},"Verify with data discovery"," — use data discovery tools to confirm that cardholder data does not 
exist outside the documented CDE",[20,10675,10677],{"id":10676},"how-do-you-reduce-the-cde","How do you reduce the CDE?",[16,10679,10680],{},"A smaller CDE means fewer systems in scope and lower compliance costs. Common strategies to reduce the CDE include:",[28,10682,10683,10688,10694,10699],{},[31,10684,10685,10687],{},[34,10686,6835],{}," — replace cardholder data with tokens that have no exploitable value, removing systems that only handle tokens from the CDE",[31,10689,10690,10693],{},[34,10691,10692],{},"Point-to-point encryption (P2PE)"," — encrypt cardholder data from the point of interaction to the decryption point, potentially removing intermediate systems from scope",[31,10695,10696,10698],{},[34,10697,6847],{}," — shift cardholder data handling to a PCI-compliant service provider",[31,10700,10701,10703],{},[34,10702,6122],{}," — isolate the CDE from the rest of the network so that systems outside it are not treated as connected systems and pulled into scope",[20,10705,10707],{"id":10706},"what-are-common-mistakes-with-the-cde","What are common mistakes with the CDE?",[16,10709,10710],{},"Organizations frequently make errors when defining their CDE:",[28,10712,10713,10719,10725,10731],{},[31,10714,10715,10718],{},[34,10716,10717],{},"Incomplete data flow mapping"," — missing cardholder data in logs, backups, or test environments",[31,10720,10721,10724],{},[34,10722,10723],{},"Overlooking connected systems"," — failing to account for systems with network access to the CDE",[31,10726,10727,10730],{},[34,10728,10729],{},"Scope creep"," — allowing unnecessary systems to connect to the CDE, expanding scope",[31,10732,10733,10736],{},[34,10734,10735],{},"Stale documentation"," — not updating CDE documentation when systems change",[20,10738,10740],{"id":10739},"how-does-episki-help-with-the-cde","How does episki help with the CDE?",[16,10742,10743,10744,209],{},"episki helps you document and maintain your cardholder data environment definition, including data flow diagrams, system inventories, and 
network segmentation documentation. The platform tracks changes that could affect CDE scope and ensures your documentation stays current. Learn more on our ",[205,10745,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":10747},[10748],{"id":10569,"depth":212,"text":10570,"children":10749},[10750,10751,10752,10753,10754,10755],{"id":10576,"depth":217,"text":10577},{"id":10607,"depth":217,"text":10608},{"id":10631,"depth":217,"text":10632},{"id":10676,"depth":217,"text":10677},{"id":10706,"depth":217,"text":10707},{"id":10739,"depth":217,"text":10740},{},"\u002Fglossary\u002Fcardholder-data-environment",[984],[6684,6941,2176,2635,6678],{"title":10761,"description":10762},"What is a Cardholder Data Environment? Definition & Compliance Guide","The Cardholder Data Environment (CDE) encompasses all systems that store, process, or transmit cardholder data. Learn how to define and secure your CDE.","8.glossary\u002Fcardholder-data-environment","b6tMCigxUaqDmCxMICc_lqrlhozN9rvWz0eNQJC-I20",{"id":10766,"title":10767,"body":10768,"description":211,"extension":224,"lastUpdated":225,"meta":10964,"navigation":227,"path":3277,"relatedFrameworks":10965,"relatedTerms":10966,"seo":10967,"slug":3854,"stem":10970,"term":10773,"__hash__":10971},"glossary\u002F8.glossary\u002Fcertification-body.md","Certification Body",{"type":8,"value":10769,"toc":10954},[10770,10774,10777,10781,10784,10824,10828,10831,10857,10860,10864,10867,10905,10909,10912,10915,10919,10922,10942,10945,10949],[11,10771,10773],{"id":10772},"what-is-a-certification-body","What is a Certification Body?",[16,10775,10776],{},"A certification body (CB), also called a registrar or conformity assessment body, is an independent organization accredited to perform audits and issue certifications against management system standards such as ISO 27001. 
When an organization achieves ISO 27001 certification, the certificate is issued by the certification body that conducted the audit.",[20,10778,10780],{"id":10779},"how-do-certification-bodies-work","How do certification bodies work?",[16,10782,10783],{},"Certification bodies operate under a structured process:",[155,10785,10786,10792,10797,10802,10808,10814,10819],{},[31,10787,10788,10791],{},[34,10789,10790],{},"Application"," — the organization applies to the certification body, providing information about the scope of its ISMS",[31,10793,10794,10796],{},[34,10795,3338],{}," — the CB reviews documentation to confirm the ISMS is designed in accordance with ISO 27001 requirements",[31,10798,10799,10801],{},[34,10800,3344],{}," — the CB conducts an on-site or remote audit to verify that the ISMS is implemented and operating effectively",[31,10803,10804,10807],{},[34,10805,10806],{},"Certification decision"," — based on audit findings, the CB decides whether to grant certification",[31,10809,10810,10813],{},[34,10811,10812],{},"Certificate issuance"," — if successful, the CB issues a certificate valid for three years",[31,10815,10816,10818],{},[34,10817,3350],{}," — the CB conducts annual surveillance audits to verify continued compliance",[31,10820,10821,10823],{},[34,10822,3356],{}," — at the end of the three-year cycle, a full recertification audit is performed",[20,10825,10827],{"id":10826},"how-are-certification-bodies-accredited","How are certification bodies accredited?",[16,10829,10830],{},"Certification bodies must themselves be accredited by a recognized accreditation body to ensure they operate competently and impartially. 
Key accreditation bodies include:",[28,10832,10833,10839,10845,10851],{},[31,10834,10835,10838],{},[34,10836,10837],{},"UKAS"," (United Kingdom Accreditation Service)",[31,10840,10841,10844],{},[34,10842,10843],{},"ANAB"," (ANSI National Accreditation Board) in the United States",[31,10846,10847,10850],{},[34,10848,10849],{},"DAkkS"," (Deutsche Akkreditierungsstelle) in Germany",[31,10852,10853,10856],{},[34,10854,10855],{},"JAS-ANZ"," (Joint Accreditation System of Australia and New Zealand)",[16,10858,10859],{},"Accreditation ensures that the certification body follows ISO 17021 (requirements for bodies providing audit and certification of management systems) and employs qualified auditors. Choosing a non-accredited certification body undermines the credibility of the certification.",[20,10861,10863],{"id":10862},"how-do-you-select-a-certification-body","How do you select a certification body?",[16,10865,10866],{},"When choosing a certification body, consider:",[28,10868,10869,10875,10881,10887,10893,10899],{},[31,10870,10871,10874],{},[34,10872,10873],{},"Accreditation"," — verify the CB is accredited by a recognized national accreditation body",[31,10876,10877,10880],{},[34,10878,10879],{},"Industry experience"," — some CBs specialize in certain industries (technology, healthcare, financial services) and understand sector-specific risks",[31,10882,10883,10886],{},[34,10884,10885],{},"Geographic coverage"," — if your organization operates in multiple countries, ensure the CB can support international audits",[31,10888,10889,10892],{},[34,10890,10891],{},"Auditor expertise"," — the quality of the audit depends heavily on the auditor assigned to your engagement",[31,10894,10895,10898],{},[34,10896,10897],{},"Reputation"," — CBs recognized by your customers and partners carry more weight",[31,10900,10901,10904],{},[34,10902,10903],{},"Cost and timeline"," — audit fees and scheduling availability vary between 
CBs",[20,10906,10908],{"id":10907},"what-independence-requirements-apply-to-certification-bodies","What independence requirements apply to certification bodies?",[16,10910,10911],{},"Certification bodies must maintain independence from the organizations they certify. A CB cannot provide consulting services to design or implement the ISMS and then audit it. This separation ensures objectivity in the certification process.",[16,10913,10914],{},"Some organizations engage a consulting firm for ISMS implementation and a separate certification body for the audit to maintain clear boundaries.",[20,10916,10918],{"id":10917},"what-happens-when-nonconformities-are-found","What happens when nonconformities are found?",[16,10920,10921],{},"During an audit, the certification body may identify:",[28,10923,10924,10930,10936],{},[31,10925,10926,10929],{},[34,10927,10928],{},"Major nonconformities"," — significant failures that prevent certification until resolved",[31,10931,10932,10935],{},[34,10933,10934],{},"Minor nonconformities"," — less critical issues that must be addressed within a defined timeframe",[31,10937,10938,10941],{},[34,10939,10940],{},"Opportunities for improvement"," — suggestions that are not required but recommended",[16,10943,10944],{},"Major nonconformities must be resolved and verified before the certificate can be issued. Minor nonconformities typically must be addressed before the next surveillance audit.",[20,10946,10948],{"id":10947},"how-does-episki-help-with-certification-bodies","How does episki help with certification bodies?",[16,10950,10951,10952,209],{},"episki prepares your organization for certification body audits by organizing your ISMS documentation, Statement of Applicability, risk treatment plans, and evidence in a structured format that auditors can easily review. The platform tracks nonconformities and corrective actions to ensure timely resolution. 
Learn more on our ",[205,10953,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":10955},[10956],{"id":10772,"depth":212,"text":10773,"children":10957},[10958,10959,10960,10961,10962,10963],{"id":10779,"depth":217,"text":10780},{"id":10826,"depth":217,"text":10827},{"id":10862,"depth":217,"text":10863},{"id":10907,"depth":217,"text":10908},{"id":10917,"depth":217,"text":10918},{"id":10947,"depth":217,"text":10948},{},[231],[231,3855,236,3249],{"title":10968,"description":10969},"What is a Certification Body? Definition & Compliance Guide","A certification body is an accredited organization that audits and certifies companies against standards like ISO 27001. Learn how to choose the right one.","8.glossary\u002Fcertification-body","tGGQs2JaSNO2oRdpjvRKWMpEOGaOW9QFE2G22SZIPHk",{"id":10973,"title":10974,"body":10975,"description":211,"extension":224,"lastUpdated":225,"meta":11176,"navigation":227,"path":11177,"relatedFrameworks":11178,"relatedTerms":11179,"seo":11180,"slug":234,"stem":11183,"term":10980,"__hash__":11184},"glossary\u002F8.glossary\u002Fcontrol-framework.md","Control Framework",{"type":8,"value":10976,"toc":11166},[10977,10981,10984,10988,10991,11022,11026,11029,11065,11069,11072,11104,11108,11111,11114,11118,11121,11157,11161],[11,10978,10980],{"id":10979},"what-is-a-control-framework","What is a Control Framework?",[16,10982,10983],{},"A control framework is a structured collection of security controls, guidelines, and best practices that organizations use to design, implement, and evaluate their information security programs. Control frameworks provide a systematic approach to managing security risks by defining what controls should exist and how they should be organized.",[20,10985,10987],{"id":10986},"why-do-control-frameworks-matter","Why do control frameworks matter?",[16,10989,10990],{},"Without a framework, security programs tend to develop organically — addressing risks as they arise without a cohesive structure. 
This leads to gaps in coverage, duplicated efforts, and difficulty demonstrating security posture to stakeholders. Control frameworks provide:",[28,10992,10993,10999,11004,11010,11016],{},[31,10994,10995,10998],{},[34,10996,10997],{},"Comprehensiveness"," — a complete catalog of controls spanning all relevant security domains",[31,11000,11001,11003],{},[34,11002,3738],{}," — logical organization of controls into categories and domains",[31,11005,11006,11009],{},[34,11007,11008],{},"Common language"," — standardized terminology for discussing security with auditors, customers, and partners",[31,11011,11012,11015],{},[34,11013,11014],{},"Benchmarking"," — a reference point for measuring maturity and identifying gaps",[31,11017,11018,11021],{},[34,11019,11020],{},"Compliance alignment"," — mapping to regulatory and contractual requirements",[20,11023,11025],{"id":11024},"what-are-common-control-frameworks","What are common control frameworks?",[16,11027,11028],{},"Several widely adopted control frameworks exist, each with a different focus:",[28,11030,11031,11037,11043,11048,11053,11059],{},[31,11032,11033,11036],{},[34,11034,11035],{},"SOC 2 Trust Services Criteria"," — evaluates controls across security, availability, processing integrity, confidentiality, and privacy for service organizations",[31,11038,11039,11042],{},[34,11040,11041],{},"ISO 27001 Annex A"," — provides 93 controls across organizational, people, physical, and technological themes for information security management",[31,11044,11045,11047],{},[34,11046,6020],{}," — organizes security activities into five functions: Identify, Protect, Detect, Respond, and Recover",[31,11049,11050,11052],{},[34,11051,6026],{}," — a comprehensive catalog of security and privacy controls used primarily by US federal agencies and their contractors",[31,11054,11055,11058],{},[34,11056,11057],{},"CIS Controls"," — a prioritized set of actions (18 controls) that form a practical starting point for cybersecurity 
defense",[31,11060,11061,11064],{},[34,11062,11063],{},"COBIT"," — a framework for IT governance and management",[20,11066,11068],{"id":11067},"how-do-you-choose-a-control-framework","How do you choose a control framework?",[16,11070,11071],{},"The right framework depends on your organization's needs:",[28,11073,11074,11080,11086,11092,11098],{},[31,11075,11076,11079],{},[34,11077,11078],{},"Customer requirements"," — if customers require SOC 2 reports, the Trust Services Criteria will be your primary framework",[31,11081,11082,11085],{},[34,11083,11084],{},"Certification goals"," — if you need ISO 27001 certification, Annex A is the relevant control set",[31,11087,11088,11091],{},[34,11089,11090],{},"Industry"," — some industries have specific frameworks (HITRUST for healthcare, PCI DSS for payment cards)",[31,11093,11094,11097],{},[34,11095,11096],{},"Maturity level"," — organizations early in their security journey may start with CIS Controls, while more mature programs adopt NIST SP 800-53",[31,11099,11100,11103],{},[34,11101,11102],{},"Geography"," — ISO 27001 is globally recognized, while some frameworks are more region-specific",[20,11105,11107],{"id":11106},"how-do-you-map-controls-across-multiple-frameworks","How do you map controls across multiple frameworks?",[16,11109,11110],{},"Many organizations must comply with multiple frameworks simultaneously. Cross-framework mapping identifies where controls overlap, allowing a single control to satisfy requirements from multiple frameworks. 
For example, an access control policy might satisfy SOC 2 CC6.1, ISO 27001 A.5.15, and NIST CSF PR.AC-1.",[16,11112,11113],{},"Effective multi-framework mapping reduces duplication and helps organizations manage compliance efficiently.",[20,11115,11117],{"id":11116},"how-do-you-implement-a-control-framework","How do you implement a control framework?",[16,11119,11120],{},"Implementation typically follows these phases:",[155,11122,11123,11129,11134,11140,11145,11151],{},[31,11124,11125,11128],{},[34,11126,11127],{},"Gap assessment"," — compare current controls against the framework to identify gaps",[31,11130,11131,11133],{},[34,11132,7514],{}," — rank gaps by risk impact and effort required",[31,11135,11136,11139],{},[34,11137,11138],{},"Control design"," — design controls to address identified gaps",[31,11141,11142,11144],{},[34,11143,1537],{}," — deploy controls through policies, processes, and technology",[31,11146,11147,11150],{},[34,11148,11149],{},"Evidence collection"," — establish processes to collect and maintain compliance evidence",[31,11152,11153,11156],{},[34,11154,11155],{},"Monitoring and review"," — continuously assess control effectiveness and address changes",[20,11158,11160],{"id":11159},"how-does-episki-help-with-control-frameworks","How does episki help with control frameworks?",[16,11162,11163,11164,209],{},"episki supports multiple control frameworks out of the box with pre-built mappings between them. The platform lets you manage a single set of controls that maps to SOC 2, ISO 27001, NIST CSF, and other frameworks simultaneously, eliminating duplicate effort. 
Learn more on our ",[205,11165,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":11167},[11168],{"id":10979,"depth":212,"text":10980,"children":11169},[11170,11171,11172,11173,11174,11175],{"id":10986,"depth":217,"text":10987},{"id":11024,"depth":217,"text":11025},{"id":11067,"depth":217,"text":11068},{"id":11106,"depth":217,"text":11107},{"id":11116,"depth":217,"text":11117},{"id":11159,"depth":217,"text":11160},{},"\u002Fglossary\u002Fcontrol-framework",[230,231,985],[240,1420,2972,233,235],{"title":11181,"description":11182},"What is a Control Framework? Definition & Compliance Guide","A control framework is a structured set of security controls and guidelines that organizations use to build and evaluate their security programs.","8.glossary\u002Fcontrol-framework","l51hViZJUNfZhxJcG_3gNPwVkEmK97R6TuCyFHlE8rs",{"id":11186,"title":11187,"body":11188,"description":211,"extension":224,"lastUpdated":225,"meta":11360,"navigation":227,"path":11361,"relatedFrameworks":11362,"relatedTerms":11363,"seo":11364,"slug":1177,"stem":11367,"term":11193,"__hash__":11368},"glossary\u002F8.glossary\u002Fcovered-entity.md","Covered Entity",{"type":8,"value":11189,"toc":11351},[11190,11194,11197,11201,11207,11230,11233,11239,11259,11265,11269,11272,11300,11304,11307,11321,11324,11328,11331,11339,11342,11346],[11,11191,11193],{"id":11192},"what-is-a-covered-entity","What is a Covered Entity?",[16,11195,11196],{},"A covered entity is an organization that is directly subject to HIPAA regulations. HIPAA defines three categories of covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. 
Understanding whether your organization qualifies as a covered entity is the first step in determining your HIPAA compliance obligations.",[20,11198,11200],{"id":11199},"what-are-the-three-types-of-covered-entities","What are the three types of covered entities?",[16,11202,11203,11206],{},[34,11204,11205],{},"Healthcare providers"," — any provider of medical or health services who transmits health information in electronic form in connection with a HIPAA-covered transaction. This includes:",[28,11208,11209,11212,11215,11218,11221,11224,11227],{},[31,11210,11211],{},"Hospitals and health systems",[31,11213,11214],{},"Physicians and medical practices",[31,11216,11217],{},"Dentists, chiropractors, and other licensed practitioners",[31,11219,11220],{},"Pharmacies",[31,11222,11223],{},"Clinics and urgent care centers",[31,11225,11226],{},"Nursing facilities",[31,11228,11229],{},"Home health agencies",[16,11231,11232],{},"The key qualifier is electronic transmission. A healthcare provider that conducts all transactions on paper and never transmits health information electronically may not be a covered entity. However, in practice, nearly all providers today transmit information electronically.",[16,11234,11235,11238],{},[34,11236,11237],{},"Health plans"," — organizations that provide or pay for the cost of healthcare. This includes:",[28,11240,11241,11244,11247,11250,11253,11256],{},[31,11242,11243],{},"Health insurance companies",[31,11245,11246],{},"HMOs (Health Maintenance Organizations)",[31,11248,11249],{},"Employer-sponsored group health plans",[31,11251,11252],{},"Government programs such as Medicare, Medicaid, and TRICARE",[31,11254,11255],{},"Long-term care insurance providers",[31,11257,11258],{},"Employee assistance programs that provide health benefits",[16,11260,11261,11264],{},[34,11262,11263],{},"Healthcare clearinghouses"," — entities that process health information received from another entity into a standard format (or vice versa). 
Clearinghouses typically sit between providers and health plans, translating data into standardized transaction formats.",[20,11266,11268],{"id":11267},"what-are-covered-entity-responsibilities","What are covered entity responsibilities?",[16,11270,11271],{},"As a covered entity, an organization must comply with all HIPAA rules:",[28,11273,11274,11279,11284,11289,11294],{},[31,11275,11276,11278],{},[34,11277,2997],{}," — governs the use and disclosure of PHI, grants individuals rights over their health information, and requires privacy notices",[31,11280,11281,11283],{},[34,11282,610],{}," — requires administrative, physical, and technical safeguards to protect ePHI",[31,11285,11286,11288],{},[34,11287,3008],{}," — mandates notification of affected individuals, HHS, and potentially media following a breach of unsecured PHI",[31,11290,11291,11293],{},[34,11292,3014],{}," — establishes penalties for noncompliance",[31,11295,11296,11299],{},[34,11297,11298],{},"Omnibus Rule"," — extends certain requirements to business associates and strengthens breach notification provisions",[20,11301,11303],{"id":11302},"what-is-the-difference-between-a-covered-entity-and-a-business-associate","What is the difference between a covered entity and a business associate?",[16,11305,11306],{},"The distinction between covered entities and business associates is critical:",[28,11308,11309,11315],{},[31,11310,67,11311,11314],{},[34,11312,11313],{},"covered entity"," is directly regulated under HIPAA and bears primary responsibility for PHI protection",[31,11316,67,11317,11320],{},[34,11318,11319],{},"business associate"," is a vendor or partner that handles PHI on behalf of a covered entity and is regulated through BAAs and certain direct HIPAA obligations",[16,11322,11323],{},"A technology company that builds software for a hospital is typically a business associate, not a covered entity. The hospital is the covered entity. 
However, both have compliance obligations — the covered entity through direct regulation and the business associate through its BAA and HITECH Act provisions.",[20,11325,11327],{"id":11326},"how-do-you-determine-if-you-are-a-covered-entity","How do you determine if you are a covered entity?",[16,11329,11330],{},"To determine whether your organization is a covered entity:",[155,11332,11333,11336],{},[31,11334,11335],{},"Does your organization provide healthcare services, operate a health plan, or function as a clearinghouse?",[31,11337,11338],{},"Does your organization transmit health information electronically in connection with covered transactions (such as claims, eligibility inquiries, or referral authorizations)?",[16,11340,11341],{},"If both answers are yes, your organization is likely a covered entity. If you are unsure, the HHS website provides a covered entity decision tool.",[20,11343,11345],{"id":11344},"how-does-episki-help-with-covered-entities","How does episki help with covered entities?",[16,11347,11348,11349,209],{},"episki helps covered entities manage their HIPAA compliance obligations by tracking required safeguards, documenting policies and procedures, managing business associate agreements, and maintaining breach notification workflows. Learn more on our ",[205,11350,1160],{"href":604},{"title":211,"searchDepth":212,"depth":212,"links":11352},[11353],{"id":11192,"depth":212,"text":11193,"children":11354},[11355,11356,11357,11358,11359],{"id":11199,"depth":217,"text":11200},{"id":11267,"depth":217,"text":11268},{"id":11302,"depth":217,"text":11303},{"id":11326,"depth":217,"text":11327},{"id":11344,"depth":217,"text":11345},{},"\u002Fglossary\u002Fcovered-entity",[983],[983,1175,3092,1178,1183],{"title":11365,"description":11366},"What is a Covered Entity? 
Definition & Compliance Guide","A covered entity under HIPAA is a health plan, healthcare provider, or healthcare clearinghouse that transmits health information electronically.","8.glossary\u002Fcovered-entity","65vmoU7rf4rWSBUE_tgrgq6iiAwhbZUZb-vnD69V3v8",{"id":11370,"title":11371,"body":11372,"description":211,"extension":224,"lastUpdated":225,"meta":11486,"navigation":227,"path":11487,"relatedFrameworks":11488,"relatedTerms":11489,"seo":11490,"slug":6218,"stem":11493,"term":11377,"__hash__":11494},"glossary\u002F8.glossary\u002Ffirewall.md","Firewall",{"type":8,"value":11373,"toc":11478},[11374,11378,11381,11385,11417,11421,11424,11446,11450,11469,11473],[11,11375,11377],{"id":11376},"what-is-a-firewall","What is a Firewall?",[16,11379,11380],{},"A firewall is a security system that monitors and controls network traffic based on predefined rules. It acts as a barrier between trusted internal networks and untrusted external ones, inspecting incoming and outgoing packets to enforce an organization's security policy.",[20,11382,11384],{"id":11383},"what-are-the-types-of-firewalls","What are the types of firewalls?",[28,11386,11387,11393,11399,11405,11411],{},[31,11388,11389,11392],{},[34,11390,11391],{},"Packet-filtering firewalls"," — inspect individual packets against a set of rules based on IP addresses, ports, and protocols. 
Simple and fast but limited in context.",[31,11394,11395,11398],{},[34,11396,11397],{},"Stateful inspection firewalls"," — track the state of active connections and make decisions based on the context of traffic, not just individual packets.",[31,11400,11401,11404],{},[34,11402,11403],{},"Next-generation firewalls (NGFW)"," — combine traditional firewall capabilities with intrusion prevention, application awareness, and deep packet inspection.",[31,11406,11407,11410],{},[34,11408,11409],{},"Web application firewalls (WAF)"," — specifically protect web applications by filtering and monitoring HTTP traffic between the application and the internet.",[31,11412,11413,11416],{},[34,11414,11415],{},"Cloud firewalls"," — delivered as a service to protect cloud-based infrastructure and applications.",[20,11418,11420],{"id":11419},"how-do-compliance-frameworks-address-firewalls","How do compliance frameworks address firewalls?",[16,11422,11423],{},"Firewalls are a foundational control across compliance standards:",[28,11425,11426,11431,11436,11441],{},[31,11427,11428,11430],{},[34,11429,48],{}," — Requirement 1 mandates installing and maintaining firewall configurations to protect cardholder data.",[31,11432,11433,11435],{},[34,11434,42],{}," — Network security controls (A.8.20, A.8.21) require network segmentation and filtering.",[31,11437,11438,11440],{},[34,11439,54],{}," — PR.AC and PR.PT cover network protection and access enforcement.",[31,11442,11443,11445],{},[34,11444,36],{}," — CC6.6 requires restricting access through network security controls.",[20,11447,11449],{"id":11448},"what-are-best-practices-for-firewalls","What are best practices for firewalls?",[28,11451,11452,11455,11458,11461,11464],{},[31,11453,11454],{},"Define explicit allow and deny rules rather than relying on default configurations",[31,11456,11457],{},"Segment networks to limit lateral movement in the event of a breach",[31,11459,11460],{},"Review and update firewall rules regularly to remove 
stale or overly permissive entries",[31,11462,11463],{},"Log all firewall activity and monitor logs for anomalies",[31,11465,11466,11467],{},"Test firewall configurations as part of regular ",[205,11468,6195],{"href":6194},[20,11470,11472],{"id":11471},"how-does-episki-help-with-firewalls","How does episki help with firewalls?",[16,11474,11475,11476,209],{},"episki tracks firewall-related controls, links them to evidence like configuration exports and rule reviews, and sends reminders when periodic reviews are due. Learn more on our ",[205,11477,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":11479},[11480],{"id":11376,"depth":212,"text":11377,"children":11481},[11482,11483,11484,11485],{"id":11383,"depth":217,"text":11384},{"id":11419,"depth":217,"text":11420},{"id":11448,"depth":217,"text":11449},{"id":11471,"depth":217,"text":11472},{},"\u002Fglossary\u002Ffirewall",[982,984,231,985],[992,6222,5749],{"title":11491,"description":11492},"What is a Firewall? Definition & Compliance Guide","A firewall is a security system that monitors and controls network traffic based on predefined rules, acting as a barrier between trusted internal networks and untrusted external ones.","8.glossary\u002Ffirewall","d_tDCxyFul3bT18aYdQvTB0Erzn8iM00wNVDbeNQM1Y",{"id":11496,"title":5324,"body":11497,"description":211,"extension":224,"lastUpdated":225,"meta":11601,"navigation":227,"path":11602,"relatedFrameworks":11603,"relatedTerms":11604,"seo":11605,"slug":6081,"stem":11608,"term":11502,"__hash__":11609},"glossary\u002F8.glossary\u002Fframework.md",{"type":8,"value":11498,"toc":11593},[11499,11503,11506,11510,11537,11541,11544,11563,11567,11570,11584,11588],[11,11500,11502],{"id":11501},"what-is-a-framework","What is a Framework?",[16,11504,11505],{},"A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. 
Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.",[20,11507,11509],{"id":11508},"what-are-common-compliance-frameworks","What are common compliance frameworks?",[28,11511,11512,11517,11522,11527,11532],{},[31,11513,11514,11516],{},[34,11515,42],{}," — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.",[31,11518,11519,11521],{},[34,11520,36],{}," — a reporting framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.",[31,11523,11524,11526],{},[34,11525,605],{}," — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.",[31,11528,11529,11531],{},[34,11530,48],{}," — a set of security standards for organizations that handle payment card data.",[31,11533,11534,11536],{},[34,11535,54],{}," — a voluntary framework published by the National Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk.",[20,11538,11540],{"id":11539},"what-is-the-difference-between-a-framework-a-standard-and-a-regulation","What is the difference between a framework, a standard, and a regulation?",[16,11542,11543],{},"These terms are often used interchangeably but have important distinctions:",[28,11545,11546,11551,11557],{},[31,11547,11548,11550],{},[34,11549,5324],{}," — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).",[31,11552,11553,11556],{},[34,11554,11555],{},"Standard"," — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).",[31,11558,11559,11562],{},[34,11560,11561],{},"Regulation"," — a legally binding requirement enforced by a governing body (e.g., HIPAA, 
GDPR).",[20,11564,11566],{"id":11565},"how-do-you-choose-a-framework","How do you choose a framework?",[16,11568,11569],{},"When selecting a framework, consider:",[28,11571,11572,11575,11578,11581],{},[31,11573,11574],{},"Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001",[31,11576,11577],{},"Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS",[31,11579,11580],{},"Geographic scope — GDPR for organizations handling EU data",[31,11582,11583],{},"Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs",[20,11585,11587],{"id":11586},"how-does-episki-help-with-compliance-frameworks","How does episki help with compliance frameworks?",[16,11589,11590,11591,209],{},"episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. Learn more on our ",[205,11592,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":11594},[11595],{"id":11501,"depth":212,"text":11502,"children":11596},[11597,11598,11599,11600],{"id":11508,"depth":217,"text":11509},{"id":11539,"depth":217,"text":11540},{"id":11565,"depth":217,"text":11566},{"id":11586,"depth":217,"text":11587},{},"\u002Fglossary\u002Fframework",[230,231,983,984,985],[234,240,2972],{"title":11606,"description":11607},"What is a Framework? Definition & Compliance Guide","A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. 
Common examples include ISO 27001, SOC 2, and NIST CSF.","8.glossary\u002Fframework","CdMCpQrbry3zSa1fdtsyViYMvkP88wOS8pALWkyZ5Mo",{"id":11611,"title":11612,"body":11613,"description":211,"extension":224,"lastUpdated":225,"meta":11833,"navigation":227,"path":4885,"relatedFrameworks":11834,"relatedTerms":11835,"seo":11836,"slug":2176,"stem":11839,"term":11618,"__hash__":11840},"glossary\u002F8.glossary\u002Fpan.md","Pan",{"type":8,"value":11614,"toc":11822},[11615,11619,11622,11626,11629,11649,11653,11656,11680,11683,11687,11690,11696,11710,11716,11722,11726,11729,11749,11752,11756,11759,11783,11787,11790,11810,11813,11817],[11,11616,11618],{"id":11617},"what-is-a-primary-account-number-pan","What is a Primary Account Number (PAN)?",[16,11620,11621],{},"The Primary Account Number (PAN) is the unique number embossed or printed on a payment card (credit or debit card) that identifies the card issuer and the cardholder's account. The PAN is the defining data element in PCI DSS — if your systems store, process, or transmit PAN data, PCI DSS requirements apply.",[20,11623,11625],{"id":11624},"what-is-the-structure-of-a-pan","What is the structure of a PAN?",[16,11627,11628],{},"A PAN typically consists of 13 to 19 digits:",[28,11630,11631,11637,11643],{},[31,11632,11633,11636],{},[34,11634,11635],{},"Issuer Identification Number (IIN)"," — the first 6-8 digits identify the card issuer and payment network (e.g., Visa cards start with 4, Mastercard with 51-55 or 2221-2720)",[31,11638,11639,11642],{},[34,11640,11641],{},"Account number"," — the middle digits identify the individual cardholder account",[31,11644,11645,11648],{},[34,11646,11647],{},"Check digit"," — the last digit is calculated using the Luhn algorithm and serves as a validation check",[20,11650,11652],{"id":11651},"how-does-pan-affect-pci-dss-scope","How does PAN affect PCI DSS scope?",[16,11654,11655],{},"The presence of PAN is the primary factor that brings systems into PCI DSS scope. 
PCI DSS defines cardholder data as:",[28,11657,11658,11664,11670,11675],{},[31,11659,11660,11663],{},[34,11661,11662],{},"PAN"," — always triggers PCI DSS scope",[31,11665,11666,11669],{},[34,11667,11668],{},"Cardholder name"," — protected when stored with PAN",[31,11671,11672,11669],{},[34,11673,11674],{},"Expiration date",[31,11676,11677,11669],{},[34,11678,11679],{},"Service code",[16,11681,11682],{},"If PAN is not stored, processed, or transmitted, the other data elements alone do not trigger PCI DSS requirements. This is why many organizations focus on eliminating PAN from their environment wherever possible.",[20,11684,11686],{"id":11685},"how-do-you-protect-pan","How do you protect PAN?",[16,11688,11689],{},"PCI DSS specifies several requirements for protecting PAN:",[16,11691,11692,11695],{},[34,11693,11694],{},"Rendering PAN unreadable when stored"," — PAN must be rendered unreadable anywhere it is stored using one of these methods:",[28,11697,11698,11701,11704,11707],{},[31,11699,11700],{},"One-way hashing with strong cryptography",[31,11702,11703],{},"Truncation (retaining no more than the first 6 and last 4 digits)",[31,11705,11706],{},"Index tokens and pads (tokenization)",[31,11708,11709],{},"Strong cryptography with associated key management",[16,11711,11712,11715],{},[34,11713,11714],{},"Masking PAN when displayed"," — PAN must be masked when displayed, showing no more than the first 6 and last 4 digits. 
Only personnel with a legitimate business need should see more than the masked PAN.",[16,11717,11718,11721],{},[34,11719,11720],{},"Encrypting PAN in transit"," — PAN must be encrypted when transmitted across open, public networks using strong cryptography.",[20,11723,11725],{"id":11724},"what-is-the-difference-between-pan-and-sensitive-authentication-data","What is the difference between PAN and sensitive authentication data?",[16,11727,11728],{},"PCI DSS distinguishes between cardholder data (which includes PAN) and sensitive authentication data, which includes:",[28,11730,11731,11737,11743],{},[31,11732,11733,11736],{},[34,11734,11735],{},"Full track data"," — magnetic stripe or chip data",[31,11738,11739,11742],{},[34,11740,11741],{},"CAV2\u002FCVC2\u002FCVV2\u002FCID"," — the card verification code",[31,11744,11745,11748],{},[34,11746,11747],{},"PIN\u002FPIN block"," — personal identification number",[16,11750,11751],{},"Sensitive authentication data must never be stored after authorization, even if encrypted. 
This is stricter than PAN storage rules, which permit storage if the PAN is rendered unreadable.",[20,11753,11755],{"id":11754},"how-do-you-minimize-pan-exposure","How do you minimize PAN exposure?",[16,11757,11758],{},"Organizations should minimize PAN exposure through:",[28,11760,11761,11766,11771,11777],{},[31,11762,11763,11765],{},[34,11764,6835],{}," — replace PAN with non-sensitive tokens for downstream processing",[31,11767,11768,11770],{},[34,11769,6841],{}," — encrypt PAN from the point of capture to the payment processor",[31,11772,11773,11776],{},[34,11774,11775],{},"Data minimization"," — avoid storing PAN when not necessary for business purposes",[31,11778,11779,11782],{},[34,11780,11781],{},"Scope reduction"," — isolate systems that must handle PAN from the rest of the network",[20,11784,11786],{"id":11785},"how-does-data-discovery-support-pan-protection","How does data discovery support PAN protection?",[16,11788,11789],{},"Organizations should regularly scan their environments for unintended PAN storage. PAN can end up in unexpected locations such as:",[28,11791,11792,11795,11798,11801,11804,11807],{},[31,11793,11794],{},"Log files",[31,11796,11797],{},"Email systems",[31,11799,11800],{},"Backup tapes",[31,11802,11803],{},"Test and development environments",[31,11805,11806],{},"Spreadsheets and reports",[31,11808,11809],{},"Helpdesk ticket systems",[16,11811,11812],{},"Data discovery tools that recognize PAN patterns (using the Luhn algorithm) can identify these hidden exposures.",[20,11814,11816],{"id":11815},"how-does-episki-help-with-pan","How does episki help with PAN?",[16,11818,11819,11820,209],{},"episki tracks where PAN exists in your environment, documents protection measures, and monitors compliance with PAN handling requirements. The platform helps you maintain a current inventory of PAN storage locations and flags any gaps in protection. 
Learn more on our ",[205,11821,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":11823},[11824],{"id":11617,"depth":212,"text":11618,"children":11825},[11826,11827,11828,11829,11830,11831,11832],{"id":11624,"depth":217,"text":11625},{"id":11651,"depth":217,"text":11652},{"id":11685,"depth":217,"text":11686},{"id":11724,"depth":217,"text":11725},{"id":11754,"depth":217,"text":11755},{"id":11785,"depth":217,"text":11786},{"id":11815,"depth":217,"text":11816},{},[984],[6684,6680,2635,933,6941],{"title":11837,"description":11838},"PAN (Primary Account Number): PCI DSS Scope & Protection","The PAN is the card number that triggers PCI DSS scope. Learn how to mask, tokenize, and encrypt PAN data to meet PCI DSS requirements.","8.glossary\u002Fpan","FlcQKUGWd0bBXg66e4ctE8t9fskfCazvztWujJSzk3s",{"id":11842,"title":11843,"body":11844,"description":211,"extension":224,"lastUpdated":225,"meta":12036,"navigation":227,"path":12037,"relatedFrameworks":12038,"relatedTerms":12039,"seo":12040,"slug":6678,"stem":12043,"term":11849,"__hash__":12044},"glossary\u002F8.glossary\u002Fqsa.md","Qsa",{"type":8,"value":11845,"toc":12026},[11846,11850,11853,11857,11860,11865,11882,11887,11901,11905,11908,11946,11950,11953,11973,11977,11980,12010,12014,12017,12021],[11,11847,11849],{"id":11848},"what-is-a-qualified-security-assessor-qsa","What is a Qualified Security Assessor (QSA)?",[16,11851,11852],{},"A Qualified Security Assessor (QSA) is a security professional employed by a QSA company that has been certified by the PCI Security Standards Council (PCI SSC) to perform on-site PCI DSS assessments. 
QSAs evaluate whether merchants and service providers meet PCI DSS requirements and produce the Report on Compliance (ROC) that documents their findings.",[20,11854,11856],{"id":11855},"what-are-the-qsa-certification-requirements","What are the QSA certification requirements?",[16,11858,11859],{},"To become a QSA, both the individual and their employing organization must meet PCI SSC requirements:",[16,11861,11862],{},[34,11863,11864],{},"QSA company requirements:",[28,11866,11867,11870,11873,11876,11879],{},[31,11868,11869],{},"Apply to and be approved by the PCI SSC",[31,11871,11872],{},"Maintain appropriate insurance coverage",[31,11874,11875],{},"Employ certified QSA individuals",[31,11877,11878],{},"Follow PCI SSC quality assurance procedures",[31,11880,11881],{},"Undergo annual requalification",[16,11883,11884],{},[34,11885,11886],{},"Individual QSA requirements:",[28,11888,11889,11892,11895,11898],{},[31,11890,11891],{},"Complete PCI SSC QSA training and pass the certification exam",[31,11893,11894],{},"Demonstrate relevant information security experience",[31,11896,11897],{},"Maintain the certification through annual requalification and continuing education",[31,11899,11900],{},"Adhere to the PCI SSC Code of Professional Responsibility",[20,11902,11904],{"id":11903},"what-do-qsas-do","What do QSAs do?",[16,11906,11907],{},"During a PCI DSS assessment, a QSA:",[28,11909,11910,11916,11922,11928,11934,11940],{},[31,11911,11912,11915],{},[34,11913,11914],{},"Defines scope"," — works with the organization to identify the cardholder data environment and all connected systems",[31,11917,11918,11921],{},[34,11919,11920],{},"Reviews documentation"," — examines policies, procedures, network diagrams, and data flow diagrams",[31,11923,11924,11927],{},[34,11925,11926],{},"Tests controls"," — verifies that required security controls are in place and operating effectively through observation, interview, and technical 
testing",[31,11929,11930,11933],{},[34,11931,11932],{},"Identifies gaps"," — documents areas where the organization does not meet PCI DSS requirements",[31,11935,11936,11939],{},[34,11937,11938],{},"Produces the ROC"," — creates the formal Report on Compliance documenting the assessment findings",[31,11941,11942,11945],{},[34,11943,11944],{},"Issues the AOC"," — provides the Attestation of Compliance confirming the assessment results",[20,11947,11949],{"id":11948},"when-is-a-qsa-required","When is a QSA required?",[16,11951,11952],{},"Not all organizations need a QSA-led assessment. The requirement depends on transaction volume and payment brand rules:",[28,11954,11955,11961,11967],{},[31,11956,11957,11960],{},[34,11958,11959],{},"Level 1 merchants"," — typically defined as processing over 6 million transactions annually (thresholds vary by payment brand). These merchants must have an annual on-site assessment by a QSA.",[31,11962,11963,11966],{},[34,11964,11965],{},"Level 1 service providers"," — service providers that store, process, or transmit large volumes of cardholder data must also undergo QSA assessments.",[31,11968,11969,11972],{},[34,11970,11971],{},"Lower-level merchants"," — may self-assess using SAQs, though they can optionally engage a QSA for guidance.",[20,11974,11976],{"id":11975},"how-do-you-choose-a-qsa","How do you choose a QSA?",[16,11978,11979],{},"Selecting the right QSA impacts the quality and efficiency of your assessment. 
Consider:",[28,11981,11982,11987,11993,11999,12004],{},[31,11983,11984,11986],{},[34,11985,10879],{}," — a QSA familiar with your industry understands typical payment flows and common risks",[31,11988,11989,11992],{},[34,11990,11991],{},"Technical depth"," — the QSA should understand modern architectures including cloud, containers, and microservices",[31,11994,11995,11998],{},[34,11996,11997],{},"Communication"," — the QSA should clearly explain findings and work collaboratively, not adversarially",[31,12000,12001,12003],{},[34,12002,8045],{}," — confirm the QSA's schedule aligns with your assessment timeline",[31,12005,12006,12009],{},[34,12007,12008],{},"References"," — ask for references from organizations of similar size and complexity",[20,12011,12013],{"id":12012},"what-is-the-difference-between-a-qsa-and-an-isa","What is the difference between a QSA and an ISA?",[16,12015,12016],{},"An Internal Security Assessor (ISA) is an alternative for organizations that want to conduct assessments internally. ISAs complete PCI SSC training similar to QSAs but are employed by the organization being assessed. ISAs can perform assessments for their own organization but cannot assess external entities.",[20,12018,12020],{"id":12019},"how-does-episki-help-with-a-qsa","How does episki help with a QSA?",[16,12022,12023,12024,209],{},"episki organizes your PCI DSS controls and evidence in a format aligned with QSA expectations, reducing the time and friction during assessment fieldwork. The platform provides a secure portal for QSA access to documentation and evidence. 
Learn more on our ",[205,12025,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":12027},[12028],{"id":11848,"depth":212,"text":11849,"children":12029},[12030,12031,12032,12033,12034,12035],{"id":11855,"depth":217,"text":11856},{"id":11903,"depth":217,"text":11904},{"id":11948,"depth":217,"text":11949},{"id":11975,"depth":217,"text":11976},{"id":12012,"depth":217,"text":12013},{"id":12019,"depth":217,"text":12020},{},"\u002Fglossary\u002Fqsa",[984],[6684,6677,6679,6680,6941],{"title":12041,"description":12042},"What is a Qualified Security Assessor (QSA)? Definition & Compliance Guide","A Qualified Security Assessor (QSA) is a PCI SSC-certified professional who conducts on-site PCI DSS assessments. Learn how QSAs work and how to choose one.","8.glossary\u002Fqsa","QUiR54zJ_sm0UuFzITbB89CJ1p694JOhIKyCsVv3h5M",{"id":12046,"title":12047,"body":12048,"description":211,"extension":224,"lastUpdated":225,"meta":12646,"navigation":227,"path":6446,"relatedFrameworks":12647,"relatedTerms":12648,"seo":12649,"slug":1420,"stem":12652,"term":12053,"__hash__":12653},"glossary\u002F8.glossary\u002Frisk-register.md","Risk Register",{"type":8,"value":12049,"toc":12631},[12050,12054,12057,12061,12064,12138,12142,12145,12195,12199,12202,12234,12238,12241,12247,12253,12259,12266,12270,12273,12360,12363,12367,12373,12399,12402,12406,12409,12443,12447,12450,12553,12556,12560,12563,12592,12596,12599,12619,12622,12626],[11,12051,12053],{"id":12052},"what-is-a-risk-register","What is a Risk Register?",[16,12055,12056],{},"A risk register is a centralized document or tool that records identified risks, their assessment (likelihood and impact), assigned treatments, owners, and current status. 
It serves as the foundation of an organization's risk management program and is a key artifact required by frameworks including ISO 27001, SOC 2, and NIST CSF.",[20,12058,12060],{"id":12059},"what-does-a-risk-register-contain","What does a risk register contain?",[16,12062,12063],{},"A well-structured risk register typically includes the following fields for each risk:",[28,12065,12066,12072,12078,12084,12090,12096,12102,12108,12114,12120,12126,12132],{},[31,12067,12068,12071],{},[34,12069,12070],{},"Risk ID"," — a unique identifier for tracking",[31,12073,12074,12077],{},[34,12075,12076],{},"Risk description"," — a clear statement of the risk, typically describing the threat, vulnerability, and potential impact",[31,12079,12080,12083],{},[34,12081,12082],{},"Risk category"," — classification such as operational, technical, compliance, strategic, or third-party",[31,12085,12086,12089],{},[34,12087,12088],{},"Likelihood"," — the probability of the risk materializing (often rated on a scale such as 1-5 or low\u002Fmedium\u002Fhigh)",[31,12091,12092,12095],{},[34,12093,12094],{},"Impact"," — the potential consequence if the risk materializes (rated similarly)",[31,12097,12098,12101],{},[34,12099,12100],{},"Risk score"," — calculated from likelihood and impact (e.g., likelihood x impact)",[31,12103,12104,12107],{},[34,12105,12106],{},"Risk owner"," — the person accountable for managing the risk",[31,12109,12110,12113],{},[34,12111,12112],{},"Treatment option"," — mitigate, accept, transfer, or avoid",[31,12115,12116,12119],{},[34,12117,12118],{},"Controls"," — the specific controls implemented to address the risk",[31,12121,12122,12125],{},[34,12123,12124],{},"Residual risk"," — the remaining risk level after treatment is applied",[31,12127,12128,12131],{},[34,12129,12130],{},"Status"," — current state (open, in treatment, accepted, closed)",[31,12133,12134,12137],{},[34,12135,12136],{},"Review date"," — when the risk was last reviewed or when the next review is 
due",[20,12139,12141],{"id":12140},"how-do-you-build-a-risk-register","How do you build a risk register?",[16,12143,12144],{},"Creating a risk register follows a systematic process:",[155,12146,12147,12153,12159,12165,12171,12177,12183,12189],{},[31,12148,12149,12152],{},[34,12150,12151],{},"Identify risks"," — gather risks through workshops, interviews, threat modeling, vulnerability assessments, incident reviews, and industry threat intelligence",[31,12154,12155,12158],{},[34,12156,12157],{},"Assess each risk"," — evaluate the likelihood and impact of each risk to determine its severity",[31,12160,12161,12164],{},[34,12162,12163],{},"Prioritize"," — rank risks by their risk score to focus attention and resources on the most significant threats",[31,12166,12167,12170],{},[34,12168,12169],{},"Assign ownership"," — designate a responsible owner for each risk",[31,12172,12173,12176],{},[34,12174,12175],{},"Determine treatment"," — decide how each risk will be handled",[31,12178,12179,12182],{},[34,12180,12181],{},"Document controls"," — record the specific controls that address each risk",[31,12184,12185,12188],{},[34,12186,12187],{},"Calculate residual risk"," — assess the remaining risk after controls are applied",[31,12190,12191,12194],{},[34,12192,12193],{},"Review and approve"," — have management review and approve the register",[20,12196,12198],{"id":12197},"how-do-you-maintain-the-risk-register","How do you maintain the risk register?",[16,12200,12201],{},"A risk register is only valuable if it is kept current. 
Regular maintenance includes:",[28,12203,12204,12210,12216,12222,12228],{},[31,12205,12206,12209],{},[34,12207,12208],{},"Periodic reviews"," — review the full register at least quarterly, with management review at least annually",[31,12211,12212,12215],{},[34,12213,12214],{},"Triggered updates"," — update the register when significant changes occur (new systems, new services, organizational changes, incidents)",[31,12217,12218,12221],{},[34,12219,12220],{},"New risk identification"," — continuously identify and add new risks as the threat landscape evolves",[31,12223,12224,12227],{},[34,12225,12226],{},"Treatment progress tracking"," — monitor and update the status of risk treatment activities",[31,12229,12230,12233],{},[34,12231,12232],{},"Residual risk reassessment"," — re-evaluate residual risk as controls are implemented or change",[20,12235,12237],{"id":12236},"what-are-common-risk-scoring-methodologies","What are common risk scoring methodologies?",[16,12239,12240],{},"How you score risks determines how actionable the register is. The most common approaches:",[16,12242,12243,12246],{},[34,12244,12245],{},"Qualitative (low\u002Fmedium\u002Fhigh)"," — Fast and intuitive, useful for getting started or communicating with non-technical stakeholders. The downside is limited precision; everything tends to collect in the middle.",[16,12248,12249,12252],{},[34,12250,12251],{},"Semi-quantitative (1–5 scales)"," — A 5×5 matrix with likelihood and impact each rated 1 through 5 produces a 1–25 risk score. This is the most widely used approach because it balances simplicity with discrimination.",[16,12254,12255,12258],{},[34,12256,12257],{},"Quantitative (dollar-based)"," — Approaches like FAIR (Factor Analysis of Information Risk) estimate Annual Loss Expectancy in dollars. 
This is the gold standard for board reporting but requires more mature data and analyst time.",[16,12260,12261,12262,12265],{},"Most compliance programs start with a 5×5 matrix, then introduce quantitative methods for top-tier risks. Whichever scale you choose, ",[34,12263,12264],{},"document the definitions"," — what does \"likelihood 4\" actually mean in your organization? Without clear definitions, different raters produce wildly different scores.",[20,12267,12269],{"id":12268},"how-do-compliance-frameworks-address-risk-register","How do compliance frameworks address the risk register?",[16,12271,12272],{},"Different frameworks require or recommend risk registers, often with specific expectations:",[743,12274,12275,12286],{},[746,12276,12277],{},[749,12278,12279,12281,12283],{},[752,12280,5324],{},[752,12282,754],{},[752,12284,12285],{},"Specific reference",[766,12287,12288,12300,12312,12324,12336,12348],{},[749,12289,12290,12294,12297],{},[771,12291,12292],{},[34,12293,42],{},[771,12295,12296],{},"Documented risk assessment process with register as artifact",[771,12298,12299],{},"Clause 6.1.2 and 8.2",[749,12301,12302,12306,12309],{},[771,12303,12304],{},[34,12305,36],{},[771,12307,12308],{},"Risk identification, assessment, and response",[771,12310,12311],{},"CC3.1–CC3.4",[749,12313,12314,12318,12321],{},[771,12315,12316],{},[34,12317,54],{},[771,12319,12320],{},"Risk assessment and risk management strategy",[771,12322,12323],{},"ID.RA and GV.RM (new in 2.0)",[749,12325,12326,12330,12333],{},[771,12327,12328],{},[34,12329,605],{},[771,12331,12332],{},"Risk analysis for ePHI",[771,12334,12335],{},"§164.308(a)(1)(ii)(A)",[749,12337,12338,12342,12345],{},[771,12339,12340],{},[34,12341,48],{},[771,12343,12344],{},"Targeted risk analyses for specific requirements",[771,12346,12347],{},"PCI DSS v4.0 Req 12.3.1",[749,12349,12350,12354,12357],{},[771,12351,12352],{},[34,12353,4704],{},[771,12355,12356],{},"Risk management practices",[771,12358,12359],{},"RA.L2-3.11.1 
through 3.11.3",[16,12361,12362],{},"Auditors typically look for: documented scoring criteria, evidence of regular review cadence, treatment decisions tied to each risk, and linkage between risks and controls. A register without review dates, owner signatures, or treatment tracking will draw findings even if the risks themselves are well-identified.",[20,12364,12366],{"id":12365},"what-are-the-risk-treatment-options","What are the risk treatment options?",[16,12368,12369,12370,12372],{},"For each risk, pick one of four treatment strategies (often documented in a parallel ",[205,12371,6455],{"href":6454},"):",[28,12374,12375,12381,12387,12393],{},[31,12376,12377,12380],{},[34,12378,12379],{},"Mitigate"," — implement controls to reduce likelihood or impact. Most common choice. Example: deploy MFA to reduce account takeover likelihood.",[31,12382,12383,12386],{},[34,12384,12385],{},"Accept"," — acknowledge the risk as within tolerance and proceed. Requires documented rationale and, for significant risks, executive sign-off.",[31,12388,12389,12392],{},[34,12390,12391],{},"Transfer"," — shift the risk to a third party via insurance, contract, or outsourcing. Cyber insurance is the canonical example.",[31,12394,12395,12398],{},[34,12396,12397],{},"Avoid"," — eliminate the activity causing the risk. Example: decide not to launch a feature in a high-risk jurisdiction.",[16,12400,12401],{},"Residual risk — the risk remaining after treatment — must be reassessed and either accepted or subjected to additional treatment. Chained mitigation (stacking controls) is a legitimate strategy for high-severity risks.",[20,12403,12405],{"id":12404},"how-do-you-connect-the-risk-register-to-operational-workflows","How do you connect the risk register to operational workflows?",[16,12407,12408],{},"A risk register that lives in isolation quickly goes stale. 
High-performing programs integrate it with:",[28,12410,12411,12419,12426,12431,12437],{},[31,12412,12413,12418],{},[34,12414,12415],{},[205,12416,12417],{"href":9733},"Vendor risk management"," — third-party risks from vendor assessments feed into the enterprise register",[31,12420,12421,12425],{},[34,12422,12423],{},[205,12424,1998],{"href":4296}," — post-incident reviews identify new risks or update likelihood scores for known ones",[31,12427,12428,12430],{},[34,12429,4339],{}," — significant system or business changes trigger a register update before deployment",[31,12432,12433,12436],{},[34,12434,12435],{},"Policy reviews"," — annual policy reviews check whether controls still address the risks they were designed for",[31,12438,12439,12442],{},[34,12440,12441],{},"Board reporting"," — top-tier risks roll up into executive dashboards showing trends, treatment progress, and heat maps",[20,12444,12446],{"id":12445},"what-does-an-example-risk-register-entry-look-like","What does an example risk register entry look like?",[16,12448,12449],{},"A concrete example makes the structure tangible. 
Consider a risk identified during an ISO 27001 internal audit:",[743,12451,12452,12462],{},[746,12453,12454],{},[749,12455,12456,12459],{},[752,12457,12458],{},"Field",[752,12460,12461],{},"Value",[766,12463,12464,12471,12479,12487,12494,12501,12509,12517,12524,12531,12539,12546],{},[749,12465,12466,12468],{},[771,12467,12070],{},[771,12469,12470],{},"R-042",[749,12472,12473,12476],{},[771,12474,12475],{},"Description",[771,12477,12478],{},"Unencrypted customer PII in database backups stored in S3",[749,12480,12481,12484],{},[771,12482,12483],{},"Category",[771,12485,12486],{},"Data protection \u002F technical",[749,12488,12489,12491],{},[771,12490,12088],{},[771,12492,12493],{},"3 (possible — we have access logs but no automated detection)",[749,12495,12496,12498],{},[771,12497,12094],{},[771,12499,12500],{},"5 (severe — regulatory exposure under GDPR and state privacy laws)",[749,12502,12503,12506],{},[771,12504,12505],{},"Inherent score",[771,12507,12508],{},"15 (high)",[749,12510,12511,12514],{},[771,12512,12513],{},"Owner",[771,12515,12516],{},"CISO",[749,12518,12519,12522],{},[771,12520,12521],{},"Treatment",[771,12523,12379],{},[749,12525,12526,12528],{},[771,12527,12118],{},[771,12529,12530],{},"Enable S3 server-side encryption with KMS; rotate existing backups; add Macie scan",[749,12532,12533,12536],{},[771,12534,12535],{},"Residual score",[771,12537,12538],{},"4 (low — automated encryption + detection materially reduces both)",[749,12540,12541,12543],{},[771,12542,12130],{},[771,12544,12545],{},"In treatment — 60% complete",[749,12547,12548,12550],{},[771,12549,12136],{},[771,12551,12552],{},"2026-06-01 (quarterly cadence)",[16,12554,12555],{},"This level of detail turns the register into a practical management tool rather than a compliance artifact.",[20,12557,12559],{"id":12558},"what-are-common-pitfalls-with-a-risk-register","What are common pitfalls with a risk register?",[16,12561,12562],{},"Organizations often struggle with risk registers due 
to:",[28,12564,12565,12568,12571,12574,12577,12580,12586,12589],{},[31,12566,12567],{},"Making the register too complex or too simple",[31,12569,12570],{},"Failing to review and update regularly",[31,12572,12573],{},"Not assigning clear ownership or clear treatment deadlines",[31,12575,12576],{},"Rating all risks as \"high\" without meaningful differentiation",[31,12578,12579],{},"Treating the register as a compliance checkbox rather than a management tool",[31,12581,12582,12583,12585],{},"Disconnecting the register from ",[205,12584,9693],{"href":4296}," and vendor management workflows",[31,12587,12588],{},"Keeping risks open indefinitely without closure criteria or residual risk acceptance",[31,12590,12591],{},"Not versioning the register, making it impossible to demonstrate historical decisions to auditors",[20,12593,12595],{"id":12594},"what-risk-register-tools-and-templates-are-available","What risk register tools and templates are available?",[16,12597,12598],{},"Organizations use a range of tools to maintain a register:",[28,12600,12601,12607,12613],{},[31,12602,12603,12606],{},[34,12604,12605],{},"Spreadsheets"," — acceptable for small teams or early-stage programs. The limitation is that spreadsheets do not track version history, send review reminders, or link risks to other artifacts cleanly.",[31,12608,12609,12612],{},[34,12610,12611],{},"GRC platforms"," — purpose-built tools (including episki) handle scoring, ownership, treatment workflows, and evidence links out of the box.",[31,12614,12615,12618],{},[34,12616,12617],{},"Issue trackers"," — some teams use Jira or Linear to track risks as tickets. 
This works for operational visibility but typically lacks the scoring and reporting structure auditors expect.",[16,12620,12621],{},"Whatever tool you choose, exportability matters: auditors frequently ask for point-in-time snapshots, and regulators may request historical registers during an investigation.",[20,12623,12625],{"id":12624},"how-does-episki-help-with-a-risk-register","How does episki help with a risk register?",[16,12627,12628,12629,209],{},"episki provides a built-in risk register with configurable likelihood and impact scales, automatic risk scoring, owner assignment, treatment tracking, and review scheduling. The platform links risks to controls and evidence, creating a complete chain from risk identification through treatment. Learn more on our ",[205,12630,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":12632},[12633],{"id":12052,"depth":212,"text":12053,"children":12634},[12635,12636,12637,12638,12639,12640,12641,12642,12643,12644,12645],{"id":12059,"depth":217,"text":12060},{"id":12140,"depth":217,"text":12141},{"id":12197,"depth":217,"text":12198},{"id":12236,"depth":217,"text":12237},{"id":12268,"depth":217,"text":12269},{"id":12365,"depth":217,"text":12366},{"id":12404,"depth":217,"text":12405},{"id":12445,"depth":217,"text":12446},{"id":12558,"depth":217,"text":12559},{"id":12594,"depth":217,"text":12595},{"id":12624,"depth":217,"text":12625},{},[982,231,985,230],[1421,1948,234,8783],{"title":12650,"description":12651},"What is a Risk Register? Definition & Compliance Guide","A risk register is a centralized document that records identified risks, their likelihood, impact, treatment, and ownership. 
Learn how to build and maintain one.","8.glossary\u002Frisk-register","NLvIZTF-yfLLX2ce3ayhQVoNPH15hEMUk7pCSPoO3Ro",{"id":12655,"title":12656,"body":12657,"description":211,"extension":224,"lastUpdated":225,"meta":12853,"navigation":227,"path":6454,"relatedFrameworks":12854,"relatedTerms":12855,"seo":12856,"slug":1421,"stem":12859,"term":12662,"__hash__":12860},"glossary\u002F8.glossary\u002Frisk-treatment-plan.md","Risk Treatment Plan",{"type":8,"value":12658,"toc":12843},[12659,12663,12666,12668,12671,12693,12696,12700,12703,12753,12757,12760,12780,12783,12787,12790,12794,12797,12834,12838],[11,12660,12662],{"id":12661},"what-is-a-risk-treatment-plan","What is a Risk Treatment Plan?",[16,12664,12665],{},"A risk treatment plan is a formal document that outlines how an organization intends to address each identified information security risk. It specifies the treatment option selected for each risk, the controls to be implemented, responsible owners, timelines, and expected residual risk levels. 
Risk treatment plans are a core requirement of ISO 27001 and a recommended practice across most compliance frameworks.",[20,12667,12366],{"id":12365},[16,12669,12670],{},"For each identified risk, organizations typically choose one of four treatment options:",[28,12672,12673,12678,12683,12688],{},[31,12674,12675,12677],{},[34,12676,12379],{}," — implement controls to reduce the likelihood or impact of the risk to an acceptable level",[31,12679,12680,12682],{},[34,12681,12385],{}," — acknowledge the risk and decide not to take additional action, typically because the cost of treatment exceeds the potential impact",[31,12684,12685,12687],{},[34,12686,12391],{}," — shift the risk to a third party, such as through insurance or outsourcing to a specialized provider",[31,12689,12690,12692],{},[34,12691,12397],{}," — eliminate the risk entirely by discontinuing the activity or service that creates it",[16,12694,12695],{},"Most risks are treated through mitigation, with specific controls designed to address the identified threat.",[20,12697,12699],{"id":12698},"what-are-the-components-of-a-risk-treatment-plan","What are the components of a risk treatment plan?",[16,12701,12702],{},"A comprehensive risk treatment plan includes:",[28,12704,12705,12711,12716,12721,12726,12731,12737,12743,12748],{},[31,12706,12707,12710],{},[34,12708,12709],{},"Risk identifier"," — reference to the specific risk from the risk register",[31,12712,12713,12715],{},[34,12714,12076],{}," — a clear statement of the risk, including threat, vulnerability, and potential impact",[31,12717,12718,12720],{},[34,12719,12112],{}," — which of the four options has been selected",[31,12722,12723,12725],{},[34,12724,12118],{}," — the specific controls to be implemented for mitigated risks",[31,12727,12728,12730],{},[34,12729,12513],{}," — the person or team responsible for implementing the treatment",[31,12732,12733,12736],{},[34,12734,12735],{},"Timeline"," — target dates for implementation 
milestones",[31,12738,12739,12742],{},[34,12740,12741],{},"Resources required"," — budget, tools, or personnel needed",[31,12744,12745,12747],{},[34,12746,12124],{}," — the expected risk level after treatment is applied",[31,12749,12750,12752],{},[34,12751,12130],{}," — current implementation progress",[20,12754,12756],{"id":12755},"how-does-iso-27001-handle-risk-treatment","How does ISO 27001 handle risk treatment?",[16,12758,12759],{},"ISO 27001 clause 6.1.3 specifically requires organizations to formulate a risk treatment plan. The standard requires that:",[28,12761,12762,12765,12768,12771,12774,12777],{},[31,12763,12764],{},"Risk treatment options are determined for each assessed risk",[31,12766,12767],{},"Controls necessary to implement the treatment are identified",[31,12769,12770],{},"Selected controls are compared against Annex A to ensure completeness",[31,12772,12773],{},"A Statement of Applicability is produced",[31,12775,12776],{},"The risk treatment plan is approved by risk owners",[31,12778,12779],{},"Residual risk levels are accepted by management",[16,12781,12782],{},"The risk treatment plan is a key document reviewed during certification audits and surveillance audits.",[20,12784,12786],{"id":12785},"how-does-nist-csf-handle-risk-treatment","How does NIST CSF handle risk treatment?",[16,12788,12789],{},"While NIST CSF does not prescribe a specific risk treatment plan format, the framework's Identify function (particularly the Risk Assessment category) and Protect function align closely with risk treatment concepts. 
Organizations using NIST CSF often develop risk treatment plans as part of their implementation.",[20,12791,12793],{"id":12792},"how-do-you-build-an-effective-risk-treatment-plan","How do you build an effective risk treatment plan?",[16,12795,12796],{},"To create a practical and effective risk treatment plan:",[155,12798,12799,12805,12811,12817,12823,12828],{},[31,12800,12801,12804],{},[34,12802,12803],{},"Prioritize risks"," — start with the highest-rated risks from your risk register",[31,12806,12807,12810],{},[34,12808,12809],{},"Select realistic treatments"," — choose options that are feasible given your budget, resources, and timeline",[31,12812,12813,12816],{},[34,12814,12815],{},"Assign clear ownership"," — every risk treatment must have a named owner accountable for implementation",[31,12818,12819,12822],{},[34,12820,12821],{},"Set measurable milestones"," — define specific, trackable milestones rather than vague commitments",[31,12824,12825,12827],{},[34,12826,351],{}," — update the plan as risks change, new threats emerge, or controls are implemented",[31,12829,12830,12833],{},[34,12831,12832],{},"Communicate status"," — report progress to management and stakeholders",[20,12835,12837],{"id":12836},"how-does-episki-help-with-a-risk-treatment-plan","How does episki help with a risk treatment plan?",[16,12839,12840,12841,209],{},"episki links your risk register directly to your risk treatment plan, making it easy to assign treatments, track implementation progress, and measure residual risk. The platform sends reminders to risk owners and provides management dashboards showing treatment status across the organization. 
Learn more on our ",[205,12842,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":12844},[12845],{"id":12661,"depth":212,"text":12662,"children":12846},[12847,12848,12849,12850,12851,12852],{"id":12365,"depth":217,"text":12366},{"id":12698,"depth":217,"text":12699},{"id":12755,"depth":217,"text":12756},{"id":12785,"depth":217,"text":12786},{"id":12792,"depth":217,"text":12793},{"id":12836,"depth":217,"text":12837},{},[231,985],[1420,236,231,234,1948],{"title":12857,"description":12858},"What is a Risk Treatment Plan? Definition & Compliance Guide","A risk treatment plan documents how an organization will address identified risks through mitigation, acceptance, transfer, or avoidance strategies.","8.glossary\u002Frisk-treatment-plan","XKyLKWys4TbkZnZHspi5JeYYAOEqihsJOcykDIp7X_Y",{"id":12862,"title":12863,"body":12864,"description":211,"extension":224,"lastUpdated":225,"meta":13050,"navigation":227,"path":13051,"relatedFrameworks":13052,"relatedTerms":13053,"seo":13054,"slug":6677,"stem":13057,"term":12869,"__hash__":13058},"glossary\u002F8.glossary\u002Fsaq.md","SAQ",{"type":8,"value":12865,"toc":13040},[12866,12870,12873,12877,12880,12930,12934,12937,12951,12954,12958,12961,12987,12991,12994,13010,13014,13017,13031,13035],[11,12867,12869],{"id":12868},"what-is-a-self-assessment-questionnaire-saq","What is a Self-Assessment Questionnaire (SAQ)?",[16,12871,12872],{},"A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool designed for merchants and service providers who are eligible to self-assess their compliance with the Payment Card Industry Data Security Standard. 
Instead of undergoing a full on-site audit by a Qualified Security Assessor (QSA), eligible organizations complete an SAQ to document their compliance status.",[20,12874,12876],{"id":12875},"what-are-the-saq-types","What are the SAQ types?",[16,12878,12879],{},"The PCI Security Standards Council provides multiple SAQ types, each designed for a specific merchant or service provider environment:",[28,12881,12882,12888,12894,12900,12906,12912,12918,12924],{},[31,12883,12884,12887],{},[34,12885,12886],{},"SAQ A"," — for merchants that have fully outsourced all cardholder data functions to PCI-compliant third parties (e-commerce with redirect or iframe)",[31,12889,12890,12893],{},[34,12891,12892],{},"SAQ A-EP"," — for e-commerce merchants that partially outsource payment processing but whose website may impact transaction security",[31,12895,12896,12899],{},[34,12897,12898],{},"SAQ B"," — for merchants using only imprint machines or standalone dial-out payment terminals",[31,12901,12902,12905],{},[34,12903,12904],{},"SAQ B-IP"," — for merchants using standalone PTS-approved payment terminals connected via IP",[31,12907,12908,12911],{},[34,12909,12910],{},"SAQ C"," — for merchants with payment application systems connected to the internet",[31,12913,12914,12917],{},[34,12915,12916],{},"SAQ C-VT"," — for merchants manually entering single transactions via a virtual terminal on an isolated computer",[31,12919,12920,12923],{},[34,12921,12922],{},"SAQ D"," — the most comprehensive questionnaire, for merchants and service providers that do not qualify for any other SAQ type",[31,12925,12926,12929],{},[34,12927,12928],{},"SAQ P2PE"," — for merchants using validated point-to-point encryption solutions",[20,12931,12933],{"id":12932},"how-do-you-determine-which-saq-applies","How do you determine which SAQ applies?",[16,12935,12936],{},"The correct SAQ depends on how your organization processes, stores, and transmits cardholder data. 
Key factors include:",[28,12938,12939,12942,12945,12948],{},[31,12940,12941],{},"Whether you store cardholder data or only transmit it",[31,12943,12944],{},"Whether payment processing is fully outsourced",[31,12946,12947],{},"What types of payment channels you use (e-commerce, point-of-sale, mail\u002Ftelephone)",[31,12949,12950],{},"Whether you use validated P2PE solutions",[16,12952,12953],{},"Selecting the wrong SAQ type can lead to either unnecessary work (choosing a more restrictive SAQ) or inadequate coverage (choosing one that does not address your actual risk).",[20,12955,12957],{"id":12956},"what-does-the-saq-contain","What does the SAQ contain?",[16,12959,12960],{},"Each SAQ includes:",[28,12962,12963,12969,12975,12981],{},[31,12964,12965,12968],{},[34,12966,12967],{},"Questions aligned to PCI DSS requirements"," — the number of questions varies by SAQ type, from approximately 22 (SAQ A) to over 300 (SAQ D)",[31,12970,12971,12974],{},[34,12972,12973],{},"Response options"," — yes, no, N\u002FA, or compensating control for each requirement",[31,12976,12977,12980],{},[34,12978,12979],{},"Compensating control documentation"," — if a requirement cannot be met directly, a compensating control worksheet documents the alternative approach",[31,12982,12983,12986],{},[34,12984,12985],{},"Attestation of Compliance (AOC)"," — a formal statement signed by the organization's executive management attesting to the accuracy of the SAQ",[20,12988,12990],{"id":12989},"who-requires-saqs","Who requires SAQs?",[16,12992,12993],{},"Acquiring banks and payment brands determine whether a merchant or service provider must submit an SAQ based on transaction volume:",[28,12995,12996,13001,13007],{},[31,12997,12998,13000],{},[34,12999,11959],{}," (highest transaction volumes) typically require an on-site assessment by a QSA rather than an SAQ",[31,13002,13003,13006],{},[34,13004,13005],{},"Level 2-4 merchants"," are generally eligible for self-assessment via 
SAQ",[31,13008,13009],{},"Requirements may vary by payment brand (Visa, Mastercard, etc.)",[20,13011,13013],{"id":13012},"what-are-common-challenges-with-an-saq","What are common challenges with an SAQ?",[16,13015,13016],{},"Organizations often encounter challenges with SAQs:",[28,13018,13019,13022,13025,13028],{},[31,13020,13021],{},"Difficulty determining the correct SAQ type",[31,13023,13024],{},"Incomplete understanding of the cardholder data environment",[31,13026,13027],{},"Gaps between the organization's actual practices and SAQ requirements",[31,13029,13030],{},"Lack of documentation to support \"yes\" answers",[20,13032,13034],{"id":13033},"how-does-episki-help-with-an-saq","How does episki help with an SAQ?",[16,13036,13037,13038,209],{},"episki guides you through SAQ selection based on your payment processing environment and helps you document controls and evidence for each applicable requirement. The platform tracks completion status and flags gaps before submission. Learn more on our ",[205,13039,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":13041},[13042],{"id":12868,"depth":212,"text":12869,"children":13043},[13044,13045,13046,13047,13048,13049],{"id":12875,"depth":217,"text":12876},{"id":12932,"depth":217,"text":12933},{"id":12956,"depth":217,"text":12957},{"id":12989,"depth":217,"text":12990},{"id":13012,"depth":217,"text":13013},{"id":13033,"depth":217,"text":13034},{},"\u002Fglossary\u002Fsaq",[984],[6684,6678,6680,6941,2176],{"title":13055,"description":13056},"What is a Self-Assessment Questionnaire (SAQ)? 
Definition & Compliance Guide","A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to self-evaluate their cardholder data security.","8.glossary\u002Fsaq","y_WJFBksFDBE_V8Nh6vFjLR3Rd6B5-7EGQdgVtSFqCs",{"id":13060,"title":13061,"body":13062,"description":211,"extension":224,"lastUpdated":225,"meta":13258,"navigation":227,"path":13259,"relatedFrameworks":13260,"relatedTerms":13261,"seo":13262,"slug":7837,"stem":13265,"term":13067,"__hash__":13266},"glossary\u002F8.glossary\u002Fservice-auditor.md","Service Auditor",{"type":8,"value":13063,"toc":13247},[13064,13068,13071,13075,13078,13104,13108,13111,13131,13134,13138,13141,13172,13176,13179,13204,13207,13211,13214,13218,13221,13235,13238,13242],[11,13065,13067],{"id":13066},"what-is-a-service-auditor","What is a Service Auditor?",[16,13069,13070],{},"A service auditor is a licensed CPA (Certified Public Accountant) firm that performs attestation engagements, including SOC 1, SOC 2, and SOC 3 examinations, on behalf of service organizations. 
The auditor independently evaluates whether an organization's controls meet the applicable criteria and issues a formal report with their professional opinion.",[20,13072,13074],{"id":13073},"what-is-the-role-of-the-service-auditor","What is the role of the service auditor?",[16,13076,13077],{},"The service auditor's primary responsibilities include:",[28,13079,13080,13086,13092,13098],{},[31,13081,13082,13085],{},[34,13083,13084],{},"Evaluating control design"," — determining whether controls are suitably designed to meet Trust Services Criteria or other applicable standards",[31,13087,13088,13091],{},[34,13089,13090],{},"Testing operating effectiveness"," — for Type II engagements, testing whether controls operated effectively over the observation period",[31,13093,13094,13097],{},[34,13095,13096],{},"Issuing the audit report"," — providing a formal opinion on the organization's controls, including any exceptions identified",[31,13099,13100,13103],{},[34,13101,13102],{},"Maintaining independence"," — the auditor must remain independent from the organization being audited to ensure objectivity",[20,13105,13107],{"id":13106},"what-qualifications-and-standards-apply-to-service-auditors","What qualifications and standards apply to service auditors?",[16,13109,13110],{},"Service auditors must be licensed CPA firms. They perform SOC engagements under professional standards including:",[28,13112,13113,13119,13125],{},[31,13114,13115,13118],{},[34,13116,13117],{},"SSAE 18"," (Statement on Standards for Attestation Engagements No. 18) — the overarching attestation standard in the United States",[31,13120,13121,13124],{},[34,13122,13123],{},"AT-C Section 205"," — the specific standard governing examination engagements",[31,13126,13127,13130],{},[34,13128,13129],{},"AICPA professional standards"," — including ethical requirements, quality control, and continuing education",[16,13132,13133],{},"Not all CPA firms perform SOC audits. 
Firms that specialize in SOC engagements typically have dedicated information security audit teams with relevant technical expertise.",[20,13135,13137],{"id":13136},"how-do-you-select-a-service-auditor","How do you select a service auditor?",[16,13139,13140],{},"Choosing the right auditor impacts the quality and efficiency of your audit. Consider:",[28,13142,13143,13149,13155,13161,13167],{},[31,13144,13145,13148],{},[34,13146,13147],{},"Experience"," — how many SOC 2 audits the firm performs annually, particularly in your industry",[31,13150,13151,13154],{},[34,13152,13153],{},"Technical expertise"," — whether the audit team understands modern cloud infrastructure, SaaS architectures, and security tooling",[31,13156,13157,13160],{},[34,13158,13159],{},"Communication style"," — whether the firm is collaborative and responsive, or rigid and difficult to work with",[31,13162,13163,13166],{},[34,13164,13165],{},"Pricing and timeline"," — costs can vary significantly between firms, as can expected timelines",[31,13168,13169,13171],{},[34,13170,10897],{}," — whether the firm's reports are recognized and accepted by your customers and prospects",[20,13173,13175],{"id":13174},"what-should-you-expect-during-a-service-auditor-engagement","What should you expect during a service auditor engagement?",[16,13177,13178],{},"A typical SOC 2 audit engagement includes several phases:",[155,13180,13181,13186,13192,13198],{},[31,13182,13183,13185],{},[34,13184,7526],{}," — the auditor defines scope, identifies key controls, and establishes the testing approach",[31,13187,13188,13191],{},[34,13189,13190],{},"Fieldwork"," — the auditor requests and reviews evidence, conducts interviews, and performs testing procedures",[31,13193,13194,13197],{},[34,13195,13196],{},"Draft review"," — the auditor shares a draft report for the organization to review for factual accuracy",[31,13199,13200,13203],{},[34,13201,13202],{},"Final report"," — the auditor issues the final report with their 
opinion",[16,13205,13206],{},"During fieldwork, the auditor may request documentation such as policies, screenshots, system configurations, access logs, and change records. Prompt and organized responses to these requests significantly reduce audit duration.",[20,13208,13210],{"id":13209},"why-is-service-auditor-independence-required","Why is service auditor independence required?",[16,13212,13213],{},"Independence is a foundational requirement. The auditor cannot provide the consulting services that design the controls they will later audit. Some firms offer readiness assessments through separate teams to maintain independence boundaries, but organizations should confirm the firm's independence policies before engaging.",[20,13215,13217],{"id":13216},"what-are-common-challenges-with-service-auditors","What are common challenges with service auditors?",[16,13219,13220],{},"Organizations often face friction during audits due to:",[28,13222,13223,13226,13229,13232],{},[31,13224,13225],{},"Incomplete or disorganized evidence",[31,13227,13228],{},"Controls that exist in policy but are not consistently executed",[31,13230,13231],{},"Misalignment between the system description and actual practices",[31,13233,13234],{},"Delayed responses to auditor requests",[16,13236,13237],{},"Preparing thoroughly and maintaining organized evidence throughout the year minimizes these issues.",[20,13239,13241],{"id":13240},"how-does-episki-help-with-service-auditors","How does episki help with service auditors?",[16,13243,13244,13245,209],{},"episki organizes your controls and evidence in a structured format that aligns with auditor expectations. The auditor portal provides secure, read-only access so your auditor can review evidence independently, reducing back-and-forth and shortening the fieldwork phase. 
Learn more on our ",[205,13246,406],{"href":405},{"title":211,"searchDepth":212,"depth":212,"links":13248},[13249],{"id":13066,"depth":212,"text":13067,"children":13250},[13251,13252,13253,13254,13255,13256,13257],{"id":13073,"depth":217,"text":13074},{"id":13106,"depth":217,"text":13107},{"id":13136,"depth":217,"text":13137},{"id":13174,"depth":217,"text":13175},{"id":13209,"depth":217,"text":13210},{"id":13216,"depth":217,"text":13217},{"id":13240,"depth":217,"text":13241},{},"\u002Fglossary\u002Fservice-auditor",[230],[230,7841,422,8154,233],{"title":13263,"description":13264},"What is a Service Auditor? Definition & Compliance Guide","A service auditor is a CPA firm that performs SOC 2 and other attestation engagements. Learn how to select an auditor and what to expect during the audit process.","8.glossary\u002Fservice-auditor","qm8IN1bnX0wCH3HLg4egJVTwS4rbNZPP4wJhj-kYD5c",{"id":13268,"title":13269,"body":13270,"description":211,"extension":224,"lastUpdated":225,"meta":13475,"navigation":227,"path":3513,"relatedFrameworks":13476,"relatedTerms":13477,"seo":13478,"slug":236,"stem":13481,"term":13275,"__hash__":13482},"glossary\u002F8.glossary\u002Fstatement-of-applicability.md","Statement Of Applicability",{"type":8,"value":13271,"toc":13465},[13272,13276,13279,13283,13286,13318,13322,13325,13369,13373,13376,13414,13418,13421,13432,13435,13439,13442,13456,13460],[11,13273,13275],{"id":13274},"what-is-a-statement-of-applicability","What is a Statement of Applicability?",[16,13277,13278],{},"The Statement of Applicability (SoA) is a mandatory document in ISO 27001 that records which Annex A controls are applicable to the organization, which are not applicable, and the justification for each decision. 
It serves as a central reference linking the organization's risk assessment results to its selected security controls.",[20,13280,13282],{"id":13281},"why-does-the-soa-matter","Why does the SoA matter?",[16,13284,13285],{},"The Statement of Applicability is one of the most important documents in an ISO 27001 ISMS. It serves multiple purposes:",[28,13287,13288,13294,13300,13306,13312],{},[31,13289,13290,13293],{},[34,13291,13292],{},"Demonstrates completeness"," — shows that the organization has considered every Annex A control and made deliberate decisions about each one",[31,13295,13296,13299],{},[34,13297,13298],{},"Links risk to controls"," — connects identified risks to the controls selected to mitigate them",[31,13301,13302,13305],{},[34,13303,13304],{},"Audit reference"," — certification auditors use the SoA as a primary reference when planning and conducting their audit",[31,13307,13308,13311],{},[34,13309,13310],{},"Scope definition"," — helps define the boundary of the ISMS by clarifying which controls apply and which do not",[31,13313,13314,13317],{},[34,13315,13316],{},"Communication tool"," — provides a clear summary of the organization's security control posture for management and stakeholders",[20,13319,13321],{"id":13320},"what-does-the-statement-of-applicability-contain","What does the Statement of Applicability contain?",[16,13323,13324],{},"A well-structured Statement of Applicability typically includes the following for each Annex A control:",[28,13326,13327,13333,13339,13345,13351,13357,13363],{},[31,13328,13329,13332],{},[34,13330,13331],{},"Control reference number"," — the Annex A control identifier (e.g., A.5.1, A.8.24)",[31,13334,13335,13338],{},[34,13336,13337],{},"Control description"," — a brief description of the control",[31,13340,13341,13344],{},[34,13342,13343],{},"Applicability status"," — whether the control is applicable or not applicable",[31,13346,13347,13350],{},[34,13348,13349],{},"Justification"," — the reason for inclusion 
or exclusion (referencing the risk assessment where relevant)",[31,13352,13353,13356],{},[34,13354,13355],{},"Implementation status"," — whether the control is fully implemented, partially implemented, or planned",[31,13358,13359,13362],{},[34,13360,13361],{},"Implementation method"," — how the control is implemented (policy, technical measure, process, etc.)",[31,13364,13365,13368],{},[34,13366,13367],{},"Evidence reference"," — pointers to evidence demonstrating implementation",[20,13370,13372],{"id":13371},"how-do-you-build-the-soa","How do you build the SoA?",[16,13374,13375],{},"Creating the Statement of Applicability follows a logical sequence:",[155,13377,13378,13384,13390,13396,13402,13408],{},[31,13379,13380,13383],{},[34,13381,13382],{},"Complete the risk assessment"," — identify and evaluate information security risks",[31,13385,13386,13389],{},[34,13387,13388],{},"Determine risk treatment"," — decide how each risk will be treated",[31,13391,13392,13395],{},[34,13393,13394],{},"Select controls"," — choose controls to mitigate identified risks",[31,13397,13398,13401],{},[34,13399,13400],{},"Cross-reference Annex A"," — compare selected controls against the full Annex A list to check for gaps",[31,13403,13404,13407],{},[34,13405,13406],{},"Document applicability"," — record which controls apply and which do not, with justifications",[31,13409,13410,13413],{},[34,13411,13412],{},"Track implementation"," — document the current status of each applicable control",[20,13415,13417],{"id":13416},"how-do-you-justify-excluding-controls-from-the-soa","How do you justify excluding controls from the SoA?",[16,13419,13420],{},"It is acceptable to exclude Annex A controls from the SoA, but each exclusion must be justified. 
Common justifications include:",[28,13422,13423,13426,13429],{},[31,13424,13425],{},"The risk associated with the control area has been assessed and is within acceptable tolerance",[31,13427,13428],{},"The control is not relevant to the organization's scope (e.g., physical security controls for a fully remote company with no physical offices)",[31,13430,13431],{},"The risk is transferred through insurance or contractual arrangements",[16,13433,13434],{},"Auditors will scrutinize exclusions, so justifications should be clear, specific, and tied to the risk assessment.",[20,13436,13438],{"id":13437},"how-do-you-maintain-the-soa","How do you maintain the SoA?",[16,13440,13441],{},"The SoA is not a one-time document. It should be reviewed and updated:",[28,13443,13444,13447,13450,13453],{},[31,13445,13446],{},"After changes to the risk assessment",[31,13448,13449],{},"When new Annex A controls are introduced (as in the 2022 revision)",[31,13451,13452],{},"When the organization's scope, services, or infrastructure changes",[31,13454,13455],{},"At least annually as part of the ISMS management review",[20,13457,13459],{"id":13458},"how-does-episki-help-with-the-soa","How does episki help with the SoA?",[16,13461,13462,13463,209],{},"episki generates and maintains your Statement of Applicability automatically based on your risk assessment results and control mappings. As your risk profile evolves, the SoA updates accordingly. The platform provides a clear view of applicability, implementation status, and evidence for each control. 
Learn more on our ",[205,13464,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":13466},[13467],{"id":13274,"depth":212,"text":13275,"children":13468},[13469,13470,13471,13472,13473,13474],{"id":13281,"depth":217,"text":13282},{"id":13320,"depth":217,"text":13321},{"id":13371,"depth":217,"text":13372},{"id":13416,"depth":217,"text":13417},{"id":13437,"depth":217,"text":13438},{"id":13458,"depth":217,"text":13459},{},[231],[231,235,1421,3249,3854],{"title":13479,"description":13480},"What is a Statement of Applicability? Definition & Compliance Guide","The Statement of Applicability (SoA) documents which ISO 27001 Annex A controls apply to your organization and why. Learn its role in certification audits.","8.glossary\u002Fstatement-of-applicability","JEWeJrex8SIN5Pb-0qR2PZ9smPxLhzDTy5T2yVTph8I",{"id":13484,"title":13485,"body":13486,"description":211,"extension":224,"lastUpdated":225,"meta":13708,"navigation":227,"path":13709,"relatedFrameworks":13710,"relatedTerms":13711,"seo":13712,"slug":3855,"stem":13715,"term":13491,"__hash__":13716},"glossary\u002F8.glossary\u002Fsurveillance-audit.md","Surveillance Audit",{"type":8,"value":13487,"toc":13697},[13488,13492,13495,13499,13502,13534,13538,13541,13567,13570,13574,13577,13609,13612,13616,13619,13657,13661,13664,13681,13685,13688,13692],[11,13489,13491],{"id":13490},"what-is-a-surveillance-audit","What is a Surveillance Audit?",[16,13493,13494],{},"A surveillance audit is a periodic assessment conducted by a certification body to verify that a certified organization's management system continues to operate in accordance with the standard requirements. 
In the context of ISO 27001, surveillance audits occur annually between the initial certification and the three-year recertification cycle.",[20,13496,13498],{"id":13497},"what-is-the-purpose-of-surveillance-audits","What is the purpose of surveillance audits?",[16,13500,13501],{},"Surveillance audits serve several important purposes:",[28,13503,13504,13510,13516,13522,13528],{},[31,13505,13506,13509],{},[34,13507,13508],{},"Ongoing assurance"," — confirm that the ISMS has not degraded since the initial certification or last audit",[31,13511,13512,13515],{},[34,13513,13514],{},"Continuous improvement verification"," — check that the organization is actively improving its ISMS rather than letting it stagnate",[31,13517,13518,13521],{},[34,13519,13520],{},"Change assessment"," — evaluate how changes to the organization, its services, or its risk environment have been addressed",[31,13523,13524,13527],{},[34,13525,13526],{},"Corrective action follow-up"," — verify that nonconformities identified in previous audits have been resolved",[31,13529,13530,13533],{},[34,13531,13532],{},"Stakeholder confidence"," — maintain trust among customers, partners, and regulators that the certification remains valid",[20,13535,13537],{"id":13536},"what-is-the-surveillance-audit-schedule","What is the surveillance audit schedule?",[16,13539,13540],{},"ISO 27001 certification follows a three-year cycle:",[28,13542,13543,13549,13555,13561],{},[31,13544,13545,13548],{},[34,13546,13547],{},"Year 0"," — initial certification audit (Stage 1 and Stage 2)",[31,13550,13551,13554],{},[34,13552,13553],{},"Year 1"," — first surveillance audit",[31,13556,13557,13560],{},[34,13558,13559],{},"Year 2"," — second surveillance audit",[31,13562,13563,13566],{},[34,13564,13565],{},"Year 3"," — recertification audit (full audit to renew the certificate for another three years)",[16,13568,13569],{},"Surveillance audits are typically scheduled around the anniversary of the initial certification. 
Missing or failing a surveillance audit can result in suspension or withdrawal of the certificate.",[20,13571,13573],{"id":13572},"what-is-the-scope-of-surveillance-audits","What is the scope of surveillance audits?",[16,13575,13576],{},"Surveillance audits do not cover the entire ISMS in the same depth as the initial certification. Instead, the certification body samples a subset of controls and processes. However, certain elements are always reviewed:",[28,13578,13579,13585,13591,13597,13603],{},[31,13580,13581,13584],{},[34,13582,13583],{},"Internal audit results"," — evidence that the organization is conducting its own internal audits",[31,13586,13587,13590],{},[34,13588,13589],{},"Management review"," — records showing that management regularly reviews ISMS performance",[31,13592,13593,13596],{},[34,13594,13595],{},"Corrective actions"," — status of previously identified nonconformities",[31,13598,13599,13602],{},[34,13600,13601],{},"Use of the certification mark"," — verification that the organization uses the ISO 27001 mark correctly",[31,13604,13605,13608],{},[34,13606,13607],{},"Changes to the ISMS"," — assessment of any significant changes since the last audit",[16,13610,13611],{},"The certification body plans the surveillance audits to ensure that, across the three-year cycle, all significant areas of the ISMS are examined.",[20,13613,13615],{"id":13614},"how-do-you-prepare-for-a-surveillance-audit","How do you prepare for a surveillance audit?",[16,13617,13618],{},"To prepare effectively:",[28,13620,13621,13627,13633,13639,13645,13651],{},[31,13622,13623,13626],{},[34,13624,13625],{},"Maintain your ISMS"," — do not treat certification as a one-time achievement; keep controls operating and evidence current",[31,13628,13629,13632],{},[34,13630,13631],{},"Conduct internal audits"," — perform regular internal audits and document findings and corrective actions",[31,13634,13635,13638],{},[34,13636,13637],{},"Hold management reviews"," — ensure management 
reviews occur at planned intervals with documented outcomes",[31,13640,13641,13644],{},[34,13642,13643],{},"Track corrective actions"," — close out any nonconformities from previous audits with evidence of resolution",[31,13646,13647,13650],{},[34,13648,13649],{},"Update documentation"," — keep policies, procedures, the risk register, and Statement of Applicability current",[31,13652,13653,13656],{},[34,13654,13655],{},"Brief your team"," — ensure control owners understand the surveillance process and can speak to their controls",[20,13658,13660],{"id":13659},"what-are-common-pitfalls-with-surveillance-audits","What are common pitfalls with surveillance audits?",[16,13662,13663],{},"Organizations frequently encounter issues during surveillance audits due to:",[28,13665,13666,13669,13672,13675,13678],{},[31,13667,13668],{},"Letting the ISMS become dormant between audits",[31,13670,13671],{},"Failing to conduct internal audits or management reviews",[31,13673,13674],{},"Not updating the risk assessment after significant changes",[31,13676,13677],{},"Incomplete corrective action records",[31,13679,13680],{},"Documentation that does not reflect current practices",[20,13682,13684],{"id":13683},"what-happens-if-you-fail-a-surveillance-audit","What happens if you fail a surveillance audit?",[16,13686,13687],{},"If the certification body identifies major nonconformities during a surveillance audit, the organization typically receives a defined period to resolve them. If nonconformities are not resolved, the CB may suspend or withdraw the certification.",[20,13689,13691],{"id":13690},"how-does-episki-help-with-surveillance-audits","How does episki help with surveillance audits?",[16,13693,13694,13695,209],{},"episki keeps your ISMS active year-round with automated evidence collection, internal audit tracking, and management review workflows. The platform ensures you are always surveillance-audit-ready rather than scrambling to prepare. 
Learn more on our ",[205,13696,3234],{"href":591},{"title":211,"searchDepth":212,"depth":212,"links":13698},[13699],{"id":13490,"depth":212,"text":13491,"children":13700},[13701,13702,13703,13704,13705,13706,13707],{"id":13497,"depth":217,"text":13498},{"id":13536,"depth":217,"text":13537},{"id":13572,"depth":217,"text":13573},{"id":13614,"depth":217,"text":13615},{"id":13659,"depth":217,"text":13660},{"id":13683,"depth":217,"text":13684},{"id":13690,"depth":217,"text":13691},{},"\u002Fglossary\u002Fsurveillance-audit",[231],[231,3854,3249,236,235],{"title":13713,"description":13714},"What is a Surveillance Audit? Definition & Compliance Guide","A surveillance audit is an annual check by a certification body to verify that your ISO 27001 ISMS continues to operate effectively. Learn what to expect.","8.glossary\u002Fsurveillance-audit","jJBmuftExlStO3zC0agQCzOIUDUgNonZM_tMXHozlAQ",{"id":13718,"title":13719,"body":13720,"description":211,"extension":224,"lastUpdated":225,"meta":13930,"navigation":227,"path":7449,"relatedFrameworks":13931,"relatedTerms":13932,"seo":13933,"slug":6679,"stem":13936,"term":13725,"__hash__":13937},"glossary\u002F8.glossary\u002Fasv.md","Asv",{"type":8,"value":13721,"toc":13919},[13722,13726,13729,13733,13736,13753,13757,13760,13792,13796,13799,13841,13845,13848,13859,13862,13866,13869,13883,13886,13890,13893,13910,13914],[11,13723,13725],{"id":13724},"what-is-an-approved-scanning-vendor-asv","What is an Approved Scanning Vendor (ASV)?",[16,13727,13728],{},"An Approved Scanning Vendor (ASV) is a company certified by the PCI Security Standards Council to perform external vulnerability scans of internet-facing systems that are part of the cardholder data environment. 
ASV scans are a specific PCI DSS requirement (Requirement 11.3.2) and must be conducted quarterly by a PCI SSC-approved vendor.",[20,13730,13732],{"id":13731},"what-is-the-purpose-of-asv-scans","What is the purpose of ASV scans?",[16,13734,13735],{},"ASV scans serve as an independent check on the security of externally facing systems that could be used to access cardholder data. The scans identify:",[28,13737,13738,13741,13744,13747,13750],{},[31,13739,13740],{},"Known vulnerabilities in operating systems, applications, and network devices",[31,13742,13743],{},"Misconfigurations that could expose systems to attack",[31,13745,13746],{},"Weak or default credentials on internet-facing services",[31,13748,13749],{},"Missing security patches",[31,13751,13752],{},"Other security weaknesses visible from the external network",[20,13754,13756],{"id":13755},"what-are-the-asv-scan-requirements","What are the ASV scan requirements?",[16,13758,13759],{},"PCI DSS requires:",[28,13761,13762,13768,13774,13780,13786],{},[31,13763,13764,13767],{},[34,13765,13766],{},"Quarterly scans"," — external vulnerability scans must be performed at least once every 90 days",[31,13769,13770,13773],{},[34,13771,13772],{},"Passing results"," — scans must achieve a passing status, meaning no vulnerabilities with a CVSS score of 4.0 or higher remain unresolved",[31,13775,13776,13779],{},[34,13777,13778],{},"Scan coverage"," — all externally facing IP addresses and domains in scope must be included",[31,13781,13782,13785],{},[34,13783,13784],{},"Rescans after remediation"," — if a scan fails, vulnerabilities must be remediated and a rescan performed to confirm resolution",[31,13787,13788,13791],{},[34,13789,13790],{},"Scan after significant changes"," — additional scans may be required after significant infrastructure changes",[20,13793,13795],{"id":13794},"how-do-asv-scans-work","How do ASV scans work?",[16,13797,13798],{},"The ASV scan process typically follows these 
steps:",[155,13800,13801,13806,13812,13818,13824,13829,13835],{},[31,13802,13803,13805],{},[34,13804,13310],{}," — the organization identifies all external IP addresses and domains in the cardholder data environment",[31,13807,13808,13811],{},[34,13809,13810],{},"Scan execution"," — the ASV performs automated vulnerability scanning against the defined scope",[31,13813,13814,13817],{},[34,13815,13816],{},"Results review"," — the ASV provides a report detailing identified vulnerabilities, their severity, and remediation guidance",[31,13819,13820,13823],{},[34,13821,13822],{},"Dispute resolution"," — if the organization believes a finding is a false positive, it can submit a dispute to the ASV with supporting evidence",[31,13825,13826,13828],{},[34,13827,7408],{}," — the organization addresses identified vulnerabilities",[31,13830,13831,13834],{},[34,13832,13833],{},"Rescan"," — if needed, the ASV performs additional scans to confirm remediation",[31,13836,13837,13840],{},[34,13838,13839],{},"Attestation"," — the ASV provides a scan attestation confirming the results",[20,13842,13844],{"id":13843},"what-is-the-difference-between-passing-and-failing-asv-scans","What is the difference between passing and failing ASV scans?",[16,13846,13847],{},"A scan is considered passing when:",[28,13849,13850,13853,13856],{},[31,13851,13852],{},"No vulnerabilities with a CVSS base score of 4.0 or higher are present",[31,13854,13855],{},"No automatic failure conditions exist (such as DNS zone transfers, unrestricted SQL access, or use of SSL\u002Fearly TLS)",[31,13857,13858],{},"All components in scope have been successfully scanned",[16,13860,13861],{},"Failing scans must be addressed before the organization can demonstrate compliance for that quarter.",[20,13863,13865],{"id":13864},"what-is-the-difference-between-asv-scans-and-penetration-testing","What is the difference between ASV scans and penetration testing?",[16,13867,13868],{},"ASV scans and penetration testing serve 
different purposes:",[28,13870,13871,13877],{},[31,13872,13873,13876],{},[34,13874,13875],{},"ASV scans"," are automated external vulnerability scans required quarterly, focused on identifying known vulnerabilities",[31,13878,13879,13882],{},[34,13880,13881],{},"Penetration testing"," involves manual testing by skilled testers who attempt to exploit vulnerabilities and chain findings together",[16,13884,13885],{},"Both are required by PCI DSS, but they serve complementary functions. ASV scans provide broad, frequent coverage while penetration tests provide deeper, more targeted analysis.",[20,13887,13889],{"id":13888},"how-do-you-choose-an-asv","How do you choose an ASV?",[16,13891,13892],{},"The PCI SSC maintains a list of approved scanning vendors on its website. When selecting an ASV, consider:",[28,13894,13895,13898,13901,13904,13907],{},[31,13896,13897],{},"Quality and usability of scan reports",[31,13899,13900],{},"False positive rates and dispute resolution processes",[31,13902,13903],{},"Customer support responsiveness",[31,13905,13906],{},"Integration capabilities with your security tools",[31,13908,13909],{},"Pricing structure",[20,13911,13913],{"id":13912},"how-does-episki-help-with-asv-scans","How does episki help with ASV scans?",[16,13915,13916,13917,209],{},"episki tracks your ASV scan schedule, stores scan results, and monitors remediation of identified vulnerabilities. The platform alerts you when quarterly scans are due and flags overdue remediation items. 
Learn more on our ",[205,13918,6665],{"href":618},{"title":211,"searchDepth":212,"depth":212,"links":13920},[13921],{"id":13724,"depth":212,"text":13725,"children":13922},[13923,13924,13925,13926,13927,13928,13929],{"id":13731,"depth":217,"text":13732},{"id":13755,"depth":217,"text":13756},{"id":13794,"depth":217,"text":13795},{"id":13843,"depth":217,"text":13844},{"id":13864,"depth":217,"text":13865},{"id":13888,"depth":217,"text":13889},{"id":13912,"depth":217,"text":13913},{},[984],[6684,6678,6680,5749,6941],{"title":13934,"description":13935},"Approved Scanning Vendor (ASV): PCI DSS Scan Requirements","An ASV is a PCI SSC-certified company that runs external vulnerability scans. Learn when ASV scans are required, how to pass, and what happens if you fail.","8.glossary\u002Fasv","1RCuGF3FH1uv6KD3UKnip7mN31_pxDH7c5aUf0urTlM",{"id":13939,"title":13940,"body":13941,"description":211,"extension":224,"lastUpdated":225,"meta":14156,"navigation":227,"path":726,"relatedFrameworks":14157,"relatedTerms":14158,"seo":14159,"slug":988,"stem":14162,"term":13946,"__hash__":14163},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":8,"value":13942,"toc":14146},[13943,13947,13950,13954,13957,13993,13996,14016,14020,14023,14044,14048,14051,14095,14099,14102,14116,14120,14137,14141],[11,13944,13946],{"id":13945},"what-is-an-audit-trail","What is an Audit Trail?",[16,13948,13949],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[20,13951,13953],{"id":13952},"what-do-audit-trails-capture","What do audit trails capture?",[16,13955,13956],{},"Effective audit trails typically record:",[28,13958,13959,13965,13970,13976,13982,13988],{},[31,13960,13961,13964],{},[34,13962,13963],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[31,13966,13967,13969],{},[34,13968,5132],{}," — configuration changes, service starts and stops, errors, failures",[31,13971,13972,13975],{},[34,13973,13974],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[31,13977,13978,13981],{},[34,13979,13980],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[31,13983,13984,13987],{},[34,13985,13986],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[31,13989,13990,13992],{},[34,13991,5150],{}," — firewall rule changes, intrusion detection alerts, malware detections",[16,13994,13995],{},"Each audit trail entry should include:",[28,13997,13998,14001,14004,14007,14010,14013],{},[31,13999,14000],{},"Timestamp (synchronized across systems)",[31,14002,14003],{},"User or system identity",[31,14005,14006],{},"Action performed",[31,14008,14009],{},"Target resource or data",[31,14011,14012],{},"Outcome (success or failure)",[31,14014,14015],{},"Source (IP address, device, or location)",[20,14017,14019],{"id":14018},"what-are-the-audit-trail-requirements","What are the audit trail requirements?",[16,14021,14022],{},"Multiple compliance frameworks require audit trails:",[28,14024,14025,14030,14035,14040],{},[31,14026,14027,14029],{},[34,14028,36],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[31,14031,14032,14034],{},[34,14033,42],{}," — 
control A.8.15 addresses logging, and A.8.17 addresses clock synchronization for accurate audit trails",[31,14036,14037,14039],{},[34,14038,605],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[31,14041,14042,5566],{},[34,14043,48],{},[20,14045,14047],{"id":14046},"how-do-you-implement-audit-trails","How do you implement audit trails?",[16,14049,14050],{},"To implement effective audit trails:",[155,14052,14053,14059,14065,14071,14077,14083,14089],{},[31,14054,14055,14058],{},[34,14056,14057],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[31,14060,14061,14064],{},[34,14062,14063],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[31,14066,14067,14070],{},[34,14068,14069],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[31,14072,14073,14076],{},[34,14074,14075],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[31,14078,14079,14082],{},[34,14080,14081],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[31,14084,14085,14088],{},[34,14086,14087],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[31,14090,14091,14094],{},[34,14092,14093],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[20,14096,14098],{"id":14097},"how-long-should-audit-trails-be-retained","How long should audit trails be retained?",[16,14100,14101],{},"Retention requirements vary by framework and jurisdiction:",[28,14103,14104,14107,14110,14113],{},[31,14105,14106],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately 
available",[31,14108,14109],{},"HIPAA requires documentation retention for 6 years",[31,14111,14112],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[31,14114,14115],{},"SOC 2 audits typically require evidence covering the observation period",[20,14117,14119],{"id":14118},"what-are-common-pitfalls-with-audit-trails","What are common pitfalls with audit trails?",[28,14121,14122,14125,14128,14131,14134],{},[31,14123,14124],{},"Insufficient logging — missing critical events or systems",[31,14126,14127],{},"Log overload — logging too much without meaningful analysis",[31,14129,14130],{},"No log protection — allowing administrators to modify or delete logs",[31,14132,14133],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[31,14135,14136],{},"No review process — collecting logs but never analyzing them",[20,14138,14140],{"id":14139},"how-does-episki-help-with-audit-trails","How does episki help with audit trails?",[16,14142,14143,14144,209],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[205,14145,208],{"href":207},{"title":211,"searchDepth":212,"depth":212,"links":14147},[14148],{"id":13945,"depth":212,"text":13946,"children":14149},[14150,14151,14152,14153,14154,14155],{"id":13952,"depth":217,"text":13953},{"id":14018,"depth":217,"text":14019},{"id":14046,"depth":217,"text":14047},{"id":14097,"depth":217,"text":14098},{"id":14118,"depth":217,"text":14119},{"id":14139,"depth":217,"text":14140},{},[230,231,983,984],[1667,992,1952,1179],{"title":14160,"description":14161},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","wGJCFb9Xcb1bQvrLNHVniHH6roxZCmzstztRki0-h68",{"id":14165,"title":14166,"body":14167,"description":211,"extension":224,"lastUpdated":225,"meta":14302,"navigation":227,"path":3269,"relatedFrameworks":14303,"relatedTerms":14304,"seo":14305,"slug":3249,"stem":14308,"term":14172,"__hash__":14309},"glossary\u002F8.glossary\u002Fisms.md","Isms",{"type":8,"value":14168,"toc":14293},[14169,14173,14179,14183,14186,14200,14204,14207,14243,14247,14250,14276,14280,14283,14287],[11,14170,14172],{"id":14171},"what-is-an-isms","What is an ISMS?",[16,14174,14175,14176,14178],{},"An ISMS (Information Security Management System) is a systematic framework of policies, processes, and controls that an organization uses to manage information security risks. It is the core requirement of ",[205,14177,42],{"href":591}," certification.",[20,14180,14182],{"id":14181},"what-is-the-purpose-of-an-isms","What is the purpose of an ISMS?",[16,14184,14185],{},"An ISMS provides a structured approach to:",[28,14187,14188,14191,14194,14197],{},[31,14189,14190],{},"Identifying information security risks and opportunities",[31,14192,14193],{},"Implementing controls proportionate to those risks",[31,14195,14196],{},"Monitoring and measuring security performance",[31,14198,14199],{},"Continually improving the security posture",[20,14201,14203],{"id":14202},"what-are-the-key-components-of-an-isms","What are the key components of an ISMS?",[16,14205,14206],{},"An effective ISMS typically includes:",[28,14208,14209,14215,14221,14227,14232,14238],{},[31,14210,14211,14214],{},[34,14212,14213],{},"Information security policy"," — top-level commitment from leadership",[31,14216,14217,14220],{},[34,14218,14219],{},"Risk assessment methodology"," — how the organization identifies, analyzes, and 
evaluates risks",[31,14222,14223,14226],{},[34,14224,14225],{},"Risk treatment plan"," — how identified risks are addressed (mitigate, accept, transfer, avoid)",[31,14228,14229,14231],{},[34,14230,3514],{}," — which controls from Annex A apply and why",[31,14233,14234,14237],{},[34,14235,14236],{},"Internal audit program"," — regular reviews of ISMS effectiveness",[31,14239,14240,14242],{},[34,14241,13589],{}," — leadership evaluation of ISMS performance and direction",[20,14244,14246],{"id":14245},"what-is-the-isms-lifecycle","What is the ISMS lifecycle?",[16,14248,14249],{},"The ISMS follows a Plan-Do-Check-Act (PDCA) cycle:",[155,14251,14252,14258,14264,14270],{},[31,14253,14254,14257],{},[34,14255,14256],{},"Plan"," — establish objectives, policies, and processes for managing risk",[31,14259,14260,14263],{},[34,14261,14262],{},"Do"," — implement and operate the ISMS",[31,14265,14266,14269],{},[34,14267,14268],{},"Check"," — monitor, measure, and review against objectives",[31,14271,14272,14275],{},[34,14273,14274],{},"Act"," — take corrective actions and improve",[20,14277,14279],{"id":14278},"what-is-the-difference-between-an-isms-and-individual-controls","What is the difference between an ISMS and individual controls?",[16,14281,14282],{},"An ISMS is not a list of controls — it is the management system that governs how controls are selected, implemented, monitored, and improved. Individual controls (like access management or encryption) operate within the ISMS framework.",[20,14284,14286],{"id":14285},"how-does-episki-support-your-isms","How does episki support your ISMS?",[16,14288,14289,14290,209],{},"episki provides the workspace for building and operating an ISMS: control libraries, risk registers, evidence tracking, ownership assignment, and review cadences. 
Learn more on our ",[205,14291,14292],{"href":591},"ISO 27001 page",{"title":211,"searchDepth":212,"depth":212,"links":14294},[14295],{"id":14171,"depth":212,"text":14172,"children":14296},[14297,14298,14299,14300,14301],{"id":14181,"depth":217,"text":14182},{"id":14202,"depth":217,"text":14203},{"id":14245,"depth":217,"text":14246},{"id":14278,"depth":217,"text":14279},{"id":14285,"depth":217,"text":14286},{},[231],[231,235,236,1421],{"title":14306,"description":14307},"What is an ISMS? Information Security Management System Explained","An ISMS is a systematic framework for managing information security risks. Learn how an ISMS works, its components, and how it relates to ISO 27001 certification.","8.glossary\u002Fisms","eFCKyr5T2onOha3nbKm5Esqc0WJorOxwE48XJvR0WXE",{"id":14311,"title":14312,"body":14313,"description":211,"extension":224,"lastUpdated":225,"meta":14463,"navigation":227,"path":14464,"relatedFrameworks":14465,"relatedTerms":14466,"seo":14467,"slug":1176,"stem":14470,"term":14318,"__hash__":14471},"glossary\u002F8.glossary\u002Fhitech.md","Hitech",{"type":8,"value":14314,"toc":14454},[14315,14319,14322,14326,14329,14335,14341,14347,14364,14370,14376,14380,14383,14400,14404,14407,14421,14424,14428,14431,14445,14449],[11,14316,14318],{"id":14317},"what-is-the-hitech-act","What is the HITECH Act?",[16,14320,14321],{},"The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. 
" — HITECH established the Breach Notification Rule, requiring covered entities and business associates to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. PHI counts as unsecured when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons in line with HHS guidance (for example, through encryption that meets that guidance), which is why properly managed encryption at rest and in transit is a practical safe harbor from the notification duty."
"Annual maximum of $1.5 million per violation category (amounts as enacted; HHS adjusts the penalty figures for inflation, so check the current amounts in 45 CFR 160.404 rather than relying on these numbers)"
"Individual notification must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach (state breach-notification laws may set shorter deadlines)",[31,14437,14438],{},"HHS notification is required for all breaches: breaches affecting 500 or more individuals must be reported without unreasonable delay and within 60 days of discovery, while smaller breaches are logged and reported within 60 days after the end of the calendar year in which they were discovered",[31,14440,14441],{},"Media notification is required for breaches involving more than 500 residents of a single state or jurisdiction"
notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach, which then triggers the covered entity's notification obligations. Because a breach is treated as discovered on the first day it is known, or reasonably should have been known, to any workforce member or agent, BAAs commonly set a shorter contractual reporting window so the covered entity can still meet its own deadline"
Learn the key provisions.","8.glossary\u002Fhitech","ow2eaKtLUQ3UD-N-SepMmXJUhTy2Djfw83cfPmt0cmE",{"id":14473,"title":14474,"body":14475,"description":211,"extension":224,"lastUpdated":225,"meta":14673,"navigation":227,"path":14674,"relatedFrameworks":14675,"relatedTerms":14676,"seo":14677,"slug":987,"stem":14680,"term":14480,"__hash__":14681},"glossary\u002F8.glossary\u002Fminimum-necessary-rule.md","Minimum Necessary Rule",{"type":8,"value":14476,"toc":14663},[14477,14481,14484,14488,14491,14511,14515,14518,14550,14553,14557,14560,14566,14572,14586,14592,14606,14612,14618,14622,14633,14637,14640,14654,14658],[11,14478,14480],{"id":14479},"what-is-the-minimum-necessary-rule","What is the Minimum Necessary Rule?",[16,14482,14483],{},"The Minimum Necessary Rule is a core principle of the HIPAA Privacy Rule that requires covered entities and business associates to limit the use, disclosure, and request of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose. It embodies the principle of least privilege applied specifically to health information.",[20,14485,14487],{"id":14486},"how-does-the-minimum-necessary-rule-work","How does the minimum necessary rule work?",[16,14489,14490],{},"The Minimum Necessary Rule applies to most uses and disclosures of PHI. When an organization uses, discloses, or requests PHI, it must make reasonable efforts to limit the information to what is needed for the specific task. 
This applies to:",[28,14492,14493,14499,14505],{},[31,14494,14495,14498],{},[34,14496,14497],{},"Internal use"," — employees should only have access to the PHI they need to perform their job functions",[31,14500,14501,14504],{},[34,14502,14503],{},"Disclosures to others"," — when sharing PHI with other organizations, limit the information to what is relevant",[31,14506,14507,14510],{},[34,14508,14509],{},"Requests for PHI"," — when requesting PHI from another entity, ask only for what is necessary",[20,14512,14514],{"id":14513},"what-are-the-exceptions-to-the-minimum-necessary-rule","What are the exceptions to the minimum necessary rule?",[16,14516,14517],{},"The Minimum Necessary Rule does not apply in certain situations:",[28,14519,14520,14526,14532,14538,14544],{},[31,14521,14522,14525],{},[34,14523,14524],{},"Treatment purposes"," — healthcare providers sharing PHI for treatment are exempt, as limiting information could compromise patient care",[31,14527,14528,14531],{},[34,14529,14530],{},"Individual access"," — when an individual requests access to their own PHI",[31,14533,14534,14537],{},[34,14535,14536],{},"Individual authorization"," — when the individual has signed a valid authorization for the disclosure",[31,14539,14540,14543],{},[34,14541,14542],{},"HHS compliance investigations"," — disclosures required by HHS for enforcement purposes",[31,14545,14546,14549],{},[34,14547,14548],{},"Required by law"," — disclosures that are required by other laws",[16,14551,14552],{},"These exceptions recognize that there are situations where limiting PHI access would be impractical or harmful.",[20,14554,14556],{"id":14555},"what-are-the-implementation-requirements-for-the-minimum-necessary-rule","What are the implementation requirements for the minimum necessary rule?",[16,14558,14559],{},"To comply with the Minimum Necessary Rule, organizations must:",[16,14561,14562,14565],{},[34,14563,14564],{},"Identify roles and access needs"," — determine which workforce 
members need access to PHI and what specific categories of PHI they require. A billing specialist needs different information than a nurse or a compliance officer.",[16,14567,14568,14571],{},[34,14569,14570],{},"Implement role-based access controls"," — configure systems to restrict PHI access based on job function. This includes:",[28,14573,14574,14577,14580,14583],{},[31,14575,14576],{},"Role-based access in electronic health record systems",[31,14578,14579],{},"Physical access restrictions to areas where PHI is stored",[31,14581,14582],{},"Need-to-know policies for paper records",[31,14584,14585],{},"Segmented access levels within applications",[16,14587,14588,14591],{},[34,14589,14590],{},"Develop policies and procedures"," — create written policies that define:",[28,14593,14594,14597,14600,14603],{},[31,14595,14596],{},"Who may access PHI and under what circumstances",[31,14598,14599],{},"Criteria for determining what constitutes the minimum necessary",[31,14601,14602],{},"Procedures for routine and non-routine disclosures",[31,14604,14605],{},"Review and approval processes for non-routine requests",[16,14607,14608,14611],{},[34,14609,14610],{},"Establish standard protocols for routine disclosures"," — for disclosures that occur regularly (such as sharing information with insurers for payment), define standard protocols that specify exactly what information is shared.",[16,14613,14614,14617],{},[34,14615,14616],{},"Review non-routine requests individually"," — for unusual or one-time requests, develop criteria for case-by-case evaluation.",[20,14619,14621],{"id":14620},"what-are-practical-examples-of-the-minimum-necessary-rule","What are practical examples of the minimum necessary rule?",[28,14623,14624,14627,14630],{},[31,14625,14626],{},"A hospital IT administrator troubleshooting a system issue should not browse patient medical records unrelated to the technical problem",[31,14628,14629],{},"A billing department requesting records for a claim should receive 
"A research team should receive de-identified data when possible, a limited data set under a data use agreement where some identifiers are required, or otherwise only the minimum identified data necessary for the study"
Definition & Compliance Guide","The Minimum Necessary Rule requires that access to PHI be limited to the minimum amount needed for a specific purpose. Learn how to implement it under HIPAA.","8.glossary\u002Fminimum-necessary-rule","qBz6RacRE9Latn4wwwCyYHbFbXGxs0xkb0pg5ag5v4I",1778494662428]