Compliance & Security Glossary
A
Action Plan
A structured strategy for addressing security issues including vulnerabilities, findings, and compliance gaps. Action plans group related remediation items, define priorities and timelines, and assign ownership. In Openlane, action plans track remediation progress with priority levels (Critical, High, Medium, Low), due dates, and approval requirements.
Access to personal information
The ability to view personal information held by an organization. This ability may be complemented by an ability to update or correct the information. Access defines the intersection of identity and data, that is, who can do what to which data. Access is one of the fair information practice principles. Individuals need to be able to find out what personal information an entity has on file about them and how the information is being used. Individuals need to be able to correct erroneous information in such records.
American Institute of Certified Public Accountants (AICPA)
The American Institute of Certified Public Accountants (AICPA) is the professional body that establishes the standards, criteria, and guidance for all SOC 2 audits. All official SOC 2 reports must be issued by a licensed CPA firm performing the examination under the AICPA's attestation standards (SSAE 18).
Architecture
The design of the structure of a system, including logical components, and the logical interrelationships of computers, operating systems, networks, or other elements, whether internally or externally hosted.
Audit Scoping
Audit scoping refers to determining the bounds of the audit, including the time frame and activities that will be covered by the audit. Determining the scope of an audit is critical to developing an effective plan and ensuring that the audit meets its objectives.
Automated Evidence
Automated Evidence refers to data that has been collected from systems through an automated technical solution, rather than manually pulled. When conducting an audit, automated evidence programs rapidly obtain relevant data for the compliance manager, providing them with quick access to nonconformities and anomalies. Automated evidence collection is significantly faster than manual collection and can be used by Compliance teams to make real-time decisions.
Authentication
The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device) or to verify the source and integrity of data.
Authorization
The process of granting access privileges to a user, program, or process by a person who has the authority to grant such access. Authorization is decided after authentication has established who the requester is.
Asset
A resource that an organization owns, operates, or relies upon that requires protection and management. In Openlane, assets are classified by type (Technology, Domain, Device, Telephone) and track properties including data classification, criticality, ownership, and relationships to vendors and controls. Assets are foundational to vulnerability management and compliance tracking.
Assessment
A structured questionnaire or evaluation used to collect information about security practices, compliance status, or risk factors. In Openlane, assessments support vendor due diligence, periodic reviews, internal compliance checks, and risk assessments. See also Security Questionnaires.
Availability
One of the Trust Services Criteria established by the AICPA, Availability means that the system is accessible and usable for agreed-upon use. ⚠ Risk example: A denial of service attack brings your service unexpectedly offline.
B
Board of Directors
Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.
Business Partner
An individual or business (and its employees), other than a vendor, that has some degree of involvement with the entity's business dealings or agrees to cooperate, to any degree, with the entity (for example, a computer manufacturer who works with another company that supplies it with parts).
B2B
Business to business. These businesses sell goods or services to other businesses, rather than to individual users. Openlane's platform is optimized for B2B SaaS business models.
B2C
Business to consumer. These businesses sell goods or services to individual customers, rather than to other businesses.
C
CCPA
The California Consumer Privacy Act is a state statute passed in 2018. It gives California residents new data privacy rights and imposes compliance obligations on any for-profit entity that does business with California residents and meets the statute's thresholds. The CCPA took effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.
New privacy rights for California residents include:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them (with some exceptions)
- The right to opt out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
Non-profit organizations and government entities are exempt from the CCPA. Any contractual provision that would otherwise waive a California resident's CCPA rights is unenforceable.
The CCPA protects personal information (PI) that identifies, relates to, or could reasonably be linked with a California resident or their household. Examples of CCPA-protected data include Social Security numbers, credit card numbers, and internet search history. Publicly available information (for example, data lawfully made available from government records) is not protected under the CCPA.
Cloud Security Compliance
Cloud security compliance draws on a number of frameworks that typically fall into two categories: compliance-centric frameworks such as CSA STAR, FedRAMP, and SOX, and security-centric frameworks such as ISO 27001, NIST, and the CIS Controls. Most cloud security frameworks assess factors such as governance and change control, and the tooling that supports them typically includes continuous automated monitoring and reporting along with vulnerability management.
Collection
The process of obtaining personal information from the individual directly (for example, through the individual’s submission of an internet form or a registration form) or from another party, such as a business partner.
Commitments
Declarations made by management to customers regarding the performance of one or more systems that provide services or products. Commitments can be communicated in written individualized agreements, standardized contracts, service-level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more trust services categories. Commitments may be made on many different aspects of the service being provided or the product, production, manufacturing, or distribution specifications.
Compliance Framework
Part of a Compliance program, a Compliance framework lays out the strategies an organization uses to ensure that it remains in Compliance with both internal and external regulations. The Compliance framework should provide a set of tools and a common language for stakeholders to conduct and maintain their Compliance processes across departments.
Compliance Program
A Compliance Program outlines a company’s ongoing and future processes and activities to address Compliance requirements in order to support growth. Having a program enables companies to take a mature approach to Compliance, and provides an underlying fabric through which Compliance activities can be monitored and leveraged. Establishing a Compliance Program is an important step in a company's maturity and stands in stark contrast to the one-time-project Compliance mindset adopted by many small companies.
Compliance
The act of implementing, monitoring, and providing evidence for controls that meet established requirements such as SOC 2, GDPR, or ISO 27001.
Compromise
Refers to a loss of confidentiality, integrity, or availability of information, including any resultant impairment of (1) processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs.
Confidentiality
One of the Trust Services Criteria established by the AICPA, Confidentiality means that only the right people can access the information held by the organization. ⚠ Risk example: Criminals get hold of your clients’ login details and sell them.
Contacts
Contacts are those people or entities you intend to target with marketing campaigns such as emails or other notifications. Contacts may be a simple email address or may include more information, such as name or phone number. Contacts may be organized into Private or Public lists for managing anything from marketing emails to system messages.
Controls
Policies and procedures that are part of the entity’s system of internal control. The objective of an entity’s system of internal control is to provide reasonable assurance that principal system objectives are achieved.
Control Activity
An action established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
Controls Convergence
As organizations adopt more frameworks, most of them focused in some way on security, many controls in one framework overlap with controls in another. There are two ways to address this: work in silos, closing out frameworks one by one, or consolidate overlapping controls by similarity so that one implementation and one body of evidence satisfies several frameworks at once.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. (See www.coso.org.)
CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known cybersecurity vulnerabilities. CVE IDs follow the format CVE-YEAR-SEQUENCE (e.g., CVE-2024-12345), where the sequence number has at least four digits and the year is the year the ID was reserved, not necessarily the year the vulnerability was discovered. The CVE Program is operated by the MITRE Corporation, and IDs are assigned by CVE Numbering Authorities (CNAs). CVE identifiers enable consistent tracking and communication about specific vulnerabilities across organizations and tools.
CVSS (Common Vulnerability Scoring System)
An open standard, maintained by FIRST, for assessing the severity of security vulnerabilities. CVSS produces a numerical score from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities; CVSS v3.x maps scores to qualitative ratings (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). The base score considers attack vector, attack complexity, required privileges, user interaction, scope, and the impact on confidentiality, integrity, and availability. A base score describes the vulnerability in isolation; temporal and environmental metrics adjust it for exploit maturity and for the assets and mitigations in a particular environment, so a scanner's base score alone is a weak basis for prioritization.
D
Design
As used in the COSO definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of an entity’s objectives.
Disclosure
The provision of access to or the release, transfer, or divulging in any other manner of information outside the entity holding the information. Disclosure is often used interchangeably with the terms sharing and onward transfer.
Document Watermarking
A security feature that adds identifying information to downloaded documents, typically including the downloader's name or email and a timestamp. Watermarking creates an audit trail for sensitive documents and discourages unauthorized sharing. In Openlane, watermarking can be enabled for Trust Center documents to track who downloads sensitive materials like SOC 2 reports.
Disposal
A phase of the data life cycle that pertains to how an entity removes or destroys data or information.
E
Endpoint Devices
Connected hardware or virtual devices that communicate across a network, such as mobile devices, laptops, desktops, and sensors.
Entity
A legal entity or management operating model of any size established for a particular purpose. A legal entity may, for example, be a business enterprise, a not-for-profit organization, a government body, or an academic institution. The management operating model may follow product or service lines, divisions, or operating units, with geographic markets providing for further subdivisions or aggregations of performance.
Environmental
Of or having to do with the matters that can damage the physical elements of information systems (for example, fire, flood, wind, earthquake, power surges, or power outages). An entity implements controls and other activities to detect, prevent, and manage the risk of casualty damage to the physical elements of the information system from environmental elements.
External Users
Users, other than entity personnel, who are authorized by entity management, customers, or other authorized persons to interact with the entity’s information system.
F
Finding
A specific security observation, issue, or instance discovered during scans, assessments, or reviews. Findings may represent vulnerability instances on particular assets, misconfigurations in cloud resources, policy violations, or security gaps. In Openlane, findings track source, severity, status, and relationships to vulnerabilities, controls, and remediation efforts.
Feature
A feature performs a specific function or capability and provides value to users. They can be basic or complex, and are designed to meet specific requirements and objectives. Features can be made available through the use of Entitlements or Feature Flags.
Functional Requirements
Requirements that must be met for the system to correctly fulfill its designed purpose.
G
GDPR
The acronym GDPR refers to the General Data Protection Regulation. GDPR was established by the European Union to ensure protections for the privacy and security of personal data about individuals in the European Union.
Group
A group is a collection of users, which may be aggregated by company, plan, or pricing tier.
GRC
The acronym GRC refers to an organization’s approach towards Governance, Risk Management, and Compliance. A company’s GRC team or responsible employees make sure that the business is on track in terms of meeting goals, operating smoothly, predicting and mitigating risks, and adhering to both internal and external restrictions and boundaries. Generally speaking, a company’s GRC strategy includes input from departments such as IT, Finance, Legal, Risk, and more.
H
HIPAA
Short for the Health Insurance Portability and Accountability Act, HIPAA is the baseline regulation for protecting health information in the United States. Its Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI), alongside the Privacy Rule and the Breach Notification Rule, and compliance is viewed as a prerequisite for doing business across the healthcare industry. Civil penalties are tiered by culpability and can reach $50,000 per violation, subject to inflation-adjusted annual caps; knowing misuse of PHI can bring criminal fines of up to $250,000 and imprisonment. HIPAA has no private right of action, but patients may sue under state law. Third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity (business associates, including service providers and technology suppliers) are directly regulated and must sign a business associate agreement (BAA).
HITRUST
Many companies subject to HIPAA also adopt the HITRUST CSF, an optional framework that incorporates and harmonizes requirements from HIPAA, NIST, ISO, and other standards into a more prescriptive and comprehensive set of controls. Organizations undergo a formal assessment by a HITRUST-authorized external assessor to earn certification, which is then valid for a set period (one or two years, depending on the assessment type).
I
Identity Holder
A record representing an individual affiliated with an organization, including employees and contractors. Unlike user accounts (which represent platform login credentials), Identity Holders track personnel for compliance and security management purposes such as assessment completion, access management, and security training. In Openlane, Identity Holders can be linked to user accounts.
Information Assets
Data and the associated software and infrastructure used to process, transmit, and store information or to produce, manufacture, or distribute products.
Integrity
In the classic confidentiality, integrity, and availability (CIA) triad, Integrity means that the data an organization uses to run its business, or keeps safe for others, is stored reliably and is not erased, damaged, or altered without authorization. The AICPA Trust Services Criteria have no category named Integrity; the related category is Processing Integrity, which requires that system processing be complete, valid, accurate, timely, and authorized (see SOC 2 Compliance).
Integration
A configured connection between Openlane and an external system that enables automated data synchronization and evidence collection. Integrations connect to cloud providers, security tools, identity providers, collaboration platforms, and storage services. Examples include GitHub, AWS Security Hub, Slack, and Okta.
Infrastructure
The collection of physical or virtual resources that supports an overall IT environment, including the server, storage, network elements, and endpoint devices.
Internal Control
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
InfoSec
InfoSec is short for Information Security, meaning a set of policies or regulations put in place to safeguard a company’s data or other assets from unauthorized access or use. InfoSec regulations ensure that an organization’s sensitive information is secure.
Information Security Compliance
InfoSec Compliance refers to ensuring that regulations and policies around information security are followed within an organization. Information Security includes restrictions that protect a company’s sensitive information, like data and other Information Technology (IT) assets.
ISMS
An Information Security Management System (ISMS) establishes a systematic approach to managing an organization’s information security. As a documented management system, ISMS provides a set of security controls a company can record in policies, procedures, and other kinds of documents; it may also consist of established processes and technologies that are not documented. The ISO 27001 standard defines which documents must exist at a minimum.
Implementing an ISMS provides a structured approach to integrating information security into an organization’s business processes. Helping to manage and minimize risks to acceptable levels increases the organization’s resiliency against evolving security threats and ensures the confidentiality, integrity, and availability of organizational and customer information.
In any implementation, companies need to define and document a risk assessment method and state the protection of specific business assets. The scope of an organization’s ISMS can be as small or as large as is necessary; the ISMS can cover part of an organization, such as a specific function or service or the entire organization.
ISO 27001 Compliance
One of the most widely adopted information security standards, ISO 27001 is often the Compliance framework of choice in the financial industry, from banks to insurance companies and other financial institutions. Unlike SOC 2, which is an attestation report on controls, ISO 27001 is a certifiable standard: an accredited certification body audits that the organization has an operational Information Security Management System (ISMS) in place, not just a set of data security controls.
There are other important entries in the ISO 27000 family including:
- ISO 27002 - Code of practice for ISO 27001
- ISO 27005 - Techniques for security risk management
- ISO 27017 - Code of practice for cloud services (both customers-of and providers)
- ISO 27018 - Code of practice for protecting PII, when using public cloud services
- ISO 27032 - Techniques for cybersecurity
- ISO 27701 - Extension of ISO 27001 and its code of practice (ISO 27002) for privacy information management (in a way, ISO27k flavored for GDPR or something similar)
Issue
A risk that has been realized, or a problem that has already occurred and requires immediate attention and action.
J
K
L
M
Member
Members are people you have invited to manage your workspace at Openlane.
N
Non-Disclosure Agreement (NDA)
A legal agreement that protects confidential information shared between parties. NDAs are commonly used between organizations and their vendors, customers, or prospects. In Openlane, NDAs can be configured in the Trust Center to gate access to private documents. Visitors must sign the NDA electronically before downloading sensitive materials like SOC 2 reports or penetration test summaries.
NIST CSF
NIST, the National Institute of Standards and Technology, is a federal agency within the US Department of Commerce that creates guidelines, frameworks, and policies that support innovation in science and technology. In response to Presidential Executive Order 13636, NIST published the Cybersecurity Framework (CSF) in 2014.
The NIST Cybersecurity Framework provides guidance to organizations on how to identify, mitigate, handle, and monitor security threats. Federal agencies are required to use it (under Executive Order 13800); for other organizations, including federal contractors, it is voluntary unless a contract or regulator requires it.
Many private organizations voluntarily implement NIST CSF principles into their compliance and security programs. Self-attestation does not require an audit, and there is no accrediting body that awards certificates for compliance.
NIST CSF 1.1 is based on five core functions intended to holistically safeguard organizations from security risks; CSF 2.0, released in February 2024, adds a sixth, Govern, covering strategy, roles, and risk management policy.
- Identify: Develop an understanding of possible security risks as they relate to a company’s people, processes, and technology.
- Protect: Establish cybersecurity protocols and principles that actively and passively defend a company’s infrastructure from security breaches.
- Detect: Continuously monitor a company’s infrastructure for anomalous events, malicious activity, and system weaknesses.
- Respond: Ensure a proper response strategy that effectively contains and eliminates a security threat while also keeping company production on track.
- Recover: Maintain the integrity of all systems so that a company’s people, processes, and technologies can return to a stronger, more efficient state of operations.
O
Open Source
Open source software is software with source code that anyone can inspect, modify, and enhance. Openlane is an example of an [open-source company](https://github.com/theopenlane).
Organization
Organizations are the highest level grouping within Openlane. Organizations are made up of users and represent a billable unit.
P
Personal Information
Information that is about, or can be related to, an identifiable individual.
Policies
Management or board member statements of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. Policies serve as the basis for procedures.
Practitioner
Used when referencing AICPA procedures, a CPA who performs an examination of controls within an entity’s system relevant to security, availability, processing integrity, confidentiality, or privacy.
Privacy Commitments
Declarations made by management regarding the performance of a system processing personal information. Such commitments can be communicated in written agreements, standardized contracts, service-level agreements, or published statements (for example, a privacy practices statement). In addition, privacy commitments may be made on many different aspects of the service being provided.
Privacy Notice
A written communication by entities that collect personal information, to the individuals about whom personal information is collected, about the entity’s (a) policies regarding the nature of the information that they will collect and how that information will be used, retained, disclosed, and disposed of or anonymized and (b) commitment to adhere to those policies. A privacy notice also includes information about such matters as the purpose of collecting the information, the choices that individuals have related to their personal information, the security of such information, and how individuals can contact the entity with inquiries, complaints, and disputes related to their personal information. When a user entity collects personal information from individuals, it typically provides a privacy notice to those individuals.
Project
A Project is a grouping inside an account. Typically, users leverage projects to separate development and production environments or otherwise group assets for shared identification and management.
Process or Control Framework
A framework that contains a set of processes or controls, established by another party, that organizations are expected to implement in support of establishing an effective system of internal control. These frameworks are usually developed by an industry group, regulator, governmental entity, standard-setting body, or other organization (collectively referred to as sponsoring organizations) to obtain information from organizations with which they do business about their processes and controls. The most common types of process or control frameworks relate to security and privacy.
Products
Tangible or intangible goods manufactured or produced by an entity. Throughout this document, the term is used interchangeably with goods.
Q
R
Remediation
A documented action that addresses a security vulnerability or finding. Remediations include patches, configuration changes, code fixes, architecture changes, or compensating controls. In Openlane, remediations track implementation details including repository and pull request links, ticket references, instructions, and verification status.
Residual Risk
The risk to the achievement of objectives that remains after management’s response has been designed and implemented.
Retention
A phase of the data life cycle that pertains to how long an entity stores information for future use or reference.
Risk
A potential future event with possible negative impacts on the company's objectives. Risks may be quantified using metrics including likelihood and impact, and should be managed and treated within organizations.
Risk Response
The decision to accept, avoid, reduce, or share a risk.
S
Scan
A systematic security assessment that examines a target for vulnerabilities, misconfigurations, or compliance gaps. Scans may be automated (scheduled vulnerability scans), on-demand (triggered by events), or manual (penetration tests). In Openlane, scans track target, type (Domain, Vulnerability, Vendor, Provider), status, and discovered vulnerabilities.
Security Event
An occurrence, arising from actual or attempted unauthorized access or use by internal or external parties, that (a) impairs or could impair the availability, integrity, or confidentiality of information or systems; (b) results in unauthorized disclosure or theft of information or other assets; or (c) causes damage to systems.
Security Incident
A security event that requires action on the part of an entity to protect information assets and resources.
Senior Management
The CEO or equivalent organizational leader and senior management team.
Service Provider
A supplier (such as a service organization) engaged to provide services to the entity. Service providers include outsourced service providers as well as suppliers that provide services not associated with business functions, such as janitorial, legal, and audit services.
Security Questionnaires
Typically encountered in two forms: 1. Vendor Security Questionnaire, 2. Risk Assessment Questionnaire. A Risk Assessment Questionnaire is a method for identifying potential threats by asking key personnel about both the risks the organization faces and the risk management techniques it currently deploys. A Vendor Security Questionnaire applies the same approach to a third party, asking a supplier about its own security controls; because it is answered by an outside party, attention should be paid to its length and the effort it demands, as companies shouldn’t place an unreasonable burden on vendors.
SOC 2 Compliance
Applicable to SaaS and technology companies that handle customer data, a SOC 2 report is an independent attestation that customer data is stored and managed in a secure manner. SOC 2 is one of the most common Compliance frameworks and is usually considered a “must have” to bid on RFPs, or partner with enterprises big and small. Reports come as Type I (the design of controls at a point in time) or Type II (the operating effectiveness of controls over a review period, typically 3 to 12 months). Security is the only mandatory category; the others are included based on the commitments the organization makes to its customers. SOC 2 categories assessed include:
- Availability - How the business ensures the uptime of systems.
- Security (also referred to as Common Criteria) - How the business protects their information.
- Confidentiality - How the business ensures that data they hold remains confidential.
- Processing Integrity - How the business ensures that processing is, in the words of the AICPA, complete, valid, accurate, timely, and authorized.
- Privacy - How the business collects, uses, shares, stores, and deletes personally identifiable information (PII).
Software
A collection of instructions that tell a computer how to operate. Software may be both internally developed and purchased from vendors and can include both application software (for example, user applications and database management systems) and system software (for example, operating systems, drivers, utilities, programming software, and interfaces).
Stakeholders
Parties that are affected by the entity, such as shareholders, the communities in which an entity operates, employees, customers, and suppliers.
Subprocessor
A third-party vendor or service that processes personal data on behalf of an organization. Common examples include cloud infrastructure providers, payment processors, email services, and customer support platforms. Regulatory frameworks like GDPR require organizations to disclose their subprocessors. In Openlane, subprocessors are listed on the Trust Center to provide transparency about data processing relationships.
System
Refers to the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the entity’s specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements.
System Boundaries
The specific aspects of an entity’s infrastructure, software, people, procedures, and data necessary to perform a function (such as producing, manufacturing, or distributing a product) or provide a service. When systems for multiple functions or services share aspects, infrastructure, software, people, procedures, and data, the systems will overlap, but the boundaries of each system will differ.
System Components
Refers to the individual elements of a system, which may be classified into the following five categories: infrastructure, software, people, processes, and data.
System Event
An occurrence that could lead to the loss of, or disruption to, operations, services, or functions and could result in an entity’s failure to achieve its system objectives. Such an occurrence may arise from actual or attempted unauthorized access or use by internal or external parties and (a) impair (or potentially impair) the availability, integrity, or confidentiality of information or systems; (b) result in unauthorized disclosure or theft of information or other assets or the destruction or corruption of data; or (c) cause damage to systems. Such occurrences also may arise from the failure of the system to process data as designed or from the loss, corruption, or destruction of data used by the system.
System Incident
A system event that requires action on the part of entity management to prevent or reduce the impact of the event on the entity’s achievement of its system objectives.
System Objectives
The entity’s objectives, established by entity management, that are embodied in the product commitments it makes to customers, including producing or manufacturing a product that meets product performance specifications and other production, manufacturing, or distribution specifications. The system objectives also include the requirements established for the functioning of the system to meet production, manufacturing, or distribution commitments.
System Requirements
Specifications regarding how the system should function to (a) meet the entity’s commitments to customers and others (such as customers’ customers); (b) meet the entity’s commitments to suppliers and business partners; (c) comply with relevant laws and regulations and guidelines of industry groups, such as business or trade associations; and (d) achieve other entity objectives that are relevant to the trust services category or categories addressed by the description. Requirements are often specified in the entity’s system policies and procedures, system design documentation, contracts with customers, and government regulations. System requirements may result from the entity’s commitments relating to security, availability, processing integrity, confidentiality, or privacy. For example, a commitment to programmatically enforce segregation of duties between data entry and data approval creates system requirements regarding user access administration.
T
Third Party
An individual or organization other than the entity and its employees. Third parties may be customers, suppliers, business partners, or others.
Threat
Any circumstance or event, arising from human actions or natural events, that could potentially impair (a) the achievement of an entity’s objectives, its assets, or activities of its personnel, or (b) other entities through unauthorized access, destruction, disclosure, modification of data, or denial of service.
TPRM
Third-Party Risk Management refers to the methodologies organizations use to understand and mitigate risks introduced by suppliers, partners, or other entities outside the organization.
Trust Center
A customer-facing portal where organizations share their security posture, compliance certifications, and data protection practices with customers, prospects, and auditors. Trust Centers provide a centralized location for security documentation, compliance frameworks, subprocessor disclosures, and security updates. In Openlane, Trust Centers support custom branding, vanity domains, document management with NDA-gated access, and watermarking for sensitive documents.
Trust Services Criteria (TSC)
A set of professional attestation and advisory services based on a core set of criteria related to security, availability, processing integrity, confidentiality, or privacy.
U
Unauthorized Access
Access to information or system components that (a) has not been approved by a person designated to do so by management and (b) compromises segregation of duties, confidentiality commitments, or otherwise increases risks to the information or system components beyond the levels approved by management (that is, access is inappropriate).
V
Vendor (or supplier)
An individual or business (and its employees) that is engaged to provide goods or services to the entity. Depending on the services provided (for example, if the vendor operates certain controls on behalf of the entity that are necessary to achieve the entity’s objectives), it also might be a service provider.
Vanity Domain
A custom domain that an organization configures to host its Trust Center on its own branded URL (e.g., trust.yourcompany.com) instead of the default platform URL. Vanity domains require DNS configuration, including CNAME and TXT records for verification.
Vulnerability
Weakness in a component of a system, particularly information assets, system security procedures, internal controls, or implementation, that could be exploited or triggered by human action or natural events. In Openlane, vulnerabilities are tracked with CVE identifiers, CVSS scores, severity ratings, remediation SLAs, and relationships to findings, assets, and controls.
Vulnerability Management
A continuous process of identifying, classifying, prioritizing, and addressing security weaknesses in systems and software. Vulnerability management includes identification (discovery through scanning), assessment (evaluating severity and impact), prioritization (ranking by risk and business context), remediation (implementing fixes), verification (confirming fix effectiveness), and reporting (documenting for compliance). ISO 27001 Annex A 8.8 and SOC 2 CC7.1 require vulnerability management controls.