Neosofia Glossary

General Terms

To Be Determined (TBD)

TBD is used to introduce an idea that is intended to be proven or confirmed as true, indicating that further evidence or proof is needed. For Neosofia it is a placeholder to indicate that upon request, evidence for the supported policy or procedure can be demonstrated. Also, an alias for to be demonstrated or to be done.

Keep it Simple Stupid (KISS)

A design principle that emphasizes simplicity and clarity in design and systems.

Do Not Repeat Yourself (DRY)

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system. ¹

Work in Progress (WIP)

A task, project, or deliverable that is currently being worked on but has not yet been completed. WIP is often used to track ongoing efforts and ensure visibility into the status of work within a team or organization.

Enterprise Application Software (EAS)

Computer software used to satisfy the needs of an organization rather than its individual users. ²

EAS Examples

Business intelligence (BI)
Content Management System (CMS)
Customer Relationship Management (CRM)
Database Management System (DBMS)
Enterprise Resource Planning (ERP)
Enterprise Asset Management (EAM)
Human Resource Management (HRM)
Knowledge Management (KM)
Product Lifecycle Management (PLM)
Supply Chain Management (SCM)
Software Configuration Management (SCM) - such as Version Control System (VCS)
Intrusion Detection Prevention (IDS) - and by extension Intrusion Prevention System (IPS)
Security Information Event Management (SIEM)

Compliance Terms

Minimal Viable Compliance (MVC)

The smallest set of policies any organization of any size in any industry should consider implementing for their organization. This is also known as level 1 compliance.

Compliance Levels

The classification of policies and procedures into three compliance levels to simplify the policy/regulation/industry matrix. The levels are

Level 1: The policies and procedures any organization should adopt if they're collecting non-public data of any kind.
Level 2: The policies and procedures any organization that deals with PII should adopt. For example, collecting data for the purpose of marketing on your website (PII), technology (SaaS) providers operating in lightly regulated industries, or any small business with employees beyond the owners.
Level 3: Specialized organizations operating in heavily regulated industries. Healthcare, banking, transportation, and power are some sectors that typically fall into level 3 compliance as they often have the most number of regulations governing them. ³

Quality Management System (QMS)

A formalized system that documents processes, procedures, and responsibilities for achieving quality policies and objectives. It helps coordinate and direct an organization’s activities to meet customer and regulatory requirements and improve its effectiveness and efficiency on a continuous basis.

Plan Do Check Act (PDCA)

An iterative four-step management method used in business for the control and continuous improvement of processes and products. It is also known as the Deming Cycle or Shewhart Cycle.

Plan: Identify an opportunity and plan for change.
Do: Implement the change on a small scale.
Check: Use data to analyze the results of the change and determine whether it made a difference.
Act: If the change was successful, implement it on a wider scale and continuously assess your results. If the change did not work, begin the cycle again.

PDCA is a simple yet powerful tool for driving continuous improvement in organizations.

Neosofia may also use the acronym PIE-ME (Plan, rapid Implementation, Experiment, Measure, Evaluate) to separate the rapid and highly iterative nature of the PIE phase from the longer term ME phase of measurement and evaluation. This fail-fast approach for the PIE phase may lead to several failed experiments, but those that do pass also benefit from the rigor of the more traditional PDCA cycle. Also, it's :pie:

Elements of a QMS

Quality policies
Quality objectives
Organizational structure and responsibilities
Data management
Processes and procedures
Continuous improvement
Document control
Internal audits
Corrective and preventive actions

Quality Assurance (QA)

A systematic process designed to determine if a product or service meets specified requirements and standards. Quality assurance focuses on improving and stabilizing production and associated processes to avoid or minimize issues that lead to defects. It encompasses the entire development process, including planning, design, development, and testing, ensuring that quality is built into the product from the beginning.

Quality Control (QC)

A systematic process through which an organization ensures that its products and services meet specified quality standards and requirements as defined by a QA group. It involves operational techniques and activities aimed at fulfilling these quality requirements. QC typically includes the inspection and testing of products, processes, and services to identify defects and ensure conformity to established specifications and standards.

Quality Control (QC) complements Quality Assurance (QA) by concentrating on the implementation of the processes established by QA to guarantee high-quality outcomes. While QA focuses on the overarching procedures that ensure product and service quality, QC carries out those procedures and provides feedback to the QA team to refine and enhance quality processes.

Subject Matter Expert (SME)

An individual with deep knowledge and expertise in a specific area or subject. SMEs are often consulted for their insights and guidance in the development and implementation of policies, procedures, and processes. They play a crucial role in ensuring that the information and practices within their domain are accurate, relevant, and compliant with industry standards and regulations.

Separation of Concerns

Separation of concerns is a design principle that entails breaking down a system, process, or set of responsibilities into an assigned role that is focused on a specific aspect or concern. Within a Quality Management System (QMS), this principle ensures that various processes, roles, and responsibilities are clearly defined and managed independently, thereby enhancing the overall quality of the system. Or to quote Sidney Sheldon:

Never let a friendly fox into your hen-house. One day he's going to get hungry.

Policy (POL)

A deliberate system of guidelines to guide decisions and achieve rational outcomes. A policy is a statement of intent and is implemented as a procedure or protocol. A rule created by an organization to achieve their goals. ⁴

Regulation (REG)

A policy, typically authored by a government body, that must be complied with in order to do business in the market/region to which the policy applies. Some regulations act as a gate to do business while others can be ignored with the risk of fines and sanctions.

Examples

HIPAA
GDPR
COPPA
SOC
OSHA
HITECH (Act)

Procedure (PROC)

A set of steps taken to achieve a desired outcome

Standard Operating Procedure (SOP)

An approved procedures employees must be trained on and follow. In addition to procedures, SOPs will typically include entry/exit criteria, assigned roles, responsibilities, purpose, scope/limitations and SLOs for determining How Who does What and When.

Formal vs Informal Procedures

SOPs are typically considered a formal procedure as they are a standardized set of steps that must be followed to complete a specific task or process. They're also approved by SMEs and require documented training by each employee before executing the procedure.

Informal procedures on the other hand, are typically a documented set of steps that do not require SME authoring/approval or documented employee training. These are sometimes referred to as work guides (WG) or work instructions (WI).

Evidence

Proof that a policy or procedure is being followed

Validation (VAL)

Evaluation of evidence to determine if it is accurate and reliable to prove compliance.

NOTE: Validation != Testing.

Audit

Validation of a system or multiple systems (set of evidence). Audits can be internal or external from the organizations point of view.

Good Documentation Practices (GDP)

A set of standards and guidelines for creating and maintaining documentation to ensure accuracy, consistency, and reliability. GDP is essential in regulated industries to ensure compliance and to provide clear, concise, and traceable documentation.

Key Principles of GDP

Accuracy: Documentation must be precise and free from errors.
Clarity: Information should be clear and easily understood.
Consistency: Documentation should be consistent in format and content.
Traceability: Changes and updates to documentation should be traceable.
Completeness: All necessary information should be included.
Legibility: Documentation should be readable and accessible.

Nonconformities

Instances where a process, product, or service does not meet specified requirements or standards. Nonconformities can be identified through audits, inspections, or customer feedback and require corrective actions to address the root cause and prevent recurrence.

Corrective Action and Preventative Action (CAPA)

Actions taken to eliminate the causes of existing nonconformities (corrective) and to prevent the occurrence of potential nonconformities (preventative). CAPAs are essential for continuous improvement and compliance in quality management systems.

Customer Service Terms

This section of the glossary is for terms used in the context of providing clients with a measurable level of quality.

Service Level Indicator (SLI)

A measure of the service level provided by a service provider to a customer. ⁵

SLI Examples

Web page response time
Customer support ticket response time

Service Level Objective (SLO)

Target value or range of values for a service level that is measured by an SLI. ⁶

SLO Examples

99% of web page response times are less than 500ms
99% of customer support tickets are handled in less than 24hrs

Service Level Agreement (SLA)

An agreement between a service provider and a customer. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user. ⁷

SLA Examples

If the service provider does not meet their web page response time for one calendar month, the client will be refunded 5% of their monthly application support fee.
If the service provider does not meet their customer support ticket handling time for one calendar month, the client will be refunded 5% of their monthly professional service support fee.

Information Technology Terms

Software as a Service (SaaS)

A software distribution model in which applications are hosted by a service provider or vendor and made available to users over the internet. SaaS eliminates the need for organizations to install and run applications on their own computers or in their own data centers, reducing the cost of hardware, maintenance, and support.

User Experience (UX)

The overall experience a user has when interacting with a product or service, encompassing all aspects of the user's interaction, including usability, accessibility, and satisfaction. UX focuses on the user's journey and how they feel while using the product.

User Interface (UI)

The means by which a user interacts with a computer system, software application, or website. UI includes the design of buttons, icons, spacing, and layout, and is concerned with the look and feel of the product.

UX vs. UI

While UX and UI are often used interchangeably, they are distinct concepts. UX refers to the overall experience and satisfaction a user derives from using a product, while UI focuses specifically on the visual and interactive elements that facilitate that experience. In essence, UI is a component of UX.

Terms Specific to Neosofia Services

Industry

The sector of an economy made up of manufacturing enterprises. Examples include:

finance
healthcare
textile

Sub-sector

An area of economic activity that forms part of one of the larger areas into which the economic activity is divided. Examples include:

healthcare - pharma, medical devices, provider, payer, etc.
finance - retail banking, business banking, investment banking, etc.

Business Operations

Activities that businesses engage in on a daily basis to increase the value of the enterprise and earn a profit. Subcategories include regions where:

your employees work
you provide services
you provide goods
you manufacture goods
you source materials
you do R&D
you're publicly traded

Hard/Soft Validation

A hard validation is one that can be proven true based on the evidence. For example, if a policy implies TLS version 1.1 and the evidence service gathers the TLS version, the version that the given URL provides can be directly compared to the policy. Soft policies cannot be proven true and must be validated by a human. For example, policies requiring SOPs can be a soft validation with a link to the SOP.

Internal/External Validation

An external validation is one that can be performed from the public internet. For example, testing that the company's public-facing website conforms to a set of policies vs internal validations like testing disk encryption inside a company's cloud provider or data center.

Push/Pull Validation

A pull validation is one that is initiated by the validation service. For example, getting the TLS version from a company's public-facing website is a pull validation. An example of push validation would be a system backup and recovery execution log being pushed into the evidence service.

Role Based Access Control (RBAC)

A method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Users are assigned roles, and roles are assigned permissions to perform certain operations.

Software Development Lifecycle (SDLC)

A process used by the software industry to design, develop, and test high-quality software. The SDLC aims to produce high-quality software that meets or exceeds customer expectations, reaches completion within times and cost estimates.

Computer Systems Validation (CSV)

The process of ensuring (and documenting) that a computer-based system will produce information or data that meets a set of defined requirements. It is commonly used in regulated industries to ensure compliance with regulations.

Data Integrity

The accuracy and consistency of data stored in a database, data warehouse, or other construct. It is a critical aspect of the design, implementation, and usage of any system that stores, processes, or retrieves data.

Data Loss Prevention (DLP)

A strategy for ensuring that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. ⁸

Data Sensitivity Levels

Low: Public information, marketing materials, press releases
Medium: Internal communications, company intellectual property, project documentation
High: Personally identifiable information (PII), health records, financial data, trade secrets

Encryption at Rest (EAR)

The protection of data that is stored on a disk (including solid-state drives) or backup media. It ensures that data is unreadable to unauthorized users when it is not being accessed or used.

Encryption in Flight (EIF)

The protection of data that is being transmitted over a network. It ensures that data is unreadable to unauthorized users while it is being sent from one location to another.

End-to-End Encryption (EEE)

A method of data transmission where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.

Application Programming Interface (API)

A set of rules and definitions that allows software programs to communicate with each other. APIs are used to enable the integration of different systems and to allow third-party developers to create applications that can interact with other software.

Simple Messaging Service (SMS)

A text messaging service component of most telephone, Internet, and mobile device systems. It uses standardized communication protocols to enable mobile devices to exchange short text messages.

Source Code Control (SCC)

The practice of tracking and managing changes to software code. Source code control systems are used to keep track of modifications to code, allowing multiple developers to collaborate on a project without overwriting each other's work.

Continuous Integration and Continuous Delivery (CI/CD)

A method to frequently deliver apps to customers by introducing automation into the stages of app development. The main concepts attributed to CI/CD are continuous integration, continuous delivery, and continuous deployment.

Single Sign On (SSO)

An authentication process that allows a user to access multiple applications with one set of login credentials. SSO is a common feature in enterprise environments, where users may need to access a variety of different systems and applications.

Multi-Factor Authentication (MFA)

A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA combines two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).

System Backup and Recovery

The process of creating and storing copies of data that can be used to protect organizations against data loss. Recovery involves restoring the data from the backup to its original or a new location in the event of data loss.

Retention Period

The minimum amount of time backup data must be saved for.

Recovery Point Objective (RPO)

The point in time that the restarted infrastructure will reflect, expressed as "the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident". ⁹

Recovery Time Objective (RTO)

The amount of time elapsed between disaster and restoration of business functions. ⁹

Online Copy

A copy of live data that is available to the device that manages the data in question.

Offline Copy

An immutable copy of live data typically used for data restoration when the live and online copies of the data have become corrupted.

Full Copy

A complete snapshot of the data including metadata needed to restore it.

Incremental Copy

An incremental backup stores data changed since a reference point in time. The reference point is relative to the most recent full copy of the data

Live Copy

A real time copy of live data. This most common example is two hard drives in a mirrored RAID 1 array.

Continuous Data Protection (CDP)

A backup that instantly saves a copy of every change made to the data. This allows restoration of data to any point in time and is the most comprehensive and advanced data protection. Near-CDP backup applications—often marketed as "CDP"—automatically take incremental backups at a specific interval, for example every 15 minutes, one hour, or 24 hours. They can therefore only allow restores to an interval boundary. ⁹

https://en.wikipedia.org/wiki/Don't_repeat_yourself "DRY" ↩
https://en.wikipedia.org/wiki/Enterprise_software "EAS" ↩
https://www.lisam.com/news/10-most-regulated-industries-in-the-us/ "10 Most Regulated Industries in the U.S." ↩
https://en.wikipedia.org/wiki/Policy "POL" ↩
https://en.wikipedia.org/wiki/Service_level_indicator "SLI" ↩
https://en.wikipedia.org/wiki/Service-level_objective "SLO" ↩
https://en.wikipedia.org/wiki/Service-level_agreement "SLA" ↩
https://en.wikipedia.org/wiki/Data_loss_prevention_software "DLP" ↩
https://en.wikipedia.org/wiki/Backup "Backup" ↩ ↩² ↩³