HECVAT Glossary
A
Assessment: The process of evaluating a vendor's security practices and controls using the HECVAT questionnaire.
Authentication: The process of verifying the identity of a user, system, or entity.
B
Business Continuity Plan (BCP): A document that outlines how a business will continue operating during an unplanned disruption in service.
C
Cloud Security Alliance (CSA): An organization that promotes best practices for providing security assurance within cloud computing.
Compliance: Adherence to laws, regulations, standards, and established guidelines.
Cybersecurity: The practice of protecting systems, networks, and programs from digital attacks.
D
Data Classification: The process of organizing data into categories for its most effective and efficient use.
Disaster Recovery Plan (DRP): A documented process or set of procedures to recover and protect a business's IT infrastructure in the event of a disaster.
E
Encryption: The process of encoding information in such a way that only authorized parties can access it.
F
Firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
H
HECVAT Full: The comprehensive version of the HECVAT, intended for cloud services that may handle sensitive data.
HECVAT Lite: A shortened version of the HECVAT for lower-risk services or rapid assessments.
HECVAT On-Premise: A version of the HECVAT tailored for on-premise software and services.
I
Incident Response Plan: A set of instructions to help IT staff detect, respond to, and recover from network security incidents.
Information Security: The practice of protecting information by mitigating information risks.
M
Malware: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Multi-Factor Authentication (MFA): An authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism.
P
Penetration Testing: An authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
Personally Identifiable Information (PII): Any data that could potentially identify a specific individual.
R
Risk Assessment: The process of identifying, analyzing, and evaluating risk.
S
SaaS (Software as a Service): A software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.
Security Controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
SOC 2: A voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data.
T
Two-Factor Authentication (2FA): A subset of multi-factor authentication that requires two different authentication factors to verify a user's identity.
V
Vendor: A third-party service provider that may handle institutional data.
Vulnerability: A weakness that can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
W
Web Application Firewall (WAF): A firewall that monitors, filters, and blocks data packets as they travel to and from a web application.