B

BCDR — Business Continuity and Disaster Recovery
The combination of strategies, plans, and tools to keep an organization running through a disruption (power outage, ransomware, cloud-provider outage) and to restore systems after.
Why it matters: It is the question every regulator asks: if your laptop fleet is encrypted by ransomware tomorrow, how long until you are running again? You need a tested answer.

C

CMMC — Cybersecurity Maturity Model Certification
US Department of Defense framework requiring contractors handling Controlled Unclassified Information (CUI) to certify against specific cybersecurity controls. Levels 1, 2, and 3.
Why it matters: Mandatory for new DoD contracts. Significantly raises the IT bar (full SIEM, evidence management, formal incident response). If you are bidding government work, plan for the cost.
CASB — Cloud Access Security Broker
A control point between cloud services and users that enforces security policies — including DLP, threat detection, encryption, and access control.
Why it matters: Useful when you need visibility into shadow IT (employees using cloud apps without approval) or to enforce policies across multiple SaaS tools at once.
CIS Controls
A community-maintained set of 18 security controls (broken down into 153 safeguards, called sub-controls in earlier versions) that prioritize the most impactful security activities. The safeguards are grouped into three Implementation Groups: IG1 (essential cyber hygiene), IG2, and IG3.
Why it matters: A more practical starting framework than NIST CSF for SMBs because it tells you what to do first. CIS positions IG1 as the minimum for every organization; if you cleanly implement it, you have addressed the commodity attacks (phishing, credential theft, unpatched systems) that account for most real incidents.

D

DLP — Data Loss Prevention
Tools and policies that detect and prevent sensitive data from leaving the organization through email, cloud apps, or removable media.
Why it matters: For regulated industries (finance, healthcare), DLP is often mandatory. For everyone else, it is the difference between "we think no one emailed our customer database to a personal account" and "we know."
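To make "detect sensitive data leaving through email" concrete, here is an added example (written for this glossary, not a product's code) of the core of a DLP content rule: scan an outbound message body for candidate card numbers and confirm them with the Luhn checksum before blocking. The Luhn step is what separates a usable rule from one that fires on every phone number and order ID. The message, recipient and domain are constructed sample inputs.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
# Constructed for this example; a real DLP engine carries many more patterns
# (SSNs, API keys, internal customer-ID formats) plus context and exemption rules.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out most random digit runs (phone numbers, order IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like PANs and pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the last four digits for the incident record."""
    return "*" * (len(pan) - 4) + pan[-4:]

def inspect_outbound_email(body: str, recipient: str, internal_domain: str) -> dict:
    """Block only when card data is present AND the recipient is outside the organization."""
    pans = find_card_numbers(body)
    external = not recipient.lower().endswith("@" + internal_domain.lower())
    action = "block" if (pans and external) else "allow"
    return {"action": action, "matches": [mask(p) for p in pans], "external": external}

if __name__ == "__main__":
    # Constructed sample: one real-looking test PAN, one 13-digit order ID, one phone number.
    sample = "Card 4111 1111 1111 1111, order ORD 1234567890123, call 555-867-5309"
    print(inspect_outbound_email(sample, "me@gmail.com", "example.com"))
```

The order ID is picked up by the regex but rejected by Luhn, and the phone number is too short to be a candidate; only the test Visa number survives, so the message to an external address is blocked while the same body sent internally is allowed.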

E

EDR — Endpoint Detection and Response
Security software that watches endpoint behavior in real time, flags or blocks suspicious activity, and gives security teams a forensic trail to investigate after the fact.
Why it matters: Antivirus alone misses modern attacks, which often run entirely on legitimate built-in tools (PowerShell, WMI, remote-admin utilities) rather than malware files. EDR catches the behavior AV cannot see, and cyber-insurance applications now routinely ask whether it is deployed on every endpoint.

H

HIPAA — Health Insurance Portability and Accountability Act
US federal regulation governing the protection of protected health information (PHI). Covered entities and their business associates must follow specific security, privacy, and breach-notification rules.
Why it matters: If your customers include healthcare providers, payers, or anyone handling PHI, you and your IT vendor are likely a "business associate" — which means HIPAA applies to your IT setup.

I

IdP — Identity Provider
The system that authenticates users and asserts their identity to other systems (SSO). Common ones: Microsoft Entra ID (formerly Azure AD), Okta, Google Workspace, Auth0.
Why it matters: It is the "front door" to your entire stack. Nothing matters more than making it secure (MFA enforced, conditional access policies, regular access reviews).
IAM — Identity and Access Management
The discipline (and product category) of managing who has access to what — provisioning, de-provisioning, role-based access control, periodic reviews.
Why it matters: Most security incidents trace back to access that should not have existed. Solid IAM is more impactful than most security spending you might do.
IaC — Infrastructure as Code
Defining infrastructure (servers, networks, configs) in version-controlled code rather than clicking through dashboards. Tools: Terraform, Pulumi, OpenTofu.
Why it matters: It is how IT operations become reviewable, repeatable, and auditable. Worth pursuing once you have more than a handful of cloud resources.

M

MDM — Mobile Device Management
A platform for enrolling, configuring, securing, and wiping mobile devices (phones and tablets) — and increasingly laptops too.
Why it matters: If a partner loses their phone with client email on it, you need to be able to wipe it remotely. That is what MDM does. Microsoft Intune and Jamf Pro are the major platforms.
MFA — Multi-Factor Authentication
Requiring more than one factor (something you know, have, or are) to log in. Commonly: password plus a code from an authenticator app, with a FIDO2 hardware key or passkey for admin and other sensitive accounts.
Why it matters: It blocks the overwhelming majority of credential-theft attacks. If you do exactly one thing on a budget, this is it. One caveat: SMS codes and push-to-approve prompts can still be phished or worn down by repeated prompts; hardware keys and passkeys are phishing-resistant and belong on every privileged account.

N

NIST CSF — NIST Cybersecurity Framework
A US-government framework organizing security activities into six functions: Govern, Identify, Protect, Detect, Respond, Recover (Govern was added in CSF 2.0, released February 2024). Widely cited; outcome-based rather than prescriptive.
Why it matters: It is the lingua franca of security programs. Cyber-insurance applications and customer security questionnaires reference it constantly.

P

PCI DSS — Payment Card Industry Data Security Standard
A set of security requirements for organizations that store, process, or transmit cardholder data. Merchant levels 1 through 4 are assigned by annual transaction volume and determine how compliance is validated (an on-site assessment at Level 1, a self-assessment questionnaire for the rest).
Why it matters: If you take credit cards on your own systems, PCI applies. Most SMBs reduce scope by using a hosted payment page such as Stripe Checkout so card data never touches their network, which typically qualifies them for the shortest questionnaire (SAQ A).
PAM — Privileged Access Management
A specialized subset of IAM for managing accounts with elevated permissions (admin, root, service accounts).
Why it matters: Privileged accounts are the highest-value targets in any environment. Vaulting credentials, requiring approval for elevation, and recording sessions are now baseline expectations.

R

RMM — Remote Monitoring and Management
Software that lets IT teams monitor endpoint health, deploy software, run scripts, and resolve issues remotely across many devices at once.
Why it matters: It is the operational backbone of any modern IT operation. Without RMM, you are walking around with USB sticks. With it, one engineer can manage hundreds of endpoints. Our 360SmartIT base uses NinjaOne.
RTO/RPO — Recovery Time Objective / Recovery Point Objective
RTO: how long can the business tolerate downtime? RPO: how much data loss is acceptable? Both are decisions, not technical defaults.
Why it matters: They drive the cost and architecture of backup and DR. RTO of 4 hours and RPO of 15 minutes is dramatically more expensive than 24 hours / 24 hours, and the right answer depends on your business.

S

SSO — Single Sign-On
A way to authenticate to many applications using one identity provider (Entra ID, Okta, Google Workspace) — instead of separate accounts and passwords for each.
Why it matters: It reduces password sprawl, simplifies offboarding (one disable, all access gone), and makes MFA enforceable everywhere at once.
SOC 2 — System and Organization Controls 2
An AICPA attestation framework (Type I evaluates control design at a point in time; Type II tests operating effectiveness over a period, typically 6 to 12 months) that demonstrates a service company has controls around security (always in scope) and, optionally, availability, confidentiality, processing integrity, and privacy.
Why it matters: Increasingly table-stakes for any company selling software or services to enterprises. We are SOC 2 Type II certified, which is partly why our clients can use us as a defensible vendor.
SIEM — Security Information and Event Management
A platform that aggregates security logs from across an organization, applies detection rules, and surfaces incidents for analyst review.
Why it matters: Several frameworks (CMMC Level 2, PCI DSS requirement 10, HIPAA audit-control expectations) effectively require centralized log collection and regular review, which in practice means a SIEM or something doing its job. Smaller firms can get most of the value with less complexity from an XDR platform (Microsoft Defender XDR, SentinelOne Singularity) watched by a managed detection service.
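The three verbs in the definition above (aggregate, apply rules, surface incidents) are easier to picture with a miniature version. The following is an added example written for this glossary, not code from any SIEM product: it parses constructed log lines from two hosts in a simplified key=value format (not a real vendor log format), runs one detection rule, and returns the incidents a human would review. The rule is the classic "many failed logins from one source, then a success", which is what credential-stuffing and password-spraying look like in authentication logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two hosts, in a simplified key=value format.
# Real sources (VPN, IdP, mail gateway) arrive in different formats; the SIEM's
# first job is normalizing them into one schema like the dicts built below.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:03Z host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:05Z host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:06Z host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:08Z host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:09Z host=vpn01 event=auth_success user=alice src=203.0.113.7
2024-05-01T09:10:00Z host=vpn01 event=auth_fail user=bob src=198.51.100.2
2024-05-01T09:11:00Z host=vpn01 event=auth_success user=bob src=198.51.100.2
2024-05-01T09:20:00Z host=mail01 event=auth_fail user=carol src=192.0.2.9
"""

def parse_line(line: str) -> dict:
    """Normalize one raw line into an event dict with a real timestamp."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def parse_logs(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold auth_fail events from one source IP are followed,
    within `window`, by an auth_success from the same source."""
    alerts = []
    fails = defaultdict(list)            # src -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e.get("src")
        if e.get("event") == "auth_fail":
            fails[src].append(e["ts"])
        elif e.get("event") == "auth_success":
            recent = [t for t in fails[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "severity": "high",
                    "src": src,
                    "user": e.get("user"),
                    "host": e.get("host"),
                    "failures": len(recent),
                    "ts": e["ts"].isoformat(),
                })
            fails[src].clear()           # a success closes the window for that source
    return alerts

def run_rules(text: str, rules) -> list[dict]:
    """Aggregate, normalize, apply every rule, return incidents for analyst review."""
    events = parse_logs(text)
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS, [rule_bruteforce_then_success]):
        print(alert)
```

Only alice's login produces an incident: five failures in eight seconds, then a success from the same address. Bob's single typo and carol's lone failure on the mail server stay below the threshold, which is the point of a rule rather than a raw "failed login" alert.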
SOAR — Security Orchestration, Automation, and Response
Platforms that automate routine security workflows (triaging alerts, enriching investigations, taking standard remediation actions).
Why it matters: Most growing companies do not need a dedicated SOAR yet — the automation in modern XDR platforms covers most of the high-value cases. Worth knowing the term, mostly.
SaaS — Software as a Service
Software delivered as a hosted, subscription-based service (Microsoft 365, Salesforce, Slack) rather than installed on your own hardware.
Why it matters: Most growing-company stacks are now 80%+ SaaS. The IT discipline shifts from "manage servers" to "manage SaaS configurations and identities."

X

XDR — Extended Detection and Response
EDR that has expanded to cover identity, email, cloud, and network signals — providing correlated detection across the full attack surface.
Why it matters: For most growing companies, XDR is more practical than a full SIEM. Microsoft Defender XDR and SentinelOne Singularity are common picks.

Z

ZTNA — Zero Trust Network Access
A security model where access decisions are made per-request based on identity, device posture, and context — instead of "you are inside the firewall, you are trusted."
Why it matters: It is the usual replacement for the traditional VPN. Better security posture (a compromised laptop no longer gets a flat view of the whole network once connected), better UX (no clunky tunnel client to babysit), and it matches the way modern work actually happens (everyone is remote sometimes).
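The phrase "per-request, based on identity, device posture, and context" is the whole difference between ZTNA and a VPN, so here is an added example of such a decision in code. It is written for this glossary, not taken from any ZTNA product; the applications, groups, and policy fields are constructed, and the `on_corp_network` attribute is included only to show that the policy never consults it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    user: str
    groups: set[str]
    mfa_satisfied: bool
    device_managed: bool          # enrolled in MDM
    device_compliant: bool        # MDM-reported posture: disk encrypted, EDR running, patched
    country: str
    app: str
    on_corp_network: bool = False  # deliberately ignored: location is not trust

@dataclass
class AppPolicy:
    allowed_groups: set[str]
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_countries: Optional[set[str]] = None   # None means any country

# Constructed policies for two hypothetical internal apps.
POLICIES = {
    "payroll": AppPolicy(allowed_groups={"finance"}, allowed_countries={"US"}),
    "wiki": AppPolicy(allowed_groups={"staff", "finance"}, require_compliant_device=False),
}

def decide(req: Request, policies=POLICIES) -> tuple[str, str]:
    """Evaluate one request. Returns (decision, reason) where decision is
    'allow', 'deny', or 'step_up' (allow only after a fresh MFA challenge)."""
    pol = policies.get(req.app)
    if pol is None:
        return "deny", "unknown app: default deny"
    if not req.groups & pol.allowed_groups:
        return "deny", "user is not entitled to this app"
    if pol.allowed_countries and req.country not in pol.allowed_countries:
        return "deny", f"country {req.country} not permitted for {req.app}"
    if pol.require_compliant_device and not (req.device_managed and req.device_compliant):
        return "deny", "device is not managed and compliant"
    if pol.require_mfa and not req.mfa_satisfied:
        return "step_up", "MFA required for this request"
    return "allow", "identity, device posture and context all satisfied"

if __name__ == "__main__":
    # Finance user on the office LAN, compliant laptop, but no MFA yet on this session.
    req = Request(user="dana", groups={"finance"}, mfa_satisfied=False,
                  device_managed=True, device_compliant=True, country="US",
                  app="payroll", on_corp_network=True)
    print(decide(req))   # being on the corporate network does not skip MFA
```

Every branch consults who is asking, from what device, and under what conditions; nothing in `decide` can be satisfied by plugging into the office switch. In a real deployment the posture fields come from the MDM and EDR agents and the identity fields from the IdP, which is why the MFA, MDM, and IdP entries above are prerequisites for ZTNA rather than alternatives to it.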