Dictionary

American Land Title Association (ALTA)
The American Land Title Association, founded in 1907, is the national trade association representing more than 6,400 title insurance companies, title and settlement agents, independent abstracters, title searchers and real estate attorneys. 

Audit Fatigue
Also known as assessment fatigue, is the feeling of tiredness, weariness, frustration or exhaustion that people experience after they’ve been pulled away from their regular tasks repeatedly in order to participate in compliance efforts. 

Audit readiness assessment
The readiness assessment is a process that should be done months in advance of an audit. It involves inviting your selected auditor to your office to interview key personnel within your organization. 

BA routing number
The ABA routing number was developed by the American Bankers Association in 1910. It identifies the specific financial institution responsible for the payment of a negotiable instrument.

Cashier’s Check
A check drawn by a bank on its own funds and signed by the cashier 

Certified Check
A check that is guaranteed by a bank 

CCPAA 
Wide-ranging privacy law that went into effect on January 1st, 2020. It regulates how businesses collect, use, and disclose just about any kind of information that relates to an individual. It covers any business that earns $25 million in revenue per year overall, or sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information. The CCPA requires businesses to implement new policies and procedures to ensure the protection of personal information for Californian residents. What’s more, the law expands what’s considered “personal information” and includes data elements not previously considered personal information under any U.S. law. It also gives California residents some new rights to make data requests to businesses that handle their data. 

Closing
The final step in executing a real estate transaction through purchasing and/or financing a property. 

Closing Disclosure (CD)
A five-page form that provides final details about the mortgage loan selected. It includes the loan terms, projected monthly payments, and how much will be pay in fees and other costs to get the mortgage (closing costs). 

Cloud compliance frameworks
Cloud compliance is the principle that cloud-delivered systems need to be compliant with the standards their customers require. Your customers may have to comply with many regulations around data protection, such as HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, SOX, and more. Cloud compliance is about ensuring that cloud computing services meet compliance requirements. 

CMMC
The CMMC is intended to serve as a verification mechanism to ensure that all appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene and protect controlled unclassified information (CUI) and Federal Contract Information (FCI) that resides on the Department’s industry partners’ networks. 

Collected Funds
Cash deposits or checks that have been presented for payment and for which payment has been received. 

Common Controls Framework (CCF)
A comprehensive set of control requirements, aggregated, correlated and rationalized from the vast array of industry information security and privacy standards. Utilizing a CCF enables an organization to meet the requirements of these security, privacy, and other compliance programs while minimizing the risk of becoming “over controlled.

Construction Loan
Usually a short-term loan that provides funds to cover the cost of building or rehabilitating a home.

Compliance audit
A compliance audit is a comprehensive review and evaluation of a business or organization’s compliance with a voluntary compliance framework (e.g., SOC 2, ISO 27001) or a set of regulatory requirements (e.g., GDPR or HIPAA).

Compliance automation
Compliance automation is about using technology to eliminate as much manual, administrative work as possible from compliance activities — so an organization scales their activities and resources to meet the demands of an increasing compliance scope. 

Compliance Maturity Assessment
A tool created by Hyperproof that organizations can use to self-assess where they are in their compliance journey. 

Compliance Operations
Compliance Operations is an operating model and a methodology that recognizes that managing information security compliance and security assurance programs consistently and on a day-to-day basis is a critical component of effective IT risk management. It operates on the understanding that cyber risks can change by the minute, regulatory volatility isn’t going away, and zero trust is now the default security (and B2B purchase) model. 

Compliance Operations Platform
A platform for managing daily compliance operations — a place for making project plans, getting work done, tracking progress, and identifying areas for improvement. The platform will help to improve the way you plan information security, data privacy, and compliance projects, execute them and monitor progress and keep records. 

Compliance program
A compliance program is a set of internal policies and procedures within a company to comply with laws, rules, and regulations or to uphold the business’ reputation. Where requirements of a regulatory authority do not apply, a compliance program within an organization addresses conduct of employees to abide by internal policies (e.g. spending corporate funds or keeping confidentiality) and, more importantly, to maintain the firm’s reputation among its customers, suppliers, employees, and even the community where the business is located. 

Continuous compliance
Continuous compliance is an approach that helps you manage risks more effectively. With continuous compliance, risks are re-assessed on a regular basis, control processes are consistently performed, and evidence from control processes are evaluated and actioned accordingly. By evaluating control processes on a continuous basis, organizations have an opportunity to refine their risk management strategies in real-time. 

CUI (Controlled Unclassified Information)
CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It’s also not corporate intellectual property unless created for or included in requirements related to a government contract. 

Cyber risk
Cyber risk can be understood as the potential (chance) of exposing a business’s information and communications systems to dangerous actors, elements, or circumstances capable of causing loss or damage. Risk implies a degree of probability or the chance of an event occurring. Cyber risk is based on the probability of a bad event happening to your business’s information systems, leading to the loss of confidentiality, integrity, and availability of information.

Cybersecurity incident response plan
A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information. 

Cybersecurity risk management
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. 

Cybersecurity risk management framework
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats.

Data classification policy
A data classification policy is a comprehensive plan used to categorize a company’s stored information based on its sensitivity level, ensuring proper handling and lowering organizational risk. A data classification policy identifies and helps protect sensitive/confidential data with a framework of rules, processes, and procedures for each class. 

Data security controls
Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. At a high-level, they can usually be categorized into internal controls or incident-focused controls. 

Escheat
The reversion of property to the state, or (in feudal law) to a lord, on the owner’s dying without legal heirs. 

Escrow
A bond, deed, or other document kept in the custody of a third party and taking effect only when a specified condition has been fulfilled 

Escrow Instructions
The written instructions by buyer and seller of real estate to a title company, escrow company or individual escrow in “closing” a real estate transaction.  These instructions are generally prepared by the escrow holder and then approved by the parties and their agents. 

Escrow Officer
An unbiased third party who ensures a real estate transaction is correctly carried out by a homebuyer, home seller and any real estate agents involved in the purchase or refinance of a home.

Endpoint security
Endpoint security is a multi-layered initiative focused on blocking threats and securing network endpoints. Endpoint solutions operate from centralized software with installs on each device. Endpoint platforms mirror larger systems with firewalls, access control, and vulnerability assessment to neutralize threats. 

FinCEN
FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities. 

Fraud
Wrongful or criminal deception intended to result in financial or personal gain.

Good Funds
A wire, cashier’s check or a certified check, as they are immediately available funds. 

GDPR
Any organization that does business in Europe or is expanding to Europe is legally required to comply with the European Union’s General Data Protection Regulation (GDPR). GDPR requires organizations inside and outside Europe to secure all EU citizens’ Personally Identifying Information (PII) collected, processed or stored by the business. Therefor, an organization needs to know where data is sourced and who it’s for. 

Governance, Risk and Compliance
A combination of policies, procedures, and activities intended to advance and manage business objectives while mitigating risk and ensuring compliance with requirements specific to an organization. 

GRC Software
An application or suite of applications designed to assist organizations in the management, review, and testing of controls specific to mitigating risk, complying with relevant internal and external requirements, and supporting security assurance activities. 

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. HIPAA requires that covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment and operations) must meet a set of rules. 

Information security policy
A high-level document describing an organization’s requirements and objectives related to information security. 

Information security risk assessment
Information security risk assessments focus on identifying the threats facing your information systems, networks and data, and assessing the potential consequences you’d face should these adverse events occur. Risk assessments should be conducted on a regular basis (e.g. annually) and whenever major changes occur within your organization (e.g., acquisition, merger, re-organization, when a leader decides to implement new technology to handle a key business process, when employees suddenly move from working in an office to working remotely). 

Integrated risk management
Integrated risk management (IRM) is a holistic, organization-wide approach to addressing risk which welcomes input from various functions, including risk management, cybersecurity, compliance, and various business units. It’s designed to provide a holistic view of risk across the enterprise and streamline the risk assessment and remediation process. This model leverages agile principles, automation, a security-aware culture, and cross-departmental collaboration to outpace the more traditional, compliance-driven model. 

Internal audit
Company employees carry out internal audits to gauge overall risks to compliance and security and determine whether the company is following internal guidelines. Internal audits should occur throughout the year. Management teams can use the reports generated from internal audits to identify areas that require improvement. Internal audits measure company objectives against output and strategic risks. 

Internal controls
Jonathan Marks, a well-known professional in the forensics, audit, and internal control space, defines internal controls as, “…a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes of the objective(s).” Internal controls are processes that mitigate risk and reduce the chance of an unwanted risk outcome. 

ISO 27001
Developed by the International Organization for Standardization, ISO 27001 is an information security standard providing requirements for an information management system (ISMS). ISO 27001 defines what an information security management system (ISMS) is, what is required to be included within an ISMS, and how management should implement, monitor, and maintain an ISMS. 

IT General Controls (ITGCs)
ITGCs are controls that govern how technology is designed, implemented, and used in your organization. ITGCs shape everything from configuration management to password policy, application development to user account creation. They govern issues such as how technology is acquired and developed, or how security protocols are rolled out across the enterprise. 

Judgment
The obligation, especially a debt, arising from a judicial decision.

Loan to Value Ratio
A financial term used by lenders to express the ratio of a loan to the value of an asset purchased.

Mortgage
A conveyance of or lien against property (as for securing a loan) that becomes void upon payment or performance according to stipulated terms 

Monitoring
Data security controls facilitate risk management plans by minimizing, avoiding, detecting, or responding to risks in networks, hardware, software, data, and other systems. At a high-level, they can usually be categorized into internal controls or incident-focused controls. Monitoring may consist of ongoing activities, separate evaluations or a combo of the two.

NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CF) is a list of standards, guidelines, and practices designed to help organizations better manage and reduce cyber risk of all types – including malware, password theft, phishing attacks, DDoS, traffic interception, social engineering and others. The National Institute of Standards and Technology created the framework by collaborating with government and industry groups with the framework designed to complement existing organizational cybersecurity operations. NIST CF rests on industry best practices gathered from various other documents and standards like ISO 27001 and COBIT 5. 

NIST Privacy Framework
Created by the National Institute of Standards and Technology (NIST), the Privacy Framework is a voluntary tool any organization can use to create or improve a privacy program. Effective privacy risk management can help you build trust in your products and services, communicate better about your privacy practices, and meet your compliance obligations. 

NIST SP 800-53
Developed by computer security and privacy experts at the National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, is a collection of specific safeguarding measures that can be used to protect an organization’s operations and data and the privacy of individuals. In fact, NIST SP 800-53 is considered the gold standard for information security and is cross-referenced by many other industry-accepted security standards.

Operational Control 

Typically, these are controls that are performed by staff in the management and administration of an information system, following an established process or procedure, and generally recur on a daily or other event-driven basis. 

PCI Audit
A PCI audit is a vigorous inspection of a merchant’s adherence to PCI DSS requirements, consisting of numerous individual controls or safeguards for protecting cardholder information (e.g., Primary Account Number, CAV/CID/CVC2/CVV2, etc.) and systems that interact with payment processing, which we will discuss later. 

PCI DSSPCI DSS 
(Payment Card Industry Data Security Standard) is an information security standard designed to help all organizations who handle credit card transactions maintain a secure environment. The standard was developed by the PCI Security Standards Council, an independent body founded by major card brands including Visa, MasterCard, and Discover. 

Ransomware
Ransomware is a malware variant designed to secretly infiltrate computer systems, infect and encrypt files, then hold the data hostage until a ransom is paid in untraceable currency. This type of malware attempts to spread throughout connected systems or shared devices within the victim’s network.

Refinance
Real Estate Settlement Procedures Act (RESPA): The Act requires lenders, mortgage brokers, or servicers of home loans to provide borrowers with pertinent and timely disclosures regarding the nature and costs of the real estate settlement process  

Risk management approach
A successful risk management approach will involve developing the necessary security controls to keep all high-risk threats in check, allowing your most important processes to remain functional.

Risk management software
Risk management software helps you identify, assess, and document risks associated with running various business processes and IT assets, communicate about risks, and efficiently manage risk mitigation tasks. 

Risk register
A risk register is an information repository an organization creates to document the risks they face and the responses they’re taking to address the risks. At a minimum, each risk documented in the risk register should contain a description of a particular risk, the likelihood of it happening, its potential impact from a cost standpoint, how it ranks overall in priority relevant to all other risks, the response, and who owns the risk

Secure software development
Secure software development is a methodology (often associated with DevSecOps) for creating software that incorporates security into every phase of the software development life cycle (SDLC). Security is baked into the code from inception rather than addressed after testing reveals critical product flaws. Security becomes part of the planning phase, incorporated long before a single line of code is written. 

Security questionnaire
Security questionnaires are lists of often complex and technical questions, usually compiled by IT teams, to determine a company’s security and compliance posture. Distributing security questionnaires to vendor partners is considered a cybersecurity best practice across most industries today. 

Settlement Agent
A person, other than a party to the real estate transaction, who provides escrow, closing, or settlement services in connection with a transaction related to real estate. 

Settlement Statement (HUD-1)
A document that lists all charges and credits to the buyer and to the seller in a real estate settlement, or all the charges in a mortgage refinance. 

SOC 2
Developed by the American Institute of CPAs (AICPA), a SOC 2 report provides insight into internal controls that exist within an organization to address risks related to security, availability, processing integrity, confidentiality and/or privacy. The report is independently validated by a CPA and uses specific criteria, methodology and expectations that enable consistency in comparison across organizations. Before a SOC 2 report is issued, an independent CPA conducts an assessment of the scope, design, and (for Type 2 reports) the effectiveness of internal control processes. The scope of a SOC 2 report is determined by your organization and your SOC 2 assessor.

Software supply chain attacks
A software supply chain attack occurs when a threat actor infiltrates a vendor network and employs malicious code to compromise the software product before the vendor sends it to their customers. The affected software and data then compromise the customer’s system and data, creating malicious options for the threat actors. Security measures of both the vendor and their customers can be circumvented, allowing unauthorized privileged and persistent access to the target’s networks.Read More › 

SOX
The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Security Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. IT compliance and IT security professionals need to pay close attention to SOX because the regulation has clear implications for data management, reporting, and security.Read More › 

SSPA
Microsoft believes that security and privacy are critical to its mission and requires their suppliers who handle confidential data to meet a strict set of standards. If you’re doing business with Microsoft and processing Personal Data or Microsoft Confidential Data in the performance of your service, you will need to enroll in Microsoft’s Supplier Privacy & Assurance Standards (SSPA) program. As a supplier, you will need to understand a set of Data Protection Requirements (DPR), attest to the DPR, and gain independent assurance by completing an assessment against the DPR. 

System Security Plan (SSP)
A critical component that must be included in the security package for a system or service seeking a FISMA or FedRAMP ATO. The SSP provides a detailed description of an information system and how the system’s controls satisfy in-scope requirements identified, and possibly tailored, by an authorizing agency.

Title Company
Any company licensed to transact, or transacting, title insurance 

Third party risk
Third-party risk is the likelihood that your organization will experience an adverse event (e.g., data breach, operational disruption, reputational damage) when you choose to outsource certain services or use software built by third-parties to accomplish certain tasks. Third parties include any separate business or individual providing software, physical goods, or supplies or services. Third-parties include software vendors, suppliers, staffing agencies, consultants, and contractors.Read More › 

Third party risk management (TPRM)
Third Party Risk Management is a discipline around analyzing and controlling risks associated with outsourcing third-party vendors or service providers. Third-party and vendor risk assessments is an exercise you can conduct to help your organization to determine how much risk exposure you’d take on if you were to outsource a business process or entrust your data to a third party. 

Virtual compliance officer
A virtual compliance officer is a senior professional who can provide information security strategy guidance and oversight and do the work needed to build, implement, and manage information security programs for continuous compliance without the cost of a full-time Chief Compliance Officer. 

Zero Trust Security
Zero Trust is a cybersecurity strategy based on eliminating any trust within an environment regardless of location. Everyone and everything read as a threat until proven otherwise. All users and devices must be authenticated and authorized before being allowed access to valuable resources.