Regulations and Terms

ISO 27701: Also abbreviated as PIMS (Privacy Information Management System) outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems. In 2021, Varonis achieved ISO 27701 Data Privacy Certification.

SOC 2: (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability and confidentiality of a cloud service.

SOC 3: (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability and confidentiality of a cloud service.

For a full list of our compliance certifications, please visit our website.

AI: Artificial intelligence.

Generative AI: Traditional AI systems are primarily used to analyze data and make predictions, while generative AI goes a step further by creating new data similar to its training data. In other words, traditional AI excels at pattern recognition, while generative AI excels at pattern creation.

Grounding call: Giving the LLM use-case-specific information not related to its training.

Hallucination: When an LLM confidently presents a response that seems reasonable but is not accurate based on the context.

LLM: Large language model. A specialized type of artificial intelligence that has been trained on vast amounts of text to understand existing content and generate original content.

Model poisoning: Intentionally manipulating training data to compromise a model's accuracy, performance, or security.

RAI: Responsible AI.

Semantic index: A map of data and relationships that glues related concepts together.

CIA: Central Intelligence Agency. CIA is one of the few acronyms that does not need to be spelled out on initial use.

CISA: The Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage and reduce risk to our cyber and physical infrastructure.

Classified information: When referring to classification types of data or information, the terms “Secret” and “Top-secret” should be capitalized.

CMMC: The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC) to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB). 

Department of Defense: Spell out on first use. DOD is acceptable on second reference.

Federal: Only capitalize when it starts a sentence. Example: “The federal government closed for a week because of the snowstorm” is correct.

FBI: Federal Bureau of Investigation. FBI is one of the few acronyms that does not need to be spelled out on initial use.

GSA: The General Services Administration provides centralized procurement for the federal government, offering billions of dollars worth of products, services and facilities that federal agencies need to serve the public. Spell out on first use and abbreviate as GSA on second use. 

Government: Only capitalize when it starts a sentence. “State and local governments rely on Varonis.” and “the federal government,” are correct.

Microsoft's U.S. Government Community Cloud (GCC) and Microsoft's U.S. Government Community Cloud High (GCC High): Provides government customers with Microsoft 365 productivity services that have additional security, and U.S. data residency needed for U.S. government customers. Should be capitalized.

NIST: National Institute of Standards and Technology. Abbreviate as NIST on second use.

NSA: The National Security Agency is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence. Abbreviate NSA on second use.

White House: Two words, capitalized. Only capitalize “The” if “The White House” starts a new sentence.

If you have any questions please refer to AP style guidelines or email Megan Garza.

Form 8-K: A very broad form used to notify investors in United States public companies of specified events that may be important to shareholders or the U.S. Securities and Exchange Commission. This is one of the most common types of forms filed with the SEC.

In March 2022, the SEC voted to propose new rules for cybersecurity disclosure and incident reporting on the form.

Form 10-K: An annual report required by the U.S. Securities and Exchange Commission, that gives a comprehensive summary of a company's financial performance.

The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is U.S. law meant to protect investors from fraudulent accounting activities by corporations. Sarbanes-Oxley was enacted after several major accounting scandals in the early 2000s perpetrated by companies such as Enron, Tyco, and WorldCom.

The Gramm-Leach-Bliley Act requires financial institutions — companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance — to explain their information-sharing practices to their customers, and to safeguard sensitive data.