Shared Flashcard Set

Details

CISAN
Nisars-CISA
975
Accounting
Graduate
05/07/2011

Cards

Term
Abend
Definition
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing
Term
Acceptable Interruption Window
Definition
The maximum period of time that a system can be unavailable before compromising the achievement of the organization's business objectives.
Term
Acceptable Use Policy
Definition
A policy that establishes an agreement between users and the organization and defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet.
Term
Access control
Definition
The processes, rules and deployment mechanisms which control access to information systems, resources and physical access to premises
Term
Access control list (ACL)
Definition
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.
Scope Note: Access control lists are also referred to as access control tables.
Term
Access control table
Definition
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.
Term
Access method
Definition
The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.
Term
Access path
Definition
The logical route an end user takes to access computerized information.
Scope Note: Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Term
Access rights
Definition
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
Term
Access servers
Definition
Provide centralized access control for managing remote access dial-up services.
Term
Accountability
Definition
The ability to map a given activity or event back to the responsible party.
Term
Accountable Party
Definition
The individual, group, or entity that is ultimately responsible for a subject matter, process or scope.
Scope Note: Within ITAF, the term management is equivalent to "accountable party".
Term
Acknowledgement (ACK)
Definition
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission.
Term
Active Recovery Site (Mirrored)
Definition
Recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster.
Scope Note: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.
Term
Active Response
Definition
A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack.
Scope Note: The response takes one of three forms: amending the environment, collecting more information or striking back against the user.
Term
Activity
Definition
The main actions taken to operate the COBIT process.
Term
Address
Definition
Within computer storage, the code used to designate the location of a specific piece of data
Term
Address space
Definition
The number of distinct locations that may be referred to with the machine address
Scope Note: For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.
Term
Addressing
Definition
The method used to identify the location of a participant in a network
Scope Note: Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing).
Term
Adjusting Period
Definition
The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap, and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.
Scope Note: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.
Term
Administrative controls
Definition
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.
Term
Adware
Definition
Any software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used
Scope Note: In most cases, this is done without any notification to the user or the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Term
Alert Situation
Definition
The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The organization entering into an alert situation initiates a series of escalation steps.
Term
Allocation Entry
Definition
A recurring journal entry used to allocate revenues or costs.
Scope Note: For example, an allocation entry could be defined to allocate costs to each department based on head count.
Term
Alpha
Definition
The use of alphabetic characters or an alphabetic character string
Term
Alternate Facilities
Definition
Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed.
Scope Note: This includes other buildings, offices or data processing centers.
Term
Alternate Process
Definition
Automatic or manual processes designed and established to continue critical business processes from point-of-failure to return-to-normal.
Term
Alternative routing
Definition
A service that allows the option of having an alternate route to complete a call when the marked destination is not available
Scope Note: In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.
Term
American Standard Code for Information Interchange
Definition
See ASCII
Term
Amortization
Definition
The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.
Term
Analog
Definition
A transmission signal that varies continuously in amplitude and time and is generated in wave formation
Scope Note: Analog signals are used in telecommunications
Term
Analytical Technique
Definition
The examination of ratios, trends and changes in balances and other values between periods to obtain a broad understanding of the organization’s financial or operational position and to identify areas that may require further or closer investigation.
Scope Note: This technique is often used when planning the assurance assignment.
Term
Anomaly
Definition
Unusual or statistically rare.
Term
Anomaly Detection
Definition
Detection on the basis of whether the system activity matched that defined as abnormal.
Term
Anonymity
Definition
The quality or state of not being named or identified.
Term
Antivirus software
Definition
Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and to repair or quarantine files that have already been infected.
Term
Appearance
Definition
The act of giving the idea or impression of being or doing something.
Term
Appearance of Independence
Definition
Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.).
Scope Note: The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations.
Term
Applet
Definition
A program written in a portable, platform independent computer language, such as Java, JavaScript or Visual Basic
Scope Note: It is usually embedded in an HTML page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risks if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.
Term
Application
Definition
A computer program or set of programs that perform the processing of records for a specific function
Scope Note: An application program contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.
Term
Application Acquisition Review
Definition
An evaluation of an application system being acquired or evaluated, which considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process.
Term
Application Benchmarking
Definition
The process of establishing the effective design and operation of automated controls within an application.
Term
Application control
Definition
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved
Term
Application Development Review
Definition
An evaluation of an application system under development which considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established systems development life cycle process.
Term
Application Implementation Review
Definition
An evaluation of any part of an implementation project.
Scope Note: Examples include project management, test plans and user acceptance testing procedures.
Term
Application layer
Definition
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible.
Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services.
Term
Application Maintenance Review
Definition
An evaluation of any part of a project to perform maintenance on an application system.
Scope Note: Examples include project management, test plans and user acceptance testing procedures.
Term
Application or Managed Service Provider (ASP/MSP)
Definition
A third party that delivers and manages applications and computer services, including security services to multiple users via the Internet or a private network.
Term
Application program
Definition
A program that processes business data through activities such as data entry, update or query
Scope Note: It contrasts with systems programs, such as an operating system or network control program, and with utility programs such as copy or sort.
Term
Application programming
Definition
The act or function of developing and maintaining applications programs in production
Term
Application programming interface (API)
Definition
A set of routines, protocols and tools referred to as "building blocks" used in business application software development.
Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by MS-Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen.
Term
Application Proxy
Definition
A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service.
Term
Application Security
Definition
Refers to the security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications.
Term
Application Service Provider (ASP)
Definition
Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility.
Scope Note: The applications are delivered over networks on a subscription basis.
Term
Application Software Tracing and Mapping
Definition
Specialized tools that can be used to analyze the flow of data, through the processing logic of the application software, and document the logic, paths, control conditions and processing sequences.
Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.
Term
Application System
Definition
An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities.
Scope Note: Examples include general ledger, manufacturing resource planning and human resource management.
Term
Application tracing and mapping
Definition
Specialized tools that can be used to analyze the flow of data, through the processing logic of the application software, and document the logic, paths, control conditions and processing sequences.
Term
Architecture
Definition
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization's objectives.
Term
Arithmetic logic unit (ALU)
Definition
The area of the central processing unit that performs mathematical and analytical operations
Term
Artificial intelligence
Definition
Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules
Term
ASCII
Definition
Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.
Term
Assembler
Definition
A program that takes as input a program written in assembly language and translates it into machine code or machine language
Term
Assembly Language
Definition
A low-level computer programming language which uses symbolic code and produces machine instructions.
Term
Assessment
Definition
A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative.
Scope Note: It might include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.
Term
Asset
Definition
Something of either tangible or intangible value worth protecting including people, information, infrastructure, finances and reputation
Term
Assurance
Definition
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the organization.
Scope Note: Examples may include financial, performance, compliance and system security engagements.
Term
Assurance Initiative
Definition
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the organization.
Scope Note: Examples may include financial, performance, compliance and system security engagements.
Term
Asymmetric key (public key)
Definition
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Scope Note: See public key encryption.
Term
Asynchronous Transfer Mode (ATM)
Definition
A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol.
Scope Note: This means that it is a protocol-independent transport mechanism. ATM allows very high speed data transfer rates at up to 155 Mbit/s.
The acronym ATM should not be confused with the alternate usage for ATM which refers to an automated teller machine.
Term
Asynchronous transmission
Definition
Character-at-a-time transmission.
Term
Attest Reporting Engagement
Definition
An engagement where an IS auditor is engaged to either examine management’s assertion regarding a particular subject matter or the subject matter directly.
Scope Note: The IS auditor’s report consists of an opinion on one of the following: The subject matter. These reports relate directly to the subject matter itself rather than an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than an assertion.
Term
Attitude
Definition
Way of thinking, behaving, feeling, etc.
Term
Attribute sampling
Definition
An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)
Term
Audit
Definition
Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.
Scope Note: An audit may be carried out by internal or external groups.
Term
Audit Accountability
Definition
Performance measurement of service delivery including cost, timeliness and quality against agreed service levels.
Term
Audit Authority
Definition
A statement of the position within the organization, including lines of reporting and the rights of access.
Term
Audit Charter
Definition
A document approved by the board, which defines the purpose, authority and responsibility of the internal audit activity.
Term
Audit evidence
Definition
The information used to support the audit opinion.
Term
Audit Expert Systems
Definition
Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field.
Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.
Term
Audit Objective
Definition
The specific goal(s) of an audit.
Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.
Term
Audit Plan
Definition
1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.
Scope Note: The plan includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.
2. A high level description of the audit work to be performed in a certain period of time.
Term
Audit Program
Definition
A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Term
Audit Responsibility
Definition
The roles, scope and objectives documented in the service level agreement between management and audit.
Term
Audit Risk
Definition
The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.
Term
Audit Sampling
Definition
The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population.
Term
Audit Trail
Definition
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.
Term
Audit Universe
Definition
An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.
Scope Note: Traditionally, the list includes all financial and key operational systems as well as other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.
Term
Auditability
Definition
The level to which transactions can be traced and audited through a system.
Term
Auditable Unit
Definition
Subjects, units, or systems that are capable of being defined and evaluated.
Scope Note: Auditable units may include:
- Policies, procedures and practices
- Cost centers, profit centers and investment centers
- General ledger account balances
- Information systems (manual and computerized)
- Major contracts and programs
- Organizational units, such as product or service lines
- Functions, such as information technology, purchasing, marketing, production, finance, accounting and human resources
- Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll and capital assets
- Financial statements
- Laws and regulations
Term
Authentication
Definition
1. The act of verifying identity, i.e., user, system
Scope Note: Risk: It can also refer to the verification of the correctness of a piece of data
2. The act of verifying the identity of a user, the user’s eligibility to access computerized information
Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Term
Automated Application Controls
Definition
Controls that have been programmed and embedded within an application.
Term
Availability
Definition
Information that is accessible when required by the business process now and in the future
Term
Awareness
Definition
Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.
Term
Backbone
Definition
The main communications channel of a digital network. The part of a network that handles the major traffic.
Scope Note: The backbone employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that directly connect to the end user or customer are called “access networks.” A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.
Term
Backup
Definition
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service.
Term
Backup Center
Definition
An alternate facility to continue IT/IS operations when the primary DP center is unavailable.
Term
Badge
Definition
A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., police), or as a simple means of identification.
Scope Note: Badges are also used in advertising and publicity.
Term
Balanced scorecard (BSC)
Definition
Developed by Robert S. Kaplan and David P. Norton, a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives
Term
Bandwidth
Definition
The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Term
Bar Code
Definition
A printed machine-readable code that consists of parallel bars of varied width and spacing.
Term
Base Case
Definition
A standardized body of data created for testing purposes.
Scope Note: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
Term
Baseband
Definition
A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver.
Scope Note: In baseband the entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.
Term
Batch Control
Definition
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.
Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions.
Term
Batch Processing
Definition
The processing of a group of transactions at the same time.
Scope Note: Transactions are collected and processed against the master files at a specified time.
Term
Baud Rate
Definition
The rate of transmission for telecommunication data, expressed in bits per second (bps).
Term
Benchmark
Definition
A test that has been designed to evaluate the performance of a system.
Scope Note: In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.
Term
Benchmarking
Definition
A systematic approach to comparing an organization’s performance against peers and competitors in an effort to learn the best ways of conducting business.
Scope Note: Examples include benchmarking of quality, logistical efficiency and various other metrics.
Term
Benefit
Definition
In business, an outcome whose nature and value (expressed in various ways) are considered advantageous by an organization.
Term
Best practice
Definition
A proven activity or process that has been successfully used by multiple organizations.
Term
Binary Code
Definition
A code whose representation is limited to 0 and 1.
Term
Biometric Locks
Definition
Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature.
Term
Biometrics
Definition
A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint.
Term
Bit-stream Image
Definition
Bit?stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media.
Scope Note: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.
Term
Black Box Testing
Definition
A testing approach which focuses on the functionality of the application or product and does not require knowledge of the code internals.
Term
Broadband
Definition
Multiple channels are formed by dividing the transmission medium into discrete frequency segments.
Scope Note: Broadband generally requires the use of a modem.
Term
Brouters
Definition
Devices that perform the functions of both bridges and routers are called brouters.
Scope Note: They operate at both the data link and the network layers. A brouter connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, they are as fast as bridges besides being able to connect different data link type networks.
Term
Browser
Definition
A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web.
Term
Brute Force
Definition
The name given to a class of algorithms that repeatedly try all possible combinations until a solution is found.
Term
Brute Force Attack
Definition
Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found.
Term
Budget
Definition
Estimated cost and revenue amounts for a given range of periods and set of books
Scope Note: There can be multiple budget versions for the same set of books.
Term
Budget Formula
Definition
A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics.
Scope Note: With budget formulas, budgets using complex equations, calculations and allocations can be automatically created.
Term
Budget Hierarchy
Definition
A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget.
Term
Budget Organization
Definition
An entity (department, cost center, division or other group) responsible for entering and maintaining budget data.
Term
Buffer
Definition
Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer.
Scope Note: In a program, buffers are reserved areas of RAM that hold data while they are being processed.
Term
Buffer Overflow
Definition
Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Scope Note: Since buffers are created to contain a finite amount of data, the extra information—which has to go somewhere—can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Term
Bulk Data Transfer
Definition
A data recovery strategy that includes a recovery from complete backups that are physically shipped off site once a week.
Scope Note: Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.
Term
Bus
Definition
Common path or channel between hardware devices.
Scope Note: A bus can be between components internal to a computer or between external computers in a communications network.
Term
Bus Configuration
Definition
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.
Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.
Term
Business balanced scorecard
Definition
A tool for managing organizational strategy, which uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements, learning and growth (lead) indicators combined to rate the organization.
Term
Business case
Definition
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Term
Business continuity plan
(BCP)
Definition
A plan used by an organization to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems
Term
Business controls
Definition
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.
Term
Business dependency assessment
Definition
A process of identifying resources critical to the operation of a business process.
Term
Business Function
Definition
An activity an enterprise does, or needs to do, to achieve its objectives.
Term
Business Goal
Definition
The translation of the enterprise's mission from a statement of intention into performance targets and results
Term
Business Impact
Definition
The net effect, positive or negative, on the achievement of business objectives
Term
Business impact analysis
(BIA)
Definition
A process to determine the impact of losing the support of any resource
Scope Note: The business impact analysis will establish how that loss escalates over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.
Term
Business impact analysis/assessment (BIA)
Definition
1. Evaluating the criticality and sensitivity of information assets.
2. An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
Scope Note: This process also includes addressing:
• Income loss
• Unexpected expense
• Legal issues (regulatory compliance or contractual)
• Interdependent processes
• Loss of public reputation or public confidence
Term
Business Interruption
Definition
Any event, whether anticipated (e.g., a public service strike) or unanticipated (e.g., a blackout), which disrupts the normal course of business operations at an organization.
Term
Business Objective
Definition
A further development of the business goals into tactical targets and desired results and outcomes
Term
Business process
Definition
An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer.
Term
Business Process
Integrity
Definition
Controls over the business processes that are supported by the ERP.
Term
Business process owner
Definition
The individual responsible for identifying process requirements, approving process design and managing process performance
Scope Note: A business process owner must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities.
Term
Business process reengineering (BPR)
Definition
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings.
Term
Business risk
Definition
A probable situation with uncertain frequency and magnitude of loss (or gain).
Term
Business Service
Provider (BSP)
Definition
An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development.
Term
Business sponsor
Definition
The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the organization.
Term
Business-to-Business
Definition
Transactions where the acquirer is an organization or an individual operating in the ambit of his/her professional activity. In this case, laws and regulations related to consumer protection are not applicable.
Scope Note: The contract's general terms should be communicated to the other party and specifically approved. Some companies require the other party to fill out check boxes where there is a description such as "I specifically approve the clauses…" This is not convincing: the best solution is the adoption of a digital signature scheme, which allows the approval of clauses and terms with the non-repudiation condition.
Term
Business-to-Consumer
Definition
Selling processes where the involved parties are the organization, which offers goods or services, and a consumer. In this case there is comprehensive legislation which protects the consumer.
Scope Note: Comprehensive legislation includes:
• Regarding contracts established outside the merchant's property (such as the right to end the contract with full refund or the return policy for goods)
• Regarding distance contracts (such as rules which establish how a contract should be written, specific clauses and the need to make it transmitted to the consumer and approved)
• Regarding electronic form of the contract (such as on the Internet, the possibility for the consumer to exit from the procedure without having his/her data recorded)
Term
Business-to-Consumer E-Commerce (B2C)
Definition
Refers to the processes by which organizations conduct business electronically with their customers and/or public at large using the Internet as the enabling technology.
Term
Bypass Label Processing
(BLP)
Definition
A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.
Term
Cadbury
Definition
The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known, in the UK, as the Cadbury Report.
Term
Capability
Definition
An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential or is required to contribute to a business outcome and to create value
Term
Capability maturity model (CMM)
Definition
1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes.
Scope Note: CMM ranks software development organizations according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes.
3. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives.
4. A collection of instructions an organization can follow to gain better control over its software.
Term
Capacity Stress Testing
Definition
Testing an application with large quantities of data to evaluate its performance during peak periods. It also is called volume testing.
Term
Capital expenditure
Definition
An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.
Term
Capital expense
Definition
An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.
Term
Card Swipes
Definition
A physical control technique that uses a secured card or ID to gain access to a highly sensitive location.
Scope Note: Card swipes, if built correctly, act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs every card holder who tries to access the secured location. The card swipe device therefore both prevents unauthorized access and logs all attempts to enter the secured location.
Term
Cathode Ray Tube (CRT)
Definition
A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material or a device similar to a television screen upon which data can be displayed.
Term
Central Processing Unit
(CPU)
Definition
Computer hardware that houses the electronic circuits that control/direct all operations of the computer system.
Term
Centralized Data
Processing
Definition
A configuration in which one central processor and its databases serve all users, as opposed to a distributed processing configuration.
Term
Certificate Authority
(CA)
Definition
A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates.
Term
Certificate Revocation
List (CRL)
Definition
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility.
Scope Note: A CRL lists the digital certificates that are no longer valid. The interval between two CRL updates is critical and is a risk in certificate verification: a certificate revoked after the last publication still verifies successfully until the next CRL is issued.
Term
Certification Practice
Statement (CPS)
Definition
A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA.
Scope Note: It describes the controls that the CA observes, the method it uses to validate the authenticity of certificate applicants, and the CA's expectations of how its certificates may be used.
Term
Chain of Custody
Definition
A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding, to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.
Term
Challenge/Response
Token
Definition
A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP).
Scope Note: When a user tries to log in using CHAP, the server sends the user a "challenge", which is a random value. The user's system combines the challenge with the shared secret (the password) using a one-way hash (MD5 in RFC 1994) and returns the result. The server, which also holds the secret, computes the same hash over its own copy of the challenge and compares the two values; if they match, the user is authenticated. Only the challenge and the hash cross the network, so the password itself cannot be sniffed, and because each challenge is a fresh random value that is used once, a captured response cannot be replayed. The server may repeat the challenge at intervals throughout the session. CHAP authenticates the user to the server only, not the server to the user, so it does not by itself defeat a man-in-the-middle attacker who relays the exchange, and the server must store each secret in a form from which the hash can be recomputed.
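Added example (not part of the original glossary): both sides of the CHAP exchange described above, with the RFC 1994 response computed as MD5 over the one-byte identifier, the shared secret and the challenge. The ChapAuthenticator and ChapPeer class names, the peer name "alice" and the secrets are constructed for the demonstration; the server discards each challenge after one use, which is what makes the replayed response fail.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the one-byte Identifier, the shared
    secret and the challenge value, in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Knows each peer's secret, issues one-time challenges and
    discards them once used so that a captured response cannot be replayed."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret (constructed)
        self.pending = {}              # peer name -> (identifier, challenge)
        self._next_id = 0

    def issue_challenge(self, peer):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(16)     # fresh random value per attempt
        self.pending[peer] = (identifier, challenge)
        return identifier, challenge

    def verify(self, peer, identifier, response):
        entry = self.pending.pop(peer, None)   # consume: each challenge is valid once
        if entry is None or entry[0] != identifier or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], entry[1])
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side. Holds only its own secret and answers challenges."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, challenge):
        return chap_response(identifier, self.secret, challenge)


def run_exchange():
    """Returns (first_attempt, replay_attempt, wrong_secret_attempt)."""
    server = ChapAuthenticator({"alice": b"correct horse battery"})
    alice = ChapPeer("alice", b"correct horse battery")
    mallory = ChapPeer("alice", b"guess")

    # 1. Server challenges, Alice responds, server verifies.
    ident, chal = server.issue_challenge("alice")
    resp = alice.answer(ident, chal)
    first = server.verify("alice", ident, resp)

    # 2. Someone who sniffed (ident, chal, resp) replays it: the challenge is gone.
    replay = server.verify("alice", ident, resp)

    # 3. Fresh challenge, answered with the wrong secret.
    ident2, chal2 = server.issue_challenge("alice")
    wrong = server.verify("alice", ident2, mallory.answer(ident2, chal2))
    return first, replay, wrong


if __name__ == "__main__":
    print("first, replay, wrong-secret:", run_exchange())
```

Note what a passive sniffer sees on the wire: the identifier, the 16-byte challenge and the 16-byte hash, never the secret. Note also what the code does not do: the peer never checks who sent the challenge, so a relay in the middle is transparent to it, which is why CHAP alone is not a man-in-the-middle defence.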
Term
Change management
Definition
A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change.
Scope Note: Change management includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resource policies and procedures, executive coaching, change leadership training, team building and communications planning and execution.
Term
Channel Service Unit/Digital Service Unit (CSU/DSU)
Definition
Interfaces at the physical layer of the OSI reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks
Term
Chargeback
Definition
The redistribution of expenditures to the units within a company that gave rise to them.
Scope Note: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service, as certain key expenditures will be ignored or calculated according to an arbitrary formula.
Term
Check Digit
Definition
A numeric value, calculated mathematically from the other digits, that is appended to data so that a later recalculation can detect whether the original data have been altered or an incorrect but valid-looking value has been entered.
Scope Note: Check digit control is effective in detecting transposition and transcription errors.
Term
Check Digit Verification
(Self-checking Digit)
Definition
A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit.
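Added example (not part of the original glossary) serving both the Check Digit and Check Digit Verification entries above: the mod-10 (Luhn) check digit used on payment card and many account numbers, computed, verified, and then exercised against every single-digit transcription error and every adjacent transposition to show what the control catches and the one case it misses. The function names and the sample numbers are constructed for the demonstration.

```python
def luhn_check_digit(payload):
    """Compute the mod-10 (Luhn) check digit for a string of decimal digits.
    Working from the right, every other digit is doubled (and reduced by 9 if
    the result exceeds 9); the check digit brings the total to a multiple of 10."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for position, char in enumerate(reversed(payload)):
        digit = int(char)
        if position % 2 == 0:          # rightmost payload digit is doubled first
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Check-digit verification: recompute from all but the last digit and compare."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def transpose(number, i):
    """Swap adjacent digits i and i+1 (the classic keying error)."""
    chars = list(number)
    chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def error_detection_report(number):
    """For a valid number, try every single-digit transcription error and every
    adjacent transposition; return (transcription_missed, transposition_missed),
    i.e. how many corrupted numbers the check digit still accepts."""
    transcription_missed = 0
    for i, original in enumerate(number):
        for replacement in "0123456789":
            if replacement != original:
                corrupted = number[:i] + replacement + number[i + 1:]
                if luhn_valid(corrupted):
                    transcription_missed += 1
    transposition_missed = 0
    for i in range(len(number) - 1):
        corrupted = transpose(number, i)
        if corrupted != number and luhn_valid(corrupted):
            transposition_missed += 1
    return transcription_missed, transposition_missed


if __name__ == "__main__":
    acct = "7992739871" + luhn_check_digit("7992739871")
    print(acct, luhn_valid(acct), error_detection_report(acct))
    print("091 / 901 both valid:", luhn_valid("091"), luhn_valid("901"))
```

Every single-digit substitution is detected, because doubling-and-reducing is a one-to-one mapping on the digits 0 to 9. Adjacent transpositions are all detected except 09 and 90, which contribute the same amount whichever way round they are; that is the known blind spot of a mod-10 scheme, and a reason mod-11 schemes (ISBN-10, for example) exist.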
Term
Checklist
Definition
A list of items that is used to verify the completeness of a task or goal.
Scope Note: A checklist is used in quality assurance (and in general, in information systems audit),
to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.
Term
Checkpoint Restart
Procedures
Definition
A point in a routine at which sufficient information can be stored to permit restarting the computation from that point.
Term
Checksum
Definition
A mathematical value computed from the contents of a file and stored or transmitted with it, so that the file can be "tested" at a later date to verify that the data it contains has not changed.
Scope Note: A cryptographic checksum is created by running the data through a cryptographic hash function, which reduces the file to a fixed-length string of bits called a hash value; the hash value is then used as the checksum. A plain hash detects accidental corruption, but an attacker who can alter the file can also recompute the hash, because the algorithm itself is public. To detect deliberate modification the checksum must be keyed: a message authentication code (MAC) such as HMAC is computed over the data with a secret key, so that without the key an unauthorized person cannot produce a matching value for changed data. Cryptographic checksums are used in data transmission and data storage. Keyed cryptographic checksums are also known as message authentication codes, integrity check values or message integrity codes; an unkeyed hash used this way is a modification detection code.
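Added example (not part of the original glossary): the difference between an unkeyed checksum and a keyed one, played out against an attacker who can rewrite the stored record. The record contents, the key and the tamper_scenario() function are constructed for the demonstration; SHA-256 and HMAC are the standard-library implementations.

```python
import hashlib
import hmac


def plain_checksum(data):
    """Unkeyed checksum: anyone can recompute it, since SHA-256 is public."""
    return hashlib.sha256(data).hexdigest()


def keyed_checksum(key, data):
    """Message authentication code (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data, checksum):
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(plain_checksum(data), checksum)


def verify_keyed(key, data, tag):
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def tamper_scenario():
    """Constructed scenario: a stored record protected by both kinds of checksum,
    then an attacker who can rewrite the record and knows the algorithm but not
    the key. Returns what each verifier accepts."""
    key = b"constructed-demo-key-kept-out-of-the-file"
    original = b"amount=100;payee=alice"
    stored_checksum = plain_checksum(original)
    stored_tag = keyed_checksum(key, original)

    forged = b"amount=9999;payee=mallory"
    # The attacker's best attempts: recompute the public hash over the forged
    # record, reuse the old tag, or substitute an unkeyed hash for the tag.
    attacker_checksum = plain_checksum(forged)
    attacker_tags = [stored_tag, hashlib.sha256(forged).hexdigest()]

    return {
        "plain_detects_accidental_change": not verify_plain(forged, stored_checksum),
        "plain_accepts_forgery": verify_plain(forged, attacker_checksum),
        "mac_accepts_forgery": any(verify_keyed(key, forged, t) for t in attacker_tags),
        "mac_accepts_original": verify_keyed(key, original, stored_tag),
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenario().items():
        print(f"{name}: {outcome}")
```

The unkeyed hash still has a place: it catches disk and transmission errors, and it is adequate when it is delivered over a channel the attacker cannot write to (a signed manifest, for instance). Whenever the checksum travels with the data it protects, only the keyed form gives integrity against a deliberate change.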
Term
Chief executive officer
(CEO)
Definition
Chief executive officer is the highest ranking individual in an organization.
Term
Chief financial officer
(CFO)
Definition
Chief financial officer is the individual primarily responsible for managing the financial risks of an organization.
Term
Chief information officer (CIO)
Definition
The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources.
Scope Note: In some cases, the CIO role has been expanded to become the chief knowledge officer, CKO, who deals in knowledge, not just information. Also see chief technology officer.
Term
Chief technology officer
(CTO)
Definition
The individual who focuses on technical issues in an organization.
Scope Note: The title CTO is often viewed as synonymous with chief information officer.
Term
Ciphertext
Definition
Information generated by an encryption algorithm to protect the plaintext and is unintelligible to the unauthorized reader.
Term
Circuit-Switched
Network
Definition
A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE.
Scope Note: A circuit-switched data transmission service uses a connection-oriented network.
Term
Circular Routing
Definition
In open systems architecture, circular routing is the logical path of a message in a communications network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.
Term
Cleartext
Definition
Data that is not encrypted. Also known as plaintext.
Term
Client-server
Definition
A group of computers connected by a communications network where the client is the requesting machine and the server is the supplying machine.
Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server but it is transparent to the user.
Term
Cluster Controller
Definition
A communications terminal control hardware unit that controls a number of computer terminals.
Scope Note: All messages are buffered by the controller and then transmitted to the receiver.
Term
Coaxial Cable
Definition
Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire.
Scope Note: Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance.
Term
COBIT
Definition
Control Objectives for Information and related Technology (COBIT) is a complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.
Scope Note: Adoption and use of the COBIT framework are supported by guidance for executives and management (Board Briefing on IT Governance, 2nd Edition), IT governance implementers (COBIT Quickstart, 2nd Edition; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; and COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance), and IT assurance and audit professionals (IT Assurance Guide Using COBIT). Guidance also exists to support its applicability for certain legislative and regulatory requirements (e.g., IT Control Objectives for Sarbanes-Oxley, IT Control Objectives for Basel II) and its relevance to
Term
COCO
Definition
Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995.
Term
Coevolving
Definition
Originated as a biological term, refers to the way two or more ecologically interdependent species become intertwined over time.
Scope Note: As these species adapt to their environment, they also adapt to one another. Today's multi-business companies need to take their cue from biology to survive: they should assume that links among businesses are temporary and that the number of connections, not just their content, matters. Rather than plan collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.
Term
Coherence
Definition
Establishing a potent binding force and sense of direction and purpose for the organization, relating different parts of the organization to each other and to the whole to act as a seemingly unique entity.
Term
Cohesion
Definition
The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function.
Scope Note: Generally, the more cohesive are units, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change.
Term
Cold Site
Definition
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place.
Scope Note: The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.
Term
Combined Code on
Corporate Governance
Definition
The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports.
Scope Note: Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the Financial Aspects of Corporate Governance, Directors' Remuneration and the implementation of the Cadbury and Greenbury recommendations.
Term
Communication
Processor
Definition
A computer embedded in a communications system that generally performs basic tasks of classifying network traffic and enforcing network policy functions.
Scope Note: An example is the message data processor of a DDN switching center. More advanced communications processors may perform additional functions.
Term
Communications
Controller
Definition
Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function.
Term
Community Strings
Definition
Authenticate access to management information base (MIB) objects and function as embedded passwords.
Scope Note: Examples are:
• Read-only (RO): gives read access to all objects in the MIB except the community strings, but does not allow write access
• Read-write (RW): gives read and write access to all objects in the MIB, but does not allow access to the community strings
• Read-write-all: gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)
SNMPv1 and SNMPv2c community strings are sent across the network in cleartext, so anyone who can sniff the management traffic learns them. The best way to protect a Cisco IOS software-based device from unauthorized SNMP management is to build a standard IP access list that permits only the source address(es) of the management station(s) and tie it to the community string. Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, a log message is generated every time the device is accessed from the management station; the log message records the source IP address of the packet. Default strings such as "public" and "private" should be changed, and SNMPv3, which adds per-user authentication and encryption, should be preferred wherever the device supports it.
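Added example (not part of the original glossary): why the cleartext point matters and how the access-list control above works. A constructed SNMPv2c GetRequest for sysDescr.0 with community "public" is decoded with a minimal BER parser to pull the community string straight out of the packet bytes, exactly as a sniffer on the path would; check_request() then emulates tying an access list to each community string. The packet bytes, the SAMPLE_GET_REQUEST/check_request names and the example networks are constructed for the demonstration.

```python
import ipaddress

# Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with the
# default community "public", as it would appear in a UDP/161 payload.
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026"                  # SEQUENCE, 38 bytes
    "020101"                # INTEGER version = 1 (SNMPv2c)
    "04067075626c6963"      # OCTET STRING "public": readable by any sniffer
    "a019"                  # GetRequest-PDU, 25 bytes
    "020101"                # request-id = 1
    "020100"                # error-status = 0
    "020100"                # error-index = 0
    "300e"                  # VarBindList
    "300c"                  # VarBind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0
    "0500"                  # NULL (value requested)
)

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "Trap"}


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value element at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return (version, community, pdu_type) from an SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vval, pos = _read_tlv(body, 0)
    ctag, cval, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("no community string (SNMPv3 or malformed)")
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(vval, "big", signed=True), "unknown")
    return version, cval.decode("ascii", "replace"), PDU_NAMES.get(ptag, hex(ptag))


def check_request(packet, src_ip, access_lists):
    """Emulate an access list tied to each community string. access_lists maps
    community -> iterable of allowed source networks (CIDR strings).
    Returns (allowed, findings) where findings are the log-worthy observations."""
    version, community, pdu = parse_snmp_header(packet)
    findings = []
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{community}' in use")
    networks = access_lists.get(community)
    if networks is None:
        findings.append(f"{pdu} ({version}) with unknown community '{community}'")
        return False, findings
    source = ipaddress.ip_address(src_ip)
    if not any(source in ipaddress.ip_network(net) for net in networks):
        findings.append(f"{pdu} ({version}) from {src_ip} is outside the access list for '{community}'")
        return False, findings
    return True, findings


if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_GET_REQUEST))
    acl = {"public": ["10.0.0.0/24"]}
    print(check_request(SAMPLE_GET_REQUEST, "10.0.0.5", acl))
    print(check_request(SAMPLE_GET_REQUEST, "192.0.2.9", acl))
```

The access list limits who may use a string but does nothing about its exposure: a source address can be spoofed in a single UDP datagram, and the string is still readable to anyone on the path, which is why the control is a mitigation for v1/v2c rather than a substitute for SNMPv3.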
Term
Comparison Program
Definition
A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences.
Term
Compensating control
Definition
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.
Term
Competencies
Definition
The strengths of an organization, what it does well.
Scope Note: Competencies can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work.
Term
Compiler
Definition
A program that translates programming language (source code) into machine executable instructions (object code).
Term
Completely Connected
(Mesh) Configuration
Definition
A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).
Term
Completeness Check
Definition
A procedure designed to ensure that no fields are missing from a record.
Term
Compliance Testing
Definition
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
Term
Component
Definition
A general term that is used to mean one part of something more complex.
Scope Note: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.
Term
Comprehensive Audit
Definition
An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department.
Term
Computationally Greedy
Definition
Requiring a great deal of computing power; processor intensive.
Term
Computer emergency response team (CERT)
Definition
A group of people integrated at the organization with clear lines of reporting and responsibilities for standby support in case of an information systems emergency
This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Term
Computer Forensics
Definition
The application of the scientific method to digital media to establish factual information for judicial review.
Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communications and digital storage devices) in a way that is admissible as evidence in a court of law.
Term
Computer Sequence
Checking
Definition
Verifies that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research.
Term
Computer Server
Definition
1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems.
2. A computer that provides services to another computer (the client).
Term
Computer-Aided Software Engineering (CASE)
Definition
The use of software packages that aid in the development of all phases of an information system.
Scope Note: System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Term
Computer-Assisted Audit Technique (CAATs)
Definition
Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities.
Term
Concurrency Control
Definition
Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Term
Concurrent Access
Definition
A fail-over process, in which all nodes run the same resource group (there can be no IP or MAC addresses in a concurrent resource group) and access the external storage concurrently.
Term
Confidentiality
Definition
The protection of sensitive or private information from unauthorized disclosure.
Term
Configurable Controls
Definition
Typically, automated controls that are based on and, therefore, dependent on the configuration of parameters within the application system.
Term
Configuration Item (CI)
Definition
A component of an infrastructure (or an item associated with an infrastructure, such as a request for change) which is, or is to be, under the control of configuration management.
Scope Note: CIs may vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component.
Term
Configuration
Management
Definition
The control of changes to a set of configuration items over a system life cycle
Term
Console Log
Definition
An automated detail report of computer system activity.
Term
Consulted
Definition
In a RACI chart, refers to those people whose opinions are sought on an activity (two-way communication).
Term
Content Filtering
Definition
Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules.
Scope Note: Content filtering differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags).
Term
Context
Definition
Includes the factors that must be present before any specific attempt to transform enterprise systems data into knowledge and results.
Scope Note: Context includes technology context (technological factors that affect an organization's ability to extract value from data), data context (data accuracy, availability, currency and quality), skills and knowledge (general experience and analytical, technical and business skills), organizational and cultural context (political factors and whether the organization prefers data to intuition) and strategic context (strategic objectives of the organization).
Term
Contingency Plan
Definition
A plan used by an organization or business unit to respond to a specific systems failure or disruption.
Term
Contingency planning
Definition
Process of developing advance arrangements and procedures that enable an organization to respond to an event that could occur by chance or unforeseen circumstances.
Term
Continuity
Definition
Preventing, mitigating and recovering from disruption.
Scope Note: The terms "business resumption planning", "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.
Term
Continuous Auditing
Approach
Definition
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Term
Continuous Availability
Definition
Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed.
Term
Continuous improvement
Definition
The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost but do not add value;" just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment.
Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Term
Control Center
Definition
Hosts the recovery meetings where disaster recovery operations are managed.
Term
Control framework
Definition
A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an organization
Term
Control Group
Definition
Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups.
Term
Control Objective
Definition
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.
Term
Control Objectives for Enterprise Governance
Definition
A discussion document which sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers, which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.
Term
Control Perimeter
Definition
The boundary defining the scope of control authority for an entity.
Scope Note: For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack.
Term
Control Practice
Definition
Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.
Term
Control risk
Definition
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. (See also inherent risk)
Term
Control Risk Self-Assessment
Definition
A method/process by which management and staff of all levels collectively identify and evaluate risks and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.
Term
Control Section
Definition
The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer.
Term
Control Weakness
Definition
A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.
Term
Controls
Definition
Scope Note: See internal control.
Term
Cookie
Definition
A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them.
Scope Note: For the first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view, based on that user's preferences, can be produced. The browser's implementation of cookies has however brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user's identity and enable restricted web services).
Term
Corporate Exchange Rate
Definition
An exchange rate, which can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the organization.
Term
Corporate governance
Definition
The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
Term
Corporate Security Officer (CSO)
Definition
Responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program.
Term
Corrective Controls
Definition
Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.
Term
COSO
Definition
Committee of Sponsoring Organizations of the Treadway Commission.
Scope Note: Its 1992 report "Internal Control – Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.
Term
Countermeasure
Definition
Any process that directly reduces a threat or vulnerability.
Term
Coupling
Definition
Measure of interconnectivity among software program modules’ structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data passes across the interface.
Scope Note: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Term
Coverage
Definition
The proportion of known attacks detected by an intrusion detection system.
Term
Crack
Definition
To "break into" or "get around" a software program.
Scope Note: For example, there are certain newsgroups that post serial numbers for pirated versions of software. A cracker may download this information in an attempt to crack the program so he/she can use it. It is commonly used in the case of cracking (unencrypting) a password or other sensitive data.
Term
Credentialed Analysis
Definition
In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required.
Scope Note: Credentialed analysis usually involves accessing a system data object.
Term
Criteria
Definition
The standards and benchmarks used to measure and present the subject matter and against which the IS auditor evaluates the subject matter.
Scope Note: Criteria should be: Objective (free from bias); Measurable (provide for consistent measurement); Complete (include all relevant factors to reach a conclusion); Relevant (relate to the subject matter).
In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.
Term
Critical Functions
Definition
Business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization.
Term
Critical Infrastructure
Definition
Systems whose incapacity or destruction would have a debilitating effect on the economic security of an organization, community or nation.
Term
Critical success factors (CSFs)
Definition
The most important issues or actions for management to achieve control over and within its IT processes.
Term
Criticality Analysis
Definition
An analysis to evaluate resources or business functions to identify their importance to the organization, and the impact if a function cannot be completed or a resource is not available.
Term
Cross-Certification
Definition
A certificate issued by one certification authority to a second certification authority so that users of the first certification authority are able to obtain the public key of the second certification authority and verify the certificates it has created.
Scope Note: Often cross-certification refers specifically to certificates issued to each other by two CAs at the same level in a hierarchy.
Term
Cryptography
Definition
The art of designing, analyzing and attacking cryptographic schemes.
Term
Customer Relationship Management (CRM)
Definition
A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an organization manage customer relationships in an organized manner.
Term
Cybercops
Definition
An investigator of computer-crime-related activities.
Term
Damage Evaluation
Definition
The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the organization.
Term
Dashboard
Definition
A tool for setting expectations for an organization at each level of responsibility and continuous monitoring of the performance against set targets.
Term
Data Analysis
Definition
Typically in large organizations, where the quantum of data processed by the ERPs is extremely voluminous, analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations.
Scope Note: Most ERPs provide opportunities for extraction and analysis of data, some with built-in tools, others through the use of third-party developed tools that interface with the ERP systems.
Term
Data Classification
Definition
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.
Term
Data Classification Scheme
Definition
An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership.
Term
Data Communications
Definition
The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links.
Term
Data custodian
Definition
The individuals and departments responsible for the storage and safeguarding of computerized data
Term
Data Dictionary
Definition
A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated.
Scope Note: The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.
Term
Data Diddling
Definition
Changing data with malicious intent before or during input into the system.
Term
Data Encryption Standard (DES)
Definition
An algorithm for encoding binary data.
Scope Note: It is a private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES was defined as a Federal Information Processing Standard (FIPS) in 1976 and has been used commonly for data encryption in the forms of software and hardware implementation.
Term
Data Flow
Definition
The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank’s central database). Data flow includes traveling through the communication lines, routers, switches and firewalls as well as processing through various applications on servers which process the data from user fingers to storage in a bank's central database.
Term
Data Integrity
Definition
The property that data meet with an a priori expectation of quality and that the data can be relied upon.
Term
Data Leakage
Definition
Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.
Term
Data Normalization
Definition
A structured process for organizing data into tables in such a way that it preserves the relationships among the data.
Term
Data owner
Definition
The individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.
Term
Data Security
Definition
Those controls that seek to maintain confidentiality, integrity and availability of information.
Term
Data Structure
Definition
The relationships among files in a database and among data items within each file.
Term
Data Warehouse
Definition
A generic term for a system that stores, retrieves and manages large volumes of data.
Scope Note: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches, as well as advanced filtering.
Term
Database
Definition
A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements.
Term
Database Administrator (DBA)
Definition
An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
Term
Database Management System (DBMS)
Definition
A software system that controls the organization, storage and retrieval of data in a database.
Term
Database Replication
Definition
The process of creating and managing duplicate versions of a database.
Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all the others. The beauty of replication is that it enables many users to work with their own local copy of a database but have the database updated as if they were working on a single centralized database. For database applications where geographically users are distributed widely, replication is often the most efficient method of database access.
Term
Database Specifications
Definition
These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database.
Term
Datagram
Definition
A packet (encapsulated with a frame containing information), which is transmitted in a packet-switching network from source to destination.
Term
Data-Oriented Systems Development
Definition
Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and to provide useable data rather than a function.
Term
Decentralization
Definition
The process of distributing computer processing to different locations within an organization.
Term
Decision Support Systems (DSS)
Definition
An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks.
Term
Decryption
Definition
A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption.
Term
Decryption Key
Definition
A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption.
Term
Default
Definition
A computer software setting or preference that states what will automatically happen in the event that the user has not stated another preference. For example, a computer may have a default setting to launch or start Netscape whenever a GIF file is opened; however, if using Photoshop is the preference for viewing a GIF file, the default setting can be changed to Photoshop. In the case of default accounts, these are accounts that are provided by the operating system vendor (e.g., root in UNIX).
Term
Default Deny Policy
Definition
A policy whereby access is denied unless it is specifically allowed. The inverse of default allow.
Term
Default Password
Definition
The password used to gain access when a system is first installed on a computer or network device.
Scope Note: There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable.
Term
Defense in Depth
Definition
The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an organization's computing and information resources.
Term
Degauss
Definition
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media.
Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.
Term
Demodulation
Definition
The process of converting an analog telecommunications signal into a digital computer signal.
Term
Demographic
Definition
A fact determined by measuring and analyzing data about a population; it relies heavily upon survey research and census data.
Term
Denial-of-Service Attack (DoS)
Definition
An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
Term
Depreciation
Definition
The process of cost allocation that assigns the original cost of equipment to the periods benefited.
Scope Note: The most common method of calculating depreciation is the straight-line method, which assumes that assets should be written off in equal amounts over their lives.
Term
Detailed IS Controls
Definition
Controls over the acquisition, implementation, delivery and support of IS systems and services made up of application controls plus those general controls not included in pervasive controls.
Term
Detective Application Controls
Definition
Controls designed to detect errors that may have occurred, based on predefined logic or business rules. Detective application controls are usually executed after an action has taken place and often cover a group of transactions.
Term
Detective controls
Definition
Controls that exist to detect and report when errors, omissions and unauthorized uses or entries occur
Term
Device
Definition
A generic term for a computer subsystem, such as a printer, serial port, or disk drive. A device frequently requires its own controlling software, called a device driver.
Term
Dial-back
Definition
Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel.
Term
Dial-in Access Controls
Definition
Prevents unauthorized access from remote users that attempt to access a secured environment. These controls range from dial?back controls to remote user authentication.
Term
Digital Certification
Definition
A process to authenticate (or certify) a party’s digital signature; carried out by trusted third parties.
Term
Digital Code Signing
Definition
The process of digitally signing computer code to ensure its integrity.
Term
Digital Signature
Definition
A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and non-repudiation. A digital signature is generated using the sender’s private key or applying a one-way hash function.
Term
Direct Reporting Engagement
Definition
An engagement where management does not make a written assertion about the effectiveness of their control procedures, and the IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures.
Term
Disaster
Definition
1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an organization's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe.
2. The period when organization management decides to divert from normal production responses and exercises its disaster recovery plan. Typically signifies the beginning of a move from a primary to an alternate location.
Term
Disaster Declaration
Definition
The communication to appropriate internal and external parties that the disaster recovery plan is being put into operation.
Term
Disaster Notification Fee
Definition
The fee the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required.
Scope Note: The fee is implemented to discourage false disaster notifications.
Term
Disaster recovery
Definition
Activities and programs designed to return the organization to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan to restore an organization's critical business functions.
Term
Disaster recovery plan (DRP)
Definition
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Term
Disaster Recovery Plan Desk Checking
Definition
Typically a read-through of a disaster recovery plan without any real actions taking place.
Scope Note: It generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified.
Term
Disaster Recovery Plan Walk-through
Definition
Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps they would need to take to recover. As many aspects of the plan should be tested as possible.
Term
Disaster Tolerance
Definition
The time gap the business can accept the non-availability of IT facilities.
Term
Disclosure Controls and Procedures
Definition
The processes in place designed to help ensure that all material information is disclosed by an organization in the reports it files or submits to the SEC.
Scope Note: Disclosure Controls and Procedures also require that disclosures be authorized, complete and accurate, and recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. Deficiencies in controls, as well as any significant changes to controls, must be communicated to the organization’s audit committee and auditors in a timely manner. An organization’s principal executive officer and financial officer must certify the existence of these controls on a quarterly basis.
Term
Discount Rate
Definition
An interest rate used to calculate a present value, which might or might not include the time value of money, tax effects, risks or other factors.
Term
Discovery Sampling
Definition
A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population.
Term
Discretionary Access Control (DAC)
Definition
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Scope Note: The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
Term
Disk Mirroring
Definition
The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.
Term
Diskless Workstations
Definition
A workstation or PC on a network that does not have its own disk, but instead, stores files on a network file server.
Term
Distributed Data Processing Network
Definition
A system of computers connected together by a communications network.
Scope Note: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.
Term
Distributed Denial-of-Service Attack (DDoS)
Definition
A denial-of-service (DoS) assault from multiple sources.
Term
Diverse Routing
Definition
The method of routing traffic through split cable facilities or duplicate cable facilities.
Scope Note: This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risks due to human error and disastrous events.
Term
Domain
Definition
In COBIT, the grouping of control objectives into four logical stages in the life cycle of investments involving IT (Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate).
Term
Domain Name System (DNS)
Definition
A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers.
Term
Domain Name System (DNS) Poisoning
Definition
Corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address.
Scope Note: If a Web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, where an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. Also called DNS cache poisoning or cache poisoning.
Term
Double-loop Step
Definition
Integrates the management of tactics (financial budgets and monthly reviews) and the management of strategy.
Scope Note: A reporting system, based on the balanced scorecard, allows progress against strategy to be monitored and corrective actions to be taken as required.
Term
Downloading
Definition
The act of transferring computerized information from one computer to another computer.
Term
Downtime Report
Definition
A report that identifies the elapsed time when a computer is not operating correctly because of machine failure.
Term
Driver (Value and Risk)
Definition
A driver includes an event or other activity that results in the identification of an assurance/audit need.
Term
Dry-pipe Fire Extinguisher System
Definition
Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times.
Scope Note: The dry-pipe system is activated at the time of the fire alarm, and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.
Term
Dual Control
Definition
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource.
Term
Due Care
Definition
The level of care expected from a reasonable person of similar competency under similar conditions.
Term
Due diligence
Definition
The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis.
Term
Due Professional Care
Definition
Diligence that a person, who possesses a special skill, would exercise under a given set of circumstances.
Term
Dumb Terminal
Definition
A display terminal without processing capability.
Scope Note: Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation.
Term
Duplex Routing
Definition
The method or communication mode of routing data over the communication network (also see half duplex and full duplex).
Term
Dynamic Analysis
Definition
Analysis that is performed in real time or in continuous form.
Term
Dynamic Host Configuration Protocol (DHCP)
Definition
A protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask, and IP addresses of DNS servers from a DHCP server.
Scope Note: The DHCP server ensures that all IP addresses are unique, e.g., no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired). Thus IP address pool management is done by the server and not by a human network administrator.
Term
Echo Checks
Definition
Detects line errors by retransmitting data back to the sending device for comparison with the original transmission.
Term
E-commerce
Definition
The processes by which organizations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology.
Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as EDI and SWIFT.
Term
Economic Value Add (EVA)
Definition
Technique developed by G. Bennett Stewart III, and registered by the consulting firm of Stern, Stewart, where the performance of the corporate capital base, including depreciated investments, such as training, research and development, as well as more traditional capital investments, such as physical property and equipment, are measured against what shareholders could earn elsewhere.
Term
Edit Controls
Definition
Detects errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing.
Term
Editing
Definition
Ensures that data conform to predetermined criteria and enable early identification of potential errors.
Term
Electronic Data Interchange (EDI)
Definition
The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.
Term
Electronic Document
Definition
An administrative document (a document with legal validity, such as a contract) in any graphical, photographic, electromagnetic (tape) or other electronic representation of its content.
Scope Note: Almost all countries have developed legislation concerning the definition, use and legal validity of an electronic document. An electronic document, in whatever medium holds the data or information used as evidence of a contract or transaction between parties, is considered together with the software program capable of reading it. The definition of a legally valid document as any representation of legally relevant data, not only data printed on paper, was introduced into the legislation related to computer crime. In addition, many countries, in defining and regulating the use of such instruments, have issued regulations defining specifics such as the electronic signature and data interchange formats.
Term
Electronic Funds
Transfer (EFT)
Definition
The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.
Term
Electronic Signature
Definition
Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data. Digital signatures are an example of electronic signatures.
Term
Electronic Vaulting
Definition
A data recovery strategy that allows organizations to recover data within hours after a disaster.
Scope Note: Typically used for batch/journal updates to critical files to supplement full backups taken periodically, it includes recovery of data from an offsite storage media that mirrors data via a communication link.
Term
Embedded Audit
Module
Definition
Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store-and-forward methods. Also known as a continuous auditing module. Not to be confused with an integrated test facility (ITF), which processes fictitious test data through the production system.
Term
Encapsulation (objects)
Definition
In object-oriented design, the bundling of an object's data with the methods that operate on that data, so that the object's internal state can be read or changed only through its defined interface. The same term is used for layered protocols, in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of its own frame.
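As an added example (not part of the glossary), the following Python builds a UDP datagram, encapsulates it in an IPv4 packet and then in an Ethernet II frame, and decapsulates the frame again layer by layer. The MAC and IP addresses, ports and payload are constructed for illustration. The parser does what a practitioner wants a decapsulating parser to do: it verifies the IPv4 header checksum and refuses frames whose per-layer length fields disagree with the bytes actually present, since such mismatches are a classic source of parser confusion.

```python
import struct

# Added example, not from the glossary. Addresses, ports and payload are constructed.
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # UDP checksum left as 0, which IPv4 permits ("not computed").
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: bytes, dst: bytes, payload: bytes) -> bytes:
    # Version 4, IHL 5 (20-byte header), TTL 64, protocol UDP; checksum filled in second.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, IPPROTO_UDP, 0, src, dst)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Decapsulate Ethernet -> IPv4 -> UDP, rejecting inconsistent headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip) or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IHL or IPv4 header checksum")
    (total_len,) = struct.unpack("!H", ip[2:4])
    if total_len < ihl + 8 or total_len > len(ip):
        raise ValueError("IPv4 total length inconsistent with frame")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("UDP length inconsistent with IPv4 payload")
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "src_ip": ip[12:16], "dst_ip": ip[16:20],
        "src_port": src_port, "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


def example_frame() -> bytes:
    # Constructed: locally administered MACs, IPs from the TEST-NET-1 range.
    datagram = build_udp(40000, 53, b"hello")
    packet = build_ipv4(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]), datagram)
    return build_ethernet(bytes.fromhex("020000000002"),
                          bytes.fromhex("020000000001"), packet)


if __name__ == "__main__":
    print(parse_frame(example_frame()))
```

The Ethernet header carries only what Ethernet needs (addresses and an EtherType); the IPv4 header is opaque payload to it, and the UDP header is opaque payload to IPv4. Each layer is removed by reading its own header and handing the remainder upward.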
Term
Encryption
Definition
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
Term
Encryption Key
Definition
A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext.
Term
End-User Computing
Definition
The ability of end users to design and implement their own information system utilizing computer software products.
Term
Engagement Letter
Definition
Formal document which defines the IS auditor's responsibility, authority and accountability for a specific assignment.
Term
Enterprise
Definition
A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust.
Term
Enterprise architecture
Definition
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the organization’s objectives.
Term
Enterprise architecture for IT
Definition
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the organization’s objectives.
Term
Enterprise governance
Definition
A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
Term
Enterprise resource planning (ERP) system
Definition
An integrated system containing multiple business subsystems
Scope Note: Examples of enterprise resource planning include SAP, Oracle Financials and J.D. Edwards.
Term
Enterprise risk management (ERM)
Definition
The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders
Term
ERP (Enterprise Resource Planning) System
Definition
A packaged business software system that allows an organization to automate and integrate the majority of its business processes; share common data and practices across the entire enterprise; produce and access information in a real-time environment.
Term
Error
Definition
A deviation from accuracy or correctness.
Scope Note: As it relates to audit work, errors may relate to control deviations (compliance testing) or misstatements (substantive testing).
Term
Escrow Agent
Definition
A person, agency or organization that is authorized to act on behalf of another to create a legal relationship with a third party in regards to an escrow agreement; the custodian of an asset according to an escrow agreement.
Scope Note: As it relates to a cryptographic key, an escrow agent is the agency or organization charged with the responsibility for safeguarding the key components of the unique key.
Term
Escrow Agreement
Definition
A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract.
Scope Note: Upon occurrence of the contingency specified in the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
Term
Ethernet
Definition
A popular network protocol and cabling scheme, originally based on a bus topology, that uses CSMA/CD (carrier sense multiple access with collision detection) to detect and recover from collisions when two devices transmit on the network at the same time.
Term
Event
Definition
Something that happens at a specific place and/or time
Term
Event type
Definition
For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event.
Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.
Term
Evidence
Definition
1. Information that proves or disproves a stated issue
2. Information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Scope Note: Definition 2 reflects the audit perspective.
Term
Exception Reports
Definition
An exception report is generated by a program that identifies transactions or data that appear to be incorrect.
Scope Note: Reported items may fall outside a predetermined range or may not conform to specified criteria.
Term
Exclusive-OR (XOR)
Definition
The exclusive-OR operator returns a value of TRUE only if just one of its operands is TRUE.
Scope Note: The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0 or 1 and 1) and produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive-OR operator returns a value of TRUE if either or both of its operands are TRUE.
Term
Executable Code
Definition
The machine language code that is generally referred to as the object or load module.
Term
Expert Systems
Definition
Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence.
Scope Note: An expert system has a built in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.
Term
Exposure
Definition
The potential loss to an area due to the occurrence of an adverse event.
Term
Extended Binary-coded Decimal Interchange Code (EBCDIC)
Definition
An 8-bit character code representing 256 characters; used mainly on IBM mainframe and midrange systems.
Term
Extended Enterprise
Definition
Describes an organization that extends outside its traditional boundaries. Such organizations concentrate on the processes in which they do best and rely on someone outside the entity to perform the remaining processes.
Term
Extensible Markup
Language (XML)
Definition
Promulgated through the World Wide Web Consortium, XML is a markup language that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and organizations.
Term
External Router
Definition
The router at the extreme edge of the network under control, usually connected to an ISP or other service provider; also known as border router.
Term
External Storage
Definition
The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster.
Term
Extranet
Definition
A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers, or other businesses, as well as to execute electronic transactions.
Scope Note: An extranet is different from an intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.
Term
Fail-over
Definition
The transfer of service from an incapacitated primary component to its backup component.
Term
Fail-safe
Definition
Describes a design in which a failure leaves the system in a predetermined safe state rather than an undefined one. For access control mechanisms the safe state is normally to deny access (also called fail-secure or fail-closed); for life-safety equipment such as fire-exit door locks it is to unlock. Not to be confused with tamper resistance, the ability to withstand active attempts to attack or bypass a mechanism.
Term
Fallback Procedures
Definition
A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended
Scope Note: Fallback procedures may involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.
Term
Fall-through Logic
Definition
Optimized code based on branch prediction: the compiler or processor predicts which way a program will branch when a conditional is evaluated and arranges the code so that the predicted path falls through without a jump.
Term
False Authorization
Definition
Also called false acceptance, it occurs when an unauthorized person is identified as an authorized person by the biometric system.
Term
False Enrollment
Definition
Occurs when an unauthorized person manages to enroll into the biometric system.
Scope Note: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.
Term
False Negative
Definition
In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity.
Term
False Positive
Definition
A result that has been mistakenly identified as a problem when in reality the situation is normal.
Term
Fault Tolerance
Definition
A system's ability to continue operating correctly, without interruption to service, when hardware and/or software components fail.
Term
Feasibility study
Definition
A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need
Term
Fiber Optic Cable
Definition
Glass fibers that transmit binary signals over a telecommunications network.
Scope Note: Fiber optic systems have low transmission losses compared to twisted-pair cables. They do not radiate energy or conduct electricity, so they are immune to electromagnetic and lightning-induced interference, and they reduce the risk of wiretaps.
Term
Field
Definition
An individual data element in a computer record.
Scope Note: Examples of a field include employee name, customer address, account number, product unit price and product quantity in stock.
Term
File
Definition
A named collection of related records.
Term
File Allocation Table
(FAT)
Definition
A table used by the operating system to keep track of where every file is located on the disk.
Scope Note: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.
Term
File Layout
Definition
Specifies the length of the file’s record and the sequence and size of its fields.
Scope Note: A file layout also will specify the type of data contained within each field. For example, alphanumeric, zoned decimal, packed and binary are types of data.
Term
File Server
Definition
A high?capacity disk storage device or a computer that stores data centrally for network users and manages access to that data.
Scope Note: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available.
Term
File Transfer Protocol
(FTP)
Definition
A protocol used to transfer files over a TCP/IP network (Internet, UNIX, etc.).
Term
Filtering Router
Definition
A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules.
Term
FIN (Final)
Definition
A TCP flag set in a segment to indicate that the sender has no more data to send; each side of a connection sends a FIN to close its direction of the connection.
Term
Financial Audit
Definition
An audit designed to determine the accuracy of financial records and information.
Term
Finger
Definition
A protocol and program that allows the remote identification of users logged into a system.
Term
Firewall
Definition
A system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment such as the Internet.
Term
Firmware
Definition
Program code stored in non-volatile memory (such as ROM or flash) within a device, which retains its content when power is turned off.
Term
Fiscal Year
Definition
Any yearly accounting period without regard to its relationship to a calendar year.
Term
Foreign Key
Definition
A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value.
Scope Note: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation, and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In relational theory the referenced key may be any candidate key, but in real DBMS implementations it is almost always the primary key.)
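As an added example (not part of the glossary), the following Python uses SQLite, which ships with the standard library, to show a referential constraint being enforced by the DBMS and, for contrast, the audit query that finds orphaned foreign-key values in a database where enforcement was left off. The tables, names and rows are constructed. The caveat a practitioner should know: SQLite checks REFERENCES clauses only when the `foreign_keys` pragma is on for the connection, so a schema that looks constrained may be enforcing nothing.

```python
import sqlite3

# Added example, not from the glossary. Schema and data are constructed.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES customer(customer_id) ON DELETE RESTRICT,
    amount      NUMERIC NOT NULL
);
INSERT INTO customer VALUES (1, 'Acme'), (2, 'Globex'), (3, 'Initech');
INSERT INTO invoice  VALUES (100, 1, 250.00), (101, 2, 99.50);
"""


def build_db(enforce_foreign_keys: bool = True) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite enforces REFERENCES only while this pragma is on; it is per
    # connection and must be issued outside a transaction.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_foreign_keys else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def try_insert_invoice(conn, invoice_id, customer_id, amount) -> bool:
    """False when the referencing value matches no candidate key (referential constraint)."""
    try:
        with conn:
            conn.execute("INSERT INTO invoice VALUES (?, ?, ?)",
                         (invoice_id, customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def try_delete_customer(conn, customer_id) -> bool:
    """False when deleting the referenced row would leave invoices orphaned."""
    try:
        with conn:
            conn.execute("DELETE FROM customer WHERE customer_id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_invoices(conn) -> list:
    """Audit query: invoices whose customer_id matches no row in customer."""
    rows = conn.execute("""
        SELECT i.invoice_id
        FROM invoice i
        LEFT JOIN customer c ON c.customer_id = i.customer_id
        WHERE c.customer_id IS NULL
        ORDER BY i.invoice_id
    """).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("insert with unknown customer accepted:", try_insert_invoice(db, 103, 9, 10.00))
    print("delete of referenced customer accepted:", try_delete_customer(db, 1))
    lax = build_db(enforce_foreign_keys=False)
    try_insert_invoice(lax, 999, 42, 1.00)
    print("orphans in unenforced database:", orphan_invoices(lax))
```

The LEFT JOIN query is the check an IS auditor runs against any database whose constraints may have been disabled, for example for a bulk load: it lists the referencing rows whose foreign key has no matching candidate key.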
Term
Forensic Examination
Definition
The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise.
Term
Format Checking
Definition
The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format.
Term
Fourth Generation
Language (4GL)
Definition
High level, user friendly, nonprocedural computer languages used to program and/or read and process computer files.
Term
Frame Relay
Definition
A packet-switched wide-area-network technology that provides faster performance than older packet-switched WAN technologies.
Scope Note: Frame relay is best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).
Term
Framework
Definition
Scope Note: See control framework and IT governance framework.
Term
Frequency
Definition
A measure of the rate by which events occur over a certain period of time
Term
Function Point Analysis
Definition
A technique used to determine the size of a development task, based on the number of function points.
Scope Note: Function points are derived from counts of elements such as external inputs, external outputs, external inquiries and internal logical files.
Term
Gateway
Definition
A device (router, firewall) on a network that serves as an entrance to another network.
Term
General Computer
Controls
Definition
Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery.
Term
Generalized Audit
Software (GAS)
Definition
Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting.
Term
Generic Process Control
Definition
A control that applies to all processes of the organization.
Term
Geographic Disk
Mirroring
Definition
A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high performance communication lines. Any write to a disk on one side will result in a write on the other. The local write will not return until the acknowledgement of the remote write is successful.
Term
Geographical Information System (GIS)
Definition
A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth.
Scope Note: GIS data exist as maps, three-dimensional virtual models, lists and tables.
Term
Governance
Definition
The oversight, direction and high-level monitoring and control of an enterprise to ensure the achievement of defined and approved objectives
Term
Guideline
Definition
A description of a particular way of accomplishing something that is less prescriptive than a procedure.
Term
Hacker
Definition
An individual who attempts to gain unauthorized access to a computer system.
Term
Handprint Scanner
Definition
A biometric device that is used to authenticate a user through palm scans.
Term
Harden
Definition
To configure a computer or other network device to resist attacks.
Term
Hardware
Definition
The physical components of a computer system.
Term
Hash Function
Definition
An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input.
Scope Note: It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm.
Term
Hash Total
Definition
The total of any numeric data field on a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.
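As an added example (not part of the glossary), the following Python ties together the input controls defined on this page: a batch of detail records arrives with a header carrying the sender's control totals; each record passes through format checks and edit checks; rejects go on an exception report; and the receiver recomputes the record count, the amount total and a hash total of the account-number field and compares them with the header. The record layout, the edit limit and the batch itself are constructed. The batch deliberately contains a keying transposition in one account number, which neither the record count nor the amount total can detect but the hash total does.

```python
import re
from datetime import date
from decimal import Decimal

# Added example, not from the glossary. Layout, limits and data are constructed.
ACCOUNT_RE = re.compile(r"^\d{8}$")          # format check: exactly eight digits
AMOUNT_RE = re.compile(r"^\d{1,9}\.\d{2}$")  # format check: 9.2 numeric, no sign
AMOUNT_LIMIT = Decimal("100000.00")          # edit check: constructed business limit

# Constructed batch. Header: H,<record count>,<hash total of accounts>,<amount total>.
# The sender keyed the second account as 10000012; in transit it became 10000021.
BATCH = """\
H,4,40000020,1530.25
D,10000001,2024-03-01,500.00
D,10000021,2024-03-02,20.25
D,10000003,2024-13-05,1000.00
D,10000004,2024-03-04,10.00
"""


def validate_record(fields):
    """Return the list of reasons a record fails format or edit checks (empty if clean)."""
    if len(fields) != 4:
        return ["wrong field count"]
    _, account, txn_date, amount = fields
    errors = []
    if not ACCOUNT_RE.match(account):
        errors.append("account number not 8 digits")
    try:
        date.fromisoformat(txn_date)          # rejects month 13, day 32, etc.
    except ValueError:
        errors.append("invalid date")
    if not AMOUNT_RE.match(amount):
        errors.append("amount not in 9.2 format")
    elif Decimal(amount) > AMOUNT_LIMIT:
        errors.append("amount exceeds limit")
    return errors


def process_batch(text):
    lines = text.splitlines()
    header = lines[0].split(",")
    if header[0] != "H" or len(header) != 4:
        raise ValueError("missing or malformed batch header")
    declared_count = int(header[1])
    declared_hash = int(header[2])
    declared_amount = Decimal(header[3])

    accepted = 0
    exceptions = []            # exception report: (line number, raw record, reasons)
    computed_hash = 0          # hash total: arithmetic sum of the account-number field
    computed_amount = Decimal("0")
    for line_no, line in enumerate(lines[1:], start=2):
        fields = line.split(",")
        errors = validate_record(fields)
        if errors:
            exceptions.append((line_no, line, errors))
        else:
            accepted += 1
        # Totals cover every record whose field parses, rejected or not, so they
        # describe the same population the sender totalled.
        if len(fields) == 4 and ACCOUNT_RE.match(fields[1]):
            computed_hash += int(fields[1])
        if len(fields) == 4 and AMOUNT_RE.match(fields[3]):
            computed_amount += Decimal(fields[3])

    return {
        "accepted": accepted,
        "exceptions": exceptions,
        "count_ok": declared_count == len(lines) - 1,
        "amount_total_ok": declared_amount == computed_amount,
        "hash_total_ok": declared_hash == computed_hash,
        "computed_hash_total": computed_hash,
    }


if __name__ == "__main__":
    result = process_batch(BATCH)
    for line_no, record, reasons in result["exceptions"]:
        print("EXCEPTION line %d: %s -> %s" % (line_no, record, "; ".join(reasons)))
    print("count ok:", result["count_ok"], " amount total ok:", result["amount_total_ok"],
          " hash total ok:", result["hash_total_ok"])
```

The hash total has no business meaning (a sum of account numbers), which is exactly why it is useful: it changes whenever a record is lost, duplicated or has its key field altered, even when the amounts still add up.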
Term
Help Desk
Definition
A service offered via phone/Internet by an organization to its clients or employees, which provides information, assistance, and troubleshooting advice regarding software, hardware, or networks.
Scope Note: A help desk is staffed by people that can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated CRM-type software that logs the problems and tracks them until they are solved.
Term
Heuristic Filter
Definition
A method often employed by antispam software to filter spam using criteria established in a centralized rule database.
Scope Note: Every e-mail message is given a rank, based upon its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
Term
Hexadecimal
Definition
A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal numbers as a convenient way of representing binary numbers.
Term
Hierarchical Database
Definition
A database structured in a tree/root or parent/child relationship.
Scope Note: In a hierarchical database, each parent can have many children, but each child may have only one parent.
Term
Honeypot
Definition
A specially configured server designed to attract and monitor intruders in a manner such that their actions do not affect production systems.
Scope Note: Also known as a decoy server.
Term
Hot Site
Definition
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster.
Term
Hub
Definition
A common connection point for devices in a network, hubs commonly are used to connect segments of a LAN.
Scope Note: A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.
Term
Hurdle Rate
Definition
Also known as the required rate of return; the rate of return above which an investment makes sense and below which it does not.
Scope Note: Hurdle rate is often based on the cost of capital, plus or minus a risk premium, and often varied based upon prevailing economic conditions.
Term
Hybrid Application
Controls
Definition
Those controls that consist of a combination of manual and automated activities, all of which must operate for the control to be effective.
Scope Note: Sometimes referred to as computer-dependent application controls.
Term
Hyper Text Transfer
Protocol Secure (HTTPS)
Definition
A protocol for accessing a web server over an encrypted channel: HTTP carried inside a TLS (formerly SSL) session, which encrypts all data transferred and authenticates the server to the client by means of the server's certificate.
Term
Hyperlink
Definition
An electronic pathway that may be displayed in the form of highlighted text, graphics or a button that connects one web page with another web page address.
Term
Hypertext
Definition
Text containing links (hyperlinks) to other documents or locations, so that information can be navigated by following the links instead of being read sequentially, as is the case with normal text.
Term
Hypertext markup language (HTML)
Definition
A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information (denoting certain text as headings, paragraphs, lists and so on) and can be used to describe, to some degree, the appearance and semantics of a document.
Term
Hypertext Transfer
Protocol (HTTP)
Definition
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML, XML or other pages to the client browsers.
Term
Idle Standby
Definition
A fail-over process in which the primary node owns the resource group. The backup node runs idle, only supervising the primary node.
Scope Note: In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption.
Term
IEEE
Definition
Pronounced I-triple-E, IEEE (Institute of Electrical and Electronics Engineers) is an organization composed of engineers, scientists and students
Scope Note: The IEEE is best known for developing standards for the computer and electronics industry.
Term
Image Processing
Definition
The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry.
Term
Impact analysis
Definition
A study to prioritize the criticality of information resources for the organization based on costs (or consequences) of adverse events.
In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
Term
Impact assessment
Definition
A review of the possible consequences of a risk.
Scope Note: See impact analysis.
Term
Impersonation
Definition
As a security concept related to Windows NT, allows a server application to temporarily "be" the client in terms of access to secure objects.
Scope Note: Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.
Term
Implement
Definition
In business, includes the full economic life cycle of the investment program through retirement, i.e., when the full expected value of the investment is realized, as much value as is deemed possible has been realized, or it is determined that the expected value cannot be realized and the program is terminated.
Term
Implementation Life
Cycle Review
Definition
Refers to the controls that support the process of transformation of the organization’s legacy information systems into the ERP applications.
Scope Note: Implementation life cycle review would largely cover all aspects of systems implementation and configuration, such as change management
Term
Incident
Definition
Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Term
Incident Response
Definition
The response of an organization to a disaster or other significant event that may significantly affect the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status.
Term
Incremental Testing
Definition
Deliberately testing only the value-added functionality of a software component.
Term
Independence
Definition
1. Self-governance.
2. Freedom from conflict of interest and undue influence.
Scope Note: The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees).
Term
Independent
Appearance
Definition
The outward impression of being self?governing and free from conflict of interest and undue influence.
Term
Independent Attitude
Definition
Impartial point of view which allows the IS auditor to act objectively and with fairness.
Term
Indexed sequential access method (ISAM)
Definition
A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability
Term
Indexed Sequential File
Definition
A file format in which records are organized and can be accessed, according to a pre?established key that is part of the record.
Term
Information
Architecture
Definition
Information architecture is one component of IT architecture (together with applications and technology).
Term
Information Criteria
Definition
Attributes of information that must be satisfied to meet business requirements.
Term
Information Engineering
Definition
Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems.
Term
Information Processing
Facility (IPF)
Definition
The computer room and support areas.
Term
Information security
Definition
Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability).
Term
Information security governance
Definition
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
Term
Information Security
Program
Definition
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis.
Term
Information systems (IS)
Definition
The combination of strategic, managerial and operational activities involved in the gathering, processing, storage, distributing, and use of information and its related technologies.
Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.
Term
Information technology
(IT)
Definition
The hardware, software, communications and other facilities used to input, store, process, transmit and output data in whatever form.
Term
Informed
Definition
In a RACI chart, refers to those people who are kept up to date on the progress of an activity (one-way communication).
Term
Inherent risk
Definition
1. The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)
2. The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error
Scope Note: Audit perspective; also see control risk.
Term
Inheritance (objects)
Definition
In object-oriented design, the mechanism by which a class (the subclass) acquires the attributes and methods of another class (the superclass), forming a class hierarchy. Some languages permit a class to inherit from only one superclass (single inheritance, a strict hierarchy); others permit several (multiple inheritance). Inheritance is a relationship between classes, not between objects: any class can instantiate objects irrespective of its position in the hierarchy, so there is no corresponding hierarchy of objects.
Term
Initial Program Load
(IPL)
Definition
The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction.
Term
Initialization Vector (IV) Collisions
Definition
A major concern is the way WEP allocates the RC4 initialization vectors (IVs): the IV is prepended to the shared key to form the seed for the RC4 pseudorandom number generator whose keystream encrypts the wireless data traffic. The IV in WEP is a 24-bit field, a small space that practically guarantees reuse and therefore keystream reuse. The WEP standard also fails to specify how IVs are assigned; many wireless network cards reset the IV to zero and then increment it by one for every frame. If an attacker captures two frames encrypted with the same IV (and the same key, if the key has not been changed), XORing the two ciphertexts cancels the keystream and exposes the XOR of the two plaintexts, from which portions of the original frames can be determined. This and other weaknesses make the network susceptible to attacks that recover the key itself. The original key-recovery attacks required a large number of frames (5-6 million) to fully derive the WEP key, but on a large, busy network this can occur in a short time, perhaps as quickly as 10 minutes (although even some of the largest corporate networks would likely need much more time than this to gather enough frames); later statistical attacks reduced the requirement to tens of thousands of frames. In WEP-protected wireless networks, multiple or all stations often use the same shared key, which greatly increases the chance of IV collisions. The result of
Term
Input Controls
Definition
Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer.
Term
Instant Messaging
Definition
Instant messaging is an online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data.
Scope Note: Instant messaging text is conveyed via computers or another electronic device (e.g., cell phone or PDA) connected over a network, such as the Internet.
Term
Integrated Services Digital Network (ISDN)
Definition
A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of services accessed by standardized interfaces with integrated customer control.
Scope Note: The standard allows transmission of digital voice, video and data over 64 Kbps lines.
Term
Integrated Test Facilities (ITF)
Definition
A testing methodology where test data are processed in production systems.
Scope Note: The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.
Term
Integrity
Definition
The accuracy, completeness and validity of information.
Term
Interface Testing
Definition
A testing technique that is used to evaluate output from one application, while the information is sent as input to another application.
Term
Internal control
Definition
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Term
Internal Control Environment
Definition
The relevant environment on which the controls have effect.
Term
Internal Control Over Financial Reporting
Definition
A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, and includes those policies and procedures that:
• Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the
Term
Internal Control Structure
Definition
The dynamic, integrated processes, effected by the governing body, management and all other staff, that are designed to provide reasonable assurance regarding the achievement of the following general objectives:
• Effectiveness, efficiency and economy of operations
• Reliability of management
• Compliance with applicable laws, regulations and internal policies
Management’s strategies for achieving these general objectives are affected by the design and operation of the following components:
• Control environment
• Information system
• Control procedures
Term
Internal Penetrators
Definition
Authorized users of a computer system who overstep their legitimate access rights.
Scope Note: This category is divided into masqueraders and clandestine users.
Term
Internal Rate of Return (IRR)
Definition
The discount rate that equates an investment cost with its projected earnings.
Scope Note: When discounted at the IRR, the present value of the cash outflow will equal the present value of the cash inflow. The IRR and NPV are measures of the expected profitability of an investment project.
Term
Internal Storage
Definition
The main memory of the computer’s central processing unit.
Term
Internet
Definition
1. Two or more networks connected by a router
2. The world’s largest network using TCP/IP protocols to link government, university and commercial institutions.
Term
Internet Banking
Definition
Use of the Internet as a remote delivery channel for banking services.
Scope Note: Services include the traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank’s web site).
Term
Internet Control Message Protocol (ICMP)
Definition
A set of protocols that allow systems to communicate information about the state of services on other systems.
Scope Note: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links, and whether a destination host/network/port is available. Hackers typically abuse ICMP to determine information about the remote site.
Term
Internet Engineering Task Force (IETF)
Definition
The Internet standards-setting organization, with international affiliates drawn from network industry representatives. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.
Term
Internet Inter-ORB Protocol (IIOP)
Definition
A protocol developed by the Object Management Group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web.
Scope Note: CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays and more complex program subelements, are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This significantly differs from HTTP, which only supports the transmission of text.
Term
Internet Packet (IP) Spoofing
Definition
An attack using packets with the spoofed source Internet packet (IP) addresses.
Scope Note: This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.
Term
Internet Protocol (IP)
Definition
Specifies the format of packets and the addressing scheme.
Term
Internet Protocol Security (IPSec)
Definition
A set of protocols developed by the IETF to support the secure exchange of packets.
Term
Internet Service Provider (ISP)
Definition
A third party that provides individuals and organizations access to the Internet and a variety of other Internet-related services.
Term
Interruption Window
Definition
The time the company can wait from the point of failure to the restoration of the minimum and critical services or applications. After this time, the progressive losses caused by the interruption are excessive for the organization.
Term
Intranet
Definition
A private network that uses the infrastructure and standards of the Internet and World Wide Web, but is isolated from the public Internet by firewall barriers.
Term
Intrusion
Definition
Any event where unauthorized access occurs.
Term
Intrusion Detection
Definition
The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack.
Term
Intrusion Detection System (IDS)
Definition
An IDS inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
Term
Intrusive Monitoring
Definition
In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, even crashing the system.
Term
Irregularities
Definition
Intentional violations of established management policy or regulatory requirements. Deliberate misstatements or omissions of information concerning the area under audit or the organization as a whole; gross negligence or unintentional illegal acts.
Term
Irregularity
Definition
Intentional violation of established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the organization as a whole, gross negligence or unintentional illegal acts.
Term
ISO 27001
Definition
Information Security Management—Specification with Guidance for Use; the replacement for BS7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management standards, such as ISO/IEC 9001 and 14001.
Term
ISO 9001:2000
Definition
Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any organization that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets.
Term
ISO/IEC 17799
Definition
This standard defines information's confidentiality, integrity and availability controls in a comprehensive information security management system.
Scope Note: Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The latest version is ISO/IEC 17799:2005.
Term
IT architecture
Definition
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the organization’s objectives
Term
IT governance
Definition
The responsibility of executives and the board of directors; it consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization's strategies and objectives.
Term
IT governance framework
Definition
A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance.
Scope Note: Per COBIT 4.0, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives
Term
IT Governance Institute (ITGI)
Definition
Founded by the Information Systems Audit and Control Association and its affiliated foundation in 1998, ITGI strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and increased stakeholder value by expanding awareness.
Term
IT Incident
Definition
Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Term
IT infrastructure
Definition
The set of hardware, software and facilities that integrates an organization's IT assets
Scope Note: Specifically, the equipment (including servers, routers, switches, and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization’s users
Term
IT investment dashboard
Definition
A tool for setting expectations for an organization at each level and continuous monitoring of the performance against set targets for expenditures on and returns from IT-enabled investment projects in terms of business values.
Term
IT Risk
Definition
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
Term
IT Risk Issue
Definition
1. An instance of an IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk
Term
IT Risk Profile
Definition
A description of the overall (identified) IT risk to which the enterprise is exposed
Term
IT Risk Register
Definition
A repository of the key attributes of potential and known IT risk issues
Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.
Term
IT Risk Scenario
Definition
The description of an IT-related event that can lead to a business impact
Term
IT steering committee
Definition
An executive management level committee that assists the executive in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects and focuses on implementation aspects.
Term
IT strategic plan
Definition
A long-term plan, i.e., three- to five-year horizon, in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals).
Term
IT strategy committee
Definition
Committee at the level of the board of directors to ensure that the board is involved in major IT matters/decisions.
Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.
Term
IT tactical plan
Definition
A medium-term plan, i.e., six- to 18-month horizon, that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed.
Term
IT User
Definition
A person who uses IT to support or achieve a business objective.
Term
ITIL
Definition
The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services.
Term
IT-related Incident
Definition
An IT-related event that causes an operational, developmental and/or strategic business impact
Term
Job Control Language (JCL)
Definition
A language used to control run routines in connection with performing tasks on a computer.
Term
Journal Entry
Definition
A debit or credit to a general ledger account, in Oracle. See also manual journal entry.
Term
Judgment Sampling
Definition
Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically.
Term
Key goal indicators (KGIs)
Definition
Measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria.
Term
Key management practices
Definition
Those management practices required to successfully execute business processes.
Term
Key performance indicator (KPI)
Definition
A measure that determines how well the process is performing in enabling the goal to be reached.
Scope Note: A KPI is a lead indicator of whether a goal will likely be reached, and a good indicator of capability, practices and skills. It measures an activity goal, which is an action the process owner must take to achieve effective process performance.
Term
Key risk indicator (KRI)
Definition
A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk.
Scope Note: See risk indicator.
Term
Knowledge Portal
Definition
Refers to the repository of a core of information and knowledge for the extended enterprise.
Scope Note: This is generally a web-based implementation containing a core repository of information provided for the extended enterprise to resolve any issues.
Term
Latency
Definition
The delay before a system or network responds.
Scope Note: More specifically, system latency is the time a system takes to retrieve data. Network latency is the time it takes for a packet to travel from source to the final destination.
Term
Leadership
Definition
The ability and process to translate vision into desired behaviors that are followed at all levels of the extended enterprise.
Term
Leased Lines
Definition
A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line.
Term
Level of Assurance
Definition
Refers to the degree to which the subject matter has been examined or reviewed.
Term
Librarian
Definition
The individual responsible for the safeguard and maintenance of all program and data files.
Term
Licensing Agreement
Definition
A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user.
Term
Life Cycle
Definition
A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program).
Term
Limit Check
Definition
Tests of specified amount fields against stipulated high or low limits of acceptability.
Scope Note: When both high and low values are used, the test may be called a range check.
Term
Link Editor (Linkage Editor)
Definition
A utility program that combines several separately compiled modules into one, resolving internal references between them.
Term
Literals
Definition
Any notation for representing a value within programming language source code, e.g., a string literal; a chunk of input data that is represented "as is" in compressed data.
Term
Local Area Network (LAN)
Definition
Communications networks that serve several users within a specified geographical area.
Scope Note: Personal computer LANs function as distributed processing systems in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.
Term
Log
Definition
To record details of information or events in an organized record-keeping system, usually sequenced in the order they occurred.
Term
Logical Access Controls
Definition
The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files.
Term
Logoff
Definition
Disconnecting from the computer.
Term
Logon
Definition
The act of connecting to the computer, which typically requires entry of a user ID and password into a computer terminal.
Term
Logs/Log file
Definition
Files created specifically to record various actions occurring on the system to be monitored, such as failed login attempts, full disk drives and e-mail delivery failures.
Term
Loss Event
Definition
Any event where a threat event results in loss
From Jones, J.; "FAIR Taxonomy," Risk Mgmt Insight, USA, 2008
Term
Machine Language
Definition
The logical language a computer understands.
Term
Magnetic Card Reader
Definition
A card reader that reads cards with a magnetic surface on which data can be stored and retrieved.
Term
Magnetic Ink Character Recognition (MICR)
Definition
Used to electronically input, read and interpret information directly from a source document.
Scope Note: MICR requires the source document to have specially coded magnetic ink typeset.
Term
Magnitude
Definition
A measure of the potential severity of loss or the potential gain from realized events/scenarios
Term
Mail Relay Server
Definition
An e-mail server that relays messages so that neither the sender nor the recipient is a local user.
Term
Malware
Definition
Short for malicious software, malware is software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent.
Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not really malicious, although it is generally unwanted. However, spyware can also be used to gather information for identity theft or other clearly illicit purposes.
Term
Management Information System (MIS)
Definition
An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making.
Term
Mandatory Access Control (MAC)
Definition
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf.
Term
Man-in-the-Middle Attack
Definition
An attack strategy in which the attacker intercepts the communications stream between two parts of the victim system and then replaces the traffic between the two components with the intruder’s own, eventually assuming control of the communication.
Term
Manual Journal Entry
Definition
A journal entry entered at a computer terminal.
Scope Note: Manual journal entries can include regular, statistical, inter-company and foreign currency entries.
Term
Mapping
Definition
Diagramming data that are to be exchanged electronically, including how it is to be used and what business management systems need it. Also see application tracing and mapping.
Scope Note: Mapping is a preliminary step for developing an applications link.
Term
Masking
Definition
A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report.
Term
Masqueraders
Definition
Attackers that penetrate systems by using the identity of legitimate users and their logon credentials.
Term
Master File
Definition
A file of semipermanent information that is used frequently for processing data or for more than one purpose.
Term
Materiality
Definition
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole.
Term
Maturity
Definition
In business, indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives
Term
Maturity model
Definition
Scope Note: See capability maturity model (CMM).
Term
Maximum Tolerable Outages (MTO)
Definition
Maximum time the organization can support processing in alternate mode.
Term
Measure
Definition
A standard used to evaluate and communicate performance against expected results.
Scope Note: Measures are normally quantitative in nature capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy.
Term
Media Access Control (MAC)
Definition
A unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet LAN or wireless network card. It is applied to the hardware at the factory and cannot be modified.
Term
Media Oxidation
Definition
The deterioration of the media upon which data is digitally stored due to exposure to oxygen and moisture.
Scope Note: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.
Term
Memory Dump
Definition
The act of copying raw data from one place to another with little or no formatting for readability.
Scope Note: Usually, dump refers to copying data from main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, one can study the dump and analyze the contents of memory at the time of the failure. Dumps are usually output in a difficult-to-read form (that is, binary, octal or hexadecimal), so a memory dump will not help unless the person reading it knows exactly what to look for.
Term
Message Authentication Code
Definition
An ANSI standard checksum that is computed using Data Encryption Standard (DES).
Term
Message Switching
Definition
A telecommunications traffic controlling methodology in which a complete message is sent to a concentration point and stored until the communications path is established.
Term
Metric
Definition
Specific descriptions of how a quantitative and periodic assessment of performance is to be measured.
Scope Note: A complete metric defines the unit used, frequency, ideal target value, the procedure to carry out the measurement and the procedure for the interpretation of the assessment.
Term
Microwave Transmission
Definition
A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations.
Term
Middleware
Definition
Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Term
Milestone
Definition
A terminal element that marks the completion of a work package or phase.
Scope Note: Typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously defined deliverable, or a high-level review meeting at which the appropriate level of project completion is determined and agreed to, a milestone is associated with some sort of decision that outlines the future of a project and, for outsourced projects, may have a payment to the contractor associated with it.
Term
Mirrored Site
Definition
An alternate site that contains the same information as the original.
Scope Note: Mirror sites are set up for backup and disaster recovery as well as to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.
Term
Mission-Critical Application
Definition
An application that is vital to the operation of the organization. The term is very popular for describing the applications required to run the day-to-day business.
Term
Misuse Detection
Definition
Detection on the basis of whether the system activity matches that defined as bad.
Term
Mobile Computing
Definition
Extends the concept of wireless computing to devices that enable new kinds of applications and expand an enterprise network to reach places and circumstances that could never have been reached by other means.
Scope Note: Mobile computing comprises PDAs, cellular phones, laptops and other technologies of this kind.
Term
Mobile Site
Definition
The use of a mobile/temporary facility to serve as a business resumption location. They can usually be delivered to any site and can house information technology and staff.
Term
Modeling
Definition
Developing a simplified representation of a system or phenomenon.
Scope Note: Such representations may be static or dynamic, in which case behavior of the system or phenomenon under different conditions can be simulated.
Term
Modem (Modulator-Demodulator)
Definition
Connects a terminal or computer to a communications network via a telephone line. Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies.
Term
Modulation
Definition
The process of converting a digital computer signal into an analog telecommunications signal.
Term
Monetary Unit Sampling
Definition
A sampling technique that estimates the amount of overstatement in an account balance.
Term
Monitoring Policy
Definition
Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted.
Term
Multiplexor
Definition
A device used for combining several lower-speed channels into a higher-speed channel.
Term
Mutual Takeover
Definition
A fail-over process, which is basically a two-way idle standby: two servers are configured so that both can take over the other node’s resource group. Both must have enough CPU power to run both applications with sufficient speed, or the performance losses expected until the failed node reintegrates must be taken into account.
Term
Net present value (NPV)
Definition
Calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment.
Scope Note: To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment should be taken into account as well.
Term
Net return
Definition
The revenue after tax and other deductions that a project or business makes. Often also classified as net profit.
Term
Netcat
Definition
A simple UNIX utility, which reads and writes data across network connections using TCP or UDP protocols. It is designed to be a reliable back-end tool that can be used directly or is easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection needed and has several interesting built-in capabilities. Netcat is now part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
Term
Net-Centric Technologies
Definition
The contents and security of information or objects (software and data) on the network are now of prime importance compared with traditional computer processing that emphasizes the location of hardware and its related software and data.
Scope Note: An example of net-centric technologies is the Internet, where the network is its primary concern.
Term
Netware
Definition
A popular local area network operating system developed by the Novell Corp.
Term
Network
Definition
A system of interconnected computers and the communications equipment used to connect them.
Term
Network Administrator
Definition
Responsible for planning, implementing and maintaining the telecommunications infrastructure, and also may be responsible for voice networks.
Scope Note: For smaller organizations, the network administrator may also maintain a LAN and assist end users.
Term
Network Attached Storage (NAS)
Definition
Utilizes dedicated storage devices that centralize storage of data.
Scope Note: Network attached storage devices generally do not provide traditional file/print or application services.
Term
Network Hop
Definition
An attack strategy in which the attacker successively hacks into a series of connected systems, obscuring his/her identity from the victim of the attack.
Term
Network Interface Card (NIC)
Definition
A communications card that, when inserted into a computer, allows it to communicate with other computers on a network.
Scope Note: Most network interface cards are designed for a particular type of network or protocol.
Term
Node
Definition
Point at which terminals are given access to a network.
Term
Noise
Definition
Disturbances, such as static, in data transmissions that cause messages to be misinterpreted by the receiver.
Term
Nondisclosure Agreement (NDA)
Definition
A legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement.
Scope Note: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another’s businesses solely for the purpose of evaluating the potential business relationship. NDAs can be “mutual,” meaning both parties are restricted in their
Term
Nonintrusive
Monitoring
Definition
The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities.
Term
Nonrepudiable
Transactions
Definition
Transactions that cannot be denied after the fact.
Term
Nonrepudiation
Definition
The assurance that a party cannot later deny having originated data; proof of the origin and integrity of the data that can be verified by an independent third party.
Scope Note: A digital signature can provide nonrepudiation because it is created with a private key held only by the signer and verified with the corresponding public key. A message authentication code based on a key shared between sender and receiver cannot, because either holder of the key could have produced it.
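The following Go program is an added illustration for this entry (example code written for the glossary, not ISACA's). It contrasts an Ed25519 digital signature, which a third party verifies with nothing but the originator's public key, with an HMAC under a shared key, which either key holder could have produced. The order text and the shared secret are constructed for the example.

```go
// Added example: digital signature (nonrepudiation) versus shared-key MAC (no nonrepudiation).
// Keys are generated at run time; the order text is constructed for the demonstration.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds an Ed25519 key pair. Only the public half is ever shared, so a valid
// signature can only have been produced by whoever holds the private half.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// VerifyOrigin is what an independent third party (an auditor or a court) runs.
// It needs only the signer's public key, so the signer cannot credibly deny the message.
func VerifyOrigin(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MACTag computes HMAC-SHA256 under a key known to both sender and receiver.
// It proves integrity to the receiver, but because the receiver holds the same key
// it could have produced the tag itself, so the tag proves nothing to a third party.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func MACValid(key, msg, tag []byte) bool {
	return hmac.Equal(MACTag(key, msg), tag)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	order := []byte("transfer 10,000 EUR to account 123")   // constructed message
	altered := []byte("transfer 90,000 EUR to account 123") // what a dishonest receiver might claim was sent

	sig := alice.Sign(order)
	fmt.Println("third party verifies Alice's signature on the order:", VerifyOrigin(alice.PublicKey(), order, sig))
	fmt.Println("same signature checked against the altered order:  ", VerifyOrigin(alice.PublicKey(), altered, sig))

	// Bob shares a key with Alice. He can produce a tag for the altered order that is
	// indistinguishable from one Alice would have produced, so the tag cannot attribute origin.
	shared := []byte("key-shared-by-alice-and-bob") // constructed shared secret
	bobForged := MACTag(shared, altered)
	fmt.Println("Bob's self-made tag on the altered order validates:", MACValid(shared, altered, bobForged))
}
```

The signature check fails on the altered order and under any other key, while the HMAC on the altered order validates perfectly because Bob holds the key: that is the whole difference between integrity and nonrepudiation.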
Term
Normalization
Definition
The elimination of redundant data, typically by structuring database tables so that each fact is stored only once.
Term
Numeric Check
Definition
An edit check designed to ensure the data in a particular field is numeric.
Term
Object Code
Definition
Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code.
Term
Object Management
Group (OMG)
Definition
A consortium with more than 700 affiliates from the software industry whose purpose is to provide a common framework for developing applications using object?oriented programming techniques.
Scope Note: For example, OMG is known principally for promulgating the CORBA specification.
Term
Object Orientation
Definition
An approach to system development where the basic unit of attention is an object, which represents an encapsulation of both data (an object’s attributes) and functionality (an object’s methods).
Scope Note: Objects usually are created using a general template called a class. Classes are the basis for most design work in objects. Classes and their objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance.
Term
Objectivity
Definition
The ability to exercise judgment, express opinions and present recommendations with impartiality
Term
Object-Oriented System
Development
Definition
A system development methodology that is organized around "objects" rather than "actions," and "data" rather than "logic".
Scope Note: Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is software design that is centered around designing the objects that will make up a program. Any object-oriented program is one that is composed of objects or software parts.
Term
Offline Files
Definition
Computer file storage media not physically connected to the computer; typically tapes or tape cartridges used for backup purposes.
Term
Offsite Storage
Definition
A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files.
Term
Online Data Processing
Definition
Achieved by entering information into the computer via a video display terminal.
Scope Note: With online data processing, the computer immediately accepts or rejects the information, as it is entered.
Term
Open Source Security
Testing Methodology
Definition
An open and freely available methodology and manual for security testing (OSSTMM), published by ISECOM.
Term
Open Systems
Definition
Systems for which detailed specifications of their components composition are published in a nonproprietary environment, thereby enabling competing organizations to use these standard components to build competitive systems.
Scope Note: The advantages of using open systems include portability, interoperability and integration.
Term
Operating System
Definition
A master control program that runs the computer and acts as a scheduler and traffic controller.
Scope Note: The operating system is loaded into the computer’s memory by the firmware or boot loader when the computer is started and must remain resident while the computer runs. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, e-mail); it controls access to the devices, enforces much of the system’s security (process isolation, file permissions, user identity) and sets the interface standards for the application programs that run on it.
Term
Operating System Audit
Trails
Definition
Records of system events generated by a specialized operating system mechanism.
Term
Operational Audit
Definition
An audit designed to evaluate the various internal controls, economy and efficiency of a function or department.
Term
Operational Control
Definition
These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved.
Term
Operational Level
Agreement (OLA)
Definition
An internal agreement covering the delivery of services that support the IT organization in its delivery of services.
Term
Operator Console
Definition
A special terminal used by computer operations personnel to control computer and systems operations functions.
Scope Note: Operator console terminals typically provide a high level of computer access and should be properly secured.
Term
Optical Character
Recognition
Definition
Used to electronically scan and input written information from a source document.
Term
Optical Scanner
Definition
An input device that reads characters and images that are printed or painted on a paper form into the computer.
Term
Organization
Definition
The manner in which an enterprise is structured; can also mean the entity.
Term
Organization for Economic Cooperation and Development (OECD)
Definition
An international organization helping governments tackle the economic, social, and governance challenges of a global economy.
Scope Note: The OECD groups 30 member countries in a unique forum to discuss, develop, and refine economic and social policies.
Term
Outcome
Definition
Result
Term
Outcome measures
Definition
Represent the consequences of actions previously taken and are often referred to as lag indicators.
Scope Note: Outcome measures frequently focus on results at the end of a time period and characterize historical performance. They are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called ‘lag indicators.’
Term
Output Analyzer
Definition
Checks the accuracy of the results produced by a test run.
Scope Note: There are three types of checks that an output analyzer can perform. First, if a standard set of test data and test results exists for a program, the output of a test run after program maintenance can be compared with the set of results that should be produced. Second, as programmers prepare test data and calculate the expected results, these results can be stored on a file and the output analyzer compares the actual results of a test run with the expected results. Third, the output analyzer can act as a query language; it accepts queries about whether certain relationships exist in the file of output results and reports compliance or noncompliance.
Term
Outsourcing
Definition
A formal agreement with a third party to perform IS or other business functions for an organization.
Term
Packet
Definition
Data unit that is routed from source to destination in a packet-switched network.
Scope Note: A packet contains both routing information (the header) and data (the payload). The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is the set of protocols used on packet-switched networks such as the Internet.
Term
Packet Filtering
Definition
Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rules.
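As an added example for this entry (written for the glossary, not ISACA's code), the Go program below implements the rule-list evaluation the definition describes: rules are checked in order, the first match decides, and anything unmatched is denied. The host address 203.0.113.10, the admin network 198.51.100.0/24 and the rule names are constructed for the demonstration.

```go
// Added example: a minimal first-match packet filter. Not part of the glossary;
// addresses and rule names are constructed for the demonstration.
package main

import (
	"fmt"
	"net/netip"
)

type Packet struct {
	Proto   string // "tcp", "udp" or "icmp"
	Src     netip.Addr
	Dst     netip.Addr
	DstPort uint16 // 0 for protocols without ports
}

// NewPacket builds a Packet from textual addresses (panics on malformed input).
func NewPacket(proto, src, dst string, dstPort uint16) Packet {
	return Packet{Proto: proto, Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), DstPort: dstPort}
}

// Rule fields left at their zero value match anything, so a rule with only
// Src set is an address-based rule regardless of protocol or port.
type Rule struct {
	Name    string
	Allow   bool
	Proto   string
	Src     netip.Prefix
	Dst     netip.Prefix
	DstPort uint16
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst.IsValid() && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

// Filter walks the rule list in order; the first matching rule decides. A packet
// that matches no rule is denied, so a forgotten rule fails closed, not open.
func Filter(rules []Rule, p Packet) (allowed bool, decidedBy string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

// Rules for the outside interface of a web host at 203.0.113.10 (constructed).
// The anti-spoofing rule sits first: a private source address arriving from the
// Internet is forged and must be dropped before any allow rule can match it.
var Rules = []Rule{
	{Name: "drop-spoofed-private-source", Allow: false, Src: netip.MustParsePrefix("10.0.0.0/8")},
	{Name: "allow-https", Allow: true, Proto: "tcp", Dst: netip.MustParsePrefix("203.0.113.10/32"), DstPort: 443},
	{Name: "allow-ssh-from-admin-net", Allow: true, Proto: "tcp", Src: netip.MustParsePrefix("198.51.100.0/24"),
		Dst: netip.MustParsePrefix("203.0.113.10/32"), DstPort: 22},
}

func main() {
	samples := []Packet{
		NewPacket("tcp", "192.0.2.5", "203.0.113.10", 443),   // public client to HTTPS
		NewPacket("tcp", "192.0.2.5", "203.0.113.10", 22),    // public client to SSH
		NewPacket("tcp", "198.51.100.7", "203.0.113.10", 22), // admin network to SSH
		NewPacket("tcp", "10.1.2.3", "203.0.113.10", 443),    // forged private source to HTTPS
		NewPacket("udp", "192.0.2.5", "203.0.113.10", 53),    // no rule at all
	}
	for _, p := range samples {
		ok, by := Filter(Rules, p)
		fmt.Printf("%-4s %-14s -> %s:%-4d allow=%-5t (%s)\n", p.Proto, p.Src, p.Dst, p.DstPort, ok, by)
	}
}
```

Rule order is the auditable part: swapping the anti-spoofing rule below allow-https would let the forged packet through, which is why a filter review reads the list top to bottom exactly as the code does.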
Term
Packet Internet Groper
(PING)
Definition
A network utility that uses Internet Control Message Protocol (ICMP) Echo Request and Echo Reply messages to determine whether a specific IP address is reachable.
Scope Note: It works by sending a packet to the specified address and waiting for a reply, and reports the round-trip time of each exchange. PING is used primarily to troubleshoot network connections. Hop counts between two hosts are reported by traceroute, not by ping. Because many hosts and firewalls block ICMP echo, a missing reply does not prove that a host is down. Ping utilities are built into all major operating systems.
Term
Packet Switching
Definition
The process of transmitting messages in convenient pieces that can be reassembled at the destination.
Term
Paper Test
Definition
A walk-through of the steps of a regular test, but without actually performing the steps.
Scope Note: Usually used in disaster recovery and contingency testing, where team members review and become familiar with the plans and their specific roles and responsibilities.
Term
Parallel Simulation
Definition
Involves the IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data.
Scope Note: The results produced by parallel simulation are compared with the results generated by the application system and any discrepancies identified.
Term
Parallel Testing
Definition
The process of feeding the same test data into two systems, the modified system and an alternative system (possibly the original system), and comparing the results to demonstrate consistency or expose inconsistency between the two versions of the application.
Term
Parity Check
Definition
A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another.
Scope Note: A single parity bit (0 or 1) is added to a data item so that the total number of 1 bits is even (even parity) or odd (odd parity). When the parity of the received bits disagrees with the expected value, the computer reports an error. Parity detects any error that flips an odd number of bits but misses every error that flips an even number, so over all possible multi-bit error patterns roughly 50 percent go undetected; a cyclic redundancy check is used where stronger detection is needed.
Term
Partitioned File
Definition
A file format in which the file is divided into multiple sub files and a directory is established to locate each sub file.
Term
Passive Assault
Definition
Intruders attempt to learn some characteristic of the data being transmitted.
Scope Note: With passive assault, intruders may be able to read the contents of the data so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.
Term
Passive Response
Definition
A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action.
Term
Password
Definition
A protected string of characters, generally stored by the system only in hashed form, that authenticates a computer user to the computer system.
Term
Password Cracker
Definition
A tool that tests the strength of user passwords by searching for ones that are easy to guess: it repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases millions) of permutations of characters, numbers and symbols.
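The Go program below is an added example for this entry (written for the glossary, not ISACA's code). It runs a dictionary-plus-mangling attack of the kind the definition describes against a constructed password file that stores unsalted SHA-256 hashes; the user names, passwords and wordlist are all made up for the demonstration.

```go
// Added example: a dictionary-plus-mangling password cracker run against a constructed
// password file that stores unsalted SHA-256 hashes. Neither the users nor the
// hashes come from any real system.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// hashPassword is the weak storage scheme the constructed file uses: one fast,
// unsalted hash per password, which is exactly what makes the attack below cheap.
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

func capitalize(w string) string {
	if w == "" {
		return w
	}
	return strings.ToUpper(w[:1]) + w[1:]
}

// Mangle turns one dictionary word into the variants a cracker derives from it:
// case changes, "leet" substitutions and common suffixes (35 guesses per word).
func Mangle(word string) []string {
	leet := strings.NewReplacer("a", "@", "e", "3", "i", "1", "o", "0", "s", "$")
	bases := []string{word, capitalize(word), strings.ToUpper(word), leet.Replace(word), capitalize(leet.Replace(word))}
	suffixes := []string{"", "1", "123", "!", "2010", "2011", "2011!"}
	out := make([]string, 0, len(bases)*len(suffixes))
	for _, b := range bases {
		for _, s := range suffixes {
			out = append(out, b+s)
		}
	}
	return out
}

// Crack hashes every mangled guess once and looks it up against all stored hashes,
// returning user -> recovered password for each account it broke. Because the
// hashes are unsalted, one guess is checked against every user at the same time.
func Crack(stored map[string]string, dictionary []string) map[string]string {
	byHash := map[string][]string{} // hash -> users sharing it (reused passwords show up here)
	for user, h := range stored {
		byHash[h] = append(byHash[h], user)
	}
	found := map[string]string{}
	for _, w := range dictionary {
		for _, guess := range Mangle(w) {
			for _, user := range byHash[hashPassword(guess)] {
				found[user] = guess
			}
		}
	}
	return found
}

// Constructed password file and a tiny wordlist.
var (
	StoredHashes = map[string]string{
		"alice": hashPassword("Summer2011!"),
		"bob":   hashPassword("p@$$w0rd"),
		"carol": hashPassword("correct horse battery staple"),
	}
	Dictionary = []string{"password", "summer", "welcome", "dragon", "letmein"}
)

func main() {
	for user, pw := range Crack(StoredHashes, Dictionary) {
		fmt.Printf("cracked %s: %q\n", user, pw)
	}
	fmt.Printf("%d guesses tried from %d words\n", len(Dictionary)*len(Mangle("x")), len(Dictionary))
}
```

Two of the three accounts fall to 175 guesses; the long random passphrase does not. The defence on the storage side is a salted, deliberately slow password hash (bcrypt, scrypt or Argon2), which removes the one-guess-against-all-users shortcut and makes each guess cost far more than a single SHA-256.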
Term
Patch Management
Definition
An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system, in order to maintain up-to-date software and often to address security risks.
Scope Note: Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on non-critical systems prior to installations. Patch management can be viewed as part of change management.
Term
Payback period
Definition
The length of time needed to recoup the cost of capital investment.
Scope Note: Financial amounts in the payback formula are not discounted. Note that the payback period does not take into account cash flows after the payback period and is therefore not a measure of the profitability of an investment project. The scope of the IRR, NPV and payback period is the useful economic life of the project up to a maximum of five years.
Term
Payment System
Definition
A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions.
Term
Payroll System
Definition
An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces. In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.
Term
Penetration Testing
Definition
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers.
Term
Performance
Definition
In IT, the actual implementation or achievement of a process.
Term
Performance drivers
Definition
Measures that are considered the "drivers" of lag indicators. They can be measured before the outcome is clear and, therefore, are called "lead indicators."
Scope Note: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.
Term
Performance indicators
Definition
A set of metrics designed to measure the extent to which performance objectives are being achieved on an on-going basis.
Scope Note: Performance indicators can include service level agreements, critical success factors, customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards.
Term
Performance management
Definition
In IT, the ability to manage any type of measurement including employee, team, process, operational or financial measurements. The term connotes closed-loop control and regular monitoring of the measurement.
Term
Performance testing
Definition
Comparing the system’s performance to other equivalent systems using well defined benchmarks.
Term
Peripherals
Definition
Auxiliary computer hardware equipment used for input, output and data storage.
Scope Note: Examples of peripherals include disk drives and printers.
Term
Personal Digital
Assistant (PDA)
Definition
Also called palmtop and pocket computer, these are handheld devices that provide computing, Internet, networking and telephone characteristics.
Term
Personal Identification
Number (PIN)
Definition
A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual.
Scope Note: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer system (EFTS).
Term
Pervasive IS Controls
Definition
General controls which are designed to manage and monitor the IS environment and which, therefore, affect all IS-related activities.
Term
Phase of BCP
Definition
A step-by-step approach consisting of various phases.
Scope Note: Phase of BCP is usually comprised of the following phases: pre-implementation phase, implementation phase, testing phase, and post-implementation phase.
Term
Phishing
Definition
A type of e-mail attack that attempts to convince a user that the originator is genuine, with the intention of obtaining credentials or other information that can be used for fraud or further social engineering.
Scope Note: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient of a large win or the user's bank; in either case, the intent is to obtain account and PIN details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.
Term
Phreakers
Definition
Those who crack security, most frequently phone and other communications networks.
Term
Piggy Backing
Definition
1. Following an authorized person into a restricted access area.
2. Electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.
Term
Plaintext
Definition
Digital information, also called cleartext, that is intelligible to the reader; the input to encryption and the output of decryption.
Term
PMBOK
Definition
Project Management Body of Knowledge (PMBOK), a project management standard developed by the Project Management Institute (PMI).
Term
Point-of-Presence (POP)
Definition
A phone number that represents the area in which the communications provider or Internet service provider (ISP) provides service.
Term
Point-of-Sale (POS) Systems
Definition
Enable the capture of data at the time and place of transaction.
Scope Note: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.
Term
Point-to-Point Protocol
(PPP)
Definition
A protocol used for transmitting data between two ends of a connection.
Term
Point-to-Point Tunneling Protocol (PPTP)
Definition
An early protocol used to tunnel PPP traffic between two end points to create a VPN.
Scope Note: PPTP's usual authentication (MS-CHAPv2) and encryption (MPPE) have known weaknesses, so it is no longer considered secure; IPsec, L2TP/IPsec and TLS-based VPNs have replaced it.
Term
Policies
Definition
High?level statements of management intent and direction.
Term
Policy
Definition
Generally, a document that records a high?level principle or course of action which has been decided upon. A policy’s intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.
Scope Note: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured
Term
Polymorphism (Objects)
Definition
In object orientation, the property that the same message (method call) sent to objects of different classes produces class-specific behavior; each object responds according to its own class and its place in the inheritance hierarchy, so the calling code need not know the concrete class it is dealing with.
Term
Population
Definition
The entire set of data from which a sample is selected and about which the IS auditor wishes to draw conclusions.
Term
Portfolio
Definition
A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT).
Term
Posting
Definition
The process of actually entering transactions into computerized or manual files.
Scope Note: Posting transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time, then applied to master file updating.
Term
Preventive Application
Controls
Definition
Application controls that are intended to prevent an error from occurring. Preventive application controls are typically executed at the transaction level, before an action is performed.
Term
Preventive control
Definition
An internal control that is used to avoid undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on a process or end product
Term
PRINCE2
Definition
Projects in a Controlled Environment (PRINCE2), developed by the OGC, is a project management method that covers the management, control and organization of a project.
Term
Privacy
Definition
Freedom from unauthorized intrusion or disclosure of information about individuals.
Term
Private Branch
Exchange (PBX)
Definition
A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.
Term
Private Key
Definition
A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key.
Term
Private Key
Cryptosystems
Definition
A cryptosystem that uses a single secret key to encrypt plaintext into ciphertext and the same key to decrypt the ciphertext back into plaintext.
Scope Note: The key is symmetric, in that the encryption key is the same as the decryption key, so it must be delivered secretly to every party that needs to decrypt. Private key cryptosystems are also called symmetric or secret key cryptosystems.
Term
Privilege
Definition
The level of trust with which a system object is imbued.
Term
Problem
Definition
In IT, the unknown underlying cause of one or more incidents.
Term
Problem Escalation
Procedure
Definition
The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management.
Scope Note: Problem escalation procedure is often used in help desk management, where an unresolved problem is escalated up the chain of command, until it is solved.
Term
Procedure
Definition
A document containing steps that specify how to achieve an activity. Procedures are defined as part of processes.
Term
Procedures
Definition
A detailed description of the steps necessary to perform specific operations in conformance with applicable standards.
Term
Process
Definition
Generally, a collection of activities influenced by the enterprise’s policies and procedures that takes inputs from a number of sources, (including other processes), manipulates the inputs and produces outputs.
Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.
Term
Process Maturity
Assessment
Definition
A subjective assessment technique derived from the SEI CMMI concepts and developed as a COBIT management tool. It provides management with a profile of how well developed are the IT management processes.
Scope Note: It enables management to easily place itself on a scale and appreciate what is required if improved performance is needed. It is used to set targets, raise awareness, capture broad consensus, identify improvements and positively motivate change.
Term
Process Maturity
Attributes
Definition
The different aspects of a process covered in an assurance initiative.
Term
Production Programs
Definition
Programs that are used to process live or actual data that were received as input into the production environment.
Term
Production Software
Definition
Software that is being used and executed to support normal and authorized organizational operations.
Scope Note: Production software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management.
Term
Professional
Competence
Definition
Proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards.
Term
Professional Standards
Definition
Refers to standards issued by ISACA. The term may extend to related guidelines and techniques that assist the professional in implementing and complying with authoritative pronouncements of ISACA. In certain instances, standards of other professional organizations may be considered, depending on the circumstances and their relevance and appropriateness.
Term
Program
Definition
A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects could include, but not be limited to, changes in the nature of the business, business processes, the work performed by people, as well as the competencies required to carry out the work, enabling technology, and organizational structure.
Term
Program Evaluation and Review Technique (PERT)
Definition
A project management technique used in the planning and control of system projects; it models the project as a network of dependent activities, estimates each activity's duration from optimistic, most likely and pessimistic figures, and identifies the critical path that determines the overall schedule.
Term
Program Flowcharts
Definition
Program flowcharts show the sequence of instructions in a single program or subroutine.
Scope Note: The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.
Term
Program Narratives
Definition
Program narratives provide a detailed explanation of program flowcharts, including control points and any external input.
Term
Project
Definition
A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-upon schedule and budget.
Term
Project Management
Officer (PMO)
Definition
The individual function responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management.
Term
Project portfolio
Definition
The set of projects owned by a company.
Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, timelines and other information specific to the project.
Term
Project Team
Definition
Group of people responsible for a project, whose terms of reference may include the development, acquisition, implementation or maintenance of an application system.
Scope Note: The project team members may include line management, operational line staff, external contractors and IS auditors.
Term
Promiscuous Mode
Definition
Allows the network interface to capture all traffic on its segment, irrespective of the hardware (MAC) address to which each frame is addressed.
Scope Note: Sniffers and intrusion detection sensors rely on this mode. On a switched network an interface sees only the traffic forwarded to its port, so a mirror (SPAN) port or a network tap is needed to observe other hosts' traffic.
Term
Protection Domain
Definition
The area of the system that the intrusion detection system is meant to monitor and protect.
Term
Protocol
Definition
The rules by which a network operates and controls the flow and priority of transmissions.
Term
Protocol Converter
Definition
A hardware device that converts between two different types of transmission, e.g., between asynchronous and synchronous transmission, so that dissimilar systems can communicate.
Term
Protocol Stack
Definition
A set of utilities that implement a particular network protocol.
Scope Note: For instance, in Windows machines a TCP/IP stack consists of TCP/IP software, sockets software and hardware driver software.
Term
Prototyping
Definition
The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback.
Scope Note: Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.
Term
Proxy Server
Definition
A server that acts on behalf of a user.
Scope Note: Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user.
Term
Public Key
Definition
In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme.
Term
Public Key
Cryptosystem
Definition
A cryptosystem that uses one key (the public key) to encrypt plaintext into ciphertext and a different key (the private key) to decrypt the ciphertext back into plaintext.
Scope Note: In contrast to a private key cryptosystem, the decryption key must be kept secret while the encryption key can be known to everyone. The two keys are asymmetric: the encryption key is not the same as the decryption key, and the private key cannot feasibly be derived from the public one.
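The Go program below is an added example covering both the Private Key Cryptosystems entry above and this one (example code written for the glossary, not ISACA's). It puts AES-256-GCM, where one shared key both encrypts and decrypts, beside RSA-OAEP, where anyone holding the public key can encrypt but only the private key holder can decrypt. Keys are generated at run time and the message text is constructed.

```go
// Added example: a private (symmetric) key cryptosystem next to a public (asymmetric)
// one, both from Go's standard library. Keys are generated at run time; message text
// is constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewSymmetricKey returns a random 256-bit AES key; both parties must hold it.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SymmetricSeal encrypts with AES-256-GCM and prefixes the random nonce, which the
// receiver needs and which must never repeat under the same key.
func SymmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricOpen decrypts with the same key; a wrong key or a modified ciphertext
// fails authentication and returns an error rather than garbage.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKeyPair generates an RSA key pair; the public half may be published freely.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicSeal encrypts to the holder of the private key using RSA-OAEP.
func PublicSeal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// PrivateOpen decrypts; only the private key holder can do this.
func PrivateOpen(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	msg := []byte("quarterly results: embargoed") // constructed plaintext

	key, _ := NewSymmetricKey()
	sealed, _ := SymmetricSeal(key, msg)
	plain, _ := SymmetricOpen(key, sealed)
	fmt.Printf("symmetric round trip: %q\n", plain)
	wrongKey, _ := NewSymmetricKey()
	_, err := SymmetricOpen(wrongKey, sealed)
	fmt.Println("symmetric open with wrong key:", err)

	bob, _ := NewKeyPair()
	ct, _ := PublicSeal(&bob.PublicKey, msg) // anyone can do this with Bob's public key
	plain, _ = PrivateOpen(bob, ct)          // only Bob can do this
	fmt.Printf("asymmetric round trip: %q\n", plain)
	eve, _ := NewKeyPair()
	_, err = PrivateOpen(eve, ct)
	fmt.Println("asymmetric open with another private key:", err)
}
```

The practical consequence of the two models is key distribution: the symmetric key has to reach Bob over some already-secure channel, whereas Bob's RSA public key can be handed out openly, which is why real systems encrypt a fresh symmetric key with the recipient's public key and the bulk data with that symmetric key.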
Term
Public Key Encryption
Definition
A cryptographic system that uses two keys. One is a public key, which is known to everyone, and the second is a private or secret key, which is known only to the recipient of the message.
Term
Public Key
Infrastructure
Definition
A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued.
Term
Quality assurance (QA)
Definition
A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)
Term
Quality Management
System (QMS)
Definition
A system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved organization performance.
Term
Queue
Definition
A group of items that is waiting to be serviced or processed.
Term
Quick Ship
Definition
A recovery solution provided by recovery and/or hardware vendors that includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs.
Scope Note: The quick ship solution usually provides organizations with the ability to recover within 72 hours or greater.
Term
RACI chart
Definition
Illustrates who is responsible, accountable, consulted and informed within an organizational framework.
Term
Radio Wave
Interference
Definition
The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly.
Term
Random Access
Memory (RAM)
Definition
The computer’s primary working memory.
Scope Note: Each byte of random access memory can be accessed randomly regardless of adjacent bytes.
Term
Range Check
Definition
Range checks ensure that data fall within a predetermined range.
Term
Rapid Application
Development
Definition
A methodology that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well?defined methodology.
Term
Real-Time Analysis
Definition
Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system.
Term
Real-Time Processing
Definition
An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal.
Term
Reasonable Assurance
Definition
A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved.
Term
Reasonableness Check
Definition
Compares data to predefined reasonability limits or occurrence rates established for the data.
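As an added example covering the Numeric Check and Range Check entries as well as this one (example code written for the glossary, not ISACA's), the Go program below applies the three edit checks to constructed payroll records. The field names, the limits (0 to 80 hours, gross pay no more than three times the historical mean) and the history values are assumptions for the demonstration.

```go
// Added example: numeric, range and reasonableness edit checks applied to constructed
// payroll records. Field names, limits and history values are assumptions for the
// demonstration, not from any real system.
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Finding records one failed edit check on one field.
type Finding struct {
	Field, Check, Detail string
}

var numericRE = regexp.MustCompile(`^[+-]?[0-9]+(\.[0-9]+)?$`)

// NumericCheck: the field must contain only digits (with optional sign and decimals).
// Lookalike characters such as the letter O for zero are a classic keying error.
func NumericCheck(field, value string) *Finding {
	if numericRE.MatchString(value) {
		return nil
	}
	return &Finding{field, "numeric", fmt.Sprintf("%q is not numeric", value)}
}

// RangeCheck: the value must fall inside a predetermined [lo, hi] interval.
func RangeCheck(field string, v, lo, hi float64) *Finding {
	if v >= lo && v <= hi {
		return nil
	}
	return &Finding{field, "range", fmt.Sprintf("%g outside %g..%g", v, lo, hi)}
}

// ReasonablenessCheck: the value is compared with what is typical for the item, here
// the mean of prior periods; anything beyond maxRatio times that mean is flagged.
func ReasonablenessCheck(field string, v float64, history []float64, maxRatio float64) *Finding {
	if len(history) == 0 {
		return nil // nothing to compare against; a real system would flag this too
	}
	var sum float64
	for _, h := range history {
		sum += h
	}
	mean := sum / float64(len(history))
	if v <= maxRatio*mean {
		return nil
	}
	return &Finding{field, "reasonableness", fmt.Sprintf("%g exceeds %g x historical mean %.2f", v, maxRatio, mean)}
}

// ValidatePayroll runs the three checks over one record. A field that fails the
// numeric check is not range- or reasonableness-checked, since it has no usable value.
func ValidatePayroll(rec map[string]string, priorGross []float64) []Finding {
	var out []Finding
	add := func(f *Finding) {
		if f != nil {
			out = append(out, *f)
		}
	}
	for _, field := range []string{"employee_id", "hours_worked", "gross_pay"} {
		if f := NumericCheck(field, rec[field]); f != nil {
			add(f)
			continue
		}
		v, _ := strconv.ParseFloat(rec[field], 64)
		switch field {
		case "hours_worked":
			add(RangeCheck(field, v, 0, 80)) // assumed policy maximum per pay period
		case "gross_pay":
			add(RangeCheck(field, v, 0, 50000))
			add(ReasonablenessCheck(field, v, priorGross, 3))
		}
	}
	return out
}

// Constructed records: one clean, one with a keying error in every field.
var (
	PriorGross = []float64{1500, 1520, 1480, 1550}
	GoodRecord = map[string]string{"employee_id": "10423", "hours_worked": "38.5", "gross_pay": "1540.00"}
	BadRecord  = map[string]string{"employee_id": "1O423", "hours_worked": "-3", "gross_pay": "15400.00"}
)

func main() {
	for name, rec := range map[string]map[string]string{"good": GoodRecord, "bad": BadRecord} {
		findings := ValidatePayroll(rec, PriorGross)
		fmt.Printf("%s record: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-12s %-15s %s\n", f.Field, f.Check, f.Detail)
		}
	}
}
```

The bad record shows why the three checks are distinct: "-3" is perfectly numeric but fails the range check, and 15400.00 is numeric and inside the absolute range yet fails reasonableness because it is ten times what that item has historically been.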
Term
Reciprocal Agreement
Definition
Emergency processing agreements between two or more organizations with similar equipment or applications.
Scope Note: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises.
Term
Record
Definition
A collection of related information treated as a unit.
Scope Note: Separate fields within the record are used for processing of the information.
Term
Record, Screen and
Report Layouts
Definition
Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input.
Term
Recovery Action
Definition
Execution of a response or task according to a written procedure.
Term
Recovery point objective (RPO)
Definition
The point in time to which data must be recovered after a disruption of operations, determined from the amount of data loss that is acceptable. The RPO effectively quantifies the permissible amount of data loss, expressed as a period of time: an RPO of four hours means the most recent usable backup or replica may be at most four hours old when the interruption occurs.
Term
Recovery Strategy
Definition
An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage.
Scope Note: Plans and methodologies are determined by the organization's strategy. There may be more than one methodology or solution for an organization's strategy. Examples of methodologies and solutions include: contracting for a hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.
Term
Recovery Testing
Definition
A test to check the system’s ability to recover after a software or hardware failure.
Term
Recovery time objective
(RTO)
Definition
The amount of time allowed for the recovery of a business function or resource after a disaster occurs
Term
Redo Logs
Definition
Files maintained by a system, primarily a database management system, for the purpose of reapplying changes following an error or outage recovery.
Term
Redundancy Check
Definition
Detects transmission errors by appending calculated bits onto the end of each segment of data.
Term
Redundant Array of Inexpensive Disks (RAID)
Definition
Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously.
Term
Redundant Site
Definition
A recovery strategy involving the duplication of key information technology components, including data or other key business processes, whereby fast recovery can take place.
Term
Reengineering
Definition
A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems.
Scope Note: Existing software systems can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature.
Term
Registration Authority
(RA)
Definition
The individual or institution that validates an entity's proof of identity and ownership of a key pair.
Term
Regression Testing
Definition
A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase.
Term
Relational Database Management System (RDBMS)
Definition
The general purpose of a database is to store and retrieve related information.
Scope Note: Database management systems have evolved from hierarchical to network to relational models. Today, the most widely accepted database model is the relational model. The relational model has three major aspects: structures, operations and integrity rules. An Oracle database is a collection of data that is treated as a unit.
Term
Relevant Audit Evidence
Definition
Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Term
Reliable Audit Evidence
Definition
Audit evidence is reliable if, in the IS auditor's opinion, it is valid, factual, objective and supportable.
Term
Remote Access Service
Definition
Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices.
Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allows most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.
Term
Remote Authentication Dial-in User Service (RADIUS)
Definition
A type of service providing an authentication and accounting system often used for dial-up and remote access security.
Term
Remote Job Entry (RJE)
Definition
The transmission of job control language (JCL) and batches of transactions from a remote terminal location.
Term
Remote Procedure Call
(RPC)
Definition
The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server).
Scope Note: The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.
Term
Repeaters
Definition
A physical layer device that regenerates and propagates electrical signals between two network segments.
Scope Note: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation)
Term
Replication
Definition
In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities. In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance, while maintaining consistency among all systems.
Term
Repository
Definition
An enterprise database that stores and organizes data.
Term
Repudiation
Definition
The denial by one of the parties to a transaction, or participation in all or part of that transaction, or of the content of communications related to that transaction
Term
Reputation risk
Definition
The current and prospective effect on earnings and capital arising from negative public opinion.
Scope Note: Reputation risk affects the bank’s ability to establish new relationships or services, or continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank’s reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk, as compared to a traditional brick-and-mortar bank, since it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems with the customer in person.
Term
Request for Comments
(RFC)
Definition
A document that has been approved by the IETF becomes an RFC and is assigned a unique number once published.
Scope Note: If an RFC gains enough interest, it may evolve into an Internet standard.
Term
Request for Proposal
(RFP)
Definition
A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product.
Term
Requirements
Definition
Definition
A technique used where the affected user groups define the requirements of the system for meeting the defined needs.
Scope Note: Some of these requirements are business, regulatory, security as well as development related.
Term
Residual risk
Definition
The remaining risk after management has implemented risk response
Term
Resilience
Definition
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect
Term
Responsible
Definition
In a RACI chart, refers to the person who must ensure that activities are completed successfully.
Term
Return on investment
(ROI)
Definition
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered.
Term
Reverse Engineering
Definition
A software engineering technique whereby an existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology.
Term
Ring Configuration
Definition
Used in either token ring or FDDI networks, all stations (nodes) are connected to a multi-station access unit (MSAU), which physically resembles a star-type topology.
Scope Note: A ring configuration is created when these MSAUs are linked together in forming a network. Messages in this network are sent in a deterministic fashion from sender to receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to them.
Term
Ring Topology
Definition
A type of LAN architecture in which the cable forms a loop, with stations attached at intervals around the loop.
Scope Note: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength
Term
Risk
Definition
The combination of the probability of an event and its consequence. (ISO/IEC73)
Term
Risk Aggregation
Definition
The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise
Term
Risk analysis
Definition
1. A process by which frequency and magnitude of IT risk scenarios are estimated
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Scope Note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.
Term
Risk Appetite
Definition
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Term
Risk assessment
Definition
A process used to identify and evaluate risks and their potential effects.
Scope Note: Risk assessment includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
Term
Risk Avoidance
Definition
The process for systematically avoiding risk, constituting one approach to managing risk.
Term
Risk Culture
Definition
The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risks and losses are reported and discussed
Term
Risk Evaluation
Definition
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]
Term
Risk factor
Definition
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
Term
Risk indicator
Definition
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
Term
Risk management
Definition
The coordinated activities to direct and control an organization with regard to risk.
(In the International Standard, the term "control" is used as a synonym for "measure" ISO/IEC Guide 73:2002).
Term
Risk Map
Definition
A (graphic) tool for ranking and displaying risks by defined ranges for frequency and magnitude
Term
Risk mitigation
Definition
The management of risk through the use of countermeasures and controls.
Term
Risk Portfolio View
Definition
1. A method to identify interdependencies and interconnections among risks, as well as the effect of risk responses on multiple risks
2. A method to estimate the aggregate impact of multiple risks (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple risks
Term
Risk tolerance
Definition
The acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives
Term
Risk transfer
Definition
The process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service.
Term
Risk treatment
Definition
The process of selection and implementation of measures to modify risk [ISO/IEC Guide 73:2002].
Term
Root Cause Analysis
Definition
Process of diagnosis to establish origins of events, which can be used for learning from consequences, typically of errors and problems.
Term
Rootkit
Definition
A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system.
Term
Rotating Standby
Definition
A fail-over process in which there are two nodes (as in idle standby but without priority).
Scope Note: The node that enters the cluster first owns the resource group, and the second will join as a standby node.
Term
Rounding Down
Definition
A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator’s account.
Term
Router
Definition
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the OSI model.
Scope Note: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).
Term
RS-232 Interface
Definition
Interface between data terminal equipment and data communications equipment employing serial binary data interchange.
Term
RSA
Definition
A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures.
Scope Note: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.
Term
Rulebase
Definition
The list of rules and/or guidance that is used to analyze event data.
Term
Run Instructions
Definition
Computer operating instructions which detail the step-by-step processes that are to occur so an application system can be properly executed; also identifies how to address problems that occur during processing.
Term
Run-to-Run Totals
Definition
Provide evidence that a program processes all input data and that it processed the data correctly.
Term
Safeguard
Definition
A practice, procedure or mechanism that reduces risk.
Term
Salami Technique
Definition
A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator’s account.
Term
Sampling Risk
Definition
The probability that the IS auditor has reached an incorrect conclusion because an audit sample, rather than the whole population, was tested
Scope Note: While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated.
Term
Scheduling
Definition
A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing.
Term
Scope Creep
Definition
Also called requirement creep, this refers to uncontrolled changes in a project’s scope.
Scope Note: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one’s tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.
Term
Scoping Process
Definition
Identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies.
Term
Screening Routers
Definition
A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.
Term
Secure Sockets Layer
(SSL)
Definition
A protocol that is used to transmit private documents through the Internet.
Scope Note: The SSL protocol uses a private key to encrypt the data that is to be transferred through the SSL connection.
Term
Security Administrator
Definition
The person responsible for implementing, monitoring and enforcing security rules established and authorized by management.
Term
Security Awareness
Definition
The extent to which every member of an organization and every other individual who potentially has access to the organization's information understand:
- Security and the levels of security appropriate to the organization
- The importance of security and consequences of a lack of security
- Their individual responsibilities regarding security (and act accordingly).
Scope Note: This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, UK, 1993.
Term
Security Awareness
Campaign
Definition
A predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem. Each security awareness program consists of a number of security awareness campaigns.
Term
Security Awareness
Coordinator
Definition
Individual responsible for setting up and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program. He/she is also responsible for making sure all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.
Term
Security Awareness
Program
Definition
A clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware culture.
Scope Note: This definition clearly states that it is about realizing and maintaining a security-aware culture, meaning attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one-time effort but a continuous process.
Term
Security Forum
Definition
Responsible for information security governance within the organization.
Scope Note: A security forum can be part of an existing management body. As information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the organization. Typically, a security forum has the following tasks and responsibilities:
- Defining a security strategy in line with the business strategy
- Identifying security requirements
- Establishing a security policy
- Drawing up an overall security program or plan
- Approving major initiatives to enhance information security
- Reviewing and monitoring information security incidents
- Monitoring significant changes in the exposure of information assets to major threats
Term
Security Incident
Definition
A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified
Term
Security Management
Definition
The process of establishing and maintaining security in a computer or network system.
Scope Note: The stages of the process of security management include prevention of security problems, detection of intrusions, investigation of intrusions and resolution. In network management, it includes controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.
Term
Security Metrics
Definition
A standard of measurement used in management of security related activities.
Term
Security Perimeter
Definition
The boundary that defines the area of security concern and security policy coverage.
Term
Security Policy
Definition
A high-level document representing an organization’s information security philosophy and commitment.
Term
Security Procedures
Definition
The formal documentation of specific operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved.
Term
Security Software
Definition
Software used to administer security, which usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions.
Term
Security Standards
Definition
Practices, directives, guidelines, principles or baselines that state what needs to be done and focus on areas of current relevance and concern. They are a translation of issues already mentioned in the security policy.
Term
Security Testing
Definition
Ensuring the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or permit misuse of the system or its information.
Term
Security/Transaction
Risk
Definition
The current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position, and manage information.
Scope Note: Security risk is evident in each product and service offered, and it encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.
Term
Segregation/separation of duties
Definition
A basic internal control that prevents or detects errors and irregularities by assigning responsibility for initiating and recording transactions and for custody of assets to separate individuals.
Scope Note: Segregation and separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.
Term
Sensitivity
Definition
A measure of the impact that improper disclosure of information may have on an organization.
Term
Sequence Check
Definition
A verification that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research.
Scope Note: Can be alpha or numeric and usually utilizes a key field.
Term
Sequential File
Definition
A computer file storage format in which one record follows another.
Scope Note: Records can be accessed sequentially only. It is required with magnetic tape.
Term
Service Bureau
Definition
A computer facility that provides data processing services to clients on a continual basis.
Term
Service Delivery
Objective (SDO)
Definition
Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Term
Service Desk
Definition
The point of contact within the IT organization for users of IT services.
Term
Service level agreement
(SLA)
Definition
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.
Term
Service Provider
Definition
An organization supplying services to one or more (internal or external) customers.
Term
Service Set Identifier
(SSID)
Definition
A 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS.
Scope Note: The SSID differentiates one WLAN from another so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plaintext from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, because essentially it is a name that identifies a wireless network.
Term
Service User
Definition
The organization using the outsourced service
Term
Servlet
Definition
A Java applet or a small program that runs within a web server environment.
Scope Note: A Java servlet is similar to a CGI program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.
Term
Session Border
Controller (SBC)
Definition
Provide security features for VoIP traffic similar to that provided by firewalls.
Scope Note: SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DOS) attacks, and provide network address and protocol translation features.
Term
Shell
Definition
The interface between the user and the system.
Term
Shell Programming
Definition
A script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language.
Scope Note: Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a Unix shell, while COMMAND.COM (DOS) and cmd.exe (Windows) command line scripts are usually called batch files. Many shell script interpreters double as command line interfaces, such as the various Unix shells, Windows PowerShell or the MS-DOS COMMAND.COM. Others, such as AppleScript, add scripting capability to computing environments lacking a command line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL).
Term
Sign-on Procedure
Definition
The procedure performed by a user to gain access to an application or operating system.
Scope Note: If the user is properly identified and authenticated by the system’s security, they will be able to access the software.
Term
Simple Fail-over
Definition
A fail-over process in which the primary node owns the resource group.
Scope Note: The backup node runs a non-critical application (e.g., a development or test environment) and takes over the critical resource group but not vice versa.
Term
Simple Mail Transport
Protocol (SMTP)
Definition
The standard e-mail protocol on the Internet.
Term
Simple Object Access
Protocol (SOAP)
Definition
A platform-independent XML-based formatted protocol enabling applications to communicate with each other over the Internet.
Scope Note: Use of SOAP may provide a significant security risk to web application operations, since use of SOAP piggybacks onto a web-based document object model and is transmitted via HTTP (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the Web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.
Term
Single Point of Failure
Definition
A resource whose loss will result in the loss of service or production.
Term
Slack Time (Float)
Definition
Time in the project schedule, the use of which does not affect the project’s critical path; the minimum time to complete the project based upon the estimated time for each project segment and their relationships.
Scope Note: Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.
Term
SMARRT
Definition
Specific, measurable, actionable, realistic, results-oriented and timely, generally used to describe appropriately set goals.
Term
Smart Card
Definition
A small electronic device that contains electronic memory, and possibly an embedded integrated circuit.
Scope Note: Smart cards can be used for a number of purposes including the storage of digital certificates or digital cash, or it can be used as a token to authenticate users.
Term
Sniff
Definition
The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software.
Term
Sniffing
Definition
The process by which data traversing a network are captured or monitored.
Term
Social Engineering
Definition
An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information.
Term
Software
Definition
Programs and supporting documentation that enable and facilitate use of the computer.
Scope Note: Software controls the operation of the hardware and the processing of data.
Term
Source Code
Definition
The language in which a program is written.
Scope Note: Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language.
Term
Source Code Compare
Programs
Definition
Provide assurance that the software being audited is the correct version of the software, by providing a meaningful listing of any discrepancies between the two versions of the program.
Term
Source Documents
Definition
The forms used to record data that have been captured.
Scope Note: A source document may be a piece of paper, a turnaround document or an image displayed for online data input.
Term
Source Lines of Code
(SLOC)
Definition
Often used in deriving single-point software-size estimations.
Term
Spanning Port
Definition
A port configured on a network switch to receive copies of traffic from one or more other ports on the switch
Term
Split Data Systems
Definition
A condition in which each of an organization’s regional locations maintains its own financial and operational data while sharing processing with an organization-wide, centralized database.
Scope Note: Split data systems permit easy sharing of data while maintaining a certain level of autonomy.
Term
Split DNS
Definition
An implementation of DNS intended to secure responses provided by the server such that different responses are given to internal vs. external users.
Term
Split Knowledge
Definition
A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items; a condition under which two or more entities separately have key components that individually convey no knowledge of the plain text key that will be produced when the key components are combined in the cryptographic module.
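The "key components" form of split knowledge described above, as an added example that is not part of the original glossary: the key is split by XOR into components held by separate custodians, any proper subset of which is uniformly random and therefore reveals nothing about the key. The 256-bit key size and the three-custodian arrangement are assumptions for illustration.

```python
import secrets

# Added example: XOR-based key-component splitting, the "key components" form
# of split knowledge. KEY_LEN is an assumed 256-bit key size for illustration.
KEY_LEN = 32


def split_key(key: bytes, custodians: int = 2) -> list:
    """Split `key` into `custodians` components.

    All components but the last are drawn uniformly at random; the last is
    chosen so that the XOR of every component equals the key. Any strict subset
    of the components is therefore uniformly random and independent of the key:
    a single custodian learns nothing, which is the split-knowledge property.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for comp in components:
        last = bytes(a ^ b for a, b in zip(last, comp))
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """Recombine components; in practice this runs only inside the cryptographic module."""
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("components must all be the same length")
    result = bytes(length)
    for comp in components:
        result = bytes(a ^ b for a, b in zip(result, comp))
    return result


def leaks_key(components: list, key: bytes) -> bool:
    """True if any single component, or any proper subset combined, equals the key."""
    if any(c == key for c in components):
        return True
    for i in range(len(components)):
        subset = components[:i] + components[i + 1:]
        if combine_key(subset) == key:
            return True
    return False


def demo() -> bool:
    """Split a fresh key among three custodians, prove recombination, and
    check that no custodian (or pair of custodians) holds the key."""
    key = secrets.token_bytes(KEY_LEN)
    parts = split_key(key, custodians=3)
    return combine_key(parts) == key and not leaks_key(parts, key)
```

XOR splitting is all-or-nothing: every component is required, and losing one loses the key. Where a threshold (say any 2 of 3 custodians) is wanted, a threshold scheme such as Shamir secret sharing is used instead; the "no knowledge from a subset" property is the same.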
Term
Spoofing
Definition
Faking the sending address of a transmission in order to gain illegal entry into a secure system.
Term
Spool (Simultaneous Peripheral Operations Online)
Definition
An automated function that can be operating system or application based in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information.
Scope Note: Spool allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer.
Term
Spyware
Definition
Software whose purpose is to monitor a computer user’s actions (e.g., web sites they visit) and report these actions to a third party, without the informed consent of that machine’s owner or legitimate user.
Scope Note: A particularly malicious form of spyware is software that monitors keystrokes (e.g., to obtain passwords) or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer’s operation for the benefit of a third party.
Term
Stage-Gate
Definition
A point in time when a program is reviewed, and a decision is made to commit expenditures to the next set of activities on a program or project, to stop the work altogether, or to put a hold on execution of further work.
Term
Standard
Definition
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as ISO.
Term
Standing Data
Definition
Permanent reference data used in transaction processing.
Scope Note: These data are changed infrequently, such as a product price file or a name and address file.
Term
Star Topology
Definition
A type of LAN architecture that utilizes a central controller to which all nodes are directly connected.
Scope Note: With star topology, all transmissions from one station to another pass through the central controller, which is responsible for managing and controlling all communication. The central controller often acts as a switching device.
Term
Static Analysis
Definition
Analysis of information that occurs on a non-continuous basis; also known as interval-based analysis.
Scope Note: In software and application security the same term more commonly denotes examining source code or binaries for defects without executing them (static application security testing), as opposed to dynamic analysis of a running program.
Term
Statistical Sampling
Definition
A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population.
Term
Storage Area Networks
(SANs)
Definition
A variation of a LAN that is dedicated for the express purpose of connecting storage devices to servers and other computing devices.
Scope Note: SANs centralize the process for the storage and administration of data.
Term
Strategic planning
Definition
The process of deciding on the organization’s objectives, on changes in these objectives, and the policies to govern their acquisition and use.
Term
Strengths, weaknesses, opportunities and threats (SWOT)
Definition
A combination of an organizational audit listing the organization’s strengths and weaknesses and an environmental scan or analysis of external opportunities and threats.
Term
Structured
Programming
Definition
A top-down technique of designing programs and systems that makes programs more readable, more reliable and more easily maintained.
Term
Structured Query
Language (SQL)
Definition
The primary language used by both application programmers and end users in accessing relational databases.
Term
Subject Matter
Definition
The specific information subject to the IS auditor’s report and related procedures which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (Area of activity).
Term
Substantive Testing
Definition
Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
Term
Sufficient Audit
Evidence
Definition
Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions.
Term
Supply Chain
Management (SCM)
Definition
A concept that allows an organization to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of the products and services it provides to its customers.
Term
Surge Suppressor
Definition
Filters out electrical surges and spikes.
Term
Suspense File
Definition
A computer file used to maintain information (i.e., on transactions, payments or other events) until the proper disposition of that information can be determined.
Scope Note: Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.
Term
Switches
Definition
Typically classified as data link layer devices, switches enable LAN network segments to be created and interconnected, which also has the added benefit of reducing collision domains in Ethernet-based networks.
Term
Symmetric Key
Encryption
Definition
System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. The same key is used for encryption and decryption. See private key cryptosystem.
Term
Synchronize (SYN)
Definition
A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission.
Term
Synchronous
Transmission
Definition
Block-at-a-time data transmission.
Term
System development life cycle (SDLC)
Definition
The phases deployed in the development or acquisition of a software system
Scope Note: An approach used to plan, design, develop, test and implement an application system or a major modification to an application system.
Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.
Term
System Exit
Definition
Special system software features and utilities that allow the user to perform complex system maintenance.
Scope Note: Use of system exits often permits the user to operate outside of the security access control system.
Term
System Flowcharts
Definition
Graphical representations of the sequence of operations in an information system or program.
Scope Note: Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary.
Term
System Narratives
Definition
Provide an overview explanation of system flowcharts, with explanation of key control points and system interfaces.
Term
System Software
Definition
A collection of computer programs used in the design, processing and control of all applications.
Scope Note: The programs and processing routines that control the computer hardware, including the operating system and utility programs.
Term
System Testing
Definition
Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements.
Scope Note: System test procedures typically are performed by the system maintenance staff in their development library.
Term
Systems Acquisition
Process
Definition
Procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers.
Term
Systems Analysis
Definition
The systems development phase in which systems specifications and conceptual designs are developed, based on end?user needs and requirements.
Term
Table Look-ups
Definition
Used to ensure that input data agree with predetermined criteria stored in a table.
Term
Tape Management
System (TMS)
Definition
A system software tool that logs, monitors and directs computer tape usage.
Term
Taps
Definition
Wiring devices that may be inserted into communication links for use with analysis probes, LAN analyzers and intrusion detection security systems.
Term
Tcpdump
Definition
A network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display.
Term
Technical Infrastructure
Security
Definition
Refers to the security of the infrastructure that supports the ERP system: networking and telecommunications, operating systems and databases.
Term
Technology
Infrastructure
Definition
Technology, human resources and facilities that enable the processing and use of applications.
Term
Technology
Infrastructure Plan
Definition
A plan for the technology, human resources and facilities that enable the current and future processing and use of applications.
Term
Telecommunications
Definition
Electronic communications by special devices over distances or around devices that preclude direct interpersonal exchange.
Term
Teleprocessing
Definition
Using telecommunications facilities for handling and processing of computerized information.
Term
Telnet
Definition
Used to enable remote access to a server computer.
Scope Note: Commands typed are run on the remote server.
Term
Terminal Access Controller Access Control System Plus (TACACS+ )
Definition
An authentication, authorization and accounting (AAA) protocol, often used by remote-access servers and network devices to centralize control of administrative logins.
Term
Terms of Reference
Definition
A document that confirms the client's and the IS auditor's acceptance of a review assignment.
Term
Test Data
Definition
Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications. Individual programs or an entire system can be tested.
Scope Note: This technique includes Integrated Test Facilities (ITFs) and Base Case System
Evaluations (BCSEs).
Term
Test Generators
Definition
Software used to create data to be used in the testing of computer programs.
Term
Test Programs
Definition
Programs that are tested and evaluated before approval into the production environment.
Scope Note: Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs.
Term
Test Types
Definition
Test types include: (a) Checklist test: copies of the BCP are distributed to appropriate personnel for review
(b) Structured walk-through: identified key personnel walk through the plan to ensure that the plan accurately reflects the organization's ability to recover successfully
(c) Simulation test: all operational and support personnel are expected to perform a simulated emergency as a practice session
(d) Parallel test: critical systems are run at the alternate site (hot, cold, warm or reciprocal)
(e) Complete interruption test: a disaster is replicated, normal production is shut down and the recovery process is run in real time.
Term
Testing
Definition
The examination of a sample from a population to estimate characteristics of the population.
Term
Third-party Review
Definition
An independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurances to the users of the service organization that the internal control structure is adequate, effective and sound.
Term
Threat
Definition
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
Scope Note: A potential cause of an unwanted incident. (ISO/IEC 13335)
Term
Threat Agent
Definition
Methods and things used to exploit a vulnerability.
Scope Note: Examples include determination, capability, motive and resources.
Term
Threat Analysis
Definition
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against organization assets.
Scope Note: The threat analysis usually also defines the level of threat and the likelihood of it materializing.
Term
Threat event
Definition
Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Term
Throughput
Definition
The quantity of useful work performed by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.
Term
Token
Definition
A device that is used to authenticate a user, typically in addition to a username and password.
Scope Note: A token is usually a credit card-sized device that displays a pseudo random number that changes every few minutes.
Term
Token Ring Topology
Definition
A type of LAN ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring.
Scope Note: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.
Term
Top-level Management
Definition
The highest level of management in the organization, responsible for direction and control of the organization as a whole (such as director, general manager, partner, chief officer and executive manager).
Term
Topology
Definition
The physical layout of how computers are linked together.
Scope Note: Examples of topology include ring, star and bus
Term
Total Cost of Ownership
(TCO)
Definition
Includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, training and certain activities performed by users.
Term
Transaction
Definition
Business events or information grouped together because they have a single or similar purpose.
Scope Note: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.
Term
Transaction Log
Definition
A manual or automated log of all updates to data files and databases.
Term
Transaction Protection
Definition
Also known as "automated remote journaling of redo logs", a data recovery strategy that is similar to electronic vaulting, except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created.
Term
Transmission Control
Protocol (TCP)
Definition
A connection-based Internet protocol that supports reliable data transfer connections.
Scope Note: Packet data is verified using checksums and retransmitted if it is missing or corrupted. The application plays no part in validating the transfer.
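The two mechanisms named in the SYN and TCP entries, sequence-number synchronization and checksum verification, as an added example that is not part of the original glossary. It builds and parses minimal 20-byte TCP headers, computes the checksum over the pseudo-header as the protocol requires, and walks a SYN / SYN-ACK / ACK exchange. The addresses, ports and initial sequence numbers are constructed sample values, not captured traffic.

```python
import struct

# Added example: a minimal TCP header builder/parser with the pseudo-header
# checksum, used to walk through a SYN / SYN-ACK / ACK exchange.
# Addresses and ports below are constructed sample values, not captured traffic.
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
PROTO_TCP = 6
HDR_FMT = "!HHIIBBHHH"  # ports, seq, ack, offset/reserved, flags, window, checksum, urgent


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (the Internet checksum core)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the pseudo-header (addresses, zero, protocol, length) plus the segment.

    To compute a checksum, pass a segment whose checksum field is zero.
    To verify one, pass the segment as received: the result is 0 if it is intact.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Header-only segment (data offset 5 words) with the checksum filled in."""
    header = struct.pack(HDR_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack(HDR_FMT, segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & TCP_FLAG_SYN), "ack_flag": bool(flags & TCP_FLAG_ACK),
        "header_len": (off >> 4) * 4, "window": window, "checksum": csum,
    }


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A received segment verifies when the checksum over everything folds to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def three_way_handshake(client_isn: int, server_isn: int) -> list:
    """Return the parsed SYN, SYN-ACK and ACK segments. The sequence numbers are
    synchronized because each side acknowledges the other's ISN + 1."""
    c, s = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    syn = build_segment(c, s, 40000, 443, client_isn, 0, TCP_FLAG_SYN)
    syn_ack = build_segment(s, c, 443, 40000, server_isn, client_isn + 1,
                            TCP_FLAG_SYN | TCP_FLAG_ACK)
    ack = build_segment(c, s, 40000, 443, client_isn + 1, server_isn + 1, TCP_FLAG_ACK)
    if not all(checksum_ok(*p) for p in ((c, s, syn), (s, c, syn_ack), (c, s, ack))):
        raise RuntimeError("constructed segment failed its own checksum")
    return [parse_segment(x) for x in (syn, syn_ack, ack)]
```

The checksum detects accidental corruption only; it carries no secret, so anyone who can alter a segment can recompute it. Integrity against an active attacker comes from a layer above (TLS) or below (IPsec), not from TCP.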
Term
Transmission Control Protocol/Internet Protocol (TCP/IP)
Definition
Provides the basis for the Internet; a set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management.
Term
Transparency
Definition
Refers to an enterprise’s openness about its activities and is based on the concepts:
- It is clear to those who are affected by or want to challenge governance decisions how the mechanism functions
- A common vocabulary has been established
- Relevant information is readily available
Scope Note: Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance.
Term
Trap Door
Definition
Unauthorized electronic exits, or doorways, out of an authorized computer program into a set of malicious instructions or programs.
Term
Trojan Horse
Definition
Purposefully hidden malicious or damaging code within an authorized computer program.
Scope Note: Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer.
Term
Trusted Processes
Definition
Processes certified as supporting a security goal.
Term
Trusted Systems
Definition
Systems that employ sufficient hardware and software assurance measures to allow their use for processing of a range of sensitive or classified information.
Term
Tunnel
Definition
The paths the encapsulated packets follow in an Internet VPN.
Term
Tunneling
Definition
Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself.
Scope Note: When protocol A encapsulates protocol B, then a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-point Protocol Over Ethernet (PPPoE), and Layer 2 Tunneling Protocol (L2TP).
Term
Tuple
Definition
A row or record consisting of a set of attribute value pairs (column or field) in a relational data structure.
Term
Twisted Pairs
Definition
A low-capacity transmission medium, a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable.
Term
Two-factor
Authentication
Definition
The use of two independent mechanisms for authentication, for example, requiring a smart card and a password. Typically a combination of two of: something you know, something you have and something you are.
Term
Unicode
Definition
A standard for representing characters as integers.
Scope Note: Unicode assigns each character a code point in the range 0 to 0x10FFFF (more than 1.1 million values), far beyond the 65,536 values of its original 16-bit design, as is necessary for languages such as Chinese and Japanese. Encoding forms such as UTF-8 and UTF-16 map code points to bytes; in UTF-16, code points above 0xFFFF take two 16-bit units (a surrogate pair), so a 16-bit unit is not the same thing as a character.
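What the code-point/encoding distinction above means in practice, as an added example that is not part of the original glossary: the same character has three different "lengths" (code points, UTF-8 bytes, UTF-16 units), and the example goes one step further to show why an allow-list check on user input must normalize first. The allow-list and sample strings are constructed for illustration.

```python
import unicodedata

# Added example: what "a character" costs in each encoding, and why input
# validation must normalize before it checks. Sample strings are constructed.


def code_point_info(ch: str) -> dict:
    """Describe a single code point: its value and its size in UTF-8 and UTF-16."""
    if len(ch) != 1:
        raise ValueError("pass exactly one code point")
    cp = ord(ch)
    return {
        "code_point": cp,
        "in_bmp": cp <= 0xFFFF,                           # fits the original 16-bit design
        "utf8_bytes": len(ch.encode("utf-8")),
        "utf16_units": len(ch.encode("utf-16-le")) // 2,  # 2 units = surrogate pair
    }


def length_views(s: str) -> dict:
    """Three answers to 'how long is this string?', which length checks often confuse:
    a limit enforced in bytes on one tier and in code points on another disagrees."""
    return {"code_points": len(s),
            "utf8_bytes": len(s.encode("utf-8")),
            "utf16_units": len(s.encode("utf-16-le")) // 2}


ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_")  # constructed allow-list


def canonical_username(raw: str) -> str:
    """Normalize (NFKC) and lower-case before applying the allow-list, so that
    full-width or compatibility look-alikes cannot pass a check done on the raw
    text and later collapse onto an existing name when some other component
    normalizes them."""
    name = unicodedata.normalize("NFKC", raw).lower()
    if not name or any(c not in ALLOWED for c in name):
        raise ValueError("username contains characters outside the allow-list")
    return name
```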
Term
Uninterruptible Power
Supply (UPS)
Definition
Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level.
Term
Unit Testing
Definition
A testing technique that is used to test program logic within a particular program or module.
Scope Note: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.
Term
Universal Description, Discovery and Integration (UDDI)
Definition
A web-based version of the traditional phone book's yellow and white pages enabling businesses to be publicly listed in promoting greater e-commerce activities.
Term
Universal Serial BUS (USB)
Definition
An external bus standard for connecting peripherals. The original (USB 1.x full-speed) specification transfers data at 12 Mbps; later versions are far faster (USB 2.0 at 480 Mbps, USB 3.x at 5 Gbps and above).
Scope Note: A USB port can connect up to 127 peripheral devices through hubs.
Term
UNIX
Definition
A multi-user, multitasking operating system that is used widely as the master control program in workstations and especially servers.
Term
Untrustworthy Host
Definition
The host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on the trusted networks can place only limited trust in it.
Scope Note: To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host.
Term
Uploading
Definition
The process of electronically sending computerized information from one computer to another computer.
Scope Note: When uploading, most often the transfer is from a smaller computer to a larger one.
Term
User Awareness
Definition
The training process in security-specific issues to reduce security problems, since users are often the weakest link in the security chain.
Term
User Datagram Protocol
(UDP)
Definition
A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability.
Scope Note: A data request by the client is served by sending packets without checking whether they actually arrived at the destination or whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions.
Term
Utility Programs
Definition
Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing.
Scope Note: Examples of utility programs include sorting, backing up and erasing data.
Term
Utility Script
Definition
A sequence of commands input into a single file to automate a repetitive and specific task.
Scope Note: The utility script is executed, either automatically or manually, to perform the task. In Unix, these are known as shell scripts.
Term
Utility Software
Definition
Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system.
Scope Note: This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and, to analyze job accounting data.
Term
Vaccine
Definition
A program designed to detect computer viruses.
Term
Val IT
Definition
The standard framework for organizations to select and manage IT-related business investments and IT assets by means of investment programs such that they deliver the optimal value to the organization. Based on COBIT.
Term
Validity Check
Definition
Programmed checking of data validity in accordance with predetermined criteria.
Term
Value
Definition
The relative worth or importance of an investment for an organization, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money.
Term
Value-added Network
(VAN)
Definition
A data communication network that adds processing services such as error correction, data translation and/or storage to the basic function of transporting data.
Term
Variable Sampling
Definition
A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount.
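The projection this entry describes, carried through in code as an added example that is not part of the original glossary: mean-per-unit estimation of a population's total monetary value from a sample, with a precision interval and the finite population correction, plus the sample size needed for a target precision. The invoice amounts, population size, book value and materiality are constructed values, and the 95% confidence level (z = 1.96) is an assumption.

```python
import math
import statistics

# Added example: mean-per-unit variable sampling. The invoice amounts are a
# constructed sample; POPULATION_SIZE and the 95% confidence level are assumed.
POPULATION_SIZE = 2000
SAMPLE_AMOUNTS = [120.0, 98.5, 143.2, 110.0, 87.3, 132.8, 101.1, 95.0, 128.4, 117.6]
Z_95 = 1.96


def mean_per_unit_estimate(sample, population_size, z=Z_95) -> dict:
    """Project the sample mean to the population and attach a precision interval.

    Point estimate = N * sample mean. Precision = z * N * s / sqrt(n) * fpc, where
    fpc = sqrt((N - n) / (N - 1)) is the finite population correction, which
    shrinks the interval to zero when the whole population is examined.
    """
    n = len(sample)
    if n < 2:
        raise ValueError("need at least two sampled items to estimate variability")
    if population_size < n:
        raise ValueError("sample cannot exceed the population")
    mean = statistics.fmean(sample)
    sd = statistics.stdev(sample)
    fpc = math.sqrt((population_size - n) / (population_size - 1))
    precision = z * population_size * sd / math.sqrt(n) * fpc
    point = population_size * mean
    return {"n": n, "sample_mean": mean, "sample_sd": sd, "point_estimate": point,
            "precision": precision, "lower": point - precision, "upper": point + precision}


def required_sample_size(sd_estimate, population_size, desired_precision, z=Z_95) -> int:
    """Sample size needed for the total-value estimate to fall within +/- desired_precision
    (pilot-sample standard deviation in, item count out)."""
    n0 = (z * population_size * sd_estimate / desired_precision) ** 2
    return math.ceil(n0 / (1 + n0 / population_size))


def within_materiality(estimate: dict, book_value: float, materiality: float) -> bool:
    """Audit decision: the recorded book value is accepted when it lies inside the
    projected interval and that interval is narrower than the materiality threshold;
    otherwise the sample was too small or the balance is misstated."""
    return (estimate["lower"] <= book_value <= estimate["upper"]
            and estimate["precision"] <= materiality)
```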
Term
Verification
Definition
Checks that data are entered correctly.
Term
Virtual Organizations
Definition
Organizations that have no official physical site presence and are made up of diverse geographically dispersed or mobile employees.
Term
Virtual Private Network
(VPN)
Definition
A secure private network that uses the public telecommunications infrastructure to transmit data.
Scope Note: In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security.
Term
Virus
Definition
A program with the ability to reproduce by modifying other programs to include a copy of itself.
Scope Note: A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.
Term
Virus Signature Files
Definition
The file of virus patterns that are compared with existing files to determine if they are infected with a virus or worm.
Term
Voice Mail
Definition
A system of storing messages in a private recording medium where the called party can later retrieve the messages.
Term
Voice-over Internet
Protocol (VoIP)
Definition
Also called IP Telephony, Internet telephony and Broadband Phone, this is a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines.
Term
Vulnerability
Definition
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Term
Vulnerability analysis
Definition
Process of identifying and classifying vulnerabilities.
Term
Vulnerability Event
Definition
Any event where a material increase in vulnerability results.
Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.
From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008.
Term
Walk-through
Definition
A thorough demonstration or explanation that details each step of a process.
Term
WAN Switch
Definition
A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions, and ISDN.
Scope Note: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to organizations via T-1 or T-3 connections.
Term
War Dialer
Definition
Software packages that sequentially dial telephone numbers, recording any numbers that answer.
Term
Warm Site
Definition
Similar to a hot site; however, it is not fully equipped with all necessary hardware needed for recovery.
Term
Waterfall Development
Definition
Also known as traditional development, it is a procedure-focused development cycle with formal sign-off at the completion of each level.
Term
Web Hosting
Definition
The business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites.
Scope Note: Most hosting is "shared" which means that web sites of multiple companies are on the same server to share/reduce costs.
Term
Web Page
Definition
A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page.
Scope Note: An enterprise's web page may display the enterprise’s logo, provide information about the enterprise's products and services, or allow a customer to interact with the enterprise or third parties that have contracted with the enterprise.
Term
Web Server
Definition
A software program that, using the client-server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves web pages to users.
Term
Web Services Description Language (WSDL)
Definition
An XML-formatted language used to describe a web service's capabilities as collections of communication endpoints capable of exchanging messages; WSDL is the language that UDDI uses. Also see Universal Description, Discovery and Integration (UDDI).
Term
Web Site
Definition
Consists of one or more web pages that may originate at one or more web server computers.
Scope Note: A person can view the pages of a web site in any order, as he/she would a magazine.
Term
White Box Testing
Definition
A testing approach that uses knowledge of a program/module’s underlying implementation and code internals to verify its expected behavior.
Term
Wide Area Network
(WAN)
Definition
A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries.
Term
Wi-Fi Protected Access
(WPA)
Definition
A class of systems used to secure wireless (Wi?Fi) computer networks.
Scope Note: WPA was created in response to several serious weaknesses researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Two practical issues remain. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" (pre-shared key) mode, the most likely choice for homes and small offices, the passphrase must be long and random: the four-way handshake can be captured passively and the passphrase attacked offline, so the typical 6 to 8 character password offers little protection. WPA's TKIP cipher has since been broken and is deprecated in favour of WPA2's AES-CCMP, and WPA2 has in turn been succeeded by WPA3 (2018), which replaces the pre-shared key handshake with SAE to resist offline dictionary attacks.
Term
Windows NT
Definition
A version of the Windows operating system that supports preemptive multitasking.
Term
Wired Equivalent
Privacy (WEP)
Definition
A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks).
Scope Note: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide confidentiality comparable to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. A WEP key can be recovered in minutes with freely available tools once enough traffic has been captured, so WEP should be treated as providing no meaningful protection and must not be relied on.
Term
Wireless Computing
Definition
The ability of computing devices to communicate in a form to establish a local area network without cabling infrastructure (wireless), and involves those technologies converging around IEEE 802.11 and 802.11b and radio band services used by mobile devices.
Term
Wiretapping
Definition
The practice of eavesdropping on information being transmitted over telecommunications links.
Term
World Wide Web
(WWW)