The Consensus Assessments Initiative Questionnaire (CAIQ) is a security assessment provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess information security capabilities of cloud providers.

The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains. SIG was developed by Shared Assessments and is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security, and business resiliency. The SIG questionnaire was created by Shared Assessments.

The Vendor Security Alliance (VSA) questionnaire was created by a coalition of companies committed to improving Internet security. It is one of the most well-known, highly respected security questionnaires, alongside: The VSA questionnaire is free to use and accessible on the VSA website.

The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework.

The OWASP Top 10 is a regularly-updated report outlining the top 10 list of security concerns for web application security. The report is put together by a team of security experts around the world. OWASP refers to the Top 10 as an 'awareness document' and they recommend all companies incorporate the report's findings into the cybersecurity processes.

Data loss prevention (DLP) is a set of processes and technologies that ensure sensitive data is not lost, misused or exposed to unauthorized users by end-users or misconfiguration. Most data loss prevention solutions rely on data classification. This means that sensitive data is grouped into different buckets, e.g. regulated, confidential, financial data, intellectual property, and business-critical data.

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. The impact of XSS can range from a small nuisance to significant cybersecurity risk, depending on the sensitivity of data handled by the vulnerable website, and the nature of any mitigations implemented.

A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information. The reason whaling attacks target high-ranking employees is because they hold power in companies and often have complete access to sensitive data.

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of patients' rights and certain health information. Its standards address the use and disclosure of individuals' health information, known as protected health information or PHI by organizations subject to the Privacy Rule, as well as standards for an individual's rights to understand and control how their health data is used.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that enables web sites to declare themselves accessible only via secure connections. This helps protect websites and users from protocol downgrade and cookie hijacking attacks.

Engaging with third-party vendors for the provision of goods and services isn't new. The level of digital transformation, paired with the number of third-party relationships and business partners the average organization has is. Third-party risk management programs need to evolve the manage this ever evolving type of risk exposure. Enterprise-wide organizations rely on third and fourth-party vendors. And many of them have access to sensitive data.

Security ratings or cybersecurity ratings provide risk management and security teams with the information needed to determine whether their vendors' and their own security posture is sufficient to prevent cyber attacks and ensure information security.

The Florida Information Protection Act of 2014 (FIPA) came into effect July 1, 2014, expanding Florida's existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridian's personal information. FIPA modified Florida's existing data breach notification law and applies to commercial and government entities.

Email security refers to various cybersecurity measures to secure the access and content of an email account or service. Proper email security can protect sensitive information in email communications, prevent phishing attacks, spear phishing and email spoofing and protect against unauthorized access, loss or compromise of one or more email addresses.