Glossary

Key terms used throughout ConcertoGRC, organized alphabetically.


Access Review

A periodic review of user access to applications and systems to verify that permissions are appropriate and that terminated or role-changed employees have been deprovisioned. ConcertoGRC supports OCR-based user extraction from access screenshots to automate comparison.
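The comparison step of an access review, as an added example that is not ConcertoGRC's code: an access list extracted from a screenshot (here a constructed OCR text with the usual whitespace and casing noise) is reconciled against an HR roster and an entitlement policy to surface terminated users, orphaned accounts, and users whose current job role no longer entitles them to the access they hold. The roster, the entitlement table, and the email-as-join-key rule are all assumptions.

```python
"""Access review reconciliation (illustrative; not ConcertoGRC's implementation).

Joins on email address rather than display name, because display names are
the part OCR most often mangles. The sample data below is constructed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "terminated" | "orphaned" | "role_changed"
    detail: str


# Constructed sample: lines as an OCR pass might return them from an admin
# console screenshot (ragged whitespace, inconsistent casing).
OCR_LINES = """
 Alice Example   alice.example@corp.test   Admin
 Bob Sample      BOB.SAMPLE@corp.test      Editor
 Carol Demo      carol.demo@corp.test      Viewer
 svc-backup      svc-backup@corp.test      Admin
"""

# Constructed HR roster (assumed feed): email -> (employment status, job role)
ROSTER = {
    "alice.example@corp.test": ("active", "Finance Analyst"),
    "bob.sample@corp.test":    ("terminated", "Engineer"),
    "carol.demo@corp.test":    ("active", "Support Agent"),
}

# Assumed entitlement policy: which application roles each job role may hold.
ENTITLEMENTS = {
    "Finance Analyst": {"Viewer", "Editor"},
    "Support Agent":   {"Viewer"},
    "Engineer":        {"Editor"},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_ocr(text):
    """Return {email: application_role} from OCR text.

    The first email-shaped token on a line is the identity; the last token
    after it is taken as the application role. Lines with no email are
    skipped rather than guessed at."""
    users = {}
    for line in text.splitlines():
        m = EMAIL_RE.search(line)
        if not m:
            continue
        email = m.group(0).lower()
        rest = line[m.end():].split()
        users[email] = rest[-1] if rest else ""
    return users


def review(access, roster, entitlements):
    """Compare extracted access against the roster; return a sorted list of findings."""
    findings = []
    for email, app_role in sorted(access.items()):
        if email not in roster:
            # Account exists in the application but has no HR record at all.
            findings.append(Finding(email, "orphaned",
                                    f"holds {app_role} but is not in the HR roster"))
            continue
        status, job = roster[email]
        if status != "active":
            findings.append(Finding(email, "terminated",
                                    f"status={status}, still holds {app_role}"))
        elif app_role not in entitlements.get(job, set()):
            findings.append(Finding(email, "role_changed",
                                    f"{job} is not entitled to {app_role}"))
    return findings


def run_review():
    """Run the constructed sample end to end."""
    return review(parse_ocr(OCR_LINES), ROSTER, ENTITLEMENTS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:13} {f.user}: {f.detail}")
```

On the constructed sample this reports three findings: the Finance Analyst holding Admin (role changed), the terminated engineer who still holds Editor, and the service account with no HR record. An account present in the roster with matching entitlements produces no finding, so a clean review is an empty list.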

Assessment

A formal evaluation of an organization's compliance posture against a specific framework. Assessments can be internal (self-assessment) or external (third-party audit). In ConcertoGRC, assessments track control-level findings with evidence review workflows.

Attestation

A formal declaration by a vendor or third party that they meet specific security or compliance requirements. Attestation documents (SOC 2 reports, ISO certificates, penetration test reports) are tracked in Vendor Management with expiration monitoring.

BIA (Business Impact Assessment)

An analysis of how disruptions to business processes, systems, or vendors would affect the organization. BIA records in ConcertoGRC include criticality scoring, dependency mapping, and recovery time objectives.

CAP (Corrective Action Plan)

A documented plan to address a compliance gap or audit finding. CAPs define the remediation steps, responsible owner, target date, and current status.

CCPA (California Consumer Privacy Act)

A California state law granting consumers rights over their personal data, including the right to know, delete, and opt out of data sales. ConcertoGRC's Privacy Policy documents CCPA compliance.

Compliance Framework

A structured set of controls, requirements, and best practices that organizations follow to meet regulatory or industry standards. ConcertoGRC supports SOC 2, ISO 27001, ISO 42001, PCI DSS, HIPAA, and others.

Control

A specific security measure, policy, or procedure that an organization implements to meet a compliance requirement. Controls in ConcertoGRC are organized by framework and tracked with status, ownership, and evidence mappings.

Control Mapping

The relationship between a control and other entities -- evidence requests, recurring activities, risks, or controls in other frameworks. Cross-framework mappings show how a single control satisfies requirements across multiple standards.

DAST (Dynamic Application Security Testing)

A testing methodology that finds vulnerabilities in a running application from the outside, by sending crafted requests and analyzing the responses, without access to source code. ConcertoGRC uses OWASP ZAP for DAST scanning.

Data Controller

The entity that determines the purposes and means of processing personal data. ConcertoGRC customers are data controllers for the data they enter into the platform.

Data Processor

An entity that processes personal data on behalf of a data controller. Under GDPR, ConcertoGRC acts as a data processor for customer data, processing it only according to customer instructions.

DPA (Data Processing Agreement)

A legally binding contract between a data controller and data processor that governs how personal data is handled. Required under GDPR when engaging third-party processors.

Evidence

Documentation that demonstrates a control is implemented and operating effectively. Evidence can include screenshots, reports, configuration exports, policy documents, and attestation letters. ConcertoGRC tracks evidence with validity periods and expiration monitoring.

Evidence Request

A defined requirement for a specific piece of evidence, including what to collect, how often, and where to upload it. Evidence requests can be standalone or mapped to framework controls.

Finding

A gap, deficiency, or observation identified during an assessment or audit. Findings in ConcertoGRC are tracked with severity, status, and remediation plans.

GDPR (General Data Protection Regulation)

The European Union regulation governing the processing of personal data for individuals within the EU. Establishes requirements for data protection, consent, breach notification, and data subject rights.

GRC (Governance, Risk, and Compliance)

The integrated approach to managing an organization's governance structure, risk management practices, and compliance obligations. ConcertoGRC is a GRC platform.

HIPAA (Health Insurance Portability and Accountability Act)

A US federal law that establishes standards for protecting sensitive patient health information. Organizations handling PHI must implement administrative, physical, and technical safeguards.

IdP (Identity Provider)

A service that manages user identities and authentication. ConcertoGRC integrates with Microsoft Entra ID and Google Workspace as identity providers for directory sync.

Inherent Risk

The level of risk before any controls or mitigations are applied. In ConcertoGRC's risk register, inherent risk is scored on a 5x5 matrix of likelihood and impact.

ISO 27001

An international standard for information security management systems (ISMS). Defines requirements for establishing, implementing, maintaining, and continually improving an ISMS.

ISO 42001

An international standard for AI management systems. Defines requirements for organizations developing, providing, or using AI systems to manage risks and ensure responsible AI practices.

KPI (Key Performance Indicator)

A measurable value that demonstrates how effectively an organization is achieving compliance and security objectives. ConcertoGRC tracks KPIs with targets, thresholds, and trend visualization.

MDM (Mobile Device Management)

Software that manages and secures mobile devices and endpoints. ConcertoGRC integrates with SimpleMDM, Microsoft Intune, and Jamf Pro for device compliance monitoring.

MFA (Multi-Factor Authentication)

An authentication method requiring two or more verification factors. ConcertoGRC supports MFA via AWS Cognito and monitors MFA adoption across identity provider integrations.

Nuclei

An open-source vulnerability scanner that uses templates to detect CVEs and misconfigurations. ConcertoGRC runs Nuclei scans on isolated ECS Fargate tasks against configured targets.

Occurrence

A single instance of a recurring activity. When a recurring activity's cadence triggers, an occurrence is created and becomes a task for the assigned owner to complete.

OWASP ZAP

An open-source dynamic application security testing (DAST) tool. ConcertoGRC uses ZAP for web application vulnerability scanning to detect SQLi, XSS, CSRF, and other application-level issues.

PCI DSS (Payment Card Industry Data Security Standard)

A set of security standards for organizations that store, process, or transmit cardholder data. Defines 12 principal requirements covering areas such as network security, access control, vulnerability management, logging, and monitoring.

PHI (Protected Health Information)

Individually identifiable health information about a person's health condition, the care they receive, or payment for that care. HIPAA requires specific safeguards for PHI, and vendors that handle PHI on a covered entity's behalf must sign a Business Associate Agreement. ConcertoGRC tracks BAA status for vendors handling PHI.

PIA (Privacy Impact Assessment)

A systematic assessment of how a project or system collects, uses, and protects personal data. ConcertoGRC provides AI-assisted PIA drafting and gap analysis against GDPR, CCPA, and ISO 27701.

Recurring Activity

A compliance task performed on a regular cadence (daily, weekly, monthly, quarterly, annually). Recurring activities generate occurrences that become trackable tasks with evidence collection.

Residual Risk

The level of risk remaining after controls and mitigations are applied. Residual risk should be lower than inherent risk if controls are effective.

Risk Treatment

The approach taken to address an identified risk. Options include: mitigate (reduce likelihood or impact), transfer (insurance or outsourcing), accept (acknowledge and monitor), or avoid (eliminate the activity).

RBAC (Role-Based Access Control)

An access control model where permissions are assigned to roles rather than individual users. ConcertoGRC uses RBAC with roles including Super Admin, Tenant Admin, User, Auditor, Executive, and Module Access roles.

SOC 2 (System and Organization Controls 2)

An auditing framework developed by the AICPA that evaluates an organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria).

Subprocessor

A third-party service that processes personal data on behalf of a data processor. ConcertoGRC's subprocessors include AWS, Cloudflare, and Sentry, as documented in the Privacy Policy.

Tabletop Exercise

A discussion-based exercise where team members walk through a simulated incident scenario to test response procedures. ConcertoGRC provides scenario management, inject delivery, and facilitator/participant views.

Tenant

An organization using the ConcertoGRC platform. Each tenant has isolated data, users, and configurations. Tenant isolation in the multi-tenant platform ensures no data crosses tenant boundaries.

Trust Center

A public-facing page where organizations share their security posture, compliance certifications, and documentation with customers and prospects. ConcertoGRC provides a customizable Trust Center module.

Validity Period

The time window during which a piece of evidence is considered current. ConcertoGRC supports validity periods of 30 days, 90 days, 6 months, 1 year, or indefinite. Uploading new evidence resets the expiration clock.
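Evidence expiration tracking under these rules, as an added example that is not ConcertoGRC's code: the named validity periods, the choice to count 6 months and 1 year in calendar months (clamped to month end, so evidence uploaded on 31 January with a 6-month period expires on 31 July, and 29 February plus 1 year lands on 28 February), the 14-day warning window, and the rule that evidence is current through the day before its expiry date are all assumptions made for the example. The expiry is computed from the most recent upload, which is what "resets the expiration clock" means in practice.

```python
"""Evidence validity-period and expiration monitoring (illustrative; not
ConcertoGRC's implementation). Period names, month arithmetic and the
warning window are assumptions for the example."""
from datetime import date, timedelta
import calendar

# Assumed period catalogue mirroring the options listed in the glossary.
VALIDITY = {
    "30d": ("days", 30),
    "90d": ("days", 90),
    "6m": ("months", 6),
    "1y": ("months", 12),
    "indefinite": None,
}


def add_months(d, n):
    """Calendar-month addition clamped to the last day of the target month."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expiry_date(uploaded, period):
    """Date on which evidence uploaded on `uploaded` stops being current.

    Returns None for an indefinite period. An unknown period name raises
    KeyError rather than silently defaulting to 'never expires'."""
    spec = VALIDITY[period]
    if spec is None:
        return None
    unit, n = spec
    if unit == "days":
        return uploaded + timedelta(days=n)
    return add_months(uploaded, n)


def evidence_status(uploads, period, today, warn_days=14):
    """Classify evidence as 'current', 'expiring_soon' or 'expired'.

    `uploads` is every upload date for the evidence item; only the latest one
    drives the clock. Evidence is current through the day before expiry."""
    if not uploads:
        return "expired"          # nothing ever uploaded: treat as missing
    exp = expiry_date(max(uploads), period)
    if exp is None:
        return "current"
    if today >= exp:
        return "expired"
    if (exp - today).days <= warn_days:
        return "expiring_soon"
    return "current"


if __name__ == "__main__":
    print(expiry_date(date(2024, 1, 31), "6m"))
    print(evidence_status([date(2024, 1, 1), date(2024, 6, 1)], "90d", date(2024, 7, 1)))
```

Failing closed on an unknown period name matters more than it looks: a typo in a period identifier that quietly mapped to "indefinite" would suppress every expiration alert for that evidence item.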

Vulnerability

A weakness in a system, application, or process that could be exploited. ConcertoGRC tracks vulnerabilities from manual entry, Nuclei/ZAP scans, and AWS GuardDuty/IAM integrations.