Compliance Glossary
Definitions of common compliance, security, and regulatory terms used in Axura and the broader compliance industry.
Compliance Terms
AICPA
American Institute of Certified Public Accountants - the organization that developed SOC 2.
Audit Trail
Chronological record of system and user activity (who did what, when, and from where) that must be protected from modification so events can be reconstructed during investigations and audits.
Business Associate
Under HIPAA, a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, typically bound by a Business Associate Agreement (BAA).
CCPA
California Consumer Privacy Act - California's data privacy law.
Control
A specific safeguard (policy, process, or technical measure) required by a compliance framework that must be implemented and evidenced.
Covered Entity
Under HIPAA, health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction.
Evidence
Artifacts (configuration exports, logs, screenshots, policies, tickets) that demonstrate a control is implemented and operating effectively over the audit period.
Finding
A security issue or compliance gap discovered during scanning.
Framework
A compliance standard or regulation (e.g., SOC 2, ISO 27001, HIPAA).
GDPR
General Data Protection Regulation - EU's comprehensive data protection law.
HIPAA
Health Insurance Portability and Accountability Act - US healthcare data protection law.
ISMS
Information Security Management System - the set of policies, processes, and controls an organization uses to manage information security risk; ISO 27001 specifies the requirements an ISMS must meet.
ISO 27001
International standard for information security management systems.
MFA
Multi-Factor Authentication - requiring two or more independent factors (something you know, something you have, something you are) to verify identity before granting access.
PCI-DSS
Payment Card Industry Data Security Standard - security standard for organizations that store, process, or transmit payment card data.
PHI
Protected Health Information - individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate, regulated under HIPAA.
PII
Personally Identifiable Information - data that can identify an individual on its own or in combination with other data (e.g., name, email address, national ID number).
RBAC
Role-Based Access Control - access control model in which permissions are assigned to roles and users gain access by being assigned roles, rather than through per-user grants.
Risk Assessment
Process of identifying threats and vulnerabilities to information assets, evaluating their likelihood and impact, and prioritizing treatment; required by ISO 27001, HIPAA, and SOC 2.
SOC 2
System and Organization Controls 2 (formerly Service Organization Control 2) - an AICPA attestation report on a service organization's controls, evaluated against the Trust Services Criteria.
SSO
Single Sign-On - authentication model in which one login to an identity provider grants access to multiple applications; it centralizes access decisions so MFA enforcement and deprovisioning apply consistently.
Trust Services Criteria
The five categories of criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) used in SOC 2. Security is required in every SOC 2 report; the other four are included based on the commitments the service makes to its customers.
Type I vs Type II
A Type I report evaluates whether controls are suitably designed at a single point in time; a Type II report also tests whether they operated effectively over a review period, typically 6-12 months.
