TPRM Glossary

An Advanced Persistent Threat (APT) is a long-term, stealth cyberattack in which an attacker gains unauthorized access and remains hidden inside a network.

Adverse Media Monitoring is the continuous screening of public news sources to identify negative or high-risk information related to vendors, partners, or individuals.

AI-Powered Risk Management uses artificial intelligence to automate, optimize, and scale the identification, scoring, and mitigation of risks across third-party ecosystems.

APIs for Vendor Data Exchange are standardized digital interfaces that enable secure, real-time data sharing between organizations and third-party vendors.

Assessment Completion Metrics are performance indicators that measure the progress and completion rate of vendor risk assessments.

Attestation is the formal declaration by a vendor or stakeholder confirming the accuracy and completeness of submitted risk, security, or compliance information.

Audit findings are documented results from an internal or external audit that identify compliance gaps, control weaknesses, or areas of risk.

Audit readiness is the state of being fully prepared to undergo internal or external audits with all required evidence, documentation, and processes in place. 

Auto-tiering is the automated process of assigning vendors to risk tiers based on predefined criteria such as data sensitivity, access level, or service criticality.

Automated credentialing is the process of using technology to verify, validate, and track vendor or individual qualifications without manual intervention.

Automated questionnaire distribution is the use of digital workflows to send, track, and manage vendor assessments without manual coordination

Automated risk assessment is the use of technology to evaluate third-party risk factors without manual intervention.

Automated risk scoring is the process of assigning numerical or categorical risk levels to vendors using predefined algorithms and data inputs.

The Bank Secrecy Act (BSA) is a U.S. law requiring financial institutions to assist in detecting and preventing money laundering and financial crimes.

Behavioral risk insights analyze patterns in user or vendor behavior to identify emerging risks.

Bill C-11 is Canada’s Consumer Privacy Protection Act that updates national privacy rules for organizations handling personal data.

A Business Associate Agreement is a contract required under HIPAA that governs how a vendor handles protected health information.

A Business Continuity Plan outlines how an organization continues critical operations during disruptions

Business Email Compromise is a targeted fraud attack where attackers impersonate executives or vendors to steal money or data.

Compliance-as-a-Service delivers outsourced compliance functions through managed services and automation platforms.

CCPA is a California privacy law granting consumers rights over how their personal information is collected and shared.

A Cloud Access Security Broker is a security layer that enforces policies across cloud applications and services.

CCPA and CPRA are California privacy laws that define consumer rights and strengthen data protection obligations.

Compliance documentation includes all records, policies, assessments, and evidence that demonstrate adherence to regulations and controls.

Compliance management is the structured approach to meeting regulatory, contractual, and internal policy obligations.

A compliance monitoring tool tracks adherence to regulations, internal controls, and policy requirements across an organization.

Compliance rate measures how many required controls, tasks, or obligations are completed or functioning correctly.

Concentration risk occurs when too much dependency is placed on a single vendor, technology, region, or service.

Configurable dashboards allow users to customize views of risk, compliance, or operational data.

A context-aware assessment evaluates risk or compliance findings based on the specific environment, use case, and operational conditions.

Contract Lifecycle Management manages the creation, negotiation, execution, and renewal of vendor or customer contracts.

The Control Effectiveness Index measures how well security or compliance controls are performing in practice.

Control framework alignment ensures that organizational controls map to recognized standards such as NIST, ISO, or COBIT.

Control inheritance occurs when an organization or vendor relies on controls implemented by another service provider.

A control library is a centralized repository of security, compliance, and operational controls.
It standardizes expectations and supports assessments, testing, and audits.

Control mapping links controls to policies, regulations, or frameworks they support.

Critical vendors provide services that are essential to business operations or regulatory obligations.
They require enhanced oversight, ongoing monitoring, and stronger contractual controls.

A cyber attack is an intentional attempt to breach systems, steal data, or disrupt operations.

A cyber threat is any potential event or actor that could exploit vulnerabilities to harm systems or data.

Cybersecurity consists of technologies, processes, and controls that protect systems, networks, and data from cyber threats.

Cybersecurity ratings provide an external score of an organization’s security posture based on observable signals and risk indicators.

A data breach occurs when unauthorized parties access, disclose, or steal sensitive information.

A data collection portal is a centralized interface for gathering assessments, evidence, and documentation from stakeholders.

Data exfiltration is the unauthorized removal or transfer of data from a system.

Data integration consolidates information from multiple systems or sources into a unified view.

A data leak is the unintended exposure of sensitive information due to misconfiguration or oversight.a

Data privacy risk is the potential for harm arising from misuse or improper handling of personal information.

A DDoS attack overwhelms a system with excessive traffic to make it unavailable.

A deliver icon is a visual indicator marking completion or delivery of a task or requirement.

Digital risk refers to exposure created by digital technologies, cloud services, and interconnected ecosystems.

Digital risk management manages the identification and mitigation of risks arising from digital technologies.

The DPDP Act is India’s privacy law governing how digital personal data is collected and used.

A DDQ collects information about a vendor’s security, compliance, and operational controls.

Dynamic reporting produces real-time or interactive insights from continuously updated data.

Dynamic risk profiles update a vendor’s risk level based on new data, alerts, and events.

EDR monitors endpoints for malicious behavior and responds to threats in real time.

Engagement-level risk profiling evaluates risk based on the specific services, data types, and scope of a vendor engagement.

An enumeration attack gathers detailed system information to identify potential vulnerabilities.

ESG risk signals indicate environmental, social, or governance exposure associated with a vendor or third party.

Essential Eight is an Australian cybersecurity framework recommending baseline mitigation strategies.

Ethics and compliance risk is the potential for violations of laws, regulations, or ethical expectations.

Evidence collection gathers artifacts that demonstrate compliance with controls or regulatory obligations.

Exception management tracks, reviews, and resolves deviations from required controls or policies.

FCPA is a U.S. law that prohibits bribery of foreign officials and mandates accurate financial reporting.

FedRAMP is the U.S. government program for standardized cloud security assessment and authorization.

FFIEC Guidelines provide regulatory standards for financial institutions on risk, security, and oversight.

Financial risk is the potential for monetary loss due to market, credit, operational, or liquidity failures.

FINRA regulates broker-dealers and enforces rules protecting investors in U.S. financial markets.

A fourth-party is a vendor or subcontractor engaged by a third-party provider.

Fourth-party risk is exposure arising from a vendor’s subcontractors or downstream providers.

A gap analysis identifies differences between current performance and required standards.

GDPR is the EU’s comprehensive privacy law governing the processing of personal data.

Geopolitical risk is exposure arising from political instability, international conflict, or regulatory changes.

GLBA is a U.S. law requiring financial institutions to safeguard customer financial information.

GRC is an integrated framework for managing governance, risk management, and compliance processes.

A heat map visually represents risk severity using color-coded scoring.

HIPAA is a U.S. law governing the privacy and security of protected health information.

Human-in-the-Loop involves human oversight or intervention in automated or AI-driven processes.

Identity and Access Management controls how users authenticate and access systems and data.

An impact-likelihood matrix plots risks based on probability and potential impact.

Indicators of Attack signal malicious behavior patterns that suggest an active attack.

Inherent risk is the level of risk that exists before controls are applied.

Initial due diligence evaluates a vendor’s controls, financial stability, and compliance posture before onboarding.

Insider risk is exposure created by employees or authorized users who misuse access, intentionally or unintentionally.

Internal controls testing evaluates whether organizational controls operate effectively.

An IDS monitors systems and networks for suspicious or malicious activity.

ISO 27001 is an international standard for information security management systems.

Issue tracking manages, prioritizes, and resolves identified problems or risks.

IT resilience is the ability of systems to withstand disruptions and maintain operations.

Kerberos authentication uses tickets and symmetric keys to verify identity securely across networks.

A keylogger records keystrokes on a device, often for malicious purposes.

KYC verifies customer identity and assesses risk to prevent fraud and financial crime.

Legal risk arises from potential violations of laws, regulations, or contractual obligations.

License and certification monitoring tracks required vendor credentials and renewal timelines.

LDAP is a protocol used for accessing and managing directory information services.

Malware is malicious software designed to damage, disrupt, or compromise systems.

Metasploit is a penetration testing framework used to identify and exploit vulnerabilities.

A mitigation workflow is the structured process for resolving risks, issues, or control gaps.

NIST is the U.S. National Institute of Standards and Technology that publishes widely adopted security and risk management frameworks.

OSINT collects publicly available information for threat, compliance, or reputational analysis.

Operational risk is exposure from failed processes, systems, people, or external events.

OSFI self assessments evaluate compliance with Canada’s financial regulatory expectations for risk management.

Outdated vendor risk occurs when a vendor relies on obsolete technology, processes, or certifications.

Outsourcing risk is exposure that results from delegating business processes or services to third parties.

PSD2 is an EU regulation governing payment services, security, and open banking requirements.

PCI DSS is a global standard for protecting payment card data.

Performance monitoring tracks how well vendors meet service, operational, and contractual expectations.

Phishing is a social engineering attack that tricks users into revealing sensitive information or executing malicious actions.

Policy and procedure review evaluates documentation for accuracy, relevance, and regulatory alignment.

Predictive risk modeling uses data, analytics, and patterns to forecast future risk levels.

Privacy risk is exposure created by improper or non-compliant handling of personal data.

Procurement risk management addresses risks associated with sourcing, acquiring, and contracting goods or services.

A proxy server acts as an intermediary for requests between users and external systems.

Ransomware is malware that encrypts data and demands payment for restoration.

A ransomware action plan outlines the steps for responding to and recovering from a ransomware incident.

Real-time risk alerts notify stakeholders when new risk events or indicators occur.

Real-time risk posture reflects a continuously updated view of an organization’s or vendor’s risk level.

A regulatory evidence package compiles documentation required to demonstrate compliance during regulatory reviews.

Reputational risk is the potential for damage to public trust due to negative events or associations.

Residual risk is the remaining risk after controls and mitigation measures have been applied.

Risk appetite is the level of risk an organization is willing to accept to achieve objectives.

A risk assessment identifies, analyzes, and evaluates risks associated with a vendor, system, or process.

Risk domain mapping links risks to categories such as cyber, privacy, financial, or operational risk.

Risk exposure is the potential impact and likelihood of a risk affecting the organization.

The risk lifecycle includes the stages of identifying, assessing, mitigating, monitoring, and retiring risks.

A risk owner is the individual responsible for managing and accepting a specific risk.

A risk posture score quantifies the overall level of risk associated with a vendor or system.

Risk reduction over time tracks decreases in exposure due to remediation or improved controls.

A risk scoring model quantifies risk using structured criteria and weighted metrics.

Risk tiering categorizes vendors into levels based on inherent and residual risk.

Risk-based vendor segmentation groups vendors by risk level rather than spend or category.

Routing and escalation rules define how tasks, alerts, and approvals move through workflows.

Sanctions screening checks vendors against global sanctions lists to ensure compliance with legal restrictions.

A SAQ is a vendor-completed questionnaire used to self-report controls and compliance posture.

SOX is a U.S. law requiring financial reporting integrity and internal control effectiveness.

SASE combines network security and connectivity into a cloud-delivered architecture.

Scalability metrics measure how well systems or vendors handle growth in demand, data, or users.

Security controls testing validates whether controls prevent or detect threats effectively.

A SOC is a centralized function that monitors, detects, and responds to security threats.

A security questionnaire collects information about a vendor’s security controls and practices.

SMB is a network protocol used for file sharing, printing, and communication between systems.

The SIG questionnaire is a standardized vendor assessment used to evaluate risk and compliance.

A single-pane view consolidates data and insights into one unified interface.

SLA enforcement ensures vendors meet contractual performance and service-level commitments.

The SLACIP Act is an Australian law focused on critical infrastructure security and resilience.

Slow onboarding risk is exposure created when vendor activation or due diligence delays operations.

SOC 1, SOC 2, and SOC 3 are audit reports evaluating vendor controls for financial reporting, security, privacy, and operations.

Social engineering manipulates people into revealing information or performing risky actions.

Spring4Shell is a critical vulnerability in the Spring Framework that enables remote code execution.

A stakeholder approval workflow routes assessments, risks, or changes to required approvers.

Standard definitions ensure consistent terminology across risk, compliance, and governance processes.

Supply chain risk is exposure arising from vulnerabilities in interconnected vendors and service providers.

Surface web monitoring analyzes publicly accessible websites for risk or exposure.

A system-of-record for risk is the authoritative source storing all risk data, decisions, and evidence.

Task assignment allocates responsibilities for assessments, reviews, remediation, or approvals.

A task automation engine automates repetitive workflows across risk and compliance processes.

Termination risk is exposure created when ending a vendor relationship disrupts operations or compliance.

CCPA is California’s privacy law governing how personal information is collected, used, and shared.

GDPR is the EU’s privacy law governing personal data rights and processing requirements.

GLBA is a U.S. law requiring financial institutions to protect customer financial information.

A third-party is an external organization providing products or services to an enterprise.

Third-party classification groups vendors based on their role, service type, or risk level.

Third-party due diligence evaluates vendor risks before and during the relationship.

Third-party evaluation assesses vendor performance, controls, and overall suitability.

Third-party oversight ensures continuous monitoring and management of vendor risks.

Portfolio health reflects the overall risk, compliance, and performance status of all third-parties.

Third-party registration captures vendor details and initializes onboarding workflows.

TPRM is the program that identifies, assesses, and manages risks associated with third-party vendors.

Third-party risk scoring quantifies vendor risk using structured metrics and criteria.

Threat intelligence provides insights into current and emerging cyber threats that may affect systems or vendors.

Tiered due diligence applies different assessment levels based on vendor risk tier.

Transaction monitoring tracks activities to detect fraud, anomalies, and suspicious behavior.

Executive Order 14028 strengthens national cybersecurity requirements for federal systems and suppliers.

UK-GDPR is the United Kingdom’s data protection law, aligned with the EU GDPR framework.

A vendor is an external organization providing goods or services to a company.

Vendor assurance validates that vendors meet required security and compliance standards.

Vendor classification groups vendors based on function, service type, or operational role.

Vendor coverage rate measures how many vendors have completed assessments, evidence submissions, or monitoring requirements.

Vendor evaluation criteria are the standards used to assess a vendor’s capabilities, controls, and suitability.

Vendor governance oversees how vendors are managed, monitored, and held accountable.

A vendor master file is the authoritative record of all vendor information maintained by an organization.

Vendor offboarding is the process of safely terminating a vendor relationship and removing access.

Vendor onboarding is the process of initiating a new vendor relationship, including due diligence and approvals.

Vendor performance risk is the potential for a vendor to fail to meet service, quality, or operational expectations.

Vendor portfolio segmentation groups vendors based on shared characteristics or risk levels.

Vendor relationship risk is exposure arising from dependency, misalignment, or instability in vendor relationships.

A vendor risk assessment evaluates a vendor’s security, compliance, operational, and financial risks.

VRM is the structured practice of identifying and managing risks posed by third-party vendors.

A VRM program is the formal framework governing how vendor risks are evaluated and managed.

Vendor risk ratings quantify vendor risk into defined categories or scores.

Vendor tiering groups vendors into levels based on risk, criticality, or regulatory exposure.

Watchlist monitoring checks vendors against sanction, criminal, regulatory, or enforcement lists.

A web shell is malicious code that allows attackers remote access to a compromised web server.

Workflow orchestration automates and coordinates tasks across risk and compliance processes.

Zero Trust is a security model that assumes no implicit trust and verifies every access request.